The national privacy and information regulator would get a $25 million funding boost and stronger penalties would be introduced for tech giants that oversee data breaches under a government policy proposal.
The $25 million cash injection over three years for the Office of the Australian Information Commissioner will be included in next week’s budget, with the Coalition also proposing to increase fines for data breaches to $10 million.
But the government does not plan to consult on the amendments to the Privacy Act until the second half of the year, well after the upcoming May election, so it’s unclear whether they will ever materialise.
The extra cash is much needed for the OAIC, which has regularly faced under-funding and under-resourcing issues, even as its workload continued to increase.
Under the proposal, the OAIC would be given new powers to issue infringement notices to companies and individuals who do not cooperate with efforts to resolve minor data breaches. Companies would be fined up to $63,000 and individuals up to $12,600.
The Commissioner would also be given additional options to make sure data breaches are addressed adequately, with reviews and the publishing of public statements on specific breaches.
To complete this new work, the OAIC will be provided $25 million over three years in next week’s federal budget, provided the government is re-elected in May.
It’s the first significant funding boost for the OAIC in many years, with the agency facing constant accusations of under-funding and under-resourcing.
Early last year the Office was facing “unprecedented challenges” and was “stretched beyond breaking point”, according to the former Victorian privacy commissioner.
It received a $2.9 million funding boost in last year’s budget for its work on the Consumer Data Right, but is still struggling to keep up with its ever-increasing workload.
There has been an 18 per cent increase in privacy complaints received by the OAIC and a 27 per cent increase in Freedom of Information access review complaints, while in the last six months of last year, there was a 22 per cent increase in privacy complaints and a 42 per cent increase in FOI complaints.
In total, it received over 10,000 enquiries across its entire remit, just in the last half of 2018.
In a Senate estimates hearing last month, Information Commissioner Angelene Falk said the agency was in discussions with the government for more funding to help it cope with the workload.
Digital Rights Watch chair Tim Singleton-Norton welcomed the funding boost for the office, but said changes also needed to be made to the structure of the authority.
“It’s always been woefully underfunded in order to do its job, and so this is a great step towards ensuring that the relevant watchdog is properly funded,” Mr Singleton-Norton told InnovationAus.com.
“There’s certainly room for improvement in terms of the overall structure of how government bodies such as the OAIC work. The concept of ‘information’ and ‘privacy’ have changed so much since these bodies were initially created, in particular the relationship between public users and corporations who build systems or software.”
Ms Falk said the funding boost and policy announcement is an “important step in meeting community expectations that personal information will be handled in a way that is transparent and accountable”.
“These changes will strengthen our existing privacy safeguards to help ensure entities operate transparently and handle personal information responsibly. They will also provide stronger protections for children and other vulnerable Australians as they navigate the online environment,” Ms Falk said.
The government has also committed to introducing more significant penalties for large tech companies that breach Australian privacy laws. The changes would increase the fine to $10 million, up from $2.1 million.
The companies would also face a fine of three times the value of any benefit obtained by the misuse of the information, or 10 per cent of their annual domestic turnover, if either of those options is more than $10 million.
The proposed amendments to the Privacy Act would also require tech companies to stop using and disclosing personal information about individuals upon request.
While this is a positive step, there also needs to be a focus on preventing the data breaches in the first place, Mr Singleton-Norton said.
“It’s good to see the government at least taking this issue seriously for once. But a pure stick approach is not going to solve the wider issue of both keeping companies to account as well as restoring public faith in their use of those services,” he said.
“It needs to be a truly collaborative approach that involves corporations, government and civil society in the development and enforcement codes, including penalties.”
Attorney-General Christian Porter said the current penalties and protections in the Privacy Act “fall short of community expectations”.
“What the Morrison government is doing today is outlining a new regime of protections for Australians and penalties for those who misuse Australians’ personal information,” Mr Porter said.
“This regime will update our privacy laws without impeding the continued innovation and development of companies working in the online space.”
Tech companies like Facebook and Google need to do better in protecting the personal information of Australians, communications minister Mitch Fifield said.
“Today we are sending a clear message that this government will act to ensure consumers have their privacy respected and we will punish those firms and platforms who defy our norms and our laws,” Senator Fifield said.
The government said it would begin consultations on the amendments to the Privacy Act in the second half of the year, but there is likely to be a change in government in May, so it’s unclear whether any of the changes will come into effect.
The amendments will also include requirements for tech firms to be “more transparent” about the sharing of data and more specific when obtaining consent for this.
“We will be requiring platforms to implement a mechanism to ensure they can take all reasonable action to stop using an individual’s personal information if a user requests them to do so and have even stronger regimes to address these issues when the user is a child or other vulnerable person,” Mr Porter said.