George Brandis

The government has dawdled in bringing in new laws to punish businesses for failing to disclose data breaches but is rushing to punish people who point out the government’s own privacy bungles.

There are currently two amendments to the Privacy Act due to be debated in the Senate in the near future. One law languished through two parliaments, the other was rushed in a matter of months. One punishes businesses for doing the wrong thing, the other punishes people for trying to fix the government’s stuff-up. One will sail through Parliament; the other is facing imminent defeat.

The first one was first floated almost four years ago, proposed by the former Labor government. The legislation will require businesses to disclose when there has been a breach of personal data. Many businesses are now voluntarily disclosing these breaches, but many wait, sometimes years, before telling the public about their stuff-ups — like Catch of the Day. The legislation has bipartisan support and is likely to pass quickly without much fuss. There have been countless data breaches since the time the legislation was first proposed, but the length of time it took to be introduced is indicative of how opposed businesses are to the legislation.

The second piece of legislation, by contrast, faces a tough battle to get out of the Senate. Legislation criminalising the re-identification of data that has been anonymised was quickly introduced into Parliament in October last year after researchers in Melbourne pointed out to the government that recently released data sets of claims made to Medicare and the PBS over the past 30 years were able to be partly decrypted. Under the proposed legislation, those researchers would face up to two years in jail for their efforts, unless they got explicit permission from the government first to attempt to re-identify the data.

The government defended the harsh penalty, stating that a two-year jail term would deter people from re-identifying data. The Attorney-General’s Department also claims that merely informing the government that data could be re-identified, without actually re-identifying the data, would not constitute an offence. The Coaltion senators on the committee examining the legislation also came to the view that because people employed by state and territory governments — such as university researchers — were exempt from the law, then most researchers would be just fine. And the minister can issue an exemption if required.

The legislation will face difficulty passing the Senate, however, because Labor and the Greens senators on the committee said the legislation was a disproportionate response and sought to punish researchers working in the public interest. They argue that rather than addressing the cause of the problem — holding agencies responsible for de-identifying data properly in the first place — it is penalising researchers for doing proper investigations on data sets, and also reverses the burden of proof when determining guilt or innocence.

The data breach notification law looks set to pass, but unless the government can secure the numbers on the crossbench, the re-identification legislation will be waiting around for a while.

Peter Fray

Fetch your first 12 weeks for $12

Here at Crikey, we saw a mighty surge in subscribers throughout 2020. Your support has been nothing short of amazing — we couldn’t have got through this year like no other without you, our readers.

If you haven’t joined us yet, fetch your first 12 weeks for $12 and start 2021 with the journalism you need to navigate whatever lies ahead.

Peter Fray
Editor-in-chief of Crikey