
Media centre

Search our media releases, articles, interviews

Global privacy authorities issue follow-up joint statement on data scraping

The OAIC and 16 international data protection and privacy counterparts have released a joint statement with further expectations about how social media companies can better protect personal information

Media release
Artificial intelligence
Privacy

29 October 2024

New privacy guidance released for charities and other NFPs

The OAIC has released updated privacy guidance for not-for-profits

Media release
Privacy

22 October 2024

New AI guidance makes privacy compliance easier for business

New guides for businesses published today clearly articulate how Australian privacy law applies to AI and set out the OAIC’s expectations

Media release
Artificial intelligence
Privacy

21 October 2024

New Credit Reporting Code strengthens privacy protections

The OAIC today registered a new Privacy Credit Reporting Code 2024

Media release
Credit reporting

1 October 2024

OAIC closes investigation into 7-Eleven Stores Pty Ltd following uplift of privacy practices

The OAIC has concluded its Commissioner-initiated investigation into the inadvertent reactivation of facial recognition technology (FRT) by 7-Eleven Stores Pty Ltd (7-Eleven)

Media release
Privacy

27 September 2024

Mainstreaming access to information a must for IAID 2024

Information commissioners and ombudsmen highlight the importance of mainstreaming access to information and participation in a joint statement issued for International Access to Information Day 2024

Media release
Information access

26 September 2024

Digital platform regulators release working paper on multimodal foundation models

DP-REG has published a working paper on multimodal foundation models used in generative artificial intelligence

Media release
Artificial intelligence

19 September 2024

Report shows highest number of data breaches in 3.5 years

New statistics show the number of data breaches notified in the first half of 2024 was at its highest in 3.5 years

Media release
Data breach
Privacy

16 September 2024

Statement on MediSecure data breach

The OAIC has closed our inquiries into the MediSecure data breach

Statement
Data breach

13 September 2024

OAIC welcomes first step in privacy reforms

The OAIC today welcomed the first tranche of reforms to the Privacy Act; however, much more needs to be done

Media release
Legislation
Privacy

12 September 2024

Statement on Clearview AI

The OAIC provides an update on action against Clearview AI Inc

Statement
Determination
Enforcement

21 August 2024

OAIC welcomes appointment of new FOI Commissioner

The OAIC welcomes the appointment of Ms Toni Pirani as Freedom of Information Commissioner

Media release
Freedom of Information

15 August 2024

Digital Platform Regulators Forum 2024 communique

DP-REG has published its yearly wrap-up and strategic priorities to build capacity, promote regulatory coherence and respond to emerging risks and opportunities

Statement
Privacy

25 July 2024

Statement on MediSecure breach

The OAIC has been advised by MediSecure that approximately 12.9 million individuals may have been impacted by its cyber security incident

Statement
Data breach
Privacy

18 July 2024

GPEN Sweep finds majority of websites and mobile apps use deceptive design to influence privacy choices

A global privacy sweep that examined more than 1,000 websites and mobile apps has found nearly all of them employed one or more deceptive design patterns that made it difficult for users to make privacy-protective decisions

Media release
International
Privacy

10 July 2024

Showing 1 to 15 of 166 results


Can you confirm you have been notified of a data breach?

The OAIC generally will not comment publicly about the content of data breach notifications.

Where a particular incident is of community concern and has already been reported in the media, we may confirm publicly that we have received a notification or are investigating or making inquiries into the matter. We will generally not comment further until the investigation or our inquiries are complete.

We may also comment publicly on a matter where there is public interest in us doing so, for example, to enable members of the public to respond to a data breach.

Why don’t you list the names of organisations that have notified data breaches?

There is no specific provision that provides for the OAIC to make available a list of names of organisations that notify data breaches. The NDB scheme does have specific provisions regarding how organisations must notify individuals at likely risk of serious harm from a data breach and the OAIC. Accordingly, the OAIC will not generally disclose a list of names of organisations that notify data breaches.

Can you advise when an investigation will be completed?

Some investigations can be finalised quickly, but some take longer because of the type of inquiries and the volume of material that needs to be reviewed. We aim to finalise all investigations as quickly as possible.

Will you publish a report on the investigation?

Where the Commissioner makes a determination, a decision will be published. If the Commissioner takes proceedings for civil penalties, the Commissioner will file a statement of claim.

There’s more information on Commissioner-initiated investigations, including our approach to publication, in our Guide to Privacy Regulatory Action.

What penalties are available to the OAIC for an interference with privacy?

Section 80W of the Privacy Act 1988 empowers the Commissioner to apply to the Federal Court or Federal Circuit Court for an order that an entity that is alleged to have contravened a civil penalty provision in that Act pay the Commonwealth a penalty.

Under section 13G of the Privacy Act, since 13 December 2022 the maximum penalties for serious or repeated interferences with privacy are:

  • for a body corporate, the greater of either:
    • $50 million; or
    • the value of any benefit the relevant court has determined that the body corporate, or any body corporate related to it, has obtained directly or indirectly that is reasonably attributable to the contravention, multiplied by three;
    • or if the court cannot determine the value of that benefit, 30% of the annual turnover of the body corporate during the 12-month period ending at the end of the month in which the contravention happened or began.
  • for a person other than a body corporate, the maximum penalty amount is $2.5 million.

The Federal Court or Federal Circuit Court ultimately determines the penalty awarded, taking into account matters including:

  • the nature and extent of the contravention
  • the nature and extent of any loss or damage suffered because of the contravention
  • the circumstances in which the contravention took place
  • whether the person has previously been found by a court to have engaged in any similar conduct.

There is more information on civil penalties, including provisions in other legislative frameworks, in our Guide to Privacy Regulatory Action.

How to contact us if you have a media enquiry or interview request
Photographs of Australian Information Commissioner Elizabeth Tydd
Photograph of Privacy Commissioner Carly Kind