On privacy and dumbbells

Protecting privacy is a bit like doing bicep curls. Sometimes the effort hardly seems worth it. Will I really be stronger tomorrow? Or will I just have sore arms? I mean, really, it’s so much easier just to sit on the couch and scroll through other people’s workout fails, right? 

Last month the Productivity Commission released its Interim Report, Harnessing Data and Digital Technology. Note, the report’s title was not, Harnessing Data and Digital Technology while Giving Privacy the Protection it Duly Deserves. At the risk of oversimplifying its 116 pages, the report recommends more productivity and less privacy. Sadly, the report was silent on bicep curls.

The Commission called for two reforms to the Privacy Act: one, the introduction of ‘an alternative compliance pathway that enables regulated entities to fulfil their privacy obligations by meeting criteria that are targeted at outcomes, rather than controls based rules’; and two, that the government not enact a ‘right to erasure’.

We argued against both these recommendations. In our submission, David Lindsay, Genevieve Wilkinson, Sarah Hook and I argued that an outcomes-based approach has significant limitations. What’s more, we argued that a flawed assessment underpins the report. Above all, the economic benefits of robust privacy protections aren’t adequately taken into account.

When people’s data isn’t held securely, there are enormous costs. We’ve seen this countless times, with the 2022 Optus data breach, the 2025 Qantas data breach and whatever data breach we’ll all be reading about next week. These data breaches cost us all billions. Ironically, advances in AI, for which the Productivity Commission is advocating, will enable the development of sophisticated new data breaches.

But there’s something further, which centres on trust. Productivity can only flourish in an environment of trust. Indeed, the Commission recognises this, when it writes:

The productivity benefits of data access and use can only be realised if there is trust that the party providing access to the data has the right to do so, trust that the system of access is safe and secure; and trust that the party accessing the data will handle the data safely.

Trust hinges on respect for privacy. People need to be confident that information about them is being treated in a way that is not misleading or deceptive, and that respects their consent, and that is not unfair. People will be much more prepared to engage in a digital economy if they are confident that the conversation they have in a private online chat is not going to be used by a bank to deny them a loan, or by an insurance company to deny them a policy, or by an employer to deny them a job.

Currently, such trust is in short supply. Engaging online, people can have little confidence in confidentiality when data is being used by search engines, social media companies and data brokers for maximum profit. Today’s digital environment isn’t a case of maximising productivity; it’s a model for maximising profit at the expense of privacy.

To protect privacy properly, we need rights-based protections, including a right to erasure. On this, the Report fails to address the costs of not implementing a right to erasure, which would allow individuals to request deletion of personal data from an organisation’s records under specific conditions. Put simply, Australians deserve the right to informational self-determination.

The adequate protection of privacy needs more, including ex ante protections, just as the ACCC has recommended for better consumer and competition protections from harms caused by digital platforms. Just like cars need seat belts, businesses who deal in data need legal limits. Their data practices need to respect consent, be fair and reasonable, and be transparent.

As with bicep curls, the due protection of privacy involves some heavy lifting. And as with bicep curls, privacy is important for reasons that are often subtle, indirect and long-term. But those benefits can be cumulative. Ultimately, proper privacy protections will not only enhance our well-being, they can boost productivity.

References: 
 
Productivity Commission (2025). Harnessing Data and Digital Technology Interim Report, 5 August 2025. https://www.pc.gov.au/inquiries/current/data-digital/interim 
 
Sacha Molitorisz, David Lindsay, Genevieve Wilkonson and Sarah Hook (2025). Submission on privacy in response to ‘Harnessing Data and Digital Technology’, Productivity Commission Interim Report 2025. 15 September, UTS Law, University of Technology Sydney, NSW. 
 
Cary Coglianese (2017). ‘The Limits of Performance-Based Regulation.’ University of Michigan Journal of Law Reform, 50 (3). https://repository.law.umich.edu/cgi/viewcontent.cgi?article=1176&context=mjlr 
 
OAIC (2025). ‘Australian Information Commissioner takes civil penalty action against Optus’, 8 August 2025. https://www.oaic.gov.au/news/media-centre/australian-information-commissioner-takes-civil-penalty-action-against-optus 
 
Stephanie Chalmers (2025). ‘Qantas confirms 5.7 million customers were impacted in cyber attack’, ABC News, 9 July 2025. https://www.abc.net.au/news/2025-07-09/qantas-confirms-number-of-customers-impacted-in-cyber-attack/105510654 
 
ACCC (2022). Digital Platform Services Inquiry Interim Report No. 5 – Regulatory Reform, 11 November 2022. https://www.accc.gov.au/about-us/publications/serial-publications/digital-platform-services-inquiry-2020-25-reports/digital-platform-services-inquiry-september-2022-interim-report-regulatory-reform