James Paterson (Victoria, Liberal Party, Shadow Minister for Cyber Security) Share this | Hansard source

I rise to make a brief contribution on the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 so that I have the opportunity to move the coalition's second reading amendment. In doing so, I commend Senator Scarr, who articulated the coalition's position on this bill more broadly, which is that we support the bill but that we are concerned with some of the drafting of the bill. I commend Senator Scarr and Senator Shoebridge for their work on the Senate Legal and Constitutional Affairs Legislation Committee, which inquired into this bill. I find myself, in addition to agreeing with my own colleague Senator Scarr, in strong agreement with Senator Shoebridge about the drafting and design issues of this bill, and the risk and potential for unintended consequences because of the way in which this has been done. I particularly commend the committee for the work they did in the very limited time they were allowed to do it; they were asked to report very quickly, but, nonetheless, even in that short time they have identified a number of serious issues with this bill.

The coalition's approach to this issue is going to be by way of a second reading amendment. The reason for that is that we believe this is a very complex issue and would not be assisted by amendments on the fly in the chamber from the opposition or the crossbench; it really is a matter for government to get these things right. We also don't want to stand in the way of the passage of these increased penalties because we agree increased penalties are necessary; Australians certainly feel that way after their data has been lost by major companies who should have been in a better place to defend their data. We need to send a very strong signal to corporate Australia that we have high expectations of them when they collect sensitive data from Australians.

Like Senator Scarr and Senator Shoebridge articulated, we are concerned about the definitions, particularly the meaning of 'serious and repeated' in relation to the act. We agree a tiered penalty regime would be preferable, which would allow us to take account of those less severe breaches and those more serious ones, and take into account companies who have been negligent in their handling of data compared to those who have taken all reasonable steps. We agree it's important for the Australian Information Commissioner and the Cyber Security Centre to have adequate resources, to make sure they can implement this in practice in an adequate way. We also believe the Australian Information Commissioner, particularly in light of any legislative amendments which clarify those definitions, should be providing some guidance material which makes it very clear to companies how they're supposed to comply with this law.

Just to sum up: we will be supporting this bill and moving a second reading amendment to articulate those concerns—particularly those raised by industry, including the Tech Council and independent third-party submitters like the Law Council, which we think were points well made in the inquiry process.

I move:

At the end of the motion, add ", but the Senate calls on the Government:

(a) to clarify key definitions in the bill, in particular the meaning of 'serious' and 'repeated' in relation to breaches under the Act;

(b) to develop a tiered penalty regime that could take into account less severe breaches, and that seeks to differentiate between companies that have acted with malice and those that have taken all reasonable steps but have fallen victim to a cyber attack;

(c) to direct the Office of the Australian Information Commissioner to issue guidance material that addresses the application of penalties, and clarifies best practice for compliance with the regime; and

(d) to consider the adequacy of current resourcing and staffing levels for the Office of the Australian Information Commissioner and the Australian Cyber Security Centre for each to perform their functions, and to address all of the concerns raised by the former government in the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021".