Image credit: Farzad Nazifi
If there’s one thing privacy experts agree on, it’s that the watchdog tasked with enforcing Australia’s Privacy Act is not adequately resourced or funded to police contraventions of the act in any meaningful way.
It’s not that Australia’s privacy laws are necessarily inadequate, according to Malcolm Crompton, a former federal Australian privacy commissioner who is now managing director at privacy consulting outfit Information Integrity Solutions. “What is happening is that the law is not being enforced,” Crompton told Crikey, because the Office of the Australian Information Commissioner (OAIC), is inadequately funded.
Dr Angela Daly, a postdoctoral research fellow at Queensland University of Technology, agrees, suggesting that the Privacy Act was “not totally useless”. But, she says, “enforcement remains a really big problem”. And, she adds, the privacy commissioner’s office is “kind of a scared mouse when it comes to speaking truth to power,” due to its lack of resourcing.
Mr Crompton referenced a recent question to a panel he chaired during Privacy Awareness Week in May to illustrate his point. The audience member, who was among a group of Australian privacy industry representatives, started their question by noting that the level of funding for the OAIC was “criminally deficient”.
“It’s a badly understaffed office that doesn’t have money for prosecutions [against companies] and doesn’t have money for enough staff,” Crompton said. The level of funding for the office is “woeful,” he argues. “They need a credible budget so that large companies know that they will be taken to court and the prosecutions seen through.”
The OAIC’s core funding this financial year is $10.7 million, plus an additional $3.6 million through agreements with various government agencies to do work for them. But the $10 million also includes the cost of reviews of government freedom of information (FOI) requests. As of early February, the OAIC had 48 staff working on privacy and 18 on FOI.
Anna Johnston, director of privacy consultancy Salinger Privacy and a former deputy privacy commissioner of NSW, says the OAIC’s lack of funds and small penalties that are rarely if ever applied, means it lacks teeth and authority.
“Every regulator needs to take a mix of carrot and stick approaches, but if you are waving a big stick you need to have a fair bit of money behind you to run cases and enforce the law.”
Fines that can be levied on companies and government agencies amount to up to $2.1 million for breaches of privacy. But the privacy commissioner has never applied such a hefty fine on a company, instead opting for what’s known as court-enforceable undertakings, or settlements. Such undertakings are similar to good behaviour bonds slapped on criminals without a prison sentence. They acknowledge a breach has often occurred, but don’t impose a penalty.
“It’s an extremely weak model both in theory and in practice,” said David Vaile, co-convenor of the Cyberspace Law and Policy Community at the University of NSW and chair of the Australian Privacy Foundation. “They don’t have to investigate and they don’t have to make a determination. And if they do [make a determination], it is not enforceable [until upheld by a court].”
According to the OAIC’s latest annual report, 2494 privacy complaints were made in 2016-17 compared to 2128 in 2015-16. The office “closed” 2485 complaints in 16-17 and 2038 in 2015-16. The time taken to close a complaint was 4.7 months in 2016-17 compared to 4.9 months in 2015-16.
“The majority of privacy complaints continue to be closed on the basis that the respondent has not interfered with the individual’s privacy, or the respondent has adequately dealt with the matter,” the commissioner’s annual report states.
“If there is no message sent out to business and government that there are really serious consequences for breaching the Privacy Act,” said Graham Greenleaf, professor of law and information systems at the University of NSW, “the only reasonable conclusion one can draw is that there are no serious consequences and that it is just an expense of doing business if you occasionally might get caught up.”
The experts also lamented the fact that Australia had not yet seen a company that trades on personal information, such as Facebook or Google, challenged before the courts on whether they had sought genuine and informed consent.
“When the courts have been asked to test ‘Are these consents actually consent as defined in Australian law and common law?’ only then will we know whether the provisions in the Privacy Act are sufficient to deter [invasions of privacy].”