The federal government should explore industry funding models for the country’s privacy watchdog to give it sufficient resourcing to carry out its growing responsibilities, according to the Privacy Act review.
Further consideration should also be given access to a special account to cover the cost of any litigation against “high-resource entities”, as the office continues to pursue Meta over the Cambridge Analytica scandal.
An industry funding model was initially flagged in a 2021 privacy review discussion paper to solve the well-documented funding and resource limitations of the Office of the Australian Information Commissioner (OAIC).
Such a model would see organisations covered by the Privacy Act pay a levy to fund the office, which has seen its workload grow significantly in recent years, including with the arrival of the Notifiable Data Breaches Scheme in 2018.
The Australian Securities and Investments Commission adopted this model in 2017, with 90 per cent of the corporate regulator’s activities now funded by industry levies and the remaining 10 per cent recovered via service fees.
The OAIC’s counterpart in the United Kingdom, the UK Information Commissioner’s Office, is also funded primarily through industry. Organisations in the country pay a data protection fee which accounts for up to 90 per cent of the agency’s annual budget.
Most respondents to the discussion paper, including DIGI, the industry group representing Facebook, Apple, Twitter and Google, opposed a cost recovery model and “instead considered the OAIC… be funded entirely by government”.
“Generally, the rationale for this view was that APP entities currently have high regulator costs and, because privacy harms affect the individual, the cost of regulating those harms should be taxpayer funded,” the review said.
But other “submitters who commented on various other proposals [in the privacy review] noted that their effectiveness would depend on the OAIC being adequately resourced to utilise any new powers”.
OAIC also indicated its support for consideration of an “industry funding model with appropriate supplementary budget appropriations for functions and activities not funded by a levy”.
The review concluded this model would help address “funding constraints that limit the OAIC’s enforcement activity”, but would require a “significant investment of time and resources to design, implement and administer”.
It will also rely on the government removing the small business exemption, with the review noting that industry funding may not “raise sufficient revenue to justify costs associated with its implementation and ongoing administration”.
Further “extensive consultation and analysis… to determine whether an industry funding model would be suitable” has been proposed, involving preparation of a service catalogue to determine whether any of OAIC’s activities suitable for cost recovery.
The investigation would also determine “whether certain industries are more problematic and costly to regulate” and “which types of fees/levies may be appropriate or whether a combination of cost recovery levies, cost recovery fees and statutory levies would be feasible”.
Separately, the review has recommended the government give further consideration to “establishing a contingency litigation fund to fund any costs orders against the OAIC, and an enforcement special account to fund high-cost litigation”.
“The OAIC can be constrained in its ability to take enforcement action due to the cost associated with bringing enforcement proceedings against well-resourced entities and the possibility of significant cost orders being made against it,” the review said.
“For the OAIC to have assurance regarding its capacity to fund ongoing enforcement litigation and to pay any costs orders made against it, consideration should be given to establishing special accounts to cover costs orders and high litigation costs against well-resourced entities.”
Ahead of the October Budget last year, in which OAIC received an additional $5.5 million, Information and Privacy Commissioner Angelene Falk warned the government that her office was “unable to keep up” with its increased workloads, with enforcement one of the areas impacted.
OAIC is pursuing Meta in the Federal Court over alleged privacy breaches relating to Facebook’s Cambridge Analytica data harvesting scandal. The regulator began proceeding against the social media giant in March 2020.
Do you know more? Contact James Riley via Email.