Greens Senator David Shoebridge and Attorney-General Mark Dreyfus (Images: AAP/Private Media)

Following the Optus and Medibank hacks, a proposed legal change to threaten businesses with $50 million fines for privacy breaches could prove toothless as the responsible regulator is starved of cash, a senator has warned.

Greens Senator David Shoebridge, who sits on the committee looking into the government’s proposed new fine regime, said it was unlikely the Office of the Australian Information Commissioner (OAIC) has the funds to effectively deter rule breakers.

“Of course, we support some serious penalties for serious privacy breaches, but we need this to be more than a headline. The fines need to be credible with the resources there to back them up,” Shoebridge told Crikey.

The OAIC is tasked with ensuring firms follow the Privacy Act 1988 — the regulatory regime where the new fines would apply — but is also responsible for managing government information and resolving complaints about freedom of information (FOI) requests from the media and public.

It does all this with a budget of barely $30 million a year, according to evidence last week to the Legal and Constitutional Affairs Legislation Committee.

The OAIC was handed another $5.5 million just to investigate the Optus hack, which according to OAIC commissioner Angelene Falk is the rough amount needed to undertake complex privacy probes.

Dealing with FOI requests is a significant resource drain on the office as well. The OAIC is currently handling 2041 FOI claims, including 60 matters lodged in 2018 and 249 that have dragged on since 2019.

“It’s a matter of having a large caseload and a limited number of resources,” Falk told Senate estimates earlier this month. “It is our intention, through the efforts that we make every day, to resolve all matters as quickly as possible. It’s regrettable that we have a legacy caseload of this size.”

Shoebridge said there was a risk that companies wouldn’t be deterred by the proposed larger privacy breach fines because the OAIC was “already drowning from excessive work and lack of resources”.

“Corporate Australia will look at these new fines and then look at the inability of the regulator to ever prosecute them and seriously discount the risk of ever being held to account,” he said.

Falk told the committee last week she hoped her office would get a bigger budget, and drew a comparison with the equivalent body in the UK, which she said had “nearly tenfold the staff of our office”.

“I have said publicly that as part of the Attorney-General’s Department’s more comprehensive review of the Privacy Act then I think that is the optimal time to assess the resourcing needs of the office and to ensure that we are set up in a way that can protect and regulate Australians’ data in a way that is expected into the future,” she said.

Optus, which was hacked before the new rules were proposed, could face a $2.2 million fine for each privacy contravention if the OAIC decides to take the company to court as a result of its investigation.

The Attorney-General’s Office declined to comment.