The majority voted against amendments introduced by NSW Senator David Shoebridge (Greens), which means it failed.
What does this amendment do?
Senator Shoebridge explained that:
This amendment seeks to put in a new section 13GA into the Privacy Act, which would provide that an entity contravenes this subsection if the entity doesn't act and or engages in a practice that is in interference with the privacy of one or more individuals, and it seeks to retain the existing civil penalty of 2,000 penalty units for that breach. It also has a consequential amendment that provides that there's no retrospectivity in relation to that proposed provision.
The proposed new section 13GA would remove the necessity for 'repeated or serious' from the offence provision and provide for what pretty much every stakeholder said we need, whether it was Electronic Frontiers, Digital Rights Watch or even the business reps who came before the inquiry that we had: put in place a tiered approach. If the Greens amendment was successful, it would allow the regulator to have at least some nuance in how the regulator goes about enforcing privacy. But if they see a breach of the privacy laws—and it may well be a quite disturbing breach; it doesn't have to be serious or repeated, but it could be—then instead of having to go and press the nuclear launch button of the $50 million penalty they'd be able to seek a penalty that has a maximum value of some 2,000 penalty units for a corporation which would not see small or medium businesses or charities potentially going to the wall when the regulator takes action.
Without this, we're going to see no realistic way of enforcing the privacy laws against small and medium business or against the charitable and not-for-profit sector. If the only tool to hand for the regulator is a $50-million-plus maximum penalty, that is not going to be able to be used in any practical way against small and medium business or against NGOs and the not-for-profit sector; it just won't be. And we're going to pass a law here today that is actually going to mean less real power, less real capacity for the regulator to enforce our privacy laws.
Amendment text
(1) Schedule 1, page 5 (after line 10), after item 11, insert:
11A At the end of Division 1 of Part III
Add:
13GA Other interferences with privacy
An entity contravenes this subsection if the entity does an act, or engages in a practice, that is an interference with the privacy of one or more individuals.
Civil penalty: 2,000 penalty units
(2) Schedule 1, item 45, page 18 (after line 6), after subitem (3), insert:
(3A) Section 13GA of the Privacy Act 1988, as added by this Schedule, does not apply in relation to an act done, or a practice engaged in, before the commencement of this item.
Summary
Date and time: 12:09 PM on 2022-11-28
Senator Pocock's vote: Abstained
Total number of "aye" votes: 12
Total number of "no" votes: 31
Total number of abstentions: 33
Related bill: Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022
Adapted from information made available by theyvoteforyou.org.au