August, 2025

Productivity Commissioner throws cat among the pigeons on Privacy Act reform; calls for ‘safe harbour’ on personal data use for brands acting in best interest of consumers, opens door to AI copyright free-for-all

What you need to know:

  • The Productivity Commissioner’s third interim report into the state of Australia’s productivity, Harnessing data and digital technology, has questioned the onerous regulatory approach proposed in Australia’s Privacy Act reforms and offered up an alternative, dual-track compliance approach for businesses.
  • The new option calls for an outcomes-based approach to judging whether personal information has been used in a way that’s in the best interests of an individual to run alongside the more stringent path set by the Privacy Commissioner.
  • It’s one of seven recommendations, a list that also includes an immediate halt on mandatory guardrails for high-risk AI use cases, a rethink on setting any more specific regulation at all, more data accessibility and a potential flip on AI copyright infringement – that is, open slather.
  • Per Data Synergies principal Peter Leonard: “As of 10.30pm last night [Tuesday], the world may have changed” on Australia’s privacy law and regime and could give organisations confident they’re using consumer information in the “best interests” of that consumer a new way of choosing what compliance best suits them.
  • The OAIC – home to the Australian Privacy Commissioner – responded with cautious optimism on first look at the interim report, saying it’s looking forward to further dialogue about how to balance consumer needs with overly burdensome compliance costs for businesses.
  • But whether you see this Productivity Commission as a move to direct Australia’s privacy regulation evolution or not, Civic Data’s Chris Brinkworth believes it shows how various government departments are navigating their way around broader economic conditions and global technology and innovation competition, increasingly relying on data.
  • ADMA’s Andrea Martens is hopeful the latest recommendations are a “circuit breaker to the unproductive privacy versus business debate” that has stalled progress over the last 18 months as policymakers considered how to ensure digital data trustworthiness and balance privacy protection with business productivity – though she notes they’re not exact finalised guidelines. 
  • Brinkworth uses the examples of connected cars made in China as a goldmine of information for foreign governments and entrepreneurs. “This isn’t about privacy, it’s about building better products.”

The Productivity Commissioner threw the cat among the privacy pigeons at 10.30pm Tuesday night with the release of its interim report, Harnessing data and digital technology, the third of five inquiries being undertaken as part of a push to lift Australia’s sluggish productivity.

While there are a number of controversial recommendations across AI regulation and use, copyright infringement, data accessibility and more, one of the most comprehensively surprising is for a second, alternative privacy compliance option for businesses “overly burdened” by current and forthcoming Privacy Act regulation.

It’s a slap against ever-growing regulatory control posed by other parts of Government. The Productivity Commission’s interim report rejects data protections embedded in the Privacy Act as costly for business, a brake on innovation, and in many cases, failing to provide the protections consumers expect anyway. Citing a wealth of Privacy Act submissions and commentary critical of the complexity of Australia’s Privacy Principles (APPs), the Commission pointed out the additional costs of protecting privacy, affecting some 277,000 firms nationally, not only involve direct and ongoing monetary expense on compliance, but also risk putting opportunity – and therefore productivity – in jeopardy.

“To use a product or service, consumers are often asked to acknowledge lengthy, complex privacy policies that few have the time to read. In many cases, this is not providing the protection consumers expect, and it can be costly and difficult for businesses to comply with,” said Commissioner Julie Abramson.

Instead, the Productivity Commission has put forward what it’s calling a more flexible outcomes-based privacy regulation approach to counter the Privacy Act’s “control-based approach”. This could be achieved through an alternative compliance pathway and a ‘dual track’ regime based on prospective outcomes. In such a construct, one track would be for this outcomes-based approach, while the other would be the more prescriptive track, designed to provide regulated entities with greater certainty about their privacy obligations.

Data Synergies principal, Peter Leonard, told the IAB Data and Privacy Summit yesterday such an approach hadn’t been proposed before and opened the door to two ways a company could handle the question of whether their data use is in the best interests of a consumer’s privacy.

“So as of 10.30pm last night, the world may have changed,” Leonard told attendees. “When you look at the Attorney-General’s recommendations around the form of notice and consent, potential opt-ins for targeted advertising and so on, they [the Productivity Commission] looked at all of that and said, in essence, this is making what is already a complex and not well understood regulatory regime, even more complex and not necessarily focused on outcomes.”

During Privacy Act consultation, various groups advocated uses of personal information be beholden to ‘fair and reasonable’ testing over and above any established consent. The Government agreed in principle. This ‘fair and reasonable’ overlay didn’t make it into tranche one of Privacy Act reforms last year, but many still expect it in tranche 2. The test was to be complemented by an opt-out regime in respect to targeted advertising.

“Instead, the Productivity Commission says, hang on, we should be thinking about a dual track, and that dual track might look something like this: An organisation could elect either to comply with the revised privacy regime based upon notice and consent, and however it might be changed after what I like to call tranche 1.5, because we’ll never see tranche two,” Leonard said. “Or they can elect to take an outcomes-based approach, and that would be based on a new concept, which asks the question: Is what an organisation doing in the best interests of the person concerned?”

If an organisation has confidence what it’s doing is in the best interests of the person concerned, the question Leonard then posed is this: “Are you ready to be able to prove to the Privacy Commissioner you meet whatever is stated to be this new ‘best interest’ test that was only proposed as of 10.30pm last night? Or do you elect to go down the notice and consent route?”

Leonard agreed the Productivity Commissioner’s new option is going to sound very attractive for many brands and businesses engaged in digital advertising. “Many of you might consider what you’re doing is in the best interest of the person concerned. You’re delivering them more relevant advertising material to their interests, and maybe you’re ready to go down that path and avoid having to deal with the full notice and consent regime,” he continued.  

“But one thing to pause and think about is how the tranche 1.5 track might develop if, in fact that alternative is made available. There is a risk always when government allows a safety valve or a safe harbour, that they double down on the other side and make the other side requirements even more onerous because an organisation has the choice of the safe harbour.

“So on the one hand… it’s very good news I wanted to bring to this gathering about the concept of best interests and outcome-based approach as an alternative to the very prescriptive regime proposed in the AG’s Report. But on the other it does carry the risk that that then encourages further development of the prescriptive rules on the other side. Like all regulatory reforms, what initially sounds good may or may not be as good as it looks.”

Precedent and practice

While the dual-track idea is new in Australia’s privacy reform discussion, the Productivity Commission noted several participants in the Privacy Act Review had supported a ‘safe harbour’ legal provision that would protect entities from liability if they failed to meet their legal obligations, provided they had taken certain prescribed actions. It also noted dual-track compliance regimes already exist in financial advice (Best Interests Duty, under the Corporations Act 2001) and work health and safety (Work, Health and Safety legislation and Codes of Practice).

Two broad options are proposed: The first, favoured by the Commission, is framing outcomes-based obligations as a ‘defence’. “This means that the existing Privacy Act requirements would be retained as the core regulatory regime, but regulated entities who do not (or choose not to), for example, meet all the current APPs to the letter, could invoke the defence to show that they are nevertheless compliant with their regulatory obligations,” the interim report stated.

Alternatively, outcomes-based requirements could be framed as the general rule applying to all regulated entities. “The existing Privacy Act requirements [including the APPs] could be cast as a safe harbour or ‘deemed to satisfy’ style regime – so regulated entities could opt to follow a more prescriptive or controls-based set of rules that would be deemed to meet the broader outcomes-based obligation,” the report continued.

“These options are inversions of each other – reversing which path is the ‘rule’ and which path is the ‘exception’. This means that choosing between these options is an implementation issue, not one of policy.”

The Productivity Commission also provided three ways outcomes-based obligations could be met: Through a ‘best interests’ obligation (its preferred option); by ‘having regard to the best interest’ of an individual in respect of their privacy; or by ‘duty of care’ that sees an organisation take steps to identify potential harms and prevent or mitigate them.

In an example relatable to the marketing industry – the event of a data breach – acting in the ‘best interests’ could mean locking an individual’s account, while ‘having regard to their best interests’ may be considering locking down an account. A ‘duty of care’ response would simply mean notifying the individual about the breach.

A further Productivity Commissioner shot across the Privacy Act reform bow is quashing the ‘right to erasure’ of personal information proposed under Privacy Act amendments. Again, its first reason is the high compliance burden it places on regulated entities; the second is the uncertain privacy benefit for individuals.

In its initial response to the Productivity Commission’s report, the Office of the Australian Information Commissioner (OAIC) took a cautiously constructive stance, framing the outcomes-based approach as a way of improving privacy rights for consumers.

“The OAIC is a strong supporter of reforming the Privacy Act to ensure that it is fit for the digital age, and we support the Productivity Commission’s goal of developing a thriving digital and data-driven economy with trust at its centre,” the statement read. “A greater focus on outcomes as opposed to controls can improve privacy rights in Australia. We look forward to the Government proceeding with the Tranche 2 reforms to the Privacy Act, including the introduction of the fair and reasonable test, which we believe embodies an outcomes-focused approach.”

The OAIC pointed to its own ‘Australian Community Attitudes to Privacy Survey’, which found 84 per cent of Australians want more control and choice over the collection and use of their information, while three in four feel data breaches are one of the biggest privacy risks they face today.

“The OAIC’s priority is meeting the needs and expectations of the Australian community whilst supporting trustworthy innovation. Our regulatory guidance and advocacy is being applied to achieve effective and innovative privacy outcomes.”

ADMA welcomed the report “as a timely and constructive contribution to the national conversation on data, privacy and productivity”, but emphasised the Productivity Commission’s “draft recommendations” are not yet fleshed out or final legislative reform proposals, but recommendations to inform further discussion and future reform. Still, ADMA CEO Andrea Martens is hoping they might finally restart the engine on privacy progress.

“Australian data privacy reform has been stalled for over 18 months while policymakers consider how to ensure digital data trustworthiness by balancing enhanced privacy protections for Australians with potential business productivity gains from uses of personal information, including for digital marketing. Privacy versus business productivity is a false dichotomy: the two can coexist. The Productivity Commission’s draft recommendations endeavour to re-energise privacy reform, by opening an alternative, simplified pathway for privacy compliance, focused upon whether the outcome for affected individuals is demonstrably and verifiably in their best interests,” ADMA CEO, Andrea Martens says. 

“We hope this proposal acts as a circuit breaker to the unproductive privacy versus business debate, restarting progress on updating Australia’s Privacy Act as proportionate legislation which balances the needs of business and the protection of the privacy of consumers. Businesses should also recognise that the Office of the Australian Information Commissioner is already reinterpreting existing obligations under the Privacy Act and adopting an active enforcement stance to ensure businesses are applying new OAIC guidance as to those obligations. With increased scrutiny and enforcement by the Commissioner, compliance is not optional – it is essential.”

Martens was also encouraged to see the Productivity Commission’s thinking broadly aligned with ADMA’s own submission on the topic of harnessing data and digital technology. “For privacy reform to succeed, it must be both principled and practical [readily understandable, particularly for smaller businesses]. It is important that privacy laws are streamlined and proportionate in order for marketers to move forward with certainty and confidence. They must also maintain the highest levels of integrity to ensure that Australian consumers can reasonably expect that businesses will be responsible and fair in their data practices,” she said.

For ADMA, merit could well exist in a differentiated approach for trusted entities, but only if it is underpinned by clearly defined data categories, strict eligibility criteria, and robust oversight – especially where sensitive data is involved.

The Australian Association of National Advertisers (AANA) and Interactive Advertising Bureau (IAB) Australia said they’re both now gathering views and working on responses to market.  

The Productivity Commission’s other qualms: Let loose on AI; data as a productivity gain

Privacy wasn’t the only big-ticket item in the Productivity Commission’s sights. It’s also against AI-specific regulation except as a last resort, and called for an immediate halt on implementing mandatory guardrails for high-risk AI use cases unless there’s absolutely no other regulatory framework that can be adapted, or where technology-neutral regulations are not possible.

“Like any new technology, AI comes with risks. But we can address many of these risks by refining and amending the rules and frameworks we already have in place,” said Commissioner Stephen King. “Adding economy-wide regulations that specifically target AI could see Australia fall behind the curve, limiting a potentially enormous growth opportunity.”

Harnessing data and making it more accessible for individuals and businesses is another one of the Harnessing data and digital technology interim report recommendations. While these are expected to differ depending on sector and relative benefits, the Commission suggested approaches could include industry-led data access codes that support basic use cases and periodic export access for consumers, and standardising data transfers with government along minimum technical standard lines. According to the report, improving people’s ability to access data that relates to them could spur competition and innovation and deliver productivity gains worth as much as $10 billion a year.

Civic Data managing partner, Chris Brinkworth, could see why data, AI and usage needed to be at the heart of the Productivity Commission’s recommendations.

The extraordinary rise of generative AI since late 2022 has rewritten the rules of both commerce and national security, and at the heart of the shift lies data.

In China, the government has gone so far as to label data the ‘fifth factor’ of production, alongside land, labour, capital and technology. Beijing is hungry for it wherever it can be found, including in Australia. The Productivity Commission is preparing to argue that it would be economically perverse to let Chinese firms boost productivity and innovation using Australian data, while local companies are denied the same opportunity by privacy restrictions.

A case in point: Driverless. Electric-vehicle firms such as BYD now make up about one-third of Australia’s EV sales, he said.

Each one is a rolling data centre, logging journeys, braking habits, routes and even calls. For the manufacturers this is gold dust.

Patterns on Australian roads help extend battery life. Real-world conditions improve autonomous-driving algorithms. Usage data informs design tweaks. Supply chains can be refined to local demand. What looks like a car to consumers is, to Chinese firms, also a feedstock of commercial intelligence, raising uncomfortable questions about who controls Australians’ personal information, just as the Productivity Commission has detonated six years of privacy reform.

Nor is this solely about geopolitical rivals for Brinkworth. “Elon Musk’s Tesla is not just an electric car, it’s a data collection machine. He’s also got all the data from X, and from Starlink.” Brinkworth flagged such concerns years ago, arguing any legislation “needed to consider the future rather than just current states, and that included connected cars owned by the same company that owns satellites”.

“The scale of the stakes is evident in the investment binge of the digital giants,” said Brinkworth.

Their surging capital expenditure reflects the ravenous demands of AI innovation. Amazon’s most recent quarterly capex, for instance, exceeds the combined global capex outlays of Meta, Alphabet, Microsoft and itself in the same quarter five years ago, even as the pandemic was fuelling its own boom in spending.

“This isn’t about privacy, it’s about building better products.”

ADMA also noted the interim report’s limited treatment of how proprietary and consumer data may be used to train AI systems – an issue with major implications for the advertising and marketing ecosystem.

“We urge policymakers to distinguish clearly between legitimate, consent-based commercial data use and broader AI training applications, ensuring any future regulation does not inadvertently undermine the ability of Australian marketers to deliver relevant content or maintain competitive advantage through ethical data practices,” Martens says. 

Six years on privacy reform – and counting

Even so, Australia still has to find a way to an evolved, future-fit Australian Privacy Act. Because it’s been a long, long time coming.

It’s six years since the Coalition Government first kicked off a Privacy Act review off the back of recommendations from the ACCC’s final Digital Platforms Inquiry. It’s two-and-a-half years since the Attorney-General released the Privacy Act Review Report, and just shy of two years since a first-term Labor Government released its response to the Privacy Act Review. And it’s eight months since industry saw a watered-down first tranche of a proposed two-tranche approach to reform ratified by Parliament.

Yet even as the Privacy Commissioner, Carly Kind, looks increasingly to wield her expanded enforcement powers to ensure companies don’t get complacent around data usage, and the latest Attorney-General, Michelle Rowland, reiterates a commitment to tranche 2, telling Sky News, “Australians are sick and tired of their personal data being exploited… We will not have our privacy reforms dictated by multinational tech giants”, the push for productivity is putting Australia’s privacy approach into question once more.

For Leonard, how privacy regulation develops isn’t likely to be grounded in what’s best or most appropriate for digital advertising regardless.

“Part of the reason we’re having this discussion about what privacy law should look like, driven by the Productivity Commission – a bunch of economists – is Australia has a productivity crisis. The government is responding to an economic imperative and broader productivity crisis across the Australian economy, and fundamentally rethinking what privacy law should look like, and potentially overruling what the Attorney General’s Department said privacy law should look like only two years ago,” he commented.

Emphasising unpredictability over global consistency, Leonard also noted the EU is reviewing its privacy regulation as well as AI regulation, and is unlikely to help pave Australia’s path to reform.

“That’s not just only about the pressure of Donald Trump. It is also because EU AI regulation is stupid. It’s overcooked. It was developed before Gen AI came on the scene. It’s completely unfit for purpose of dealing with applications of Gen AI, but you try and change the law when you’ve got 28 countries in the EU that need to agree on change. The EU is not going to set the path for Australia,” said Leonard.

“Donald Trump is not going to set the path for Australia because he’s made it clear his path is concerned with one thing only, to make America great again. If that means enabling global digital platforms to trample over the rest of the world, well, so be it. If that means enabling AI companies to get whatever data they like without concern as to privacy, so be it.

“So the two key jurisdictions we generally look to are not going to provide a guide to Australia. And that may mean Australia does something quite differently and without regard, or without waiting to see what the rest of the world does.”

The solo traveller test on best-interest personalisation

Leonard sees many moving parts influencing where privacy law may go. The big piece is whether “individuation” is actually in the best interests of an individual or not.

Take the “favourite new airline pricing trick” cited in The Economist by a thrifty US traveller, who noticed Delta, American Airlines and United had all started charging higher per person fares for single passenger bookings than for identical itineraries with two people. Its author suggested the practice “amounted to carriers weaponising their fares against solo travellers who can’t clone themselves”.

“Although no airline has yet commented on the subject, Delta and United reportedly scrapped the practice. The reason I raise it is it’s a classic example of how data about people, including in the context of contextual price personalisation, may be used contrary to the interests of the person to whom the data relates,” Leonard said. “Point two: That personalisation doesn’t necessarily require you to know who that individual is. It’s an important point. All of our privacy law today is built on the concept of a reasonably identifiable individual. Let’s face it, the reason clean rooms are proposed is to try and work a way through the regulatory regime and find a way to personalise to individuals without using direct information about a reasonably identifiable individual.

“But ask the question: Was that data used in the best interest of the person concerned or contrary to their interests? If I’m a solo traveller and I’m being offered a higher price because I’m a solo traveller, I know what I think the answer to that question is.”

Leonard also noted a New York law, which came into effect in May 2025, now requires companies using personalised algorithmic pricing to disclose prices set by the algorithm based on consumers’ personal data.

“When you actually look at the regulation, the use of personal data is a broader concept than information about a reasonably identifiable individual. It’s not just whether it’s defined personal information, as we do in the Australian Privacy Act, it’s that broader concept of personalisation I was talking about,” he said.

“So the existential fears of individuals about AI, algorithms and how they’re being used in ways that might affect them, are starting to be an important influence in the regulatory process… Potentially, the possible Australian response of a dual-track might give an alternative way of addressing this and a potential safe harbour for digital advertisers who are willing to think about the best interests of people. And potentially it gets us away from this really technical and engaged process of notice, consent, disclosures, providing an alternative track based upon a safe harbour of best interests of people concerned.”