Murray Watt (Queensland, Australian Labor Party, Minister for Agriculture, Fisheries and Forestry) Share this | Hansard source

I thank all honourable senators for their contributions to the debate on this important bill, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022.

I would also like to thank the Senate Legal and Constitutional Affairs Legislation Committee, who have carefully considered the bill and recommended it be passed. The detailed work that was undertaken by that committee was also reflected in a number of the more thoughtful contributions in this debate. The government also accepts the committee's recommendations that the Attorney-General's Department, as part of its Privacy Act review, should firstly consider amending section 13G of the Privacy Act to define the terms 'serious' and 'repeated' interference with privacy; and secondly examine whether it is appropriate to provide for any additional Australian link to the extraterritorial jurisdiction provision. I would thank the chair and deputy chair of the Legal and Constitutional Affairs Committee, Senators Green and Scarr, the members of that committee and all those who made submissions and gave evidence to the committee's inquiry.

This bill is a priority for the Albanese government and sends a clear message that entities must take privacy, security and data protection seriously. Recent data breaches have caused considerable distress and alarm for millions of Australians and have the potential to cause serious financial and emotional harm well into the future. Increasing penalties for a serious or repeated breach of privacy will incentivise entities to take strong privacy and cybersecurity measures to protect the personal data they hold. Setting these penalties at a higher level will accord with Australian community expectations about the importance of protecting their personal data and the significant impact caused by serious privacy breaches.

The maximum penalty, while operating as a statutory cap, does not otherwise constrain the exercise of the court's discretion to impose a penalty that is appropriate to the seriousness of the misconduct and harm or potential harm in the particular circumstances of the case. This discretion that a court would have would deal with the hypothetical example, characterised by Senator Shoebridge, relating to an NGO and the potential effect on them. That would be a matter for the court's discretion. We think that provides some protection and an overwhelming fine against an NGO. This measure is complemented by a range of targeted enhancements to the enforcement powers to equip the Australian Information Commissioner with the tools necessary to take effective and efficient enforcement action where necessary.

I note the calls that have been made by a number of senators for adequate resourcing for the commissioner, and this is a matter that is being considered part of the government's broader review of privacy rules and legislation. Greater information-sharing arrangements for privacy and telecommunications regulators will also ensure Australians are informed about emerging privacy issues and will ensure these regulators are able to work together to take prompt action to minimise harm to Australians.

The bill is an essential first step of the government's agenda to ensure Australia's privacy framework is fit for purpose and responds to new challenges in the digital era. Further reforms will be considered next year, following consideration of the Attorney-General's Department review of the Privacy Act. This bill is an important and pressing reform that will make sure penalties effectively deter the misuse of Australians' personal data and will ensure Australia's privacy regulator has the enforcement tools necessary to resolve privacy breaches efficiently and effectively. The bill is a reflection of community expectations and demonstrates the Albanese government's commitment to keeping Australians' data protected.

I think now is probably the appropriate time for me to respond to the second reading amendments that have been moved both by the opposition and by Senator Shoebridge. Dealing with the opposition's second reading amendment to begin with, the government does not support this amendment, as it's appropriate to await the Attorney-General's Department's review of the Privacy Act. The bill that we are debating here is a targeted and proportionate response to the recent data breaches. The government is acting now to increase the penalties, as the current maximum penalties are inadequate. The penalties need to be increased to incentivise entities to have appropriate privacy and cybersecurity settings, and they reflect the harm that data breaches can cause. Reforms to: clarify key definitions in the Privacy Act; develop a tiered penalty regime; provide greater clarity on the application of penalties; and enhance security guidelines are being considered through the Privacy Act review. It's appropriate that these reforms be considered holistically in this process, given the range of complex and interconnected issues and other work across government. This will also allow the necessary time to carefully consider the need to balance potential new privacy obligations with any regulatory burden on entities.

In the October 2022-23 budget, the government provided the Office of the Australian Information Commissioner with $5.5 million over two years to investigate the Optus data breach, including to undertake preparatory work to support any future legal action. We also confirmed $17 million over two years to ensure the office is adequately resourced to meet the increasing complexity and potential increases of privacy complaints in the digital age and take the strategic enforcement action that was announced in the March 22-23 budget. The government will be carefully looking at the resourcing requirements of the Office of the Information Commissioner as part of the Privacy Act review process. In 2023, there will be an overhaul of the Privacy Act, and it will be important to consider the resourcing needs of the office in that context.

In relation to Senator Shoebridge's second reading amendment, which, effectively, seeks to introduce a statutory tort in relation to privacy, the government does not support this amendment as it is appropriate, again, to await the Attorney-General's Department's review of the Privacy Act. As part of this review, the department is giving consideration as to whether a statutory tort of privacy should be introduced. We should not pre-empt the outcomes of this review. It is appropriate that broader reforms be considered holistically in this process, given—again—the range of complex and interconnected issues, including whole-of-economy implications. A statutory tort would allow private citizens to seek remedies for serious invasions of their privacy and may create a more effective framework for individuals to seek compensatory damages for invasions of privacy. But this, along with the matters raised in the opposition's second reading amendment, are things that we think are best dealt with through the review of the Privacy Act that is now underway.