“Get on with it”: Ludlam tells Govt on data breach notification bill


Greens Deputy Leader and Senator Scott Ludlam has successfully moved a Senate motion demanding the Government “get on with” its plans to introduce mandatory data breach legislation, pointing out that the concept had multi-partisan support and would be likely to pass Federal Parliament in quick order.

Mandatory data breach legislation would require Australian organisations to notify individuals and the national privacy regulator when a data breach — whether accidental or carried out maliciously — resulted in the release of their confidential information.

There have been a number of recommendations for such legislation to pass the Federal Parliament. The Parliamentary Joint Committee on Intelligence and Security recommended the passage of such measures in its report on last year’s controversial Data Retention legislation; and Attorney-General George Brandis committed at the time to bringing legislation before the Parliament by the end of 2015.

Labor Senator Lisa Singh has also tabled a Private Senator’s Bill that would bring effect to the measures.

The Government did take steps on the issue at the end of 2015. On 3 December the Attorney-General’s Department released an exposure draft of mandatory data breach legislation. The Department is taking comments on the bill until 4 March; it will likely be modified to a degree and then introduced into Parliament after that point.

However, today Ludlam successfully moved a motion in the Senate noting that the Government had previously started debating the issue; that Brandis had previously committed to such legislation and that no bill had yet hit the floor of Parliament. The motion calls for the Government to make a statement to the Senate explaining its behaviour (see its full text here).

“Where is the bill?” Ludlam asked the Senate.

“After stuffing around for more than two years, we get an exposure draft late last year. Why is this not already law? Why doesn’t the Government simply get on with it?”

And in a separate statement, Ludlam said:

“In the midst of the shambolic mandatory data retention debate, the government assured everyone that they would legislate a mandatory data breach scheme in 2015 – a measure that had been debated in the senate since 2013.”

“The Senate began debate on mandatory data breach notification legislation prior to the 2013 election. Attorney General George Brandis committed to introduce data breach notification laws before the end of 2015. He still hasn’t.”

“We’re still waiting.”

Responding to Ludlam’s motion, Liberal Senator Scott Ryan made the following statement, noting that the Government opposed the Greens Senator’s motion:

“The government has released an exposure draft to the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 to consult extensively with industry and other stakeholders on the proposed scheme, in particular with a view to minimising costs and regulatory impact. The draft legislation and explanatory memorandum regulation impact statement, along with the discussion paper, was released on 3 December last year, and submissions can be made until 4 March this year.”

“The government will closely consider the views of stakeholders and introduce the bill into parliament in the first half of this year. Strong privacy protections are a critical foundation for a vibrant digital economy. The proposed mandatory data breach notification scheme will give all Australians an added level of confidence in dealing with business and government online.”

To be honest, I’m not quite sure what Senator Ludlam really sought to achieve here (sorry, Scott!).

The fact that Brandis has already released an exposure draft of the proposed mandatory data breach notification bill makes it trivially easy for the Government to respond to Ludlam’s complaint.

All Ryan had to do was to point out that the Government released a draft of the bill and that it will be introduced into Parliament when the consultation period is finished.

At this point Ludlam would find himself in the uncomfortable position of either calling for the consultation period to be cut short (an unsightly position for the democracy-focused Greens) or criticising the Government for not getting the bill together fast enough. Neither is going to gain much political mileage, with the bill already in exposure draft stage.


  1. Choice: choose one of:
    a) get legislation up quickly to sort immediate problems we know about or sound reasonable;
    b) delay legislation by inertia and quietly prepare inserts to remove perceived civil rights when we pass it in an urgent hurry after a major breach.

  2. “After stuffing around for more than two years, we get an exposure draft late last year. Why is this not already law? Why doesn’t the Government simply get on with it?”

    Why do they have a live mandatory data retention bill without the requirement to notify users in the event of a breach? That’s what Ludlam is getting at; I sure do agree with him.

    You have begun this year in a very pessimistic tone Renai ;)
