Andrew Leigh

I spoke in parliament about privacy reforms, and their tie-in with Labor's tradition of consumer protection.

Privacy Amendment (Enhancing Privacy Protection) Bill, 23 August 2012

Personal information is becoming more sensitive and valuable in the expanding online world. Protecting the privacy of personal information is a real concern for consumers and business. On one estimate, identity theft and fraud affects half a million Australians every year. In 2007, my friend Joshua Gans wrote in his blog about his own experience of identity theft. He wrote that somebody had obtained his details using his birthdate, which was available on his CV. They then obtained a Medicare card and began to open bank accounts in his name. He discovered later that he was among the victims of a large scamming operation which has since been shut down by the authorities. He was pretty shocked by the experience. Joshua's experience shows the importance of privacy protection and why we need strong legislative protection of personal information.

The Labor Party has a tradition of consumer protection, and it is in this tradition that we are strong believers in protecting privacy. We understand that to protect individual freedoms, you need appropriate privacy laws. Consumers deserve protection from the disclosure of credit-reporting information and its use in direct marketing. Businesses will benefit from a credit-reporting system that is accurate and up to date. In this bill we are striking a balance between the needs of consumers and businesses to operate and adequate protections of the disclosure of personal information and credit reporting.

It was the Labor Party which, in 1990, introduced credit reporting. The Privacy Amendment Act  was directed at the activities of credit-reporting agencies. A number of other bodies, such as consumer groups, have expressed concern about the potential for breaches of privacy by the users of the agencies and about the inaccuracy of some of the information held by agencies. This inaccuracy has usually resulted from incorrect information being passed to the agency or from a failure to update information under such circumstances—for example, when a person has subsequently paid a debt on which they had previously defaulted.

Labor is committed to containing the growing level of unmanageable personal debt, and we want to make sure that credit providers have access to a wider range of information about an individual's financial situation. Credit providers themselves are an important check on individuals taking on unmanageable debt. So, in reforming credit reporting, we introduced requirements that records be kept of inquiries made by credit providers for payments that are overdue by at least 90 days. We limited the maximum period for which information can be kept to no more than seven years. We empowered credit consumers by enabling a person to request that their information be altered if they disagree with the information held by a credit-reporting agency.

This government also introduced the National Consumer Credit Protection Act 2009, which implemented a new consumer credit regulation framework to replace the state based regulatory framework known as the Uniform Consumer Credit Code. That reform addressed the problems that emerged with the operation of the Uniform Consumer Credit Code to guarantee consistency among jurisdictions. We knew that there were risks associated with the continued lack of comprehensive government supervision of finance-broking practices, and that is why we took action to protect consumers from onerous mortgages.

The Law Reform Commission's 2008 report For Your Information: Australian Privacy Law and Practice informs the measures proposed in this bill. The report argued:

‘As a recognised human right, privacy protection generally should take precedence over a range of other countervailing interests, such as cost and convenience.’

It noted that rapid advances in information, communication and surveillance technologies have created a range of previously unforeseen privacy issues. It also noted that regional political and economic blocs, such as the EU and APEC, have created pressure for Australia's privacy protection regime to align with those of Australia's key trading partners.

The Australian retail industry has noted the rapid rise of online shopping. According to Australian Bureau of Statistics data, in 2008-09 just under two-thirds of Australian adults had used the internet to purchase goods and services in the previous 12 months. The wife of one of my staff has said that, when she wants to buy new clothes for her baby daughter, she does it through Etsy. Etsy is a perfect example of the interconnectedness brought about by online retailing. Dresses from the United States, toys from Italy and hairclips from Turkey can all be purchased online—and, of course, online retailers are holding email addresses, credit card details and other personal information.

While it is terrific to be able to have access to a wider range of goods—and a wider range of goods is as important a benefit of trade as lower prices—it is also important to make sure that we manage the risks regarding the protection of private information. The Australian Crime Commission have described identity theft as one of the fastest growing crimes in Australia. They highlight how identity crime causes financial damage to consumers, lending institutions, retail establishments and the economy as a whole because of the confidence-sapping effect of identity crime and the tendency for victims to then cease engaging in online transactions.

Identity crime fuels other criminal activities. Criminals will sometimes use identity crime, for example, in order to rent a car to carry out another offence. It erodes the trust consumers have in service providers. It causes emotional distress for victims. Someone ultimately has to foot the bill, whether that is a business or an individual. It can even threaten the safety of people who have had their data exposed. We have seen some of these instances in the world of online socialising.

The sophistication and speed with which hackers can breach online security systems is, frankly, breathtaking. Here is a story from Wired magazine demonstrating how easily and quickly this was done to Mat Honan through breaching Amazon and Apple security systems. He related how in the space of just an hour his 'digital life' was destroyed. Here is his chronology:

‘At 5:02 p.m., they reset my Twitter password. At 5:00 they used iCloud’s “Find My” tool to remotely wipe my iPhone. At 5:01 they remotely wiped my iPad. At 5:05 they remotely wiped my MacBook. Around this same time, they deleted my Google account. At 5:10, I placed the call to AppleCare. At 5:12 the attackers posted a message to my account on Twitter taking credit for the hack. ’All of that happened in the space of 12 minutes. When we are up against hackers like that, it is critical that the law adapts as well, that we enhance the protections around the collection, storage, security and use of personal information in today's digital world.

With so many Australians conducting business online, dealing with identity theft through the internet and cybercrime are substantial concerns for this government and law enforcement agencies. On an online forum I found one story about somebody who had been a victim of internet identity theft. Told anonymously, it read as follows:

‘Not too long ago, I made a disturbing discovery. I received a statement in the mail for a department store credit card that I hadn’t authorized, and noticed a shipping address that was not my own. My name was listed on the bill, and my home address was recorded as the billing address – but the shipping address was for a location in an entirely different state.

‘I immediately called the credit card company to find out what was happening, thinking there must be some kind of mistake. I was connected with a helpful customer service representative who was able to quickly determine that I was a victim of fraud. Thankfully, she believed me when I insisted I had not authorized this card to be opened.

‘Once the customer service representative had notified her company’s fraud department, I asked if she might be able to give me any further information. She was very helpful and gave me the name of the person who had opened the account.

‘After hanging up with the credit card company, I immediately did a quick Internet search. Having the name of the women who opened the account, and knowing the state where the products were sent made my search rather easy. Soon I was able to locate a telephone number for the person who had opened this credit card in my name, without my permission.

‘I dialed the number and was a little surprised to hear an older woman’s voice on the phone. She was clearly unnerved when I told her my name and asked why she had opened an account using my identity. Out spilled her story of meeting a man with my name in an Internet chat room.

‘Nervously she shared how he had convinced her to open a few credit card accounts on his behalf. He gave her the necessary information and directed her to make store credit purchases at a major department store, a clothing store, and a toy store. I was a bit alarmed – the major department store was not the only place where an unauthorized credit card had been issued.

‘The woman continued to tell me that the impostor had convinced her he wasn’t able to purchase products from the United States on his own and needed her help. He told her she would be doing him a big favor if she would order items on his behalf, and have them sent to her address. Then, she was directed to ship the items to him at an address outside the country.

…   …   …

‘It did take a few weeks and some follow-up phone calls for the matter to be completely resolved with all the stores. However, it took longer to shake the feeling of being violated. It was unnerving to know that someone else had used my name and information to open a line of credit without my knowledge. It could happen again, and it could happen to anyone.’

And it does.

The extent and severity of identity theft and fraud in Australia are difficult to pinpoint, but one estimate from the Australian Transaction Reports and Analysis Centre found identity fraud costs $1 billion every year. That estimate is from 2003, so the cost is almost certainly higher now. The ABS conducted a personal fraud survey, as I noted earlier, and estimated about half a million victims of identity fraud over the prior 12 months.

We are tightening the rules on sending personal information outside Australia. Before an agency or organisation discloses personal information to an overseas recipient, it will have to take reasonable steps to make sure the recipient does not breach the Australian Privacy Principles. Under the reforms in the bill, the agency or organisation will remain responsible for the personal information even when it is in the hands of the overseas recipient. The security of personal information will be the responsibility of the overseas recipient only in limited circumstances.

This bill is part of the government's response to the For your information report. It introduces three key reforms to the Privacy Act 1988: new unified Australian Privacy Principles that will apply equally to the private and public sectors; more comprehensive credit reporting that will include positive information in consumers' credit reports; and new powers for the Australian Privacy Commissioner to handle complaints and give remedies to consumers. These three reforms will deal with the handling of personal information and include provisions for the collection, storage, security, use, disclosure and accuracy of information.

A new principle will give more power to consumers to opt out of receiving direct marketing materials—an issue that I know, Deputy Speaker Georganas, is close to your heart with your strong advocacy for a 'do not knock' register. This reform more tightly regulates the use of personal information for direct marketing. Companies will have to provide a clear and simple way of opting out. The reforms to consumer credit reporting, as I said earlier, sit very much in a Labor tradition.

These are reforms that will benefit consumers and benefit businesses. By minimising identity fraud and maximising confidence in online trading, we will ensure that Australians are able to continue socialising online and communicating with businesses with confidence that the laws that underpin their dealings are advancing as the technology of hackers moves on. We are providing new powers to enable the Australian Privacy Commissioner to accept enforceable undertakings and, if warranted, to pursue civil penalties for a serious breach of privacy. We understand that individual freedoms require the protection of well-made laws, and that is in the great Labor tradition of protecting private information and standing up on the side of consumers. I commend the bill to the House.