Privacy Complaints and the OAIC’s New Approach

Privacy Awareness Week (PAW) runs from the 4th – 10th May 2026.  This year’s theme is Trust is built here – In every privacy complaint. In every resolution, which highlights the critical role complaint handling plays in demonstrating fairness and accountability.

From our experience, complaints and other requests from data subjects are definitely on the rise. However, a focus primarily on complaint handling seems an unusual stance for the Office of the Australian Information Commissioner during such a critical period for privacy.

This post examines the impact of privacy complaints on OAIC’s resources, its stated regulatory priorities, and the importance of shifting effective complaint handling responsibilities to the regulated community, perhaps shining some light on why privacy complaints are the focus of PAW 2026.

Complaint handling statistics

For the OAIC, complaint handling is one part of a broad range of regulatory activities including:

• conducting investigations
• reviewing decisions made under the FOI Act
• monitoring agency administration
• providing advice to the public, organisations and Australian Government agencies

However, it is clear that complaint handling is becoming increasingly challenging for the OAIC, with its limited resources.

Across the period from 2022 to 2026, the number of complaints has remained relatively consistent (after the big uptick in 2022 – 2023, following the litany of Australian data breaches) and the number of complaints resolved each year has generally trended upwards, rising from 2,575 finalised in 2022-23 to over 3,100 per year in both 2023-24 and 2024-25.

However, the OAIC system is clearly under pressure. The time taken to resolve complaints has stretched out: the average time to finalise a complaint increased from 6.4 months in 2022-23 to 7.6 months in 2024-25, and the proportion finalised within 12 months dropped from 84% in 2022-24 to 76% in 2024-25 (See Appendix 1 for information taken from the OAIC Annual report).

By early 2026, the OAIC publicly acknowledged that, due to ongoing high complaint volumes and resource constraints, it was unlikely to progress new privacy complaints for 6 to 12 months after lodgement, except in exceptional cases. This indicates a mounting backlog and highlights the increasing strain on the OAIC’s capacity to deliver timely resolutions, despite ongoing process improvements and efforts to address older, more complex matters.  Clearly, without additional resourcing, something must change.

New era of complaint handling responsibility

In its announcement of the PAW theme, the OAIC notes that it is building on the 2025 theme, Privacy: it’s everyone’s business. The intent of the 2026 campaign is to shift from theory to practical application of the Privacy Act, particularly when organisations and government agencies handle privacy complaints and disputes. The OAIC says:

Effective dispute resolution supports timely outcomes, strengthens governance and builds public confidence. Poor complaint handling can erode trust and increase regulatory risk.

The most obvious clue to the new direction in privacy complaint handling by the OAIC is the Privacy Commissioner’s Blog Post from March 2026: Handling privacy complaints – a new approach for a new era released in March 2025.

The new era is introduced by a confirmation of the regulatory priorities in terms of safeguarding privacy rights, which are enforcement activities including civil penalty proceedings, issuing infringement notices, issuing determinations and guidance. These actions are clearly seen as more effective from a regulatory perspective, with the Privacy Commissioner stating that she believes that:

The general deterrence impacts of significant enforcement action can lead to systemic change, and potentially lead to the eradication of harmful market practices. That means we can actually help more people by strategically pursuing matters that enable us to tackle persistent, egregious or systemic harms.

A new approach to individual privacy complaints

But this focus will not address the growing problem of complaint handling. And so, we have a new approach. No doubt to help lighten the load, the OAIC will now prioritise serious and valid complaints, which will speed up decision-making, and ensure OAIC resources are allocated proportionately to matters that can drive meaningful change.

To do this, not all complaints will be investigated, and the Commissioner will use discretion to focus on systemic and persistent harms, aiming for broader impacts across the economy. Those complaints that don’t meet a threshold of seriousness that warrants the proportionate investment of our resources are unlikely to be investigated in the future.

Steps will also be taken to ensure complainants have followed the necessary processes and provided all the required information.

Complainants are asked to familiarise themselves with the requirements for lodging a privacy complaint with an organisation or agency, and if you are unable to resolve your complaint with the organisation or agency, the requirements for lodging a valid complaint with us.

Complainants are also being directed to an external dispute resolution scheme (EDR scheme) where available, which should include some of the most complained about sectors e.g. banks, super funds and telecommunication providers. A list of approved external dispute resolution schemes is available on the OAIC website.

• A list of relevant information that should be provided from the outset is provided. This list includes:
• a copy of the complaint made to the entity,
• a copy of any relevant document or correspondence, including the entity’s response to your complaint and
• a statement of what outcome you’d like to resolve your complaint.

A clear-eyed look at constraints and outcomes

The Privacy Commissioner’s Blog Post ends with some advice for complainants. They should be aware that the OAIC will use its discretion to investigate to support a strategic assessment of which complaints it will take on.

It is unlikely to proceed where the complaint relates to an issue already under OAIC investigation (such as a notifiable data breach or representative complaint).

Finally, complainants are urged to be realistic. If the entity being complained about offers a resolution deemed reasonable by the OAIC, the complaint is unlikely to be investigated further. If the complaint is substantiated after investigation, the OAIC may issue remediation declarations, but compensation is not guaranteed and depends on the specific circumstances. Delays are likely; because of the backlog, new complaints may not be substantially progressed for 6–12 months unless there are exceptional circumstances.

Conclusion

While it is understandable that the OAIC’s focus should be where it can obtain the best outcomes for Australians, it is disappointing that the resources available to the office are so constrained that individuals will have even more limited access to some sort of redress where they believe there has been an interference with their privacy rights.

Limitations on the availability of the Statutory Tort for Breach of Privacy means that most Australians are constrained to use the complaint process in the Privacy Act where they have a privacy concern. 

It is not clear that the Commissioner’s decision to not investigate a complaint is a decision that an individual may take administrative action regarding.  If this is the case, it is possible that many Australians will feel that they have not been adequately protected by Australia’s privacy laws or the regulator.

Appendix 1: OAIC Annual Reports – Complaint Handling Details

The following information is taken from the OAIC Annual reports from 2022 to 2025:

• 2022 – 2023 OAIC Annual Report: There was a massive leap in privacy complaints – from 2,546 to 3,402 – a 34% increase. The number of finalised complaints increased by 17% (from 2,206 to 2,575).  84% of complaints were finalised within 12 months against a target of 80% with the average time taken to finalise a complaint being 6.4 months. The Top 5 Sectors by privacy complaints received were Finance, Health Service Providers, Telecommunications, Australian Government and Retail.
• 2023 – 2024 OAIC Annual Report: Although there was a slight decrease of 5% this year, complaint numbers remained high. 20% more privacy complaints were resolved (3,104 in total), following last year’s 17% increase (2,576 resolved). Focus was on clearing older, typically more complex complaints, finalising 84% (271 out of 322) that had been unresolved for over 12 months as of June 2023. However, newer complaints also aged during the reporting period. Because of the volume and attention on longstanding cases, the number of matters older than 12 months increased to 729 by year-end. The OAIC will continue targeting these aging cases through process improvements and strategic resource allocation. [1]
• 2024 – 2025 OAIC Annual Report: There was a 3% increase in privacy complaints from 3,196 to 3,295. The number of complaints finalised in the year remained around the same (3,123 compared to 3,103 in the previous year). 76% of complaints were finalised within 12 months against a target of 80%.  The average time taken to finalise a privacy complaint was 7.6 months (around 30 weeks).  The highest number of complaints related to Health Service Providers followed by Finance and then the Australian Government. Social Media and Online Services were the 3^rd and 4^th most complained about.

[1] OAIC Annual report 2023–24, p4