18 January 2022

The well-considered proposals put forward in the Attorney General’s Department’s Privacy Act Review Discussion Paper present a sound basis for advancing the case of privacy reform in Australia, the Office of the Australian Information Commissioner (OAIC) said.

In its response to the Discussion Paper, the OAIC has made detailed recommendations which draw on the agency’s regulatory experience about how these potential reforms would operate in practice.

The OAIC’s recommendations seek to ensure Australia’s privacy regime continues to operate effectively for all and promotes innovation and growth by:

  • protecting consumers from individual and collective privacy risks and harms
  • empowering consumers to take control of their personal information through new rights and enhanced transparency requirements
  • enhancing the framework of organisational accountability and personal information handling to ensure regulated entities are confident to innovate and use data within the boundaries of the law, informed by community expectations
  • establishing a regulatory framework that supports proactive and targeted regulation, strategic enforcement, efficient and more direct avenues of redress for individuals, and appropriate deterrents against mishandling of personal information
  • supporting global interoperability and minimising friction to ensure consistency of protection across the economy and to protect personal information wherever it flows.

“The shift to the digital economy, while it offers tremendous opportunities, is not without its risks, and requires an upgraded privacy framework that reinforces trust and security in the digital world,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said.

A key theme in the OAIC’s submission is that strengthening accountability measures for organisations handling personal information will help protect and empower consumers while promoting innovation and a thriving digital economy.

“By embedding strong accountability measures, businesses and other organisations can build a reputation for strong and effective privacy management, which is essential for meeting community expectations and realising the benefits of the personal information they hold,” Commissioner Falk said.

“Our personal information is increasingly being handled in complex ways that individuals may not expect. It is unrealistic to expect individuals to consider and evaluate whether every collection of their personal information is reasonable, and to take steps to protect themselves from all privacy harms.

“Strengthened accountability requirements will raise the standard of data handling so individuals can have greater confidence that their personal information will be handled fairly when they choose to engage with a product or service.”

Commissioner Falk said a strong digital economy needs to be paired with clear responsibility for how personal information is handled, driving the OAIC’s recommendations for fairness and accountability to be at the centre of the Privacy Act.

“Establishing a positive duty on organisations to handle personal information fairly and reasonably will require them to take a proactive approach to meeting their obligations, as they are best equipped to consider the impacts of the complex information handling flows and practices of their business,” she said.

“Just as with safety laws, preventing privacy harms upfront gives greater protection without relying on reactive action by the regulator.

“This central obligation would provide a new baseline for privacy practice giving the community confidence when we provide our personal information that – like a safety standard – privacy protection has been built in.”

The OAIC’s submission also recommends measures to support the agency in pursuing significant privacy risks and systemic non-compliance through regulatory action.

“We have recommended changes to the Privacy Act enforcement framework to give the OAIC a greater range of effective tools to uphold the law and respond to emerging threats in a proportionate and pragmatic way,” Commissioner Falk said.

“This can occur through a simplified civil penalty regime, supported by infringement notices as a quick and cost-effective way to deter non-compliant behaviour without the need for court proceedings.

“These changes should be supported by the introduction of a direct right of action and statutory tort of privacy that would give individuals access to additional options to protect their privacy rights.”

The OAIC’s full submission can be found on the OAIC website.