Australia’s privacy office is “weak” and “dysfunctional” and requires significant additional funding and resources to adequately carry out its important roles, according to submissions to the federal government’s Privacy Act review.
Nearly all submissions to the inquiry, being conducted by the Attorney-General’s department, are in agreement that the Office of the Australia Information Commissioner (OAIC) is under-funded, under-resourced and ineffective in its current state due to these factors.
The OAIC is facing a “remarkable” drop in annual funding when the $25 million lifeline over three years provided in 2019 comes to an end.
The office was allocated $24 million in 2020-21 but will receive an average of about $13.3 million annually over the forward estimates.
The OAIC is yet to receive a funding guarantee going forward, and its budget over the forward estimates will likely be determined as part of the review of the Privacy Act.
The resourcing of the privacy office was a central theme among many of the submissions to the issues paper of the inquiry.
The Australian Privacy Foundation said that the OAIC is a “weak regulator” compared to its global peers.
“The OAIC needs to have adequate funding, strong powers, a regulatory culture similar to the ACCC and high compensation limits. The OAIC needs to be a strong regulator, and the review of the Privacy Act must be followed with adequate funding of the OAIC,” the Australian Privacy Foundation submission said.
A privacy commission separate from the office’s information roles should also be established, the submission argued, while it is “ineffectual and arguably dysfunctional” due in part to its lack of funding and Australian courts not having many opportunities to interpret the Privacy Act.
In a separate submission, Electronic Frontiers Australia said that the “greatest impediment” to the upholding of privacy rights for Australia is the “chronic underfunding” of the OAIC.
The Office of the Victorian Information Commissioner (OVIC) also made the case for its federal counterpart to be provided significantly more funding to deal with its increasing workload.
“Effective enforcement of the Privacy Act is impacted by the amount of resourcing provided to the OAIC to enable it to carry out its statutory functions. Consider OAIC’s and its predecessors’ expanding privacy responsibilities over the last four decades, as described in their annual reports. These reports show that the role of Australia’s federal privacy regulator has grown immensely over this time,” the OVIC submission said.
“In 2019-20, the OAIC’s privacy functions including providing advice, conducting audits, managing a data breach notification scheme, exercising a wide range of regulatory powers, conducting court proceedings against Facebook, and handing 2,673 privacy complaints.
“As well as regulating the public sector, it also has the larger task of regulating Australia’s private sector, and large global businesses that collect personal information in Australia,” OVIC said.
“In light of its growing responsibilities, it is crucial that the OAIC is appropriately resourced to effectively carry out its regulatory functions, including its complaint handling and determination functions.”
The Australian Competition and Consumer Commission (ACCC), whose digital platforms inquiry led the government to launch the Privacy Act inquiry, also said the OAIC’s funding should be central to this investigation.
“It is important that the review consider whether the OAIC has the full suite of enforcement and investigative tools it needs and whether the OAIC is adequately staffed and resourced to take enforcement action,” the ACCC said in a submission.
The OAIC itself has also told the government that it needs more funding and staff to “effectively deter inappropriate conduct and support privacy best practice”.
“There is a need to take more substantive regulatory and enforcement action on the Commissioner’s own initiative in order to shift the behaviour of regulated entities across sectors, rectify, remedy and provide broader deterrence. This requires sufficient regulatory tools and powers, as well as resources,” Australian Information Commissioner Angelene Falk said in the submission.
“The OAIC must be appropriately resourced to properly carry out its statutory functions and use the full suite of regulatory powers effectively, including enforcement through the courts, which can be costly and resource intensive.”
Do you know more? Contact James Riley via Email.