Division Description Changes — Bills — Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022; Second Reading — 28th Nov 2022

Change	Division
senate vote 2022-11-28#2 Edited by mackay staff on 2022-12-02 09:43:02	Title Description The majority voted against a [second reading amendment](https://www.openaustralia.org.au/senate/?gid=2022-11-28.18.1) introduced by NSW Senator [David Shoebridge](https://theyvoteforyou.org.au/people/senate/nsw/david_shoebridge) (Liberal), which means it failed. The majority voted against a [second reading amendment](https://www.openaustralia.org.au/senate/?gid=2022-11-28.18.1) introduced by NSW Senator [David Shoebridge](https://theyvoteforyou.org.au/people/senate/nsw/david_shoebridge) (Greens), which means it failed. ### What are second reading amendments? Second reading amendments like these don't make legal changes themselves, but instead represent the will of the Senate. They add words to the usual second reading motion, which is "that the bill be [read a second time](https://peo.gov.au/understand-our-parliament/how-parliament-works/bills-and-laws/making-a-law-in-the-australian-parliament/)", which is parliamentary jargon for agreeing with the main idea of the bill. ### Motion text > At the end of the motion, add ", and the Senate calls on the Government to introduce a bill into the Parliament to insert a statutory civil cause of action for serious invasion of privacy in the Privacy Act 1988, modelled on the Australian Law Reform Commission's 2014 report entitled Serious Invasions of Privacy in the Digital Era". > At the end of the motion, add ", and the Senate calls on the Government to introduce a bill into the Parliament to insert a statutory civil cause of action for serious invasion of privacy in the Privacy Act 1988, modelled on the Australian Law Reform Commission's 2014 report entitled Serious Invasions of Privacy in the Digital Era".
senate vote 2022-11-28#2 Edited by mackay staff on 2022-12-02 09:40:23	Title Bills — Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022; Second Reading Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 - Second Reading - Statutory civil cause of action Description ~~<p class="speaker">Paul Scarr</p>~~ <p>I rise to speak in favour of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, but also to make a number of points with respect to how the opposition believes the bill can actually be enhanced. I sat on the inquiry into this legislation as deputy chair of the Legal and Constitutional Affairs Legislation Committee, and there were a number of concerns that were identified during the course of considering this legislation. I note that Senator Shoebridge also attended and was part of those hearings, so he will also be familiar with some of these issues.</p> The majority voted against a [second reading amendment](https://www.openaustralia.org.au/senate/?gid=2022-11-28.18.1) introduced by NSW Senator [David Shoebridge](https://theyvoteforyou.org.au/people/senate/nsw/david_shoebridge) (Liberal), which means it failed. ### What are second reading amendments? Second reading amendments like these don't make legal changes themselves, but instead represent the will of the Senate. They add words to the usual second reading motion, which is "that the bill be [read a second time](https://peo.gov.au/understand-our-parliament/how-parliament-works/bills-and-laws/making-a-law-in-the-australian-parliament/)", which is parliamentary jargon for agreeing with the main idea of the bill. ### Motion text *> At the end of the motion, add ", and the Senate calls on** the Government to introduce a bill into the Parliament to insert a statutory civil cause of action for serious invasion of privacy in the Privacy Act 1988, modelled on the Australian Law Reform Commission's 2014 report entitled Serious Invasions of Privacy in the Digital Era".* <p>This bill proposes a substantial increase in the penalties that will be applicable to bodies corporate that engage in what is referred to as a serious or repeated interference with privacy obligations. The first point to note is that the bill is lacking a clear description of what 'serious' or 'repeated' means in this context. If we are applying a $50 million penalty on a body corporate, or in fact a penalty that could be upwards of 30 per cent—30 per cent!—of a body corporate's turnover, in the context of a serious or repeated interference with privacy then we need to clearly define what serious or repeated means. That should be clearly defined on the face of the bill. So there is a lack in that respect, because there is a lack of that definition as to what serious or repeated is. Is repeated twice? Is it three times or four times? What is 'serious' in this context? Those who are going to be impacted by these laws and have obligations to discharge under this legislation need to be given a clear and concise definition of what 'serious' or 'repeated' mean in this context.</p> <p>The second point I wanted to raise in relation to the penalty clause is that was prepared on the presumption that there's an actual benefit which is received by the body corporate that has breached its obligations in this regard. We all know that there are a number of scenarios in relation to which these privacy obligations can be breached. The first scenario is where a big corporate player actually intentionally and wilfully breaches our right to privacy—the right of the people whose information is kept by these large corporations. So we can have a wilful breach, where a body corporate is exploiting that information for its own commercial benefit. In that case there's an actual benefit which is yielded from the breach. In the second case we can have a passive actor, where a body corporate is hacked—and we've seen that recently—and the issue for the body corporate is that it had insufficient safeguards with respect to protecting the data which it keeps.</p> <p>Those are completely different situations. The first situation is where a body corporate has intentionally exploited private data for a commercial use and has obtained some benefit. The second scenario is where a body corporate has actually been hacked itself. That's where the criminal or the malicious intent to interfere with people's rights of privacy is held by an outside actor. Those are different situations. The problem with this bill, as it stands, is that there's no distinction that those are different situations. The first point I'd like to make in that regard is that the structure of the clause itself assumes that there's a benefit. Clause 13G(3)(b) it refers to 'the' benefit, it doesn't refer to 'any' benefit. So it's assuming that the company has actually received a benefit from the serious or repeated interference with privacy obligations. That's not always the case, we know that. So that needs to be clear.</p> <p>It should also be recognised that this penalty provision would apply to the largest of multinational corporations, which should be able to put in place the best and most robust safeguards to prevent hacking, but would also apply to, say, a medium-sized businesses or a charity which gets hacked by a malicious actor and which doesn't necessarily have the same resources as the multinational company. The same penalty provision applies. There's a major issue with respect to a regime that imposes the same type of penalty in relation to the largest of multinationals, which should have sophisticated cyberdefences in place, as opposed to medium-sized enterprises or even charities that get hacked by a malicious actor—in many cases, a foreign actor. There's no distinction on the face of this penalty clause to those different circumstances, and that's a major failing in this penalty clause. This issue was raised by the Law Council of Australia and by all sorts of associations representing civic society with expertise in this. So the government should address this obvious issue on the face of this legislation. The government really should address this issue.</p> <p>Thirdly, the Office of the Australian Information Commissioner should—especially given the nature of the penalties, which increase under this legislation—issue clear guidance material addressing the application of penalties and also provide guidance with respect to those medium-sized enterprises and charitable organisations et cetera as to what best practice means. That's so people who are operating in this space actually know what they need to do in order to discharge their obligations.</p> <p>The last point—and this point became clear through the course of the committee looking at the legislation—is we need to make sure that the Office of the Australian Information Commissioner and the Australian Cyber Security Centre are adequately resourced and staffed to carry out their important obligations. There's a mountain of work on this front and it gets more and more complicated each day. The number of malicious cyberattacks are increasing, so we need to make sure that the resourcing and staffing levels at the Office of the Information Commissioner and the Australian Cyber Security Centre are fit for purpose and resourced to the extent that they can actually discharge the obligations which are imposed upon them.</p> <p>Having outlined those points of concern, we do support the legislation. But we believe there are a number of issues, which I've outlined in the course of my remarks, where the legislation can be enhanced and improved.</p> ~~<p class='motion-notice motion-notice-truncated'>Long debate text truncated.</p>~~

~~Paul Scarr~~
I rise to speak in favour of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, but also to make a number of points with respect to how the opposition believes the bill can actually be enhanced. I sat on the inquiry into this legislation as deputy chair of the Legal and Constitutional Affairs Legislation Committee, and there were a number of concerns that were identified during the course of considering this legislation. I note that Senator Shoebridge also attended and was part of those hearings, so he will also be familiar with some of these issues.
The majority voted against a [second reading amendment](https://www.openaustralia.org.au/senate/?gid=2022-11-28.18.1) introduced by NSW Senator [David Shoebridge](https://theyvoteforyou.org.au/people/senate/nsw/david_shoebridge) (Liberal), which means it failed.
### What are second reading amendments?
Second reading amendments like these don't make legal changes themselves, but instead represent the will of the Senate. They add words to the usual second reading motion, which is "*that the bill be [read a second time](https://peo.gov.au/understand-our-parliament/how-parliament-works/bills-and-laws/making-a-law-in-the-australian-parliament/)*", which is parliamentary jargon for agreeing with the main idea of the bill.
### Motion text
> *At the end of the motion, add ", and the Senate calls on the Government to introduce a bill into the Parliament to insert a statutory civil cause of action for serious invasion of privacy in the Privacy Act 1988, modelled on the Australian Law Reform Commission's 2014 report entitled Serious Invasions of Privacy in the Digital Era".*
This bill proposes a substantial increase in the penalties that will be applicable to bodies corporate that engage in what is referred to as a serious or repeated interference with privacy obligations. The first point to note is that the bill is lacking a clear description of what 'serious' or 'repeated' means in this context. If we are applying a $50 million penalty on a body corporate, or in fact a penalty that could be upwards of 30 per cent—30 per cent!—of a body corporate's turnover, in the context of a serious or repeated interference with privacy then we need to clearly define what serious or repeated means. That should be clearly defined on the face of the bill. So there is a lack in that respect, because there is a lack of that definition as to what serious or repeated is. Is repeated twice? Is it three times or four times? What is 'serious' in this context? Those who are going to be impacted by these laws and have obligations to discharge under this legislation need to be given a clear and concise definition of what 'serious' or 'repeated' mean in this context.
The second point I wanted to raise in relation to the penalty clause is that was prepared on the presumption that there's an actual benefit which is received by the body corporate that has breached its obligations in this regard. We all know that there are a number of scenarios in relation to which these privacy obligations can be breached. The first scenario is where a big corporate player actually intentionally and wilfully breaches our right to privacy—the right of the people whose information is kept by these large corporations. So we can have a wilful breach, where a body corporate is exploiting that information for its own commercial benefit. In that case there's an actual benefit which is yielded from the breach. In the second case we can have a passive actor, where a body corporate is hacked—and we've seen that recently—and the issue for the body corporate is that it had insufficient safeguards with respect to protecting the data which it keeps.
Those are completely different situations. The first situation is where a body corporate has intentionally exploited private data for a commercial use and has obtained some benefit. The second scenario is where a body corporate has actually been hacked itself. That's where the criminal or the malicious intent to interfere with people's rights of privacy is held by an outside actor. Those are different situations. The problem with this bill, as it stands, is that there's no distinction that those are different situations. The first point I'd like to make in that regard is that the structure of the clause itself assumes that there's a benefit. Clause 13G(3)(b) it refers to 'the' benefit, it doesn't refer to 'any' benefit. So it's assuming that the company has actually received a benefit from the serious or repeated interference with privacy obligations. That's not always the case, we know that. So that needs to be clear.
It should also be recognised that this penalty provision would apply to the largest of multinational corporations, which should be able to put in place the best and most robust safeguards to prevent hacking, but would also apply to, say, a medium-sized businesses or a charity which gets hacked by a malicious actor and which doesn't necessarily have the same resources as the multinational company. The same penalty provision applies. There's a major issue with respect to a regime that imposes the same type of penalty in relation to the largest of multinationals, which should have sophisticated cyberdefences in place, as opposed to medium-sized enterprises or even charities that get hacked by a malicious actor—in many cases, a foreign actor. There's no distinction on the face of this penalty clause to those different circumstances, and that's a major failing in this penalty clause. This issue was raised by the Law Council of Australia and by all sorts of associations representing civic society with expertise in this. So the government should address this obvious issue on the face of this legislation. The government really should address this issue.
Thirdly, the Office of the Australian Information Commissioner should—especially given the nature of the penalties, which increase under this legislation—issue clear guidance material addressing the application of penalties and also provide guidance with respect to those medium-sized enterprises and charitable organisations et cetera as to what best practice means. That's so people who are operating in this space actually know what they need to do in order to discharge their obligations.
The last point—and this point became clear through the course of the committee looking at the legislation—is we need to make sure that the Office of the Australian Information Commissioner and the Australian Cyber Security Centre are adequately resourced and staffed to carry out their important obligations. There's a mountain of work on this front and it gets more and more complicated each day. The number of malicious cyberattacks are increasing, so we need to make sure that the resourcing and staffing levels at the Office of the Information Commissioner and the Australian Cyber Security Centre are fit for purpose and resourced to the extent that they can actually discharge the obligations which are imposed upon them.
Having outlined those points of concern, we do support the legislation. But we believe there are a number of issues, which I've outlined in the course of my remarks, where the legislation can be enhanced and improved.
~~Long debate text truncated.~~