Chapter 3

Conclusions and recommendations

3.1
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) comprises the Australian government’s earliest possible and interim response to recent large-scale data breaches.
3.2
The committee recognises that millions of Australians have been harmed by the hacking of and subsequent criminal release of personal and other sensitive data that individuals provided to government and business for legitimate reasons.
3.3
The committee supports the Australian government, its departments and agencies in developing comprehensive and robust policies and measures to combat cybercrime, to protect personal and other sensitive data, and to assure Australians that the security of their personal information is of the utmost importance.
3.4
The Attorney-General’s Department (AGD) review of the Privacy Act 1988 (Privacy Act) was referenced throughout the inquiry, with several suggestions for matters that should be included as part of that holistic review.
3.5
The committee acknowledges that the AGD is aware of these suggestions, many of which are already being considered. While not part of this inquiry, the committee especially notes data minimisation, safe harbour mechanisms for compliant regulated entities, compensation for identifiable harms and civil actions (such as a statutory tort for serious invasions of privacy), as particular matters for consideration.
3.6
AGD advised that the Privacy Act review is nearing completion, with the Australian government keen to introduce reform to Australian privacy law. The committee agrees that this reform, more than 30 years after the introduction of the Privacy Act and in a dynamic digital landscape, is long overdue. The committee would welcome a five-year statutory review of the privacy law reforms, following completion of the Privacy Law Review.
3.7
The committee welcomes the Australian government’s attention to modernising and strengthening Australian privacy law. With this report, the committee makes recommendations that are aimed at enhancing these objectives. In particular, the committee accepts submitters’ and witnesses’ views that certain provisions in the Bill require further examination.
3.8
Strictly speaking, proposed subsection 13G(1) of the Privacy Act is a technical amendment in the Bill; however, submitters and witnesses raised concerns about the clarity of two key definitions: ‘serious interference’ and ‘repeated’ interference. Given the proposed quantum for contraventions of this provision, and notwithstanding that the Office of the Australian Information Commissioner (OAIC) has provided some guidance on the matter, the committee agrees that the legislation should provide more clarity about what would comprise a ‘serious interference’ and a ‘repeated’ interference.

Recommendation 1

3.9
The committee recommends that the Attorney-General’s Department, as part of its review of the Privacy Act 1988, recommend amending section 13G of the Act to define the terms ‘serious interference’ and ‘repeated’ interference and that the Australian government implement such a recommendation.
3.10
The committee received considerable evidence on the maximum penalties in proposed subsection 13G(3) of the Privacy Act, as well as the practical operation of that provision.
3.11
The committee is concerned about the proposed mechanism for determining the maximum penalty for a regulated entity in the event of a data breach. In its view, the difficulty in identifying and determining the requisite ‘benefit’ has the potential to lead to perverse outcomes. The committee suggests that the incorporation of the term ‘benefit’ from the Competition and Consumer Act 2010 has not been helpful. While the test of ‘reasonable steps’ might mitigate the operation of the proposed provision, the committee considers that the AGD should further consider the way in which this provision has been drafted.
3.12
In principle, the committee supports the proposed repeal of paragraph 5B(3)(c) of the Privacy Act. As highlighted by Electronic Frontiers Australia, ‘Australians should expect data about them to be kept safe no matter how it came to be in the possession of an organisation’.[1]
3.13
The committee acknowledges, however, the argument raised by multiple submitters and witnesses—including the Law Council of Australia—that the proposed provision has been too broadly drafted and must retain some connection with Australians’ information, as is the case in the European Union’s General Data Protection Regulation.

Recommendation 2

3.14
The committee recommends that the Attorney-General’s Department, as part of its review of the Privacy Act 1988, examine the appropriateness of section 5B providing for any additional ‘Australian link’.
3.15
The Australian government provided additional funding to the Office of the Australian Information Commissioner in the Federal Budget 2022-2023. The committee heard that there are concerns about the OAIC’s ability to perform its functions without ongoing and stable funding. However, the Commissioner assured the committee that both the OAIC and the AGD closely monitor the situation and that, to date, extra funding has been provided as and when required.

Recommendation 3

3.16
Subject to the above recommendations, the committee recommends that the Bill be passed.
Senator Nita Green
Chair

[1] Electronic Frontiers Australia, Submission 29, p. 5.
