Privacy Amendment (Notifiable Data Breaches) Bill 2016 - Second Reading Speech

 I rise to speak on the Privacy Amendment (Notifiable Data Breaches) Bill 2016 with a sense of relief but also with a sense of deja vu. As the Senate would recall, I introduced a private senator's bill of the very same intent in 2014—the Privacy Amendment (Privacy Alerts) Bill 2014, a bill that was thwarted by this government. So, I would like to take a step back and actually highlight the history of this important issue—and it is an incredibly important issue.

After extensive consultation, Labor introduced legislation in government in 2013 to implement mandatory data breach alerts. This bill was passed on 6 June 2013 by the House of Representatives with bipartisan support. It was introduced into the Senate and was referred on 18 June 2013 to the Legal and Constitutional Affairs Legislation Committee for inquiry. The committee reported on 24 June 2013, its sole recommendation being that the Senate pass this bill. The bill then lapsed, on prorogation of the 43rd parliament, so I reintroduced an almost identical bill—the privacy alerts bill—as a private senator's bill in 2014, a bill to make it compulsory for corporations and governments to notify people if their privacy is breached and personal details are released without authorisation.

At the time, the coalition senators in this place filibustered extensively to ensure that this piece of legislation did not pass. Despite their record of bipartisan support, time and time again they came into this chamber and filibustered on this important legislation—this legislation that today we similarly have in this place. So it is now clear that it was not the piece of legislation that was the issue; it was that Labor had introduced it—clear, plain politics, on such an important issue as people's privacy and the breach of their privacy.

Labor has always been committed to mandatory data breach notification provisions and of course therefore supports that the government is finally enacting these protections. Unlike the coalition senators, we will not play politics with people's lives or with their privacy and the breach thereof. Labor believes that Australians should be told when there has been a breach of their privacy. And at this very moment in time, and since 2013, when Labor first introduced this legislation, there is nothing in place to notify someone if there data has been breached, if their privacy has been breached, in that sense. So it is very much time that companies, corporations and government agencies who are required to protect Australians' personal data should also have the complementary duty to tell a customer when their personal data has been the subject of unauthorised public release.

Businesses that already implement good privacy practices and comply with the current voluntary guide from the Office of the Australian Information Commissioner will have little difficulty in transitioning to this new scheme, because they are already showing an obligation towards their customers. But the risk of data breaches and the seriousness of their consequences has grown as new technology has allowed government and the private sector to collect more and more personal information about Australians. A consumer should have the right to know if their personal information has been compromised or if their bank or their telecommunications provider has lax security standards. Consumers need to have the power to change their passwords, improve their security settings online, cancel their credit cards or completely change providers such as banks or telecommunications companies if they need to do so. But how can they do any of that when, at the moment, they do not even know that their data has been released?

That is what this legislation is all about. That is what makes this legislation so important, and that is why Labor introduced it in 2013 and I similarly introduced it in 2014. Yet it did not pass this place, because of those coalition senators filibustering and not having it pass because they did not want Labor to have that win of being the side that introduced it, and that is shameful.

So, let's look at some of the breaches in recent years—and there have been a number, because, as I said, we are living more and more in a digital world, and more and more data and personal information is being collected about Australian families. This bill puts in place some kind of compulsory notification regime in order to strengthen those protections around that information and build on the privacy regime that I talked about that Labor implemented when in government. Some of those highly publicised data breaches have included sensitive and very personal details of customers, such as the 15,775 Telstra customers who were affected by a breach that made their names, telephone numbers and home and business addresses accessible through a global Google search. That was only one example of several Telstra privacy breaches, in fact.

There was, of course, that shocking case of one billion Yahoo customers who were affected by hacks—again, private information including names, email addresses, telephone numbers, dates of birth and some passwords were accessed—and it took two years for news of that breach to be made public. It took two years before those one billion customers had any understanding that their data had been breached. Aussie Travel Cover, one of Australia's largest insurance companies, had its computer system hacked, and around 750,000 records of personal details were stolen, which included names, phone numbers, email addresses, travel dates and the cost of their policies. Addresses and partial credit card details were stolen, and that company opted not to tell customers about the hacking—it left them completely in the dark. This is why this legislation is so important; and this is why Labor has been pushing it for so many years.

The hacking of Catch of the Day, in which personal information credit card numbers were stolen, took three years to be made public—three years in which customers were unaware that their personal details were not secure. Catch of the Day has not released the number of consumers that were affected by this breach, but Australian consumers reported fraudulent activity on their cards shortly after the breach. So go figure—the poor old consumer had to figure it out for themselves.

These breaches have also affected the government sector. In 2014 the personal details of almost 10,000 asylum seekers were accidentally published on the Department of Immigration and Border Protection's website. The details included full names, gender, citizenship, date of birth, period of immigration detention, location, boat arrival details and reasons for the individual being deemed unlawful. Absolutely appalling!

McAfee Labs Threats Report for August 2015, which reviewed changes in cyber threats and cybersecurity from 2010 to 2015, states that there has been a 'monumental increase in the number of major data breaches and in the volume of records stolen'. There could not be clearer evidence of why this legislation is so important to get through this place. Yet it is now 2017, some four years on since Labor first introduced our bill of similar intent, and finally the government is going to act on it. It should not have taken so long. In fact, if it had not taken so long, a number of data breaches could have been managed much better than they were—they simply left consumers in the dark.

Data breaches are not a concern only for individuals, although first and foremost the individual is of utmost concern. The security of personal data is of commercial importance to Australian companies. Data breaches are simply bad for business and can be incredibly costly. Companies stand to lose not just time and money rectifying a data breach, but also their reputation. In the modern information economy the trust of consumers in a company's privacy compliance is an incredibly important part of a company's goodwill. What happened when Telstra had that massive data breach of thousands and thousands people's information is clearly in people's minds; what happened to those one billion Yahoo customers is clearly in people's minds. Did they want to stay with Yahoo after that?

When Kmart and David Jones experienced data breaches, both companies notified affected customers. That is good corporate policy; it shows a company's goodwill towards its consumers. That is the sort of positive step that some companies adopt; it stands in contrast to those corporations I highlighted earlier that hide the breaches. A mandatory data breach notification scheme is the most basic of privacy protections, allowing consumers to take action such as cancelling credit cards when their data has been hacked. It is that simple, and yet it has taken so long for this parliament to act on it, due to those coalition senators. While it is customary for many banks, government departments, retailers and telecommunications providers to notify customers of breaches, it is not compulsory. They do not have to do it. In practice this means that victims of serious breaches are not aware that their data has been corrupted.

The bill before us today amends the Privacy Act 1988 to introduce mandatory data breach notification provisions for agencies, organisations and certain other entities that are regulated by the Privacy Act. The bill is so important because it requires those agencies and organisations regulated by the Privacy Act to provide notice first and foremost to the Australian Information Commissioner and then affected individuals of an eligible data breach. At the moment that requirement does not exist. I have highlighted some examples of companies which inform their customers and others which have hidden breaches.

A data breach arises where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure. The bill will introduce a new consumer privacy protection for Australians that will keep their personal information more secure in the digital age. It will also encourage agencies and private sector organisations to improve their data security practices. It is an important general step that they should be taking any way. If an entity suspects that an eligible data breach has occurred, it must undertake an assessment into the relevant circumstances and, in the event of an actual data breach, an entity is required to notify the Information Commissioner and affected individuals as soon as practicable after the entity becomes aware that there are reasonable grounds to believe that there has been an eligible data breach. To give rise to an eligible data breach, the reasonable person would need to be satisfied that the risk of serious harm occurring is likely—that is, more probable than not. In deciding whether this is the case, entities are required to have regard to a list of relevant matters, which, I understand, are included in this bill. Failure to comply with an obligation included in the bill will be deemed to be an interference with the privacy of an individual for the purposes of the Privacy Act and that will engage the commissioner's existing powers to investigate, make determinations and provide remedies in relation to non-compliance with the Privacy Act.

So despite the delay tactics of the coalition, this important issue has remained on the agenda. There has been a number of reports about it. I know that the Australian Financial Review has reported a number of times about this issue and also the Parliamentary Joint Committee on Intelligence and Security recommended in its report on the mandatory data legislation in 2015 that if the legislation went forward, it was vital that data breach notification legislation be introduced as well.

The coalition government, I understand, was committed to introducing mandatory data breach notification provisions by the end of 2015. It is now 2017. It has taken the government more than three years to bring itself to introduce this legislation that it voted in favour of back when Labor was in government in 2013. If the government had introduced that legislation three years ago, thousands of customers would have been promptly notified that their data was breached. If they had put aside their partisan antics, we could have had privacy alerts legislation when I introduced the bill in this place in 2014. I am pleased to see the government has finally caught up with Labor's proposed legislation—the mandatory notification of consumers when their data has been breached. I am very relieved indeed that the government is finally getting on with honouring its commitment but the impact its delay tactics have had on the people of Australia should not be underestimated. That is why Labor supports this bill but notes very clearly that it is long overdue.