On March 3, 2015, then-Attorney-General George Brandis and the then-Communications Minister, Malcolm Turnbull, gave a solemn undertaking in response to the parliamentary committee that had examined, and approved, Tony Abbott’s data retention legislation. In the view of the Joint Committee on Intelligence and Security, if the government was going to force companies to retain the private information of citizens, citizens needed to know they would be told if their stored information was stolen. “The Committee recommends introduction of a mandatory data breach notification scheme by the end of 2015,” its final report said.
Brandis and Turnbull supported that. “The Government agrees to introduce a mandatory data breach notification scheme by the end of 2015, and will consult on draft legislation,” they said. It was clear cut, and the government had more than nine months to get it up and running.
If Turnbull and Brandis had fulfilled their commitment, the Commonwealth Bank’s customers would not now be wondering why the bank had left them in the dark over a major data breach involving 12 million accounts, leaving it for Buzzfeed to tell them. Instead, the CBA deliberately refused to inform them that account information had gone missing and, to date, remains unaccounted for. The timing is perfect given it was only on Tuesday that an Australian Prudential Regulation Authority found that the CBA was complacent and had little interest in customer outcomes.
What happened to the promise from Turnbull and Brandis? They sat on their hands and did nothing while the Attorney-General’s Department, having secured its ambition to impose mass surveillance on Australians, dithered. Nothing happened until December 2015, when the bureaucrats finally released a discussion paper. The Greens’ Scott Ludlam had already asked Brandis why nothing had happened by that point. Brandis — ever the careful parser of words — had changed his position. “I should have said the government intends to introduce legislation before the end of this year,” he corrected himself in Question Time in October of 2015. Remember, his and Turnbull’s commitment was that the scheme would be introduced in 2015 — not just the legislation establishing it.
As it turned out, courtesy of Turnbull’s decision to call an early election, they didn’t even meet that watered-down deadline. It wasn’t until a year later, in October 2016 — after the Commonwealth Bank had decided to keep secret its massive data breach — that the bill was introduced. If that could be blamed on the election, the government then dawdled and the bill wasn’t passed in the House of Representatives, and then the Senate, until February last year — almost exactly two years since Brandis and Turnbull promised it would be done. And even then, there was a year’s delay between royal assent to the Act, and its commencement. So, in the shadows on the third anniversary of Turnbull and Brandis promising a data breach notification law by year’s end, the actual scheme commenced on 22 February this year, way too late for the CBA’s customers.
A cynical observer might think the government had been trying to protect big companies from public exposure of their stuff-ups. But of course, we know that couldn’t be true.