Zali Steggall (Warringah, Independent) Share this | Hansard source

In today's digital world, privacy is becoming an increasingly precious commodity. With so much of our lives shared online, Australians are rightly concerned about how to safeguard their personal information. A recent survey shows that 89 per cent of people want stronger laws to protect their personal information. Although, concerningly, only 32 per cent of Australians feel they have control over their own data. That is telling. Our current Privacy Act is outdated and does not account for the complexities of the internet, smartphones or the digital identities we all have. The massive amounts of data we generate come with risks and make us particularly vulnerable to scams or exploitation. In fact, 74 per cent of Australians feel data breaches are one of the biggest privacy risks they face today.

It's clear that we must strengthen our privacy laws so that Australians can confidently navigate the digital landscape without fear of losing control of their most personal information. As I mentioned in this place only a few weeks ago, scams are rising and causing a lot of heartache to so many in our community, including in Warringah. It impacts people of all ages—we have to be clear about that. Ninety-six per cent of Australians were exposed to scams in the five years up to 2021 alone, and that has been increasing in the last few years. In 2023, we lost some $2.74 billion to scammers, which is more than $5,200 per minute. Much of it is online.

We need strong, robust and up-to-date privacy laws that the public can trust and that can be a key part of our economic success. It means government and companies of all stripes must invest in the appropriate measures to keep people's information and data safe. Too often, we hear of data breaches that are impacting a huge amount of Australians. We've seen so many of those incidents in recent years. Think back to the hacking of Medibank and Optus. These are trusted brands, but there you go—data was taken. People's personal information was hacked and used for malicious purposes.

Almost four years since the privacy act review commenced, we now have the first stage of reform before the House. Many feel it does not quite hit the mark and address how many feel about privacy in Australia in 2024. The bill does finally introduce a statutory tort for serious invasion of privacy, and that has been anticipated for more than a decade. It's good to finally be there. It will allow Australians to sue for damages for serious invasions of privacy. This is either an intrusion into seclusion—for example, being filmed in a private place—or misuse of information relating to a person where they had a reasonable expectation of privacy.

I think it's important to emphasise that the threshold has been put at 'serious invasions of privacy', so the law will only apply if that invasion is considered serious—it meets that threshold—and is committed intentionally or recklessly. Serious harms caused by an organisation's negligence would not be enough, which is concerning, because those are certainly the most high-profile data breaches and have impacted the highest number of people.

The bill also includes an anti-doxxing offence, with prison sentences of up to seven years. It's in part a response to an incident earlier this year, when the personal details of hundreds of Jewish members of an online support group were published without their consent, leading to great concerns about so many in the community. It also provides a process for a potential children's privacy code and tiered penalties that provide lower fines for more minor breaches of the act.

It is good to see this bill not place any further compliance obligations on small businesses. We know that is a difficulty. And, whilst we want everyone's privacy and information protected, it falls to larger companies and corporations, particularly the social media companies and platforms, to do much of the heavy lifting in this area. Small businesses are already under immense pressure and have faced a plethora of new laws and compliance obligations in the last few years. Whilst many are still struggling from the effects of the pandemic and subsequent cost-of-living crisis, the exemption in the Privacy Act for entities with less than $3 million annual turnover ensures a degree of nuance between small and medium enterprises and larger ones that have the resources to fulfil the compliance obligations of the act.

Nevertheless, it is a high-stakes road map. (Extension of time granted.) There are some shortcomings in this bill to modernise our privacy laws. The most significant, impactful proposals to reform the Privacy Act, long flagged by the government as its policy intent and expected by the industry, have all been left out of the bill. I do have questions for the Attorney-General as to why that has happened. The suggestion is that these will be in a second-tranche bill sometime after the next election. Unfortunately, that doesn't give much confidence when people are concerned about those elements being missing in this legislation.

The bill as it stands will not address any of the systemic problems with toxic social media, intrusive data brokering, online tracking, profiling and targeting or the algorithms which push hate speech, misinformation and other harmful content. However, there are two potential changes, dealing with foundational matters, that could be made now to this bill that the government already says it plans to make. I would urge the Attorney-General to consider these changes to the bill now to make sure we have those additional protections.

As such, the two suggested amendments would go a long way to tackling the excessive practices of larger companies, such as—in recent news—Meta scraping all of its Australian users' data to train its AI, which they don't do to Facebook users in Europe because the EU's definition of consent in their equivalent law is stronger. So Australians have been left less protected than Facebook users in Europe because of that definition, and so that is something I urge the Attorney-General to turn his mind to and to consider in this legislation now, rather than delaying.

The change includes clarifying and updating the definition of 'personal information' to ensure that modern digital practices are within the scope of the regulation, and clarifying and updating the definition of 'consent' to reflect community expectations that individual consumers should not be tricked into online and offline surveillance activities without their active choice and consent. I urge the government to consider such amendments, as they will enhance this bill as it stands now and will go some way to assure Australians that we in this place and the government are making changes that are up to date in a very rapidly changing digital world.

I would also ask the government to consider amending the laws of contempt as part of its wider privacy reform considerations—specifically, as to the way court materials are and have been leaked to the media in recent instances: in particular, in the case of the proceedings relating to incidents in this place, and such as the Lehrmann civil trial that concluded earlier this year. It's clear that material that reached the media was obtained under court order, but there were no repercussions for this breach. The difficulty is that our privacy laws allow exceptions for news and media. That is appropriate in a democracy; we want free media. But with that freedom come responsibilities: for it to be used in accordance with the law, in accordance with the rules—especially our rules in court—and with due care and responsibility, and I feel that that has been lacking. That line has been blurring for some time, and it's time for there to be some regulatory catch-up to ensure all in our public discourse deal with information sensitively and appropriately, especially when it involves private material that is then used in the media inappropriately. It's an issue I intend to continue looking at, in particular through legislative amendments.

So I will support the bill. I welcome amending the Privacy Act to bring the act up to date and increase those protections, But again I urge the government to be bolder and to more quickly look at what outside experts are proposing and asking for and to consider these two specific amendments in relation to the definition of 'consent' and 'private information', to ensure this current tranche of reform meets the desired intent of providing greater protection for privacy for Australians online.

See this speech in context