Australia’s privacy authority has called for more funding and stronger enforcement powers to bring it into line with its global peers as part of a sweeping review of the Privacy Act.
In a submission to the federal government review, Australian Information Commissioner Angelene Falk said her office needs more freedom to have a proactive role in enforcing privacy laws and protections, and more enforcement powers at her disposal.
The Attorney-General’s department is reviewing the Privacy Act on the back of a swathe of recommendations provided to it by the Australian Competition and Consumer Commission as part of its inquiry into digital platforms.
In a submission, Ms Falk said that Australians expect more to be done to protect their privacy, and the Office of the Australian Information Commissioner (OAIC) needs better enforcement mechanisms and resourcing to do this.
“The OAIC’s regulatory experience indicates that additional mechanisms to the current privacy regulatory framework are required to ensure that the OAIC can continue to meet community expectations of a contemporary regulator,” Ms Falk said in the submission.
“It is essential that the Privacy Act provides the OAIC with robust enforcement mechanisms that ensure individuals have access to quick and effective remedies for the protection of their privacy rights and that create incentives for active compliance by APP entities.
“The OAIC must have the right regulatory tools available to take a pragmatic, proactive and proportionate approach to regulation. This includes enhanced provisions to work cooperatively with international regulators to investigate matters of global concern jointly, using commensurate powers.”
The OAIC is currently required to investigate all complaints made to the office, but this can be “resource intensive” and limit its ability to “take a targeted or systemic approach to regulation”.
Instead, the office should have more discretion in choosing which complaints to investigate in order to better identify priority sectors or common acts and practices.
“It is important for the OAIC to be able to effectively prioritise matters and direct public funds towards resolving issues that have systemic importance or where more serious misconduct or harms have occurred,” Ms Falk said.
The OAIC also called on the government to provide it with enhanced enforcement powers and regulatory tools to “effectively deter inappropriate conduct and support privacy best practice”.
“There is a need to take more substantive regulatory and enforcement action on the Commissioner’s own initiative in order to shift the behaviour of regulated entities across sectors, rectify, remedy and provide broader deterrence. This requires sufficient regulatory tools and powers, as well as resources,” Ms Falk said in the submission.
This would bring the OAIC better into line with comparable jurisdictions in Australia and international peers, with the privacy office currently struggling with an increased workload.
“As the collection, use or disclosure of personal information is being increasingly monetised, it is also essential that the Commissioner’s enforcement powers are sufficient to reduce the likelihood of APP entities treating breaches of the Privacy Act as a cost of doing business,” the submission said.
The OAIC should be able to issue public infringement notices for interferences with privacy, Ms Falk said.
“It will help address the risk that declarations to change acts and practices through a s52 determination of a Commissioner-initiated investigation lack strength and proportionately when compared with pecuniary options issued by other regulators, domestically and internationally,” she said.
The office should also be allowed to issue these notices when a person or business refuses to provide information, answer a question or produce a document when required under the Privacy Act.
There have been concerns about the level of funding provided by the government to the OAIC for several years, with little in the way of new cash provided despite a sharp uptick in workload and new responsibilities.
This will have to change if the OAIC is able to properly defend the privacy of Australians in the coming years, Ms Falk said.
“The OAIC must be appropriately resourced to properly carry out its statutory functions and use the full suite of regulatory powers effectively, including enforcement through the courts, which can be costly and resource intensive,” she said.
The OAIC pointed to the UK government’s model, where the Information Commission is partly funded by entities paying a data protection fee, as a potential area of investigation for the Australian government.