The Privacy Series: Changing regulator enforcement powers

The Privacy Series

To help marketers prepare for the impact that the privacy reforms will have on the industry and our practices, we have created The Privacy Series. Each month we will deep dive into one of the key components set to reshape the Privacy Act to understand what they mean for marketers and their businesses.

Changing regulator enforcement powers

As we have previously explored in the Privacy Series, when detailing the first tranche of privacy reform and the crackdown on the use of tracking pixels, the Office of the Australian Information Commissioner (OAIC) has been granted stronger enforcement powers as part of Australia's privacy reforms. However, the Information Commissioner, Carly Kind, who is now a year into the role, has already demonstrated that the OAIC will be an enforcement regulator, even prior to the enhanced powers becoming law. The OAIC has given fair warning that its concern for, and governance of, privacy and the correct handling and use of consumer data is a top priority.

With marketers being the first touch point between a business and customer data, it is paramount that they are across the changing regulations and the likely ramifications should non-compliant practices occur. In this article, we will outline the stronger enforcement powers of the OAIC and explore some recent determinations as evidence that the OAIC is an enforcement regulator. Finally, we will assess how this directly impacts the role of the marketer in today's environment.

Stronger enforcement powers

In September 2024, the first tranche of privacy reform was introduced to parliament by Attorney General Mark Dreyfus in the Privacy and Other Legislation Amendment Bill 2024 (the Bill). Part of that Bill granted stronger penalties and enforcement powers to the OAIC to provide more robust measures to ensure privacy protection.
These changes were in addition to the stronger penalties and enforcement powers introduced by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022. The changes from these two pieces of legislation include the following:

Increased financial penalties for serious or repeated privacy breaches

The financial penalties for serious or repeated privacy breaches were significantly increased by the legislation passed in 2022. As a result, businesses that do not comply with the Privacy Act and the Australian Privacy Principles (APPs) can be fined up to, but not exceeding, the greater of:

- $50 million;
- three times the value of the benefit obtained by the business from the breach; or
- 30% of the entity's adjusted turnover during the relevant period.

Expanded scope of investigation

As a result of the more recent Tranche 1 reforms, the OAIC now has a range of broader powers, including the ability to conduct investigations for non-compliance even if a formal complaint has not been made. This enables a more proactive OAIC in monitoring privacy practices.

Compliance Notices and Enforceable Undertakings

Organisations can now be issued Compliance Notices and Enforceable Undertakings, which are legally binding and carry serious consequences for non-compliance. A Compliance Notice provides direct steps to rectify privacy violations, while an Enforceable Undertaking involves an entity agreeing to specific actions to address breaches.

Issue penalty notices

In addition to the 2022 legislation, the 2024 legislation now also provides the OAIC with the ability to issue organisations with penalty notices. For more minor breaches of the law, financial penalties can now be directly imposed without the need for judicial proceedings. This makes it easier and more efficient for the OAIC to enforce compliance.

Notifiable data breaches

When a significant data breach occurs, organisations must report it within 30 days of discovering the breach.
If the OAIC believes an organisation has failed to do this, it can issue directions or make determinations in response.

By providing the OAIC with these stronger enforcement powers, organisations will have no choice but to implement robust privacy practices. As the world continues to develop technology at an unfathomable pace and become increasingly data-driven, holding businesses accountable and transparent by enforcing compliance to protect individual privacy is paramount.

Real world examples

With new enforcement powers at the ready and a passion for the protection of people's privacy, the Privacy Commissioner is not holding back on keeping organisations accountable. Here are two real world examples of how the OAIC is signalling that it is an enforcement regulator.

Facial recognition

Facial recognition technology has been implemented in retail settings for many years now. However, in October 2024, after rigorous review, the OAIC issued a determination for a facial recognition case with a homewares supplies retailer. Without diving into all the details of the determination, in short the retailer was using facial recognition technology in its stores in a manner that, according to the OAIC, was in breach of APP 1, which focuses on open and transparent management of personal information.

The OAIC's guidance on APP 1 emphasises that this is an ongoing obligation. Entities need to continuously review and update their practices and procedures to ensure they remain appropriate and effective in light of any changes to their operations or the evolving privacy landscape. This is noteworthy as the OAIC is not just seeking out cases where serious or repeated breaches have occurred, but setting an example that the obligations as set out in the APPs need to be upheld. The OAIC is holding organisations accountable and to a higher standard to ensure that privacy is protected adequately.
Data scraping

In late 2024, the OAIC issued two determinations involving data scraping that targeted vulnerable people, against a property investment private education institute and its related online property development program. In both cases, the involved entities dealt with companies collecting personal information from publicly available sources, without individuals' knowledge or consent, to create "leads lists" for property investors. The Privacy Commissioner found that both entities breached APP 3.5 (collect personal information only by lawful and fair means) by collecting this information in a way that was not fair.

The key takeaway here is that, once again, the OAIC is not just an enforcer of compliance, but is actively raising the bar to a higher standard and evolving its expectations of best practice in response to new technologies and business practices. In the data scraping determinations, "fair" means more than just lawful. Even though the information was publicly available, the Commissioner emphasised that APP 3.5 requires collection to be both lawful and fair. As the collection of personal information in these two cases was not fair, the OAIC is exercising its right to enforce compliance and making an example that, when it comes to privacy, fairness is equally as important as the law.

What it means for marketers

All businesses, whether they have a marketing team of one or 1,000, should consider the recent guidance provisions and determinations given by the OAIC as notice of what is to come. That is, greater surveillance and scrutiny of organisations and their privacy practices, particularly around the governance of data classified as personal information.

Theoretically, the solution to avoid any OAIC interactions is an easy one. Simply be a responsible marketer and consider the law as the floor.
By operating above and beyond what is compliant, applying best practice and doing what is right by the customer, you should be well on your way to minimising the risk of non-compliance. That, of course, is potentially easier said than done. If being a responsible marketer is how you and your business have always practised, then you will be ahead of the game. However, always make sure you are keeping up to date with regulatory changes and work with your in-house legal teams to ensure that risk management is ongoing.

If, like many, there is uncertainty around your data practices, excess or historical data being stored, and a multitude of systems, software and processes in place without a single source of truth, there is work to be done. There is no longer any time to spare, and the OAIC has clearly demonstrated that. It is time to thoroughly audit your data, purge any unnecessary data, and clean up your systems and processes. The importance of this project should not be underestimated, nor should the time it will take to complete.

By doing this now, when the full privacy reforms are legislated your business will be able to put its best foot forward in the new regulatory landscape. The transition will be swift and seamless, and you can carry on with business as usual. Business activity will remain largely unaffected, and you can continue to operate as you need, rather than scrambling to become compliant as quickly as possible.

Additionally, and we cannot stress this enough, it is absolutely critical for marketers to upskill in privacy and compliance. Marketing teams can no longer turn a blind eye and rely solely on their legal and compliance stakeholders. To be a responsible commercial marketer is to understand the legislative frameworks governing our practices. Having a thorough understanding of the law now, and of what it will likely become, will mean marketers can apply a compliance lens over their work. Ignorance is not bliss here.
Rather, education is key to ensuring compliance is met and to implementing responsible marketing practices by doing what is right for the customer.

Want to know more?

ADMA IQ has a series of regulatory courses to help marketers upskill in this critical area. Whether you enrol in one of our specific online regulatory short courses or are looking for a more thorough and comprehensive course in our Privacy and Compliance for Marketers course, we have the learning solution for you.