Why a poorly resourced privacy enforcer could undo Australia's privacy update

02 March 2023 23:27 by Laurel Henning


Australia’s plans to overhaul its aging privacy regime appeared to take a leap forward last month, with the Attorney General’s Department unveiling over a hundred proposals designed to drag the 1988 Privacy Act into the digital era.

Yet with so much of the government department’s 320-page report still open for consultation, the review — underway since 2020 — appears to have both moved ahead and remained frozen in time. While everything appears to be on the table, for now, nothing has changed.

Among the proposals put forward to overhaul Australia’s Privacy Act was a new penalty mechanism.

And if the call to increase penalties sounds familiar, it’s because two significant cybersecurity breaches in 2022, involving the personal data of millions of Australians, saw the rapid proposal and adoption of new maximum penalties for serious breaches.

The two mass-data breaches affecting health-insurance company Medibank Private and telecommunications provider Singtel Optus appeared to energize lawmakers, who late last year moved quickly to introduce new maximum penalties for companies failing to protect customer data.

Now, the Attorney General’s Department report looks to take that penalty revamp further — suggesting penalty tiers more akin to the enforcement tools at the disposal of the country’s securities regulator and competition watchdog.

But lawyers and academics observing the review told MLex that any new enforcement provisions made available to the Office of the Australian Information Commissioner, or OAIC, could be pointless without an increase in funding for the notoriously under-resourced regulator.

What’s more, unless the legal update can better clarify the current “principles-based” approach to infringements — which lawyers say includes a lot of gray areas — the OAIC could struggle to impose any fines at all.

Enforcement focus

In its Feb. 16 report, the Attorney General’s Department said that the OAIC should be “structured to have a greater enforcement focus”.

Most observers agree. Since penalties for serious breaches were introduced in 2014, the OAIC has initiated just one civil-penalty lawsuit against a company — Meta.

The Federal Court of Australia privacy lawsuit is linked to the Facebook-Cambridge Analytica scandal and alleged privacy breaches from March 2014 to May 2015. The case is now being held up in the High Court of Australia, the country’s top court of appeal, where Meta is arguing that its US-registered parent company shouldn’t be included in the lawsuit.

Another prominent investigation was the OAIC’s 2021 decision targeting Uber’s collection and storage of personal information — conduct that dated back to 2016. Privacy lawyers told MLex that the regulator’s sluggishness could be linked to its reliance on the work of other authorities overseas to support its investigations.

“The OAIC has in the past preferred to leave it to international data-protection regulators to take the lead and then traditionally piggyback off that work,” Gavin Smith, a partner at law firm Allens, told MLex.

“It's also been quite slow historically to undertake and complete its investigations. Sometimes, when they get to the final regulatory outcome, normally a determination, it's some years after the conduct that gave rise to the investigation,” Smith said.

“There's a very big question as to whether that regulatory outcome has any efficacy at that point,” he said.

Toby Patten, a partner at law firm Baker McKenzie, said that there was “no doubt [that] limited resources are being channeled to conciliation processes, with a more 'softly-softly' approach. Quite the contrast when you consider [the Australian media regulator’s] approach under the Spam Act, noting some high profile and rather sizeable penalties being brought.”

There are two reasons for this slow enforcement pace, experts argue: a lack of resourcing and the vague nature of Australian privacy law.

Penalty tiers

Under existing rules, the OAIC can enforce civil penalties for serious or repeated interferences with privacy.

Following amendments passed in November 2022, the maximum penalty for such infringements increased from A$2.2 million ($1.49 million) to the greater of: A$50 million; three times the value of any benefit obtained through the misuse of the information; or 30 percent of a company's adjusted turnover in the relevant period.

But last month’s report by the Attorney General’s Department went further and significantly expanded the types of breaches that could be considered “serious”.

The report has proposed removing the word “repeated” and clarifying that a “serious” interference with privacy could include breaches involving “sensitive information” or other information of a sensitive nature, as well as any breach that adversely affects a large group of individuals, among other categories.

Kimberlee Weatherall, a law professor at the University of Sydney, told MLex that last month’s paper made a good call in “effectively saying if you have small, broadly dispersed impacts on people — i.e., affecting a lot of people — that is serious and worthy of serious consequences.”

On top of this expansion at the top end of the scale of severity for data breaches, the report proposed introducing a mid-tier civil penalty with the goal of expanding the type of conduct for which the OAIC can seek fines.

The Attorney General’s Department also put forward a “low-level” civil penalty with infringement-notice powers to capture “administrative breaches” of national privacy law.

Susan Kantor, special counsel with law firm Minter Ellison, told MLex that the penalty tiers signal “an intention to operate in a way that's more akin to [the Australian Securities and Investments Commission and the Australian Competition & Consumer Commission], where that tiered approach to penalties is taken.”

“The government's intention appears to be twofold: achieving better privacy compliance and more enforcement action,” Kantor said, adding that a tiered approach to penalties should assist those goals.

“The tiered approach will likely result in more enforcement action being taken, which should mean that organizations take a more serious approach to privacy compliance, resulting in better privacy compliance outcomes,” Kantor said.

“The devil's in the detail about how do you define the different tiers and what falls within the lower levels remains to be seen,” she said. “That is potentially where uncertainty could arise for businesses.”

Remedies, not penalties

Some observers believe that, by focusing on penalties, lawmakers may be missing the main game.

Speaking to MLex, lawyer Patrick Fair said that it was “remarkable how the government is obsessed with penalties. The previous privacy commissioner was on the record as saying that the most powerful remedy the office has is to impose an enforceable undertaking with audit requirements.”

Existing measures for small penalties that individuals can pursue if they feel their privacy has been compromised “can be largely useless, because it is so slow and costly to pursue: the government might serve the community better if it properly funded this system as a first step,” Fair said.

Indeed, funding remains the main point of difference between the OAIC and the regulators in other jurisdictions that the government is seeking to align it with more closely.

One suggestion on the table following last month’s report is an industry-funded model for the regulator — something similar to a model used for other Australian regulators. However, while some experts see this as a “critical” step, others anticipate an industry backlash that would make it impossible.

Just this week, Angelene Falk, who heads the OAIC, said that “the review of the Privacy Act is an opportune time to look at the resourcing of the OAIC” so that the regulator’s resources are “commensurate with demands placed on the office”.

Clarity needed

It’s not just better resourcing which is limiting the OAIC’s enforcement approach, lawyers and experts told MLex. Enforcement of the Privacy Act today is governed by privacy principles with too much room for interpretation, some argue.

The OAIC’s guidelines are the regulator’s opinion, not binding standards, Patrick Fair said. “The lack of a bright line between compliant conduct and infringing conduct makes it very difficult for a regulator to issue fines,” he added.

As long as it's unclear what is infringing conduct, it will be hard for the regulator to issue fines, and harder still if the OAIC is poorly funded compared with its securities and competition enforcement counterparts.
