Australia
How to Make a Privacy Complaint to the OAIC
This page is being updated. Please check back shortly.
Frequently Asked Questions
Do I have to complain to the company before going to the OAIC?
Generally yes. Section 40(1A) of the Privacy Act 1988 (Cth) means the Commissioner will not investigate unless you first complained to the organisation or agency and gave it a chance to respond. The OAIC treats 30 days as a reasonable time to wait before escalating. Limited exceptions can apply, for example where there is a significant power imbalance or a systemic issue.
How long should I give the organisation to respond?
The OAIC considers 30 days a reasonable period for an organisation or agency to respond to your privacy complaint. If it does not reply within about 30 days, or its response does not resolve the matter, you can lodge a complaint with the OAIC.
Does my complaint to the OAIC have to be in writing?
Yes. The OAIC states that the Privacy Act 1988 (Cth) requires complaints to it to be made in writing under s 36, so the OAIC cannot take your complaint over the phone. You can use the OAIC's online form, email, or post.
Is there a deadline for making a privacy complaint?
There is no single fixed cut-off, but under s 41 the OAIC may decline to investigate if the complaint was made more than 12 months after you became aware of the conduct. As a practical matter, lodge within 12 months of becoming aware of the issue.
What is conciliation and is it confidential?
Conciliation is a confidential, OAIC-facilitated negotiation aimed at resolving the complaint without a formal finding, conducted under s 40A of the Privacy Act 1988 (Cth). Outcomes can include an apology, changed practices, correction or deletion of information, or a payment. What is said in conciliation generally cannot be used in later proceedings without the parties' consent.
Can the OAIC order an organisation to pay me compensation?
Yes, through a determination under s 52 of the Privacy Act 1988 (Cth). If the complaint is substantiated, the Commissioner can declare that you are entitled to compensation for loss or damage under s 52(1)(b)(iii), and reimbursement of reasonable expenses under s 52(3). The Commissioner can also order the organisation to stop the conduct and take corrective steps.
Can I be compensated for hurt feelings, not just financial loss?
Yes. The OAIC and the courts have generally held that loss or damage under s 52 can include injury to the complainant's feelings and humiliation, so compensation is not limited to out-of-pocket financial loss.
What happens if the organisation ignores the OAIC's determination?
A determination is not, on its own, binding or conclusive between the parties. Either you or the Commissioner can begin proceedings in the Federal Court or the Federal Circuit and Family Court of Australia under s 55A to enforce the determination, and the court can make orders it thinks fit.
What are the penalties for serious privacy breaches in Australia?
For a serious interference with privacy under s 13G of the Privacy Act 1988 (Cth), the Federal Court can impose civil penalties of up to the greatest of AUD 50 million, three times the benefit obtained, or 30% of adjusted turnover. The AUD 50 million maximum took effect on 13 December 2022; from 11 December 2024, repetition of conduct is a factor in deciding whether an interference is serious rather than a separate trigger. These penalties are paid to the Commonwealth, separate from any compensation to you.
Can the OAIC refuse to investigate my complaint?
Yes. Under s 41 of the Privacy Act 1988 (Cth) the Commissioner can decline to investigate for several reasons, including that the act is not an interference with privacy, the complaint is frivolous or lacks substance, more than 12 months have passed since you became aware of it, or another body is better placed to deal with it.
Sources and References
- Privacy Act 1988 (Cth)(legislation.gov.au).gov
- OAIC, Complain to an organisation or agency (30-day response period)(oaic.gov.au).gov
- OAIC, Before you lodge a privacy complaint with us (written complaint, s 36)(oaic.gov.au).gov
- OAIC, Guide to Privacy Regulatory Action, Ch 1: Privacy complaint handling process (ss 36, 40, 40A, 41, 42)(oaic.gov.au).gov
- OAIC, Guide to Privacy Regulatory Action, Ch 5: Determinations (s 52, hurt feelings)(oaic.gov.au).gov
- Privacy Act 1988 (Cth) s 52, Determination of the Commissioner(austlii.edu.au).gov
- Privacy Act 1988 (Cth) s 55A, Proceedings to enforce a determination(austlii.edu.au).gov
- Privacy Act 1988 (Cth) s 13G, Civil penalty for serious interference with privacy(austlii.edu.au).gov