Insight,

Digitise,

Productivity Commission releases final report into Harnessing Data and Digital Technologies

15 January 2026

Our People
|
Current site :      |  

Tell me in 30 seconds

On 19 December 2025, the Productivity Commission released its final report into Harnessing Data and Digital Technologies, recommending that:

  • The Privacy Act 1988 (Cth) should be amended to embed an outcomes-based fair and reasonable test, and that the existing Australian Privacy Principles be phased out;
  • Regulation of AI be undertaken within existing regulatory frameworks and that AI specific regulation should be a last resort;
  • Government monitors the development of AI and its interaction with copyright holders over the next 3 years, and if key issues discussed further below are not resolved by then, to establish an independent review of Australian copyright settings and the impact of AI;
  • The Consumer Data Right (CDR) be simplified and ‘rightsized’ to support high value uses while minimising compliance costs; and
  • Digital annual and half‑yearly financial reporting be made mandatory for disclosing entities under the Corporations Act.

Privacy Act Reform

The Commission has accepted the argument that the emphasis in the Privacy Act around controls, such as consent and disclosure procedures, and the requirement to have privacy policies, are ineffective and does not guarantee positive privacy outcomes because they place the onus on the individual to manage and protect their own data.

The Commission considers that embedding an overarching ‘fair and reasonable in the circumstances’ duty in the Privacy Act is the best way to achieve the objectives of outcomes-based privacy regulation. It would operate both proactively and reactively and would apply irrespective of consent to effectively shift responsibility for protecting personal information clearly onto regulated entities. To guide implementation, this duty should be further scaffolded in the Privacy Act by non-exhaustive principles-based factors including transparency, proportionality and necessity:

  • proportionality would balance interests between the benefit obtained against the burden imposed. Was the outcome for the regulated entity proportionate to the privacy impacts on the individual?
  • necessity would consider how the dealing with personal information is necessary to the functions and activities of the regulated entity.
  • transparency would consider whether the individual was provided with clear, current and understandable advice about the dealing with their personal information.

It also proposes implementation of the duty be further assisted through comprehensive supporting documentation such as regulatory guidance, industry codes, templates and guidelines.

Importantly, the Commission disagrees with the proposal in the Privacy Act Review to integrate a ‘fair and reasonable’ test within some of the existing APPs that would simply impose additional requirements on the collection, use and disclosure of information. Instead, the Commission recommends creating this standard to replace the existing APPs (with a 3 year transition period) to reduce complexity and cumulative regulatory burden.

This would be a radical change in the way organisations would have to manage privacy in Australia. We are concerned that the proposal:

  • Will give rise to greater uncertainty in interpreting the new fair and reasonable obligation in the absence of case law. While the APPs may not be perfect, there is a body of law and Privacy Commissioner determinations which give organisations the ability to make reasonable judgments about their level of compliance with the APPs. This change would require organisations to completely rethink and re-engineer their compliance processes and procedures, which would take significant time, effort and cost.
  • Would result in Australia being out of step with other jurisdictions, which would increase the regulatory burden for organisations that operate in multiple jurisdictions. Even if the outcome-based approach was more permissive than laws in other jurisdictions, the change would necessitate a review of existing compliance controls.  This is an issue for Australian-headquartered multinationals as well as multinationals with headquarters in the US, Europe or elsewhere.
  • May impede the flow of data into Australia, as it could cast further doubt as to the ‘adequacy’ of Australian privacy laws compared to other global standards such as the GDPR. So, it could have the effect of isolating Australia and making it impossible to run a business here that depends on having access to information from other jurisdictions.
  • Will give the Privacy Commissioner increased powers to effectively ‘make and change regulation’ through issuing and changing guidance and interpretation of the fair and reasonable obligation.
  • Will not necessarily do away with the APPs – a form of the APPs may be issued by the Privacy Commissioner to help guide organisations in what will be considered to be fair and reasonable and to add colour to the principles based factors of proportionality, necessity and transparency.

If the small business exemption is removed, perhaps the fair and reasonable outcomes-based approach could be applied only to small businesses with larger businesses still having to comply with the APPs. The simpler / more flexible model may be more suitable for small businesses as it will be less prescriptive (making it easier to ‘right-size’ their approach to compliance) and they are less likely to have concerns about alignment with international standards. Having said that, the issues about uncertainty would still apply, and small business may have less resources to devote to dealing with this uncertainty.

Regulation of AI

The Commission thought it likely that AI would significantly raise Australian productivity, but there is ongoing debate about the magnitude of this effect. While the magnitude of the effect was uncertain, it thought that multifactor productivity gains above 2.3% are likely over the next decade which would imply about an extra $116 billion of GDP over the next decade.

In light of this, and economic evidence that the European General Data Protection Regulation (GDPR) has been costly to implement, dampened economic activity and reduced innovation, the Commission warned that unnecessarily burdensome regulation risks forfeiting AI’s benefits and can stifle innovation.

It supported the Government’s National AI Plan that has moved away from the previously proposed whole of economy, technology-specific AI regulation, to an approach that leverages Australia’s existing legal frameworks to mitigate the risk of AI related harm, recommending that:

  • the Government should undertake a comprehensive set of ‘gap analyses’ to understand the risks stemming from AI and whether these risks can be dealt with under existing legal and regulatory frameworks;
  • where possible, the Government consider if any gaps in legal and regulatory frameworks created by the increased use of AI could be covered by existing regulatory frameworks with improved guidance and enforcement; and if not, how to modify existing regulatory frameworks to mitigate the additional risks;
  • only where the risk of harm cannot be adequately mitigated by changes to existing legal frameworks, should new laws be considered. New laws should be technology neutral, create a net benefit compared to the status quo, and (where possible) minimise divergences between Australian and overseas regulatory structures.

Finally, the Commission recognised that overall, most forecasts expect AI to increase the net number of jobs but could potentially displace some workers. If AI does displace a significant number of workers, the Australian Government may need to consider specific supports for retraining them, in addition to existing unemployment assistance.

We agree with and support this recommendation. It is consistent with our findings in our report for the Australian Finance Industry Association on the impact of AI on the Australian finance industry referred to here.

Copyright and AI

Acknowledging the Government’s decision to rule out the introduction of a text and data mining exception to the Copyright Act, the Commission recognised that Australia’s copyright settings make it difficult for AI developers to train their models in Australia.

However, it was not convinced that reforming copyright settings would necessarily incentivise AI training in Australia as there were other factors relevant to that decision, including the cost of electricity and availability of skilled labour. It considered that reform of copyright settings would only be justified if it did not greatly reduce the incentive to create new Australian works.

Ultimately the Commission considered that there was uncertainty in three key areas that made it difficult to design an effective policy response to the use of copyright material for AI training:

  • the scope and feasibility of AI related copyright exceptions overseas, and whether the laws in other countries did in fact allow unrestricted and unremunerated use of copyrighted material for AI training;
  • whether permitting unrestricted and unremunerated use of copyrighted material for AI training would reduce the incentive to create new Australian content; and
  • recognising the current impracticability of licensing open web material (which is a large part of what AI models are trained on), whether licensing markets for that material will emerge in the future without intervention.

Because of the uncertainties, the Commission recommended that the Government should wait and monitor them for three years. If, after three years, these issues have not resolved, the Government could (not ‘should’) establish an independent review of Australian copyright settings and the impact of AI.  

We think that the Commission’s task in relation to copyright settings was made more difficult by the Government’s decision to rule out a text and data mining exception to the Copyright Act. We think there is merit in re-examining the merits of introducing a broad fair use right in the Copyright Act that was previously recommended by the Productivity Commission in 2016 and the Australian Law Reform Commission in 2013.

CDR Reform

The Commission recognised the importance of the data economy to improving productivity but acknowledged concerns that the CDR, which was intended to improve data access and sharing in Australia was not currently operating optimally. It considered that overspecification of the CDR framework is preventing it from operating as intended.

Accordingly, the Commission recommended that the Government work to optimise existing data sharing initiatives, with the immediate goal of making the CDR work better for businesses and consumers in the banking and energy sectors (where it already operates). Some of the major optimisation proposals the Commission recommended are:

  • reducing duplication between the CDR framework’s bespoke privacy safeguards and the privacy protections under the Privacy Act which requires CDR participants to maintain two separate privacy systems for CDR and non CDR data. Importantly, this proposal is supported by the OAIC, which suggests the adoption of the Privacy Act as the sole regulatory regime;
  • consultation on introduction of a third party disclosure consent that would enable consumers to direct the disclosure of their CDR data to any third party of their choosing;
  • enabling government held datasets to be accessed through the CDR - for example, including Australian Tax Office (ATO) data to help improve access to credit, or integrating government data to speed up loan applications by reducing the need for manual documentation and verification; and
  • in the longer term, making the accreditation process accreditation model, technical standards and designation process less onerous.

While the Commission’s interim report suggested the introduction of simplified data access pathways for low risk data use cases, its final report acknowledges that this could add to existing regulatory complexity and data policy fragmentation without providing a net improvement in productivity outcomes for the economy.

Instead, the Commission supports rightsizing the existing CDR framework so that it has the potential, where necessary, to be used for a broader range of sectors and productive uses. What this means is that for designated use cases, the CDR framework could simply define which firms need to share data, what they need to share, and how. Additional blanket requirements should be kept to a minimum, and the Government should also avoid setting requirements that go above and beyond existing legislation, such as the Privacy Act.

We agree with and support these recommendations to improve the CDR and stimulate the data economy in Australia.

Mandating digital financial reporting

The Commission notes that Australia is one of only a few large, high-income economies where it is mandatory to submit financial reports in a non-digital form, such as in hard copy or as a PDF file. While the option to voluntarily submit digital financial reports has been available in Australia since 2010, but as of June 2025, no digital financial reports have been submitted.

Digital financial reporting would generate significant benefits:

  • Deloitte Access Economics has estimated that introducing a digital financial reporting mandate could add $7.7 billion per year to the Australian economy after five years.
  • Information in digital, machine-readable financial reports can be processed more efficiently and accurately which increases productivity by both saving workers’ time and improving the quality of their work.
  • It would assist bodies such as ASIC and the ATO in undertaking their functions and activities. For example, the US Securities and Exchange Commission has used digital financial reports to analyse its entire collection of submitted reports, including conducting automatic checks for missing disclosures and making aggregate queries relating to specific disclosures (such as gathering all reported research and development expenditures).
  • It could enable a number of innovative practices seen overseas, including the conduct of ‘big data’ research and analysis with the large volumes of data generated by digital financial reporting.

The Commission therefore recommended that:

  • digital financial reporting be made mandatory and should initially cover disclosing entities as defined in the Corporations Act; and
  • the transition to mandatory digital financial reporting should be phased and the appropriate thresholds for phased implementation be determined by the Treasury after consultation.

We agree with and support these recommendations to introduce digital financial reporting in Australia.

Comparison with Recommendations in Interim Report

The Commission’s interim report on data and digital technologies was issued on 5 August 2025. It received 75 questionnaire responses, 46 pre-interim submissions, and 728 post-interim submissions to that report.

We set out below the key recommendations of the Commission’s final report and how they changed from the interim report.

Theme
INTERIM POSITION
FINAL POSITION
AI regulation

AI‑specific regulation should be a last resort when existing frameworks cannot be adapted and technology‑neutral laws are not feasible. Gap analyses should be carried out as a matter of urgency.

Repeats the last‑resort test and explicitly identifies whole‑of‑economy frameworks (e.g., EU AI Act) and previously proposed Australian “mandatory guardrails” as measures that should not proceed absent proven gaps. 
AI and copyright

Considered copyright reform in the context of AI, and invited feedback on whether a text and data mining exception should be introduced into the Copyright Act.

Government should monitor the development of AI and its interaction with copyright by tracking licensing market development, creative incomes, and overseas legal developments over the next three years. 
Data access and portability

Proposed new, lower‑cost, flexible regulatory pathways outside the consumer data right (CDR), tailored by sector (e.g., industry‑led “snapshot” codes; standardised high‑frequency transfers), alongside existing regimes. 

The CDR should be “rightsized” by better supporting data access for high value uses while minimising compliance costs.

There is no need to create regulatory pathways or new data sharing regulations but supports rightsizing the CDR so that it has the potential to be used for a broader range of sectors and productive uses.
Privacy: regulatory model

Proposed the introduction of an “alternative compliance pathway” that enables regulated entities to fulfil their privacy obligations by meeting criteria that are targeted at outcomes, rather than controls-based rules. 

A more radical proposal to implement an overarching outcomes‑based privacy duty to handle personal information in a manner that is “fair and reasonable in the circumstances” and to phase out the Australian Privacy Principles. The outcomes-based duty would be supported by principles based factors for consideration including transparency, proportionality and necessity. 
Privacy: right to erasure

Recommended against implementing a GDPR‑style right to erasure due to high costs and uncertain benefits.

Maintained recommendation that a GDPR‑style right to erasure should not be implemented in Australia.
Digital financial reporting

Recommended mandating digital financial reporting for disclosing entities, removing hard‑copy/PDF requirements, and sought feedback on technical format, lodgement and access. 

Maintained recommendation 5.1 for digital annual and half‑yearly reporting by disclosing entities, and specified iXBRL as the format (with ASIC empowered to set format and update taxonomy). 

Now what?

It remains to be seen whether the Government will adopt the Commission’s key recommendations on privacy reform – we will wait with bated breath to see whether they will appear in the long anticipated Tranche 2 Privacy changes.

Reimagining Productivity: What should it look like?

As we support businesses confronting a myriad of tech-driven possibilities, we’re guided by the human imperative - the choices we make must provide us all with better long-term opportunity.

Categories

Key Contacts

Show MoreShow Less
Latest Thinking
Insight
Bendel: Commissioner ‘A loan’ in view that UPE was a loan for Division 7A purposes
The long-awaited High Court decision in Bendel has arrived!

12 June 2026

Insight
Queensland goes all in on critical minerals: Key changes under the SDPWO Amendment Bill 2026
Queensland has fired the legislative starting gun in the race for critical minerals investment.

05 June 2026

Insight
The forfeiture rule and superannuation death benefits: emerging issues for trustees
While the forfeiture rule is a longstanding position in law, its application to superannuation is not always clear.

05 June 2026

Explore Latest Thinking
Our People
Media Centre
About Us
Contact Us
Explore Our Expertise
Explore insights

Advertising and Targeting Cookies