Santa directs elves in Australia to act on 2024 OAIC regulatory action



Posted on 17/12/24 at 11:05 AM

On a particularly hot December day before Christmas in Australia, Santa called an urgent meeting with the talented elves in digital strategy to discuss the need to adapt current practices for the region in light of recent shifts in Australian privacy enforcement culture. Following his earlier meeting with the Australian Privacy Commissioner, whom he described as ‘very kind’, Santa arrived with a good grasp of the Australian Privacy Principles (APPs),[1] to which he has voluntarily submitted. Having revisited the Office of the Australian Information Commissioner’s (OAIC) 2024 determinations, he came equipped with some privacy enhancing ideas.

Practices, procedures and systems

Santa’s Workshop in the North Pole already abides by the European GDPR, but only as far as children in Europe are concerned. However, the elf responsible for audience acquisition reported that no risk assessments were carried out before tracking technologies were deployed in Australia. Children who believe in Santa are often identified, without their knowledge, from observed or inferred data rather than from their letter to Santa, which often serves as the best proof of their belief. The OAIC has signalled that enforcement action against the advertising industry is overdue. Santa reminded the elves that privacy assessments and effective practices, procedures and systems are required to comply with APP 1.2, as highlighted in recent OAIC determinations including Bunnings,[2] AQE and Noonan Real Estate Agency Pty Ltd[3] and Cherrybrook Medical Centre.[4] “Reaching wider audiences must not come at the expense of children’s privacy”, Santa noted.

Data retention

The elf responsible for data management reported that a record of every child is retained indefinitely, even when a child no longer believes in Santa. Referring to the recent AHL and TICA[5] determination, Santa gave directions to ensure that Santa’s Workshop takes reasonable steps to destroy or de-identify personal information that is no longer needed, as required under APP 11.2. The elf noted, “A clear retention policy and data erasure process will help us keep relevant data and avoid errors such as delivering toys to adults. It will also spare Santa having to inspect stockings which simply do not look or smell like they were intended for a gift donation”. Santa sighed as he nodded.

Sharing sensitive data

The elf responsible for special audiences raised her concern about Santa’s Workshop targeting and profiling children on the basis of health data, so that the right gift lights up their hearts. Individual profiles of children are shared with the entire 110-strong digital team of elves, some of whom are not involved in the relevant work. Santa pointed out that, apart from the tension with the security obligations under APP 11.1, under APP 3.3 the handling of sensitive information must be reasonably necessary for the relevant functions, as highlighted in the recent ALI and ALJ[6] determination. The extensive profile sharing does not seem justified. Santa also pointed out the need for the child’s consent to the use of their health data, which is problematic because children lack the capacity to give it. Parental consent would also be difficult to obtain, because parents do not believe in Santa and their consent would likely lack intention. The OAIC is focusing on children’s data and will be issuing a Children’s Online Privacy Code, likely in the course of 2025.

Publication of data

The elf in charge of public relations expressed concern that naughty children use public reviews to force their wishes upon Santa. On a couple of occasions, such reviews included exaggerated and ill-intended statements and claimed that Santa may not be real. Santa noted, “we must not use replies to public reviews to shame the reviewer by disclosing true personal information, even if this is to clarify why we think we acted correctly and why they are wrong”. As shown in the recent AQE and Noonan Real Estate Agency Pty Ltd determination,[7] using personal information for a secondary purpose without consent risks a breach of APP 6. Such a response would no doubt also cast doubt on our Christmas spirit and professionalism.

Public data scraping

Some families’ Christmas may be affected by financial distress. One elf reported that public records are scraped to identify families in financial distress so that more toys can be allocated to the affected children. Santa pointed out that our collection of personal information must be fair under APP 3.5, meaning it must be “without intimidation or deception” and not “unreasonably intrusive”. This cannot be said of scraping daily court listings, which are published to inform parties and interested persons of the relevant court details, not to identify individuals in financial distress. Even if the children will appreciate the nice gifts, publicly available data can still be private, as highlighted in the recent Property Lovers Pty Ltd[8] determination.

Facial recognition

The rollout of facial recognition to identify children who stay up all night to see Santa raises proportionality concerns, similar to those in the recent Bunnings[9] determination. Santa said that the very small number of kids who manage to stay awake all night, thanks to their unauthorised access to sugary drinks, and see him tiptoeing around the tree does not justify scanning the faces of all sleeping children. Instead, Santa will ask his reindeer to look out for children who are awake and act on a case-by-case basis.

Data access

Some of the smarter children have requested, in their letters to Santa, access to the personal information held about them. The elves noted that failing to disclose all relevant personal information (including mistakenly withholding any documents) could be a breach of APP 12.1 and APP 12.8, as shown in the recent ‘AGX’ and ‘AGY’[10] determination. The elves discussed how to comply and whether the exemption for the privacy of others might apply. Santa noted that the exemption only applies to humans and not to elves, so disclosure cannot be withheld on that basis. However, some information might be withheld under APP 12.3(e) if disclosing it would prejudice Santa’s intention to surprise the child.

Concluding remarks

Santa acknowledged that the OAIC rarely awarded compensation for interference with privacy in 2024 and, where it was awarded, it did not exceed $3,000. However, individuals can now seek redress in the courts following the recent case of Waller v Barrett (each a pseudonym), which recognised a tort of invasion of privacy at Australian common law, with the potential for higher settlements.

With the passing of the Privacy and Other Legislation Amendment Bill 2024 earlier this month,[11] the Privacy Commissioner can now seek tiered civil penalties: for minor breaches, capped at 200 penalty units ($66,000); for interference with the privacy of individuals, capped at 2,000 penalty units ($660,000); and for serious interference with privacy, which remains capped at $2.5M for individuals and, for bodies corporate, the greater of $50M, three times the benefit obtained or 30% of adjusted annual turnover.

The new powers, coupled with recent regulatory trends and the tort of invasion of privacy, signal a cultural change in Australian privacy. All organisations must catch up with these changes, and Santa’s Workshop is no exception! Santa concluded, “I wish for all elves to attend data privacy training and put our house in order. 2025 will no doubt lead to stronger recognition of the right to privacy of Australians, and we had best be ready for it!”

Merry Christmas everyone!



[1] Privacy Act 1988 (Cth).

[2] Commissioner Initiated Investigation into Bunnings Group Ltd (Privacy) [2024] AICmr 230 (29 October 2024).

[3] AQE and Noonan Real Estate Agency Pty Ltd (Privacy) [2024] AICmr 237.

[4] Cherrybrook Medical Centre (Privacy) [2024] AICmr 43.

[5] ‘AHL’ and TICA Default Tenancy Control Pty Ltd (Privacy) [2024] AICmr 26.

[6] ALI and ALJ (Privacy) [2024] AICmr 131.

[7] AQE and Noonan Real Estate Agency Pty Ltd (Privacy) [2024] AICmr 237.

[8] Commissioner Initiated Investigation into Property Lovers Pty Ltd (Privacy) [2024] AICmr 249.

[9] Commissioner Initiated Investigation into Bunnings Group Ltd (Privacy) [2024] AICmr 230 (29 October 2024).

[10] ‘AGX’ and ‘AGY’ (Privacy) [2024] AICmr 16.

[11] Privacy and Other Legislation Amendment Bill 2024 (Cth).

KHQ Lawyers - Alex Dittel

Alex Dittel, Principal Solicitor (practising English law)

Alex leads our Data Privacy, Cyber and Digital practice. He brings 15 years of experience in data protection, information security and technology commercial matters acquired during his time working...