Regulators all want a piece of the privacy pie

Privacy has been a hot topic for a while now. In response to the flurry of activity in the privacy space, regulators are now making moves and responding – and it is not just the national privacy regulator who is talking about privacy.

Below we summarise the different global regulators and courts who are considering privacy. With Moores’ passion for helping our for-purpose, charitable and education clients, we have also explained what these news items mean for these industries.

Medibank decision from APRA

The Australian Prudential Regulation Authority (APRA) will require Medibank to increase its capital adequacy requirement to $250 million, to reflect weaknesses in Medibank’s information security environment identified in the review of the cyber incident in October 2022. APRA regulates the Australian financial market, including banks and insurance companies like Medibank.

The Office of the Australian Information Commissioner (OAIC) is yet to announce its decision in response to the incident, which could include a fine of $50 million. Separately, Slater and Gordon instituted proceedings in May 2023 in a class action representing millions of Australians.

The takeaway: Privacy is on the radar of many regulators, not just the privacy regulator. Regulators know they need to be seen to be taking a tough stance on privacy to align with the public’s expectations.

Facial recognition found to violate human rights

The European Court of Human Rights has ruled that the use of facial recognition to locate and arrest a protester while he was travelling on the Moscow underground violated rights to freedom of expression and privacy.[1] The Court concluded that the processing of Mr Glukhin’s personal data in the context of his peaceful demonstration, which had not caused any danger to public order or safety, had been particularly intrusive. The use of facial-recognition technology in his case had been incompatible with the ideals and values of a democratic society governed by the rule of law.

In Australia, the OAIC has investigated retailers for collecting facial images from customers without valid consent, and those retailers were ordered to delete all faceprints collected. These investigations are ongoing.

The takeaway: This decision turned on the ‘reasonableness’ of the use of the technology. This is a key part of Australian privacy regulation too. How you use personal information needs to be reasonable in the circumstances to avoid being intrusive or illegal.

Data protection relevant to investigating Meta’s possible competition infringements

Meta had challenged the investigation by the German competition regulator (equivalent to the ACCC) into possible privacy breaches. On 4 July 2023, the Court of Justice of the European Union ruled that the German competition authorities could also consider data protection issues in their review of Meta’s business practices, as the collection of data without consent was a potential abuse of market power. The practical consequence could be to substantially limit Meta’s use of personal data for advertising purposes.

The takeaway: Competition regulators are getting involved with privacy.

  • This trend exists in Australia too, with the ACCC taking an increased interest in privacy. The ACCC has investigated possible privacy breaches as they may relate to misleading or deceptive conduct. In 2021, the Federal Court found that Google had misled customers about the collection and use of location data. The penalty was $60 million.[2]
  • On 10 July 2023, the ACCC invited views on the Australian data broker industry from consumers, businesses and interested stakeholders, in response to its issues paper on data brokers.[3]

The ACNC says privacy is an ethical responsibility

The Australian Charities and Not-for-profits Commission (ACNC) acknowledges that gathering data about the people to whom charities provide services “brings with it important legal and ethical responsibilities”. Information about managing people’s information published by the ACNC is available here.

The takeaway: “A charity’s Responsible People must be aware of the legal requirements of managing people’s information and data. They are responsible for their charity’s actions and must ensure their charity complies with all the relevant laws governing data collection, storage and usage.”[4]

How we can help

With specialised knowledge of the for-purpose and education sectors, we can help you navigate regulatory compliance and interactions with regulators, be it the specific privacy regulator – the OAIC – or other regulators who may become interested in your activities. More information about our regulatory compliance and privacy offerings is linked for you, or contact us directly.



[1] Glukhin v. Russia (European Court of Human Rights, Chamber, Application No 11519/20, 4 July 2023). 

[2] Australian Competition and Consumer Commission v Google LLC (No 2) [2021] FCA 367.

[3] Australian Competition and Consumer Commission, Digital platform services inquiry – March 2024 report – issues paper (published 10 July 2023) <https://www.accc.gov.au/inquiries-and-consultations/digital-platform-services-inquiry-2020-25/march-2024-interim-report>.

[4] Australian Charities and Not-for-profits Commission, Managing People’s Information and Data, <https://www.acnc.gov.au/tools/guides/managing-peoples-information-and-data>.