The protections, described by one leader in the legal community as ‘basic’, are yet to surface. Max Chalmers reports.
The Coalition government is yet to reveal a key safeguard designed to alert citizens to breaches of their privacy, despite the fact it promised to introduce the changes by the end of the year in order to help win support from Labor for its controversial data retention laws.
As of today Australian phone and internet service providers will be forced to collect and store a range of their customers’ data for two years, and can be made to hand it over to a number of government agencies on request and without a warrant.
When the Coalition announced the plans they sparked fears the massive amounts of information collected would be misused and enable serious breaches of privacy, provoking a Parliamentary Joint Committee on Intelligence and Security (PJCIS) inquiry to recommend the government introduce a so-called mandatory breach notification scheme. The government agreed to that recommendation, and said it would introduce legislation by the end of 2015.
Laws of this kind are designed to let citizens know when a breach of their privacy has taken place, for instance if their internet service provider has its servers hacked and their information is accessed, or if somebody peeks at their data in a way not authorised by law.
In evidence to the PJCIS inquiry the Australian Privacy Commissioner said such a scheme would help manage the risks associated with data retention.
“This is because the challenge of effectively securing that information from misuse, interference and loss, and from unauthorised access, modification or disclosure will become more difficult as technology evolves,” they told the Committee. “For example, the large volume of personal information held by service providers will be an attractive target for people with malicious intent and/or criminal intent.”
But with just 15 joint sitting days of Parliament left in the year Labor, the Greens, and groups asking to be consulted on the changes are flagging their concerns that legislation is yet to surface, and that little to no consultation appears to have been undertaken so far.
A spokesperson for the Shadow Attorney-General Mark Dreyfus told New Matilda Labor had not been consulted on any advances in the legislation.
“Labor is concerned about the Government’s apparent failure to take action on this commitment it made when the Data Retention Bill was passed,” they said. “Mandatory data breach notification was one of the numerous safeguards Labor insisted on before we were willing to support the Data Retention Bill.”
Katie Miller, President of the Law Institute of Victoria, told New Matilda that without mandatory breach notifications privacy rights are “essentially useless”. She said it was not so much a significant safeguard as a base one.
“You can’t enforce a right if you don’t know it’s been breached,” Miller said.
Miller noted that aside from the threat of data being hacked, there was also a risk that telcos and internet service providers, security, and law enforcement officials could also engage in unauthorised access.
“We’ve seen time and time again that the most common source of data breaches are from within,” she said.
The Law Institute of Victoria has been a notable voice in the debate on data retention and was quoted by the PJCIS in the section of its report dedicated to mandatory breach notifications, but Miller said she was not aware of any consultation on new laws.
Greens deputy leader Scott Ludlam said his party had not been consulted either, taking aim at Labor for helping the Coalition pass the data retention laws in March.
“It was a commitment that was made, that was part of Labor’s price, part of their 30 pieces of silver, was that this [mandatory breach notification]Bill would be brought forward and passed, and there’s been nothing,” he said.
The Greens Senator shared his tips for avoiding data retention with New Matilda yesterday.
A spokesperson for Attorney-General George Brandis said an exposure draft of the mandatory data breach notification legislation would be released shortly.
“The Government will consider the views of industry and other stakeholders before finalising the legislation,” they noted. When contacted for comment, a spokesperson for the Office of the Australian Information Commissioner said there had been “some discussions” with the Attorney-General’s department on the issue.
In an unfortunate coincidence of timing, those laws would likely already be in place if not for the 2013 election.
The previous Labor government had attempted to legislate mandatory data breach notification laws, an effort which drew support from the Coalition in the House of Representatives. The Bill looked set to become law but didn’t find its way through the Senate before the 2013 election.
It was reintroduced in 2014.
“There is no clear reason why this Bill, or a substantially similar Government Bill, could not be passed by the Parliament,” a spokesperson for Dreyfus said.
Miller said the Bill would be a good start point.