The federal government has floated the idea of an industry-funded model for the nation’s privacy office, which has faced concerns of under-resourcing despite an increasing workload for several years.
The Office of the Australian Information Commissioner (OAIC) has continually raised concerns with its vastly increasing workload and the lack of a comparable funding increase, with a sharp rise in freedom of information and privacy work.
As part of a wide-ranging review of the Privacy Act run out of the Attorney-General’s Department, a discussion paper this week flagged the potential of an industry-funded model for the OAIC to solve this problem.
This would see organisations that come under the OAIC’s remit pay a levy to fund the operation of the privacy office, and higher-risk companies such as Facebook paying a separate, larger levy.
The discussion paper acknowledges that nearly all submissions to the review called for more funding and staff for the OAIC to enable it to complete its important work.
“The OAIC also noted it must be appropriately resourced to take on more substantive regulatory action and pursue enforcement through the courts. Although the OAIC is currently able to seek a costs order against an entity to reimburse it for the costs of litigation, this is only available to the OAIC after the court has found an entity has breached a civil penalty provision,” the discussion paper said.
“The OAIC needs resourcing to be available before initiating such an action to enable it to prepare for and sustain litigation which may last for years, particularly against large multinational technology giants.”
Instead of proposing that the federal government provide more funding to the OAIC, the discussion paper raises the possibility of a new industry levy to fund the operations of the office, similar to how ASIC and the UK’s privacy office are funded.
“A levy would recognise that entities should pay for services the OAIC provides to them in the form of tailored guidance, advice and assessments,” the paper said.
“A narrower group of entities which operate in a high privacy risk environment could also contribute a statutory levy to support the OAIC’s management of public inquiries and investigation into their acts or practices. This may include social media platforms and entities which trade in personal information such as digital marketing businesses.”
Such a funding model is already in place to sustain the operations of ASIC, with 90 per cent of its regulatory activities funded by industry levies.
The UK’s Information Commissioner’s Office is also funded primarily through organisations in the country paying a data protection fee.
While the industry-funding model is merely a proposal in the discussion paper, the accompanying questions for consultation appear to show the government is leaning towards this option, with queries about how this would operate rather than whether it should be implemented at all.
The two questions in the discussion paper are around which OAIC costs should be covered by industry, and which industries should be included as “high privacy risk” for the extra levy.
Submissions to the Privacy Act review labelled the OAIC “weak” and “dysfunctional” and called for significantly more funding for the office.
The OAIC is still facing a “remarkable” drop in its government funding next year with a three-year $25 million lifeline in 2019 comes to an end. Its funding guarantee is likely to be decided as part of the Privacy Act review.
In its submission, Electronic Frontiers Australia said that the “greatest impediment” to upholding the privacy rights of Australians was the “chronic underfunding” of the OAIC.
The OAIC itself also called for more funding and staffing so it can “effectively deter inappropriate conduct and support privacy best practice”.
“There is a need to take more substantive regulatory and enforcement action on the Commissioner’s own initiative in order to shift the behaviour of regulated entities across sectors, rectify, remedy and provide broader deterrence. This requires sufficient regulatory tools and powers, as well as resources,” the OAIC submission said.
“The OAIC must be appropriately resourced to properly carry out its statutory functions and use the full suite of regulatory powers effectively, including enforcement through the courts, which can be costly and resource intensive.”
Do you know more? Contact James Riley via Email.