George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Hansard source

Senator Ludlam, I start by pointing out to you that Mr Irvine's views about the location of cloud storages have been misrepresented. There is no more enthusiastic supporter of the bill in its current form than Mr David Irvine. I do not think he would mind me telling you that, when the bill passed the House of Representatives last week, I received a message from Mr Irvine expressing his happiness and satisfaction with the fact that the bill was through the House of Representatives and looking forward to its passage through the Senate this week. I am not accusing you of misrepresenting him, but I think a remark that Mr Irvine made has been rather taken out of context and exaggerated. Mr Irvine wants legislators, senators, to know that he supports this bill in its current form and is very happy with it.

On the broader issue, the government does not have a closed mind. Australian law currently permits companies to store personal information in the cloud or offshore, provided that the appropriate risk-management strategies are in place. But they are subject—as I imagine you would know, Senator Ludlam—to some obligations, particularly under the Privacy Act. That act requires them to take reasonable steps to notify consumers if their information will be disclosed to an overseas recipient and the countries where the information will be held, and to ensure that any overseas recipient of personal information does not breach the Australian privacy principles.

As well, Senator Ludlam, you would be familiar with recommendation 36 of the 2015 PJCIS report, which recommends that the government introduce the telecommunications sector security reforms promptly. In the latter part of this year, that legislation will be introduced. The telecommunications sector security reforms will contain protections. It would, in particular, operate to provide a statutory framework for security agencies to work with industry to identify and mitigate security risks. Carriers and carriage-service providers would be required to manage security risks, including outsourcing and offshoring, by demonstrating effective control and competent supervision of their networks, the data on them and their facilities. The security framework would be based on a government and industry partnership to effectively manage national security risks and protect data stored and carried across telecommunications networks. So that is the answer to your question. There are, at the moment, under the Privacy Act, obligations, and there is in prospect, later this year, under the telecommunications sector security reforms, additional safeguards.