Senate debates

Monday, 28 November 2022


Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022; Second Reading

11:05 am

David Shoebridge (NSW, Australian Greens)

I rise on behalf of the Greens to indicate that we will be supporting, with reservations, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022. I acknowledge the contribution of Senator Scarr, who sat with me on the Senate Legal and Constitutional Affairs Legislation Committee when we reviewed this bill. I also acknowledge many of the observations that Senator Scarr has made about the inadequacies of the bill and the adequacies of its fit in the overall privacy protection regime.

This bill amends the Privacy Act 1988 and the Australian Information Commissioner Act, as well as the Australian Communications and Media Authority Act, to increase penalties under the Privacy Act. It provides the Australian Information Commissioner with greater enforcement powers, and it provides the information commissioner and the Australian Communications and Media Authority with greater information-sharing powers. One of the concerns we heard from multiple stakeholders was that we're passing a bill that is meant to be about keeping our data safer and increasing protections for our data, but at the core of it are provisions that make it easier for our data to be shared amongst government agencies. That's an irony at the centre of the bill that many stakeholders pointed out and that I haven't yet heard the government address. I want to be clear that we do have concerns about that.

The headline for this bill is that it increases the penalty under section 13G of the Privacy Act for serious or repeated interference with privacy from the current penalty of about $2½ million to a maximum penalty that will not exceed the greater of $50 million or three times the value of any benefit that's obtained by a corporation or, if a court can't determine the value of the benefit, up to 30 per cent their adjusted turnover in the financial year.

The bill provides the Office of the Australian Information Commissioner with additional enforcement powers, modest though they are, that include expanding the types of declarations that the commissioner can make in a determination after an investigation is done and amending the extraterritorial jurisdiction of the Privacy Act to ensure foreign organisations that carry on a business in Australia must meet the obligations under the act, even if they do not collect or hold Australians' information directly from a source in Australia. We know, for example, that Meta is in the High Court at the moment, challenging the existing provisions based upon the law's current requirement to have a direct connection between whoever breached the privacy rules and the obtaining of the data from Australia. The High Court challenge has pointed out a flaw in the law, which this bill seeks to remedy. We wholeheartedly support that element of the bill.

The bill also provides the commissioner with new powers to conduct assessments, subject to having the resources, and provides the commissioner with new infringement notice powers to penalise entities for failing to provide information in the course of an investigation—so not in relation to a privacy breach but in the course of an investigation—without having to go to court. It also strengthens the notifiable data breaches scheme to provide the commissioner with more knowledge of the information contained in an eligible data breach.

In relation to enhanced information-sharing powers, the bill gives the commissioner increased ability to share information by clarifying that the commissioner is able to share information gathered through the commissioner's information-commissioner functions, freedom of information functions and privacy functions. It also provides the commissioner with the power to disclose information or documents with an enforcement body, an alternative complaint body or a state, territory or foreign privacy regulator for the purpose of the commissioner exercising their powers, or performing their functions. It provides the commissioner with the power to publish a determination or information relating to an assessment on the commissioner's website and to disclose certain information acquired in the course of exercising their powers if it's in the public interest. It also provides some other, more technical, amendments to the ACMA Act.

As Senator Scarr noted, there was significant concern amongst stakeholders and witnesses regarding the structure of this new proposed penalty regime. While there was near-universal support for having a substantially increased penalty—an increase in the scale of $50 million for most serious and repeated breaches—the lack of any tiered penalty regime and the manner of the drafting of the amendments to section 13G of the Privacy Act expose significant weaknesses in the government's proposed model.

The proposed model seeks to link the maximum penalty for breaches to some benefit received through the privacy breach. That was modelled on competition laws. There is some common sense in linking maximum penalties to the benefit received when the offence is a question about breaching competition laws. The manipulation of markets, or other anticompetitive practices, can often see extraordinarily large returns in the hundreds of millions or billions of dollars. For that reason, in the competition space, a fine that's linked to the benefit received by a corporation has a large amount of sense to it. In fact, it may be the only way of discouraging large-scale anticompetitive behaviour in corporate Australia, and we've seen it in other jurisdictions.

But, in the privacy space, the benefit that corporations may obtain from privacy breaches is far more ambiguous. For many entities—and we're seeing this play out in real time at the moment with Medibank, Optus and others—there's actually a net loss from privacy breaches. If you think for a moment about the reputational damage that's been done to Optus and Medicare for their data breaches—they may have some notional benefit in having underinvested in IT and other support mechanisms in the past. Maybe that's a notional benefit. It's unclear from the bill whether that's the kind of benefit that's being referred to in the proposed section 13G, and it will be interesting to hear from the government what their views on that are. That may be a benefit, but then they've had a huge disbenefit in the reputational damage and the harm to their customer base that's come about from these data breaches. In neither of those cases does it appear that the privacy breach was intentional, so the benefit is, at best, that historical underinvestment in cybersecurity. How does that work with the proposed 13G?

It would be fair to say that, after the committee hearing, how that works is as clear as mud. It's also not clear from the drafting—as I said, if the benefit is some kind of net benefit, you have to weigh up the positives and the negatives. And it's also not clear how the proposed alternative maximum fine of up to a third of annual turnover will be engaged where that benefit is hard to determine.

You may get the bizarre situation where a corporation may intentionally and deliberately breach the privacy laws and may enter into a contract, some kind of deal, to breach the privacy laws, for maybe a $20 million payment. For a deliberate, intentional, noxious breach of our privacy laws, they get $20 million, and they may be a large corporation with a billion-dollar turnover. You can identify what that benefit is: it's $20 million. The third element of the proposed section 13G says that where you can't determine the benefit you use 30 per cent of the turnover as the maximum, so if your turnover is a billion dollars that could be up to $300 million. In this case, that corporation which had a very noxious, intentional breach of the act has a capped maximum of $50 million because it didn't go above the first element of the proposed section 13G.

Another corporation may have had no malice but just some kind of negligent breach of the Privacy Act and had their data hacked because they didn't put the proper measures in place. If they had a $1 billion turnover—perhaps the benefit they got was an historic underinvestment in cyber; you can't really work out what the value of that benefit is—that corporation may face a maximum penalty of up to $300 million. So the corporation with a noxious, deliberate breach of privacy, in that instance, gets a significantly lower penalty than the corporation that was negligent and didn't intend to but did have a serious breach. That makes no sense. And we're yet to see from the government some kind of explanation about how that's going to work in practice. Those difficulties arise from taking provisions that are designed from one part of the law—in this case, competition law—and just unthinkingly cutting and pasting them and whacking them into privacy law. So there is a very real need for the government to closely consider these drafting issues and do it as a matter of urgency.

Also, with these amendments, we have just one penalty, and I'd describe it as the nuclear option. After these amendments succeed, the only penalty that can be imposed for the breach of privacy laws is the $50 million maximum or, as we discussed earlier, potentially an even greater maximum penalty for corporations with large turnovers. There's no subtlety or nuance in the law. Removing that existing penalty and having a one-size-fits-all offence with a maximum penalty of $50 million leaves the regulator in an almost impossible situation.

Say there's a charity which has a $25 million annual turnover, and it has breached the privacy laws. It might be quite a serious breach. They failed to invest in the necessary IT measures, and there was a serious breach. They were put on notice, and they breached. What does the regulator do? Does the regulator bring a penalty with a maximum $50 million fine against the charity which has a $25 million annual turnover and, just by dint of bringing in the prosecution, effectively kills the charity? Think of a small business with a similar turnover. If you're a director in a small business and you get whacked with a penalty which may carry a maximum $50 million fine, you'd be having a chat with your insurers and your lawyers and thinking, 'Can we continue business the day after we get the fine?' There's no subtlety. How is that going to make our privacy any safer?

As the majority of contributors to the inquiry made clear, there's a need for a far more nuanced approach, with tiered penalties. For that reason, there's real benefit in agreeing to the larger maximum fine for serious or repeated breaches, rather than keeping the existing penalty for lesser breaches which are not necessarily serious or repeating. The Greens will have an amendment to do just that, in the committee stage.

I also indicate we're moving an amendment to the second reading to provide another enforcement measure, one that has been waiting decades to happen in this country. It urges this parliament—urges this house—to insert a new statutory civil cause of action for the serious invasion of privacy in the Privacy Act, modelled on what the Australian Law Reform Commission did in its 2014 report entitled Serious invasions of privacy in the digital era.

I'll finish by saying this. When it comes to resourcing, one thing was abundantly clear from the inquiry and from other investigations we've had in budget estimates. The Office of the Australian Information Commissioner is grossly underfunded. As the commissioner noted in her evidence on this inquiry, her UK equivalent has 10 times the number of staff of the Office of the Australian Information Commissioner. The commissioner also noted that the $5½ million obtained to undertake her investigation into just one breach, the Optus breach, fairly represents what a complex investigation would cost under these new penalty provisions. So it's fair to ask how the office will properly investigate the raft of other data breaches that we've already seen, not least Medibank, or what else happened this morning before we came in here to speak in the chamber.

With a total budget of just over $33 million annually, from which all of the FOI and privacy work must be undertaken—and we know the FOI work is chronically underfunded—there is an obvious lack of practical capacity for the Information Commissioner to undertake any more than one serious privacy investigation at a time. That lack of financial capacity is, as I said, even clearer when you look at how chronically delayed and underfunded the FOI aspect of the Information Commissioner's work is.

The end result is that the parliament might agree to these tougher penalties—and it looks like they will—but the government has starved the regulator of the funds to seriously enforce them. At the end of this, we might have a Pyrrhic victory for data security. We get a headline, we get a new penalty—we get a penalty that's almost impossible to use because of the size and the scale of it—and we give it to a regulator which barely has the money needed to keep the lights on, let alone bring an actual prosecution in this space.

I move:

At the end of the motion, add ", and the Senate calls on the Government to introduce a bill into the Parliament to insert a statutory civil cause of action for serious invasion of privacy in the Privacy Act 1988, modelled on the Australian Law Reform Commission's 2014 report entitled Serious Invasions of Privacy in the Digital Era".
