House debates
Wednesday, 6 November 2024
Bills
Privacy and Other Legislation Amendment Bill 2024; Consideration in Detail
11:31 am
Zoe Daniel (Goldstein, Independent)
by leave—I move amendments 1 and 2 as circulated in my name together:
(1) Clause 2, page 2 (after table item 7), insert:
(2) Schedule 1, page 58 (after line 27), at the end of the Schedule, add:
Part 16 — Miscellaneous amendments
Privacy Act 1988
90 Subsection 6(1) (definition of consent)
Repeal the definition, substitute:
consent means voluntary, informed, current, specific, and unambiguous indication through clear action, which has not since been withdrawn.
91 Subsection 6(1) (definition of personal information)
Repeal the definition, substitute:
personal information: see section 6AAA.
92 After section 6
Insert:
6AAA Meaning of personal information
(1) In this Act, personal information means information or an opinion that relates to an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
Note: Section 187LA of the Telecommunications (Interception and Access) Act 1979 extends the meaning of personal information to cover information kept under Part 5-1A of that Act.
(2) For the purposes of this section, an individual is reasonably identifiable if they are capable of being distinguished from all other individuals, regardless of whether or not their identity is known.
93 Application of amendments
The amendments of section 6 of the Privacy Act 1988 made by this Part, and section 6AAA of the Privacy Act 1988 as inserted by this Part, apply in relation to acts done, or practices engaged in, after the commencement of this item.
One must only read the title of the act which determines Australian privacy law today, the Privacy Act 1988, to realise we might have a problem. The world was very different in 1988. Office desks had in-trays and out-trays for physical letters. The word 'email' was mostly used in the vernacular of academic and other niche circles, and the idea of a personal computer was one for science fiction. Throughout the 21st century, successive Australian governments have iteratively amended the Privacy Act to manage the rapidly accelerating and unpredictable change brought by technological progress to account for the once nascent but now fundamental concept of digital privacy. Europe's General Data Protection Regulation, the gold standard, inspired various other countries to enact similarly ambitious law, but not here—not for Australia.
The failure of our Privacy Act to fully scale to the demands of the digital era has been as dramatic as it has been destructive. Just look to the headlines of recent years. The Guardian in November 2022 said, 'Hackers release records they claim are related to mental health and alcohol issues.' ABC in April 2024, following the Optus breach, said, 'More than 300,000 attempts of identity fraud blocked.' If these headlines show one thing, it's that the modern challenges of cyberspace have been too much for our Privacy Act to withstand, and individual Australians have largely been left to manage the deeply personal and lasting consequences of its failure, with many the victims of scams and other invasive offences.
A new tort to combat doxxing is a start, but it's too little, too late for the Jewish Australian creatives impacted earlier this year, many of whom live in my electorate of Goldstein. The problem is pervasive. According to the Consumer Policy Research Centre, if an Australian user were to maximise the privacy settings for all the apps and websites they use daily, it would take 30 minutes of toggling every day to do it. That's two minutes for every app we tap and website we visit. This takes a European user on average just 30 seconds. My question to this is: why? I'm not sure that the government has given us a good answer. There's no reason Australia can't legislate a regime of privacy reform on par with international best practice.
That is why I'm moving amendments which amend the definitions of 'personal information' and 'consent' in line with both the best international practice and the expectations of the Australian public. The low bar at which these two concepts are defined in Australian law enables the internet activity of Australians to be tracked across the internet to a greater extent than many other OECD nations. These two amendments are targeted improvements and do not represent the full scope of reform that needs to be done for our Privacy Act to meet international best practice, but redefining these two pivotal concepts is a start. Doing so would deal with a range of digital harms and offer certainty to businesses currently subject to Privacy Act regulation. Rather than wait, we can do this now.
The definition of 'personal information' needs to be expanded to include information that's both inferred and technical, such as IP addresses and device identifiers, where this information could be used to identify an individual. As it stands, if data does not meet this definition, none of the Australian privacy principles apply. This amendment creates a framework whereby the privacy of individuals is protected from systems which track their behaviour online, and this includes the unique fingerprints left by their devices, like the type of device that they use, their geographic location and various other forms of metadata. This includes where a person could be individuated in a data set by such inferred or technical information, even when their name isn't known.
My second amendment updates the definition of 'consent' and brings it in line with the digital era. Instead of consent being something that can currently only be expressed or implied, my amendment would revise it to one which must be voluntary, informed, current, specific and unambiguous. If this definition had been in place earlier, Meta may not have been able to scrape the social media profile data of Australians to train their AI models. These amendments are a strong start to improving the privacy of Australian citizens. Each is not only in line with international best practice but in line with the expectations of the Australian public. I commend these amendments to the house.