MARK DREYFUS MP

Member for Isaacs

Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022

26 October 2022

This Bill sends a clear message that the Albanese Government takes privacy, security and data protection seriously.

THE HON MARK DREYFUS KC MP
ATTORNEY-GENERAL
CABINET SECRETARY
MEMBER FOR ISAACS

SECOND READING SPEECH

PRIVACY LEGISLATION AMENDMENT (ENFORCEMENT AND OTHER MEASURES) BILL 2022

This Bill sends a clear message that the Albanese Government takes privacy, security and data protection seriously.

As the Optus, Medibank and MyDeal cyberattacks have recently highlighted, data breaches have the potential to cause serious financial and emotional harm to Australians, and this is unacceptable.

Governments, businesses and other organisations have an obligation to protect Australians’ personal data, not to treat it as a commercial asset. The law must reflect this.

This Bill will provide Australians with confidence that their data will be protected in four ways.

First, the Bill will significantly increase penalties under the Privacy Act for serious or repeated privacy breaches to incentivise businesses to take strong privacy and cyber security measures to protect the personal data they hold.

Second, the Australian Information Commissioner will be provided with a suite of improved and new powers to resolve privacy breaches efficiently and effectively.

Third, the Notifiable Data Breaches scheme will be strengthened to ensure the Information Commissioner has comprehensive knowledge of the information compromised in a breach to assess the particular risk of harm to individuals.

Fourth, the Information Commissioner and the Australian Communications and Media Authority will have greater information sharing powers to ensure regulators are able to work together and take prompt action to minimise harm to Australians.

These amendments are targeted and measured. They respond to the most pressing issues arising from the Optus data breach and other recent cyber incidents.

I am introducing this Bill at the earliest opportunity. The Government has moved swiftly at every stage of the response to the Optus data breach – giving Australians confidence that their compromised identity documents can be replaced, coordinating action between regulators, and taking steps to enable Optus to share information with financial institutions to detect and prevent fraud. I also acknowledge the work of the Office of the Australian Information Commissioner, Australian Federal Police and other federal regulators and agencies that have supported the response to this breach.

The novel privacy challenges posed by the rise of digital platforms and the unprecedented volume and variety of data that these platforms collect from users underscores the importance of reforming our privacy laws.

The Attorney-General’s Department’s review of the Privacy Act will recommend further reform proposals to ensure Australia’s privacy framework protects the personal information of Australians, supports an innovative economy and responds to new challenges in the digital age.

Increased penalties
The Bill will increase penalties for a serious or repeated breach of privacy from $2.22 million, to not more than the greater of $50 million, three times the value of any benefit obtained through the misuse of the information, or, if the value of the benefit obtained cannot be determined, 30 per cent of a company’s domestic turnover in the relevant period.

Setting these penalties at a higher level will accord with Australian community expectations about the importance of protecting their personal data.

Further, penalties for privacy breaches cannot be seen as simply the cost of doing business. Entities must be incentivised to have strong cyber and data security safeguards in place to protect Australians.

These new penalties mirror those proposed in the Treasury Laws Amendment (More Competition, Better Prices) Bill 2022, which implements the Government’s Better Competition election commitment. This will ensure alignment of penalties across Australian privacy law and consumer law.

Strengthened Notifiable Data Breaches Scheme
The Bill will strengthen the existing Notifiable Data Breaches scheme by empowering the Information Commissioner to assess an entity’s compliance with the scheme’s requirements. Assessments are an important educative tool, and this power will assist entities in ensuring they are meeting their requirements.

The Information Commissioner will also have new information-gathering powers in regards to the scheme’s reporting and notification requirements. This is necessary to provide the Information Commissioner with a comprehensive understanding of the information compromised in a breach in order to assess the particular risks to individuals, and take actions such as issue a direction for the entity to notify individuals who have been affected by a data breach.

Enhanced enforcement powers
The Bill will improve the powers available to the Information Commissioner to resolve privacy breaches by empowering the Commissioner to publish notices about specific breaches of privacy or otherwise ensure those directly affected are informed. The Bill enables the Commissioner to compel entities to undertake external reviews to improve their practices to reduce the likelihood of them committing a breach again.

The Bill will also provide the Commissioner new information-gathering powers to conduct assessments, and new infringement notice powers that can be used if an entity fails to provide information when required, without the need to engage in protracted litigation.

To ensure Australia’s privacy laws remain fit for purpose in a globalised world, and to ensure the Privacy Act can be enforced against global technology companies who may process Australians’ information on servers offshore, the Bill will amend the Act’s extraterritoriality provisions. This will mean that even if foreign organisations do not collect or hold Australians’ information directly from a source in Australia, they must still meet the obligations under the Privacy Act so long as they “carry on a business” in Australia.

Greater information sharing arrangements
To ensure Australians are informed about privacy issues, the Bill will provide the Commissioner an express power to publish a final determination following a privacy investigation, and information about a final assessment report. The Commissioner will also be able to publish information about other matters, such as an update about an ongoing privacy investigation, if it is in the public interest.

The Commissioner will also be able to share information with enforcement bodies, alternative complaint bodies and privacy regulators for the purpose of the Commissioner or the receiving body exercising their functions and powers. The Australian Communications and Media Authority will also be provided better powers to share information within Government for enforcement purposes.

This will drive better cooperation between regulators in order to deliver better outcomes for Australians.

Conclusion
The Bill is an important and pressing reform that will make sure penalties for privacy breaches adequately reflect community expectations, and will ensure Australia’s privacy regulator has the enforcement tools necessary to effectively deter the misuse of Australians’ personal information.