Following the recent spate of data breaches, much of the public conversation has focused on the need for regulatory reform to protect Australians’ privacy and “incentivise better behaviour” from companies that collect and store personal data.
The Albanese government has proposed legislation to increase penalties for companies subject to repeated or serious privacy breaches. Both the Office of the Australian Information Commissioner (OAIC) and the Australian Communications and Media Authority (ACMA) will receive greater powers to resolve privacy breaches and share information, and the Notifiable Data Breaches scheme will also be strengthened.
If these regulatory reforms are to be successful, the regulators will need the resources to exercise the new powers effectively.
The Budget provided small amounts of additional funding to the OAIC. This is welcome, but it doesn’t address the under-resourcing of the regulators in recent years. While it seems a truism to say that additional regulatory powers require additional resourcing, Australia’s tech regulators are consistently being asked to do more with less.
Australia’s tech regulators are currently grappling with the ubiquitous, global, and growing nature of technology, the opportunities and risks that it presents, and what it means for their role, responsibilities, and resourcing.
In the last month alone, multiple sectors have been impacted by data breaches. Optus (telecommunications), Medibank Private (health and insurance), and EnergyAustralia (energy) have been subject to significant cyber incidents resulting in the unauthorised access of customer information, scams and threats of disclosure.
Responding to the Optus breach, the OAIC and the ACMA have both launched investigations into the incident.
This response from the regulators speaks to a larger trend. Australia’s tech regulators are increasingly expected to take on a stronger regulatory posture, characterised by investigations and enforcement action. This has been particularly evident in relation to the behaviour of digital platforms and data breaches.
The Budget provided the OAIC with a small boost in funding over the next two years: $5.5 million has been provided to handle the Optus breach, $1.45 million to support the expansion of the Consumer Data Right, $2 million to oversee privacy protections within the My Health Record system, and $1 million over four years to assist with freedom of information functions.
This Budget bucks a recent trend. Previously the OAIC had been given responsibility for the introduction of important initiatives such as the Notifiable Data Breach Scheme and for regulating the COVIDSafe app with no extra resourcing to support these functions.
The increase in power and responsibility for Australia’s tech regulators has often come without resourcing to support it. Budget allocations for Australia’s tech regulators, the Australian Competition and Consumer Commission, the Office of the eSafety Commissioner, ACMA, and the OAIC, have changed little in the last three years despite a growing range of expectations and responsibilities.
The OAIC remains the least resourced of Australia’s tech regulators. Its resourcing has been relatively static since 2017-18. In the overview of OAIC strategic priorities 2022, released under FOI request this year, the Australian Information Commissioner identified that there will be a 43 per cent reduction in funding over the next two years as short-term budget measures come to an end.
The OAIC is also under-resourced in comparison to global peers. In a comparison of the OAIC, the United Kingdom’s Information Commissioner’s Office (ICO) and Ireland’s Data Protection Commission (DPC), Reset Australia found that for the period 2021-22 the OAIC received $1.11 per person, the ICO received $1.96 per person and the DPC received $6.04 per person (based on the respective populations in 2021).
So far Australia’s tech regulators, particularly the OAIC, have been able to do more with less. But this is not sustainable. The Budget recognised that greater power and responsibility need greater resourcing, but funding commitments need to move beyond band-aid solutions and short-term measures.
In response to recent data breaches, the Albanese government should not focus solely on more regulation and more powers. It must also focus on the effective exercise and oversight of regulations that already exist, and of any new powers. New powers will have limited impact if regulators are not resourced to do their jobs.
Sarah O’Connor is a research fellow at the Australian National University’s Tech Policy Design Centre.