By Chong Shao and Malcolm Crompton
On 2 March 2026, Privacy Commissioner Carly Kind published a post announcing a ‘new approach’ to how the Office of the Australian Information Commissioner (OAIC) will handle individual privacy complaints. At one level, the post is about complaint handling. IIS reads this as an enforcement memo in complaints clothing.
Commissioner Kind has made a statement about regulatory priorities: in an environment of growing privacy risks, rising complaint volumes, and constrained public resources, the OAIC intends to focus its effort where it can have the greatest impact. The complaints-handling changes flow from that. They are a consequence of the strategy, not the story.
What the OAIC has announced
Four elements of the announcement are worth noting, all of which point in the same direction:
Enforcement focus is now the headline. The OAIC describes an intentional shift over the past 12 months toward a greater focus on enforcement, citing deterrent and educative benefits, and a desire for ‘maximum impact’ across sectors. The results are already tangible: a $5.8 million civil penalty against Australian Clinical Labs, civil penalty proceedings filed against Optus and Medibank, and a $50 million settlement from Meta Platforms.
Complaint handling will be more selective and threshold-driven. Not all complaints will be taken through to investigation. The OAIC will conduct a ‘strategic assessment’ and may decide not to investigate after considering all circumstances, including regulatory priorities.
Complainants are being coached to bring better-formed complaints. The OAIC has published checklists and templates, and is clear about what information is required from the outset (including what happened, when, and the impact).
Timing expectations are being reset. As of February 2026, new validly lodged complaints are unlikely to be substantially progressed for 6-12 months. That is a frank admission, and a deliberate signal.
It’s rare for a regulator to be this candid about the trade-offs it is making. The OAIC isn’t just explaining process – it is publicly setting out why individual casework is being deprioritised in favour of enforcement.
So what for organisations?
IIS advises four things with respect to this shift in focus:
1. Don’t confuse ‘slower complaint handling’ with ‘lower risk’
The OAIC is concentrating its effort, not retreating from the field. Organisations whose practices generate repeated complaints or patterns of non-compliance are now more likely to attract attention, not less.
The relevant question isn’t whether your next complaint gets processed in three months or twelve. It’s whether your privacy practices are the kind the OAIC will decide are worth pursuing at scale.
2. Complaints will increasingly function as signals, not just casework
The OAIC is deliberately narrowing the front door. Complainants are being directed to raise matters with organisations first, to use alternative pathways where available, and to understand that even a well-formed complaint may not be investigated.
The practical effect is that organisations become the primary forum for resolution. The complaints that do reach the OAIC will increasingly arrive as signals of something worth looking at, not as individual grievances to be managed. Treat your complaint themes accordingly. A pattern of similar issues across customers or channels is exactly what an enforcement-focused regulator scans for.
3. This is consistent with the direction the OAIC has been signalling
None of this is a surprise. IIS’ reflections on Privacy Awareness Week 2025 highlighted Commissioner Kind’s emphasis on organisational accountability, systemic power imbalances, and a more proactive regulatory posture. The March 2026 post is another milestone on that same trajectory: greater willingness to use the regulator’s full toolkit, and a clearer focus on shaping organisational behaviour and resilience at scale.
The direction of travel is clear: privacy compliance is increasingly about governance and accountability, not just documentation and process.
4. Privacy complaint handling still matters
Finally, and straightforwardly, make sure your privacy complaint handling process is in good shape. The OAIC requires complainants to raise matters with the organisation first and allow 30 days for a response. That makes the organisation the first and most important forum for resolution. The process does not need to be elaborate – but it does need to reach the right people, produce a genuine response, and generate enough of a record to identify repeat issues. Pattern detection, at even a basic level, is now a governance capability.
The way forward
Don’t read the Privacy Commissioner’s post as ‘complaints will take longer to process, so we can relax’. Read plainly, it signals the opposite: the OAIC is being explicit that it will deploy its resources toward enforcement and systemic impact. It will apply more robust thresholds to individual complaints to make that shift possible.
For organisations, the practical response has two dimensions. The first is operational: ensure privacy complaint handling is genuinely effective and allows for pattern detection over time. The second is strategic: treat complaint patterns as an early warning system for the kinds of systemic issues and market practices that the OAIC is now most focused on. That is where the real regulatory risk sits, and where board and executive attention should be directed.
IIS can help – if you would like assistance with this or any other privacy or data protection matters, please contact us.