Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022

November 08, 2022

I rise to speak on the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 without referring to the member for Berowra's contribution. The original bill is a clear demonstration of the Albanese government's commitment to taking privacy, security and data protection seriously. There aren't many people in Australia who haven't had to face the reality of some of their personal data being accessed after the recent Optus, Medibank and MyDeal cyberattacks and many others that have been in the media. I think everyone now has a better personal understanding of the potential for the serious financial and emotional harm that can be caused by a data breach. Since the reporting of the Optus data breach, the Queensland Department of Transport and Main Roads has had more than 180,000 applications from Queenslanders to change their licence numbers. Locally, at one of the transport and major road service centres in my electorate, in Sherwood, there were lines of hundreds of people wanting to apply for a new licence number. The Department of Transport and Main Roads reported that, in the first two days where Queenslanders affected by the Optus data breach could apply to change their licence, they received 16,000 applications to do so. Compare that with an average five-day week. In a normal five-day week, TMR would process around 30 applications—three zero—so you can see what one data breach can do, and this highlights the sheer size and effect this data breach had not only on Queenslanders but obviously all around the nation.

This has emphasised the need for all levels of government, all businesses and all organisations to have an obligation to make sure they are protecting Australians' personal data. The bill before the chamber will provide Australians with confidence that their data will be protected in four ways: (1) significantly increase the penalties, so the stick is there; (2) giving the Australian Information Commissioner new powers to make sure that stick is wielded properly; (3) strengthening the notifiable data breaches scheme; and (4) giving information-sharing powers to the Information Commissioner and the Australian Communications and Media Authority.

The Albanese government has moved swiftly at every stage of its response to the Optus data breach, unlike the Abbott-Turnbull-Morrison governments that sat on their hands and ignored the many cybersecurity warnings handed out over the past decade. In contrast, the Labor government's response has helped assure Australians that their compromised identity documents can be replaced. We assisted with coordinating actions between agencies and took steps to enable Optus to share information with financial institutions to detect and prevent fraud. This bill is yet another example of the Albanese government making decisions and acting on the many challenges we all face in the fast-changing digital age.

Returning to the first point, this bill will provide Australians with confidence their data will be protected by increased penalties for serious or repeated breaches of privacy. Right now a penalty for a serious or repeated breach is $2.2 million. This bill will increase the penalty to not more than $50 million or three times the value of any benefit obtained through the misuse of information or, if the value of the benefit obtained cannot be determined, 30 per cent of a company's domestic turnover in the relevant period. In anyone's language, that is a substantial increase and it moves penalties away from just being about the cost of doing business to a substantial incentive to increase and invest in cyber and data safeguards and protections to look after Australians. These new penalties mirror those proposed in the government's Treasury Laws Amendment (More Competition, Better Prices) Bill 2022, ensuring an alignment of penalties across Australian privacy and consumer laws. Importantly these new penalties meet the community's expectations about the importance of protecting their personal data.

The second component of this bill is about strengthening the Notifiable Data Breaches scheme. It does this by empowering the Information Commissioner to assess an entity's compliance with the scheme's requirements. These assessments are an important educational tool and this power will assist entities in ensuring they are meeting all of their requirements.

The Information Commissioner will also have new information-gathering powers in the scheme's reporting and notification requirements. This is necessary to provide the Information Commissioner with a comprehensive understanding of the information that may or may not be compromised in a breach. It will allow the commissioner to assess the particular risk to individuals and to take actions, such as issuing a direction for the entity to notify individuals who have been affected by a data breach—so to avoid the cover-up.

The third part of this bill delivers more powers to the Information Commissioner to resolve privacy breaches, such as: powers empowering the Commissioner to publish notices about specific breaches of privacy or otherwise ensure those directed affected are informed; enabling the commissioner to compel entities to take external reviews to improve practices to reduce the likelihood of committing a breach again in the future; to provide the commissioner with new information-gathering powers to conduct assessments; and new infringement notice powers if an entity fails to provide information without the need for protracted litigation.

It will also ensure, even in this globalised world, that Australia's privacy laws remain fit for purpose. This bill will do so by ensuring that the Privacy Act can be enforced against global technology companies. Many of these companies will process Australia's information services in other countries, so this bill will amend the act's extraterritoriality provisions to encapsulate these companies in these provisions. This will mean that, even if these foreign organisations do not collect or hold Australians' information directly from a source in Australia, they must still meet the obligations under the act if they wish to carry out business in Australia.

One of the lessons learned from the recent breaches is that Australians want and need greater transparency and access to information about what has happened and, importantly, what is happening. To this end, the bill will ensure Australians are informed about privacy issues. It will provide the commissioner an express power to publish a final determination following a privacy investigation and information about a final assessment report. The commissioner will also be able to publish information about other matters, such as an update about an ongoing privacy investigation, if it is in the public interest. The commissioner will also be able to share information with enforcement bodies, alternative complaint bodies and privacy regulators for the purpose of the commissioner or the receiving body exercising their functions and powers. The Australian Communications and Media Authority will also be provided with better powers to share information within government for enforcement purposes. This will drive better cooperation between regulators in order to deliver better outcomes for Australians.

We have heard, from the opposition, complaint after complaint about the Albanese government not acting fast enough. However, when you look at things in perspective, those exact same people who complained the loudest about a lack of action need to have a good, long, hard look at themselves in the mirror. Many were part of the Abbott-Turnbull-Morrison government, which, for almost a decade, did close to nothing. Ultimately, no online privacy code was ever finalised or introduced to parliament. To make matters even worse, their proposed code wasn't even linked to responding to data breaches. It didn't contain any measures to improve the Notifiable Data Breaches scheme under the Privacy Act. They ignored the many stakeholders who indicated a preference for the code to be considered as part of the Privacy Act review. Compare that to the actions that the Albanese government has undertaken. Look at the tabling of this bill in just over six months after coming to office.

This bill is an important and pressing reform that will make sure penalties for privacy breaches adequately reflect community expectations, and it will ensure Australia's privacy regulator has the enforcement tools necessary to effectively deter the misuse of Australians' personal information. I recommend the original bill to the House.