Privacy 108 Webinar on Digital Regulation in Australia

For Privacy Awareness Week 2026, Dr Jodie Siganto, founder of Privacy 108, presented on the history of digital regulation in Australia, with a focus on privacy and data protection. She examined some of the key issues and the underlying contest of ideas that have shaped Australia’s ability to effectively regulate the digital space.

Some progress had been made with privacy reform, with additional key reforms on the horizon, and bold moves had been made to ban social media use for under-16s. However, AI regulation had stalled even as the societal and environmental harms linked to its use were crystallising. These initiatives revealed some of the tensions between the growing need to protect citizens and the community while enabling digital transformation. Australia’s path was not forged in isolation. International tensions, between the EU’s rights-driven approach and the US’s market-led model, were influencing the global regulatory landscape.

Dr Siganto examined how these competing philosophies rippled into Australia’s policymaking, and what this meant for businesses, communities, and the future of digital governance. The session invited participants to consider: Can Australia resist the gravitational forces of global digital power blocs and carve out a distinctive regulatory identity?

Here’s the transcript:

Hey, good morning. Oh, good afternoon, everybody. Sorry, we’ve ticked over. So happy Privacy Awareness Week. I’ll give everyone a chance to join. We’ve got, we haven’t got over 1000 but we’ve got quite a lot of people who have agreed to join us today. So thank you very much. It’s quite exciting. Privacy Awareness Week. It comes around once a year, told all my friends and families who are not as excited as I suspect we are. So yes, this this session is being recorded just so everyone knows that we will make a copy of the recording available in a little while after after the session, and there’ll be a link on our website. I’m being assisted today by Jessica Smith, one of our team. She is just going to help me manage the chat and any questions, I’m really happy to take questions as we go through so if I don’t see you, put your hand up, then Jess is going to be my, be my intermediary and and let me know. So it’ll be great if it’s interactive. I think the session is really designed to just be a little bit reflective, which is a great thing for us to be able to do in Privacy Awareness Week. I feel like we get really caught up in the every day of dealing with privacy stuff, with doing privacy impact assessments, dealing with complaints issues, updating policies, notices, etc. And sometimes it’s great to be able to just take a step back and reflect on where we’re up to, both in Australia in terms of privacy and what’s happening in the broader, I’m going to say digital regulation, but in our space, which kind of covers a lot of of intersecting areas. And also, I guess what the impacts on Australia are, what’s happening in the rest of the world, and I think the world has changed really quite significantly over the last few years, and I think that’s had an impact on on regulation, digital regulation in particular. And I think it’s interesting for us as Australians to maybe just have a think about what that means to us and as Australia as one of Mark Carney’s middle powers, I guess, what our role might be, and what we could perhaps do in this sort of world where we have got competing ideas and tensions, etc. So hopefully that sets a little bit of the scene for this. I’ll try not to be too there are different there are different parts of this presentation, when I’m going through them, where I sort of think, Oh, I’m just showing kind of some of my frustrations about the pace of regulatory change, etc. So please, please try and and bear with that, and I’ll try not to rant too much, but hope, but perhaps some of you will also understand some of those kind of frustrations that we feel around what’s kind of been happening in our space in the last little while. So yeah, that’s what we’re going to do again, really happy for questions as we go through, put your hand up or put it in the chat. And I’m going to just use Jess to help direct those as they come through. So this is what we’re going to talk about today. First of all, just to set things of the development of privacy generally in the kind of the international world, which I think knowing how we ended up where we are now, also kind of is useful to think about what that might mean for the future. For a lot of you, this is probably stuff that you already know. So appreciate, if you bear with me, around that a little bit of a look at we’re up to in privacy in Australia, then the going back out again to what’s happening in the international space, and then coming back in again to what we’ve been doing in Australia, more broadly than just the privacy space. So some of the other intersecting, regular, regulatory kind of initiatives that of interest. There are a lot of them, and I’ve picked out just a couple that I think are kind of informative in the way that they talk about what the direction might be for Australia going forward. So hopefully that’ll make sense. Hopefully it all will come together. For any of you guys who’ve done any training with with me, I know that this is something that you will be familiar with, but I found it very powerful. Talking around about where privacy came from, it helps us understand what privacy is, and to talk about it in a more meaningful way than talking about it, just in the context of data breach, for example. So Carly, Carly, kind, our fabulous Privacy Commissioner, will talk about privacy as being around control and about power. And I think that that really comes from the original start of privacy as we know it in Australia, which comes from Europe, and mostly from post World War Two Europe, where, as a consequence of the horrible war that they had, a lot of thinking was given to how we should embed some fundamental rights, I’m going to say. But what you know? What? What we would like to have in place as a democratic, liberal society, so not just the right to things like for. An expression, but the right not to be tortured, the right to have a job, the right to kind of privacy of a person, etc. So the articulation of these, these rights post World War Two, and in particular, the right to privacy, the right to privacy of your home, your family, your personal life, the recognition of that is kind of as something that was really important to the way that we wanted our society to operate and for us to be able to live as individuals, was the real foundational piece for the development of I’m going to say privacy law, because that’s what we know it, but it’s probably better understood as data protection law, because our Privacy Act is really around the way that we protect personal information, which is information about us. So this idea of privacy, the right to privacy of your home, your family, your personal life, was adopted not just by the the UN the Universal Declaration of Human Rights, but it became part of the European and then EU law by passing kind of conventions and charters, and it has, really, as I said, formed a foundational piece of for the development of data protection law. I think the other thing that’s really interesting to kind of remember when we think about the way that data protection law developed in the EU and Europe, and the way that they have reflected and and have, I think, really enshrined the importance of human rights, is the fact that it was a very divided country in terms of kind of communist, oppressive, sort of dictatorial type regimes, up until, kind of until about 1989 1990 which I know it seems like it’s been forever ago, but it’s really not that long ago, and it’s in the living memory of many, Many people that there was a time where Germany, for example, was half run by stars in a surveillance kind of state, and half was kind of a democratic West Germany. So the sort of the the immediate history of Europe, I think, means the lived experience of many people is the the the damage and the harm that can be done by interference with your human rights, and particularly your your the information that the information about you that might be collected and held by not just governments, but by other agencies. So part of the rise of or the implementation of data protection law, which comes out of privacy law, was really attributed to the rise of computerization and the fact that for the first time, it wasn’t just people collecting information on bits of paper and putting it into a filing cabinet, but computers meant that a large, large amounts of information could be collected and held and shared And correlated and used to make lots of decisions about people, and that had a big impact, I think, on on on people’s on the this idea of your right to privacy and people’s ability to, you know, interact and live in a, in a in a free sort of way. So we saw this move from just general human rights, to articulating a more specific right around protecting the data that’s been collected around you. First of all, in 1980 with the Council of Europe, who adopted the OECD privacy guidelines. And I know that you guys know a lot of you guys will know how much I I bang on about those and the importance of the OECD privacy guidelines as a instrumental in the development of privacy law, mostly around the world, including Australia’s Privacy Act, that and that kind of convention eventually will, you know, becomes the 1995 EU Data protective data privacy directive, which becomes, you know, In 2016 the general data protection regulation, which was really the big game changer in the in the Data Protection world, as well as tightening up and making much more prescriptive these data protections that were that all that all organizations had to be, It significantly increased the territorial application of the regulation to extend to us, big tech in particular, and it also significantly increased fines, so they went to significant financial penalties and percentages to 4% of your gross annual turnover. So really significantly put the focus on the importance of data and protecting of people’s data, kind of in the in in Europe. Interestingly, by contrast, we have what was happening in the US. The US came to the party a little earlier in terms of privacy, but have always put a slightly different lens on on what they mean by it. There was a very influential paper written in the 1890 by Warren and Brandeis, two very significant American jurists. Brandeis subsequently became a Supreme Court justice and wrote a very influential dissenting judgment around the right to privacy being, you know, sort of funded so fundamental to. The rights of Americans, that it must be sort of seen as as a right. And from that, developed a tort which was always a bit messy and unclear. The fundamental idea of the Warren and Brandis idea of privacy in the US was not related to human rights. It was really more grounded in this idea of freedom from interference, or freedom from government surveillance into in particular. So the idea that the government shouldn’t be collecting information about you and should not be surveilling your activities, which is a very kind of American view of the world. So following that sort of initial positioning of privacy, they developed a sort of a kind of strange group of cases around the right to a kind of a tort of the right to privacy, which got sort of pulled together into a kind of a taxonomy which identified four different types of privacy, quite narrow. Was the impact of that 1960 kind of taxonomy, of narrowing it down, of what privacy law might be to things like just intrusion on seclusion, kind of idea, or the kind of publication of of private information, that sort of stuff so very limited, in comparison to the EU, kind of human rights based approach, which was getting kind of much more kind of broad and prescriptive, particularly in the way that it applied to computers and the way that information was being collected. Interestingly, in the US, they were not they were not unaware of some of the problems that might be related to data protection. And they first came up with the Fair Information Processing principles that, again, a lot of you guys will be familiar with, because they were the sort of forerunners of the OECD privacy principles and our PPS. You can see kind of the parallels between them. These were implemented to some extent in a 1974 Privacy Act. It applies to fed to us, federal government agencies, so recognizing some of the issues that had been kind of foreseen around the same time in Europe in regard to, kind of the issues around computerization, but that’s where things kind of stopped in the States. That’s where all of a sudden, privacy, private industry went like, whoa. Just a second. We don’t want to be unnecessarily impeded in the way that we are doing stuff, in particular in regard to innovation and in the internet generally. So there were a whole lot of wars and and different things that were happening over the kind of 1970s 1980s 1990s around the freedom of the internet, which was linked to freedom of speech and protection against government surveillance, which meant that, other than from some very specific sectors, where very prescriptive and narrow laws were applied generally, the development of tech, of the internet, of all sorts of ways of doing business, was left unregulated, and thus we have been lucky enough to end up with a lot of the US. Big Tech has become kind of so ubiquitous. So, you know, Facebook, Facebook, YouTube, Twitter, all of those platforms which we’re going to be talking a bit about and and the impact of their influence. So there have been some attempts to wind back some of the untrammeled power or or ability of these to kind of do stuff in the States, and mostly at a state level, with data breach notification laws, and then we’ve seen more recently at a state level, privacy acts being passed. Again. It’s a little troubling because they’re not necessarily consistent. They have a consumer sort of lens, which we’ll talk about with some of the issues with kind of taking that consumer lens to privacy, and again, it’s leading to this kind of difficult patchwork of inconsistent regulation that makes it very hard to kind of wind your way through if you are doing kind of business. Across the United States, there have been many attempts to pass law at the federal level, or the most likely was one during the Biden administration and California, somewhat bizarrely, were the ones who stopped that one because they thought it would undermine their existing law, that was which they thought provided greater protections than what the federal act did. So having kind of put the brakes on that one, we sort of lost the opportunity with the changing regime. So the federal privacy of federal privacy law looks very, very far away in the United States. So interestingly, two big powers, two very different approaches to not just personal information, but the way that we regulate the technology companies that are going to using our data as we thought we talked about, that the waging of war, the business model that that was used and and what really happened was that this has become increasingly problematic for Europe, but more more importantly for the EU, because the. EU as a regulatory body, has got a lot, a lot of power, right? It’s a large trading block. It’s, it’s a significant, it’s a significant part of the world. If big tech wants to do business in the EU, then they need to be aware of, or to at least try and comply with some of the EU regulation. So the EU, you know, there are a series of things I know, the Snowden revelations about the amount of amount of data that was being collected by us, national security agencies, the Google case with the Spanish regulator, where Google was arguing that it’s American operations were outside the jurisdiction of Europe, which they failed. Max shrems, the kind of poster boy for privacy who took on Facebook and said that Facebook shouldn’t be transferring data to the United States because it didn’t it the United States didn’t provide sufficient protections for it, which is just such a kind of great David and Goliath story, although there are lots of people who kind of, you know, lots of people who love and lots of people who hate Max Schrems, but it just shows the power of kind of really active civil society to hold to hold large organizations to account, which is fantastic Cambridge Analytica, which was a kind of a big one for Facebook. And it really, I think Cambridge Analytica was a big wake up call in terms of decisional interference and political interference, where it became more than just targeted advertising and people kind of just feeling it was all a bit icky. It became kind of something that had an impact on democracy and on, you know, the way that countries were run, that really made people stand up and have a look at it. So there was a whole kind of series of things in 23 on 2013 2014 that led to this cranking up of privacy protections under the GDPR, and with a particular focus on trying to rein in the power of us, big tech, as I said, the extended territoriality of the laws, to make sure that it really clearly kind of covered us big tech. So there’s no more kind of argument that that wasn’t the case, the significant increase of obligations on processes with big tech still arguing in some cases that they were just providing a platform rather than a method of processing. And of course, the much greater penalties that we’ve talked about again, which were all again, ways of the EU trying to address kind of redress the imbalance, I guess, the fact that us, big tech had been able to create solutions and business business services that the Europeans felt would not have been able to be developed if they had had to comply with the European approaches to privacy. So that’s the that’s the way that things happen, and we were going along right with the GDPR kind of becoming something that most people, I think, accepted was, you know, the new benchmark for privacy, and certainly something that a lot of other jurisdictions followed. You know, Brazil, even China, lots of countries have kind of lived in or implemented privacy laws that are kind of akin to the GDPR. European regulators kind of haven’t sat back and just sort of let things go. They have taken it up to us. Big tech. Nine out of the biggest fines for violating GDPR against us. Big tech. The only one that isn’t against big tech is us. Big tech is Tiktok. That’s, you know, arguably Chinese, but potentially now it’s, it’s going to be us, big tech. So all of those platforms are ones that we are kind of familiar with. Some of the sort of the themes that come across from this, from these actions, are interesting, though. They’re about things like lack of transparency around the use of children’s data, the targeted targeted advertising, and the way that information is collected for targeted advertising. So there are some themes around particular harms I think that have kind of come through from the things that the large fines that have that have been implemented so far. It’s good to see that these fines have taken, have have, you know, been issued, but it hasn’t been without, again, some complications. The Irish Data Protection Regulation regulator is the one who’s doing most of the hard lifting, often, you know, in an environment where some of the other kind of European countries are not as sort of supportive of the direction. Think that maybe more can be, can be done. But I know Ireland is a relatively small country with 5 million people, that’s become the European regulator for big tech, which I think is an unexpected outcome of some of the harmonization of kind of regulatory enforcement things that have happened. So again, we’re kind of up to now. We’ll talk, and, you know, we’ll kind of come back to where we’re up to with with with regulation in the EU and the US, because sort of things that sort of are changing a little bit, I think because of the change in regimes. I guess now what I wanted to do was just talk. Just turn to Australia a little bit. It and talk about what our journey is in Australia, because we have quite a different approach. I suppose our Privacy Act is a piece of legislation that sits sort of by itself, without any underpinning, in kind of any kind of substantial commitment to human rights. It’s unlikely, I think, at this stage, that Australia will ever accept a Charter of Human Rights. And so this makes you know some of the things that we’re trying to do with our Privacy Act, I think a little bit challenging. We got our Privacy Act in 1988 which is interesting. It’s quite early on in terms of privacy, the introduction of privacy regulation, but it was really as a reaction to the Australia card and the our first act was limited to just federal government agencies, and was introduced by the government in response to concerns around that the introduction of the identity card, it was extended to the private sector only 2000s and then, even then, If guys, a lot of you people won’t remember. A lot of I’m sure a lot of you won’t remember. We had two sets of privacy principles. I think we had IPPs and NPPs difference applying to government and to the private sector. And it was sort of one of those things that was kind of right for reform. So the reform process of the our biggest reform process so far, in my view, was, was the one that was kind of rolled up as part of the Australian Law Reform Commission review in 2008 I know that this is going to be an incredibly privacy nerdy thing to say, but that Australian Law Reform Commission review from 2008 is just like an excellent, excellent piece of of of review into the privacy, the state of privacy law at the time, and making recommendations about what the ways that we could kind of go forward. You know, they included, you know, the statutory tort for breach of privacy. They included the right to the individual right to sue, a whole lot of things that have kind of continued to be discussed so and again, you know, this is again, our recent experience in terms of the sort of the long process of reform is not new. The original Law Reform Commission review, I think, started in 2006 they published a report in 2008 I think that the initial legislation was passed in 2012 and it became effective in 2014 so in effect, we had a 2006 to 2014 eight year process, so that but by the time the amendments were introduced or became effective, arguably, the law was already out of date. If you looked at what had happened in the tech space, between 2006 and 2014 we added in a notifiable data breach scheme, which was part of those original reforms. It just had a little bit of a delay while we’ve kind of thought about it a little bit more. And then we had some amendments in 2022 just really post Optus and Medibank, when all of a sudden, I think a lot of people woke up to what the implications were of a significant data breach and some of the practicalities of what you know, what what might be the response, where you had that across different state jurisdictions and across different types of identity documents through different government agencies, etc, Probably the the biggest kind of round of reform is the one that we saw starting 2019 after the ACCC digital platform inquiry. So this is the ACCC, which deals with consumers and competition. They did a an inquiry into, into the power, really, of big tech and digital platforms. And I’m going to talk about that a little bit later. But we had a issues paper. It was released in 2020 following that inquiry, we had a discussion paper issue, not in 2021 we had a report on the on that on the discussion paper. We then had a response to the report on the discussion paper that followed the issues paper. So again, I felt that there was a lot of privacy, kind of privacy professional fatigue after that, where we were sort of putting a lot of time into responding to all these different kind of issues and discussion papers, as well as kind of other discussions that were happening kind of independently of that, where we finally get to, you know, the reforms are introduced, and they’re part of our tranche one reforms, Which, again, is all that we’ve got. We’re now in May 2026, and I’m not sure whether anybody on the call has got any more information than me, and you probably have, but I haven’t heard of the progress yet of any of those additional reforms that have been discussed now, for you know, getting on to six years, which is almost like our last round of reform for Privacy Act changes. So as I said, the recent reforms, the ones we’ve had, the tranche one reforms, came out of an advocacy digital platform inquiry. So it’s interesting, I think, to note that the amendments that we’re looking at to the Privacy Act really come out of concerns around the activities and. The power and some of the practices of digital platforms. So they had the a triple C, had some specific recommendations there that were kind of passed over to Attorney General Department that then kicked off the review process that ended up in the tranche one reforms and the other reforms that we’ve seen. Some of these, you will absolutely recognize the the strengthening the definition of consent, the statutory talk for serious invasion of privacy. They talked about privacy code for digital platforms that somehow got turned into a privacy code for children, for online children. Platforms are too with online children, which we’ll talk about as well. So that got watered down, as well as some other things that kind of didn’t proceed. So again, interesting to just to remember that that was kind of the genesis of our of our reforms. So most of us, hopefully are familiar with the reforms that were introduced in 2024 none of them, in my view, were amazingly earth shattering. I wouldn’t think that anybody would think that these bring us in line with, or even close to, what we have under regimes like the GDPR, but they did move us forward a little. I’m going to talk separately around the statutory tort and the Children’s Online Privacy code so that we can just kind of fill that one out a bit. I kind of went back and had a look at the numbers out of the 116 recommendations that we looked at, kind of in the issues discussions of the issue paper, the discussion paper, etc, 38 of them were agreed, but only 23 of those ones that were agreed were included in the tranche one reforms. So the ones that were agreed in principle, which were kind of like, yes, we’ll go ahead with these, but we might need to do some more thinking. And that’s when I was pulling my hair out, going like, how much more thinking? Or, you know, consultation. Do we need no progress yet? And there were 10 of them that were noted, which, in political speak, means that they are probably not going to proceed. So we still got 15 that were agreed that we haven’t actually had any progress on as well as the other agreed in principle, etc. So yeah, less than a quarter of the reforms have actually made their way into law so far. So the Children’s Online Privacy code was one of the big things. I think that most people are really concerned about the effect of all sorts of things on children, whether it’s cyber bullying, the dissemination of of pictures, the practices or the harmful practices of some platforms, etc, there’s certainly a huge growing concern and focus on on protecting children, and I think that’s probably what directed the idea of having a privacy code to it really being kind of narrowed down, rather than applying to all digital platforms just applying to children, children online in the way that that certain, certain providers of online service are going to deal with, With with children. So we have a exposure draft of that code was issued, I’m going to say last month, maybe the beginning of this month. We have until the fifth of June to get back to that code. I’ve included there on the right hand side. Some of the things that are included in that code. One of those, one of the things I think that is is good, is that there is this idea of acting in the best interest of the child. It’s a kind of an overarching requirement, a little bit like the fair and reasonable requirement that we haven’t yet seen introduced into the Privacy Act. But you know that idea that there is an overarching kind of focus that needs to be put on, on the on the child, and whether or not that is in the best interest of the child, which I think is a very, a very good thing, other things in there that probably are not surprising, and there is some consistency between what’s proposed in Australia and what we’ve seen in the UK and other jurisdictions. Privacy 108 has published a response to the exposure draft, and we’re going to have that on our website. I think it’s up now. If you wanted to go and have a look at that, it is open for consultation till the fifth of June, with the idea that the final code is going to be in place by the 10th of December. So an important area for reform. And again, for people who are interested, I highly recommend kind of having a look at it and having your say. The other major area that was introduced as part of the tranche one reforms was the statutory tort. So I have been a big proponent of having a statutory tort or introducing the individual right to sue, because without those additional avenues for address, we’re really reliant on just the right to complain to the Privacy Act, to the privacy commission on the Privacy Act, and then the process that you have from there, which is quite laborious in terms of going through a minister of appeals tribunals and then on to the federal court. So this gives an independent way of of commencing action if there’s been a serious invasion of privacy, but it is quite limited. It. It has to be kind of one of two types of invasions of privacy. So it’s not related to a breach of the Privacy Act. It is really if you have an intrusion on seclusion, which is kind of, again, if you remember back to the when I was talking about the American kind of tort, that’s one of the torts that they have developed for this idea of of intruding on your your right to seclusion, your right to kind of be alone, and also the misuse of privacy of private information, so that unauthorized collection, use or disclosure so operates outside of the Privacy Act. It means that it applies to to entities or individuals who might not otherwise be subject to the Privacy Act. The Privacy Act has got a carve out for sort of domestic personal use. So we’ve already had a couple of cases, right? One of them was Sam growth, I think he’s the deputy leader of the Liberal Party in Victoria, who bought an action in the statutory talk for serious invasion of privacy against the Herald Sun newspaper for alleging that he might have inappropriately, kind of had an inappropriate relationship with his now, now wife. That case settled, which is interesting, there is a journalistic carve out, and again, there’s a whole kind of series that we could do on on what that car that is and what the responses are. But it’s interesting that it was settled, and it was interesting that that the growths avail themselves of this new statutory tort to bring that action. There has been another successful action, successful ish action. It was really to just get an injunction from the New South Wales District Court. So not incredibly persuasive. It was a case where it was a case of kind of extortion, where somebody was asking for money to stop objecting to a development application, somewhat bizarrely, and as part of the campaign to extort money to get out of the from the development company, the extorta published wedding photos of the director of the development company, as well as setting up an anti Development website and publishing defamatory, you know, giving them a one star Google review. Also, you know, all sorts of stuff that they did that again to get a an injunction to prevent that behavior, the developer relied on strategy to talk for serious invasion of privacy, and was successful. So a again, it’s, it may be it’s, it’s in a potentially it’s, it’s, its benefit will be in those kind of cases where it’s the publication of personal material or the use of personal material, there’s still a question mark over whether the serious talk for or the statutory talk for serious invasion of privacy is going to be available for the data breach cases. I guess we’ll wait and see. The Medibank and Optus cases are winding themselves through court, but they won’t be able to avail themselves of this because it only applies to conduct that happened after June 2025 so that’s obviously after the those big data breaches. But again, data breach cases may be where this would become effective. It has got, again, some serious limitations, particularly in that it is kind of, it has to, you have to have that element of intention. It can’t just be negligent failure to take reasonable care. It really has to be a kind of intentional or reckless kind of disregard for the harm. So again, this could be, and probably should be, an entire session on itself, so I’ll just leave that one there.

Jodie. Sorry, just to cut in before you go to the next topic. We’ve had a comment, maybe a bit of a discussion point about the children’s online privacy code, so the comment is the OAC OAIC privacy rules. When taking care of children’s personal information online, as per the online privacy code, won’t protect the information of minors when their parents share photos of the kids near their schools and in their uniforms.

Yeah, I think that that’s really right. And I think that one of these things is, is giving kind of, is yeah, that is, that is really true, isn’t it? A lot of the problem is around what parents do around around kids and how you manage that. Yeah, I think that the one of the things that let me just think about this, and I need to just check it out, I’m thinking that one of the things they are doing is giving children the right to bring action outside those time frames that we’re just talking about with the serious invasion of privacy, but yeah, that’s a really good point about parents. I feel like some, like I look at a lot of parents now, and maybe it’s a generational thing, but I see a lot of parents now will make sure that their, that their children’s faces are obscured in some way, which seems to be a good way, rather than having their lives on, on, online. It’s, it’s one of those things, isn’t it? I think that when it first started, we were also happy to be sharing with just friends and families what. Is going on in our lives, and then all of a sudden we realize that, in fact, it’s actually goes much, much broader than that, that went that I think that those, you know, the, we’re going to talk about this a little bit about how the harm sometimes harms present themselves a little bit too late, and we’re playing this game to catch up about trying to put the cat back into the into the bag, which I think is what is kind of the discussion we need to have about about AI, and we also just had a comment as well from a bit further back regarding GDPR and Ireland being the main sort of regulator, just perhaps something to do with Ireland being a major hub for Google.

Absolutely, that’s right. You know, Ireland has placed itself and given tax incentives for the establishment of European headquarters of big tech, and you know, they speak English, they’ve got a well-educated, you know, articulate great workforce. So, there are lots of reasons why big tech headquarters itself in Ireland, and you know Ireland has benefited from that, but it is just one of those, one of those I think unexpected outcomes from them is that they then now have this kind of regulatory burden on their, on them, and again, without kind of going into it too deeply, the Irish experience in terms of human rights is a little different to, well, I guess that’s interesting, is that because their experience, they would probably say that they were kind of an occupied country in terms of the English people, but their cultural norms and their experience is a little different to, I think, to people from France, Germany, etc. So, yeah, it is interesting that they have become kind of the primary regulator and so just in terms of tranche two, I feel that we’ve kind of forgotten about tranch two. I haven’t forgotten about them. I hope, I hope everybody hasn’t, and other people haven’t forgotten about them, because there are so many great things that should be happening, in particular that fair and reasonable test, which is the one that I think that privacy practitioners were really hoping would be introduced just to kind of establish something like that foundational ground level, that like even if you got consent, for example, it may not be that what you’re doing is fair and reasonable, like it might, you know, if you get consent to, you know, exploit a vulnerable person, is that really, is is that really something that you should be allowed to do, so there are some, there are some great things in there that I get, as I said, we would like to see things like the, in particular, the potential narrowing of the political exemption, because there’s a fair, fair and reasonable test, one of the reasons why I think that fair and reasonable is good, and a lot of people were talking about it. I think that I went to the IPP conference. It must have been in 2024 There’s a lot of discussion about what fair and reasonable would be. How would we implement it? There are lots of issues around it, it’s inherent subjectivity, how you work out kind of, you know, the balancing kind of competing factors, etc. But I think overall people thought that it would introduce a do you know that kind of balancing requirement that would shift things a little bit more in favor of the individual, but as I said, we haven’t, we haven’t seen it yet. Hopefully we will. One of my biggest bug bears at the moment is the political party exemption. I think it was just reported just in the last week or so, and I guess this is why it’s probably on my on my mind that the Privacy Commissioner said that they couldn’t do anything about the United Australia part in, I think, what else was it, was the Trumpeters for, I don’t know, the Trumpeters for something for Australia or something. Clive Palmer had data, which had a ransomware attack. He basically said, I can’t notify anybody because I don’t know what information I had. If I’ve given you any information, just assume that that’s that’s all gone, and then do whatever it is that you need to do. It was just so wholly, you know, unremorseful, and with no kind of attempt to recognize that there should be kind of some obligation on you, if you’re holding information, particularly about donors or people who are supporting your party, that you should be keeping their information secured. It just is absolutely extraordinary, and the political party exemption had sort of different parts to it. One of them was that maybe you don’t kind of need to have the use and collection, but still the reasonable security steps should apply to political parties that are holding personal information, and I really don’t think that anybody could argue with that. So, but at the moment it’s a complete exemption from all of the provisions of the privacy of the privacy app, so Clive can keep on doing whatever he likes to do without, without any redress available under the Privacy Act. Unfortunately, so although we haven’t seen any real movement, but cross fingers, and I’m not counting it out, and perhaps we will. Terms of tranche two, I think that we have, you know, there are some bright spots in that we are seeing an increasingly active privacy commissioner in Carla Kind, for example, the privacy policy sweep that she did after really signaling that she had particular industries like real estate agents kind of in her sights, and she kind of did that privacy policy sweep, which I think, which is a, which is a great way of bringing the, you know, the privacy commissioners’ kind of powers to the attention of industries that might think that they are kind of not, you know, not kind of or operating without any kind of surveillance. It’s interesting to see what she said about that. I was absolutely gobsmacked at the amount of information that’s been collected by real estate agents, and maybe that just reflects that I haven’t had to go and kind of rent a property, but it was just absolutely mind-boggling, the type of information that was being, that was being collected, or that she said was not appropriate to be collected, which suggested that it was being collected. Certainly, more communicative. Kyle, the commissioner, publishes blog posts much more regularly. She’s on LinkedIn, talks a lot more, and gives a lot more signals around what the regulatory direction is. Certainly, I think there’s a clear indication that she’s focusing on kind of big systemic issues, the litigation and the big cases that she’s taking, which will be chewing up a fair amount of the available, the limited resources of the OAIC, so you know that we still got Medibank and Optus that are still churning along in the background. Medibank was still, I saw, arguing over whether legal professional privilege applied to the information they got from their kind of forensic report from their cyber security kind of experts, which got knocked back, I think they might have gone to the High Court, I could be wrong, but it was not back by there. So, the amount, you know, the deep pockets and the links to which the large organizations will do, will go to to kind of argue every point in these cases are going to put a strain on the OASC kind of budget, which is, I’m going to say, in the vicinity of $40 million so you know this is running one of these big complex cases going up to the High Court. It’s going to be a big drain on that, which might indicate one of the reasons why the Privacy Commission has indicated that she’s not going to appeal the Bunnings Administrative Tribunal decision. The piece that that she, the tribunal upheld the lack of notice, and they, the issue that that Bunning, that Bunnings were successful on when they went to the tribunal, was whether or not they could rely on an exemption to collecting consent to the collection of sensitive information, so that was the one where they argued that they could rely on that kind of the safety of their staff, the imminent danger, etc. which I think is a kind of a problematic finding, and I suspect that, you know, if there was more money available, that probably would be worth appealing, that’s my personal opinion, but the commissioner has indicated that it’s not going to take that at this stage, but there’s still some interesting findings again, as I said, that they’ve still got the transparency issue, also got the issue regarding the whether or not there’d a collection, you know, the argument that it was just for, you know, fractions of a second meant that there wasn’t actually a collection, which the tribunal said no, that is a collection, which I think is interesting and shouldn’t be lost sight of, so yeah, I again, interestingly, the this enforcement activity just shines a light on the limited resources that are available to the commissioner. The theme of Privacy Awareness Week this year is really been around complaint handling and how important it is, but the underlying message is that the commissioner is really creaking under the strain of the complaint handling that they have got that they are faced with the recent information was that if you made a complaint to the commission now it would take six to 12 months before you even kind of get off the starting line, so there’s a significant backlog, there’s significant wait time, there’s a significant issue around that, given that at the moment the complaint is other than the statutory tort, it’s really the only redress that you can have, and I think that is why the Privacy Commissioner is trying to get organizations to step up a little and say, you know, can you do a better job of handling complaints yourself, and if there are alternative dispute resolution mechanisms, like ombudsmen, for example, or industry regulators that might be able to kind of to step in, then that’s I think where things are going to be directed, so again, a troublesome, a troublesome outcome, but not unexpected, given the, you know, the OAIC has been running on the smell of an oily rag for such a long time, got a little bit of a bump up in money after the Medibank to help do the investigation there, but that was just sort of a one-off infusion, so yes. Just a reminder to people, I know that you guys will know most of this, but we’ve been talking about the federal privacy act that doesn’t apply to state government agencies. They all have their own privacy act. There are exceptions, of course, for things like tax file numbers. I just really wanted to talk to call out the West Australia, the new West Australian Privacy, West Australian Privacy Responsible Information Sharing Act. It has really adopted some of those amendments that we’ve been talking about in tranche two that haven’t made their way into the Australian, the Federal Privacy Act, things like they have made it quite clear that personal information includes things like identifiers, any kind of unique identifier, online identifier student includes local location information. It also includes inferred information, and inferred information is something that you know is increasingly being generated, I guess, by AI and by other kinds of ways of aggregating and making kind of assumptions about people, it has extended the definition of collect to include the inferring or generating of information. Again, that sometimes is something that can be a little unclear under the federal privacy act, whether or not collect extends to those kind of actions. It’s got specific provisions around de-identified information, saying that you, that your security obligations still apply, and you also have restrictions on disclosures outside of Australia, which I think is excellent, right? I think that we all understand that you can de-identify information, and at some stage the re-identification risk may significantly change, and it’s really just depends on what other data sets become available and types of computing and processing, etc. So I think that idea of treating de-identified information and ensuring the security and proper disclosure of it, I think, is a very good idea. They also require privacy impact assessments for high privacy impact functions or activities, again something that most government agencies are doing, but it isn’t required for the general, for general organizations, for kind of outside of that, the federal public space, where they’ve got their public code. So, just, yeah, good shout out to WA for moving ahead, I think, of other jurisdictions at this stage, and showing how they can make some, you know, real inroads into some of those difficult areas that plague that plague us still. So I know that I’m kind of running out of time, so I’ll just sort of, you know, kind of go through this a little quickly, because I do want to talk about AI, but I think the most of us understand that that, or are concerned about what’s happening. I’m going to say in the digital world, but that covers a whole lot of things, right? It covers social media platforms, it covers it, covers the access to platforms by governments, the sharing of information, deceptive practices, harm to children, the proliferation of really harmful content, and our seemingly our seeming inability to really kind of rein any of this in. I think again, just going back to what I was saying before about Europe and what it did kind of when it introduced the GDPR, and after it had the Snowden in the Snowden revelations, and then Cambridge Analytica, and it became clear that the national security agencies were bugging Angela Merkel’s phone, etc. I think that there was a real wake-up call, and a feeling like we’ve missed the boat, right? We didn’t step in and do something at a time here where we could have, and it now is, you know, time for us to kind of play catch up, but it is still kind of challenging to work out how to do that in the digital space, because it’s a very difficult place to regulate, you know, it’s hard to keep up with technology, it’s hard to do this from a single country point of view, because so many of these issues, it’s sort of international and cross-border. It’s very difficult for underfunded and under-supported regulators to take on digital platforms, or even to take on big international companies, you know, who’ve got deep pockets and who have, you know, swags of lawyers on side who can kind of contest every action that’s taken, but there I think are increasing pros and increasing recognition of the importance of digital regulation and its importance to our society, right, to the way that we trust each other, to the way that we can, I don’t know, spread news that with the way that we can trust what we hear into having a distrustful, suspicious conspiracy-ridden society is not sort of, is not a good outcome, I don’t think, and it’s certainly not the sort of society that I think any of us would like to live in. I think the other thing about de. Digital regulation is this sort of idea of trying to identify what the harm is and trying to kind of prevent it before it happens, rather than finding people for doing kind of things, which is what’s happening at the moment. You know, the GDPR is really around finding organizations for breach, rather than preventing the behavior in the first instance, and what they’d quite like to do is to try to somehow kind of steer the ship of digital regulation a little better, kind of going forward. So the EU has really embarked on this with a really kind of comprehensive plan of digital regulation that started off with a digital services package, which mapped it out in 2020 The key, the key piece of this is a Digital Services Act, which is really focusing on providing a safer online space for consumers. It requires a whole lot of, a whole lot of obligation in terms, in terms of transparency, notice, and taking down of illegal content. It puts additional duties on very large online platforms or search engines, so they’re most of the ones that we’ve been talking about. So, really trying again to create this safer online space. They’ve also got the Digital Markets Act, which is around some of the predatory unfair practices, so you know that all that self-preferencing, or that you know, quick, only five left, or you know, seven of your friends have looked at this today, all that kind of stuff is the is to you know try and again the make it kind of a fairer and more trustworthy kind of online marketplace, we get a data act where we try to get information from IoT products, so that it isn’t, it doesn’t become proprietary, so that information about this interest of interest, kind of from a community or public interest benefit, can be made available and shared. The AI Act, we’ll talk about next the development of an EU digital identity wallet, which is one way that people are going to be able to manage their digital identities. All of these things have been put together by the EU as part of this plan for it to address the digital kind of what’s happening in the digital space. Unfortunately, the tides have changed a little, and I think that the introduction of the second Trump presidency and some of the direction of some of the way that some of the EU countries is going means that there’s been more of a concern around sort of winding back some of these things. The Trump administration has made it really clear that the way that the EU is addressing digital regulation is one of their core issues, and that’s one of the reasons why they want to put these big tariffs on the EU, because they think that they are making it an unfair kind of trading space, imposing unfair restrictions on the on European tech, in particular. So that’s kind of the start of the of the war, is in that, is in that kind of is in that commercial space. As a result of that, and again, you know, changes in politics, etc. There has been a release of this digital omnibus, which is a kind of stepping back from some of the things in the GDPR, and there certainly are moves to simplify the GDPR, because it’s recognized that it is kind of overly complex, and it can be difficult for small businesses to comply. So, there’s been some lot of talk around some of the ways that they can make it easier for small business, but there’s also some talk about winding back what’s happening with AI, and AI again. I’ve almost got to the end of this, this, this presentation, and Bunny really just started talking about AI, which is pretty good, but AI is the real battlefield at the moment, and this is an area where the EU really took on the US in terms of the battle, they battled really hard to get this EU AI act up, and it operates on a risk basis with some types of AI that it just says should never be allowed, which are kind of unacceptable use cases, and some high-risk use cases, so unacceptable use cases like exploiting vulnerable people, large scale monitoring, I’m using sensitive data, and anything that’s used for kind of social credit reporting, that sort of stuff, are all regarded as, as like the sorts of uses that shouldn’t be allowed in any circumstances, and then sort of certain kind of high, high risk use cases, and limited minimal risk cases, and different things that need to happen with those different cases. The US hated this, you know. Well, you know what, that’s not quite true. The originally, the the US was kind of going along with it, accepting that it was probably inevitable that there needed to be some guard rails around the development and deployment of of AI, and that’s how we got to the 2024 the act was released, but since Trump administration started, there’s been a significant kind of 180 degree switch from, you know, the US saying yes, it’s good to have guard rails, and people like, you know, Elon Musk saying yes, AI is most dangerous, you know, to the existential crisis to now. Turning into a, it is really something that we need to pursue in terms of kind of productivity and innovation and efficiency. If you put any, any, any guard, any, any breaks around what we can do, it’s going to have a significant impact on our ability to, you know, lead the race in terms of AI. We could be beaten by China, etc. etc. So we’ve seen that significant step away, which means that again it’s followed through to the EU, where we’ve seen again some delaying of the implementation of some of those high-risk use case controls were meant to kind of commence in 2026 so we’re seeing how this push and pull between the different forces, trade forces, political forces, the interest in economics versus the interest in human rights, the effect on individuals, the effect on democracies, on politics, decisional interference, etc. And it is kind of an uncomfortable place to be, to be honest, at the moment, but again, Australia is is probably sitting a little to the side of some of this, and so I guess the question is, what it really means for us, and that I think is again like a really interesting question. Australia has been aware of the issues with regard to digital platforms. We had a big inquiry around it from 2020 25 that came off that digital platforms initial inquiry talked about in 2019 that kicked off our Privacy Act stuff. We know that it’s not good. We’ve had a couple of cracks at trying to take on social media, and I’d say in our first crack at taking them on with the news media bargaining bargaining code, we lost it kind of went well the first time that now we got the voluntary bargains and journalists, journalists got some money from social media in return, or for media platforms in return for use of their news, but then when it came around to the time to renegotiated Microsoft, and, and I think Google, Microsoft in particular, said, “No, we’re not going to do that anymore. We’re not going to do that. And there was really nothing much that the government could do, so it’s kind of really fallen over. But the government is now thinking, well, maybe we can give some sort of incentive to platforms to to pay for the news that they access from the from, you know, struggling journalists. So I’d say that that was a loss to Australia in terms of our kind of taking them on, we’ve potentially been more successful with things like our online safety act, where the eSafety Commissioner, again, this is about children, it’s an area where it’s really, I think, gets a lot more political sway, the harm is really clear, so the idea that harmful or child sexual exploitation material should be taken down, and the platforms have an obligation to do that. I think is well understood. So, again, the Safety Commissioner has been more successful in terms of what she can do under the Online Safety Act, fairly narrow act. And again, you know, from my point of view, it’s not really – it’s kind of the regulator putting a lot of obligation on the regulator to find in material, give notice to take it down, and for the platform to then comply. The platforms also need to provide transparency around what they’re doing in terms of managing online harmful material, but again, some of them have been less than good about that. I guess the one that’s most topical is our decision to implement the social media minimum age requirements to prevent children under 16 getting on social media, got a lot of political support, you know, a lot of the, again, the harm case was really clear about it, a lot of pushback from social media, of course, and I would have to say that I’m not sure that it has been that effective. I think it’s probably still early to say it only came in place into place in December. Researchers say that we need at least six months to kind of see how it’s working out. There is an action against it on the base of the interference with freedom of expression, political expression, or whatever, in which, which will be interesting to kind of to follow, I think. As most people thought, it’s relatively easy to be sort of circumvented, and most people are doing that, I think. Interestingly, though, it shows that this is an issue that is concerning for lots of other countries, there are many countries who have followed Australia’s lead on this, where they have either already enacted or have legislation on the books, or considering whether or not they will impose the same sort of ban, and if they do, that may have a bigger impact on the social media platforms, rather than them just having to do this for Australia, if they had to do it more broadly, then it might mean that they do actually implement more effective ways of ensuring either that appropriate material is shown to underage children or making sure that underage children don’t have access to their platform, whichever way we decide to go, I guess, guys. The last thing I just want to talk about was AI regulation in Australia. This is again something where I think I was quite optimistic that we would see something, I guess the all of the indicators from Ed Husik before he got rolled as the Minister for Science, whatever, were that we were going to have some mandatory guard rails that will be passed as part of an act that was turned around when we got our national AI plan in 2025 which said that we don’t need any regulation at the moment, but we could look at uplifting existing laws. I know, just as an aside, you guys will see that there’s lots of push by AI by AI companies to lift copyright and intellectual property protections, so that they can get access to copyright material as part of their training, right, which again is you can often see trotted out as something that Australia might want to do, because I think this is a an area where Australia did it, other countries might follow, so again we’re in the place, like I guess not, not, not unexpectedly, given what’s happened at kind of at a at a higher level between Europe and the United States, where we have got some voluntary guidelines, but we haven’t actually legislated anything yet, and we’re just crossing our fingers and hoping everything will be okay. So that’s kind of the digital regulars, maybe it’s an interesting point in time where we are just watching and seeing this battle kind of continue around us, although I do think that the action that Australia has taken shows that we do have a role to play, in particular in relation to the social media minimum age laws that we introduced. It again, question mark over effectiveness, but it certainly has caught on and might lead to introduction, and maybe some changes in the way that social media platforms happen. More generally, I guess this is something a lot of people are talking about, but it seems to me that a lot of what is happening at the moment is putting the onus on regulators or individuals to protect themselves, for us to read notices, for us to unsubscribe, for us to, you know, withhold our consent, and this seems to me to be just a little unfair, particularly given the imbalance in terms of the understanding that a lot of us have around, you know, the sorts of uses of our data and what the future uses might be, etc. And I guess I’d like to think that putting more onus on digital platforms by requiring them to exercise a digital duty of care would be kind of a better way forward. I’ve lifted there some of the things that that might be part of a digital duty of care. I appreciate that it’s something that Australia itself is not going to be able to do with any kind of great impact, but maybe just a way forward for those of us who want some kind of think and hope for ways that we might try and grab back some power from what seems at the moment to be sort of a race where we are at a clear disadvantage, well, it’s going to end up being hopeful, but so maybe I mean, maybe we, maybe we can be more hopeful. I guess the hopeful bit is that you know, I’ve got a lot of you guys who joined the call today, and I hope that this has been interesting. I feel generally that more Australians are concerned about privacy and understand some of the issues around privacy. Certainly, AI is putting things on their heads, and hopefully we might be able to have a better and more engaged conversation about some of these issues, and the way that we can kind of address them going forward, which would be a really good outcome. So, thank you, everybody. I know, I know we’ve sort of gone a little over time in terms of me talking. I want to have some more time for questions, but if anybody had any questions or comments, love to love to to have them now.

Yep, so we’ve just gotten one come through, or a comment, I suppose. So the hopeful bit is that privacy and security intersections are now becoming more mainstream, and people are more aware of privacy. And also, thank you, as always, Mandy.
Oh, thanks, Mandy. Yeah, I agree. I agree. Security is the other piece of this as well, isn’t it? I think security is now there’s just sort of so well understood you’d have to be living under a rock not to appreciate the importance of of security of data, but that intersection between kind of keeping it safe, but also all the other things, not collecting it if you don’t need it, not over collecting it, all those other privacy things having an appropriate purpose for collection. So, yeah, thanks, Mandy.
And just another question, could you expand a little more on the predictive policy policing and what that would entail?
Great question. Yes, and I’m not an expert, but I think predictive policing is big, is things like looking at at particular groups, for example, with. Particular characteristics, and being able to kind of predict whether or not they’re likely to offend, perhaps it’s around predicting where you might have no social unrest, where you might need to have more kind of police presence, it might be predictive policing is something that I think is, is, is seen as particularly dangerous, because it’ll be making assumptions around potentially unlawful activity of people based on a prediction rather than fact, so using data around previous groups, for example, which you know might be biased, and etc. Again, is a problem in terms of the reliability of the output of something that’s used for predictive policing. Good question, though. Yeah, it’s a, it’s a, it a lot of the questions that we get, a lot of the stuff that we get is around use of all sorts of kind of tools for law enforcement, because then we appreciate that a lot of what law enforcement does is kind of coming up against kind of technology as well as criminals get you know so much better at what they do but I think that there are some real you know hard limits that we need to put around the way that that tech is used by law enforcement
so we have another comment from Andrew, saying having had my privacy breached by a real estate agent, there is definitely a need for tighter legislation under my state’s rental legislation. I wasn’t even told about the outcome of my complaint over an offense committed under the legislation to protect the privacy of the sales agent committing the offense,
right? I think that’s the experience of a lot of people, which is why the Privacy Commissioner has really taken up that kind of the, the, you know, the attention on real estate agents, because you know, in a, in a difficult real estate market, they have so much power, and they can make decisions around the ability for people to get no rentals or to purchase houses or whatever, and often on information that you’re not aware that they even hold, because it’s kind of often shared by different, by different providers. The problem with real estate agents that I’m sure a lot of you guys appreciate as well is that a lot of them fall outside the operation of Privacy Act because of the $3 million annual turnover exemption, so yeah, it’s small real estate agents, in particular, will potentially be out there. A lot of them are operated by franchises, so you know, arguably that’s how they get under the under the private sector limit. It’s another really good argument for why we shouldn’t have that kind of wholesale exemption for small businesses, just based on your annual turnover, it should really be linked to the kind of data that they collect. So, completely agree with you. I think that’s too, it’s really shocking and terrible.
And just another comment, thanks, Jodie. I agree with you that the burden of protecting privacy should move away from individuals and regulators and rest primarily with corporations, ensuring that corporate conduct is assessed against clear principles of fairness and reasonableness.
Yeah, great, yeah, yeah, I, yeah, it’s always hard to do that, but I think that there has to be some kind of shifting of the burden, and we didn’t talk about that, but that’s one of the issues around kind of taking a consumer lens to this, where consumers, you know, are supposed to be able to protect themselves by reading a notice and then consenting, but it’s just so not appropriate in the privacy space, where none of us are able to read privacy notices or or understand really what we are consenting to, so you know, shifting the burden away from that, and again, it’s a burden on us to do that, and shifting it back to organizations, so that they have an obligation, you know, to just as I said, to be fair and reasonable, or to, you know, just to take reasonable care. I think it’s a would be a good move. Thank you.
All right,
so that’s all the questions that have come through so far, if anyone wanted to put their hand up too, instead of, you know, typing it out, but I can turn the mic on as well.
Excellent. Well, thank you, thank you, thank you, so much, everybody. Hope that that was of some interest. Happy Privacy Awareness Week. I know there are lots of other things on. If you have any questions, we’ve got our hello at Privacy 108 dot com.au We come through to me and Jess, so don’t worry. We will be very, we will be, we’ll be very careful with our response. We’ll get this kind of engineered a little bit, so that you don’t have all my arms and arse, and we make it look a little bit better, and then we’ll put it on the website if you wanted to ever listen to this again. So, thank you so much, everybody. Really appreciate all of your participation, and yeah, happy, happy, happy Privacy Awareness Week. Thanks a lot.
Bye.