Chapter 1

Introduction

1.1
On 27 October 2022, the Senate referred the provisions of the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) to the Senate Legal and Constitutional Affairs Legislation Committee (the committee) for inquiry and report by 22 November 2022.1
1.2
The Bill would amend three Commonwealth Acts to increase penalties for serious or repeated interferences with privacy, enhance enforcement powers for the Australian Information Commissioner (the Commissioner), and provide the Commissioner and the Australian Communications and Media Authority (ACMA) with greater information sharing powers.2

Conduct of the inquiry and acknowledgement

1.3
In accordance with its usual practice, the committee advertised the inquiry on its website and wrote to organisations and individuals inviting submissions by 7 November 2022. The committee received 32 submissions, which are listed at Appendix 1.
1.4
The committee held a public hearing in Canberra on 17 November 2022. A list of the witnesses who appeared at the hearing is at Appendix 2.
1.5
The committee thanks those individuals and organisations who made submissions and gave evidence at the public hearing.

Scope of the report

1.6
This report comprises three chapters:
Chapter 1 provides background information relating to the Bill, outlines the Bill's key provisions, and notes any consideration of the Bill undertaken by other parliamentary committees;
Chapter 2 examines some of the key issues raised by stakeholders; and
Chapter 3 sets out the committee's findings and recommendations.

Note on references

1.7
In this report, references to the Committee Hansard are to the proof (that is, uncorrected) transcript. Page numbers may vary between the proof and the official transcript.

Background to the inquiry

1.8
On 22 September 2022, Australia’s second largest telecommunications company, SingTel Optus Pty Limited (Optus), a fully owned subsidiary of Singapore Telecommunications Limited, announced that the personal and other sensitive information of up to 9.8 million customers had been accessed and stolen during a cyberattack (Optus data breach).3
1.9
In the following weeks, MyDeal.com.au Pty Ltd (MyDeal), an online retail company and subsidiary of the Woolworths Group, and Medibank Private Limited (Medibank), one of Australia’s largest private health insurers, announced that they had also been the subject of cyberattacks, where millions of customers’ personal and sensitive data had been stolen by criminals.4
1.10
The Privacy Act 1988 (Privacy Act) establishes the Notifiable Data Breaches (NDB) scheme, which requires regulated entities to notify affected individuals and the Commissioner if an entity has reasonable grounds to believe that an ‘eligible data breach’ (as defined in section 26WE) has occurred.5
1.11
On 22 September 2022, the Office of the Australian Information Commissioner (OAIC) was notified of the Optus data breach and on 11 October 2022 commenced an investigation into the personal information handling practices of Optus and its associated companies, Optus Mobile Pty Ltd and Optus Internet Pty Ltd (all three collectively called ‘the Optus companies’).6
1.12
On 25 October 2022, the Australian government delivered the 2022-2023 Federal Budget, in which an additional $5.5 million over two years was allocated to the OAIC to investigate and respond to the Optus data breach.7
1.13
In addition, as a result of the data breaches, on 12 November 2022 the Australian government announced an ongoing, joint standing operation by the Australian Federal Police and the Australian Signals Directorate to investigate, target and disrupt cybercriminal syndicates with a priority on ransomware threat groups.8

Introduction of the Bill

1.14
The Attorney-General, the Hon Mark Dreyfus KC MP, introduced the Bill into the House of Representatives on 26 October 2022, stating:
…the Albanese government takes privacy, security and data protection seriously. As the Optus, Medibank and MyDeal cyberattacks have recently highlighted, data breaches have the potential to cause serious financial and emotional harm to Australians, and this is unacceptable.9
1.15
The Attorney-General stated that the Bill would give Australians confidence that their data will be protected, with a targeted and measured response to the most pressing issues arising from the Optus data breach and other recent cyberattacks.10
1.16
The Attorney-General also highlighted the Attorney-General’s Department’s (AGD) ongoing review of the Privacy Act,11 which will recommend further reforms designed to ensure ‘Australia's privacy framework protects the personal information of Australians, supports an innovative economy and responds to new challenges in the digital age’.12

Key provisions of the Bill

1.17
The Bill comprises one schedule that sets out proposed amendments to the Privacy Act, the Australian Information Commissioner Act 2010 (AIC Act) and the Australian Communications and Media Authority Act 2005 (ACMA Act).

Penalties

1.18
The Bill would amend the Privacy Act to increase the civil penalty for a serious interference with the privacy of an individual, or a repeated interference with the privacy of one or more individuals:
by a person other than a body corporate, from 2000 penalty units to an amount not exceeding $2.5 million (proposed subsection 13G(2)); and
by a body corporate, from 10 000 penalty units to an amount calculated with reference to a formula:
…not more than the greater of: $50 million; three times the value of any benefit obtained through the misuse of the information; or, if the value of the benefit obtained cannot be determined, 30 per cent of a company's domestic turnover in the relevant period [proposed subsection 13G(3)].13
1.19
In his second reading speech, the Attorney-General stated:
Setting these penalties at a higher level will accord with Australian community expectations about the importance of protecting their personal data. Further, penalties for privacy breaches cannot be seen as simply the cost of doing business. Entities must be incentivised to have strong cyber and data security safeguards in place to protect Australians.14

Enforcement powers

1.20
The Attorney-General highlighted that the Bill would also provide the Commissioner with ‘a suite of improved and new powers to resolve privacy breaches efficiently and effectively’.15

Extra-territorial operation

1.21
The Privacy Act, a ‘registered APP code’ (as defined in section 26B) and a ‘registered CR code’ (as defined in section 26M) currently extend to organisations or small business operators that have an ‘Australian link’.16 The term ‘Australian link’ is defined in subsections 5B(2)-(3) of the Act.
1.22
The Explanatory Memorandum (EM) explains that part of the definition of ‘Australian link’ has become problematic:
A foreign organisation will have an Australian link if the organisation or operator carries on business in Australia and collects or holds information from a source inside Australia. However, when a breach of the Privacy Act occurs, it may be difficult to establish that these foreign organisations collect or hold personal information from a source in Australia. For example, foreign organisations may collect personal information about Australians but do not collect Australians’ information directly from Australia, and instead collect the information from a digital platform that does not have servers in Australia and may therefore not be considered ‘in Australia’.17
1.23
The Bill would remove the requirement for an organisation or small business operator to collect or hold personal information in Australia or an external territory, before or at the time of the act or practice in question, in order to have an ‘Australian link’.18
1.24
The Attorney-General explained:
To ensure Australia's privacy laws remain fit for purpose in a globalised world and to ensure the Privacy Act can be enforced against global technology companies who may process Australians' information on servers offshore, the bill will amend the act's extraterritoriality provisions. This will mean that, even if foreign organisations do not collect or hold Australians' information directly from a source in Australia, they must still meet the obligations under the Privacy Act so long as they 'carry on a business' in Australia.19

Commissioner’s declarations

1.25
The Privacy Act provides a discretion for the Commissioner, following an investigation, to make binding and enforceable determinations (subsections 52(1) and 52(1A)).
1.26
The Bill would insert proposed subparagraph 52(1)(b)(iia) and proposed paragraph 52(1A)(ba) to enable the Commissioner to make a declaration that the respondent must prepare and publish, or otherwise communicate, a statement about the conduct that was the subject of the investigation.20

Information gathering and assessment

1.27
The Bill would insert Division 4 into Part IIIC of the Privacy Act to give the Commissioner the power to require the giving of information, the production of documents or the answering of questions in relation to actual or suspected ‘eligible data breaches’, or an entity’s compliance with the notification requirements (proposed section 26WU).21
1.28
The EM states that the proposed information gathering power would strengthen the NDB scheme, by ensuring that the Commissioner has ‘a comprehensive knowledge of the information compromised in an actual or suspected eligible data breach in order to assess the particular risk of harm to individuals’.22
1.29
Proposed section 26WU of the Privacy Act would be complemented by proposed amendments to section 33C of the Act:
to extend the Commissioner’s power to assess an entity’s compliance with the Act to specifically include compliance with the NDB scheme (proposed paragraph 33C(1)(ca));23 and
to give the Commissioner the power, when conducting an assessment under section 33C relating to the Australian Privacy Principles, to require an entity or ‘file number recipient’ (as defined in section 11) to produce information or a document that is relevant to that assessment (proposed subsection 33C(3)).24
1.30
According to the EM:
The purpose of subsection 33C(3) is to ensure entities cooperate with an assessment by providing the relevant information and documents the Commissioner needs to undertake an assessment. This will ensure that assessments are thorough, and not limited to information that is publicly available.25

Infringement notice

1.31
The Bill would replace the criminal penalty in subsection 66(1) of the Privacy Act with a civil penalty for a person’s failure to give information, produce documents or records, or answer questions when required to do so under the Act (the basic contravention, proposed new subsection 66(1)). The penalty would be 60 penalty units for a person and 300 penalty units for a body corporate.26
1.32
According to the EM:
The purpose of converting subsection 66(1) from a criminal offence to a civil penalty provision is to allow the Commissioner to issue a civil penalty or an infringement notice for minor instances of non-compliance without having to resort to the prosecution of a criminal offence. Infringement notices will provide the Commissioner with a timely, cost-efficient enforcement outcome in relation to minor contraventions of section 66. The infringement notice provision will provide an alternative to litigation of a civil matter. This will enable the Commissioner to resolve privacy complaints and investigations more efficiently.27
1.33
The Bill would also insert proposed subsection 66(1AA) into the Privacy Act to create a criminal offence for a body corporate that engages in conduct that constitutes a system of conduct or a pattern of behaviours resulting in at least two contraventions of the basic contravention. The penalty for the offence would be 300 penalty units.28
1.34
The EM acknowledges:
Although this matches the civil penalty units for a basic contravention under subsection 66(1) by a body corporate, conduct regarded as criminal carries a greater stigma and this reflects the more serious nature of an offence under subsection 66(1AA). The purpose of subsection 66(1AA) is to enable the OAIC to refer matters to the Commonwealth Director of Public Prosecutions involving more serious, systemic conduct.29
1.35
The civil penalty in proposed subsection 66(1), and the offence in proposed subsection 66(1AA), would not apply if a person has a reasonable excuse (subsection 66(1B) of the Act). A person who relies on this defence would bear an evidential burden.30
1.36
In addition, the Bill would insert Division 1A into Part VIB of the Privacy Act to make the basic contravention (failing to give information, produce documents or records, or answer questions when required to do so) subject to an infringement notice under Part 5 of the Regulatory Powers (Standard Provisions) Act 2014 (proposed subsection 80UB(1)).31
1.37
The EM reiterates that the purpose of this proposed provision is to allow:
…an infringement officer to issue an infringement notice instead of seeking a civil penalty for contraventions of subsection 66(1) where a person is required to give information, answer a question, produce a document or record, and the person refuses or fails to do so. This will enable the OAIC to resolve matters more efficiently.32

Information sharing powers

1.38
The AIC Act currently prohibits unauthorised dealings with information acquired while performing functions or exercising powers conferred for the purposes of an information commissioner function, a freedom of information function or a privacy function. There are a limited number of exceptions to the statutory offence (section 29 of the Act).
1.39
The Bill would amend the AIC Act by replacing paragraph 29(2)(a) with proposed paragraphs 29(2)(a), (aa) and (ab).33 According to the EM, the amendment would clarify that there is an exception for:
…any uses of information for the same function (being either an information commissioner function, freedom of information function, or a privacy function) under the AIC Act for which it was collected. This would allow, for example, information from a [notification of a data breach in the prescribed form] to be used in a subsequent investigation into potential Australian Privacy Principle (APP) 11 breaches, as they both fall within the Commissioner’s privacy functions.34
1.40
The Bill would insert proposed section 33A into the Privacy Act to enable the Commissioner to share information or documents with a ‘receiving body’ (as defined in proposed subsection 33A(2) of the Act) for the purposes of the Commissioner or the ‘receiving body’ exercising their powers or performing their functions or duties.35
1.41
The EM states:
The purpose of this section is to ensure the Commissioner is able to transfer a complaint to a receiving body, and also share information for the purposes of the Commissioner or the receiving body exercising their powers, or performing their functions and duties. This may occur when, for example, the Commissioner is holding information that relates to both an investigation under the Privacy Act, and under the receiving body’s framework.36
1.42
The Bill would also insert proposed section 33B into the Privacy Act to give the Commissioner a discretion to disclose information acquired in the course of exercising powers, or performing functions or duties, under the Act if the Commissioner were satisfied that it is in the public interest to do so.37
1.43
According to the EM:
The purpose of subsection 33B(1) is to empower the Commissioner to disclose or publish information relating to privacy and personal information, for example information about an ongoing investigation on the OAIC’s website. This will ensure Australians are informed about privacy issues and to reassure the community that the OAIC is discharging its duties.38
1.44
Similarly, the Bill would amend the ACMA Act to enable the ACMA to disclose information to a ‘non-corporate Commonwealth entity’ (as defined in section 11 of the Public Governance, Performance and Accountability Act 2013) that is responsible for enforcing one or more laws of the Commonwealth.39
1.45
The EM explains:
The amendment is important because for many functions and powers that non-corporate Commonwealth entities are exercising, taking prompt action is critical to help ensure further harm is minimised or avoided. For example, prompt disclosure of information by the ACMA following a data breach could help ensure that financial crime and fraud does not occur.40
The Attorney-General noted also that the proposed information sharing powers for the Commissioner and the ACMA will ‘drive better cooperation between regulators in order to deliver better outcomes for Australians’.41

Examination by other parliamentary committees

1.46
When examining a bill, the committee takes into account any relevant comments published by the Senate Standing Committee for the Scrutiny of Bills (Scrutiny of Bills Committee) and the Parliamentary Joint Committee on Human Rights (Human Rights Committee).
1.47
The Scrutiny of Bills Committee assesses legislative proposals against a set of accountability standards that focus on the effect of proposed legislation on individual rights, liberties and obligations, the rule of law and on parliamentary scrutiny. As at the time of writing, the Scrutiny of Bills Committee has not examined the Bill.42
1.48
The Human Rights Committee examines bills and legislative instruments for compatibility with human rights, and reports its findings to both Houses of Parliament. As at the time of writing, the Human Rights Committee has not examined the Bill.43

1. Journals of the Senate, No. 18—27 October 2022, pp. 527–528.
2. Explanatory Memorandum (EM), p. 2.
3. Optus, ‘Optus notifies customers of cyberattack compromising customer information’, Media Release, 22 September 2022, www.optus.com.au/about/media-centre/media-releases/2022/09/optus-notifies-customers-of-cyberattack (accessed 17 November 2022).
4. MyDeal, ‘Data Breach’, https://help.mydeal.com.au/hc/en-us/articles/5672443315087-Cyber-Incident (accessed 17 November 2022); Medibank, ‘Cyber Event Timeline’, www.medibank.com.au/health-insurance/info/cyber-security/timeline/ (accessed 17 November 2022).
5. Privacy Act 1988 (Privacy Act), Part IIIC. Note: at its simplest, a data breach is eligible if a reasonable person would conclude that it is likely to result in serious harm to any of the individuals to whom the information relates.
6. Office of the Australian Information Commissioner (OAIC), ‘OAIC statement on Optus data breach’, 22 September 2022, www.oaic.gov.au/updates/news-and-media/oaic-statement-on-optus-data-breach; OAIC, ‘OAIC opens investigation into Optus over data breach’, 11 October 2022, www.oaic.gov.au/updates/news-and-media/oaic-opens-investigation-into-optus-over-data-breach (both accessed 17 November 2022). Note: as at the date of writing, the OAIC has not commenced an investigation into MyDeal.com.au Pty Ltd or Medibank Private Limited.
7. Commonwealth of Australia, Budget Measures: Budget Paper No. 2, 2022-23, p. 47.
8. The Hon Clare O’Neil MP, Minister for Home Affairs, ‘Standing Operation Against Cyber Crime Syndicates’, Joint Media Release, 12 November 2022, https://minister.homeaffairs.gov.au/ClareONeil/Pages/standing-operation-against-cyber-criminal-syndicates.aspx (accessed 17 November 2022).
9. The Hon Mark Dreyfus KC MP, Attorney-General and Cabinet Secretary, House Hansard, 26 October 2022, p. 8. Also see: Votes and Proceedings, No. 17—26 October 2022, pp. 239–240.
10. The Hon Mark Dreyfus KC MP, Attorney-General and Cabinet Secretary, House Hansard, 26 October 2022, p. 8.
11. Attorney-General’s Department, ‘Review of the Privacy Act 1988’, www.ag.gov.au/integrity/consultations/review-privacy-act-1988 (accessed 17 November 2022).
12. The Hon Mark Dreyfus KC MP, Attorney-General and Cabinet Secretary, House Hansard, 26 October 2022, p. 8.
13. The Hon Mark Dreyfus KC MP, Attorney-General and Cabinet Secretary, House Hansard, 26 October 2022, p. 8. Also see: Item 14 in the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill).
14. The Hon Mark Dreyfus KC MP, Attorney-General and Cabinet Secretary, House Hansard, 26 October 2022, p. 8.
15. The Hon Mark Dreyfus KC MP, Attorney-General and Cabinet Secretary, House Hansard, 26 October 2022, p. 8.
16. Privacy Act, ss. 5B(1A). Note: a ‘registered APP code’ is a written code of practice for the handling of personal information; a ‘registered CR code’ is an industry code of practice for the handling of credit reporting information.
17. EM, pp. 12–13.
18. Item 10 in the Bill.
19. The Hon Mark Dreyfus KC MP, Attorney-General and Cabinet Secretary, House Hansard, 26 October 2022, p. 8.
20. Items 29–30 in the Bill.
21. Item 18 in the Bill. In particular, see proposed subsections 26WU(1) and (3).
22. EM, pp. 2 and 15. Also see: the Hon Mark Dreyfus KC MP, Attorney-General and Cabinet Secretary, House Hansard, 26 October 2022, p. 8, who noted that compliance assessment would also serve as ‘an important educative tool’.
23. Item 21 in the Bill. Note: this would include assessment of an entity’s processes and procedures to assess suspected ‘eligible data breaches’ and to provide notice of ‘eligible data breaches’ to the Commissioner and to individuals at risk from such breaches: EM, p. 18.
24. Item 22 in the Bill. Note: proposed subsections 33C(4)–(5) would provide safeguards to the exercise of this power.
25. EM, p. 18.
26. Item 38 in the Bill.
27. EM, p. 22.
28. Item 39 in the Bill.
29. EM, p. 22.
30. Items 40–41 in the Bill.
31. Item 44 in the Bill.
32. EM, p. 23.
33. Item 7 in the Bill.
34. EM, p. 12.
35. Item 20 in the Bill.
36. EM, p. 16.
37. Item 20 in the Bill.
38. EM, p. 17. Note: proposed paragraph 33B(2)(a) would set out mandatory considerations to which the Commissioner must have regard when determining whether disclosure would be in the ‘public interest’.
39. Item 1 in the Bill; proposed paragraph 59D(1)(q) of the Australian Communications and Media Authority Act 2005.
40. EM, p. 10.
41. The Hon Mark Dreyfus KC MP, Attorney-General and Cabinet Secretary, House Hansard, 27 September 2022, p. 9.
42. Standing Committee for the Scrutiny of Bills, Scrutiny Digest No. 6 of 2022, 26 October 2022, www.aph.gov.au/Parliamentary_Business/Committees/Senate/Scrutiny_of_Bills/Scrutiny_Digest (accessed 17 November 2022).
43. Parliamentary Joint Committee on Human Rights, Index of Bills Considered by the Committee, 28 September 2022, www.aph.gov.au/Parliamentary_Business/Committees/Joint/Human_Rights/Index_of_bills_and_instruments (accessed 17 November 2022).