7 May 2021

Keynote address by Angelene Falk, Australian Information Commissioner and Privacy Commissioner: Fair, flexible, fundamental: the future of data protection in a digital world

Introduction

Good morning and thank you for that introduction Michael. It’s great to be here with you at the end of what’s been our biggest Privacy Awareness Week yet, where we’ve called on the community as well as business and government to make privacy a priority.

And this morning I’m going to give you an insight into what our community thinks about privacy and where the community says we should put our priorities, but also from a regulatory perspective, with the review of the Privacy Act underway.

A decade of the OAIC

The OAIC has now been in existence for a decade. During that time, we have assisted hundreds of thousands of people with reviews, complaints and enquiries. We have:

  • driven better practice through our advice and guidance, education and awareness
  • held regulated entities to account through our compliance and enforcement work, audits and investigations
  • and helped shape the information landscape through our submissions and policy advice, and our active program of regulatory engagement and collaboration, at home and abroad.

More recently, we have taken on responsibilities for enhancing consumer protection and improving personal information security through our oversight of the Notifiable Data Breaches scheme and the Consumer Data Right.

But as we acknowledge the achievements of that decade, we are firmly focused on the decade ahead, and a framework for managing information privacy and access that meets the challenges of our digital era.

Today, at the end of Privacy Awareness Week, I’m going to focus on our privacy regulatory priorities and the current review of the Privacy Act. But it’s also important to note that the FOI Act also has an important role to play when it comes to access to personal information held by agencies.

There were more than 41,000 FOI requests to agencies last year, and 81% of those were for access to personal information. The FOI Act plays an important role in protecting personal information from unreasonable disclosure, where that’s contrary to the public interest.

Privacy in a digital world

Reflecting on where we’ve come from, and particularly the past 18 months, we can see a transformation in where and how our personal data is used. It’s fair to say that the focus of our collective privacy interests has moved from an analogue to a digital world.

In the OAIC’s early years, privacy breaches of physical documents were the norm. There were occasions when staff went and retrieved records from where they had been dumped or discarded in back lanes – both to safeguard people’s sensitive information, but also to serve as evidence.

And privacy in the physical realm remains a concern. While cyber intrusion is the leading cause of data breaches, we still have instances of lost or stolen paperwork and devices and they are featuring in notifiable data breaches reported to my office.

But of course, the vast amounts of personal information now stored and shared across the globe, the countless ways our information is handled by governments and private sector business, innovation, research, and service delivery, and in our day to day lives, means data privacy is now the core concern.

So, learning from the experience of the past decade, and from our international counterparts, means we are in a unique position to offer the OAIC’s regulatory experience as Australia looks forward, and to plan for a privacy system that will address issues in the here and now, and serve us for the next decade.

Today, with the review of the Privacy Act by the Attorney General’s Department underway, I would like to talk with you about that opportunity from the regulator’s perspective: for a contemporary system of privacy regulation that assists Australia in the global digital economy.

And that’s a system that respects our fundamental human right of privacy and encourages entities to build in the privacy fundamentals from the ground up. A system that remains technologically neutral and flexible to suit entities’ different circumstances, but is able to deal with emerging challenges, and those we cannot foresee as we stand here now.

Above all, a system that requires our personal information to be handled fairly, and reasonably, and that will support Australia’s investment in the Digital Economy Strategy as part of this year’s budget.

Community expectations

In approaching privacy regulation now and in the future, we are informed by the concerns of the community and their expectations. Our recent survey of community attitudes to privacy told us privacy is a major concern for 70% of Australians and 87% want more choice and control over how their personal information is handled.

Identity theft and fraud, data security and breaches, and digital services such as social media sites are seen as the biggest privacy risks, and the concerns are based on experience. Nearly 60% of Australians experienced a problem with the handling of their personal information in the previous year.

Of interest to agencies, government is generally more trusted than businesses with the protection of personal information, and certain uses of personal information are considered more legitimate than others, such as public safety.

As government seeks to use personal information and technology for more efficient and effective service delivery, to inform public policy and enable research, retaining the trust of the community is going to be central to its success. Critically, trust and confidence that personal information is protected and respected.

Regulatory priorities

In line with what the community is telling us, my office is focused on four priority areas to focus our privacy regulatory actions, minimise the risk of harm to individuals and provide consistency and certainty for regulated entities. They are around:

  • online platforms, social media, and high privacy impact technologies
  • security of personal information
  • regulating the Consumer Data Right, and
  • personal information handling practices that have arisen in the context of COVID-19.

I am also pleased to report – in terms of individual complaints – that over the past year we have eliminated a backlog of complaints through initiatives made possible by additional funding.

And we are determining more complaints than ever, and that provides you as practitioners with some important precedents to guide your advice to agencies. Cases, for example:

  • where the online records of a complainant who had experienced domestic violence were linked with her former partner’s, which demonstrates the importance of taking reasonable steps to ensure the accuracy of personal information before it’s used
  • sending sensitive health information to the wrong email address highlights the need to safeguard personal information
  • determinations emphasising the importance of private sector respondents, and there are some lessons there for health practitioners, around providing access to personal information, and
  • Commissioner-initiated determinations that draw out the issue of privacy policies and notices – that they should be a transparency mechanism not a notice and consent mechanism.

Declarations from those determinations have required payment of compensation, changes of practice, and also government agencies and businesses to conduct audits and report to my office.

Online platforms, social media, and high privacy impact technologies

So looking at those four regulatory priorities in a little more detail: in terms of online platforms, the global digital economy brings opportunity. It also creates privacy risks.

Our goal is to shift the environment so that organisations are providing consumers with a greater degree of choice and control, but also, that entities are building in systems upfront to protect personal information, and that of course includes Australian Government agencies.

We have regulatory actions and investigations on foot including those that seek to hold global digital businesses to account. That includes our Federal Court action against US-based Facebook Inc and Facebook Ireland. AGS is representing us in that matter.

You may be aware that in September the court granted us leave to serve the initiating court documents. Today the full Federal Court will hear Facebook Inc’s application for leave to appeal that decision. The primary issue is whether the Privacy Act applied to Facebook Inc at the relevant time.

Internationally, with our UK counterpart, the Information Commissioner’s Office, we are jointly investigating Clearview AI over its use of ‘scraped’ data and biometrics for its facial recognition app.

And the online environment is also an area where regulatory frameworks intersect, both domestically and internationally: privacy and data protection, consumer protection, competition, online safety, as well as the role of financial and corporate regulators in protecting the public interest. That’s why we have MOUs in place including with the ACCC to guide our regulatory co-operation, including for the Consumer Data Right.

In terms of government, we are also engaging and auditing government online initiatives, such as the Digital Transformation Agency’s expansion of the Digital Identity system.

Security of personal information

Security of personal information is also a fundamental element in the ring of defence for Australians engaging in the digital environment and is a regulatory priority.

Along with the Cyber Security Strategy 2020 and the Online Safety Bill, measures that protect personal information give citizens the confidence to participate in the digital economy. Privacy built into the design of tech and systems helps realise the benefits of digital and data.

We report twice yearly on the Notifiable Data Breaches scheme, including causes, and identify areas where entities need to do better, and I urge you to consider those reports. Across most of the 1050 data breaches that were reported to us last year we continue to see a human element.

We are prioritising regulatory action for significant failings to protect personal information, particularly where we have called out the risks and mitigations in our six-monthly reports.

In our last NDB report, it’s worth noting that the Australian Government entered the top 5 industry sectors for the first time. Agencies reported 33 data breaches – all but 4 caused by human error.

About half involved personal information being emailed or mailed to the wrong person. So agencies need to make sure they are mitigating those risks with processes and systems, and in terms of training of our people.

We also expect timely assessments of suspected eligible data breaches and notifications where there is a likely risk of serious harm.

Regulating the Consumer Data Right

Our third regulatory priority is co-regulating the Consumer Data Right, and working with Treasury and the ACCC as it rolls out across the economy. This reform is a clear example of how privacy safeguards and consumer protections work together, in the public interest.

Consumer Data Right gives individuals more choice and control over their data and encourages competition and innovation, and it is founded on a privacy-by-design approach.

There are also lessons to be learned from CDR. The CDR privacy safeguards have got additional protections that are not present in the Privacy Act, and we need to look at that in light of the review. Consumers have a clear right to delete their CDR data, and to take action in courts for breaches of the privacy safeguards.

We also have an opportunity to ensure the CDR privacy safeguards are interoperable at the global level, and that is also an objective of the privacy review from my regulatory perspective.

Personal information handling practices arising from COVID-19

The last regulatory priority is the impact of COVID-19 on personal information handling.

Our community attitudes survey from last year did tell us that Australians agreed some concessions must be made to privacy protections during the pandemic, so long as they are not permanent. Three-quarters believe COVID does not excuse business or government from meeting their usual obligations under privacy laws.

So, we have an ongoing role to play to ensure the responsible handling of personal information to support strong public health initiatives and outcomes.

We supported amendments to the Privacy Act to legislate strong privacy protections and expand the OAIC’s regulatory role and powers in relation to the COVIDSafe app. We have also published extensive guidance on COVIDSafe and contact tracing and we are engaging with COVID privacy issues as they arise, including the vaccine roll-out, and its implications for employment and travel.

Of course, we continue to oversee the privacy aspects of the My Health Record system, which the government plans to update to integrate certain COVID-19 health information.

Shift in privacy regulation

These regulatory focus areas illustrate the shift that is already taking place in the way we protect personal information, and it is in response to the community’s expectations.

The public has sought stronger safeguards for their information considered higher risk, in situations like COVIDSafe, My Health Record and also CDR data. The Notifiable Data Breaches scheme provides greater accountability for organisations handling our personal information.

And in line with the Digital Platforms Inquiry recommendations of the ACCC, we are expecting to see a draft bill from government to enable a new Online Privacy Code, infringement notices to be issued by my office, and an increase in the value of penalties that I can seek in the Federal Court to align with competition and consumer remedies.

Privacy fundamentals

So, what further change is needed to make our privacy law fit for purpose in the digital era?

From the OAIC’s perspective, the foundations of the Privacy Act are sound. It implements Australia’s international obligations in relation to the fundamental, although not absolute, right to privacy. As the regulator we promote privacy fundamentals to the agencies and organisations the Act covers.

Flexible and technologically-neutral

However, our regulatory experience, international developments, community expectations – all tell us that more is needed.

As you know, the Privacy Act is principles-based, so it is technologically-neutral, and flexible and scalable to suit different organisations across the economy. We think it is important to retain that scalability. But we do see the need for binding codes or rules that provide greater specificity or clarity for sectors, including in areas of higher risk, to give more certainty.

Fair and reasonable

We are also recommending a broader change to create what we say, based on our regulatory experience, is required: to have a new standard or benchmark of fair and reasonable handling of personal information right across the information lifecycle.

More than 30 years ago, when the Privacy Act was introduced, we could not have predicted the complexity of the information flows that are happening now. We can no longer navigate the system by relying so heavily on notice and consent – as individuals or indeed as regulators.

Recent research shows social media privacy policies, for example, run to an average of more than 6,000 words. Our own attitudes to privacy survey tells us that only 31% of people normally read online privacy policies, usually because they are too long or too complex. When they do, more than half say they are not confident they’ve understood it.

So, it is not realistic nor is it fair to expect individuals to absorb long and technical policies, decipher complex practices, and to give their meaningful agreement in all cases, and it does impact consumer trust and confidence.

Trust in personal information handling

Our survey shows trust in information handling practice is continuing to decline. For the Federal Government it is down by 14% since 2007, and about 13% for businesses, and a strong majority – 83% of Australians – want government to do more to protect their information.

So, we see a need for this new baseline for privacy practice that meets community expectations and helps to restore that trust; requiring entities to not just collect our information by fair and lawful means, as is the current legal test, but to use and disclose it fairly and reasonably.

It is also relevant as we look at growing the artificial intelligence sector. Of course, new technologies such as AI can have positive impacts for innovation and society, but they can also have a high privacy impact. A fair handling obligation will help to close that gap between the expectation and the practice.

No-go zones

We have also recommended that we consider as a community whether some data practices should be limited, or indeed prohibited. To give you an example, 84% of Australian parents believe their children have a right to grow up without being profiled and targeted with advertising online.

In March, the UN Committee on the Rights of the Child recommended that the profiling or targeting of children of any age for commercial purpose should be prohibited in the digital environment.

In the US, the Children’s Online Privacy Protection Act prohibits behavioural advertising to children – where they are served ads based on monitoring of their past online behaviour – without parental consent.

Internationally, we have seen strong regulatory action to protect children in the digital environment.

Other areas of concern include inappropriate surveillance, tracking, monitoring or recording of individuals, and scraping of personal information from online platforms.

Smart regulation

Our privacy framework also needs a regulator who has the right tools and capabilities to support entities to comply, and to enforce the law where it is required.

We’ve also asked government to consider providing us with more discretion to identify and address the most serious situations before greater harm occurs.

Data and digital

Data, digital and smart regulatory design are seen as key to our recovery from the COVID-19 pandemic and our continued economic success.

For the OAIC, the future of privacy is regulation that:

  • gives certainty to business and government while providing for fairness and accountability
  • supports global interoperability and minimises regulatory friction to help drive economic growth and innovation, and
  • fosters confidence and encourages digital participation by all Australians, while protecting their fundamental rights.

I look forward to talking more with the panel about these and other opportunities and taking your questions. Thank you.