Monday, 13 February 2017
Privacy Amendment (Notifiable Data Breaches) Bill 2016; In Committee
I have a couple of questions that I would like to put to you, Minister Fierravanti-Wells, recognising that you are here in a representative capacity. Firstly, regarding the issue that we just took the second reading vote on, can the minister explain, just in case senators are not aware, why political parties are exempt from the Privacy Act? The second reading amendment that we just voted on is, as a second reading amendment, basically guidance to the government. It does not oblige the government to do anything, but we believe that political parties and businesses that are carrying large amounts of personal information, whether they are operating above or below a really arbitrary $3 million turnover threshold, should be obliged to notify users if they lose control of their private information. Why are political parties exempt from the parent act that we are amending and, therefore, from the operation of this bill?
I am advised that this has been a longstanding provision since 2001, and that it enables political parties to go out and engage with their membership and the general public.
Senator Ludlam, I just wanted to advise you: Senator Brandis is on his way. He has just been caught up. So he should be here soon. I am just holding the fort in the interim.
I mean no disrespect, Senator Fierravanti-Wells. I know that you are also carrying a lot of other issues. Just to confirm then, according to your response, if the Liberal Party or the Labor Party, the Greens, the Xenophon party—or anybody at all who is collecting information on the electorate, on their voters, supporters and people who are not supporters—are hacked, and if that information of fairly intimate details of people's political leanings gets into the public domain, are the parties in question still not obliged under any law of this country to disclose that to the people whose interests they might have harmed?
So the status quo remains. I guess that is confirmation. So it is voluntary for everybody at the moment, and we are tightening the net for some entities but not for political parties. Similarly, then, can the minister explain why it is the government's view that there should be an arbitrary $3 million turnover threshold for disclosure rather than relying on whether or not harm is being done to people through the disclosure of their private information? What is with the $3 million?
I think it was the Australian Bankers' Association which made the point that this potentially puts larger entities who will be subject to obligations under the bill at a commercial or a competitive disadvantage. I think this is probably the first time I have ever quoted the Australian Bankers' Association in here, but there you go! They said:
… small businesses often have the least mature privacy and security capabilities; nevertheless, in the information economy and with modern computing tools, a small business may still have a large customer base, or collect personal information about large numbers of individuals.
That is a statement of fact. I hope there is nothing controversial about that. Why are they not included within the Privacy Act let alone within the ambit of this bill?
Acting Chair, I just wonder if the government could indicate how long Senator Brandis would be. In terms of the expeditious handling of this legislation—I do not agree with anything that Senator Ludlam, I am sure, will be putting to the chamber—it just seems that we are in a position where we are likely to have a double handling of it, where the same questions might, indeed, be asked again of Senator Brandis. If he is going to be a while, I wonder whether the government might want to consider how they want to handle that.
I am advised that he will be here shortly. So, in the interim, if Senator Ludlam is happy to continue with the way we have been going then I can get him answers to his questions. You asked about small business, Senator Ludlam. I am told that, in relation to small business, it would impose an unnecessary burden on them. However, in relation to health services, irrespective of turnover, those entities providing health services are bound.
I understand that there are some carve-outs for health service providers and for credit reporting agencies, as well as a couple of other carve-outs. In the writs attached to the explanatory memorandum, the government is boasting that the proposed scheme will only apply to around six per cent of Australian businesses. So 94 per cent of Australian businesses will not be caught by this bill. I do not understand why it should relate to turnover rather than the fact that some of these small businesses will hold considerable amounts of people's private information, and, yet, that will be exempt from the bill. Rather than just a blanket statement that it would be unwieldy for them, why not move, as the Australian Privacy Foundation and many others have pointed out, to have the threshold be related to harm to the user base rather than to turnover of the small business? I genuinely do not understand why the government has gone that way.
Senator Ludlam, some metric or some basis had to be determined. It is better that that be an empirically verifiable basis. The proposal that, I understand, you are putting to me would involve a degree of judgement in relation to the circumstances of a particular business. So the reason that the government has legislated in this way is so that there can be some known and certain basis of discrimination.
I understand the point that you make. However, that judgement will exist if you are a bank, if you are a government department, if you are a large company, if you are Coles or any of the other entities that I mentioned in my contribution earlier. You are already going to need to be exercising judgement, as is explained in the EM and in the bill, around whether you have caused your user base, or people you have been collecting information on, serious harm. Why not extend that to anybody who is holding considerable amounts of information on their users? I would have thought that the purpose of the bill, which is going to be supported by everybody in here when we come to the final vote, is about protecting people. So we are imposing an obligation on one sector of the economy and on one big part of the public service but not on others not through any arbitrary distinction about whether they are holding information or not but around scale. I would have thought that scale, as the kind of metric that you are describing, is actually irrelevant under this circumstance.
I suppose, Senator Ludlam, lines have to be drawn somewhere. This is where the government has chosen to draw the line on this issue. Different minds could, in good faith, arrive at different views but that is where the government has landed.
That being the case, I move, on behalf of the Australian Greens, amendment (1) on sheet 8055:
(1) Schedule 1, item 3, page 11 (line 19), omit "30 days", substitute "3 days".
This amendment relates to how long entities that are caught by this bill have to notify people that their interests might have been compromised. I quoted from item 80 in the explanatory memorandum a little earlier and pointed out data that was presented there—and I presume that 'the last 12 months' represents 2016 or 2015-16—that shows:
… the average number of days between a data breach and an individual being notified of the breach was 405 days …
So the primary intention of this bill is to bring that notification period way down.
It goes on:
… whereas the average time between a data breach and the misuse of compromised information was 72 hours—
three days. Why has the government set 30 days, which, as its own explanatory memorandum acknowledges, is 10 times longer than the average time between a breach and the misuse of compromised information?
Can I indicate to the chamber that the government will be opposing this and the other Greens amendments. The legislation, which I think even the Greens would acknowledge is a step in the right direction—although you do not agree, obviously, with every detail of it—has had to come up with a reasonably complex scheme. This is where we have landed having taken into account all relevant considerations in the interests of the various stakeholder groups and affected parties. We are satisfied that this is the best set of arrangements in the circumstances. They will not be improved by your amendment, so it will be opposed.
Just to indicate the opposition's position, we will not be supporting this amendment. This bill, as I outlined in my speech in the second reading debate, has gone through a very extensive consultation process and this is the time frame that has been identified as part of that process. I think it is difficult for senators to determine what is reasonably practicable for some of these entities simply by having a discussion on the Senate floor. I share some of the concerns of Senator Griff and Senator Ludlam regarding expeditious notification. I would note that there were changes to this section, 26WH, as a result of the consultations, so our view is that it would be best at the moment to proceed with the time frame that was the subject of lengthy consultation.
I would add, though, that there are processes in this parliament—estimates committees, the annual report of the Privacy Commissioner—which would enable the Senate to consider, in the future, whether or not the 30-day time frame has proved to be an appropriate one in light of some of the concerns which have been raised.
Can I just add an observation, please, Senator Griff. The 30 days is a maximum under section 26WH, but section 26WH also imposes a requirement that the party upon whom the obligation is cast must undertake an 'expeditious assessment'. So it may well be that an assessment is able to be undertaken in a much shorter period of time than 30 days. Thirty days is the outside, it is a statutory maximum, but against an obligation to deal with the matter expeditiously. It is the obligation, in fact, to deal with the matter expeditiously that is the governing obligation here, and then some guidance is to be given as to what is beyond reasonable compliance with that obligation of expedition. That is within at least 30 days but it may be sooner.
I thank the minister for his answer and thank other senators for their contributions. The second two amendments—which I will move shortly, once we have dealt with this one—go to the fact that with many data breaches, such as those that I, Labor senators and Senator Griff identified during our contributions, it takes some time before some of these companies or departments even know that they have had a breach. So the clock is not ticking from the time they realise they have lost control of people's information but from the time that the breach occurs. That could be weeks, months or, in some cases, years after the breach is discovered. I believe that in most cases in the list of examples I read earlier it was a period of weeks before the breach was actually discovered, at which point your obligations begin.
I take Senator Brandis's point; 'expeditious' is entirely appropriate. That implies that the ICT teams get moving and try to identify what has actually happened. What we do not want to have is companies and departments being tied up for up to 30 days, working as rapidly as they can, trying to figure out whether they are obliged to report the breach. We would rather just see, on balance, that the reporting happens earlier. That will go to the second amendment that we are going to move shortly. We think 30 days is far too long and we also believe you have identified the reason that it is far too long in your own explanatory memorandum, where you have said—I am going to put this on the record one last time:
… the average number of days between a breach and the individual being notified was 405 days, whereas the average time between a data breach and the misuse of compromised information was 72 hours—
three days. You have made the case for three days in your EM, probably more eloquently than I am this morning. I am seeking your guidance, Mr Temporary Chair. I am taking Senator Griff's advice in the interests of compromise and wish to substitute 'five days' for 'three days'. Do I need leave to amend 'three days' to read 'five days'?
I seek leave.
Do I need to move that or is that done?
The TEMPORARY CHAIR: Perhaps you could explain your amendment for us.
Amendment (1) on sheet 8055 is substituting 'five days' for 'three days' as circulated.
The TEMPORARY CHAIR: The question is that that amendment be agreed to. Those of that opinion say aye and against say no. I think the noes have it on that amendment.
In that case I will put the amendment. If Senator Brandis is not interested in even two days—
The TEMPORARY CHAIR: Just one moment, Senator Ludlam. I think the Attorney may have something to share, so could you resume your seat.
Senator Ludlam, I thought you were moving the amendment with the 'three' substituted with 'five'. I do not think you needed to move a motion to substitute 'three' with 'five' because the government had given you leave to substitute 'three' with 'five'. So from the government's point of view—and I suspect Senator Wong may be in the same position—our opposition is to your substantive amendment not to your request to substitute 'five' for 'three' within the amendment.
The TEMPORARY CHAIR: The Attorney is correct. We have accepted that the amendment has been amended by leave. The question being put is that the amended amendment on sheet 8055 be agreed to.
by leave—I move together amendments (1) to (3) on sheet 8053 revised:
(1) Schedule 1, item 3, page 4 (line 1), omit "is likely to result in serious", substitute "results in".
[significant data breach]
(2) Schedule 1, item 3, page 6 (lines 25 to 28), omit subparagraph 26WE(2)(a)(ii), substitute:
(ii) a reasonable person would conclude that the access or disclosure:
(A) would be likely to result in harm to any of the individuals to whom the information relates; or
(B) is a significant data breach; or
[significant data breach]
(3) Schedule 1, item 3, page 6 (lines 32 to 36), omit subparagraph 26WE(2)(b)(ii), substitute:
(ii) assuming that unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure:
(A) would be likely to result in harm to any of the individuals to whom the information relates; or
(B) is a significant data breach;
[significant data breach]
I will explain the nature of the revision because there will be earlier copies of this sheet floating around the chamber. These amendments go to the issues I foreshadowed in my speech during the second reading debate. How serious should the breach have to be before you have to disclose it to the people at risk? This relates to the amendment the chamber has just disposed of relating to how long people should be given to think about whether they are caught by this act or not.
The threshold has shifted around a little bit since the 2013 bill and the exposure draft that informed this bill. The issue to me is crucial. It defines whether the bill works as intended. If the threshold is set too high then almost nothing will get reported and we can pat our backs and say that we all worked here in a very cross-partisan way to improve the law but in real life almost nothing will have changed because these breaches can still occur and people will not be notified. If the threshold is set too low then you risk what some submitters have identified as notification fatigue. If you get emailed by your bank every couple of days that something might have happened then eventually you will start ignoring those messages.
The Australian Privacy Foundation's very detailed submission goes into this issue at length. What they have said really is that the term 'serious' is a big part of the problem. They have said:
In practical terms what is the difference between harm and serious harm?
I think, Mr Temporary Chair Bernardi, when you made a contribution earlier you alluded to this issue as well. There is confusion about whether you have obligations under this act or not. The Privacy Foundation continued:
The intent of this distinction seems to raise the threshold for reporting. What it is more likely to do is to create confusion as to where the threshold lies. Vaguely drafted and ambiguous terms such as this invariably reduce the effectiveness of the operative provisions when enacted.
We do not want to pass this bill into law if the threshold is set so high that people will be given their 30 days and will decide that serious harm has not been done. These amendments effectively amend two different parts of the bill to say that if the disclosure 'would be likely to result in harm to any of the individuals to whom the information relates or is a significant data breach' then you are caught, then you report, then you disclose, then you notify. That should really cut down on some of the red tape that Senator Bernardi was referring to. It should cut down on the need for 30 days. The assumption is one of disclosure, and we think that is entirely appropriate.
Senator Ludlam, it is a fair point that you make, to which I respond in this way. It is, I hope you would agree, important that legislation that imposes what is potentially 'quite an onerous obligation' on those who hold data applies only to non-trivial breaches, breaches that are causative of harm and are significant. It is very difficult—indeed, I dare say impossible—to legislatively define the threshold at which one considers a breach to be non-harmful or non-trivial and therefore in these circumstances it is necessary to use reasonably generic language.
If it be accepted that the obligations imposed by the legislation should apply only to harmful or to non-trivial breaches then a body of precedent and practice will develop as the legislation operates and the development of those more particular guidelines will be assisted by the publication of compliance guidance by the Office of the Australian Information Commissioner so that a clearer picture can emerge as to where one draws the line. I readily acknowledge that different minds will differ as to where the line should be drawn between trivial and non-trivial breaches and harmful and non-harmful breaches, but, as I said, if one accepts that the legislation should apply only to non-trivial breaches and should apply only to harmful breaches then in the absence of any more precise capacity to formulate that in the statute it will be formulated by practice and the development of precedent guided by the guidelines of the Office of the Australian Information Commissioner.
Thank you, Minister—that was actually quite helpful, and it feels as though we are not that far apart. In fact, I think I agree with everything that you put. The distinction that I am trying to draw is that, the way the bill is currently drafted, an obligation will not apply to an entity unless it believes that serious harm has occurred. The distinction that you are drawing between trivial or non-harmful conduct and harmful conduct is precisely where I think we should be drawing the line, but the bill, as drafted, does not do that. Presently, an entity can decide—after the maximum of 30 days and after it has expeditiously done its assessment—that it has in fact caused harm and still not be caught by the bill, because it might have decided that it was not serious harm. I am at a bit of a loss, Senator Brandis, because I agree with your description of how the bill should work but I do not think it is how the bill will work. My reading is that the amendment the Australian Greens are putting forward would draw the bill closer to the way that you just described you believe it should operate.
I think we are not all that far apart. One further point I should have made in the observations that I made a few moments ago is that this is subject to a reasonable person test. In section 26WE the test is whether a reasonable person would likely believe that the data breach would cause significant harm. Senator Ludlam, as you know, it is a very commonplace device in the law to subject these kinds of criteria—which cannot be defined on a case-by-case basis, because of the infinite variety of potential circumstances to which they might attach—to a reasonable person test, and that has been done. I think I will stop there. What we are trying to achieve is not very far apart, if not essentially the same. There are various ways of testing this. As a result of quite extensive consultations, the government has landed at adopting the test that I have expressed. That is a test that is workable and can be informed by practice, precedent and the guidelines of the Information Commissioner.
If I do not have the numbers in this chamber to carry this amendment, I am not going to detain us for too much longer; we will wait until we hear from Senator Wong and then we will put this one to rest. I believe we are fairly close in what we are trying to do and I have no problem with the reasonable person test or with their reasonableness—that is a longstanding practice—but the test that this abstract reasonable person would be applying is not between whether non-trivial or non-harmful and trivial or harmful conduct has occurred; the distinction that they would be asked to draw is whether or not serious harm has been done. That is where I have a problem. As the Privacy Foundation and other submitters suggested, an entity would be able to draw the conclusion that it had caused harm to people and yet still not be subject to the operation of this bill. That is certainly, Senator Brandis, not how you have been describing it. You have been describing it in the way that I would hope the law would operate. Under this bill, an entity would be able to draw the conclusion that it had caused harm to its users but that, because it was not serious harm, it did not need to disclose it. I think that is completely unacceptable. That is all we are trying to fix this morning.