There is no contention on this side of the House that we need to do more to ensure that the privacy of Australians is protected. As the digital revolution becomes embedded through all the ways we conduct business and engage in life in common together, data has become almost a currency of its own—a new type of asset that can be traded and given. And in recent weeks we have been reminded that it can be stolen.
On this side of the House, we invested significant time, money and work while in government to advance online safety. We’re strongly in support of action to address cybercrime and to ensure greater responsibility and healthy practices when it comes to the storing of people’s private information. However, we’re very disappointed with the way the government is handling this Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 and with the pattern that’s emerging with the Albanese government’s decisions to clean up PR blunders and then hold inquiries or consultations which are nothing more than box-ticking exercises. To be discussing this bill when a Senate inquiry is currently underway and due to report in a fortnight, when a two-year substantial review of the Privacy Act is to be delivered very soon—and to completely ignore what has been learned from these processes—indicates the attitude of the government to lawmaking. While we don’t oppose this bill—because the data breach incidents of recent weeks cannot go unattended—I want to indicate that we will be considering the findings of the Senate inquiry and the concerns that have been raised by submitters carefully in the coming days. We hope that the Senate scrutiny will be given properly. It may result in amendments made in the other place.
The reason we must take action to guard people’s privacy more carefully in the online space has been made very evident through the recent headline breaches that have affected Optus and Medibank customers. Thirty years ago, someone could have their wallet stolen from their pocket and their losses would be substantial: cash would disappear, cards would need replacing and a child’s photo would be gone forever. It was a fear we all guarded against. Today, the theft we’re more likely to experience is online and our capacity to prevent it is minimal. It can happen without our knowledge and without any fault of our own, and its consequence can be extraordinarily far-reaching. Again, there’s the risk of financial loss and the nuisance of passwords and identification being replaced. But, as we’ve seen recently, it can have far more damaging long-term consequences as privacy is thoroughly and, in some cases, permanently invaded.
Businesses no longer simply possess our phone number and address, significant as that information is. They may also have our fingerprints, our face ID, our preferences, our email history, our shopping habits and our relationship information. This is extraordinary information which can be used very effectively to improve the standards of care or service we receive, but it also makes us very vulnerable if that data is mismanaged or taken without consent. The Australian Cyber Security Centre’s Annual cyber threat report from 1 July 2020 to 31 June 2021 highlighted that self-reported losses due to cybercrime totalled more than $33 billion during the 2020-21 financial year. In 2013, the estimated cost of cybercrime in Australia was $2 billion according to the 2013 National Plan to Combat Cyber Crime. The growth in the impact of this area of criminal activity is extraordinary. Based on those statistics, we’re looking at a more than 15-fold increase in less than a decade. And outside of the dollar value of the crimes is the incalculable cost to people whose personal information is taken without their consent.
I want to turn to some of the recent breaches we’ve seen. On 22 September, Optus reported a cyberattack which resulted in a data breach in which the personal information of as many as 9.7 million of its customers was affected. Just a few weeks after the Optus hacking incident, Medibank reported another cyberattack, resulting in another major data breach. Initially, Medibank suggested the breach was restricted to its budget option, ahm, and its international students insurance. On 25 October, however, Medibank revealed that the hacker had access to the personal data and medical information of as many as two million Australians. Even that starting figure has risen, with Medibank confessing that in fact almost 10 million Australians’ data has been exposed.
Although these two data breaches have triggered the most media attention, we should not overlook the millions of other Australians who have had their personal data compromised. On 19 October, mydeal.com.au, a subsidiary of the Woolworths Group, reported a cyberattack after 2.2 million of its customers had their names, email addresses and phone numbers exposed in a data breach. Before that, on 17 October, Vinomofo, an online wine dealer, reported a cyberattack resulting in a data breach of more than half a million of its customers. At risk of exposure are the names, dates of birth, addresses, email addresses, phone numbers and gender of its customers. On 30 September, EnergyAustralia, too, reported a cyberattack. That fallout was a data breach of 323 residential and small business customers, with customer names, addresses, electricity and gas bills, phone numbers and the first six and last three digits of their credit cards included on the accounts breached.
Jim Marinis, the husband of Mary Jane and the father of two young children, is a small business owner of the Elsternwick Cafe and is one of the 2.1 million Australians whose data was exposed when Optus was hacked in September. A few days after the Optus breach, Jim had $10,000 stolen from his account. It was a significant sum of money for the young family. Nor did the hardship stop there, because it was soon followed by fraudulent applications for credit cards, online shopping vouchers and personal loans. The combined worth totalled more than $60,000. Even more withdrawals followed from Jim’s account. He and his family have lost more than $40,000 from teller withdrawals. ‘It’s just destroying us,’ Jim said.
In the Australian Cyber Security Centre’s most recent annual report, to June 2022, the warnings were clear: cyberspace is a battleground and Australia’s prosperity is both attractive and vulnerable to cyberattacks. Indeed, Australian organisations have been indiscriminately targeted by malicious cyberactors. Organisations and businesses must take the appropriate steps to protect the privacy and vulnerability of those Australians who vest their trust with them.
I want to look at the coalition’s record in government of proactively addressing issues of privacy. We were proactive in addressing the issues that come with the rapid technological change we’re seeing. This was particularly so under the leadership of my colleague Karen Andrews as home affairs minister, and I commend her for the substantial work done in this space. In 2020 the Morrison government announced a $1.6 billion cybersecurity strategy. That funding was directed in large part to agencies to enable them to recruit and enhance capacity in the cybersecurity field. Among the measures included in that strategy, the Australian Signals Directorate was funded to hire 500 more cybersecurity specialists, and funding was also allocated to enable small and medium businesses to prepare themselves for cyber threats.
The coalition also undertook legislative reforms that enabled agencies to better investigate and prosecute online offences. Among those reforms was the Surveillance Legislation Amendment (Identify and Disrupt) Act, which gave powers to key agencies to engage online with criminal networks, allowing our AFP and Australian Criminal Intelligence Commission to collect intelligence on criminal networks and take control of the online accounts of alleged offenders. As organised crime moved online, we gave the police the ability to follow them there and track them down in places where they were operating. Without this power, it’s like telling the police they can only enter a house where a crime is being committed if they’re welcomed in when they knock at the door. If we want to see online criminal activity dealt with, we have to give our agencies the ability to do their work, and I am pleased to say that, in government, the coalition did that.
In June last year we saw what was possible when police are given the tools they need to do their job. Operation Ironside was an extraordinary accomplishment of the AFP and state and territory police. With the assistance of international law enforcement agencies such as the FBI, more than 200 offenders and 100 organised crime members were charged after encrypted messages being used by criminals were decrypted. The operation ran over three years and in that time, through Operation Ironside, 3.7 tonnes of drugs, 104 weapons and nearly $45 million in cash were seized. The AFP also acted on 20 threats to kill through the operation.
As the AFP made clear at the time, many criminal networks use other encrypted platforms to fuel serious organised crime in Australia. That’s why, in government, we made sure the agencies had the tools they need to intervene and to apprehend these criminals. We also signed an agreement with the United States to allow Australian and US law enforcement agencies to obtain certain electronic data more efficiently from communication service providers operating in the other’s jurisdiction, thereby significantly reducing the time taken to obtain information relevant to ongoing investigations. The agreement under the CLOUD Act and access to the electronic data enables agencies to prevent, detect, investigate and prosecute serious crime, including child sexual abuse, ransomware attacks, terrorism and the sabotage of critical infrastructure over the internet. Not only did we empower agencies to deal with traditional criminal activity that is augmented by online tools and systems; we also dealt with crime that’s unique to cyberspace.
Throughout our National Plan to Combat Cybercrime and our Ransomware Action Plan, we tightened legislation to ensure that those cybercriminals would feel the force of the law and, again, ensured that agencies would have the funding they need to do the essential work of tracking down and prosecuting cybercriminals. When the Ransomware Action Plan was announced, then Home Affairs Minister Karen Andrews said that the plan would:
Introduce a new stand-alone aggravated offence for all forms of cyber extortion to ensure that cyber criminals who use ransomware face increased maximum penalties, giving law enforcement a stronger basis for investigations and prosecution of ransomware criminals;
Introduce a new stand-alone aggravated offence for cybercriminals seeking to target critical infrastructure. This will ensure cybercriminals targeting critical infrastructure face increased penalties, recognising the significant impact on assets that deliver essential services to Australians;
Criminalise the act of dealing with stolen data knowingly obtained in the course of committing a separate criminal offence, so that cybercriminals who deprive a victim of their data, or publicly release a victim’s sensitive data, face increased penalties;
Criminalise the buying or selling of malware for the purposes of undertaking computer crimes; and
Modernise legislation to ensure that cybercriminals won’t be able to realise and benefit from their ill-gotten gains, and law enforcement can better track and seize or freeze cybercriminals’ financial transactions in cryptocurrency.
This was coupled with the 2022 National Plan to Combat Cybercrime, endorsed by state and territory police ministers. A key measure of that plan was the opening of the new Australian Federal Police led centre dedicated to combating cybercrime online. The new centre, the Joint Policing Cybercrime Coordination Centre, is based in the AFP’s New South Wales headquarters. All these measures have placed Australia on the front foot in dealing with cybercrime.
I now want to look at the bill and how it fits into the broader picture and, in turn, at some provisions in the bill. This bill essentially seeks to make companies that hold data more afraid of data breaches. It seeks to scare them into better practices by increasing the penalties for data breaches and giving the Office of the Australian Information Commissioner more enforcement powers. This may be warranted. But given that submissions to the Senate inquiry closed only yesterday, that the committee is yet to report and that we’re yet to see what the two-year-long review of the Privacy Act has found, it’s very difficult to determine whether this is or is not the case. We need to ask ourselves some key questions. Would this bill have prevented the Optus and Medibank data breaches? Would it prevent a data breach from a business that is completely confused about the data it needs to maintain and is ill equipped with the systems to properly manage that data? And will it encourage better practice, or the avoidance of transparency?
Turning to some of the particular provisions, item 14 of the bill inserts proposed section 13G(3) into the Privacy Act to set out the penalty for serious or repeated interference with privacy by a body corporate. This increases the maximum civil penalty to an amount that is the greater of $50 million or three times the value of the benefit that the body corporate and any related body corporate obtained from the conduct constituting the serious or repeated interference with privacy, if the court can determine this value, or 30 per cent of the adjusted turnover of the body corporate during the breach turnover period for the contravention—again, if the court can determine this value.
In October 2021 the Privacy Act review discussion paper released by the Morrison government acknowledged that there could be a benefit in more clearly identifying the type of conduct captured by serious or repeated interference with privacy, which is the conduct that applies to those increased penalties. This would increase the clarity for the OAIC, APP entities regulated by the Privacy Act and the courts. Although that idea is not taken up by the bill, the proposed maximum penalties in the bill are identical to those proposed under the Australian Consumer Law and the Treasury Laws Amendment (More Competition, Better Prices) Bill, which passed both houses in October. In this way, the government has adopted recommendation 16(f) of the ACCC’s July 2019 Digital Platforms Inquiry final report that the maximum penalties for serious or repeated interferences of privacy under the Privacy Act should be increased to mirror the penalties for breaches of the ACL to achieve effective deterrence.
Tougher penalties may have an important deterrent effect. It’s important that thinking shifts across the Australian economy when it comes to the storage of personal information. The imposition of significant obligations on companies holding personal information should see that information treated as a liability rather than an asset. Stronger penalties may make businesses more likely to take the necessary steps to protect the personal information they hold, instead of considering data breaches to be a cost of doing business. However, it’s unfortunate that these thresholds have not had appropriate scrutiny and that considerations like the significance of the breach are not also being considered, including possible unintended consequences when applied to smaller businesses.
Alongside the introduction of tougher penalties, the bill also increases the Office of the Australian Information Commissioner’s enforcement powers to ensure greater compliance from foreign organisations. Currently the Privacy Act has extraterritorial reach to any foreign organisation that has an Australian link, which is enlivened by satisfying two criteria: first, that the organisation carries on a business in Australia or an external territory and, second, that the organisation collected or held personal information in Australia or an external territory either before or at the time of the act or practice. Item 10 of the bill repeals the existing paragraph 5B(3)(c), which would leave carrying on a business effectively the only requirement for a foreign organisation to have an Australian link.
I want to look at the Notifiable Data Breaches scheme. Under the Notifiable Data Breaches scheme at part IIIC of the Privacy Act, any organisation or agency covered by that act must notify the OAIC and take reasonable steps to notify affected individuals when a data breach is likely to result in serious harm to the affected individuals. Entities covered by this scheme are also required to prepare a statement for the commissioner under section 26WK of the Privacy Act. That statement must include information on the kind or kinds of information considered. Item 17 provides that a reporting entity must include information about the particular kinds of personal information involved in the eligible data breach as opposed to just the kinds of personal information.
In practice what this means, for example, is instead of notifying that contact information has been involved in an eligible data breach, which is one of the categories of personal information in the OAIC’s online notifiable data breach form, the reporting entity must state the specific kinds of contact information—for example, home addresses, phone numbers or email addresses.
The bill contains enhanced information-sharing powers. As in the online privacy bill exposure draft, new powers are created for the commissioner to share information with law enforcement entities. The bill requires that information is only shared when the receiving entity has appropriate mechanisms in place to store the information and that that information is only used for the purpose for which it was shared. There are powers to disclose certain information that’s in the public interest. Again, as in the online privacy exposure draft, the bill gives the commissioner power to disclose information acquired in the course of exercising their functions where the commissioner is satisfied the disclosure is in the public interest. As noted in submissions received on the online privacy bill, there may be benefit in the commissioner consulting impacted entities prior to making a disclosure.
As I’ve outlined, there’s no doubt that more needs to be done to protect the privacy of Australians. As I’ve also said, the contention we have with this bill is that the government is, yet again, failing to give due consideration to the implication of this legislation by properly consulting all impacted stakeholders. There is no doubt that we need to do more to protect Australians from the kinds of data breaches we’ve seen through Optus and Medibank, but there’s also no doubt that making laws without proper consideration is a bad principle. This government seems more intent on turning consultation into a PR exercise and nothing more.
The Privacy Act review that’s due to be presented to the Attorney-General before the end of the year includes, among other things, consideration of whether the Privacy Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices, the impact of the notifiable data breach scheme and its effectiveness in meeting its objectives, and the effectiveness of enforcement powers and mechanisms under the Privacy Act and how they interact with other Commonwealth regulatory frameworks. This review should surely be feeding into the legislation we are debating.
There have been substantial concerns raised about the bill by some of the people making submissions to the Senate inquiry. I want to touch on a couple of those. The Australian Institute of Company Directors raises concerns that the increased penalties may be crippling for businesses who are themselves victims of an attack and suffering substantial financial impact from the crime itself. The bill risks taking an attitude that business is in collusion with cybercriminals, businesses being asked to shoulder the burden of crimes that they are victims of. This approach needs to be more carefully thought through and we need to see evidence that it’s genuine negligence that is the cause of these privacy breaches. In government the coalition took a strong approach that focused on stamping out the crime rather than making victims pay. This should continue to be the first priority of the Albanese government’s approach on these matters.
The Institute of Company Directors also raises the concern that this would disincentivise open, transparent reporting of breaches. Their submission states:
The Bill focuses on strengthening the ‘stick’ or deterrent elements of the Privacy Act. What is absent from these reforms are measures to support Australian businesses in building cyber security resilience and data management practices.
This echoes concerns raised by the Council of Small Business Organisations of Australia. In their submission they state:
Small business owners are time-poor and they often have fewer financial resources readily available.
… … …
COSBOA recommends the Government focuses on educating and upskilling small businesses so that they feel empowered to take ownership, voluntarily upskill their staff, and ensure safe data collection, data storage, removal of unnecessary data, and ongoing risk mitigation occurs. Greater resources need to be invested in making practices more effective, for example making it easier for small businesses to remove unnecessary data. When small businesses send out an email newsletter, there is a voluntary ‘unsubscribe’ button. It should be an ‘unsubscribe and remove me from your database’ button so that if the database is compromised, the individual will not be compromised. Small businesses should not feel that they have to retain data for any longer than is necessary, or that they are obligated to collect unnecessary information. Small business owners and staff simply require greater clarity about what information they should be collecting and retaining.
… … …
The introduction of a Small Business Privacy Code, including a best practice guide and checklist for compliance, would be a helpful solution.
The Business Council also raised a number of salient points in their critique of the bill, which points to the need for wholesale reform, not bandaids. Among the numerous recommendations of the Business Council are a few that I think are worth noting. They are: a request for the government to undertake an urgent review of the various laws and regulations that require, either directly or indirectly, businesses to collect and hold information about Australians; streamlining of the reporting requirements for privacy and cybersecurity breaches to ensure the focus remains on protecting Australian citizens, not navigating bureaucracy and mitigating the potential liability issues for government; and a request that the government continue to prioritise cybersecurity and privacy, including addressing cybersecurity skills challenges and progressing the option of digital identity to allow for data minimisation across the public and private sectors.
The opposition is supporting this bill at this stage because we believe more needs to be done to deal with data breaches. However, we note that the government has rushed this through to give the appearance of taking these matters seriously after having failed to act quickly when the Optus data breach occurred. This does not mean that the job is done. As the Information and Privacy Commissioner, Angelene Falk, stated in her submission to the Senate inquiry:
The Government’s ongoing review of the Privacy Act is intended to ensure that our privacy framework empowers consumers, protects their data and best serves the Australian economy. The OAIC has engaged closely with the review since its commencement in 2020 and we have made two substantial submissions to the Attorney-General’s Department with over 180 recommendations for reform designed to strengthen the privacy framework to prevent harms to individuals and that benefit the community and economy overall.
Wider reform through the Privacy Act review is necessary to ensure that this framework is proportionate, sustainable and responsive to emerging privacy risks into the future.
The few measures contained in this bill are not a complete answer to Australia’s privacy challenges. We want to see the government tackle the issue head on in the coming months, such that I move an amendment that’s been circulated in my name:
That all words after “That” be omitted with a view to substituting the following words:
“whilst not declining to give the bill a second reading, the House expresses concern at the Government’s approach to this bill and calls on the Government to:
(1) give due regard to ongoing consideration of the bill by the Senate Committee on Legal and Constitutional Affairs;
(2) give due regard to concerns raised in relation to the application of the bill to small businesses; and
(3) agree to a review of the bill following implementation to consider the effectiveness and appropriateness of the measures”.
The Deputy Speaker (Mr Goodenough): Is the amendment seconded?
Mr Ted O’Brien: It is seconded, and I reserve my right to speak.