Download Fragment

Thursday, 19 June 2014
Page: 3349

Senator LUDLAM (Western Australia) (10:03): I rise to add the Greens' support for the Privacy Amendment (Privacy Alerts) Bill 2014 and to acknowledge Senator Singh for bringing this matter before us today. This is very strongly in line with Greens policy; in fact, in the run up to the election last September, we announced and launched a digital rights package that had mandatory data breach notification as one of its components.

This is a bill that was on the Senate Notice Paperbefore the last election, and my understanding at that time was that the coalition, then in opposition, supported it. It is a shame that Senator Back has left us; I have got a lot of time for him. But I did find it somewhat puzzling that he admonished Senator Singh for somehow not giving people enough advance warning that this matter was being brought forward when it has been on the Notice Paper for years. It is a matter that has been canvassed certainly for as long as I have been involved in this field, and, as previous senators who have contributed to the debate have outlined, it is a matter of basic common sense. If a service provider or an organisation that you have trusted with private information—which can range from trivial personal details all the way up to your medical records, your credit card and quite intimate material—loses control of it, you have a right to know. I would have thought that was something the coalition—or the Liberal Party at least, with its supposed focus on the liberty and integrity of the individual—would have been falling over themselves to legislate.

Nonetheless, it has come forward as a private senator's bill. I was puzzled when, after the election, the government did not simply proceed with the matter. There were no significant voices raised in industry—maybe a little bit of grumbling—but the fact is that most people working in this field, in an Australian industry context, would be well aware that the reliability or the integrity of your business model depends on people trusting that their data is secure. Given that so much of our private information has now been shifted online, you have effectively lost control over it; so what you would hope is that the people you have entrusted with it would, at the very least, let you know if that material has been made insecure or lost.

Data breaches and the sort of stuff that we are talking about can range from the inconvenient all the way up to the life threatening. When the Department of Immigration let go of thousands of people's records not so long ago, that actually put people's lives at risk. Those people had a right to know about that, rather than finding out about it in the media. It affects people in this building. The fact is that we were not told for quite a long period of time that, allegedly—and there appear to be quite strong indications now that this is the case—hackers working for the Chinese government had penetrated the mail servers of this building, affecting staff, senators, representatives and journalists working here.

When Senator Singh closes the debate later in the morning, I would be interested if she could spell this out, because my reading of the way it is drafted is that it is intended to catch organisations such as those who run the mail servers here at Parliament House. I think that anybody in any quarter of Australian society, whether they work in Parliament House or not, has a right to know if their private material and data has been compromised.

Citizens absolutely have a right to privacy. That is something that is recognised globally and yet what we see is something of a patchwork. Mandatory data breach notification does exist in various jurisdictions but it is very unevenly applied. I would draw senators' attention to World Law Group's Global guide to data breach notifications which they published in 2013 that outlines just how uneven the regulatory environment is around the world. One thing that Australia could do, in taking a fairly strong stand about mandatory data breach notifications, is, apart from encouraging other countries around the world to step up as well, create a competitive advantage. Data is mobile. It can be stored all over the place. So why would Australia not take a strong stand in that regard? That is something that to me almost feels self-evident. I will be interested when Senator Birmingham stands up, as someone who has had quite a long association with these issues, to hear if he can put in black and white the position of the government as to why on earth you would not proceed with a matter like this.

Citizens absolutely have a right to privacy and the examples even from the last couple of years, where quite large corporations—major companies and government departments—have simply lost control of people's material, is almost too long to get into a 20 minute speech. Sony was one of the most high profile, Telstra, First Super, ANZ Bank. These are just examples from recent times. The Australian Privacy Commissioner in 2012 said that it appeared that these kinds of events were on the rise. The Australian Information Commissioner, Professor John McMillan, said that there is 'strong support for the notion that the Government must treat data breach notification is a mandatory process' and that 'internationally, the tide is moving in this direction'. He said that in 2012. It is not like this issue was new to this parliament. It is not even, in my view, a particularly complex matter, so I very much look forward to hearing the government's argument as to why it should not proceed. If it is the usual parliamentary tactic where you take a good idea and come up with some fabricated reason why you cannot pass it and then reintroduce it as a government bill—we see that happen from time to time—this is one instance where I would not begrudge it, as long as it gets done.

As I say, citizens have a right to privacy and corporations and powerful institutions and governments have an obligation to transparency. That is something, I suppose, of the Cypherpunk Manifesto. We see this government, particularly under this Attorney-General, as moving in the opposite direction—as annihilating privacy for ordinary people while withdrawing government operations behind a curtain of national security. Perhaps that will come out in Senator Birmingham's comments as a reason to oppose this kind of bill.

I do want to acknowledge while I have the floor someone who has done more than most to advance these issues around personal privacy, data security and also the obligation of governments and powerful institutions to transparency. It is two years today since Mr Julian Assange, an Australian citizen, entered the Ecuadorian embassy in the Knightsbridge in London and threw himself on the mercy of the Ecuadorian government in a bid for asylum because he was not getting any protection or any help from the Australian government at the time. Since the change of government we have seen absolutely no change in posture or policy from the incoming government. In fact, if anything, things have got substantially worse. But I do want to acknowledge Julian Assange, who has now spent two years in the close confines of a very small embassy premise. I also want to put firmly on the record my thanks and gratitude on behalf of millions of Australians to the Ecuadorian President and the Ecuadorian authorities for taking this stand. While sometimes the debates in here may seem somewhat abstract, these are issues that affect us all, whether we like it or not. Everything that we do in some sense is mapped and recorded online and the integrity of that material and our rights to its protection and our rights to privacy are something that should not simply be frittered away.

Again, I thank Senator Singh for bringing this bill forward for debate and look forward to putting it to a vote and sending it to the other place for consideration.