Privacy Amendment (Privacy Alert) Bill 2014

Senator IAN MACDONALD (Queensland) (10:32): I start my contribution by suggesting to Senator Ludwig that his attempt at humour at the expense of the Attorney-General was not only tawdry but a complete failure. I am sure Senator Brandis enjoyed it! I can see him now trembling at the vicious attack with a lettuce leaf! I suggest to Senator Ludwig that he sticks to his day job, like single-handedly destroying the northern beef cattle industry. I have been here awhile and Senator Brandis is one of the best attorneys-general I have seen in this parliament. Certainly in the last six years there is no comparison. He is a lawyer, a deep thinker and someone who understands the importance of his role. He is able to contribute not only with style but with expertise, common sense and a deep understanding of the law. Senator Ludwig's attempt at a humorous attack on the best Attorney-General I have seen was a complete failure.

Senator Ludwig did suggest that the Privacy Amendment (Privacy Alerts) Bill 2014 was sitting on the Attorney's windowsill going yellow in the sunlight, or some other such analogy. If this bill is so important, why did the former government leave it until the dying days of the Rudd-Gillard-Rudd governments to try to get it through? If it is as important as Senator Ludwig is saying, one wonders why it took the Labor Party 5½ years to get to where it is?

I do want to comment on the provisions of the bill. Before I do that, I pose this question to the other speakers in this debate, particularly to the Greens political party. I would guess that because it is a Labor bill, the Greens political party will be supporting it. I have no rationale for that, except Labor and the Greens seem to vote together on everything and have done for years. I wonder what Senator Ludlam will say in his contribution to this bill? It might be a little hard for him to contribute to the bill because I understand he is wagging it from his paid job in the Senate these last couple of weeks and is in Western Australian campaigning in a political campaign. As I understand it, he is being paid to be here working in this chamber.

He is not here contributing to the debate, but perhaps other Greens senators who will speak might be able to answer this query. What do the Greens say about Senator Ludwig's attempt to bring into the parliament two people of questionable legality to give evidence at a parliamentary committee? I refer to Senator Ludwig's attempt to call as witnesses Mr Assange and Mr Snowdon. Mr Snowdon has been described in this chamber as a traitor to his country. Those two gentlemen, as I understand it, have no respect for anyone's privacy and certainly no respect for their nation's privacy—that is, their nation's security. Yet, here we have the Greens talking about privacy, indicating how important it is, when they are wanting to bring to a parliamentary committee two people who do not respect privacy at all and in fact disrespect privacy to the highest degree in that they have no regard for the security of their own nations.

So it will be interesting to see how the Greens will distinguish their support for their friends in the Labor Party on this and every other bill with their attempt to destroy everyone's privacy by getting Snowdon and Assange to give evidence. If they do give evidence, it might be interesting if they tell the world just how they hacked into everyone's privacy, into the national privacy. Perhaps we can all learn something from them if we can get the details on how they hacked into the nation's privacy. So I will be listening to the debate very keenly to hear how the Greens address those issues.

The Privacy Amendment (Privacy Alerts) Bill 2014 is similar to a bill that, as I mentioned, was introduced by the Labor government in 2013. I again repeat the point that if there is a concern about the passage of this bill, why didn't the Labor government do something about it in the previous six years rather than leaving it to a couple of days before the last parliament was prorogued? It did actually pass through the House of Representatives in June last year.

The bill was considered by the Senate Legal and Constitutional Legislation Committee, which reported to the Senate on 24 June. Senator Boyce in her quite distinguished and perceptive contribution—she was a member of the Senate Legal and Constitutional Legislation Committee at the time it considered the bill—to this debate spoke with some authority. She had actually sat through the hearings of the legislation committee's inquiry into the forerunner of this bill.

Senator Boyce and then Senator Humphries provided some additional comments to the report of the committee, which of course had a Labor majority. They expressed some concern at the lack of definition of the terms 'serious breach' or 'serious harm' in the legislation. As I read their report and listened to Senator Boyce, they also cited concerns about the regulatory overload for business.

The regulatory overload for business is costing our country money. We have made it quite clear in our pre-election commitments and by actions since then that we understand the impost of regulatory burden on business, particularly small business, and we are trying to do something about it. We have introduced several bills into the other house trying to get rid of some of the regulation that costs Australia so dearly, that makes Australia uncompetitive in its trading activities around the world and uncompetitive within our own country.

Here we are, as a government, trying to reduce the regulatory burden to encourage business activity—that is, to encourage employment, to heighten our standard of living in this country. At the same time, the Labor Party and the Greens are doing everything possible to, again, impose regulation on the Australian public, and particularly on business. That is because the Labor Party and the Greens particularly have this inflated view that people are not capable of looking after themselves; that they in the Labor Party and the Greens know better how to regulate people's lives and people's businesses than people, business men and women. A classic example of this was the embarrassment of the Senate inquiries into the Qantas issue where the Green senators tried to suggest to one of the biggest businesses in the world how they should run a business. It was laughable. If anyone had a look at the transcript of those two Senate inquiries, they would appreciate just how embarrassing it is to sit in on those committees and hear some of the inane questions that were asked by Greens and Labor senators about a multinational business—I digress slightly. I want to get back to my point: we are trying to reduce regulation; the Labor Party and the Greens are trying to increase it.

Comment on the regulatory impact of this bill was made in the dissenting report of coalition senators when this bill last came before the parliament. The last bill was intended to strengthen the existing voluntary data breach notification framework in order to counter underreporting of data breaches and to help prevent or reduce the effects of serious crimes like identity theft. The previous bill, on which this bill is based, was predicated on the general requirements of the Australian Privacy Principle 11, which requires regulated entities to hold personal information to prevent loss, unauthorised disclosure or misuse of that personal information. The 2014 bill, the one we are debating today, operates in much the same way.

The proposed model would create a requirement to identify the Office of the Australian Information Commissioner, which I will subsequently refer to as OAIC, and affected individuals where there has been a data breach which has given rise to a real risk of serious harm to the affected individual. That was the ALRC's recommended approach. A 'real risk' is defined as a risk that is not a remote risk. This would mean that entities would not be required to report less serious privacy breaches to affected individuals or to the OAIC.

If I can pause there again and refer to the Assange and Snowden issue, where the Greens are trying to get these people to give evidence in some Senate inquiry about electronic security, electronic transmission of data and electronic storage of data. As I say, it is going to be fascinating to see what the Greens think that Mr Assange and Mr Snowden can tell us about maintaining people's privacy when, quite clearly, they are two persons who have no regard for anyone's privacy.

The bill before us has a requirement to notify that would apply to data breaches involving personal information, credit-reporting information, credit eligibility information and tax file number information. So where there were breaches relating to those things there would be a requirement to notify. I wonder whether—again, referring to Assange and Snowden—we should perhaps even put into the legislation where there are data breaches involving the nation's personal information, that is, its security.

But the content requirements of the notification are, at a minimum, a description of the breach, a list of the kinds of personal information concerned, contact information for affected individuals to obtain more information and assistance, and recommendations about the steps that individuals would take in response to the breach. There are several other provisions of this bill, which my colleague Senator Boyce has explained and which, I am sure, others will as well during their contribution.

I believe that this is a bill that the parliament should not be pressured into agreeing to without giving it full and proper consideration. I would suggest that the move by the Labor Party to introduce the bill without appropriate consultation is premature. This was the thought of coalition senators on the committee that inquired into a similar bill last year.

Can I suggest that, if the opposition were serious about privacy issues and this bill in particular, they might have introduced this bill in a proper way, which would have included informing us a bit earlier of their proposals to bring this forward. I understand there was very little notice given by the opposition to anyone or to the government generally that this bill was to be introduced. If they wanted to really address the issue, I suggest that they should have taken the opportunity to consult more widely.

It is clear that the government is not opposed to considering proposals that improve data security practices. Measures that enhance the protection of security of personal information of Australians are critical. However, I do refer the Senate to some comments made by business figures when the matter came before the Senate committee last time. The Communications Alliance argued that specific actions outlined in one of the provisions are contrary to good business practice, as reflected in the OAIC guide. Indeed, they said:

… good business practice would be to (a) contain the breach and do an assessment; (b) evaluate the risks; and then, if necessary, notify those affected by the breach. It is concerning that the Bill places more emphasis on notifying—and potentially confusing or alarming customers—than containing the breach, rectifying the issue and preventing its reoccurrence.

That indicates the sort of concerns that were raised, which I think are still current.

As I say, I am not opposed and I understand that the government is not opposed to considering proposals that improve data security services. But a lot more work has to be done, including consulting broadly on the implications of a mandatory notification scheme. I suggest to the mover of this motion that this has not been done and that we need to consult broadly with both community and industry. Until that is done and until all of the matters that were raised and, I might say, highlighted in the additional comments by coalition senators in the report of the committee that looked at the previous bill have been considered, then I do not think we should be rushed into this.

The government is not prepared to agree to a proposal without giving it full and proper consideration. I emphasise that we on this side of the chamber have always thought of the broader principles of privacy protection for individuals. We have previously expressed concerns about the detail of this bill. Given the importance of the matter, we continue to express those same concerns, including that a thorough and detailed scrutiny be afforded to this bill.

Back to List