HON MARK DREYFUS KC MP
MEMBER FOR ISAACS
SATURDAY, 22 OCTOBER 2022
SUBJECTS: Privacy breach legislation; Lidia Thorpe.
ATTORNEY-GENERAL MARK DREYFUS: When Australians hand over their personal information they have a right to expect it will be protected. As we've seen in recent week our existing privacy laws were left hopelessly outdated by the former Coalition Government. They are not strong enough to ensure that our companies protect private information of Australians. The Albanese Government is getting on with fixing privacy laws. Next week I'll introduce legislation to significantly increase penalties for these serious or repeated data breaches and give the Information Commissioner the power to make companies comply with their obligations to protect our data. The penalties will not be just a cost of doing business. They mean big companies could face penalties up to hundreds of millions of dollars if they have serious or repeated data breaches.
REPORTER: Attorney-General, could you define what you mean by serious data breaches?
ATTORNEY-GENERAL: Serious is going to be determined by how many people are affected, by how serious the information that has been leaked is, what the consequences of the breach are, and how reckless the company was. So, there's a combination of factors that are going to determine how serious the breach is.
REPORTER: Attorney-General, I understand that these are not retrospective, but if it were to be the occasion that a situation like Optus or Medibank happened in the future, would they fall under the jurisdiction of these fines and face bigger penalties?
ATTORNEY-GENERAL: I don't want to be commenting at all on any of the current breaches that we are working through. Those are matters which are being investigated. I can only say that this is to deal with serious or repeated breaches. It is a very, very substantial increase in the penalties. It's designed to make companies think. It's designed to be a deterrent so that companies will protect the data of Australians.
REPORTER: Attorney-General, I just wanted to ask. the additional powers being given to the Information Commissioner, is that move a response to any particular instance that's occurred. Has Optus, for example, proved difficult to deal with? Have any of these companies proved difficult to deal with? Is that why these additional powers been given?
ATTORNEY-GENERAL: The Information Commissioner has been asking for these powers now for years. The former government, more than two years ago, commenced the review of the Privacy Act but they never completed it. So, the Information Commissioner has been on the record for quite a long time as asking for these additional powers. We're not going to wait for that review of the Privacy Act to be completed. We're getting on with the job. We're going to give the Information Commissioner the powers that she needs to pursue companies, to investigate properly, to make sure that companies properly notify when there's been a data breach, and most importantly, to enable the Information Commissioner to work with other agencies by sharing information that's come to her through her privacy function to make sure that government is working seamlessly together.
REPORTER: So, the current fines, would you classify them as so minor they don't really matter to some of these big companies that are not taking them seriously?
ATTORNEY-GENERAL: The maximum fine at the moment is $2.2 million, and for a really big company that's just a cost of doing business. It's something that they can safely ignore. What we need is really large penalties that will concentrate the minds of corporations who are storing Australians' data, making sure that in the future they will look after that. Australians who share their personal information with companies are entitled to expect that that information will be cared for properly and if what it takes is really large increases in penalties that's what we're going to do. As I've explained, this is alternatively a penalty of up to $50 million or three times the turnover for the relevant period. That could mean, for a large corporation, fines in the order of hundreds of millions of dollars and we think that that will concentrate the minds of directors of the boards of these companies.
REPORTER: Attorney-General, is this mostly about deterrence, or is the Government really willing to dish out fines of hundreds of millions of dollars beyond the reputational damage that some of Australia's biggest companies would have already suffered as a result of these breaches?
ATTORNEY-GENERAL: We need to make sure that when a data breach occurs the penalty is large enough, that it's a really serious penalty on the company and can't just be disregarded or ignored or just paid as a part of a cost of doing business. The fine will be imposed by a court, of course. It's not going to be a minister in the Government that's deciding how much the fines should be. A court will decide what is the appropriate penalty, but by setting the limits for fines much, much higher than they are at the moment, it's very likely that when there is a breach, and a court is considering what penalty to impose in the future, that a much heavier penalty will be imposed, and simply changing the law so that there's a possibility of these much heavier penalties will be a deterrent.
REPORTER: In the case of Lidia Thorpe Attorney-General, is this the type of thing that the Government would consider making a referral to the National Anti-Corruption Commission over?
ATTORNEY-GENERAL: As I've said before, I won't be directing the National Anti-Corruption Commission, when we establish it next year, on what it should be investigating.
REPORTER: Is your opinion though that there's a conflict of interest there?
ATTORNEY-GENERAL: I won't become any further on Lidia Thorpe or her conduct. It's a matter for the Greens and a matter for the Parliamentary committee of which she was a member, which is just about to start an investigation into her conduct, as it should.
REPORTER: Do you think it's unbecoming of a Senator, though, Attorney-General?
ATTORNEY-GENERAL: I'm not going to comment further. It's a matter for the Greens Party to deal with Senator Thorpe, as they think appropriate and it's a matter for the Parliamentary committee, which is going to be investigating. It's announced an investigation into Senator Thorpe's conduct while she was a member of that important Law Enforcement Integrity Committee of the Parliament.
Thank you very much.