Zali Steggall supports data privacy legislation amendments

8 November 2022


I rise to speak on the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022. Whilst the title may not give it all away, for the public and Warringah constituents, this is very much around data privacy and so very much at the forefront of many people's minds. This bill significantly increases penalties for serious or repeated privacy breaches. It provides the Australian Information Commissioner with a suite of improved and new powers to resolve privacy breaches efficiently and effectively. It ensures that the Information Commissioner has comprehensive knowledge of the information compromised in a breach, to assess the particular risk of harm to individuals. It gives the Information Commissioner and the Australian Communications and Media Authority greater information-sharing powers and it increases extraterritorial reach. In many ways, it is very welcome and much needed.

In December 2019, the then Attorney-General announced that the Australian government—the previous government—would conduct a review into the Privacy Act, which aimed to investigate the effectiveness of Australia's current data protection regime to ensure that it protected consumers and their data and best served the Australian economy. Since many of these amendments are the result of that inquiry and certainly very good, the carving out of the provisions of the online privacy bill and their inclusion in this enforcement bill has been prompted by the very recent and significant data breaches. As the minister said in his second reading speech:

These amendments are targeted and measured. They respond to the most pressing issues arising from the Optus data breach and other recent cyber incidents.

I should say that I've received a lot of correspondence from constituents on this issue, and they are greatly concerned.

Some of the aspects that I wholeheartedly support in relation to this measure are the greatly increased penalties, which will provide a real incentive for organisations to properly and thoroughly address how to best protect consumers' data and privacy. But there does need to be real consideration of just how much data is appropriate to hold.

I think this is also something that members in this place need to grapple with in relation to political parties and members of parliament: how much data is being held and whether that is being done in a safe way. We know there's a lot of accumulated data in relation to constituents, especially from the major parties, through the course of many years of being in the political system. On that information, there is a real question. What's good for the private sector should also be good for government and should also be good for politicians. I do think there is a question around the data retention policy around members of parliament and political parties that will need to be addressed, and I will be raising that in more detail with the government.

This bill also expands the enforcement and information-sharing powers granted to the Office of the Australian Information Commissioner, and these are tools which will enable far more comprehensive and proactive oversight and effective policy. However, simply leaving it on that basis would be inadequate and naive, and I want to make sure that this is very real for everyone inside and outside. We need to make sure that this is very well understood and that there are sufficient deterrents in the legislation to make sure the private sector in fact does better.

We know that modern-day commerce involves a lot of retention of data on how to understand consumers' behaviours and markets and to better target marketing and sales pitches. Of course, with that comes a high level of risk, as we've seen with recent incidents. Ultimately, the inconvenience, but also the risk, falls on the consumer, who inadvertently has that information being held and is really exposed in a way that I think is unacceptable. It is the reality of our modern world that we are all connected. So much of our habits, practices and lifestyles are in the form of data and are held, but we need to make sure legislation is updated and modernised to keep up with our modern world.

In relation to some of the feedback I've had from constituents, it's really important for me to convey to the government and to the parliament the concerns so many people have. A lot of them have been quite surprised at the extent of information and data that have been accessed, when they will know and when they will tell me. When data breaches occur, the issue is that need for very good, clear, prompt communication with impacted parties, and that, I think, has not always occurred from the private sector.

Another constituent has written to me and said that he felt his attempts to replace his licence and Medicare card, stop his credit agency's report and lodge a police report illustrated the disjointed processes, inconsistent information and number of agencies not knowing what was required. He found that incredibly difficult and time-consuming to navigate. Others have very much urged me to urge the government to fix these problems rather than waiting for the storm to pass. I would have to say that, so many times in this place, we have passed legislation in a reactive way. We are fixing a problem when the cat is already out of the bag and we've already had the problem. It's really important to have inquiries or audits around current legislation and whether it is, in fact, fit for purpose and fit for the challenges we are going to continue facing. We know cybersecurity and data is our current reality, but it is where so much will be determined in the future.

Another constituent raised with me the Optus events. From their perspective, the ongoing federal government has failed to deal with this, and they raised their feeling that Australia is out of step with many similar jurisdictions, such as the EU, in terms of having clear, unambiguous legal liability for individual directors for these types of data protection breaches and their feeling that the government still fails to listen to analysts, industry leaders and lobby groups around what best practice should look like in this case. I must say, I have certainly grappled with this myself, in trying to understand what is best practice in other jurisdictions and how that should be applied here to my own retention of information. So I think it behoves all of us to be very mindful of this aspect of our constituents' lives and how much this data retention impacts everyone.

But I do commend this bill to the House. I commend the government for acting upon it.

I have some questions, though, for the Attorney-General. For example, when will the Attorney-General's review of the Privacy Act be complete and a timeline provided for introduction and implementation? What additional changes are being considered to the review, given recent data breaches? When will the investigation into Optus be complete? How will its recommendations be handed out, and will they be made public? Will there be an investigation into the Medibank data breaches? As to the obligation to include how data breaches are managed as part of risk management, should that be mandatory for businesses and agencies, to ensure a seamless and efficient process? And, of course, how will the government ensure that this happens? We need to be more innovative, creative and collaborative in how we develop and implement regulations. The on-the-ground problems need to be remedied. What is the Attorney-General's plan to achieve this?

The Office of the Australian Information Commissioner can and should take a more active role in assisting and working with business, especially small business, to implement crucial legislation—in particular, this bill—and provide better consumer outcomes. We know that, for small and medium businesses, it is incredibly hard as soon as regulatory regimes change and they have to comply—especially if they are from a non-English-speaking or migrant background. So it always comes back to this: when we change laws, we must ensure there is adequate support for small business to be able to actually comply with and understand their obligations. We must also be diligent and thorough in pursuing those who fail to comply, and, for me, there is still a bit of a question about what action will happen in that space.

So this is a great first step, but I urge the government and the department to continue looking for more solutions, because data retention and breaches and privacy are very much our problem, now and for the future.