Bills Digest No. 98, 2019–20

Privacy Amendment (Public Health Contact Information) Bill 2020

Attorney General's

Author

Claire Petrie

Introductory Info

Date introduced: 12 May 2020
House: House of Representatives
Portfolio: Attorney-General
Commencement: Sections 1–3 commence on Royal Assent; Schedule 1 and item 1 of Schedule 2 commence the day after Royal Assent; and Schedule 2, items 2 to 4 commence at the end of 90 days after the day determined by the Health Minister to be the end of the COVIDSafe data period.

Purpose of the Bill

The purpose of the Privacy Amendment (Public Health Contact Information) Bill 2020 (the Bill) is to amend the Privacy Act 1988 to provide for a range of offences and privacy protections in relation to the collection, use, disclosure and deletion of data in connection with the COVIDSafe contact tracing app (the app).

Background

COVIDSafe app

The COVIDSafe app was made available for download on 26 April 2020, as one component of the Government’s response to the COVID-19 pandemic.[1] The app is designed to enhance existing contact tracing processes in relation to those who test positive to COVID-19, by maintaining a log of the Bluetooth connections a person’s phone makes with the phones of those they come in contact with. These connections, referred to as ‘digital handshakes’, involve the exchange of anonymised, temporary IDs (generated every two hours) which are stored in encrypted form on the mobile devices of the two users, along with data concerning the date, time, Bluetooth signal strength and duration of the contact. The app does not collect location data.[2]

This data is stored on a person’s device for a rolling 21 day period. If an app user tests positive to COVID-19, they may consent to this encrypted data being uploaded to the National COVIDSafe Data Store, which then provides the relevant State or Territory health authority with the registration data (name or pseudonym, mobile phone number, age range and post code) of other app users who spent more than 15 minutes within 1.5 metres of the confirmed case. State and Territory health authorities then use the data in connection with existing contact tracing processes.[3]

The Government states the app will ‘speed up the process of identifying people who have been in close contact with someone diagnosed with coronavirus, quickly stopping further spread of the virus in the community’.[4] The National COVIDSafe Data Store is operated by the Digital Transformation Agency and is hosted by Amazon Web Services in Australia. The Commonwealth is reported to have entered into MOUs with State and Territory health authorities in regard to the use of data obtained through the app.[5]

The COVIDSafe app has been the subject of considerable public scrutiny, in respect of its effectiveness, transparency surrounding its operation, and the security of data collected.[6] Similar issues are being considered around the world, as governments look to use technology to assist in controlling and limiting the spread of COVID-19, particularly as lockdown restrictions ease.[7] The Australian Government has released the privacy impact assessment of the COVIDSafe app, conducted by Maddocks, as well as the Department’s response. On 8 May 2020, the Digital Transformation Agency released the source code for the app.[8]

As at 10 May 2020, it was reported that there had been 5.4 million downloads of the app.[9]

Biosecurity Determination

To date, the legislative protections for the collection, use and disclosure of COVIDSafe app data have been contained in the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020 (COVIDSafe Determination), made by the Minister for Health, Greg Hunt, exercising his human biosecurity emergency powers under the Biosecurity Act 2015 (Cth).[10] Section 477 of the Biosecurity Act, under which the COVIDSafe Determination has been made, allows the Health Minister, during a human biosecurity emergency period, to determine any requirement the Minister is satisfied is necessary to:

  • prevent or control the entry, emergence, establishment or spread of the declaration listed human disease in Australian territory, or a part of Australian territory
  • prevent or control the spread of the disease into another country or
  • give effect to any recommendation made to the Minister by the World Health Organisation in relation to the disease.

Determinations made by the Minister under this power are non-disallowable, and have effect until the end of the biosecurity emergency period (unless revoked earlier). Any requirement determined by the Minister under section 477 applies ‘despite any provision of any other Australian law’.[11]

The COVIDSafe Determination sets out the limited circumstances in which a person may collect, use or disclose COVID app data; limits the retention of COVID app data on a mobile device to 21 days and requires all data in the National COVIDSafe Data Store to be deleted after the conclusion of the pandemic; prevents data uploaded to the Data Store being held on a database outside Australia; prohibits the decryption of encrypted COVIDSafe data that is stored on a mobile device; and contains a range of prohibitions on coercing another person to download or operate the app. It is an offence to engage in conduct which contravenes a requirement set out in the determination, with a maximum applicable penalty of five years imprisonment and/or 300 penalty units.[12]

Concerns have been raised about potential gaps in the protections provided by the COVIDSafe Determination, including the absence of oversight or reporting mechanisms and the fact that as delegated legislation, the Determination may be amended or repealed by the Minister at any time.[13] Law Council of Australia President, Pauline Wright, has stated:

The Law Council does not consider that an executive order is the optimum way to make laws, especially laws that determine criminal offences and make provisions for important protections of privacy and security of personal information, so it is critical that legislation be introduced as soon as possible.

As an executive instrument, the Determination is inherently susceptible to unilateral executive amendment or repeal and must be considered as a strictly interim measure, pending the introduction of legislation in the Parliament to put the regulatory framework on a comprehensive statutory footing.[14]

The Government released an Exposure Draft of the current Bill on 4 May 2020.[15] Privacy experts and lawyers have suggested the Exposure Draft addresses a number of concerns raised in respect of the COVIDSafe Determination, including by: providing for oversight of the laws by the Office of the Australian Information Commissioner (OAIC); providing opportunities for individuals affected by a breach to seek a remedy; and clarifying that State and Territory health authorities are captured by data use restrictions.[16] However, they also argued that uncertainties and other issues remain. Some of these have been addressed in the first reading version of the Bill, as introduced into Parliament on 12 May 2020. Other concerns are discussed below.

Key issues and provisions

The Bill substantially reproduces the obligations and prohibitions contained in the COVIDSafe Determination, with some amendments to address potential gaps in protection. It also provides for Privacy Commissioner oversight of the collection, use and disclosure of data obtained through the COVIDSafe app. Item 1 of Schedule 2 repeals the COVIDSafe Determination—this will occur the day after the Act receives Royal Assent.[17]

Item 2 inserts proposed Part VIIIA into the Privacy Act, to set out offences and obligations in connection with the COVIDSafe app and COVID app data. The object of the proposed Part is to ‘assist in preventing and controlling the entry, emergence, establishment or spread of the coronavirus known as COVID-19’ in Australia, by ‘providing stronger privacy protections for COVID app data and COVIDSafe users’, in order to encourage public acceptance and uptake of the app, and enable faster and more effective contact tracing.[18]

Provisions to prevail over other laws

Proposed section 94ZD expressly cancels the effect of any Australian law which would otherwise permit or require conduct, or an omission to act, that is prohibited under proposed Part VIIIA. There is an exception for a provision of an Act, where the provision commences later than the current legislation, and expressly permits or requires the conduct or omission despite the provisions under this Part.

In response to concerns as to whether Australian police would be able to access such data by applying for a warrant, the Government has stated the legislation ‘overrides all other Commonwealth and state and territory laws that would provide for any form of law enforcement access’.[19]

United States law enforcement access to data

A source of contention has been the potential reach of the United States Clarifying Lawful Overseas Use of Data Act 2018 (CLOUD Act), which enables US federal law enforcement agencies to require US-based organisations to provide data requested under a warrant or subpoena, even where the data is stored outside the US. Amazon Web Services, as a subsidiary of a US incorporated entity, falls within the reach of the CLOUD Act.[20]

Law firm Allens explains that under the CLOUD Act:

[a] company can refuse to provide data where doing so would violate the law of a 'qualifying foreign government'.

Australia is not currently a qualifying foreign government and will not become one until Australia and the US execute a bilateral agreement. The [Telecommunications Legislation Amendment (International Production Orders) Bill 2020] is a precursor and enabler to this. This means that data held by [Amazon Web Services] could, at least theoretically, be at risk of access by the US Government until these arrangements are finalised. While we consider that to be highly unlikely, we do expect further discussion and Parliamentary scrutiny on this topic.[21]

In evidence given before a hearing of the Senate Select Committee on COVID-19, the Attorney-General’s Department said that it received advice from the Australian Government Solicitor on the potential interaction between COVIDSafe laws and the CLOUD Act, and while it could not ‘give complete guarantees about foreign laws’, believed it was:

...not conceivable that there would be such access by US agencies for a series of reasons, including the arrangements the US Department of Justice has in place and also the provisions of US law which enable US courts to quash such requests in those circumstances.[22]

Privacy law academics, Dr Katharine Kemp and Professor Graham Greenleaf, have noted that the issue of whether records held by Amazon Web Services as part of its COVIDSafe contract could be subject to the CLOUD Act ‘is not straightforward’, and have recommended the Government make public any advice received on this issue.[23]

Access to COVID app data

What is COVID app data?

The term COVID app data is defined under proposed subsection 94D(5) to mean data relating to a person that has been collected or generated through the operation of the COVIDSafe app, and either is registration data[24] or is stored or has been stored on a communication device.[25]

It does not include information that is obtained from a source other than directly from the COVIDSafe Data Store, in the course of contact tracing—for example, information obtained through manual tracing activities. It also does not include de-identified statistical information about the total number of registrations through COVIDSafe that is produced by either an officer or employee of the data store administrator, or a contracted service provider for a government contract with the data store administrator.[26]

Some privacy experts and lawyers have suggested that the scope of the definition needs to be expanded further, arguing that it is currently unclear whether the definition of COVID app data extends to:

  • records which have been uploaded in encrypted form to the COVIDSafe Data Store and then decrypted or
  • data which has been ‘transformed or derived from that data by state and territory health officers’, such as where data generated by the app is merged with data otherwise available to State and Territory health authorities.[27]

When is access to COVID app data permitted?

The Bill specifies the circumstances in which the collection, use and/or disclosure of COVID app data is permitted. Access to COVID app data outside of these circumstances will constitute an offence.[28] The permitted circumstances are substantially the same as provided for under the COVIDSafe Determination, and cover:

  • where the person is an employee of, or in the service of, a State or Territory health authority, and the collection, use or disclosure is for the purpose of undertaking contact tracing
  • where the person is an officer or employee of the data store administrator,[29] or a contracted service provider for a government contract with the data store administrator, and the collection, use or disclosure is for the purposes of enabling contact tracing by State or Territory health authorities, or ensuring the proper functioning, integrity or security of the COVIDSafe app or COVIDSafe Data Store
  • where collection or disclosure is for the purpose of transferring encrypted data between mobile devices through COVIDSafe, or from the mobile device to the COVIDSafe Data Store
  • where the collection, use or disclosure is for the purpose of investigating a possible contravention of proposed Part VIIIA or prosecuting a person for an offence against the Part
  • where COVID app data is used by the data store administrator for the purpose of producing de-identified statistical information about the total number of registrations through COVIDSafe and
  • in the case of COVID app data that the data store administrator has a statutory obligation to delete under proposed section 94L, where the use consists of access by the data store administrator for the purpose of confirming the correct data is being deleted.[30]

An additional permitted circumstance under the Bill is where the collection, use or disclosure is for the purpose of the Privacy Commissioner performing their functions or exercising their powers under, or in relation to, proposed Part VIIIA. This will assist the Commissioner to fulfil their oversight functions in relation to the proposed provisions.

In each case, the collection, use and/or disclosure of data is permitted only to the extent required for the relevant purpose.

Offence provisions

Proposed Division 2 contains the following proposed offences in connection with COVIDSafe and COVID app data:

  • collecting, using or disclosing COVID app data outside of the circumstances permitted by the Bill (outlined above)[31]
  • retaining COVID app data which has been uploaded to the COVIDSafe Data Store on a database outside Australia, or disclosing such data to another person outside Australia (other than for contact tracing purposes)[32]
  • uploading, or causing to be uploaded, COVID app data from a communication device to the COVIDSafe Data Store without the consent of the COVIDSafe user in relation to that device (or the consent of their parent, guardian or carer, where the user is unable to consent or has requested that person act on their behalf)[33]
  • decrypting COVID app data that is stored on a communication device[34] and
  • coercive actions in respect of the COVIDSafe app, including: requiring a person to download or use the app or upload data from the app, or taking a range of adverse measures against a person on this basis, including: refusing to enter into a contract, taking adverse action, refusing entry to public premises, refusing to allow participation in an activity, refusing the receipt of or insisting on receiving more monetary consideration for goods or services, or refusing the provision of or insisting on providing less monetary consideration for goods or services.[35]

Each offence carries a maximum penalty of five years imprisonment and/or 300 penalty units ($63,000).[36] This is the same as the maximum penalty applicable under the Biosecurity Act for breaches of the COVIDSafe Determination.

Privacy obligations and Commissioner oversight

Proposed Division 3 sets out a range of obligations relating to the deletion of COVID app data, and ceasing collection of such data in certain circumstances. These include requirements that the data store administrator: take all reasonable steps to ensure data is not retained on a user’s device for more than 21 days;[37] delete a user’s registration data on request (except for de-identified data);[38] not collect COVID app data from former users of the app;[39] and at the end of the COVIDSafe data period, delete all COVID app data from the COVIDSafe Data Store.[40] Additionally, any person who receives COVID app data in error is required to, as soon as practicable, delete the data and notify the data store administrator.[41]

Failure to comply with these obligations will not constitute a criminal offence, but may constitute an interference with privacy and be subject to investigation and civil penalties under the Privacy Act.[42]

Privacy Commissioner powers

Proposed section 94S provides that a breach of the requirements under proposed Part VIIIA, either by the data store administrator or a State or Territory health authority, is an eligible data breach for the purposes of the notifiable data breaches scheme under Part IIIC of the Privacy Act.[43]

Under this scheme, the operation of which is modified by proposed subsection 94S(3), the data store administrator or relevant health authority is required to notify the Privacy Commissioner where they have reasonable grounds to believe they have breached a requirement in relation to COVID app data.[44] The Commissioner will determine whether the administrator/health authority is required to comply with the data breach notification requirements by preparing a statement about the data breach and notifying affected individuals of (or otherwise publicising) the contents of this statement.[45]

The Privacy Commissioner also has the power to:

  • conduct an assessment of whether the acts of an entity or a State or Territory authority in relation to COVID app data, comply with the requirements of proposed Part VIIIA[46] and/or
  • conduct an investigation either in response to an individual complaint about an interference with their privacy,[47] or on the Commissioner’s own initiative.[48]

Following an investigation, the Commissioner may require an entity to take specific steps to prevent recurrence of a breach and/or to redress any loss or damage suffered or pay compensation.[49] The Commissioner or complainant may commence proceedings in the Federal Court or Federal Circuit Court for an order to enforce such a determination.[50]

To a large extent these provisions address a concern, raised by some privacy experts, that the COVIDSafe Determination provides only criminal enforcement mechanisms and no avenue for civil remedies in respect of the misuse of COVID app data.[51]

Reporting requirements

The version of the Bill as introduced into Parliament includes reporting requirements which were not contained in the Exposure Draft.

Proposed section 94ZA provides that the Health Minister must cause a report to be prepared on the operation and effectiveness of COVIDSafe and the National COVIDSafe Data Store:

  • at the end of the 6 month period starting with the Act’s commencement and
  • at the end of each subsequent 6 month period (if any) before the end of the COVIDSafe data period.

The Health Minister must cause copies of any report prepared to be laid before each House of Parliament within 15 sitting days after completion of the report.

Proposed section 94ZB requires the Privacy Commissioner to cause a report to be prepared on the performance of the Commissioner’s functions, and exercise of the Commissioner’s powers, under or in relation to proposed Part VIIIA:

  • at the end of the 6 month period starting with the Act’s commencement and
  • at the end of each subsequent 6 month period (if any) before the end of the COVIDSafe data period.

The report must be published on the Commissioner’s website.

Strengthening protections and oversight

Recommendations to further strengthen protections in the Bill have included:

  • prescribing the minimum design specifications of the app and Data Store, rather than leaving them to be determined from time-to-time—for example, that the app must operate on a voluntary opt-in basis[52]
  • requiring the Privacy Commissioner to inspect and certify data deletion obligations have been complied with at the end of the app’s period of operation[53] and
  • the creation of a COVIDSafe Privacy Advisory Committee, including the various Privacy Commissioners, to provide collective advice to the National Cabinet and the public regarding the operation of COVIDSafe.[54]

End of COVIDSafe data period and repeal of provisions

Proposed section 94Y requires the Health Minister to determine a day to be the end of the COVIDSafe data period, if the Minister is satisfied that by that day, the use of the app is no longer required to prevent or control, or no longer likely to be effective in preventing or controlling, COVID-19 in Australia. Before making this determination, the Minister must consult with, or consider recommendations from, the Commonwealth Chief Medical Officer (CMO) or the Australian Health Protection Principal Committee (AHPPC). Under proposed subsection 94Y(3), the CMO or AHPPC may also recommend to the Minister that such a determination be made.

At the end of the COVIDSafe data period, the data store administrator must not collect any COVID app data or make COVIDSafe available for download. They must also:

  • delete all COVID app data from the COVIDSafe Data Store and
  • after the deletion:
    • inform the Health Minister and Privacy Commissioner that all COVID app data has been deleted and
    • take all reasonable steps to inform current users of the app of this fact, as well as that COVID app data can no longer be collected and that users should delete the app from their devices.[55]

Items 2 and 3 of Schedule 2 of the Bill provide for the repeal of all the provisions inserted into the Act by Schedule 1. The repeal will occur at the end of 90 days after the date specified by the Health Minister as the end of the COVIDSafe data period.[56]

Scope of proximity

Dr Katharine Kemp and Professor Graham Greenleaf have argued that in not defining or placing restrictions around the concept of ‘proximity’, the Bill allows the collection of more personal data than is required for contact tracing. They note:

According to the Privacy Impact Assessment of COVIDSafe, the app collects and – with consent of a user who tests positive – uploads to the central data store, data about all other users who came within Bluetooth signal range even for a minute within the preceding 21 days.

While the Department of Health more recently said it would prevent state and territory health authorities from accessing contacts other than those that meet the “risk parameters”, the bill includes no data collection or use restrictions based on the distance or duration of contact.[57]