Digital ID Bill introduced to the Senate

By Natasha Roberts

On 30 November 2023, the Minister for Finance and the Attorney General announced that the Digital ID Bill had been introduced into the Senate, a historic step to strengthen and expand Australia’s Digital ID System and do more to protect Australians’ privacy and security settings in the digital age.

The Government released an Exposure Draft of a Digital ID Bill in September 2023, aimed at formalising in legislation a digital ID system that has been under development in Australia for many years. IIS Partners made a submission on the 2023 Exposure Draft and a submission to an earlier 2021 Exposure Draft identifying ways in which its protections could be strengthened.

It is gratifying to see suggestions presented in our submission taken up in the Bill as introduced – or at least this is our understanding from an admittedly quick review of the Bill.

Voluntariness

In particular, it is pleasing to see a strengthening of provisions protecting the voluntariness of digital IDs. Guaranteeing that participation in digital ID systems will be voluntary and non-compulsory is one of the strongest protections available to individuals to avoid overreach by government or other entities and worsening of the power imbalance over individuals.

To that end, our submission raised concern over an exception in the Exposure Draft that would override the voluntary use requirement where ‘a law of the Commonwealth, a State or a Territory requires verification of the individual’s identity solely by means of a digital ID.’ Such a provision, we pointed out, would allow future encroachment on voluntary use. We are pleased to see the removal of that exception from the Bill.

Law enforcement and national security exceptions

Another major area of concern for us was the permissiveness of law enforcement and national security exceptions in the Exposure Draft. IIS has been on the record in a July 2021 submission and again in an October 2021 submission regarding our concern about such exceptions, which we find to be too broad, establishing too low a bar for disclosure to these agencies, and too weak a framework for oversight.

With this Bill, we see some narrowing of law enforcement and national security exceptions. For example, one of the main clauses enabling disclosure for law enforcement purposes (clause 54) now formally excludes biometric information – disclosure of biometric information for law enforcement purposes is regulated under a separate provision and requires the higher bar of a warrant before disclosure.

We also see that certain exceptions within clause 54 appear to have been narrowed. In the Exposure Draft personal information could be disclosed for law enforcement purposes where the accredited entity was satisfied that the enforcement body reasonably suspected that a person had committed an offence or breached a law imposing a penalty or sanction. In the Bill this has been narrowed to allow disclosure where the accredited entity is satisfied that the enforcement body has started proceedings against a person for an offence or in relation to a breach of a law imposing a penalty or sanction. The penalty for breaching clause 54 has also been increased from 300 penalty units in the Exposure Draft to 1500 penalty units in the Bill as introduced.

IIS remains of the view that the Minister’s stated goal of ‘inclusivity’ is likely to be threatened by an overly permissive approach to law enforcement access to information handled and generated by digital ID systems. Law enforcement or national security access has the potential to negatively impact trust in the system, which in turn will negatively impact inclusion, especially for individuals who already have low trust in government or are generally on the margins of society.

Looking ahead

In our view, these changes are in the right direction and we will continue to advocate for strict limits on law enforcement and national security access to digital ID system information. IIS continues to be very engaged in this space with Malcolm Crompton, Founder and Partner at IIS, appointed to the Ministerial Digital ID Expert Panel to provide independent advice on Australia’s digital ID program.

The Digital ID Bill was introduced to the Senate where it was referred to the Senate Economics Legislation Committee. The Committee is due to report on the Bill by the end of February 2024. Noting that much of the Committee review period is over December and January when people are busy or away, IIS urges anybody with a point of view on the Digital ID Bill to prioritise making a submission.

News and notables – November 2021

By Mike Trovato and Chong Shao

In our third newsletter in 2021, we pointed to two recent privacy and security stories of note:

  • The Critical Infrastructure Bill

  • IIS makes submission on DTA Digital Identity Legislation

The Critical Infrastructure Amendment Bill 2020 

The rapidity with which cyber threats are evolving and the stress on the systems created by the COVID-19 crisis have been driving further government response. Following Australia’s Cyber Security Strategy 2020, the Department of Home Affairs introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Cth) (the Draft Bill) into Parliament.

The Draft Bill seeks to amend the Security of Critical Infrastructure Act 2018, which currently applies to operators of assets in only four critical infrastructure sectors: electricity, gas, water and ports. It proposes to extend the Act to 11 sectors, including communications, financial services, data storage and processing, defence industry, higher education and research, energy, food and grocery and transport.

The proposed amendments introduce wider powers for the Federal Government, with the ability to intervene and direct organisations to provide information or do specified acts when responding to cyber security. It also puts forward new obligations: a ‘positive security obligation’ for critical infrastructure, including mandatory cyber incident reporting and a risk management program, and enhanced cyber security obligations for systems deemed to be of ‘national significance’.

The Draft Bill creates opportunities but also challenges for the sectors concerned, as it increases the complexity of the regulatory landscape applying to information security and creates an additional reporting burden. It has also raised concerns across the professional cyber security industry in relation to excessive Government powers.

IIS is supportive of the government’s efforts to improve cyber security resilience and hopes that the numerous submissions offered in November 2020 will be used to improve the legislation so that entities take a primary role in improving their resilience to attacks.

IIS makes submission on Exposure Draft of the DTA’s Trusted Digital Identity Bill

IIS participated in the Digital Transformation Agency’s call for submissions on the DTA Trusted Digital Identity Legislation. IIS Lead Privacy Advisor, Malcolm Crompton and IIS Managing Director Michael Trovato drafted an extensive paper addressing the Legislation’s intention to help expand the Australian Government’s Digital Identity system into a whole-of-economy Digital Identity solution by establishing robust governance, strengthening data and consumer protections, and enabling entities in other digital identity systems to apply for Trusted Digital Identity Framework (TDIF) accreditation.

IIS Lead Privacy Advisor, Malcolm Crompton and IIS Managing Director Michael Trovato submitted an extensive paper during the consultation process, with an emphasis on respecting and protecting individuals’ interests. IIS subsequently consulted with DTA and provided a submission for the Draft Exposure Bill.

Key to IIS’ position on the design of the Legislation is to recognise that digital identities obtained and verified through TDIF are likely to dominate every aspect of the lives of individuals as digital continues to increase its dominance of how lives, business and government are conducted. Indeed, the policy intent is that TDIF facilitates this evolution.

Overall, IIS identified that more emphasis needs to be placed on the system being respectful of Users as individual people, not just economic units, and being symmetric in its treatment of the parties.

We raised the following key points:

  • Ensuring that Users / advocates will have continuing and genuine influence as the system evolves.

  • Effective governance, compliance, enforcement, and remediation/redress for the individual User.

  • Protection from (or genuine oversight of) surveillance by law enforcement and national security agencies.

  • Ensuring that alternatives to using the TDIF system continue to be available for years to come, if not forever. There must be genuine alternatives to the use of digital identities (i.e., practical, available, not cumbersome or coerced); otherwise, any ‘consent’ is rendered meaningless and arguably invalid under law.  

Once again, you can read the full submission here.