All changes made to the description and title of this division.


Change Division
senate vote 2022-11-28#4

Edited by mackay staff

on 2022-12-02 10:01:24

Title

  • Bills — Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022; in Committee
  • Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 - in Committee - A new section 13GA

Description

  • <p class="speaker">Murray Watt</p>
  • <p>I move:</p>
  • The majority voted against [amendments](https://www.openaustralia.org.au/senate/?gid=2022-11-28.29.1) introduced by NSW Senator [David Shoebridge](https://theyvoteforyou.org.au/people/senate/nsw/david_shoebridge) (Greens), which means it failed.
  • ### What does this amendment do?
  • Senator Shoebridge [explained that](https://www.openaustralia.org.au/senate/?gid=2022-11-28.29.1):
  • > *This amendment seeks to put in a new section 13GA into the Privacy Act, which would provide that an entity contravenes this subsection if the entity doesn't act and or engages in a practice that is in interference with the privacy of one or more individuals, and it seeks to retain the existing civil penalty of 2,000 penalty units for that breach. It also has a consequential amendment that provides that there's no retrospectivity in relation to that proposed provision.*
  • >
  • > *The proposed new section 13GA would remove the necessity for 'repeated or serious' from the offence provision and provide for what pretty much every stakeholder said we need, whether it was Electronic Frontiers, Digital Rights Watch or even the business reps who came before the inquiry that we had: put in place a tiered approach. If the Greens amendment was successful, it would allow the regulator to have at least some nuance in how the regulator goes about enforcing privacy. But if they see a breach of the privacy laws—and it may well be a quite disturbing breach; it doesn't have to be serious or repeated, but it could be—then instead of having to go and press the nuclear launch button of the $50 million penalty they'd be able to seek a penalty that has a maximum value of some 2,000 penalty units for a corporation which would not see small or medium businesses or charities potentially going to the wall when the regulator takes action.*
  • >
  • > *Without this, we're going to see no realistic way of enforcing the privacy laws against small and medium business or against the charitable and not-for-profit sector. If the only tool to hand for the regulator is a $50-million-plus maximum penalty, that is not going to be able to be used in any practical way against small and medium business or against NGOs and the not-for-profit sector; it just won't be. And we're going to pass a law here today that is actually going to mean less real power, less real capacity for the regulator to enforce our privacy laws.*
  • ### Amendment text
  • > *(1) Schedule 1, page 5 (after line 10), after item 11, insert:*
  • >
  • >> *11A At the end of Division 1 of Part III*
  • >>
  • >> *Add:*
  • >>
  • >> *13GA Other interferences with privacy*
  • >>
  • >> *An entity contravenes this subsection if the entity does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.*
  • >>
  • >> *Civil penalty: 2,000 penalty units*
  • >
  • > *(2) Schedule 1, item 45, page 18 (after line 6), after subitem (3), insert:*
  • >
  • >> *(3A) Section 13GA of the Privacy Act 1988, as added by this Schedule, does not apply in relation to an act done, or a practice engaged in, before the commencement of this item.*
  • <p class="italic">(1) Schedule 1, item 14, page 5 (before line 17), before subsection 13G(2), insert:</p>
  • <p class="italic">(1A) Subsection (1) is a civil penalty provision.</p>
  • <p class="italic">Note: Section 80U deals with civil penalty provisions in this Act.</p>
  • <p>This amendment inserts a new subsection 13G(1A) to make it clear on the face of the legislation that section 13G of the Privacy Act is a civil penalty provision and triggers part 4 of the Regulatory Powers (Standard Provisions) Act 2014. This technical amendment expressly clarifies that the increased penalties proposed in this bill are civil penalties. The amendment will enable the updated civil penalty provision in section 13G to be enforced under the Regulatory Powers (Standard Provisions) Act. I table a supplementary explanatory memorandum relating to the government amendment to be moved to this bill.</p>
  • <p class="speaker">James Paterson</p>
  • <p>The opposition will be supporting these amendments, which go to drafting issues in the bill. All I will add is that of course these are not the only drafting issues identified in the bill. Through the committee process, as articulated by Senator Scarr and Senator Shoebridge in their contributions, it is our view that those other drafting issues should have also been addressed at this opportunity, but that is a matter for the government. If they don't think these are problems and they think that they won't materialise in practice, then we hope they're right and we will be supporting these amendments.</p>
  • <p class="speaker">David Shoebridge</p>
  • <p>We don't oppose this amendment, but it's not the issue.</p>
  • <p class="speaker">James McGrath</p>
  • <p>The question before the chair is that amendment (1) on sheet PC128 moved by Minister Watt be agreed to.</p>
  • <p>Question agreed to.</p>
  • <p class="speaker">David Shoebridge</p>
  • <p>Senator SHOEBRIDGE: by leave&#8212;I move amendments (1) and (2) on sheet 1736, as circulated:</p>
  • <p class="italic">(1) Schedule 1, page 5 (after line 10), after item 11, insert:</p>
  • <p class="italic">11A At the end of Division 1 of Part III</p>
  • <p class="italic">Add:</p>
  • <p class="italic">13GA Other interferences with privacy</p>
  • <p class="italic">An entity contravenes this subsection if the entity does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.</p>
  • <p class="italic">Civil penalty: 2,000 penalty units</p>
  • <p class="italic">(2) Schedule 1, item 45, page 18 (after line 6), after subitem (3), insert:</p>
  • <p class="italic">(3A) Section 13GA of the <i>Privacy Act 1988</i>, as added by this Schedule, does not apply in relation to an act done, or a practice engaged in, before the commencement of this item.</p>
  • <p>As we noted in the second reading contribution, the amendments to the Privacy Act that have been presented by the government, which are going to be agreed, are going to create a one-size-fits-very-few penalty regime where the only penalty available to the regulator is a minimum maximum, if you like, of $50 million for a penalty and then potentially a higher penalty if a corporation has a turnover that would trigger the higher penalty. This amendment seeks to put in a new section 13GA into the Privacy Act, which would provide that an entity contravenes this subsection if the entity doesn't act and or engages in a practice that is in interference with the privacy of one or more individuals, and it seeks to retain the existing civil penalty of 2,000 penalty units for that breach. It also has a consequential amendment that provides that there's no retrospectivity in relation to that proposed provision.</p>
  • <p>The proposed new section 13GA would remove the necessity for 'repeated or serious' from the offence provision and provide for what pretty much every stakeholder said we need, whether it was Electronic Frontiers, Digital Rights Watch or even the business reps who came before the inquiry that we had: put in place a tiered approach. If the Greens amendment was successful, it would allow the regulator to have at least some nuance in how the regulator goes about enforcing privacy. But if they see a breach of the privacy laws&#8212;and it may well be a quite disturbing breach; it doesn't have to be serious or repeated, but it could be&#8212;then instead of having to go and press the nuclear launch button of the $50 million penalty they'd be able to seek a penalty that has a maximum value of some 2,000 penalty units for a corporation which would not see small or medium businesses or charities potentially going to the wall when the regulator takes action.</p>
  • <p>Without this, we're going to see no realistic way of enforcing the privacy laws against small and medium business or against the charitable and not-for-profit sector. If the only tool to hand for the regulator is a $50-million-plus maximum penalty, that is not going to be able to be used in any practical way against small and medium business or against NGOs and the not-for-profit sector; it just won't be. And we're going to pass a law here today that is actually going to mean less real power, less real capacity for the regulator to enforce our privacy laws.</p>
  • <p>The Greens amendment fills that gap. It puts in that tier, which is a realistic penalty that could actually be used by the regulator, who would therefore have a meaningful way of keeping our data and our privacy safe. Without this, let's be clear, the regulator won't have the resources for 99.9 per cent of privacy and data breaches, and it definitely won't have the political will to whack an entity with a $50 million maximum fine. It just won't happen. This is about sensible, measured, nuanced regulation. It's what pretty much every stakeholder said we should do with this bill, and I commend the amendment to the Senate.</p>
  • <p class="speaker">Murray Watt</p>
  • <p>As Senator Shoebridge is aware, this issue is being considered more broadly as part of the Privacy Act review, and that's why we will be opposing the amendment at this point in time&#8212;so that the review can do its work.</p>
  • <p>The powers that are currently available to the Information Commissioner in this area are based on an enforcement-pyramid approach to regulation. The act initially relies upon the Information Commissioner encouraging compliance, and then there are determinations and enforcement in the courts if that is not successful. For the most egregious interferences with privacy, section 13G of the act provides for the Information Commissioner to take civil penalty action against the entity in the Federal Court.</p>
  • <p>The question that the review is considering is whether the regulatory options available are too limited to target the different levels of seriousness with which interference with privacy occurs. The review is considering two additional categories of civil penalty provisions that cover less serious conduct than that in section 13G but that still might warrant enforcement action. The first new category would be a new mid-tier civil penalty for any interference with privacy, with a lesser maximum penalty amount. The second new category would be a series of very low level civil penalty provisions for administrative breaches of the APPs, with attached infringement notice powers for the Information Commissioner.</p>
  • <p>Given these proposals are about creating entirely new civil penalty provisions, it's appropriate that these issues are considered thoroughly as part of the review. However, the increase to the maximum penalty of the existing provision of the act which we are in the process of putting through this chamber is a targeted amendment to ensure the maximum penalty available reflects the fact that it is the most serious enforcement action that can be taken by the Information Commissioner where there has been a serious breach of privacy.</p>
  • <p class="speaker">James Paterson</p>
  • <p>While the opposition supports, in principle, the amendments moved by the Greens&#8212;and in fact included a similar call for such a regime in our second reading amendment which the chamber has just agreed to&#8212;as I articulated in my speech in the second reading debate, we are concerned about and we should not be doing complex amendments to complex legislation like this on the fly in the chamber. There is a risk of unintended consequences.</p>
  • <p>I do welcome the minister's statement that the government will consider this as part of their wider reforms. That is important, because Senator Shoebridge is right; it will be very difficult to apply a $50 million penalty to a very small entity, and it will be very difficult to apply it in the instance of an inadvertent breach rather than a serious one. We are concerned about that&#8212;and industry and stakeholders and third-party groups in the inquiry process made that very clear, as Senator Shoebridge has explained to the chamber. But, as a matter of principle, we think the government are in the best place to address this issue, with the access to drafting resources and expertise that they have through the department.</p>
  • <p>The only concern I want to finish on and put on the record is that that process not take too long. If too much time elapses between the passage of these increased penalties and the more comprehensive privacy reforms that the government is talking about, I think Senator Shoebridge is right that we won't have made any meaningful improvement to the cybersecurity and privacy of Australians. It is important that that more comprehensive reform come forward as soon as possible to address these wider and more complex issues.</p>
  • <p class="speaker">David Shoebridge</p>
  • <p>I thank the minister for the contribution. I note the minister said there is a pyramid of enforcement measures. If it is a pyramid, it is absolutely built on sand, with minimal actual enforcement measures. Most of us, if we're honest, would accept that cranky letters, rude notices or angry reports from the Information Commissioner have not worked in the past to keep our privacy safe, and those kinds of existing remedies will not work, going into the future, to keep our privacy safe. So, if that's the pyramid the government thinks has any kind of utility or use, I think reality and what everyday Australians are feeling on a day-in, day-out basis with the privacy breaches they've been suffering would suggest otherwise. That being said, I do acknowledge the government has now given the commitment to move to have a tiered approach, which is what I understand the minister was saying, that the intent is to deliver a tiered approach which will give some capacity for the regulator to actually use the powers. But I would be interested to know from the minister what the time frame is to deliver that tiered approach, because the longer we go without it the longer we go in basically having lawless provisions. That is, no real, enforceable provisions for privacy.</p>
  • <p class="speaker">Murray Watt</p>
  • <p>The report from the privacy review will be handed down and provided to the Attorney-General by end of this calendar year, so I would anticipate then that we'd get moving on this in the New Year.</p>
  • <p class="speaker">David Shoebridge</p>
  • <p>Thank you, Minister. Is there a commitment from the government to make that report public, and, if so, what's the time frame for that?</p>
  • <p class="speaker">Murray Watt</p>
  • <p>I'm probably not in a position to make that commitment at this point. I know that the review and the report will be also considered by cabinet, so I guess it will be a matter for cabinet as to what is publicly released.</p>
  • <p class="speaker">David Shoebridge</p>
  • <p>On a different point, if I may, to the minister: is it the government's intention that the concept of benefit in the proposed new subsections 13G(2) and (3) is a net benefit or is it any benefit that would trigger the provisions of 13G(2) to (3)?</p>
  • <p class="speaker">Murray Watt</p>
  • <p>It will be any benefit.</p>
  • <p class="speaker">David Shoebridge</p>
  • <p>Minister, in those circumstances, is it true that if a corporation had put measures in place but not sufficient measures, and maybe therefore had had a hard to determine but fairly modest benefit from an underspend in the IT, yet they may have suffered a huge commercial loss with customers leaving and remedies being put in place as a result of an attack on their IT, and therefore be potentially tens or hundreds of millions in the red, that they'll be perceived as having received a benefit and therefore will be potentially liable for the 13G(3) penalty?</p>
  • <p class="speaker">Murray Watt</p>
  • <p>It's a little difficult to comment on any possible hypotheticals that you are putting forward, but obviously it would be a matter for the court to determine whether a company has had a benefit and whether its actions or inactions warrant any type of penalty.</p>
  • <p class="speaker">David Shoebridge</p>
  • <p>Minister, will the government be engaging with the not-for-profit and charitable sector, who are very concerned about this maximum penalty being in place? Will you be engaging with the charitable and not-for-profit sector and potentially, as part of that, engaging with them in guidelines for the Information Commissioner about how this new penalty provision will be used? And, are you intending to provide some additional resources for the charitable and not-for-profit sector so that they can effectively meet their privacy obligations, given what may otherwise be a ruinous penalty being delivered to them under this new regime?</p>
  • <p class="speaker">Murray Watt</p>
  • <p>I'm advised that the government will be consulting and engaging with non-government organisations, because, as you say, they do have legitimate concerns, and it's in everyone's interest to assist NGOs to meet their obligations in this space. I'm also advised that guidelines and other information material will be provided to NGOs so that they can comply with their legal requirements.</p>
  • <p class="speaker">David Shoebridge</p>
  • <p>Is any part of the government's plans to provide the charitable and not-for-profit sector with the kinds of funds they're going to need to meet their obligations? We're passing a bill now which is saying that if they have a repeat or serious breach then they may face a penalty of up to $50 million. Are you going to provide them with the kind of funds that they need to meet their privacy obligations? The anxiety in the sector is very real.</p>
  • <p class="speaker">Murray Watt</p>
  • <p>Those matters around funding, Senator Shoebridge, will be considered as part of the implementation of the Privacy Act review.</p>
  • <p class='motion-notice motion-notice-truncated'>Long debate text truncated.</p>