Privacy and Other Legislation Amendment Bill 2024 beginning of second reading speeches
October 16, 2024 |
There have been 3 further 2nd reading speeches published; from Paul Fletcher (Liberal) on 8 October 24, Graham Perrett (Labor) and Max Chandler Mather (Greens). None are particularly illuminating. All follow predictable paths. Perrett recounts what is in the bill and how that is for the good. Fletcher makes fair criticisms about the selective approach to reform, less fair criticisms about the delay in banning doxxing and a generally confused complaint about the statutory tort, as much about the process as the benefit of otherwise of having a tort. The problem with the process argument is that the statutory tort has been recommended by the Australian Law Reform Commission since 2008. It’s 2014 Report also recommended such a tort. The Attorney General Department’s Report also recommended the tort. There can be no serious complaint about ambush and lack of knowledge. The reality is that the Coalition has always been hostile to a statutory tort. At least they are reserving their position until the completion of the Senate Committee process. Where there will be long and loud complaining by the business sector.
The Cross benches have proposed amendments:
By Kylea Tink:
(1) Schedule 2, item 10, page 67 (line 19), after “privacy was”, insert “expressly”.
[defences]
(2) Schedule 2, item 10, page 71 (line 13), after “journalistic material”, insert “about matters of public interest”.
[public interest journalism]
(3) Schedule 2, item 10, page 72 (lines 6 to 8), omit all the words from and including “reasonably believes” to the end of clause 16, substitute:
: (a) reasonably believes that the invasion of privacy is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body; and
(b) is conducting a lawful investigation in respect of a serious crime.
[enforcement bodies]
(4) Schedule 2, item 10, page 72 (line 15), at the end of clause 17, add:
; to the extent that the intelligence agency is conducting a lawful national security operation.
[intelligence agencies]
By Zoe Daniel:
(1) Clause 2, page 2 (after table item 7), insert:
7A. Schedule 1, Part 16
The day after this Act receives the Royal Assent.
[commencement]
(2) Schedule 1, page 58 (after line 27), at the end of the Schedule, add:
Part 16—Miscellaneous amendments
Privacy Act 1988
90 Subsection 6(1) (definition of consent)
Repeal the definition, substitute:
consent means voluntary, informed, current, specific, and unambiguous indication through clear action, which has not since been withdrawn.
91 Subsection 6(1) (definition of personal information)
Repeal the definition, substitute:
personal information: see section 6AAA.
92 After section 6
Insert:
6AAA Meaning of personal information
(1) In this Act, personal information means information or an opinion that relates to an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
Note: Section 187LA of the Telecommunications (Interception and Access) Act 1979 extends the meaning of personal information to cover information kept under Part 5-1A of that Act.
(2) For the purposes of this section, an individual is reasonably identifiable if they are capable of being distinguished from all other individuals, regardless of whether or not their identity is known.
93 Application of amendments
The amendments of section 6 of the Privacy Act 1988 made by this Part, and section 6AAA of the Privacy Act 1988 as inserted by this Part, apply in relation to acts done, or practices engaged in, after the commencement of this item.
[definitions]
Fletcher’s second reading speech provides:
I rise to speak on the Privacy and Other Legislation Amendment Bill 2024. This is a bill that’s been in the pipeline for some time, yet it is a very curious creation. It seems to have been cobbled together from a range of different parts. Each of these parts does something different. They have different objectives, and they respond to different stakeholders. They are all somehow related to privacy, but they each have their own merits and drawbacks. It just does not sit together well as a whole. All the indications are that this bill was hastily stitched together at the last minute.
When, on this side of the House, we first heard that the Attorney-General wished to introduce measures along the lines of those we’re considering today, the coalition anticipated that the bill would address the matters previously intended to be addressed in the Privacy Amendment and Other Measures Bill 2024 and the Privacy (Statutory Cause of Action for Serious Invasions) Bill 2024. We had not seen the first of those bills, but we assumed it was intended to make changes to the Privacy Act and introduce various other measures. We had also not seen the second of those bills, but we again assumed that this was a bill which was intended to introduce a new statutory cause of action for serious invasions of privacy. When the Attorney-General stood at the dispatch box on 12 September to introduce the bill being debated, he didn’t introduce either of those two bills which had been foreshadowed earlier. Instead, we got this strange and confused mishmash of legislation.
On analysis, there are three substantive parts to this bill. Schedule 1 is essentially a suite of what might be described as the less controversial changes to the regulatory regime in the Privacy Act. For more than a year, the government has been promising a major overhaul of the Privacy Act’s regulatory regime. Some of the proposed changes were highly contentious. They included things like stripping away protections for small businesses and changing the definition of ‘personal information’, which is, of course, the very core of the matter that is regulated by the Privacy Act. The changes would have reached into every part of our economy and may, in turn, have required changes to the way that every Australian business handles information. Other changes that were foreshadowed went to foundational issues on which many of our modern digital businesses are built, such as data segmentation and value adding. In extreme scenarios, those changes would have had the potential to destroy existing markets and potentially to create new ones. We can only guess at the potential regulatory costs.
Those changes, at least for the time being, seem to have been left on the cutting room floor, and that is not necessarily a bad thing. Instead, we’ve been provided with a slimmed down suite of changes, set out in schedule 1 to this bill. When I say ‘slimmed down’, that is only in comparison to what had originally been foreshadowed, not to what might be considered the community standard of what is slim and what is not. There are still 15 different parts in schedule 1, and each part deals with a different topic. On the whole, schedule 1 avoids some of the more contentious changes to Australia’s privacy regime that had been foreshadowed by this government. Instead, it focuses on issues such as the regulatory and enforcement powers of the Information Commissioner. These changes are important, but they’re not foundational.
Why has there been this late change in approach? That is not clear. The government has not adequately explained it. The official line, as best can be discerned, is that the government has decided to consult further on these matters before pressing ahead. It may be that the looming election has sharpened the government’s focus. I can only speculate—it is up to the Attorney-General to explain why this has happened. In the meantime, some of the more radical reforms are presumably sitting in a bottom drawer in the Attorney-General’s Department, no doubt in the hope that they can be dusted off in the next term of parliament.
Let me turn to schedule 2 of this bill. Schedule 2 does not concern the existing regulatory regime that deals with privacy in Australia. It’s not about regulation at all. It is about private disputes commenced by parties to civil litigation who seek compensation through the courts. How, then, did these unrelated reforms make their way into this bill? Again, on this side of the House, we don’t know the answer to that question, but we have a theory. Our theory is that the Attorney-General must have felt somewhat embarrassed about having promised major privacy reforms for more than a year before shelving them at the last minute. There’s every appearance that the Attorney was looking for something to pad out his bill and decided to jam schedules 2 and 3 into the package. That is certainly the theory that we on this side of the House have developed as to why schedule 2 contains a suite of measures to introduce a new statutory tort for serious invasions of privacy.
The tort would allow an individual to sue, where that individual believed a person had invaded their privacy by ‘intruding upon their seclusion’ or ‘misusing their personal information’. It has to be said that both the merits and the drafting of this statutory tort are highly contestable. The invasion of privacy must be serious, but, equally, it’s actionable without proof of damage. There are exemptions in relation to journalists, law enforcement bodies, intelligence agencies and children, but there’s no clarity about how well these would work in practice. Some of the definitions are extraordinarily broad. The explanatory memorandum suggests that, in some cases, merely storing data might constitute a misuse of information. Crucially, the tort is completely separate and additional to the general regulatory regime in the Privacy Act, and it appears that an individual can sue any ‘person’ for such a breach.
The word ‘person’ is a defined term at Commonwealth law. It includes bodies corporate and politic, as well as natural persons. So, even though the government granted a temporary reprieve to small businesses in schedule 1, it puts those businesses straight back in the firing line in schedule 2. They will continue to be exempt from regulatory action but will instead be exposed to legal action. This raises some immediate questions. For example, what is the impact of this tort on small businesses? Are we likely to see insurance premiums go up because the government has now opened them up to a new type of legal exposure? It’s not hard to imagine how this might play out. After all, your beauty salon and your mechanic deal with your personal information, just as your bank and your insurance company do. If your beauty salon’s booking system were compromised, would they now be exposed to a lawsuit? Will your beauty salon now need higher levels of cover to deal with the legal risk? Do small businesses now need to change their operational procedures, or indeed the services they offer, in order to deal with this new legal risk? It is not hard to see how the impacts of this new statutory tort would flow through to higher prices for Australian consumers.
Where are the stakeholders on this? Well, it turns out that the strong supporters of this proposed new statutory tort include class action law firms and litigation funders. That is not particularly surprising. They stand to make quite a lot of money out of this. We need only look at the number of Labor politicians who are former class action lawyers to know where their heart is on this matter.
Of course, we’ll hear some standard lines about access to justice. It’s amazing how often these pious public statements dovetail with private financial gain. On the other hand, we know that in the past media organisations have been highly critical of the statutory tort—for example, Australia’s Right to Know Coalition, which represents media organisations across a very diverse spectrum, from the ABC and the Guardian at one end to News Corp at the other. The Right to Know Coalition has previously warned that the proposal to have a statutory tort would be ‘contrary to the public interest and result in a significant curtailing of press freedom in Australia’. They’ve argued that the proposal will primarily benefit wealthy and high-profile individuals and that it fails to provide any clear public benefit.
The Council of Small Business Organisations Australia have said that they are highly concerned by the unexplored and unintended consequences from the broad proposed drafting of the tort. In COSBOA’s words: ‘Whilst the wrecking ball of the removal of the small business exemption has been narrowly avoided, the clumsy and poor approach being pursued by government in respect to schedule 2 creates high degrees of anxiety for small business.’ For other groups, the changes in schedule 2 have caught them off guard. Many simply did not know they were coming. Again, that is not very surprising. Stakeholders have been asking for an exposure draft for months. The government refused and instead dropped these changes for the first time just a few weeks ago. It is very clear that this proposed statutory tort warrants careful scrutiny.
That brings me, finally, to the third schedule of this bill, which creates new offences for doxxing. The term ‘doxxing’ refers to the practice of publishing private or identifying information on the internet about a particular individual, typically with malicious intent. We know that doxxing can expose victims to physical threats, public humiliation, discrimination, identity theft, financial fraud and other serious harms. These risks have become all too apparent since the malicious doxxing of more than 600 Jewish writers, academics, artists and small-business owners by pro-Palestinian activists and Hamas sympathisers in February this year.
Like other parts of this bill, this schedule raises immediate questions. The first question to ask the government is: what on earth took you so long? Jewish groups have been calling for our criminal laws to be tightened up in this space since February. We have known for months that the current criminal laws do not cut it, and the coalition has been on the record as saying that we would work with the government to devise a legal framework that is fit for purpose.
In the past eight months, as just one example of how problematic this practice of doxxing can be, we have seen reports of anti-Jewish activists distributing pictures of Jewish family trees online. This is a form of intimidation that we have not seen since the days of the Nazis. But, for whatever reason, addressing doxxing has not until now, it would seem, been a priority for the Albanese government. Now that these provisions have finally been introduced into this parliament, these doxxing laws have, however, been shoehorned into a bill which makes peripheral changes to the privacy regime and introduces a highly contestable measure to throw a bone to Labor’s class action lawyer mates. If any further proof were required that the Albanese government has its priorities all wrong, this bill provides ample such proof.
The coalition will treat each of the three parts of this hurriedly cobbled together bill on their merits. Firstly, in relation to doxxing, these are reforms which should have been brought forward months ago. They’re criminal law reforms that make changes to the Criminal Code. They deal with an urgent and unprecedented surge in criminal behaviour. Yet, to Labor’s discredit, they appear to have chosen to hold these laws hostage to unrelated reforms that change a regulatory regime and give a boost to class action lawyers, who are, of course, well-known big donors to the Labor Party. It seems that the needs of Jewish Australians have come second to Labor’s sectional interests.
Secondly, in relation to the reforms to the regulatory regime concerning privacy, we welcome the decision not to progress with the more contentious reforms at a time when Australians can least afford it. The remaining changes warrant scrutiny, but we are cautiously receptive. We will test them through the committee process before arriving at a final position.
Thirdly, in relation to the statutory tort, there are clear and immediate issues that have been identified by several groups and stakeholders, including media organisations and small business organisations. These groups have only had the opportunity to see the drafting for a matter of weeks. They should be given the opportunity to air their concerns through the Senate committee process. To date, the process leaves everything to be desired, but the coalition are open to being convinced that the statutory tort is in Australia’s best interests. We will watch carefully as the arguments play out over coming weeks and we will finalise our position in the light of the Senate inquiry.
Debate adjourned.
Graham Perrett’s speech provides:
Deputy Speaker, this speech might be strangely familiar to you. The Albanese Labor government takes the job of protecting Australians very seriously when it comes to the economy, to health, to the borders and to international security. Nowadays, in 2024, this includes safeguarding individuals’ privacy in this increasingly digital world. There are many reasons why it’s vital to keep our personal information safe. They include the prevention of identity theft and subsequent fraud and the protection of our financial information.
The growth of the digital economy and the change in the way we live have both created new ways for our privacy to be exploited. You only have to think back to the devastating data breaches of a couple of years ago, which affected up to 10 million Australians. These breaches saw Australians’ names, birthdates, home addresses, phone numbers, email contacts, and passport and drivers licence numbers stolen and made available on the web for sale. Apart from the administrative burden then placed on all of those affected, this also created significant anxiety about further breaches, identity fraud and scams. Sadly, the consequences of personal information being accessed without permission can even be violent or life-threatening. Women fleeing family violence can be targeted, their personal information can be shared with their abuser, and they can be tracked.
The National Cabinet held in May focused on our national crisis of gendered violence, and at that time the Albanese Labor government committed to criminalising the practice of doxxing. Doxxing is the act of releasing personal information online without permission and with malicious intent. This includes circulating personal data such as the names, addresses, emails and phone numbers of private citizens. The popularity of social media, online platforms and messaging apps has made it easy to publish private information online, especially in an age where many people, including teenagers, are intent on publicising themselves to the world. Victims of doxxing are at risk of physical threats, public humiliation and shaming, discrimination, identify theft and financial fraud, and this can be an enduring risk, with the information floating around cyberspace indefinitely and able to be purchased. A devastating example of this was the release of the personal details of a WhatsApp group of hundreds of Jewish Australians earlier this year.
The practice of doxxing is unacceptable, and this bill, the Privacy and Other Legislation Amendment Bill 2024, provides for substantial criminal and civil justice pathways. You can see that it’s critical to amend the Privacy Act 1988 and the related sections of the Commonwealth Criminal Code. We need to make this outdated legislation, from a time before the internet, fit for purpose for the modern age so that we can ensure that the increased privacy risks of the digital age are contained and that all Australians are protected. This is a reasonable expectation for Australians to have, and it is one that the Albanese Labor government is determined to uphold. It is also important to bolster our privacy legislation to protect Australian businesses and keep them competitive. We need to keep in line with international privacy standards.
To the detriment of Australians, the former coalition government did nothing to bolster privacy in a period of change. They did nothing to strengthen privacy laws, and they even scrapped the position of the standalone Privacy Commissioner. They were full of plans but lacked any follow-through, and they didn’t guarantee funding for the privacy watchdog, the Office of the Australian Information Commissioner. This was left for the Albanese Labor government to do when we came in. We allocated $66 million to this office and ensured that much of its funding is ongoing.
Now we are implementing measures via the Privacy and other Legislation Amendment Bill 2024. These responsible reforms are the product of a considerable approach stemming from the Australian Competition and Consumer Commission’s 2019 Digital Platforms Inquiry. This inquiry recommended a review of the Privacy Act. The consultation process was extensive, with feedback from the business sector, the media, cybersecurity experts and, most importantly, everyday Australians. The Privacy Act review report was released in February last year, and the Albanese government responded in September 2023. This bill now seeks to implement the first tranche of agreed recommendations from the Privacy Act review.
Under this legislation, doxxing will become a criminal offence. This legislation also amends the Criminal Code so that the maximum policy for the malicious use of personal data will be six years imprisonment. This is applicable when someone uses a carriage service to make available, publish or distribute personal data in a way that is regarded as being menacing or malicious towards the individual. The maximum penalty will be seven years imprisonment where the personal details of members of a group are released due to their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality, or national or ethnic origin.
The legislation details ‘personal data’ as information that enables the individual or members of a group to be identified, contacted or located. This includes, obviously, someone’s name, their photograph or other image, their telephone number, their email address, online account details, their residential or work address, their place of education or their place of worship.
The bill takes into account that doxxing can occur in different ways. For example, it can be publishing someone’s details for a third party to harass them without even knowing their identity. A key part of this legislation is recognising that it’s not always malicious when personal information is shared, such as ordinary social media posts or reports in the media. To attract a criminal charge a ‘reasonable person’ needs to view the conduct as menacing.
This bill also puts forward a new statutory tort that will enable victims of a serious privacy breach, including doxxing, to seek redress in the courts. This can be in the form of damages or other remedies. This new tort will balance privacy rights with legitimate public interests such as something crucial for a healthy democracy, the freedom of the media, public health and safety, freedom of expression and the proper administration of government. These measures work for the individual, and also ensure that our privacy legislation is keeping pace with technological changes. Importantly, they meet the expectations of Australians.
It was first recommended by the Australian Law Reform Commission in its report a decade ago, titled Serious invasions of privacy in the digital era. The wide-ranging reforms in the bill before the chamber include clarifying the purpose of the Privacy Act—that is, that entities are responsible for protecting people’s personal information rather than just treating it as a commercial asset. It also gives the Information Commissioner the provision to develop codes to address certain technologies or industry practices. This provides flexibility to deal with emerging technologies.
The bill also focusses on boosting privacy protection for children, who are particularly vulnerable online. A Children’s Online Privacy Code will be developed, applying to internet services which are likely to be accessed by children. This code will outline how entities must comply with privacy requirements for children. We’ve directed $3 million over three years to the Office of the Australian Information Commissioner to develop this. It will be closely aligned to similar codes in countries such as the United Kingdom. Other measures include the reinstatement of the privacy commissioner and gives the Australian Information Commissioner enhanced powers to share information in a timely way about data breaches.
The bill introduces notifiable data breach declarations. These enable entities such as banks to act quickly and decisively to prevent compromised personal information being misused. Under these amendments, the Information Commissioner will have strengthened powers to enforce the act, including new civil penalties for a range of privacy breaches and an infringement notice system. The Information Commissioner will also be able to require a respondent to undertake any reasonable act to rectify or reduce the foreseeable loss.
One amendment I’m particularly pleased to see included is increased transparency regarding automated decisions that require the use of personal information. We all know the devastating effect that automated systems can have. You just need to think about the ramifications of the former government’s appalling robodebt scheme. This bill gives individuals transparency about the use of their personal information in automated decisions which affect them. Privacy policies will have to outline the personal information to be used and individuals will be able to request information about the decision.
Another benefit of the amendments include targeted responses in disasters or emergencies. The bill builds on previous reforms delivered by the Albanese Labor government. After those big data breaches in 2022, we implemented the Privacy Legislation Amendment (Enforcement and Other Measures) Act, and that increased the maximum penalties for serious or repeated privacy breaches from $2.2 million to whatever is the greater of $50 million or three times the value of the benefit obtained through the misuse of the information.
This bill addresses the views expressed by Australians. The Office of the Australian Information Commissioner’s Australian Community Attitudes to Privacy Survey found that 89 per cent of Australians want stronger legislation to protect their privacy online. The overarching benefit of enhanced privacy regulation is the bolstering of confidence in a digital economy, which supports innovation and its growth. This bill represents the first phase of Labor’s intention to give Australians enhanced control over their personal information. It answers the need that the Attorney-General outlined and I quote, since he’s in the chamber:
It is essential that Australians are protected by a legal framework that is flexible and agile enough to adapt to changes in the world around them.
I commend the legislation to the House.
Mr Chandler Maher’s speech provides:
The Greens will support this bill, the Privacy and Other Legislation Amendment Bill 2024, in the House but reserve our position in the Senate. We do this because although this first tranche of reforms is generally positive it fails to deliver what is needed to truly protect privacy in a way that meets the expectations of the community in this country.
This bill includes a handful of reforms in response to the Privacy Act review such as increased protection for children’s privacy and modest enhanced regulatory powers. It also includes a statutory tort of privacy, which is a right of action to seek damages for serious breaches of privacy, in the criminalisation of doxxing—the malicious release of personal information online. This tort will also allow individuals to sue for serious invasions of privacy in circumstances where the individual has a reasonable expectation of privacy, but subject to some limitations. That’s a long overdue reform, though we acknowledge concerns that it will be very hard for regular people to use this to protect their privacy due to the costs and legal complexity.
The bill also provides for transparency for automated decision-making, requiring privacy policies to disclose any use of personal information in automated decision-making which significantly affects individuals’ interests. This needs to happen within two years of the reforms coming into effect. This is a positive and sensible change. The bill will also give the OAIC increased oversight powers but no new funding. The OAIC is already chronically overallocated and underfunded, not least in FOI matters. This bill does nothing to remedy that.
After more than two years in government and a decade of promises in opposition, this set of reforms from Labor is embarrassingly inadequate. It will not change the core fact that, even with these changes, Australia will still have a privacy law basically written in 1988 to deal with privacy issues in 2024 that were not even conceived of last century. It is increasingly clear that privacy reforms have not kept pace with the development of technology, and the result is that millions of Australians’ data is at risk. We are lagging behind the world on making laws to protect privacy and limit corporate tracking of people. The government’s failure to take this opportunity to act on that is deeply disappointing.
Under these laws, people will continue to be tracked across the internet, with their data sold through real-time bidding to advertisers but also potentially to scammers and others. Under these laws, corporations will monetise the data of individuals and be able to create profiles of them through data matching. Under these laws, poorly regulated data will continue to proliferate and everyone will be at risk as a result. It doesn’t have to be this way. Jurisdictions around the world are drawing lines in the sand on privacy and standing up to the commercialisation of private data. In these places, governments have been willing to stand up against corporations exploiting personal and private information. It’s time for that to happen here.
There is plenty more that should be in this bill, and the government’s only response is that it might come at some unspecified point in the future in some tranche 2 privacy reforms. With the glacial pace of reform we have seen so far, no serious stakeholder, apart from the big social media platforms and online advertisers resisting privacy changes, has expressed any hope that the next round will be either timely or adequate. This is why we are reserving our position in the Senate and will be actively engaging in the Senate inquiry to make the changes needed now to keep our privacy, and that of our kids and friends, safe.
Question agreed to.
Bill read a second time.
Ordered that this bill be reported to the House without amendment.