Privacy Enforcement in Australia is Strengthened: Gaps Remain
(2014) 128 Privacy Laws & Business International Report 1-5
6 Pages. Posted: 21 Jul 2014. Last revised: 15 Oct 2014
Date Written: April 20, 2014
Australia’s Privacy Act 1988 now includes considerably stronger enforcement powers, including civil penalties of up to AUD $1.7 million (1.15 million euros), in effect from 12 March 2014. This article first outlines the new powers, and argues that there are still deficiencies in appeal rights and transparency which may reduce their effectiveness.
Seven changes to the enforcement aspects of the Act are discussed:
(i) Civil penalty provisions for ‘serious’ or ‘repeated’ breaches;
(ii) Power to make determinations following ‘Commissioner initiated’ investigations;
(iii) Commissioner can accept enforceable undertakings;
(iv) Broader orders possible after complaint determinations;
(v) Right of appeal to the AAT;
(vi) Compliance ‘assessments’ of any public or private sector organisation;
(vii) Privacy Impact Assessments (PIAs) by agencies.
All of these new powers are potentially valuable, and when added to the existing enforcement powers to award compensation, seek injunctions, and investigate ‘representative’ or class complaints, Australia’s Privacy Act now has one of the strongest ‘regulatory toolkits’ in the Asia-Pacific. But expanded powers are only valuable if they become credible through use, and credibility also requires transparency. Problems with the effectiveness of enforcement arise from five ‘transparency gaps’ which remain in Australia’s law, discussed under these heads: Silence from the courts; Determinations are lacking; Dissatisfied complainants still have no right of appeal; Lack of case summaries; Compensation payments remain unknown. For Australia to have a ‘responsive regulation’ system for data privacy, these deficiencies need to be remedied.
Finally, the article notes further developments, as yet unresolved, which will have an impact on the effectiveness of Australia’s enforcement of privacy laws: the Commissioner’s draft ‘enforcement policy’; mandatory data breach notification (MDBN); and a statutory ‘privacy tort’.
Keywords: privacy, data protection, Australia, enforcement, mandatory data breach notification, tort