House debates

Tuesday, 8 November 2022

Bills

Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022; Second Reading

5:29 pm

Graham Perrett (Moreton, Australian Labor Party)

I rise to speak on the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 without referring to the member for Berowra's contribution. The original bill is a clear demonstration of the Albanese government's commitment to taking privacy, security and data protection seriously. There aren't many people in Australia who haven't had to face the reality of some of their personal data being accessed after the recent Optus, Medibank and MyDeal cyberattacks and many others that have been in the media. I think everyone now has a better personal understanding of the potential for the serious financial and emotional harm that can be caused by a data breach. Since the reporting of the Optus data breach, the Queensland Department of Transport and Main Roads has had more than 180,000 applications from Queenslanders to change their licence numbers. Locally, at one of the transport and major road service centres in my electorate, in Sherwood, there were lines of hundreds of people wanting to apply for a new licence number. The Department of Transport and Main Roads reported that, in the first two days where Queenslanders affected by the Optus data breach could apply to change their licence, they received 16,000 applications to do so. Compare that with an average five-day week. In a normal five-day week, TMR would process around 30 applications—three zero—so you can see what one data breach can do, and this highlights the sheer size and effect this data breach had not only on Queenslanders but obviously all around the nation.

This has emphasised the need for all levels of government, all businesses and all organisations to have an obligation to make sure they are protecting Australians' personal data. The bill before the chamber will provide Australians with confidence that their data will be protected in four ways: (1) significantly increasing the penalties, so the stick is there; (2) giving the Australian Information Commissioner new powers to make sure that stick is wielded properly; (3) strengthening the notifiable data breaches scheme; and (4) giving information-sharing powers to the Information Commissioner and the Australian Communications and Media Authority.

The Albanese government has moved swiftly at every stage of its response to the Optus data breach, unlike the Abbott-Turnbull-Morrison governments that sat on their hands and ignored the many cybersecurity warnings handed out over the past decade. In contrast, the Labor government's response has helped assure Australians that their compromised identity documents can be replaced. We assisted with coordinating actions between agencies and took steps to enable Optus to share information with financial institutions to detect and prevent fraud. This bill is yet another example of the Albanese government making decisions and acting on the many challenges we all face in the fast-changing digital age.

Returning to the first point, this bill will provide Australians with confidence their data will be protected by increased penalties for serious or repeated breaches of privacy. Right now a penalty for a serious or repeated breach is $2.2 million. This bill will increase the penalty to not more than $50 million or three times the value of any benefit obtained through the misuse of information or, if the value of the benefit obtained cannot be determined, 30 per cent of a company's domestic turnover in the relevant period. In anyone's language, that is a substantial increase and it moves penalties away from just being about the cost of doing business to a substantial incentive to increase and invest in cyber and data safeguards and protections to look after Australians. These new penalties mirror those proposed in the government's Treasury Laws Amendment (More Competition, Better Prices) Bill 2022, ensuring an alignment of penalties across Australian privacy and consumer laws. Importantly these new penalties meet the community's expectations about the importance of protecting their personal data.

The second component of this bill is about strengthening the Notifiable Data Breaches scheme. It does this by empowering the Information Commissioner to assess an entity's compliance with the scheme's requirements. These assessments are an important educational tool and this power will assist entities in ensuring they are meeting all of their requirements.

The Information Commissioner will also have new information-gathering powers in the scheme's reporting and notification requirements. This is necessary to provide the Information Commissioner with a comprehensive understanding of the information that may or may not be compromised in a breach. It will allow the commissioner to assess the particular risk to individuals and to take actions, such as issuing a direction for the entity to notify individuals who have been affected by a data breach—so to avoid the cover-up.

The third part of this bill delivers more powers to the Information Commissioner to resolve privacy breaches, such as: powers empowering the Commissioner to publish notices about specific breaches of privacy or otherwise ensure those directly affected are informed; enabling the commissioner to compel entities to take external reviews to improve practices to reduce the likelihood of committing a breach again in the future; to provide the commissioner with new information-gathering powers to conduct assessments; and new infringement notice powers if an entity fails to provide information without the need for protracted litigation.

It will also ensure, even in this globalised world, that Australia's privacy laws remain fit for purpose. This bill will do so by ensuring that the Privacy Act can be enforced against global technology companies. Many of these companies will process Australia's information services in other countries, so this bill will amend the act's extraterritoriality provisions to encapsulate these companies in these provisions. This will mean that, even if these foreign organisations do not collect or hold Australians' information directly from a source in Australia, they must still meet the obligations under the act if they wish to carry out business in Australia.

One of the lessons learned from the recent breaches is that Australians want and need greater transparency and access to information about what has happened and, importantly, what is happening. To this end, the bill will ensure Australians are informed about privacy issues. It will provide the commissioner an express power to publish a final determination following a privacy investigation and information about a final assessment report. The commissioner will also be able to publish information about other matters, such as an update about an ongoing privacy investigation, if it is in the public interest. The commissioner will also be able to share information with enforcement bodies, alternative complaint bodies and privacy regulators for the purpose of the commissioner or the receiving body exercising their functions and powers. The Australian Communications and Media Authority will also be provided with better powers to share information within government for enforcement purposes. This will drive better cooperation between regulators in order to deliver better outcomes for Australians.

We have heard, from the opposition, complaint after complaint about the Albanese government not acting fast enough. However, when you look at things in perspective, those exact same people who complained the loudest about a lack of action need to have a good, long, hard look at themselves in the mirror. Many were part of the Abbott-Turnbull-Morrison government, which, for almost a decade, did close to nothing. Ultimately, no online privacy code was ever finalised or introduced to parliament. To make matters even worse, their proposed code wasn't even linked to responding to data breaches. It didn't contain any measures to improve the Notifiable Data Breaches scheme under the Privacy Act. They ignored the many stakeholders who indicated a preference for the code to be considered as part of the Privacy Act review. Compare that to the actions that the Albanese government has undertaken. Look at the tabling of this bill in just over six months after coming to office.

This bill is an important and pressing reform that will make sure penalties for privacy breaches adequately reflect community expectations, and it will ensure Australia's privacy regulator has the enforcement tools necessary to effectively deter the misuse of Australians' personal information. I recommend the original bill to the House.

5:37 pm

Zali Steggall (Warringah, Independent)

I rise to speak on the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022. Whilst the title may not give it all away, for the public and Warringah constituents, this is very much around data privacy and so very much at the forefront of many people's minds. This bill significantly increases penalties for serious or repeated privacy breaches. It provides the Australian Information Commissioner with a suite of improved and new powers to resolve privacy breaches efficiently and effectively. It ensures that the Information Commissioner has comprehensive knowledge of the information compromised in a breach, to assess the particular risk of harm to individuals. It gives the Information Commissioner and the Australian Communications and Media Authority greater information-sharing powers and it increases extraterritorial reach. In many ways, it is very welcome and much needed.

In December 2019, the then Attorney-General announced that the Australian government—the previous government—would conduct a review into the Privacy Act, which aimed to investigate the effectiveness of Australia's current data protection regime to ensure that it protected consumers and their data and best served the Australian economy. Since many of these amendments are the result of that inquiry and certainly very good, the carving out of the provisions of the online privacy bill and their inclusion in this enforcement bill has been prompted by the very recent and significant data breaches. As the minister said in his second reading speech:

These amendments are targeted and measured. They respond to the most pressing issues arising from the Optus data breach and other recent cyber incidents.

I should say that I've received a lot of correspondence from constituents on this issue, and they are greatly concerned.

Some of the aspects that I wholeheartedly support in relation to this measure are the greatly increased penalties, which will provide a real incentive for organisations to properly and thoroughly address how to best protect consumers' data and privacy. But there does need to be real consideration of just how much data is appropriate to hold.

I think this is also something that members in this place need to grapple with in relation to political parties and members of parliament: how much data is being held and whether that is being done in a safe way. We know there's a lot of accumulated data in relation to constituents, especially from the major parties, through the course of many years of being in the political system. On that information, there is a real question. What's good for the private sector should also be good for government and should also be good for politicians. I do think there is a question around the data retention policy around members of parliament and political parties that will need to be addressed, and I will be raising that in more detail with the government.

This bill also expands the enforcement and information-sharing powers granted to the Office of the Australian Information Commissioner, and these are tools which will enable far more comprehensive and proactive oversight and effective policy. However, simply leaving it on that basis would be inadequate and naive, and I want to make sure that this is very real for everyone inside and outside. We need to make sure that this is very well understood and that there are sufficient deterrents in the legislation to make sure the private sector in fact does better.

We know that modern-day commerce involves a lot of retention of data on how to understand consumers' behaviours and markets and to better target marketing and sales pitches. Of course, with that comes a high level of risk, as we've seen with recent incidents. Ultimately, the inconvenience, but also the risk, falls on the consumer, who inadvertently has that information being held and is really exposed in a way that I think is unacceptable. It is the reality of our modern world that we are all connected. So much of our habits, practices and lifestyles are in the form of data and are held, but we need to make sure legislation is updated and modernised to keep up with our modern world.

In relation to some of the feedback I've had from constituents, it's really important for me to convey to the government and to the parliament the concerns so many people have. A lot of them have been quite surprised at the extent of information and data that have been accessed, when they will know and when they will tell me. When data breaches occur, the issue is that need for very good, clear, prompt communication with impacted parties, and that, I think, has not always occurred from the private sector.

Another constituent has written to me and said that he felt his attempts to replace his licence and Medicare card, stop his credit agency's report and lodge a police report illustrated the disjointed processes, inconsistent information and number of agencies not knowing what was required. He found that incredibly difficult and time-consuming to navigate. Others have very much urged me to urge the government to fix these problems rather than waiting for the storm to pass. I would have to say that, so many times in this place, we have passed legislation in a reactive way. We are fixing a problem when the cat is already out of the bag and we've already had the problem. It's really important to have inquiries or audits around current legislation and whether it is, in fact, fit for purpose and fit for the challenges we are going to continue facing. We know cybersecurity and data is our current reality, but it is where so much will be determined in the future.

Another constituent raised with me the Optus events. From their perspective, the ongoing federal government has failed to deal with this, and they raised their feeling that Australia is out of step with many similar jurisdictions, such as the EU, in terms of having clear, unambiguous legal liability for individual directors for these types of data protection breaches and their feeling that the government still fails to listen to analysts, industry leaders and lobby groups around what best practice should look like in this case. I must say, I have certainly grappled with this myself, in trying to understand what is best practice in other jurisdictions and how that should be applied here to my own retention of information. So I think it behoves all of us to be very mindful of this aspect of our constituents' lives and how much this data retention impacts everyone.

But I do commend this bill to the House. I commend the government for acting upon it.

I have some questions, though, for the Attorney-General. For example, when will the Attorney-General's review of the Privacy Act be complete and a timeline provided for introduction and implementation? What additional changes are being considered to the review, given recent data breaches? When will the investigation into Optus be complete? How will its recommendations be handed out, and will they be made public? Will there be an investigation into the Medibank data breaches? As to the obligation to include how data breaches are managed as part of risk management, should that be mandatory for businesses and agencies, to ensure a seamless and efficient process? And, of course, how will the government ensure that this happens? We need to be more innovative, creative and collaborative in how we develop and implement regulations. The on-the-ground problems need to be remedied. What is the Attorney-General's plan to achieve this?

The Office of the Australian Information Commissioner can and should take a more active role in assisting and working with business, especially small business, to implement crucial legislation—in particular, this bill—and provide better consumer outcomes. We know that, for small and medium businesses, it is incredibly hard as soon as regulatory regimes change and they have to comply—especially if they are from a non-English-speaking or migrant background. So it always comes back to this: when we change laws, we must ensure there is adequate support for small business to be able to actually comply with and understand their obligations. We must also be diligent and thorough in pursuing those who fail to comply, and, for me, there is still a bit of a question about what action will happen in that space.

So this is a great first step, but I urge the government and the department to continue looking for more solutions, because data retention and breaches and privacy are very much our problem, now and for the future.

5:47 pm

Anne Stanley (Werriwa, Australian Labor Party)

Over the past few months, we've seen significant, high-profile data breaches, with the personal data of millions of Australians being compromised. Many have been forced to suspend their lives to avoid serious financial consequences. And, unfortunately, this is becoming more common and will continue in frequency if nothing is done about it.

According to the 2020 Australian Community Attitudes to Privacy Survey conducted by the Office of the Australian Information Commissioner, Australians were already concerned about their data. Seventy per cent saw the protection of their personal information as a concern in their life, and yet only 24 per cent felt that their privacy was well protected.

Australians deserve to feel that their data is safe, because often the information at risk is about their identity. It's passport numbers, bank account details, licence numbers and Medicare details, and, with the latest Medibank Private breach, even health records. A leak has the potential to cause immeasurable damage to a person's life, and that potential can cause extreme stress. We've seen that in the recent high-profile data breaches at Optus and Medibank.

I've had affected constituents tell me that they are in a constant loop of anxiety and fear. They're unsure about what has been compromised, when it was compromised and whether the fact that they have changed their licences or passports will make a difference if the compromise continues.

These data breaches cost Australians not just financially but socially, and the companies that require personal information from their customers must ensure that it is secure. The industries most at risk are those that hold incredibly sensitive information, with health making up 18 per cent of the breaches that occurred between July and December 2021 and financial institutions coming second. Australians must be assured that these vital industries are protecting their data, and the government is doing all it can to ensure this is the case. That's why this legislation is so important. We can't let the breaches that have already occurred go by without a reaction, and we cannot ignore this moment; we must learn from it.

The Albanese government has introduced this bill as a targeted response, incorporating the lessons from the past data breaches. Unfortunately, despite the increased sensitivity and awareness of the personal data companies hold, it is users that are still being left to organise what has happened to them, and so many companies are still very underprepared both proactively to protect this data and reactively to ensure that, in the event of a breach, they assist their customers. That is what this legislation seeks to enact. That is why the bill will increase the penalties for privacy breaches from $2.22 million to $50 million. Companies that hold the personal data of Australians must know there are significant consequences if they fail to protect it. There is no longer an excuse for this.

The increased penalties will send a serious message to companies and to Australians that personal data is just that: personal, and it should be kept safe. Increasing penalties is important. However, in the absence of other measures, it will not be enough. The bill contains several measures to modernise the Privacy Act to better protect Australia. Enhanced enforcement powers will be given to the Australian Information Commissioner. The commissioner will have greater power and will be able to require entities to undertake external reviews in the event of the data breach and conduct assessments on compliance and obligation, even if they do not collect the data of Australians directly.

In an increasingly interconnected world, data collection can be complex and intricate, and data can be transferred between entities that may not operate servers in Australia. It's time Australia's privacy laws were modernised to account for this type of data management. Australians can be assured that our government is doing what it can to ensure that data breaches do not occur and that, in the event they do, the regulatory bodies will be able to act fast to reduce the damage. It's the least that Australians can expect.

To reiterate the point, this is not trivial. If leaked, it could be potentially destructive to a person's life and their financial security. In 2020, 59 per cent of Australians experienced issues with the handling of their personal data in the previous 12 months, including unsolicited marketing without consent and the collection of data that was unnecessary. That number is far too high, and this bill is the first step in reassuring Australians in the face of these latest data breaches, which unfortunately are not exceptional.

Between 1 April 2018 and 31 March 2019, the OAIC received approximately 1,000 data breach notifications. Between 1 July 2019 and 21 March 2020, it was almost 60,000. IBM has estimated in a report that they recently released that the average cost to businesses of a data breach is $4.1 billion. The report highlights the fact that many companies are deploying greater security frameworks, but there are still a substantial number of businesses who just aren't. The longer it takes a company to detect a breach, the worse off Australians are, and this metric isn't improving, with the report noting detection now takes weeks longer to be noticed. The increase to the penalty will incentivise companies to act proactively. And, if need be, our regulatory bodies will use the power given to them by the legislation to address the failings of entities that do not provide the information required by them under the Privacy Act.

Additionally, Australians expect all levels of government and regulatory bodies to work together when faced with a large-scale data breach. The commissioner will have increased powers to share and disclose information with enforcement bodies, complaint bodies and privacy regulators. Again, their situations are time sensitive, and information sharing between different levels of government and different regulators is essential for containing the potential damage.

Importantly, this legislation will only be the beginning. With a review of the Privacy Act due by the end of the year, the government will work to further strengthen and modernise our existing laws to suit the fast-growing digital environment. I, and I think many in my community, will be glad to see our government act to prevent future data breaches and to hold these companies to account. I commend the bill to the House.

5:55 pm

James Stevens (Sturt, Liberal Party)

I start by sharing the extreme apprehension, concern and anger of members of my electorate who have been affected by data breaches in recent times. Obviously there have been two very high-profile examples—Optus and Medibank. In the case of Medibank we're still seeing the consequences of that unravel before our eyes. Many might be aware of the threats that have been reported in the media that the release of information could still possibly be imminent. People quite reasonably should expect their personal medical information to be protected. It is very much a concern that we could see—and I hope we don't—data that was stolen from Medibank released publicly and the privacy of potentially millions of people breached as a result of that. Like I said, medical information in particular is very sensitive and personal. We should have very great concern for people who may be potentially affected by that.

These two breaches have really shone a spotlight on the information that is collected by private companies, the apparent ease—evidently—of it being plundered by criminals and the fact that we probably haven't fully appreciated what information is recorded and retained by private companies. It has evidently been straightforward and easy for that information to be accessed. Why is there such a flimsy regime of protection in place for such sensitive data? I'm not defending either company involved, but we should also remember that clearly and obviously these are not two isolated examples. In fact, the examples we know about are a lot less concerning than the ones we don't know about.

The data breaches in recent times have shown that there is an enormous public relations impact on companies when it is revealed that they have lost important sensitive information on their customers. There is some indication now that Optus have lost about 10 per cent of their customer base since the revelation that they lost sensitive information on their customers. That 10 per cent may well increase in the future by way of reputational damage. I'm not aware of what the impact on Medibank has been, but I would think it's reasonable to assume that there will be an apprehensiveness amongst their existing customers and their future customers.

In the case of Optus we know that it was not only existing customers but also previous customers—in some cases going back years. They were no longer even customers of Optus, yet their information was stolen from a private telecommunications company, which you would think would have some of the highest data protection standards, given the line of business that they're in.

These are extremely concerning events that have happened in recent times. The point I make on reputational damage is that I'm also concerned, without any evidence, that there could be other companies that have suffered breaches that have considered—or will in the future consider—concealing those breaches on the basis that the damage to their business would be so significant, as they've seen the reputational impact on those businesses that have in different circumstances gone public on the data breach that they've had. That indicates even more that we need to respond by making sure that we've got the strongest possible regime in place.

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 is really an interim bill. The Attorney-General has indicated that the review into the Privacy Act that was initiated a few years ago is hopefully progressing as rapidly as possible and that more comprehensive legislative change will be able to be brought to this parliament as soon as possible, because what is proposed in this bill by no means addresses a whole range of other issues that I am certain will be identified through that review into the Privacy Act. The Privacy Act was really conceived in the 1980s and has no doubt been amended piecemeal on an ad hoc basis over the intervening decades, but the fundamental legislation was conceived in a time before all sorts of technologies and all sorts of abilities to retain data, particularly in the digital world, that now exist.

I certainly look forward to an opportunity to participate in legislating a dramatic overhaul of the Privacy Act insofar as what's required to better protect data, and also to put a much higher onus on all those that retain data, particularly major companies with major customer bases of Australians that keep information that can be used in a very harmful way against those people if misplaced or stolen. We know that data theft, particularly in the digital world, and the impersonation of people in the digital world is going to become an ever-growing area of crime to be greatly concerned about. We need to be acting to make sure that our legislative processes are as strong and robust as possible.

In the last parliament, we debated a number of bills related to critical infrastructure. I really think that data protection is in that same sort of place. I recall, in contributing on those debates, that we put significant requirements in place around critical infrastructure that was not in the government's hands as well as critical infrastructure that's in the government's hands. For privatised critical infrastructure we put a serious regime in place for reporting cyberattacks and other risks to those assets. The data of Australians is very much an asset and is very much critical. It's not just incumbent upon us; it's vital and it's a responsibility we have to the people of Australia to make sure that we've got the strongest protections in place. That includes making sure that penalties are in place. Where we're dealing with companies that keep a lot of data, there has to be a framework around what they can keep; what strength and hardening of the storage of that data is in place, perhaps putting stronger standards around what they can keep, what they can't keep and for what periods of time; and what the penalties are for them when, through clear negligence and not following those requirements, there is a breach.

I accept that in this bill there are some interim measures, but we are very much waiting for, as rapidly as possible, a broader set of legislative reform to come forward to the parliament. I definitely support the shadow Attorney-General's amendment on this bill. Nonetheless, we will support the bill beyond that through the parliament and look forward to further reform in this area and hopefully in the near future. I commend the bill to the chamber.

6:03 pm

Mark Dreyfus (Isaacs, Australian Labor Party, Cabinet Secretary)

I thank the honourable members for their contributions to the debate on this important bill. The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 is a priority for the Albanese government and sends a clear message that entities must take privacy, security and data protection seriously. Data breaches have the potential to cause serious financial and emotional harm to Australians.

Increasing penalties for a serious or repeated breach of privacy will incentivise entities to take stronger privacy and cybersecurity measures to protect the personal data that they hold. Setting these penalties at a higher level will accord with Australian community expectations about the importance of protecting their personal data. The maximum penalty, while operating as a statutory cap, does not otherwise constrain the exercise of the court's discretion to impose a penalty which is appropriate to the seriousness of the misconduct and harm or potential harm. This will be complemented by a range of enhanced enforcement powers to equip the Australian Information Commissioner with the tools necessary to take effective and efficient enforcement action where necessary.

Greater information sharing arrangements for privacy and telecommunications regulators will ensure Australians are informed about emerging privacy issues and will ensure these regulators are able to work together to take prompt action to minimise harm to Australians. The bill is an essential part of the government's agenda to ensure Australia's privacy framework is fit for purpose and responds to new challenges in the digital era. I confirm that the government will carefully consider submissions made to the inquiry of the Senate Standing Committee on Legal and Constitutional Affairs, including submissions from business, industry and consumer advocates, and will consider the committee's report and any recommendations made. I also note that a number of submissions have referred to issues which are relevant to the broader review of the Privacy Act being undertaken by my department, which is scheduled to report by the end of the year. This review will inform the government's consideration of further reforms to ensure our privacy law remains fit for purpose and responds to new challenges in the digital era.

This bill is an important and pressing reform that will make sure penalties effectively deter the misuse of Australians' personal data and that will ensure Australia's privacy regulator has the enforcement tools necessary to resolve privacy breaches efficiently and effectively. The bill is a reflection of community expectations and demonstrates the Albanese government's commitment to keeping Australians' data protected. I thank all honourable members of this House for their contributions to the debate and commend the bill to the House.

Andrew Wilkie (Clark, Independent)

The original question was that this bill be now read a second time. To this the honourable member for Berowra has moved as an amendment that all words after 'That' be omitted with a view to substituting other words. The immediate question is that the amendment be disagreed to.

Question agreed to.

Original question agreed to.

Bill read a second time.

Ordered that this bill be reported to the House without amendment.