Privacy Enforcement in Australia is Strengthened: Gaps Remain

(2014) 128 Privacy Laws & Business International Report 1-5

UNSW Law Research Paper No. 2014-32

6 Pages. Posted: 21 Jul 2014. Last revised: 15 Oct 2014.

Graham Greenleaf

University of New South Wales, Faculty of Law

Date Written: April 20, 2014


Australia’s Privacy Act 1988 now includes considerably stronger enforcement powers, including civil penalties of up to AUD $1.7 million (1.15 million euros), in effect from 12 March 2014. This article first outlines the new powers, then argues that there are still deficiencies in appeal rights and transparency which may reduce their effectiveness.

Seven changes to the enforcement aspects of the Act are discussed:

(i) Civil penalty provisions for ‘serious’ or ‘repeated’ breaches;

(ii) Power to make determinations following ‘Commissioner initiated’ investigations;

(iii) Commissioner can accept enforceable undertakings;

(iv) Broader orders possible after complaint determinations;

(v) Right of appeal to the AAT;

(vi) Compliance ‘assessments’ of any public or private sector organisation;

(vii) Privacy Impact Assessments (PIAs) by agencies.

All of these new powers are potentially valuable, and when added to the existing enforcement powers to award compensation, seek injunctions, and investigate ‘representative’ or class complaints, they give Australia’s Privacy Act one of the strongest ‘regulatory toolkits’ in the Asia-Pacific. But expanded powers are only valuable if they become credible through use, and credibility also requires transparency. Problems with the effectiveness of enforcement arise from five ‘transparency gaps’ which remain in Australia’s law, discussed under these heads: Silence from the courts; Determinations are lacking; Dissatisfied complainants still have no right of appeal; Lack of case summaries; Compensation payments remain unknown. For Australia to have a ‘responsive regulation’ system for data privacy, these deficiencies need to be remedied.

Finally, the article notes further developments, as yet unresolved, which will have an impact on the effectiveness of Australia’s enforcement of privacy laws: the Commissioner’s draft ‘enforcement policy’; mandatory data breach notification (MDBN); and a statutory ‘privacy tort’.

Keywords: privacy, data protection, Australia, enforcement, mandatory data breach notification, tort

Suggested Citation

Greenleaf, Graham, Privacy Enforcement in Australia is Strengthened: Gaps Remain (April 20, 2014). (2014) 128 Privacy Laws & Business International Report 1-5, UNSW Law Research Paper No. 2014-32, Available at SSRN:


