New Australian privacy chief hopes to become a more visible and active face of data protection

4 April 2024
By Mike Swift and James Panichi

Carly Kind, who recently assumed her role as the first stand-alone Privacy Commissioner since 2015 within the Office of the Australian Information Commissioner, told MLex in an interview today that she will bring a human rights focus to the job and that she hopes to raise the visibility of the OAIC. “I hope that it means that for the Australian public, they can have a very visible face and name to put to privacy issues,” Kind said.

For Carly Kind, the new privacy commissioner at the Office of the Australian Information Commissioner, speaking to several thousand people in Washington DC at the world’s largest annual gathering of the data privacy community was a bit of a coming out party as the newest regulator in the space.

Kind comes to the role as a former human rights lawyer with the United Nations and the leader of non-profits working to promote data rights and exploring social questions relating to personal data and artificial intelligence. Most recently, she was director of the Ada Lovelace Institute in the UK, before moving back to her native Australia to become the OAIC’s first stand-alone Privacy Commissioner since 2015.

That background “has very much informed, I think, as I move into the regulatory space, thinking about the purpose of regulation — what's the outcome we're trying to achieve here?” Kind said in an exclusive interview with MLex on the sidelines of the conference.* “For me, it's about consumer rights, citizens' rights, ensuring that they're able to use and enjoy technology to the best of their abilities, while not having to compromise their personal data privacy rights.”

For Australians, Kind said she wants to be a more public face of privacy than the OAIC had when there was no stand-alone privacy commissioner over the past nine years. Privacy issues were previously handled by the OAIC’s top official, whose responsibilities also included freedom of information matters.

“I hope that it means that for the Australian public, they can have a very visible face and name to put to privacy issues,” Kind said. “And that's one thing that I certainly am endeavoring to do in this new role, but also that the office can really exercise its functions to the fullest, now that it's properly equipped with the right expertise and the right leadership.”

Strong message

Kind sees her role as being an educator, not just of the public about their privacy rights under the current law and after Australia completes an update of the 1988 Privacy Act, but also of companies to make sure that they fully understand their privacy commitments under the law. A string of recent large data breaches in Australia, such as health insurer Medibank Private and Singtel Optus, a telecom company, have highlighted that need, she said.

In the wake of those breaches, “we really want to be out there on the front foot ensuring compliance before those problems arise, but also sending a strong message that when noncompliance is serious and repeated, that we will take action,” Kind said.

The role of the OAIC in the updating of the Privacy Act is as a stakeholder, making recommendations to the attorney general about what needs to be included in the update.

“Many, many of our recommendations have been agreed or agreed in principle by the government and we're really pleased to see that almost everything that we'd like to have seen in the legislation, the Attorney General has indicated that they intend to take in some form or another,” Kind said. “So we’ll continue to support that process from the outside.”

Kind acknowledged that the OAIC is pursuing just two lawsuits at present that are seeking civil penalties, involving Meta Platforms over its Facebook/Cambridge Analytica privacy breach in 2018 and Australian Clinical Labs. But she said that the OAIC actually has upwards of 70 pieces of litigation that haven’t risen to the level of seeking civil penalties. The OAIC currently has about 90 active privacy investigations underway at various levels of maturity, and is sifting through about 2,500 privacy complaints.

“Your central point is correct, which is that we've filed fiscal penalties in those two cases,” Kind said. “But I only referenced the other number to emphasize that we are very busy on numerous fronts, with litigation-related matters that don't necessarily rise to the level of civil penalties.”

Kind expects that level of activity to increase. “The move towards seeking civil penalties I think is really for the most serious, repeated cases and we are very much committed to seeking enforcement action for those kinds of matters,” she said. “We anticipate that there will be further matters that are brought, and we hope this year.” She declined to comment on any specific cases.

Kind, who began her role at OAIC in late February, said she hasn’t really formed an opinion yet about whether Australian companies have an adequate awareness of the privacy challenges consumers face and the need to protect their data.

“It’s something I'm still in the process of understanding because I've only recently moved to Australia as well as becoming the privacy commissioner,” Kind said. “What I've seen so far is that Australia has a very engaged community of privacy professionals. I've had a lot of outreach and hospitality from the private sector, generally, and a willingness to engage, I think, across the board.”

Following the recent data breaches, privacy “is very much at the top of people's minds. And I think businesses realize that, and there is a really — as far as I can see so far — there's a good-faith effort to modernize and update and to really keep pace with where attitudes are, as well as to begin to prepare for the changes that the Privacy Act review will hopefully bring,” she said.

Global community

At the start of the Global Privacy Summit this week, Kind was keynote speaker along with Rebecca Kelly Slaughter, a commissioner with the US Federal Trade Commission.

Rather than speaking about the intricacies of enforcing privacy laws, Kind took a step back as she spoke about artificial intelligence, saying that personal data — and who controls it — is really about power.

“Privacy law is, at its heart, about power. Control of personal information is a form of exercising power, and equally determining one's own personal information is a way of being empowered and exercising power,” said Kind.

Kind has already worked with many governmental bodies that regulate privacy, including the European Commission, the Council of Europe, numerous UN bodies and a range of civil society organizations. Before running the Ada Lovelace Institute, Kind was the Legal Director of Privacy International, an NGO devoted to data rights and governance. She has long known people active in the space, including Ashkan Soltani, executive director of the California Privacy Protection Agency.

But this week’s event in Washington was her first privacy summit and was eye-opening.

“It's the first time I've seen it in one place, the privacy professional community,” she said, adding that she was struck by not only the size but the engagement of the community.

“That to me shows a lot of potential for cross-jurisdictional capacity building, but also a solidarity amongst privacy professionals, that we can really leverage as regulators to kind of uplift privacy protections everywhere,” she said. “I think really engaging that community will be a focus for me.”

*International Association of Privacy Professionals Global Privacy Summit 2024 – Washington, DC, April 2-4, 2024.