House debates

Wednesday, 6 November 2024

Bills

Privacy and Other Legislation Amendment Bill 2024; Consideration in Detail

10:38 am

Zali Steggall (Warringah, Independent)

In today's digital world, privacy is becoming an increasingly precious commodity. With so much of our lives shared online, Australians are rightly concerned about how to safeguard their personal information. A recent survey shows that 89 per cent of people want stronger laws to protect their personal information. Although, concerningly, only 32 per cent of Australians feel they have control over their own data. That is telling. Our current Privacy Act is outdated and does not account for the complexities of the internet, smartphones or the digital identities we all have. The massive amounts of data we generate come with risks and make us particularly vulnerable to scams or exploitation. In fact, 74 per cent of Australians feel data breaches are one of the biggest privacy risks they face today.

It's clear that we must strengthen our privacy laws so that Australians can confidently navigate the digital landscape without fear of losing control of their most personal information. As I mentioned in this place only a few weeks ago, scams are rising and causing a lot of heartache to so many in our community, including in Warringah. It impacts people of all ages—we have to be clear about that. Ninety-six per cent of Australians were exposed to scams in the five years up to 2021 alone, and that has been increasing in the last few years. In 2023, we lost some $2.74 billion to scammers, which is more than $5,200 per minute. Much of it is online.

We need strong, robust and up-to-date privacy laws that the public can trust and that can be a key part of our economic success. It means government and companies of all stripes must invest in the appropriate measures to keep people's information and data safe. Too often, we hear of data breaches that are impacting a huge amount of Australians. We've seen so many of those incidents in recent years. Think back to the hacking of Medibank and Optus. These are trusted brands, but there you go—data was taken. People's personal information was hacked and used for malicious purposes.

Almost four years since the privacy act review commenced, we now have the first stage of reform before the House. Many feel it does not quite hit the mark and address how many feel about privacy in Australia in 2024. The bill does finally introduce a statutory tort for serious invasion of privacy, and that has been anticipated for more than a decade. It's good to finally be there. It will allow Australians to sue for damages for serious invasions of privacy. This is either an intrusion into seclusion—for example, being filmed in a private place—or misuse of information relating to a person where they had a reasonable expectation of privacy.

I think it's important to emphasise that the threshold has been put at 'serious invasions of privacy', so the law will only apply if that invasion is considered serious—it meets that threshold—and is committed intentionally or recklessly. Serious harms caused by an organisation's negligence would not be enough, which is concerning, because those are certainly the most high-profile data breaches and have impacted the highest number of people.

The bill also includes an anti-doxxing offence, with prison sentences of up to seven years. It's in part a response to an incident earlier this year, when the personal details of hundreds of Jewish members of an online support group were published without their consent, leading to great concerns about so many in the community. It also provides a process for a potential children's privacy code and tiered penalties that provide lower fines for more minor breaches of the act.

It is good to see this bill not place any further compliance obligations on small businesses. We know that is a difficulty. And, whilst we want everyone's privacy and information protected, it falls to larger companies and corporations, particularly the social media companies and platforms, to do much of the heavy lifting in this area. Small businesses are already under immense pressure and have faced a plethora of new laws and compliance obligations in the last few years. Whilst many are still struggling from the effects of the pandemic and subsequent cost-of-living crisis, the exemption in the Privacy Act for entities with less than $3 million annual turnover ensures a degree of nuance between small and medium enterprises and larger ones that have the resources to fulfil the compliance obligations of the act.

Nevertheless, it is a high-stakes road map. (Extension of time granted.) There are some shortcomings in this bill to modernise our privacy laws. The most significant, impactful proposals to reform the Privacy Act, long flagged by the government as its policy intent and expected by the industry, have all been left out of the bill. I do have questions for the Attorney-General as to why that has happened. The suggestion is that these will be in a second-tranche bill sometime after the next election. Unfortunately, that doesn't give much confidence when people are concerned about those elements being missing in this legislation.

The bill as it stands will not address any of the systemic problems with toxic social media, intrusive data brokering, online tracking, profiling and targeting or the algorithms which push hate speech, misinformation and other harmful content. However, there are two potential changes, dealing with foundational matters, that could be made now to this bill that the government already says it plans to make. I would urge the Attorney-General to consider these changes to the bill now to make sure we have those additional protections.

As such, the two suggested amendments would go a long way to tackling the excessive practices of larger companies, such as—in recent news—Meta scraping all of its Australian users' data to train its AI, which they don't do to Facebook users in Europe because the EU's definition of consent in their equivalent law is stronger. So Australians have been left less protected than Facebook users in Europe because of that definition, and so that is something I urge the Attorney-General to turn his mind to and to consider in this legislation now, rather than delaying.

The change includes clarifying and updating the definition of 'personal information' to ensure that modern digital practices are within the scope of the regulation, and clarifying and updating the definition of 'consent' to reflect community expectations that individual consumers should not be tricked into online and offline surveillance activities without their active choice and consent. I urge the government to consider such amendments, as they will enhance this bill as it stands now and will go some way to assure Australians that we in this place and the government are making changes that are up to date in a very rapidly changing digital world.

I would also ask the government to consider amending the laws of contempt as part of its wider privacy reform considerations—specifically, as to the way court materials are and have been leaked to the media in recent instances: in particular, in the case of the proceedings relating to incidents in this place, and such as the Lehrmann civil trial that concluded earlier this year. It's clear that material that reached the media was obtained under court order, but there were no repercussions for this breach. The difficulty is that our privacy laws allow exceptions for news and media. That is appropriate in a democracy; we want free media. But with that freedom come responsibilities: for it to be used in accordance with the law, in accordance with the rules—especially our rules in court—and with due care and responsibility, and I feel that that has been lacking. That line has been blurring for some time, and it's time for there to be some regulatory catch-up to ensure all in our public discourse deal with information sensitively and appropriately, especially when it involves private material that is then used in the media inappropriately. It's an issue I intend to continue looking at, in particular through legislative amendments.

So I will support the bill. I welcome amending the Privacy Act to bring the act up to date and increase those protections. But again I urge the government to be bolder and to more quickly look at what outside experts are proposing and asking for and to consider these two specific amendments in relation to the definition of 'consent' and 'private information', to ensure this current tranche of reform meets the desired intent of providing greater protection for privacy for Australians online.

10:48 am

Mark Dreyfus (Isaacs, Australian Labor Party, Cabinet Secretary)

I welcome the support of the member for Warringah for the bill, the Privacy and Other Legislation Amendment Bill 2024. Just in relation to the questions that she's asked in respect of possible amendments, particularly the updating of the wording in the definitions of 'personal information' and 'consent': as I've made clear in introducing this bill, this is the first stage of the government's commitment to amending the Privacy Act overall, with the intent of providing individuals with greater control over their personal information. The particular matters that the member for Warringah has mentioned—that is, the definitions of 'personal information' and 'consent'—were matters that were considered as part of the broad Privacy Act review that was undertaken by the Attorney-General's Department. We published both the review and the government's response to that review earlier this year. The government has agreed in principle that the definitions of both of those terms should be updated, and I want to make it clear that we intend to continue to advance the proposals that we have agreed in principle to progress in our response to the Privacy Act review. We are continuing with targeted consultation with stakeholders on draft provisions. It's very important to ensure that amended definitions, which are obviously foundational to the operation of the Privacy Act, are drafted carefully, so that they're fit for purpose and workable in a diverse range of contexts. At this point in the process, the government doesn't support amending the definitions as currently proposed.

10:49 am

Josh Burns (Macnamara, Australian Labor Party)

I want to start by reading some words, published in the Jewish Independent, from the wonderful Lee Kofman, a Jewish writer in my community:

The covert and overt antisemitism my Jewish peers and I began experiencing ... I had to do something, otherwise I feared I'd sink into depression ... This led to the establishment of the WhatsApp group—for mutual support and self-preservation.

Lee started a WhatsApp group with Jewish artists so they could support one another and have a safe space to grieve. Six hundred members of the community joined because they too needed a space to share. In January this year, the names and details of members of this WhatsApp group were published online, including photos of Jewish artists with the caption 'genocidal'. The workplaces of Jewish business owners were boycotted. Jewish artists were declined job opportunities. Their children were threatened. Some people even had to move home. What we saw happening to the Jewish community was more than a trend. It wasn't just hurtful; it was dangerous. It had real consequences.

To me, what was just as concerning was how people were responding to the stories about doxxing. People said they deserved it. As Lee said in her article:

Many Australian Jewish artists and academics are still living the doxing consequences, but new anti-doxing legislation was just introduced for debate in Federal Parliament—

the legislation we are debating today—

following what happened to us. So perhaps our adversity will benefit Australian society at large.

That's why I am so proud of this bill and why I'm so pleased to speak on and support this bill, because it will protect every single Australian online.

What happened to members of my community is unacceptable, but the sad reality of the online world is that it was not an isolated incident. The digital world is changing and becoming more dangerous. The threats and dangers are evolving. The Australian Institute of Criminology has found that one in 20 Australians have been doxxed and that young people are more likely to be affected by it.

Online spaces have increasingly become unsafe for women as well. This is a universal problem. Data shows us that women across the world are experiencing abuse and discrimination online. I have seen it with my own eyes. When prominent women express their views online they face a torrent of misogynist abuse. The harms of doxxing are magnified for women when the release of their personal data is used in the context of domestic and family violence. The publishing of a woman's photo, workplace, home address, phone number or any other personal details online is often used as a tool of intimidation and escalated into major emotional and physical abuse. While doxxing happens online, the harms extend far beyond it. It impacts people's safety and sense of security. Doxxing is often accompanied by other forms of harassment, such as the non-consensual sharing of intimate images or AI deepfakes. The situation facing women in this country is not new but it is, without question, a national crisis. This legislation is part of keeping women and families safer online.

The Albanese Labor government has already acted to improve online safety for women, including by quadrupling ongoing base funding for the eSafety Commissioner. We also initiated a review of the Online Safety Act, to ensure our laws are keeping up with the emerging online threats and harms. This legislation protects each and every woman. This legislation seeks to protect every single Australian.

I have met countless academics, artists, business owners and other members of the Macnamara community who have had similar experiences to Lee's. In every conversation I've had with them they have spoken about the pain they endured after the doxxing. We spoke about what can be done to fix it. We spoke about making sure it doesn't happen in the future to any minority, any person of faith, any woman or any child. The legislation before us seeks to fix this.

This bill will impose a maximum six years imprisonment for publishing online private details, such as names, addresses and numbers, with the intent of causing harm. Importantly, this will be increased to seven years when a person or group is targeted on the basis of their race, religion, sexual orientation, gender identity, intersex status, disability, nationality or ethnic origin.

It not only makes the practice of online doxxing a criminal offence with high penalties but, importantly, gives victims an avenue to seek redress before the courts—redress for the emotional distress but also for the impacts on businesses and livelihoods. This bill creates a new course of action which empowers victims to seek compensation directly from any person who commits a serious invasion of their privacy. It is important to note that this bill does include safeguards for journalists and law enforcement officers in the proper discharge of their duties.

By criminalising the release of an individual's personal data online in a manner that would be menacing or harassing, we not only hold perpetrators to account but set a tone for the standard of behaviour that is acceptable online. Most importantly, this legislation was developed after consultation with victims of online doxxing, and it is designed to protect every single Australian. We must not accept abuse, harassment, misogyny and racism in our workplaces or schools. That behaviour would not be tolerated on the street, and now, with this legislation, it will be targeted online as well.

This legislation also reforms the Privacy Act framework. The people of Macnamara and all other Australians expect their private information to be exactly that: private. The reforms in this bill follow from the Privacy Act Review. It clarifies the objects of the Privacy Act and reaffirms our position that entities have a responsibility to protect Australians' personal information.

It will increase transparency around automated decisions using personal information. As the robodebt scheme highlighted, significant harms can materialise when decision-making processes are automated. This bill will provide members of our community with transparency about the use of their personal information. Privacy policies will be required to specify the kinds of personal information used in these sorts of decisions, and individuals will be able to request an explanation about how such automated decisions are made.

Importantly, we are strengthening the Australian Information Commissioner's enforcement powers. It will enhance the regulator's investigation powers to ensure that entities are handling personal information in a manner that Australians can respect and have confidence in.

The other part of this bill which is vital is the development of a children's online privacy code, which will apply to social media and other internet services which are likely to be accessed by children. The Children's Online Privacy Code will specify how these entities must comply with privacy obligations in relation to children. Right now, young people and children don't remember a world without the online space. While the online world can be a fantastic way to connect with the world and to learn and explore new ideas, the risks young people are exposed to cannot be understated.

The Privacy Act framework is currently not sufficient. It has not adapted to the needs of the digital age, nor has it responded to the large-scale data breaches of the last few years. Australians have a right to expect their personal information will be safe and protected, but, more than that, they have a right to expect that those who treat their privacy with contempt will face the full force of the law. A poll by the Office of the Australian Information Commissioner found that 89 per cent of Australians want stronger legislation to protect their personal information, and 87 per cent of parents want more protections for their children. And that is what this bill is all about.

This bill is about strengthening the online space so it's safer for everyone. It's about protecting women and children from abuse. It's about protecting our communities' most vulnerable online. It's about ensuring every single person of faith is safe and protected online. It's about stamping out discrimination and hatred.

The reality of the online world is that we have seen massive changes in digital technology, and, with that, we have seen emerge insidious opportunities for invasions of privacy. This affects thousands of people every single day. Every one of us in this place has struggled to keep up, but this bill has taken us all a major step forward. There is more work to do, but I commend this bill to the House.

I also want to thank members of my community—in particular, those Jewish community members who have gone through this really stressful ordeal and have come through it, making strong recommendations to government. I'm proud that we've been able to achieve this bill together, and I commend it to the House.

10:58 am

Sam Birrell (Nicholls, National Party)

I, too, rise to speak on the Privacy and Other Legislation Amendment Bill 2024. I understand that there will be further scrutiny of this bill, and I think that's a good thing because some of the elements of this bill are contested and they deserve further scrutiny. Schedules 1 and 3 of the legislation are relatively uncontentious, and they revolve around doxxing. So the bill addresses the practice of doxxing. Doxxing can take several forms, but essentially it's the public release of private information or personal details without consent. The eSafety Commissioner has outlined several types of doxxing:

Deanonymizing doxing

Revealing the identity of someone who was previously anonymous (for example, someone who uses a pseudonym).

Targeting doxing

Revealing specific information about someone that allows them to be contacted or located, or their online security to be breached (for example, their phone number or home address, or their account username and password).

Delegitimizing doxing

Revealing sensitive or intimate information about someone that can damage their credibility or reputation …

The most recent example of doxxing was very high-profile and involved details of hundreds of Jewish members of a private WhatsApp group being published by pro-Palestinian advocates. Indeed, it was the impetus to bring this bill forward. The victims, amid a disgraceful and rising tide of antisemitism in Australia, reported being shunned, suffering adverse professional and personal consequences and, in some cases, suffering death threats.

The coalition rightly condemned the doxxing of Jewish creatives and offered to work constructively to improve the legal framework. We have for some time been supportive of laws to respond to doxxing. The former coalition government commissioned a review of the Privacy Act during the previous parliament. The purpose of the inquiry was to examine whether Australia's privacy laws were fit for purpose.

The bill is not without controversy, and I do just want to make a few comments about schedule 2 of the bill. That is the schedule that would establish a statutory tort for serious invasions of privacy. The merits of putting that statutory tort into the bill are highly contestable, and we need to think about what the consequences of that would be. Any individual could sue any other individual, including a body corporate or a government, for misusing a person's personal information or intruding on their seclusion.

What that could lead to is more litigation, more people finding their way into courts and the driving up of insurance premiums. Plaintiff and class action law firms are, unsurprisingly, very supportive of this, but there are many business organisations that are not, including ACCI and the BCA, which have expressed concern about schedule 2. Coming from such an entrepreneurial place as my electorate of Nicholls—it is really based on private enterprise—I continue to say to the government in this place that, often, the more of this legislation you put forward, the more cost it puts on business.

Now, we can't have no legislation in relation to this, but we do need to think about what costs it puts on business and what impositions it puts on people trying to run private enterprise—insurance premiums, risk of litigation and all of those things—and I do think there are unintended consequences that I would like to see examined by further scrutiny of this bill. Ultimately, as we understand in this cost-of-living crisis, greater cost to business will be potentially passed on to consumers, and we need to consider that. So, while the new doxxing offence is a welcome element of this bill—and I congratulate the government on it—I think that schedule 2 needs more scrutiny. I worry about the unintended consequences and I would welcome further scrutiny of this bill, particularly schedule 2.

11:03 am

Monique Ryan (Kooyong, Independent)

The Privacy and Other Legislation Amendment Bill 2024 represents a significant legislative effort to modernise Australia's privacy framework and to address emerging challenges in the digital age. The bill proposes substantial changes to the Privacy Act 1988, reflecting the fact that it has not kept pace with Australians' widespread adoption of and reliance upon digital technologies and the concomitant risks associated with these technologies—specifically, that personal data could be subject to misuse or mishandling. Digital technologies can also be used as platforms for doxxing, in which personal information is maliciously disclosed with the intent to cause harm. Doxxing exposes victims to physical threats, to public embarrassment, to humiliation and shaming, to discrimination, to identity theft, to financial fraud and to other serious harms.

While the objectives of this bill are laudable, I'm quite concerned that this bill lacks clarity and specificity and that its broad scope and its somewhat vague language could engender potential for overreach and unintended consequences. One of the most significant concerns raised by this bill, concerns which have been raised by many of my constituents, is its potential to stifle freedom of expression. The bill introduces a new statutory tort for serious invasions of privacy. The model of the statutory tort set out in the bill was informed by the Australian Law Reform Commission. It's intended to provide individuals with legal recourse against those who wrongfully intrude upon their private lives, and that's a worthy intent. However, the bill's broad language and its lack of clear definitions could create ambiguity that could chill legitimate forms of expression, particularly those that engage in investigative journalism or political satire.

The bill attempts to address this concern by arguing that the tort will only capture actions that reasonable persons would regard as being menacing or harassing. However, the bill fails to provide a clear definition of what it constitutes as menacing or harassing behaviour. Its reliance on the concept of 'reasonable persons' in its justification for limiting freedom of expression is also somewhat problematic. This ambiguity could lead to uncertainty. It could potentially disadvantage individuals who hold minority views or people who express themselves in unconventional ways. The bill also fails to provide sufficient guidance on what constitutes serious interference with privacy.

There is no doubt that doxxing is loathsome behaviour, and victims may have to take significant steps to mitigate the harm which, unfortunately, can result from this process. However, I'm concerned that this legislation's establishment of criminal offences for doxxing doesn't adequately define the intent required for the act to be considered an offence. This bill could potentially criminalise the sharing of information that is publicly available or information which is shared for legitimate purposes, such as whistleblowing or public interest reporting. Information is sometimes shared to reveal criminal behaviour. The bill relies heavily on a court based enforcement mechanism for both the statutory tort for serious invasions of privacy and the criminal offences for doxxing. That gives us the prospect of airing additional sensitive, potentially private information, which could be a disincentive to seeking redress under the legislation. Conversely, the threat of expensive and lengthy legal action could be a disincentive to freedom of expression.

The bill introduces a new framework for eligible data breaches, empowering the minister to expand the collection, use and disclosure of personal information following significant data breaches. But the broad scope of those powers raises concerns about their potential to exacerbate privacy breaches. Moreover, I'm told by experts with whom I've consulted that the bill lacks robust oversight mechanisms to ensure that decisions are proportionate and necessary. An independent body or tribunal to review the minister's decisions and to provide greater transparency and accountability might be desirable.

This bill could represent a missed opportunity to create a truly comprehensive and balanced framework for privacy considerations. Engagement and further consultation with stakeholders could ensure that the bill strikes a better balance between privacy and other rights. The bill should be strengthened to effectively protect Australians' privacy while upholding fundamental freedoms. A more nuanced and balanced approach is needed to ensure that the law effectively protects privacy rights without unduly infringing upon other essential freedoms.

11:08 am

James Stevens (Sturt, Liberal Party, Shadow Assistant Minister for Government Waste Reduction)

I join with the other contributors who have essentially all made a very similar point—that is, we're very happy to be debating and passing what hopefully is the beginnings of reform and tightening of the law when it comes to the protection of privacy. I think it's fair to say that most contributions have suggested that we need to go further than what the Privacy and Other Legislation Amendment Bill 2024 does, and I strongly agree with that contention made in debate by other speakers. When we had the debate recently around the Digital ID Bill, I certainly recall making this point—I think a lot of speakers made the point—in debate on that bill, which was that we were really waiting for the government to tell us where they were heading when it came to reforms to the protection of people's privacy. This bill would have been nice to have had sooner, and, indeed, it would have been nice to look at what this bill does and doesn't do in the context of some of the other legislation that we've had brought on for debate that is very relevant to the topic of privacy.

We've got very deep concerns, and I think there's unanimity around this. Data on people is much more abundant and kept in a form very different to that of years, decades and millennia gone by. Really, at a computer screen, a lot of people have access to people's personal information. Are the protections in our legislation strong enough? Clearly, they're not, because this bill is the beginnings of reform in this area. I desperately hope it's not the end.

I commend the beginnings of reform that I'm sure most members think need to be more robust than what this legislation does. Yes, the reform creates strong criminal penalties and an incrementally improved civil framework for dealing with breaches of privacy. But, frankly, this is an area of law and an area of dispute that I think will be extremely significant in the years and decades ahead. I hope this parliament is always landing on the side of protecting the privacy of Australians where government keeps information, where people within government have access to the information of Australian citizens and indeed where corporations and other entities in civil society are doing the same. This legislation has the beginnings of heading in the right direction. But, as other members have talked about in their contributions, we really hope the government has got a lot more planned than what is before us in this legislation. Given we're in the consideration in detail stage, my question to the Attorney-General would be to seek a clear understanding of what the government has planned beyond this legislation. Obviously, speakers have talked about a desire for a lot more than just what's in this legislation to be considered. I say in good faith that I'm sure the government has a lot more planned with regard to strengthening protections of people's privacy. But there are legitimate issues that have already been raised, and it would be good to know what plans, if any, the government has for further reform in this area.

This bill is the beginning of certain steps in a certain direction, but we certainly would like to see a lot of other issues around privacy protection considered. Members have talked about some of the specific elements in the legislation, like doxxing et cetera. We absolutely condemn some of the awful examples of doxxing that we've seen in recent times, which this legislation touches upon. There are obviously a lot of other potential risks into the future. We mentioned that in the debate on the Digital ID Bill. I'm very concerned about the amount of data that governments in particular collect on people. We obviously reflect on medical data and other information that we are providing to government, but it's being more and more centralised and shared, and protections and appropriate penalties to dissuade misuse are very important as well. I'll leave those comments for any response to the issues that I've raised.

11:13 am

Allegra Spender (Wentworth, Independent)

Earlier this year, almost 600 Jewish writers, artists and academics found themselves the targets of a cruel and malicious act. Their names and personal details were published online by activists. They were part of a private WhatsApp group, a forum where they could support each other in the face of a rising tide of antisemitism many had never experienced before. This space, meant for safety, solidarity and questioning and sharing views, was cruelly violated when a 900-page transcript of their private conversations, along with their personal information, was leaked by one of the group's members. This transcript, containing the intimate details of their lives, was then published online, and the consequences were devastating. In the words of one Jewish member of the WhatsApp group:

Imagine you wake up one morning to find your name, photo, contact details, and workplace published on social media, where you are wrongly accused of all manners of sins in an antisemitic online campaign that spreads on the internet in what seems like milliseconds.

Death threats follow. You are afraid to leave the house.

You lose your job, friends, or customers. Or you are shunned by colleagues. Or all of these things happen based on the false information disseminated online.

This is not an isolated case. This person reflects the broader experience of many in that group. The doxxing unleashed a wave of antisemitism, and what makes it most harrowing for the community is it echoes some of the antisemitism and some of the vilification of the Jewish people for generations, starting with the 1930s, when people were outed for being Jewish and targeted in various ways, including through their businesses. We know where that ended; that ended in the Holocaust. Members of the group were labelled as a cabal of Zionist conspirators reminiscent of the antisemitic tropes that have plagued Jewish communities for centuries. No-one should be vilified in this country. No-one's privacy should be breached in this country on the basis of their religion, their beliefs or their sexuality. No-one should be subject to what has happened to these people. Despite the clear harm caused by this act of doxxing, and despite the undeniable malicious intent behind it, this behaviour was not illegal under Australian law. This is a profound failure of our legal system. Alongside leaders of the Jewish community, I have called loudly and repeatedly for change from the moment this came out.

We need laws that recognise the severity of doxxing and treat it as the criminal and intimidating act that it is. This bill does that, and so takes an important step forward. I thank the Attorney-General in particular for his work in driving this. He creates two new criminal offences specifically addressing doxxing. The first offence makes it illegal to publish or distribute someone's personal data in a way that is menacing, harassing or harmful. The second provision goes further, making it a crime to publish or share the personal information of members of a group where the group is distinguished by a protected attribute such as race, religion or sexual orientation. These offences come with significant penalties, including a maximum sentence of up to seven years imprisonment. These are serious crimes and they will now be treated as such by the law.

This legislation and the new offences it introduces have been welcomed by people in my electorate and by leaders of the Australian Jewish community. It's a significant and necessary step in criminalising some of the most egregious acts of antisemitism and hate speech we have witnessed over the past year. However, while this legislation is a positive step, it is not sufficient on its own to stem the rising tide of antisemitism and hate that we are seeing in our country. It is vital that we continue to build on these reforms. In particular, I will continue to urge the government to deliver on its promise to introduce further protections against serious vilification as part of changes to the Criminal Code, as the Attorney-General committed to earlier this year. This has support of leaders of the Jewish community and of the LGBTQ+ community, another very important part of my community. We need robust, comprehensive legal protections that not only punish the acts of serious vilification but also deter them. I'm making a submission to the Senate inquiry in relation to this bill at the moment because, while I support where the bill is going, it is not going far enough, and we need greater protections for Australians of all beliefs to make sure that this sort of hateful vilification is not acceptable in this country and carries punishment. This is not just about protecting one community. This is about upholding the values of tolerance, respect and safety for all Australians regardless of their backgrounds or beliefs.

I respect these legal frameworks. I respect the work that has been done on doxxing and I want to extend it in relation to vilification hate speech. But I think we have a deeper thing we need to do in this country—that is, we need to reflect on what is happening in relation to how we treat each other and how we behave. We need to guard against it—every single one of us in our country—in terms of how we behave.

Let me give you an example. I have students who come to see me every term, and this term I had a group of year 10 and year 11 students from many of my schools around my community. I always ask the students: 'What's important to you? What do you want me to know? What should be on my list?' One young woman stood up and said, 'I'm worried about going to university in two years time.' She is a young Jewish woman in my community and that was one of her greatest concerns—whether she would be welcome, whether she would be safe and whether she would be able to participate in university in a way that any other Australian student should anticipate participating in university life. This was absolutely devastating to hear, and she was not alone in this group of about 16 kids. This was one of the biggest concerns that this young woman had. This, for me, is one of the reasons why I'm most concerned about the attitudes and some of the behaviour we are seeing across our community.

I see this in my schools. I had a young man in a similar forum last term tell me about his experience of walking down the street, wearing his school uniform, and being concerned about whether he was safe wearing his school uniform, which shows he goes to a Jewish school. He told me of a person driving along the street, slowing down, pulling over and swearing at him about being Jewish, and then making a Nazi salute—in the streets, in my community. This sort of behaviour is unacceptable. It is un-Australian. As a non-Jewish member of the community, it's shocking to me that people would think that this is some sort of behaviour that can fit within this country.

We can change the laws. We need to take much stronger action to change the behaviour at the universities, and to change the mindset of our universities. In my community, we need to make sure that all of our kids are standing up against antisemitism and, frankly, any kind of hate or any kind of vilification. There is no place for this.

We need to all reflect on ourselves in terms of how we can make sure that, in all of our actions and in all of our words, we are bringing people together and we are trying to build on the strength of this country. My mum came out to this country, like many people, as a 10-year-old Italian who didn't speak English. She had a wonderful life and found a wonderful acceptance in the Australian community. I think that acceptance and that sort of equality is what we need to continue to build. It is up to everybody; as well, it is up to us and what we do in our legislation. It is up to me and others to constantly lead and constantly call out the behaviour that we see and say, 'This is unacceptable.' I will continue to say that antisemitic behaviour—basically, vilification, hate towards anyone on the basis of their characteristics—is unacceptable in this country and is un-Australian.

11:22 am

Kylea Tink (North Sydney, Independent)

by leave—I move amendments (1) to (4) as circulated in my name together:

(1) Schedule 2, item 10, page 67 (line 19), after "privacy was", insert "expressly".

(2) Schedule 2, item 10, page 71 (line 13), after "journalistic material", insert "about matters of public interest".

(3) Schedule 2, item 10, page 72 (lines 6 to 8), omit all the words from and including "reasonably believes" to the end of clause 16, substitute:

: (a) reasonably believes that the invasion of privacy is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body; and

(b) is conducting a lawful investigation in respect of a serious crime.

(4) Schedule 2, item 10, page 72 (line 15), at the end of clause 17, add:

; to the extent that the intelligence agency is conducting a lawful national security operation.

Australia's Privacy Act is not only outdated; it's simply not fit for purpose anymore, and it is fundamentally failing to keep up with the rapid rise of technologies that rely on vast quantities of personal information. But given the act was introduced in 1988, prior to Australia even joining the global internet—the same year that the Brisbane Expo, I might add, here in Australia, espoused that by 1988 we would all be living lives of wonderful luxury because the internet would have helped us become obsolete—it's not surprising that this act no longer works.

Fast forward to today, and the reality is that digital technologies are rapidly making all elements of this act almost obsolete. Artificial intelligence has stretched beyond the confines of science fiction. Our biometric data is used by shopping centres for targeted advertising. Our social media photos are used to train AI. Our devices record and often share the details of our daily lives, our habits and our behaviours. I am sure every single person in this room has had that experience where they will have a discussion with someone that they love about something that they might be considering purchasing or doing, only to then find, when they go onto a social platform on the next iteration on their device, that option is sitting right in front of them amongst its advertising.

Recent major data breaches have definitely raised public awareness and have further highlighted the need for wide-ranging reform of our privacy safeguards. According to the Office of the Australian Information Commissioner, just under half of all Australians say that they were affected by a data breach in the previous year, and three-quarters have experienced harm as a result of that breach. They report having their personal information stolen, being unable to unsubscribe from marketing communications and having to provide sensitive information when they preferred not to. As a result, many are left feeling disempowered, stressed and anxious.

The bill before us then is welcome, particularly the new civil penalties, the pathway towards establishing a children's online privacy code and the statutory tort for serious invasions. However, while the measures in the bill will strengthen Australia's privacy law, this modest legislation alone will not bring Australian privacy law into line with global best practice, and it is disappointing that the government has stopped short of truly modernising our privacy legislation. Ultimately the Privacy Act review report put forward 116 proposals for reform of Australia's privacy framework, of which the government has agreed or agreed in principle to 106. Yet this bill aims to implement just 23 of those proposals. For this reason I will continue to call on the government to introduce the second tranche of privacy reforms before the next federal election.

But dealing with what we have here, among the many shortfalls in this bill are: the absence of a fair and reasonable test for dealing with personal information; no requirement that entities take steps to mitigate harm to individuals following a data breach; no clarification of timeframes for notification of data breaches; and no updated definitions of personal information or consent. Yet one of the most significant reforms that is included in this bill is the introduction of a statutory tort, or a civil wrong, that will allow Australians to sue for damages for serious invasions of privacy and enable courts to award damages, grant injunctions and make a range of other orders. While I do think this is a good development, I am concerned that the proposed exemptions are unnecessarily broad.

Specifically the bill introduces new and broad exemptions for journalists, enforcement bodies and intelligence agencies that deviate from the model proposed by the Australian Law Reform Commission and endorsed by the Privacy Act review. The journalism exemption would exclude any acts ostensibly done while developing journalistic material and would apply regardless of the content or the purpose of the journalism. This would mean that blatantly illegal and unjustifiable infringements of privacy by journalists that are not in the public interest would be exempt from the right of action. This might include illegal phone hacking by a news corporation or upskirting photos taken of celebrities by a tabloid. I can't help but think that many people would rightly expect that this is precisely the type of infringement that this tort should apply to—serious infringements of privacy without a principled justification.

In addition, the exemptions for enforcement bodies and intelligence agencies are unjustifiably broad, in my opinion, given there is a separate defence already for invasions of privacy that are required or authorised by law that would already cover lawful government interference with privacy. The detailed amendments I'm moving today would narrow the journalism exemption to apply to public interest journalism and better clarify the application of the enforcement bodies and national security agencies exemptions. I commend the amendments to the government.

11:27 am

Mark Dreyfus (Isaacs, Australian Labor Party, Cabinet Secretary)

The government does not support the amendments that have been moved by the member for North Sydney, but I am grateful for the support that the member for North Sydney has expressed for the bill itself. The government has given careful consideration to the breadth of the proposed exemptions and defences to ensure that the protection of privacy is appropriately balanced with other legitimate activities. The defence for conduct authorised by law would apply to conduct that is expressly authorised or impliedly authorised where the conduct is clearly necessary to carry out an activity authorised under statute. This is consistent with a similar exception to a number of the Australian privacy principles.

Exempting all journalistic material from the tort will protect the free flow of information to the public through the media. Seeking to confine the exception to material that is in the public interest would lead to arguments about the merits of publications and would only serve to increase the length and expense of court proceedings. The exemptions for enforcement bodies and intelligence agencies are intended to ensure that these entities are not unduly restricted in carrying out their legitimate functions. They recognise that, in some instances, these may need to be privacy intrusive. These agencies do have their own oversight processes and mechanisms that regulate their conduct, which are designed to suit their operating environment.

11:29 am

Kylea Tink (North Sydney, Independent)

Thank you for your response, Attorney-General. Can I ask a clarifying point. To your commentary just then, this bill does introduce broad exemptions for journalism. I'm concerned they will potentially cover unjustifiable infringements like upskirting, which is where a photographer will take a photo of a celebrity with the camera going directly up underneath their clothing, or even phone hacking, which we saw in the not-too-distant past, specifically in the UK. Can you please confirm whether under the current bill these activities would be exempt?

11:30 am

Mark Dreyfus (Isaacs, Australian Labor Party, Cabinet Secretary)

To answer the question that has been raised by the member for North Sydney, I can say that this bill introduces what will be a new tort to Australian law for serious invasions of privacy. As with the development of other parts of tort law, we will see, as proceedings are brought, what the courts choose to describe as the full extent of the tort, the civil wrong that's been created by this legislation and the extent of the defences. I'm not going to predict in advance exactly what the parameters of this tort are going to be. That's going to be a matter for case law to work through.

Question unresolved.

Karen Andrews (McPherson, Liberal Party)

As the question is unresolved, in accordance with standing order 188, the question will be included in the Federation Chamber's report to the House on the bill.

11:31 am

Zoe Daniel (Goldstein, Independent)

by leave—I move amendments 1 and 2 as circulated in my name together:

(1) Clause 2, page 2 (after table item 7), insert:

(2) Schedule 1, page 58 (after line 27), at the end of the Schedule, add:

Part 16 — Miscellaneous amendments

Privacy Act 1988

90 Subsection 6(1) (definition of consent)

Repeal the definition, substitute:

consent means voluntary, informed, current, specific, and unambiguous indication through clear action, which has not since been withdrawn.

91 Subsection 6(1) (definition of personal information)

Repeal the definition, substitute:

personal information: see section 6AAA.

92 After section 6

Insert:

6AAA Meaning of personal information

(1) In this Act, personal information means information or an opinion that relates to an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not.

Note: Section 187LA of the Telecommunications (Interception and Access) Act 1979 extends the meaning of personal information to cover information kept under Part 5-1A of that Act.

(2) For the purposes of this section, an individual is reasonably identifiable if they are capable of being distinguished from all other individuals, regardless of whether or not their identity is known.

93 Application of amendments

The amendments of section 6 of the Privacy Act 1988 made by this Part, and section 6AAA of the Privacy Act 1988 as inserted by this Part, apply in relation to acts done, or practices engaged in, after the commencement of this item.

One must only read the title of the act which determines Australian privacy law today, the Privacy Act 1988, to realise we might have a problem. The world was very different in 1988. Office desks had in-trays and out-trays for physical letters. The word 'email' was mostly used in the vernacular of academic and other niche circles, and the idea of a personal computer was one for science fiction. Throughout the 21st century, successive Australian governments have iteratively amended the Privacy Act to manage the rapidly accelerating and unpredictable change brought by technological progress to account for the once nascent but now fundamental concept of digital privacy. Europe's General Data Protection Regulation, the gold standard, inspired various other countries to enact similarly ambitious law, but not here—not for Australia.

The failure of our Privacy Act to fully scale to the demands of the digital era has been as dramatic as it has been destructive. Just look to the headlines of recent years. The Guardian in November 2022 said, 'Hackers release records they claim are related to mental health and alcohol issues.' ABC in April 2024, following the Optus breach, said, 'More than 300,000 attempts of identity fraud blocked.' If these headlines show one thing, it's that the modern challenges of cyberspace have been too much for our Privacy Act to withstand, and individual Australians have largely been left to manage the deeply personal and lasting consequences of its failure, with many the victims of scams and other invasive offences.

A new tort to combat doxxing is a start, but it's too little, too late for the Jewish Australian creatives impacted earlier this year, many of whom live in my electorate of Goldstein. The problem is pervasive. According to the Consumer Policy Research Centre, if an Australian user were to maximise the privacy settings for all the apps and websites they use daily, it would take 30 minutes of toggling every day to do it. That's two minutes for every app we tap and website we visit. This takes a European user on average just 30 seconds. My question to this is: why? I'm not sure that the government has given us a good answer. There's no reason Australia can't legislate a regime of privacy reform on par with international best practice.

That is why I'm moving amendments which amend the definitions of 'personal information' and 'consent' in line with both the best international practice and the expectations of the Australian public. The low bar at which these two concepts are defined in Australian law enables the internet activity of Australians to be tracked across the internet to a greater extent than many other OECD nations. These two amendments are targeted improvements and do not represent the full scope of reform that needs to be done for our Privacy Act to meet international best practice, but redefining these two pivotal concepts is a start. Doing so would deal with a range of digital harms and offer certainty to businesses currently subject to Privacy Act regulation. Rather than wait, we can do this now.

The definition of 'personal information' needs to be expanded to include information that's both inferred and technical, such as IP addresses and device identifiers, where this information could be used to identify an individual. As it stands, if data does not meet this definition, none of the Australian privacy principles apply. This amendment creates a framework whereby the privacy of individuals is protected from systems which track their behaviour online, and this includes the unique fingerprints left by their devices, like the type of device that they use, their geographic location and various other forms of metadata. This includes where a person could be individuated in a data set by such inferred or technical information, even when their name isn't known.

My second amendment updates the definition of 'consent' and brings it in line with the digital era. Instead of consent being something that can currently only be expressed or implied, my amendment would revise it to one which must be voluntary, informed, current, specific and unambiguous. If this definition had been in place earlier, Meta may not have been able to scrape the social media profile data of Australians to train their AI models. These amendments are a strong start to improving the privacy of Australian citizens. Each is not only in line with international best practice but in line with the expectations of the Australian public. I commend these amendments to the House.

11:36 am

Mark Dreyfus (Isaacs, Australian Labor Party, Cabinet Secretary)

It's reflective of the complete lack of interest that the former government had in the Privacy Act that the only set of amendments that were produced by the former government for the whole of the nine years between 2013 and 2022 were amendments that I brought to the House in May of 2013 to create a scheme of notifiable data breaches. The then Liberal opposition said that they were in favour of the scheme of notifiable data breaches that were contained in the bill that I gave the catchy title Privacy Amendment (Privacy Alerts) Bill. Unfortunately, the bill, having passed the House of Representatives in 2013, lapsed on the proroguing of parliament for the election in 2013. The bill, despite the support expressed for it by the then Liberal opposition, did not reappear for another three years, and the scheme of notifiable data breaches did not become law until January of 2018. That is reflective of the near-complete lack of interest that the Liberal opposition, when they were in government, had in bringing the Privacy Act, which the member for Goldstein rightly points out was passed in 1988, into the digital age.

I don't detect from any of the things that any members have said about this legislation that it's other than supported. Indeed, everybody appears to recognise the need for the very substantial updating of the Privacy Act to bring it into the digital age. That's, of course, the process that the government has now embarked on, but it's going to be a big process.

The amendments that were moved by the member for Goldstein propose updated wording for the definitions of 'personal information' and 'consent'. These were among the matters that were considered by the very broad review of the Privacy Act that was carried out by the Attorney-General's Department, which the government has published, along with a later response by our government to that very broad review of the Privacy Act. We have agreed, in principle, that the definitions of both of those terms—that is, 'personal information' and 'consent'—should be updated to make it clear, as I did when I was introducing this bill, that the Privacy and Other Legislation Amendment Bill 2024 is just the first stage of the government's commitment to providing individuals with greater control over their personal information and bringing this legislation into the digital age so that it's fit for purpose.

The government has clearly stated that it intends to continue to advance proposals that it has agreed to in principle to progress the response to the Privacy Act review. We are conducting targeted consultations with stakeholders on draft provisions.

It's really important to ensure that the amended definitions, which are foundational to the operation of the act, are drafted carefully so that they are fit for purpose and workable in a diverse range of contexts. For that reason, the government does not support the amendments moved by the member for Goldstein, which is not to say in any way that there's a disagreement in principle that, along with many other provisions in the Privacy Act, there is a need for amendment and for the whole of the act to be brought up to date.

11:40 am

Kylea Tink (North Sydney, Independent)

I rise in support of the amendments moved by the member for Goldstein because I just want to take a moment and reflect on how infinitely reasonable the amendments were that she has suggested to the government of today.

I thank the Attorney-General for giving us the background on reviews of the Privacy Act since it was introduced in 1988. But I would posit that the challenge we now face is that we have a moment in time where there is a government that is prepared to move forward in reform in this area, but it is moving so slowly that we may find ourselves in a situation where, in the next year, we go back to the polls and we have a change in government which means we get no further.

So, in reflecting on the fact that the Attorney-General has just rejected the amendments moved by the member for Goldstein, I would ask the Attorney-General: what is the timeline for the government doing this work which we have all, universally, agreed today in the chamber is needed? It's well past due. Can Australians expect to see this reform before the next election?

11:41 am

Mark Dreyfus (Isaacs, Australian Labor Party, Cabinet Secretary)

The government is consulting, as I've said, on further amendments to the Privacy Act. That is a targeted consultation about draft provisions, and I'm hopeful of bringing a further stage of amendment to the Privacy Act to the parliament in coming months.

Question unresolved.

Karen Andrews (McPherson, Liberal Party)

As it is necessary to resolve this question to enable further questions to be considered in relation to this bill, in accordance with standing order 195 the bill will be returned to the House for further consideration.