Our journalism usually sits behind a paywall, but we believe this is the time to make more of our content freely available to as many readers as possible. For more free coverage, sign up to COVID-19 Watch.

On March 3, 2015, then-Attorney-General George Brandis and the then-Communications Minister, Malcolm Turnbull, gave a solemn undertaking in response to the parliamentary committee that had examined, and approved, Tony Abbott’s data retention legislation. In the view of the Joint Committee on Intelligence and Security, if the government was going to force companies to retain the private information of citizens, citizens needed to know they would be told if their stored information was stolen. “The Committee recommends introduction of a mandatory data breach notification scheme by the end of 2015,” its final report said.

Brandis and Turnbull supported that. “The Government agrees to introduce a mandatory data breach notification scheme by the end of 2015, and will consult on draft legislation,” they said. It was clear cut, and the government had more than nine months to get it up and running.

If Turnbull and Brandis had fulfilled their commitment, the Commonwealth Bank’s customers would not now be wondering why the bank had left them in the dark over a major data breach involving 12 million accounts, leaving it for Buzzfeed to tell them. Instead, the CBA deliberately refused to inform them that account information had gone missing and, to date, remains unaccounted for. The timing is perfect given it was only on Tuesday that an Australian Prudential Regulation Authority found that the CBA was complacent and had little interest in customer outcomes.

What happened to the promise from Turnbull and Brandis? They sat on their hands and did nothing while the Attorney-General’s Department, having secured its ambition to impose mass surveillance on Australians, dithered. Nothing happened until December 2015, when the bureaucrats finally released a discussion paper. The Greens’ Scott Ludlam had already asked Brandis why nothing had happened by that point. Brandis — ever the careful parser of words — had changed his position. “I should have said the government intends to introduce legislation before the end of this year,” he corrected himself in Question Time in October of 2015. Remember, his and Turnbull’s commitment was that the scheme would be introduced in 2015 — not just the legislation establishing it.

As it turned out, courtesy of Turnbull’s decision to call an early election, they didn’t even meet that watered-down deadline. It wasn’t until a year later, in October 2016 — after the Commonwealth Bank had decided to keep secret its massive data breach — that the bill was introduced. If that could be blamed on the election, the government then dawdled and the bill wasn’t passed in the House of Representatives, and then the Senate, until February last year — almost exactly two years since Brandis and Turnbull promised it would be done. And even then, there was a year’s delay between royal assent to the Act, and its commencement. So, in the shadows on the third anniversary of Turnbull and Brandis promising a data breach notification law by year’s end, the actual scheme commenced on 22 February this year, way too late for the CBA’s customers.

A cynical observer might think the government had been trying to protect big companies from public exposure of their stuff-ups. But of course, we know that couldn’t be true.

Peter Fray

This crisis will cut hard and deep but one day it will be over.

What will be left? What do you want to be left?

I know what I want to see: I want to see a thriving, independent and robust Australian-owned news media. I want to see governments, authorities and those with power held to account. I want to see the media held to account too.

Demand for what we do is running high. Thank you. You can help us even more by encouraging others to subscribe — or by subscribing yourself if you haven’t already done so.

If you like what we do, please subscribe.

Peter Fray
Editor-In-Chief of Crikey

Support us today