OAIC Investigation Powers and Section 52 Determinations

Part V framework

The Information Commissioner’s privacy investigation powers are set out in Part V of the Privacy Act 1988. This framework establishes the processes for investigating potential breaches of privacy. Individuals can initiate investigations by lodging complaints with the Commissioner, as enabled by section 36. These complaints relate to acts or practices that may constitute an interference with an individual’s privacy.

The Commissioner also has the power to initiate investigations independently. Section 40(2) allows for Commissioner-initiated investigations (CII) where concerns arise without a formal complaint being lodged. This provides a mechanism for addressing systemic privacy issues.

However, the Commissioner’s ability to investigate is not unlimited. Section 41 outlines circumstances where an investigation may be discontinued or not pursued, such as when a complaint has not initially been addressed to the relevant organisation.

Compulsory information powers

The Privacy Act provides the Commissioner with several powers to obtain information during investigations. Section 44 allows the Commissioner to issue a notice requiring a person to provide information, produce documents, or attend a compulsory conference.

Section 46 enables the Commissioner to formally summon a person to appear and give evidence, and to produce documents. The Commissioner also has the power to enter premises with the consent of the occupier, as outlined in section 68, for the purposes of assessments.

Non-compliance with a notice issued under section 44, without a reasonable excuse, constitutes an offence under section 65.

Section 52 determinations

The Commissioner has the power to make determinations following both complaint-driven and Commissioner-initiated investigations. Under section 52(1), the Commissioner may dismiss a complaint or find it substantiated after investigating a complaint. Section 52(1A) allows the Commissioner to make determinations including findings and orders following an investigation initiated by the Commissioner.

Remedies that may be included in a determination are varied. These can include orders that a respondent must not repeat or continue an act or practice, must perform actions to redress loss or damage, and must pay compensation to the complainant.

Section 52 determinations, along with the Commissioner’s reasons, are published on the OAIC website. These determinations are enforceable in the Federal Court or Federal Circuit and Family Court.

Other enforcement outcomes

The Commissioner has options beyond investigation and Section 52 determinations. The Commissioner may accept an enforceable undertaking from an organisation under section 33E. This can occur instead of, or alongside, other enforcement actions.

For serious interferences with privacy, the Commissioner can apply to the Federal Court for a civil penalty order under section 13G. Following the Privacy and Other Legislation Amendment Act 2024 Notifiable Data Breach 30-day rule, the maximum civil penalty for a body corporate for such an interference is now the greater of $50 million, three times the value of any benefit obtained, or 30 per cent of adjusted turnover during the breach period.

The Privacy and Other Legislation Amendment Act 2024 also introduced a mid-tier civil penalty for interferences with privacy that do not reach the ‘serious’ threshold. Additionally, a lower-tier penalty, along with infringement notice powers, is available for administrative breaches of the Australian Privacy Principles.