Parliamentary Updates

Zali Steggall MP speaks on privacy in the digital world

6 November 2024

 

In today's digital world, privacy is becoming an increasingly precious commodity, with so much of our lives shared online Australians are rightly concerned about how to safeguard their personal information. A recent survey shows that 89 per cent of people want stronger laws to protect their personal information. Although, concerningly, only 32 per cent of Australians feel they have control over their own data - that is telling. Our current Privacy Act is outdated and does not account for the complexities of the internet, smartphones, or digital identities we all have. The massive amounts of data we generate come with risks and make us particularly vulnerable to scams or exploitation. In fact, 74 per cent of Australians feel data breaches are one of the biggest privacy risks they face today. It's clear that we must strengthen our privacy laws so that Australians can confidently navigate the digital landscape without fear of losing control of their most personal information.

As I mentioned in this place only a few weeks ago, scams are rising and causing a lot of heartache to so many in our community, including in Warringah, and it impacts people of all ages - we have to be clear about that. 96 per cent of Australians were exposed to scams in the five years up to 2021 alone, and that is increasing in the last few years. In 2023, we lost some $2.74 billion to scammers, and that is more than $5,200 per minute, and much of it is online. We need strong, robust, and up-to-date privacy laws that the public can trust and that can be a key part of our economic success. It means government and companies of all stripes must invest in the appropriate measures to keep people's information and data safe. Too often, we hear of data breaches that are impacting a huge amount of Australians. We've seen so many of those incidents in recent years. Think to the hacks of Medibank and Optus - trusted brands, but there you go, data taken - where people's personal information was hacked and used for malicious purposes.

So, almost four years since the Privacy Act Review commenced, we now have the first stage of reform before the house that many feel does not quite hit the mark and address how many feel about privacy in Australia in 2024. The big does finally introduce a statutory tort for serious invasion of privacy, and that has been for more than a decade. Good to finally be there. It will allow Australians to sue for damages for serious invasions of privacy. This is either an intrusion into seclusion - for example, being filmed in a private place, or misinformation relating to a person where they had a reasonable expectation of privacy. I think it's important to emphasise the threshold has been put at 'serious invasions of privacy'. So, the law will only apply if that invasion is considered serious, it meets that threshold, and it's committed intentionally or recklessly. Serious harms caused by an organisation's negligence would not be enough. Which is concerning, because they are certainly the most high-profile and, sort of, and data breaches that have impacted the highest number of people. The bill also includes an anti-doxing offence, with prison sentences of up to seven years. It's, in part, a response to an incident earlier this year, when the personal details of hundreds of Jewish members of an online support group were published without their consent, leading to great concerns about so many in the community. It also provides a process for a potential Children's Privacy Code, and tiered penalties that provide lower fines for minor breaches of the Act. It is good to see this bill not place any further compliance obligations on small businesses - we know that is a difficulty. And whilst we want everyone's privacy and information protected, it falls to larger companies and corporations to do much of the heavy lifting in this area, particularly the social media companies and platforms. Small businesses are already under immense pressure and have faced a plethora of new laws and compliance obligations in the last few years, and so whilst many are still struggling from the effects of the pandemic and subsequent cost-of-living crisis, the exemption in the Privacy Act for entities with less than $3 million annual turnover ensures a degree of nuance between small and medium enterprises and larger ones, that have the resources required to fulfil the obligations of the Act. Nevertheless, it is a high-stakes road map.

However, there are some shortcomings in this bill to modernise our privacy laws. The most significant, impactful proposals to reform Privacy Act, long flagged as its policy intent by government and expected by the industry, have all been left out of the bill. So, I do have questions for the Attorney-General of why that has happened, with the suggestion being that they will be in a second tranche bill sometime after the next election. Unfortunately, that doesn't give much confidence when people are concerned about those elements being missing in this legislation. The bill as it stands will not address any of the systemic problems with toxic social media, intrusive data brokering, online tracking, profiling and targeting, or the algorithms which push hate speech, misinformation, and other harmful content.

However, there are two potential changes that could be made to this bill now that the government already says it plans to make, dealing with foundational matters, and I would urge the Attorney-General to consider these changes to do to the bill now, to make sure we have those additional protections. As such, the two suggested amendments would go a long way to tackling the excessive practices of larger companies, such as recent news about Meta scraping all of its Australians users' data to train its AI, which they don't do to Facebook users in Europe because the EU's definition of consent in their equivalent law is stronger. So, Australians have been left less protected than Facebook users in Europe because of that definition. And so that is something I urge the Attorney-General to turn his mind to and to consider in this legislation now rather than delaying. The change includes to clarify and update the definition of 'personal information' to ensure that modern digital practises are within the scope of the regulation. And to clarify an update the definition of 'consent' to reflect community expectations that individual consumers should not be tricked into online and offline surveillance activities without their active choice and consent.

So I urge the government to consider such amendments that they will enhance this bill as it stands now and goes some way to assure Australians that they - we in this place and the government are making changes that are up-to-date in a very rapidly-changing digital wall. I would also ask the government to consider amending the laws of contempt as part of its wider privacy reform considerations. Specifically with the way court materials are and have been leaked to the media in recent instances, in particular in the case of the proceedings relating to incidents in this place, and such as the Lehrmann civil trial which concluded earlier this year. It's clear the material reached the media that was obtained under court order but there was no repercussions for this breach.

Our privacy laws allows exceptions for news and media which is appropriate in a democracy, we want free media, but with that freedom comes responsibilities for it to be used in accordance with the law, in accordance with the rules especially our rules in court, and with due care and responsibility and I feel that that has been lacking. That line has been blurring for some time and it's time for there to be some regulatory catch-up to ensure all in our public discourse deal with information sensitively and appropriately, especially when it involves private material that is then used in the media inappropriately. It's an issue I intend to keep looking at in particular through legislative amendments.

So I will support the bill, I welcome increasing and amending - or bringing the Privacy Act up-to-date and increasing those protections but again urge the government to be bolder, more quickly look at what outside experts are proposing and asking for, and consider these two specific amendments in relation to definition of 'consent' and' private information' to ensure this current tranche of reform meets the desired intent of providing greater protection for privacy for Australians online.