Privacy Commissioner indicates imminent changes to enforcement focus in Australia

Authors: Hamish Fraser, Madeleine Clift, Evelyn Park, Jonathan Wong.

Australian Privacy Commissioner Carly Kind has kicked off Privacy Awareness Week by signalling a shift in the regulator’s focus to facilitate more “outcome-based enforcement” in her keynote address at the IAPP Sydney KnowledgeNet event.

In her address, the Commissioner highlighted her intent for the Office of the Australian Information Commissioner (OAIC) to take a stronger enforcement role in privacy protections, and called for people, organisations and government to “power up (their) privacy – to take control and step things up”.

Ms Kind indicated that her team was reviewing the OAIC’s enforcement practices with a view to taking a more proactive and proportionate approach as an enforcement focused regulator that “punches above its weight”.

Ms Kind reiterated this point today in an online panel discussion with the Privacy Commissioners in NSW, Victoria and Queensland, stating that “I would agree that privacy regulators everywhere should be exercising their powers to their fullest extent, and many times this means enforcement”. She noted that privacy regulators around the world are “gearing up” and “the OAIC is keen to be part of that trend”.

The OAIC has, for many years, been described by some as a “toothless tiger” when compared to Australia’s other regulators with historically stronger enforcement powers and activity, but this description is apt to mislead given the changes in recent years that strengthened the OAIC’s regulatory powers and the present indications that the OAIC is adopting an enforcement focus moving forward. The Commissioner acknowledged that the privacy reforms, which are overdue, aims to restore power in individuals, and that the OAIC will be wanting to see “entities inject power (to individuals) rather than react”.

This new focus on enforcement, along with the upcoming privacy reforms (likely to expand the OAIC’s enforcement powers), signals a further shift of the OAIC into its role as an active enforcement regulator.  Businesses should be watching this space very closely to see what our new Privacy Commissioner will make of the role.

The Commissioner also advocated for better and more considered data practices across the board, noting that businesses should be wearing the burden of protecting individual’s data rights and proactively implementing data minimisation practices. The Commissioner encouraged attendees to shift their approach to data security.  This includes limiting their frontline collection of personal information (e.g. by applying necessity tests) to avoid over collecting unnecessary data, as opposed to relying solely on data security once the business has accrued large data sets. In other words, prevention before the cure.

On the topic of AI and emerging technologies, Ms Kind urged CEOs at organisations to take a precautionary approach before signing off LLM and AI tools emerging from experimental phases which deal with individuals’ data, and ensure “transparency, accountability and security”.

If not already in train, businesses should begin taking stock of their data holdings (particularly in the wake of the Government’s announcement to release further privacy legislation in August), with a view to reviewing their data collection, retention and management practices to enable compliance with the incoming laws and ensure appropriate data minimisation practices are implemented in line with the Commissioner’s recent comments.