One Nation Senators' Dissenting Report

1.1One Nation Senators consider that the Committee was not open to make the recommendations presented in this dissenting report. The weight of criticism of the legislation in submissions and witness testimony should have predicated a recommendation to consult and amend the Digital ID Bill 2023. Rather the Committee has recommended the bill be passed as introduced.

1.2One Nation’s position aligns with the NSW Council for Civil Liberties (NSWCCL) (Submission 21) which correctly set out the problem Australia currently has with the use of personal data for identification:

A number of recent high-profile data breaches has highlighted the lack of regulation and enforcement of identity protection in Australia. This has been the impetus for fast tracking the legislation. The NSWCCL endorses the codification of the Australian Government Digital Identity System (AGDIS), which along with the Document Verification service and facial verification technology has not been operating within an effective legal framework.

1.3Continuing from the NSWCCL submission:

The COVID pandemic normalised the mandatory mass collection, use and storage of personal data using contact-tracing apps and as a result NSWCCL has increased concerns generally with ongoing data centralisation and datafication of Australians. More particularly, recent amendments to the bill after the consultation period have not gone far enough in addressing critical issues, such as the safe collection, use, and storage of sensitive data and ensuring that data is not used for other, unintended purposes like law enforcement.

1.4One Nation is in full agreement with these two statements from the NSWCCL. It is our position that the bill does not solve the issues that gave rise to the bill and is most likely to create more problems than it solves.

Privacy concerns

1.5The bill relies on privacy protections being introduced in regulation after the bill passes. This ignores the presence of the Treasury Laws Amendment (Consumer Digital Right) Bill 2023 on the Senate Notice Paper. This bill would have gone a good way to ensuring the data being collected under the Digital ID Bill 2023 would have been protected.

1.6Instead the Treasury Laws Amendment (Consumer Digital Right) Bill 2023 has been kicked down the notice paper on multiple occasions by this Labor Government as though consumer data rights are of no concern.

1.7The Treasury Laws Amendment (Consumer Data Right) Bill 2022 be passed by the Senate prior to resumption of the second reading debate on the Digital ID Bill 2023.

1.8The Digital ID Bill 2023 requires accredited service providers to follow a baseline set of obligations and regulatory oversight. Many of these obligations will be set out in rules issued by the Minister following the passing of the bill. The provisions may go beyond the provisions of the Privacy Act however without seeing the provisions how can the Senate be sure the bill will be implemented as presented?

1.9One Nation is unable to accept the bill on the basis of rules that have not been presented in their final form. Given the development arc for this bill there is no excuse for these rules to have not been presented with the bill.

1.10The Privacy rules relating to the operation of the Digital ID Bill 2023 be circulated to Senators prior to the resumption of the second reading debate.

1.11The privacy provisions in part 2, division 2 of the bill rely on the individual providing express consent for the sharing of their data. Express consent is the lowest consent standard. When an internet streaming video supplier, for instance, updates their terms of service and presents a subscriber with a ‘click to accept new terms and conditions’ panel, if that change included permission to share a subscriber’s viewing habits that would constitute express consent.

1.12The inclusion of express consent in this bill has the effect of allowing an individual’s digital ID to be checked multiple times a day without the individual’s knowledge or consent.

1.13The bill be amended to raise the consent from express to active consent on each occasion, or once for a repetitious action, such as credit card transaction provided provision is made for withdrawing that consent. This recommendation relates to every instance of the phrase “express consent”.

1.14This recommendation will no doubt be considered unworkable. That objection should be a give-away as to how frequently digital IDs will be checked in order to authorise what used to be everyday life.

Overreach

1.15The Director’s ID is a good example of how government and private partnerships can overstep their authority. The enabling legislation for the Director’s ID, the Treasury Laws Amendment (Registries Modernisation and Other Measures) Act 2020 provided for tax file numbers to be offered as identification for persons applying for an ID.

1.16Once passed, applicants were required to provide not only tax file number, but driver’s license, superannuation accounts, bank account details, passport, and at one point their Centrelink account details. Applicants were also required to get a myGovID. There was no legislative basis for this additional information. That data is still out there in the possession of the consulting firm that collected the data, a firm which specialises in providing data profiles of individual Australians for profit.

1.17With this previous track record, the Government is now asking for new powers to collect and share even more information with insufficient protections against the same unauthorised exploitation.

1.18The Digital ID Bill 2023 be reviewed by the Office of Parliamentary Council to identify provisions that may require an explicit limitations clause and report prior to the resumption of the second reading debate.

Access

1.19Digital ID requires digital connection. In parts of Australia digital connection is a bad joke, this is not just limited to remote areas. Blackspots exist in the city and can be event-based as a large event overwhelms mobile phone towers. The recent Optus outage is a good example – if one of our largest Telcos can’t do a routine software upgrade without bringing half the country’s internet down then we have a problem that needs to be provided for. As the most common use for the digital ID will be in-person verification for a routine transaction such as a purchase, travel or access to a public space, allowance must be made for a backup to be held in, for instance, a secure mobile phone app.

1.20The design of a digital ID must allow for offline use.

1.21If a person chooses to not have a digital ID the bill requires an alternative must be available. The inclusion of this option is achieved with few protections. As the alternative to digital identification in rural and regional Australia will likely be some form of in-person procedure, this will seriously disadvantage residents in regional and remote Australia. This is especially the case with banking services, where branch closures are forcing residents to travel a full day to visit a bank and return.

1.22Australia Post does have a role to play in providing physical identification services, especially as their staff become familiar with regular customers on a personal basis over time, facilitating identification.

1.23The provision for alternative identification should include explicitly providing for Australia Post to provide physical identification services through Australia Post outlets, with suitable cost recovery from the accredited service, not the individual.

Overseas access to data

1.24The bill allows for data to be stored overseas ‘to cater for a changing security environment’. There should be no situation in which holding data overseas is allowable. I understand the government is putting in place a provision that will allow data storage and processing to be completed in a low cost jurisdiction away from the scrutiny of the Digital ID Regulator and Australian authorities generally. This is not an acceptable situation to One Nation.

1.25Amend the bill to remove the provision for the rules to allow the location of data outside Australian jurisdiction.

Law enforcement

1.26The bill requires law enforcement to produce a warrant to access personal information held under this bill. One Nation welcomes that requirement. There is however fine print that negates this provision.

1.27Under the bill every Australian over 16 will now have a unique identification number. Law enforcement will be able to require that number be disclosed should they require it for ‘detecting, reporting, investigating or prosecuting an offence under any Commonwealth or State law’.

1.28Once law enforcement has the unique identifier they can match that back to a person using their own processes. Law enforcement is widely defined and would likely include public servants enforcing administrative penalties.

1.29This provision could be misused by law enforcement to police “wrong think” on social media, arrest protestors at a rally who may have not broken any law themselves and allow the policing of restricted movement zones which are being deployed as part of “15 minute cities”.

1.30Amend the bill to require that law enforcement must have a reasonable suspicion a crime is being committed by an individual before accessing their digital ID data.

Redress framework

1.31An individual whose digital identity has been compromised or misused, or for whom provisions around alternative identification or consent have not been met must have access to an effective redress scheme. This bill fails to set out the details of the redress scheme. Passing a bill without any idea of how redress will be provided is not acceptable to One Nation.

1.32Details of the redress scheme must be incorporated into the primary legislation.

Voluntariness

1.33The bill requires adoption to be voluntary. The government’s own myGov was not mandatory either, until it was. Will a bank decide a digital ID is necessary for any new banking product, and simply not reveal why an applicant without a digital ID was refused a product? How would they know?

1.34The protections on voluntariness are weak and will have the effect of individuals being forced into adopting digital ID by government or corporations.

1.35Taking all 10 objections together it is our opinion that the bill be returned to the Department for further development.

1.36The bill not be passed in the current form.

Senator Malcolm Roberts

Senator for Queensland