Monday, 28 November 2022
Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022; In Committee
David Shoebridge (NSW, Australian Greens)
Senator SHOEBRIDGE: by leave—I move amendments (1) and (2) on sheet 1736, as circulated:
(1) Schedule 1, page 5 (after line 10), after item 11, insert:
11A At the end of Division 1 of Part III
13GA Other interferences with privacy
An entity contravenes this subsection if the entity does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.
Civil penalty: 2,000 penalty units
(2) Schedule 1, item 45, page 18 (after line 6), after subitem (3), insert:
(3A) Section 13GA of the Privacy Act 1988, as added by this Schedule, does not apply in relation to an act done, or a practice engaged in, before the commencement of this item.
As we noted in the second reading contribution, the amendments to the Privacy Act that have been presented by the government, which are going to be agreed, are going to create a one-size-fits-very-few penalty regime where the only penalty available to the regulator is a minimum maximum, if you like, of $50 million for a penalty and then potentially a higher penalty if a corporation has a turnover that would trigger the higher penalty. This amendment seeks to put a new section 13GA into the Privacy Act, which would provide that an entity contravenes this subsection if the entity does an act, or engages in a practice, that is an interference with the privacy of one or more individuals, and it seeks to retain the existing civil penalty of 2,000 penalty units for that breach. It also has a consequential amendment that provides that there's no retrospectivity in relation to that proposed provision.
The proposed new section 13GA would remove the necessity for 'repeated or serious' from the offence provision and provide for what pretty much every stakeholder said we need, whether it was Electronic Frontiers, Digital Rights Watch or even the business reps who came before the inquiry that we had: put in place a tiered approach. If the Greens amendment was successful, it would allow the regulator to have at least some nuance in how the regulator goes about enforcing privacy. But if they see a breach of the privacy laws—and it may well be a quite disturbing breach; it doesn't have to be serious or repeated, but it could be—then instead of having to go and press the nuclear launch button of the $50 million penalty they'd be able to seek a penalty that has a maximum value of some 2,000 penalty units for a corporation which would not see small or medium businesses or charities potentially going to the wall when the regulator takes action.
Without this, we're going to see no realistic way of enforcing the privacy laws against small and medium business or against the charitable and not-for-profit sector. If the only tool to hand for the regulator is a $50-million-plus maximum penalty, that is not going to be able to be used in any practical way against small and medium business or against NGOs and the not-for-profit sector; it just won't be. And we're going to pass a law here today that is actually going to mean less real power, less real capacity for the regulator to enforce our privacy laws.
The Greens amendment fills that gap. It puts in that tier, which is a realistic penalty that could actually be used by the regulator, who would therefore have a meaningful way of keeping our data and our privacy safe. Without this, let's be clear, the regulator won't have the resources for 99.9 per cent of privacy and data breaches, and it definitely won't have the political will to whack an entity with a $50 million maximum fine. It just won't happen. This is about sensible, measured, nuanced regulation. It's what pretty much every stakeholder said we should do with this bill, and I commend the amendment to the Senate.