Executive Summary

The OAIC has made a submission to the Australian Government's review of the Privacy Act 1988, in response to its Issues Paper. You can read more about the review process on the Attorney-General's Department website.

 Download our submission

An accessible version of our submission will be made available soon.

Executive summary

The privacy landscape has changed significantly since the introduction of the Privacy Act 1988 (Cth) (the Privacy Act) 32 years ago. In the intervening decades, most aspects of the daily lives of Australians have been transformed by innovations in technology and service delivery. This has resulted in a dramatic increase in the amount of data and personal information collected, used, and shared, both in Australia and globally. Alongside this significant shift in data handling practices has come an increase in community expectations that their personal information will be protected.

The Privacy Act is a well-established framework for the protection of fundamental privacy rights and an enabler of innovation that supports economic growth. Being principles-based, it is technologically neutral and flexible. However, given the scale and scope of environmental change, the current review of the Privacy Act is necessary to ensure that this framework is proportionate, sustainable and responsive to emerging privacy risks into the future.

A greater emphasis on the rights of individuals and the obligations of entities to protect those rights is required to ensure the public interest is served by privacy law into the next decade. Australia’s privacy framework can also be strengthened by a more central focus on protecting individuals from the harms associated with current and emerging practices around the collection, use and disclosure of their personal information.

The OAIC considers that there are four key elements needed to support effective privacy regulation over the next decade:

  • Global interoperability ― making sure our laws continue to connect around the world, so our data is protected wherever it flows
  • Enabling privacy self-management ―so individuals can exercise meaningful choice and control
  • Organisational accountability ― ensuring there are sufficient obligations built into the system
  • A contemporary approach to regulation ― having the right tools to regulate in line with community expectations.

Strong data protection and privacy rights are both necessary to uphold our human right to dignity in the digital age, and a precondition for consumer confidence and economic growth. They are also critical to achieving other societal objectives such as the protection of health, safety and security. As well as implementing Australia’s international human rights obligations, the Privacy Act was designed to support economic growth.[1] It supports Government to deliver better outcomes for Australians that are technology-enabled and citizen-focused, and supports organisations to deliver products and services that can provide both profit and public benefits.

Effective and proportionate privacy regulation is essential to achieving these benefits. When regulated entities have a clear framework that sets out their personal information handling responsibilities, they will be able to operate and innovate with confidence. Equally, when Australians have clear privacy rights and trust that their personal information is protected, they will feel confident to engage in the data-driven economy and to access services.

Government and organisations are increasingly aware of the benefits that good privacy practice brings. The response to the COVID-19 pandemic has demonstrated that privacy is crucial to achieving large-scale public policy initiatives. In developing the COVIDSafe application, the government recognised that strong privacy protections are essential to public confidence in engaging with the technology. For organisations, privacy is becoming a market differentiator.

Australians have consistently indicated that they care deeply about their privacy, but are challenged in a digital age where individuals are increasingly asked to consent to information handling practices that are not clearly explained, and are buried in long, complex terms and conditions.

The OAIC’s Australian Community Attitudes to Privacy Survey (ACAPS) 2020 found that 69% of individuals do not read privacy policies attached to any internet site. The key reasons Australians don’t read privacy policies attached to internet sites is because of the length (77%) followed by their complexity (52%) .[2]

The Consumer Policy Research Centre’s 2020 Data and Technology Consumer Survey found that 69% of consumers who read privacy policies reported accepting terms even though they weren’t comfortable with them. The main reason for doing so was it was the only way to access the product or service (75%).[3]

The alternative is to not engage with the product or service at all, which, as Daniel Susser points out, is often not a realistic option:

… the cost of opting out is often too high. If, for instance, the choice is between accepting a social network’s privacy policy and getting to see pictures of one’s grandchildren, or rejecting the policy’s terms and not getting to see them, many grandparents will not view the latter as an acceptable option.’

These issues are diminishing the Australian community’s trust in personal information handling. The OAIC’s research shows a steady decline in trust since 2007: trust in companies in general is down by 13% and trust in Federal Government departments is down 14%.

The OAIC’s ACAPS 2020 results found that privacy is a major concern for 70% of Australians:

  • Australians consider the social media industry the most untrustworthy in how they protect or use their personal information (70% consider this industry untrustworthy), followed by search engines (55% untrustworthy) and apps (54% untrustworthy)
  • 40% feel the privacy of their personal information is poorly protected, while 24% feel it is well protected
  • 83% of Australians would like the government to do more to protect the privacy of their data
  • 84% of Australians believe that personal information should not be used in ways that cause harm, loss or distress.

The OAIC’s recommendations in this submission are aimed at addressing these declining levels of trust and responding to the community’s desire for more to be done to protect their privacy in the face of new and emerging threats. Restoring trust and confidence in the digital age requires the Privacy Act to be supplemented with protections that create legal obligations aimed at achieving greater fairness and organisational accountability to address privacy risks and harms. The OAIC is proposing amendments to the Privacy Act that:

  • Maintain the flexibility and scalability of the existing principles-based approach, supported by enhanced abilities for the Commissioner to make legally binding instruments to provide greater certainty for the regulated community in areas where specific rules or greater clarity is required.
  • Enhance and limit the application of privacy-self management tools to ensure that individuals are able to exercise meaningful choice and control by understanding how their personal information is being handled through notice and consent, where appropriate.
  • Require regulated entities to ensure that all collections, uses or disclosures of personal information are fair and reasonable while ensuring increased safeguards are in place for certain high-risk information handling activities, or that these are prohibited.
  • Introduce additional organisational accountability measures to ensure that entities have implemented actions and controls that demonstrate their compliance with the privacy regulatory framework.
  • Enhance the OAIC’s ability to regulate in line with community expectations through strengthened enforcement powers and new regulatory measures, including a direct right of action and statutory tort to provide individuals with greater control of their personal information.
  • Enshrine global interoperability through proposed reforms that have been informed by international policy, standards and models for data protection and privacy thereby ensuring that personal information is protected wherever it flows.

A key strength of the Privacy Act is that it is principles-based. It sets out general rules which can be applied to a range of situations across the economy based on the risks posed by particular entities or personal information handling practices. To remain fit for purpose, it is essential that the Privacy Act contains flexible protections that can remain relevant as technologies shift and innovation continues, while creating legal obligations that address current and evolving privacy risks and harms. In some circumstances, this principles-based framework may need to be supplemented with more specific or prescriptive rules to address high-risk activities or sectors.

Privacy self-management tools of notice and consent continue to be important transparency mechanisms that help individuals exercise meaningful choice and control over their personal information. However, reliance on consent should be targeted and limited to situations where individuals can and should validly exercise a choice, not expanded and used more broadly to permit data handling practices.

Additional accountability measures can redress the power and information asymmetry between individuals and entities and ensure that the burden of understanding and consenting to complicated practices does not fall solely on individuals. More broadly, by embedding strong accountability measures, entities can build a reputation for reliable, transparent and effective privacy management which is essential to promoting consumer trust and confidence in their brand.

These legislative protections must be reinforced by a strong system of oversight that upholds individuals’ rights and holds entities to account. The privacy regulator needs the correct tools to respond efficiently and appropriately to new threats and regulate in line with community expectations.

The current Privacy Act positions the regulator to resolve individual privacy complaints through negotiation, conciliation and determination. This reflects the context in which the Privacy Act was first introduced.  In the digital environment, privacy harms can occur on a larger scale. While resolving individual complaints is a necessary part of effective privacy regulation, there must be a greater ability to pursue significant privacy risks and systemic non-compliance through regulatory action.

This shift can be seen in privacy regulation around the world, with privacy regulators being provided with powers that enable efficient and effective action to identify and respond to privacy threats. While Australia’s current framework provides some enforcement powers, these need to be strengthened and recalibrated to deter non-compliant behaviour and ensure practices are rectified. The regulator also needs appropriate resources to proactively identify and address existing and emerging risks before serious, widespread or societal harm occurs. 

Greater discretion for the Commissioner to focus on systemic risks should not leave individuals without a remedy, and should be complemented with the ability for people to take action directly through the courts, through the introduction of a direct right of action and a statutory tort for serious invasions of privacy.

Finally, the Privacy Act needs to connect with privacy laws around the world and ensure that personal information is protected wherever it flows. Strong privacy and data protection frameworks support innovation and growth in the Australian digital economy and international trade. Globally interoperable data protection laws are increasingly important to protect individuals online and reduce regulatory friction for business.

A summary of the OAIC’s submission and outline of recommendations are provided below.

Summary of submission

Our submission is structured in thirteen parts.

  • Part 1: The Objectives of the Privacy Act seeks to place the Privacy Act and the right of privacy in Australia in context and makes recommendations to amend the objects of the Privacy Act to ensure they remain fit for purpose into the next decade. In particular, this section includes recommendations to elevate the protection of individuals’ privacy rights in the objects section of the Act, and recognise the significant public interest in the protection of privacy.
  • Part 2: Definition of personal information discusses the importance of a flexible definition of personal information and proposes reforms to clarify the scope of this key concept, including in relation to technical data and inferred information.
  • Part 3: Flexibility of the APPs in regulating and protecting privacy outlines the importance of maintaining the existing principles-based approach to Australia’s privacy framework but recommends that the Commissioner is provided with enhanced abilities to make legally binding instruments to address areas of the law that require further certainty or specificity where appropriate. It also makes recommendations to enhance organisational accountability measures, strengthen individual rights and resolve ambiguities in the APPs.
  • Part 4: Exemptions recommends that the scope of the Privacy Act is expanded to protect personal information held in employee records, and capture acts and practices by small business operators and political parties.
  • Part 5: Notice and consent considers the strengths and limitations of notice and consent mechanisms in promoting privacy self-management and protecting individuals from privacy risks and harms. This section makes recommendations about how notice and consent requirements can be enhanced but suggests that these reforms should be complimented with the introduction of an overarching fair and reasonable requirement and additional organisational accountability obligations.
  • Part 6: Fairness and reasonableness requirements for entities discusses the need to introduce additional responsibilities for APP entities, in order to address the limitations of privacy self-management and better protect the privacy rights of individuals. This part recommends the introduction of explicit requirements for APP entities to collect, use and disclose personal information fairly and reasonably and proposes a framework for fully and partially prohibiting certain information handling practices..
  • Part 7: Organisational accountability requirements for entities outlines the importance of accountability requirements in facilitating compliance with privacy obligations, meeting the expectations of regulators and building consumer trust and confidence in personal information handling practices. This part recommends several enhancements to APP 1 designed to enhance organisational accountability including express obligations to implement, and be able to demonstrate the steps taken to implement, a ‘privacy by design’ and ‘privacy by default’ approach. This part also discusses the benefits of an independent third-party certification scheme, which would enable Australians to quickly assess the level of data protection offered by an APP entity and further support organisational accountability.
  • Part 8: Overseas data flows explores how the Privacy Act can establish an appropriate and interoperable framework that facilitates the efficient movement of data across borders alongside strong protections for individuals’ personal information. This section considers the ways in which Australia’s framework can be strengthened to ensure it remains globally interoperable and makes recommendations about how the extraterritoriality application of the Privacy Act can be strengthened.
  • Part 9: Enforcement powers under the Privacy Act and the role of the OAIC provides a snapshot of the OAIC’s current enforcement framework and argues that reforms are required to ensure that the OAIC can continue to meet community expectations of a contemporary regulator. This part recommends that the Commissioner be granted more discretion when exercising their regulatory powers in relation to individual complaints and that additional enforcement powers be introduced to enhance the Commissioner’s ability to effectively investigate potential breaches of the Privacy Act, deter inappropriate conduct and support privacy best practice.
  • Part 10: Direct right of action discusses how a direct right of action would complement the OAIC’s recommended enhancements to the Commissioner’s enforcement powers and makes recommendations about how a direct right of action should be framed under the Privacy Act.
  • Part 11: Statutory tort recommends that a statutory tort for serious invasions of privacy is introduced, which would enhance Australia’s privacy framework and constitute an important addition to the suite of regulatory measures needed to address online harms.
  • Part 12: Notifiable data breach scheme – impact and effectiveness explores how the NDB scheme has been effective in meeting its key objectives of improving consumer protection and driving better security standards for protecting personal information. This part outlines some recommended enhancements to the NDB scheme designed to support timely notification and engagement with the OAIC.
  • Part 13: Interaction between the Act and other regulatory schemes provides an overview of the Commissioner’s regulatory responsibilities under various Commonwealth laws and the need to ensure that the Commissioner has full jurisdiction over enforcing any privacy protections that are included in other legislative regimes. This part also outlines the importance of harmonising privacy protections commensurate with those under the Privacy Act, which should be a key goal in the design of any federal, state and territory laws that purport to address privacy issues.  

Recommendations

The OAIC recommends that the Privacy Act review:

Part 1: Objectives of the Privacy Act

Recommendation 1 – Amend the first object in s2A of the Privacy Act to state that the predominant object of the legislation is to recognise that individuals have a right to privacy and to protect individuals having regard to the collection, use or disclosure of their personal information.

Recommendation 2– Amend s 2A of the Privacy Act to more broadly state that an objective of the legislation is to promote the public interest in protecting privacy rights.

Recommendation 3 – Ensure that national consistency of privacy regulation is a key goal of the Council of Attorneys-General by establishing a working group to consider amendments to State and Territory privacy laws to achieve alignment with the Privacy Act.

Part 2: Definition of Personal Information

Recommendation 4Replace the word ‘about’ with ‘relates to’ in the definition of personal information to achieve greater clarity and certainty for regulated entities.

Recommendation 5Include a non-exhaustive list of technical data that may be captured by the definition of personal information in the explanatory memorandum for these amendments.

Recommendation 6Introduce a new subsection in the definition of personal information clarifying that the definition applies whether the information or opinion is provided, collected, created, generated or inferred.

Recommendation 7Clarify that the concept of collecting personal information under the Privacy Act applies broadly, and includes gathering, acquiring, inferring or obtaining personal information from any source and by any means. This includes collection by ‘creation’, which may occur when information is created with reference to, or generated from, other information the entity holds.

Recommendation 8 – Replace the term ‘de-identified’ with ‘anonymised’ in the Privacy Act.

Recommendation 9 – Amend APP 1 to insert an express obligation that an APP privacy policy must notify individuals that their information may be anonymised and used for purposes other than those permitted for the initial collection.

Recommendation 10 – Extend the obligations of APP 11 to require APP entities to take reasonable steps to protect anonymised information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

Recommendation 11 – Introduce a prohibition on APP entities taking steps to re-identify information that they collected in an anonymised state, except in order to conduct testing of the effectiveness of security safeguards that have been put in place to protect the information.

Recommendation 12 – Extend Part IIIC to require notification where:

  • there is unauthorised access to or unauthorised disclosure of anonymised information, or a loss of anonymised information, that an entity holds, in circumstances where there is a risk of re-identification of that information
  • if this information is re-identified, it is likely to result in serious harm to one or more individuals, and
  • the entity has not been able to prevent the likely risk of serious harm with remedial action.

Recommendation 13Amend the Privacy Act to ensure that the definition of personal information extends to deceased individuals for a period of 30 years after death.

Part 3: Flexibility of the APPs in regulating and protecting privacy

Recommendation 14 – Amend the APP code framework in Part IIIB of the Privacy Act to provide the Commissioner with greater flexibility and discretion to develop APP codes. The framework should:

  • enable the Commissioner to develop an APP code in the first instance (i.e. without having to first request a code developer to develop an APP code), and
  • enable the Commissioner to issue a temporary APP code if it is urgently required and where it is in the public interest to do so, and
  • retain the existing power which enables the Commissioner to request that a code developer develop a code, and
  • enable the Commissioner to intervene at any point in the code development process where an APP code is being developed by a code developer if satisfied it would be preferable for the Commissioner to develop the code.

Recommendation 15 – Supplement the code-making powers in Part IIIB of the Privacy Act with a general power for the Commissioner to issue legally binding rules about the application of the APPs.

Recommendation 16 – Include a new provision in the Privacy Act that would require entities to have regard to any guidelines issued by the Commissioner when carrying out their functions and activities under the Privacy Act.

Recommendation 17 – Amend APP 3.6 to require an APP entity to take reasonable steps to satisfy itself that personal information that was not collected directly from an individual was originally collected in accordance with APP 3.

Recommendation 18 – Repeal APP 7 and rely on the existing use and disclosure requirements in APP 6 for direct marketing activities.

Recommendation 19 – Ensure that the proposed new right to object includes:

  • an absolute right for individuals to object to the use and disclosure of their personal information for direct marketing purposes, and
  • the ability for individuals to request an organisation to identify the source of the personal information and the organisation should be required to notify the individual of its source, unless this is unreasonable or impracticable.

Recommendation 20Introduce enhanced code-making powers and new powers for the Commissioner to issue legally binding rules to enable the Commissioner to make sector- or threat-specific legislative instruments that support the principles-based approach in APP 11.1.

Recommendation 21Introduce enhanced code-making powers and new powers to make legally-binding rules under the Privacy Act to enable the Commissioner to set requirements or standards for destruction and de-identification by legislative instrument where appropriate.

Recommendation 22 – Extend the right to request correction of personal information in APP 13 to personal information that is no longer ‘held’ by the entity.

Recommendation 23 – Introduce a right to erasure that includes, as a minimum:

  • the exceptions recommended in the DPI report
  • an exception for ‘frivolous or vexatious’ requests, consistent with APP 12, or a similar threshold, for example ‘manifestly unfounded or excessive requests, consistent with the GDPR
  • an appropriate timeframe within which APP entities must respond to erasure requests, for example consistent with APP 12 or the GDPR, and
  • extends to personal information that is no longer ‘held’ by an entity, and to notify others of the erasure request where personal information has been made public, subject to the exceptions outlined at point (a) above.

Recommendation 24 – Introduce a requirement for APP entities to notify individuals of their ability to request the erasure of their personal information. This could be modelled on similar requirements in Article 13 of the GDPR.

Recommendation 25 – Introduce a right to object that includes:

  • an absolute right to object in relation to direct marketing
  • a limited right to object in relation to processing on other grounds.

Recommendation 26 – Introduce a requirement for APP entities to notify individuals of their ability to object to the handling of their personal information, including the absolute right for individuals to object to the use and disclosure of their personal information for direct marketing.

Part 4: Exemptions

Recommendation 27 Remove the small business exemption, subject to an appropriate transition period to aid with awareness of, and preparation for compliance with, the Privacy Act.

Recommendation 28 Remove the employee records exemption, subject to an appropriate transition period to aid with awareness of, and preparation for compliance with, the Privacy Act.

Recommendation 29 Remove the political parties exemption, subject to an appropriate transition period to aid with awareness of, and preparation for compliance with, the Privacy Act.

Recommendation 30 – Introduce greater enforceability requirements for the privacy safeguards covering media organisations. The review could consider whether the EDR scheme model is appropriate to achieve this outcome.

Part 5: Notice and consent

Recommendation 31 – Strengthen notice and consent requirements in the Privacy Act to address the limitations in these mechanisms, but preserve the use of consent for high privacy risk situations, rather than routine personal information handling.

Recommendation 32Introduce requirements that APP 5 notices should be concise, transparent, intelligible and written in clear and plain language.

Recommendation 33 – OAIC supports the development of standardised icons or lexicon through an industry led process to assist individuals make informed decisions about their personal information.

Recommendation 34 – Amend the definition of ‘consent’ to require a clear affirmative act that is freely given, specific, current, unambiguous and informed.

Recommendation 35 – Amend the Privacy Act to require all settings to be set to privacy protective as default except for collections of personal information that reasonably enable provision of the particular product or service.

Recommendation 36 – Elevate OAIC guidance on withdrawing consent into the Privacy Act, including a requirement that APP entities must notify an individual of their right to withdraw consent, where consent has been required for the personal information handling.

Part 6: Fairness and accountability requirements for entities

Recommendation 37 – Introduce fairness and reasonableness obligations into APPs 3 and 6:

APP 3 - The collection of personal information by an APP entity under Australian Privacy Principle 3 must be fair and reasonable in the circumstances, even if an individual consents to the collection.

and

APP 6 - The use or disclosure of personal information by an APP entity under Australian Privacy Principle 6 must be fair and reasonable in the circumstances, even if an individual consents to the use or disclosure.

Recommendation 38 – Introduce a non-exhaustive list of factors that the Commissioner will consider when determining whether acts or practices are fair and reasonable.

Recommendation 39Amend APP 1 to require APP entities to take steps as are reasonable in the circumstances to implement practices, procedure and systems which will mitigate the risk of unfair and unreasonable information handling practices as a result of the entity’s handling of personal information.

Recommendation 40 – Introduce full or partial prohibitions of specified information handling activities into the general privacy framework. These could apply to the following practices:

  • profiling, tracking or behavioural monitoring of, or direct advertising targeted at children
  • inappropriate surveillance or monitoring of an individual through audio or video functionality of the individual’s mobile phone or other personal devices
  • scraping of personal information from online platforms
  • handling location information about individuals, and
  • certain uses of AI technology to make decisions about individuals.

Recommendation 41 - Introduce additional rights that apply specifically to the processing of personal information by AI technologies.

Part 7: Organisational accountability requirements for entities

Recommendation 42 – Amend APP 1 to include express accountability requirements for all regulated entities. At a minimum, APP 1 should require entities to:

  • take reasonable steps, and demonstrate those reasonable steps, to implement practices, procedures and systems that will ensure compliance with the APPs and any registered APP code under APP 1.2
  • implement, and be able to demonstrate the steps taken to implement, a ‘privacy by design’ and ‘privacy by default’ approach
  • provide the Commissioner, on request, with evidence of the steps taken to ensure compliance with the APPs and any registered APP code, and to implement a ‘privacy by design’ and ‘privacy by default’ approach, and
  • appoint a privacy officer or privacy officers and ensure that privacy officer functions are undertaken.

Recommendation 43 – Include a note in the explanatory memorandum that will accompany the amending Bill that an ongoing and demonstrable, comprehensive privacy management program, which includes conducting privacy impact assessments where appropriate, is central to facilitating a ‘privacy by design’ and ‘privacy by default’ approach. 

Recommendation 44 – Amend APP 3 to expressly require entities to determine, at or before the time of collection, each of the purposes for which the information is to be collected, used or disclosed and to record those purposes.

Recommendation 45Introduce a domestic privacy certification scheme into Australia’s privacy framework. The certification scheme should:

  • be interoperable the APEC CPBR system and other relevant domestic accreditation or certification schemes
  • be voluntary across the economy generally, but may be made mandatory in relation to specific high privacy risk sectors or practices through an APP code or rules where appropriate
  • be flexible and enable entities to seek enterprise-wide certification for all of its operations, or certification for specific products, data types or business processes
  • enable the OAIC to develop and publish accreditation requirements for certification bodies and certification criteria for the scheme
  • ensure that an independent third party is responsible for appointing the accreditation body or bodies that will carry out audits of entities seeking certification and approving the use of a trust mark or seal and identify the OAIC as the scheme’s regulator for privacy breaches.

Part 8: Overseas data flows

Recommendation 46 – Consider whether additional legislated transfer mechanisms could enhance the APP 8 accountability approach. These could include:

  • Contractual safeguards (to support an APP entity’s accountability under APP 8.1, rather than an exception to accountability under APP 8.2)
  • Certification
  • ‘Adequacy’ or whitelists.

Recommendation 47 – Amend the Privacy Act to address issues with the extraterritoriality of the Act, including:

  • Remove the requirement in s 5B(3)(c) for the information to have been collected or held in Australia be removed, and instead the collection or holding of information could be considered an indicator of ‘carrying on a business in Australia’.
  • Amend s 5B(3) to refer to particular indicators of ‘carrying on business in Australia’ for the purposes of the Privacy Act.
  • Extend the extraterritorial operation of the Privacy Act to a body corporate that has collected Australians’ personal information from a related body corporate to which s 5B(3) applies (irrespective of whether it carries on business in Australia in its own right).

Part 9: Enforcement powers under the Privacy Act and role of the OAIC

Recommendation 48 – Amend s 40(1) to replace the words ‘shall investigate’ with ‘may investigate’ and clarify in the Explanatory Memorandum that this change is to allow the Commissioner to exercise discretion to investigate based on factors such as the Commissioner’s regulatory policies and priorities, whether the resources needed to investigate a complaint are proportionate to the likely outcome or remedy available and whether the substance of the complaint is about matters that fall under the Privacy Act.

Recommendation 49 – Expand s 41(dc) to instances where a complaint has already been adequately dealt with by an EDR scheme.

Recommendation 50 – Introduce the following amendments to the enforcement mechanisms under the Privacy Act:

  • empower the Commissioner to issue infringement notices for interferences with privacy and where a person fails to give information to the Commissioner when this has been required under the Privacy Act
  • introduce civil penalties for interferences with privacy
  • provide the Federal Court with the power to make the conduct orders which are available to the Commissioner through a s 52 determination
  • allowing the Commissioner to make order in a s52 determination requiring  respondents identify and mitigate foreseeable risks or delete personal information
  • enhance the Commissioner’s search and seizure powers to allow the OAIC to make copies of information and documents specified in the warrant and operate electronic materials to determine whether the kinds of information and documents specified in the warrant are accessible
  • empower the Commissioner to seek a warrant to preserve and secure relevant information and documents.

Part 10: Direct right of action

Recommendation 51 – Ensure that the direct right of action is not limited to ‘serious’ breaches of the Privacy Act or the APPs.

Recommendation 52 – Ensure that the direct right of action is framed so that individuals are required to make a complaint, or a representative complaint, to the OAIC before applying to the courts.

Recommendation 53 – Ensure that the Commissioner has appropriate powers to decline to investigate a complaint or representative complaint, or continue to investigate a complaint or representative complaint, where the matter is more appropriately dealt with by the courts.

Recommendation 54 – Revise the representative complaint provisions under Part V of the Privacy Act to ensure greater alignment with the powers available to the Federal Court under the Federal Court Act in relation to the management of class actions.

Recommendation 55 – Ensure that damages recoverable under a direct right of action for privacy breaches are not capped.

Recommendation 56 – Supplement the direct right of action with legislative options for the OAIC to exercise:

  • a right to intervene in proceedings (or alternatively to seek the leave of the court to intervene)
  • a right to seek leave of the court to act in the role of amicus curiae in the proceedings.

Part 11: Statutory tort

Recommendation 57 – Introduce a statutory tort for serious invasions of privacy into Australia’s privacy framework.

Recommendation 58 – Supplement the statutory tort with legislative powers for the OAIC to be notified of, to exercise a right to intervene in proceedings, and to seek the leave of the court to act in the role of amicus curiae in the proceedings. 

Recommendation 59 – Enact a single and comprehensive tort, rather than confining the tort to intrusion upon seclusion and misuse or disclosure of private information.

Recommendation 60 – Enact a tort that does not specify a fault element to ensure it covers intentional, reckless and negligent acts.

Recommendation 61 – Include a requirement to weigh other public interests, including the right to freedom of expression and the public interest in being informed about matters of public concern, as part of the consideration as to whether an individual’s privacy has been seriously invaded.

Part 12: Notifiable Data Breaches scheme – impact and effectiveness

Recommendation 62 – Amend s 26WK so that once an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach, they must notify the Commissioner as soon as practicable, but no later than 30 days, after the entity became aware that there were reasonable grounds to suspect that there may have been an eligible data breach.

Recommendation 63 – Amend s 26WL so that an entity must notify individuals as soon practicable, but no later than five days, after notifying the Commissioner.

Recommendation 64 – Amend s 26WR to provide the Commissioner with an express power to direct an entity to continue to investigate a data breach and provide subsequent notification to affected individuals if required in the circumstances.

Recommendation 65 – Enable the Commissioner to issue an infringement notice or apply to the Courts for a civil penalty in circumstances where an entity has failed to comply with the prescribed timeframes.

Recommendation 66 – Include an express requirement for entities to take reasonable steps to mitigate the adverse impacts of risk of harm to individuals whose personal information has been involved in a breach and, to the extent possible, return an individual to the position they would have been in prior to the breach.

Part 13: Interaction between the Act and other regulatory schemes

Recommendation 67 – Ensure that the Commissioner has full jurisdiction over enforcing any privacy protections that are included in other legislative regimes.

Recommendation 68 – Amend the Privacy Act to provide an express power for the Commissioner to share information with other bodies where necessary, including other regulators and government agencies, law enforcement and complaint handling bodies (including State or Territory or foreign bodies if they have functions to protect the privacy of individuals).

Recommendation 69 – Ensure that harmonisation of privacy protections is a key goal in the design of any federal, state or territory laws that purport to address privacy issues.

Recommendation 70 – Ensure that the privacy protections in any laws that purport to address privacy issues are commensurate with those under the Privacy Act.


[1] The Explanatory Memorandum to the 2000 Bill that expanded the scope of the Privacy Act to private organisations noted: ‘The Australian public has expressed concern about doing business online, and this concern could frustrate the growth of electronic commerce. The Government acknowledges that user confidence in the way personal information is handled in the online environment will significantly influence consumer choices about whether to use electronic commerce. Any business demonstrating that it will protect the privacy of its customers will therefore gain a competitive advantage. Similarly, a country that can demonstrate it protects its citizens’ privacy will have an advantage over those countries that do not.’

[2] OAIC (2020) Australian Community Attitudes to Privacy Survey 2020, report prepared by Lonergan Research, p. 70

[3] Consumer Policy Research Centre, CPRC 2020 Data and Technology Consumer Survey, Consumer research conducted in partnership with Roy Morgan Research over March and April 2020, https://cprc.org.au/app/uploads/2020/11/CPRC-2020-Data-and-Technology-Consumer-Survey.pdf (accessed 8 December 2020).