The federal government has indicated it has no immediate plans to install a dedicated privacy commissioner despite its heavy workload and a string of ongoing high-profile investigations.
The Office of the Australian Information Commissioner is currently juggling investigations against Bunnings and Kmart over their use of facial recognition technology and a protracted, complex case against Facebook over the Cambridge Analytica affair.
Last financial year, the office dealt with almost 2,500 complaints and 11,647 inquiries about privacy breaches, and almost 1,000 notifications of data breaches, but remains without a dedicated privacy commissioner.
The head of the OAIC, Angelene Falk, currently holds dual appointments as both the information and privacy commissioner. The former government appointed a dedicated freedom of information commissioner in March, following repeated complaints about problems with the nation’s FOI regime.
But the new government appears to have no immediate plans to appoint a dedicated privacy commissioner. Prior to leaving office, the former senator Rex Patrick asked: “Does the Albanese government intend to appoint a privacy commissioner in addition to the information commissioner and FOI commissioner, as is required [by law]… and if so, by when?”
The government responded this week, saying: “Currently, Ms Angelene Falk holds dual appointments as the Australian Information Commissioner and Privacy Commissioner. The government will continue to assess the operational requirements of the Office of the Australian Information Commissioner.”
Patrick said the response shows the government has no intention of appointing a dedicated privacy commissioner. He said that left the information commissioner struggling as a “one-armed juggler”.
“Whilst the information commissioner is carrying out two separate roles, it slows that process down, and slows the FOI side of things down as well,” Patrick said.
“We need to have the proper resources for both privacy and FOI.”
The OAIC’s overall workload decreased slightly from 2019-20 to 2020-21. But it remains engaged in highly complex cases, including its protracted case against Facebook over the Cambridge Analytica scandal. That case remains before the federal court after the OAIC initiated proceedings in 2018, two years after the privacy breach was exposed in the Guardian, and well after comparable nations.
Last financial year, the OAIC was engaged in complex investigations into privacy breaches by Flight Centre and Uber and managed 975 notifications under the notifiable data breaches scheme, which requires companies and organisations to notify the agency where data breaches put individuals at risk of serious harm.
That scheme has only been in operation for several years.
The attorney-general, Mark Dreyfus, said the government was committed to “protecting Australia’s personal information and strengthening privacy laws to empower users to better control and understand how their data is used”.
“My department is in the final stages of its review of the Privacy Act 1988, which will inform future steps to be taken in this space,” he said.