Senate debates

Monday, 28 November 2022

Bills

Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022; Second Reading

10:57 am

Paul Scarr (Queensland, Liberal Party)

I rise to speak in favour of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, but also to make a number of points with respect to how the opposition believes the bill can actually be enhanced. I sat on the inquiry into this legislation as deputy chair of the Legal and Constitutional Affairs Legislation Committee, and there were a number of concerns that were identified during the course of considering this legislation. I note that Senator Shoebridge also attended and was part of those hearings, so he will also be familiar with some of these issues.

This bill proposes a substantial increase in the penalties that will be applicable to bodies corporate that engage in what is referred to as a serious or repeated interference with privacy obligations. The first point to note is that the bill is lacking a clear description of what 'serious' or 'repeated' means in this context. If we are applying a $50 million penalty on a body corporate, or in fact a penalty that could be upwards of 30 per cent—30 per cent!—of a body corporate's turnover, in the context of a serious or repeated interference with privacy, then we need to clearly define what serious or repeated means. That should be clearly defined on the face of the bill. So there is a lack in that respect, because there is a lack of that definition as to what serious or repeated is. Is repeated twice? Is it three times or four times? What is 'serious' in this context? Those who are going to be impacted by these laws and have obligations to discharge under this legislation need to be given a clear and concise definition of what 'serious' or 'repeated' means in this context.

The second point I wanted to raise in relation to the penalty clause is that it was prepared on the presumption that there's an actual benefit which is received by the body corporate that has breached its obligations in this regard. We all know that there are a number of scenarios in relation to which these privacy obligations can be breached. The first scenario is where a big corporate player actually intentionally and wilfully breaches our right to privacy—the right of the people whose information is kept by these large corporations. So we can have a wilful breach, where a body corporate is exploiting that information for its own commercial benefit. In that case there's an actual benefit which is yielded from the breach. In the second case we can have a passive actor, where a body corporate is hacked—and we've seen that recently—and the issue for the body corporate is that it had insufficient safeguards with respect to protecting the data which it keeps.

Those are completely different situations. The first situation is where a body corporate has intentionally exploited private data for a commercial use and has obtained some benefit. The second scenario is where a body corporate has actually been hacked itself. That's where the criminal or the malicious intent to interfere with people's rights of privacy is held by an outside actor. Those are different situations. The problem with this bill, as it stands, is that there's no distinction that those are different situations. The first point I'd like to make in that regard is that the structure of the clause itself assumes that there's a benefit. Clause 13G(3)(b) refers to 'the' benefit; it doesn't refer to 'any' benefit. So it's assuming that the company has actually received a benefit from the serious or repeated interference with privacy obligations. That's not always the case; we know that. So that needs to be clear.

It should also be recognised that this penalty provision would apply to the largest of multinational corporations, which should be able to put in place the best and most robust safeguards to prevent hacking, but would also apply to, say, a medium-sized business or a charity which gets hacked by a malicious actor and which doesn't necessarily have the same resources as the multinational company. The same penalty provision applies. There's a major issue with respect to a regime that imposes the same type of penalty in relation to the largest of multinationals, which should have sophisticated cyberdefences in place, as opposed to medium-sized enterprises or even charities that get hacked by a malicious actor—in many cases, a foreign actor. There's no distinction on the face of this penalty clause to those different circumstances, and that's a major failing in this penalty clause. This issue was raised by the Law Council of Australia and by all sorts of associations representing civic society with expertise in this. So the government should address this obvious issue on the face of this legislation. The government really should address this issue.

Thirdly, the Office of the Australian Information Commissioner should—especially given the nature of the penalties, which increase under this legislation—issue clear guidance material addressing the application of penalties and also provide guidance with respect to those medium-sized enterprises and charitable organisations et cetera as to what best practice means. That's so people who are operating in this space actually know what they need to do in order to discharge their obligations.

The last point—and this point became clear through the course of the committee looking at the legislation—is that we need to make sure that the Office of the Australian Information Commissioner and the Australian Cyber Security Centre are adequately resourced and staffed to carry out their important obligations. There's a mountain of work on this front and it gets more and more complicated each day. The number of malicious cyberattacks is increasing, so we need to make sure that the resourcing and staffing levels at the Office of the Information Commissioner and the Australian Cyber Security Centre are fit for purpose and resourced to the extent that they can actually discharge the obligations which are imposed upon them.

Having outlined those points of concern, we do support the legislation. But we believe there are a number of issues, which I've outlined in the course of my remarks, where the legislation can be enhanced and improved.

11:05 am

David Shoebridge (NSW, Australian Greens)

I rise on behalf of the Greens to indicate that we will be supporting, with reservations, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022. I acknowledge the contribution of Senator Scarr, who sat with me on the Senate Legal and Constitutional Affairs Legislation Committee when we reviewed this bill. I also acknowledge many of the observations that Senator Scarr has made about the inadequacies of the bill and the adequacies of its fit in the overall privacy protection regime.

This bill amends the Privacy Act 1988 and the Australian Information Commissioner Act, as well as the Australian Communications and Media Authority Act, to increase penalties under the Privacy Act. It provides the Australian Information Commissioner with greater enforcement powers, and it provides the information commissioner and the Australian Communications and Media Authority with greater information-sharing powers. One of the concerns we heard from multiple stakeholders was that we're passing a bill that is meant to be about keeping our data safer and increasing protections for our data, but at the core of it are provisions that make it easier for our data to be shared amongst government agencies. That's an irony at the centre of the bill that many stakeholders pointed out and that I haven't yet heard the government address. I want to be clear that we do have concerns about that.

The headline for this bill is that it increases the penalty under section 13G of the Privacy Act for serious or repeated interference with privacy from the current penalty of about $2½ million to a maximum penalty that will not exceed the greater of $50 million or three times the value of any benefit that's obtained by a corporation or, if a court can't determine the value of the benefit, up to 30 per cent of their adjusted turnover in the financial year.

The bill provides the Office of the Australian Information Commissioner with additional enforcement powers, modest though they are, that include expanding the types of declarations that the commissioner can make in a determination after an investigation is done and amending the extraterritorial jurisdiction of the Privacy Act to ensure foreign organisations that carry on a business in Australia must meet the obligations under the act, even if they do not collect or hold Australians' information directly from a source in Australia. We know, for example, that Meta is in the High Court at the moment, challenging the existing provisions based upon the law's current requirement to have a direct connection between whoever breached the privacy rules and the obtaining of the data from Australia. The High Court challenge has pointed out a flaw in the law, which this bill seeks to remedy. We wholeheartedly support that element of the bill.

The bill also provides the commissioner with new powers to conduct assessments, subject to having the resources, and provides the commissioner with new infringement notice powers to penalise entities for failing to provide information in the course of an investigation—so not in relation to a privacy breach but in the course of an investigation—without having to go to court. It also strengthens the notifiable data breaches scheme to provide the commissioner with more knowledge of the information contained in an eligible data breach.

In relation to enhanced information-sharing powers, the bill gives the commissioner increased ability to share information by clarifying that the commissioner is able to share information gathered through the commissioner's information-commissioner functions, freedom of information functions and privacy functions. It also provides the commissioner with the power to disclose information or documents with an enforcement body, an alternative complaint body or a state, territory or foreign privacy regulator for the purpose of the commissioner exercising their powers, or performing their functions. It provides the commissioner with the power to publish a determination or information relating to an assessment on the commissioner's website and to disclose certain information acquired in the course of exercising their powers if it's in the public interest. It also provides some other, more technical, amendments to the ACMA Act.

As Senator Scarr noted, there was significant concern amongst stakeholders and witnesses regarding the structure of this new proposed penalty regime. While there was near-universal support for having a substantially increased penalty—an increase in the scale of $50 million for most serious and repeated breaches—the lack of any tiered penalty regime and the manner of the drafting of the amendments to section 13G of the Privacy Act expose significant weaknesses in the government's proposed model.

The proposed model seeks to link the maximum penalty for breaches to some benefit received through the privacy breach. That was modelled on competition laws. There is some common sense in linking maximum penalties to the benefit received when the offence is a question about breaching competition laws. The manipulation of markets, or other anticompetitive practices, can often see extraordinarily large returns in the hundreds of millions or billions of dollars. For that reason, in the competition space, a fine that's linked to the benefit received by a corporation has a large amount of sense to it. In fact, it may be the only way of discouraging large-scale anticompetitive behaviour in corporate Australia, and we've seen it in other jurisdictions.

But, in the privacy space, the benefit that corporations may obtain from privacy breaches is far more ambiguous. For many entities—and we're seeing this play out in real time at the moment with Medibank, Optus and others—there's actually a net loss from privacy breaches. If you think for a moment about the reputational damage that's been done to Optus and Medicare for their data breaches—they may have some notional benefit in having underinvested in IT and other support mechanisms in the past. Maybe that's a notional benefit. It's unclear from the bill whether that's the kind of benefit that's being referred to in the proposed section 13G, and it will be interesting to hear from the government what their views on that are. That may be a benefit, but then they've had a huge disbenefit in the reputational damage and the harm to their customer base that's come about from these data breaches. In neither of those cases does it appear that the privacy breach was intentional, so the benefit is, at best, that historical underinvestment in cybersecurity. How does that work with the proposed 13G?

It would be fair to say that, after the committee hearing, how that works is as clear as mud. It's also not clear from the drafting—as I said, if the benefit is some kind of net benefit, you have to weigh up the positives and the negatives. And it's also not clear how the proposed alternative maximum fine of up to a third of annual turnover will be engaged where that benefit is hard to determine.

You may get the bizarre situation where a corporation may intentionally and deliberately breach the privacy laws and may enter into a contract, some kind of deal, to breach the privacy laws, for maybe a $20 million payment. For a deliberate, intentional, noxious breach of our privacy laws, they get $20 million, and they may be a large corporation with a billion-dollar turnover. You can identify what that benefit is: it's $20 million. The third element of the proposed section 13G says that where you can't determine the benefit you use 30 per cent of the turnover as the maximum, so if your turnover is a billion dollars that could be up to $300 million. In this case, that corporation which had a very noxious, intentional breach of the act has a capped maximum of $50 million because it didn't go above the first element of the proposed section 13G.

Another corporation may have had no malice but just some kind of negligent breach of the Privacy Act and had their data hacked because they didn't put the proper measures in place. If they had a $1 billion turnover—perhaps the benefit they got was an historic underinvestment in cyber; you can't really work out what the value of that benefit is—that corporation may face a maximum penalty of up to $300 million. So the corporation with a noxious, deliberate breach of privacy, in that instance, gets a significantly lower penalty than the corporation that was negligent and didn't intend to but did have a serious breach. That makes no sense. And we're yet to see from the government some kind of explanation about how that's going to work in practice. Those difficulties arise from taking provisions that are designed from one part of the law—in this case, competition law—and just unthinkingly cutting and pasting them and whacking them into privacy law. So there is a very real need for the government to closely consider these drafting issues and do it as a matter of urgency.

Also, with these amendments, we have just one penalty, and I'd describe it as the nuclear option. After these amendments succeed, the only penalty that can be imposed for the breach of privacy laws is the $50 million maximum or, as we discussed earlier, potentially an even greater maximum penalty for corporations with large turnovers. There's no subtlety or nuance in the law. Removing that existing penalty and having a one-size-fits-all offence with a maximum penalty of $50 million leaves the regulator in an almost impossible situation.

Say there's a charity which has a $25 million annual turnover, and it has breached the privacy laws. It might be quite a serious breach. They failed to invest in the necessary IT measures, and there was a serious breach. They were put on notice, and they breached. What does the regulator do? Does the regulator bring a penalty with a maximum $50 million fine against the charity which has a $25 million annual turnover and, just by dint of bringing in the prosecution, effectively kills the charity? Think of a small business with a similar turnover. If you're a director in a small business and you get whacked with a penalty which may carry a maximum $50 million fine, you'd be having a chat with your insurers and your lawyers and thinking, 'Can we continue business the day after we get the fine?' There's no subtlety. How is that going to make our privacy any safer?

As the majority of contributors to the inquiry made clear, there's a need for a far more nuanced approach, with tiered penalties. For that reason, there's real benefit in agreeing to the larger maximum fine for serious or repeated breaches, rather than keeping the existing penalty for lesser breaches which are not necessarily serious or repeating. The Greens will have an amendment to do just that, in the committee stage.

I also indicate we're moving an amendment to the second reading to provide another enforcement measure, one that has been waiting decades to happen in this country. It urges this parliament—urges this house—to insert a new statutory civil cause of action for the serious invasion of privacy in the Privacy Act, modelled on what the Australian Law Reform Commission did in its 2014 report entitled Serious invasions of privacy in the digital era.

I'll finish by saying this. When it comes to resourcing, one thing was abundantly clear from the inquiry and from other investigations we've had in budget estimates. The Office of the Australian Information Commissioner is grossly underfunded. As the commissioner noted in her evidence on this inquiry, her UK equivalent has 10 times the number of staff of the Office of the Australian Information Commissioner. The commissioner also noted that the $5½ million obtained to undertake her investigation into just one breach, the Optus breach, fairly represents what a complex investigation would cost under these new penalty provisions. So it's fair to ask how the office will properly investigate the raft of other data breaches that we've already seen, not least Medibank, or what else happened this morning before we came in here to speak in the chamber.

With a total budget of just over $33 million annually, from which all of the FOI and privacy work must be undertaken—and we know the FOI work is chronically underfunded—there is an obvious lack of practical capacity for the Information Commissioner to undertake any more than one serious privacy investigation at a time. That lack of financial capacity is, as I said, even clearer when you look at how chronically delayed and underfunded the FOI aspect of the Information Commissioner's work is.

The end result is that the parliament might agree to these tougher penalties—and it looks like they will—but the government has starved the regulator of the funds to seriously enforce them. At the end of this, we might have a Pyrrhic victory for data security. We get a headline, we get a new penalty—we get a penalty that's almost impossible to use because of the size and the scale of it—and we give it to a regulator which barely has the money needed to keep the lights on, let alone bring an actual prosecution in this space.

I move:

At the end of the motion, add ", and the Senate calls on the Government to introduce a bill into the Parliament to insert a statutory civil cause of action for serious invasion of privacy in the Privacy Act 1988, modelled on the Australian Law Reform Commission's 2014 report entitled Serious Invasions of Privacy in the Digital Era".

11:19 am

James Paterson (Victoria, Liberal Party, Shadow Minister for Cyber Security)

I rise to make a brief contribution on the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 so that I have the opportunity to move the coalition's second reading amendment. In doing so, I commend Senator Scarr, who articulated the coalition's position on this bill more broadly, which is that we support the bill but that we are concerned with some of the drafting of the bill. I commend Senator Scarr and Senator Shoebridge for their work on the Senate Legal and Constitutional Affairs Legislation Committee, which inquired into this bill. I find myself, in addition to agreeing with my own colleague Senator Scarr, in strong agreement with Senator Shoebridge about the drafting and design issues of this bill, and the risk and potential for unintended consequences because of the way in which this has been done. I particularly commend the committee for the work they did in the very limited time they were allowed to do it; they were asked to report very quickly, but, nonetheless, even in that short time they have identified a number of serious issues with this bill.

The coalition's approach to this issue is going to be by way of a second reading amendment. The reason for that is that we believe this is a very complex issue and would not be assisted by amendments on the fly in the chamber from the opposition or the crossbench; it really is a matter for government to get these things right. We also don't want to stand in the way of the passage of these increased penalties because we agree increased penalties are necessary; Australians certainly feel that way after their data has been lost by major companies who should have been in a better place to defend their data. We need to send a very strong signal to corporate Australia that we have high expectations of them when they collect sensitive data from Australians.

Like Senator Scarr and Senator Shoebridge articulated, we are concerned about the definitions, particularly the meaning of 'serious and repeated' in relation to the act. We agree a tiered penalty regime would be preferable, which would allow us to take account of those less severe breaches and those more serious ones, and take into account companies who have been negligent in their handling of data compared to those who have taken all reasonable steps. We agree it's important for the Australian Information Commissioner and the Cyber Security Centre to have adequate resources, to make sure they can implement this in practice in an adequate way. We also believe the Australian Information Commissioner, particularly in light of any legislative amendments which clarify those definitions, should be providing some guidance material which makes it very clear to companies how they're supposed to comply with this law.

Just to sum up: we will be supporting this bill and moving a second reading amendment to articulate those concerns—particularly those raised by industry, including the Tech Council and independent third-party submitters like the Law Council, which we think were points well made in the inquiry process.

I move:

At the end of the motion, add ", but the Senate calls on the Government:

(a) to clarify key definitions in the bill, in particular the meaning of 'serious' and 'repeated' in relation to breaches under the Act;

(b) to develop a tiered penalty regime that could take into account less severe breaches, and that seeks to differentiate between companies that have acted with malice and those that have taken all reasonable steps but have fallen victim to a cyber attack;

(c) to direct the Office of the Australian Information Commissioner to issue guidance material that addresses the application of penalties, and clarifies best practice for compliance with the regime; and

(d) to consider the adequacy of current resourcing and staffing levels for the Office of the Australian Information Commissioner and the Australian Cyber Security Centre for each to perform their functions, and to address all of the concerns raised by the former government in the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021".

11:22 am

Malcolm Roberts (Queensland, Pauline Hanson's One Nation Party)

As a servant to the people of Queensland and Australia, I note the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 makes a number of piecemeal amendments to our privacy legislation. It gives some more power to the Australian Information Commissioner and increases penalties for interferences with privacy. The Labor Party wants to look like it's doing something about protecting privacy, yet this bill is the equivalent of putting a bandaid on an amputated leg.

Let's start with the Australian Information Commissioner. This agency is clearly not fit for purpose. It doesn't matter how much information-sharing power the commissioner has or how big the penalties are; if the cop on the block is so busy with a legacy caseload, it can't be expected to protect Australians.

Let me give you an example of how the commission is currently broken. The commission is responsible for dealing with appeals in relation to freedom-of-information requests. We heard shocking evidence at Senate estimates from the commission. In 2021, 670 applications to review freedom-of-information decisions more than a year old had not been resolved. At estimates we heard that, as of November, 2,042 applications for review were outstanding, with 1,055 older than 12 months. Concerningly, 60 appeals more than four years old are still outstanding. This blowout represents a 150 per cent increase in freedom-of-information appeals over 12 months old.

Freedom of information is about timely access to documents that government wants to keep secret. This is not acceptable. The government is supposed to serve the people. Instead of getting on top of its current responsibilities, the commission is being snowed under at a rapid and increasing pace. This is the commission this bill is giving more powers to and that we are meant to rely on to protect Australians' privacy. Their track record does not inspire confidence they will be able to do that.

Nothing in this bill addresses one of the greatest perpetrators of data breaches from hacks in this country, the government. Worldwide, the greatest breaches of privacy come from governments and big tech. I will say it again: nothing in this bill addresses one of the greatest perpetrators of data breaches from hacks in this country, the government. If they thought the Optus and Medibank hacks were the main story, they're just the tip of the iceberg. ABC reports this morning indicate that logins for Australian tax office accounts, medical and personal data of thousands of NDIS recipients, the login details of individual myGov accounts, and confidential details of an alleged assault of a Victorian school student by their teacher are among terabytes of hacked data being openly traded online. This is government data—data that the government gathers, that the government stores—that has been hacked and leaked, sometimes destroying lives as well as destroying privacy. Will this bill ensure the government is held to account for that?

We need a much larger conversation around privacy than this bill allows. The hacks of government databases show nowhere is safe from hacking, least of all government. If we are going to improve privacy protections in Australia, we need to oppose the trusted digital identity. The digital identity will centralise all Australians' private, sensitive data into one place. It will be a hacker's one-stop shop to steal sensitive information.

We will support this bill and note it is completely inadequate to ensure Australians' privacy while the Information Commissioner continues to fail its current responsibilities and the government pushes a centralised digital identity that will be a hacker's paradise. We need much more than this bill offers. It's a first step, but we need much, much more to secure people's privacy. We have one flag, and it's above this building. We are one community. We are one nation. The individual's security, privacy, freedom and sovereignty are fundamental to a strong nation.

11:27 am

Murray Watt (Queensland, Australian Labor Party, Minister for Agriculture, Fisheries and Forestry)

I thank all honourable senators for their contributions to the debate on this important bill, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.

I would also like to thank the Senate Legal and Constitutional Affairs Legislation Committee, who have carefully considered the bill and recommended it be passed. The detailed work that was undertaken by that committee was also reflected in a number of the more thoughtful contributions in this debate. The government also accepts the committee's recommendations that the Attorney-General's Department, as part of its Privacy Act review, should firstly consider amending section 13G of the Privacy Act to define the terms 'serious' and 'repeated' interference with privacy; and secondly examine whether it is appropriate to provide for any additional Australian link to the extraterritorial jurisdiction provision. I would thank the chair and deputy chair of the Legal and Constitutional Affairs Committee, Senators Green and Scarr, the members of that committee and all those who made submissions and gave evidence to the committee's inquiry.

This bill is a priority for the Albanese government and sends a clear message that entities must take privacy, security and data protection seriously. Recent data breaches have caused considerable distress and alarm for millions of Australians and have the potential to cause serious financial and emotional harm well into the future. Increasing penalties for a serious or repeated breach of privacy will incentivise entities to take strong privacy and cybersecurity measures to protect the personal data they hold. Setting these penalties at a higher level will accord with Australian community expectations about the importance of protecting their personal data and the significant impact caused by serious privacy breaches.

The maximum penalty, while operating as a statutory cap, does not otherwise constrain the exercise of the court's discretion to impose a penalty that is appropriate to the seriousness of the misconduct and harm or potential harm in the particular circumstances of the case. This discretion that a court would have would deal with the hypothetical example, characterised by Senator Shoebridge, relating to an NGO and the potential effect on them. That would be a matter for the court's discretion. We think that provides some protection and an overwhelming fine against an NGO. This measure is complemented by a range of targeted enhancements to the enforcement powers to equip the Australian Information Commissioner with the tools necessary to take effective and efficient enforcement action where necessary.

I note the calls that have been made by a number of senators for adequate resourcing for the commissioner, and this is a matter that is being considered as part of the government's broader review of privacy rules and legislation. Greater information-sharing arrangements for privacy and telecommunications regulators will also ensure Australians are informed about emerging privacy issues and will ensure these regulators are able to work together to take prompt action to minimise harm to Australians.

The bill is an essential first step of the government's agenda to ensure Australia's privacy framework is fit for purpose and responds to new challenges in the digital era. Further reforms will be considered next year, following consideration of the Attorney-General's Department review of the Privacy Act. This bill is an important and pressing reform that will make sure penalties effectively deter the misuse of Australians' personal data and will ensure Australia's privacy regulator has the enforcement tools necessary to resolve privacy breaches efficiently and effectively. The bill is a reflection of community expectations and demonstrates the Albanese government's commitment to keeping Australians' data protected.

I think now is probably the appropriate time for me to respond to the second reading amendments that have been moved both by the opposition and by Senator Shoebridge. Dealing with the opposition's second reading amendment to begin with, the government does not support this amendment, as it's appropriate to await the Attorney-General's Department's review of the Privacy Act. The bill that we are debating here is a targeted and proportionate response to the recent data breaches. The government is acting now to increase the penalties, as the current maximum penalties are inadequate. The penalties need to be increased to incentivise entities to have appropriate privacy and cybersecurity settings, and they reflect the harm that data breaches can cause. Reforms to: clarify key definitions in the Privacy Act; develop a tiered penalty regime; provide greater clarity on the application of penalties; and enhance security guidelines are being considered through the Privacy Act review. It's appropriate that these reforms be considered holistically in this process, given the range of complex and interconnected issues and other work across government. This will also allow the necessary time to carefully consider the need to balance potential new privacy obligations with any regulatory burden on entities.

In the October 2022-23 budget, the government provided the Office of the Australian Information Commissioner with $5.5 million over two years to investigate the Optus data breach, including to undertake preparatory work to support any future legal action. We also confirmed $17 million over two years to ensure the office is adequately resourced to meet the increasing complexity and potential increases in privacy complaints in the digital age and take the strategic enforcement action that was announced in the March 2022-23 budget. The government will be carefully looking at the resourcing requirements of the Office of the Australian Information Commissioner as part of the Privacy Act review process. In 2023, there will be an overhaul of the Privacy Act, and it will be important to consider the resourcing needs of the office in that context.

In relation to Senator Shoebridge's second reading amendment, which, effectively, seeks to introduce a statutory tort in relation to privacy, the government does not support this amendment as it is appropriate, again, to await the Attorney-General's Department's review of the Privacy Act. As part of this review, the department is giving consideration as to whether a statutory tort of privacy should be introduced. We should not pre-empt the outcomes of this review. It is appropriate that broader reforms be considered holistically in this process, given, again, the range of complex and interconnected issues, including whole-of-economy implications. A statutory tort would allow private citizens to seek remedies for serious invasions of their privacy and may create a more effective framework for individuals to seek compensatory damages for invasions of privacy. But this, along with the matters raised in the opposition's second reading amendment, is something that we think is best dealt with through the review of the Privacy Act that is now underway.

James McGrath (Queensland, Liberal National Party, Shadow Assistant Minister to the Leader of the Opposition)

The question before the chair is that the second reading moved by Senator Shoebridge be agreed to.

11:41 am

James Paterson (Victoria, Liberal Party, Shadow Minister for Cyber Security)

I move the second reading amendment on sheet 1765, circulated in my name:

At the end of the motion, add ", but the Senate calls on the Government:

(a) to clarify key definitions in the bill, in particular the meaning of 'serious' and 'repeated' in relation to breaches under the Act;

(b) to develop a tiered penalty regime that could take into account less severe breaches, and that seeks to differentiate between companies that have acted with malice and those that have taken all reasonable steps but have fallen victim to a cyber attack;

(c) to direct the Office of the Australian Information Commissioner to issue guidance material that addresses the application of penalties, and clarifies best practice for compliance with the regime; and

(d) to consider the adequacy of current resourcing and staffing levels for the Office of the Australian Information Commissioner and the Australian Cyber Security Centre for each to perform their functions, and to address all of the concerns raised by the former government in the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021".

Sue Lines (President)

The question is that the second reading amendment, as moved by Senator Paterson, be agreed to.

11:48 am

Sue Lines (President)

The question now is that the second reading, as amended, be agreed to.

Question agreed to.

Bill read a second time.