Coalition Senators' Dissenting Report

Background

1.1 Coalition Senators note that the Murray Inquiry, commissioned by the Abbott Government, recommended in 2014 that the Commonwealth “develop a national strategy for a federated-style model of trusted digital identities”.[1] Furthermore, the Inquiry argued that Digital ID should be a competitive sector, recommending that:

Government (in consultation with the private sector) sets up a trust framework and standards to facilitate a competitive market in identity services, and enable consumer and business choice in credentials.[2]

1.2 The Murray Inquiry considered a “syndicated model” under which a single government identity credential would be issued with single sign-on access to public and private sector services, but this was not recommended on the basis that it would be too costly, and would impede the adoption of innovative solutions and reduce overall efficiency over time.[3]

1.3 Furthermore, the Inquiry noted that Australians could reject such a centralised model on the basis of privacy concerns, similar to the Australia Card initiative in 1987.[4]

1.4 At the public hearing for this Bill, the Business Council of Australia extolled the benefits of a federated approach to Digital ID:

This means that … individuals can choose the provider they use for different services. This means that no single entity, including government, can unilaterally stop an individual from being able to access essential services. They will have choice and options.[5]

1.5 The Coalition Government began developing the Trusted Digital Identity Framework (TDIF) in 2016, and it was launched in March 2018. In June 2019, myGovID went live as an accredited digital identity provider under the TDIF.

1.6 Coalition Senators note that in the midst of the COVID-19 pandemic in September 2020, the then Senate Select Committee on Financial Technology and Regulatory Technology recommended that:

… the Digital Identity reforms led by the Digital Transformation Agency be accelerated in order to deliver a national, economy-wide framework for the operation of a federated digital identity ecosystem as soon as possible.[6]

1.7 This recommendation reflected the aspiration of the fintech sector and disruptive industry to expand choice and cut costs faced by consumers.

1.8 During the FinTech and RegTech Inquiry, FinTech Australia gave evidence that the “development and implementation of Digital ID is vital in driving fintech … payment innovation, and to support the rapid digitisation of businesses”, and would be “a significant cost saver”.[7] Furthermore, Digital ID was deemed to be “key to the fintech industry’s success”.[8]

1.9 In September 2021, Eftpos’ ConnectID service became the first private sector exchange to receive TDIF accreditation.

1.10 In the 2021-22 Budget, $256 million was allocated in a Digital Business strategy to progress the rollout of Digital ID into a whole-of-economy solution via legislation.

1.11 In October 2021, the former Government released exposure draft legislation in the form of the Trusted Digital Identity Bill 2021.

1.12 The Labor Government has decided to take a different approach to Digital ID by developing a big government approach.

1.13 Labor’s Bill, instead of proposing a collaborative framework with the private sector, proposes a phased approach to Digital ID expansion. Private sector involvement is only planned for stages 3 and 4, the timelines for which have yet to be determined.

1.14 This approach is highly flawed and risky. By delaying economy-wide expansion, the Bill risks creating an uncompetitive Digital ID sector, and increases risks for consumers and businesses. Without a whole-of-economy approach, there is a risk that interoperability is disregarded. Digital ID services outside the accreditation framework will not have the same safeguards that are established by this Bill.

1.15 There is considerable uncertainty in the private economy about when and how the phased approach will occur. Without a clear collaborative approach, as recommended by the 2014 Financial System Inquiry, there is a risk that the Australian Government Digital Identity System (AGDIS) will lack the trust and confidence of business and consumers, which will hamper its ability to provide efficiency and productivity boosts to the Australian economy.

1.16 It seems that Labor has decided on a more syndicated model that centralises Digital ID in government hands, disregarding the Murray Review’s warnings. By departing from a truly federated approach to Digital ID, Labor is risking the integrity of the entire premise of such a framework.

1.17 Ultimately, a federated Digital ID framework is a good idea, but Labor have gone about it the wrong way. Once again, the Albanese Government is taking an anti-business approach.

Big government approach

1.18 The Labor Government is proposing a phased approach to the roll out of the Digital ID accreditation framework. There is significant uncertainty and concern from the private sector, particularly fintechs, about the timeline, which has yet to be disclosed. As the Tech Council noted, “private digital ID providers are going to be excluded from participating in the government system until the final phase of the rollout.”[9] This is essentially a big-government approach which centralises Digital ID in government hands. Furthermore, submitters expressed concern that the phased approach itself could negatively impact the viability of the whole scheme.

1.19 In their submission, the Australian Retail Credit Association (ARCA) expressed concern “that there is a lack of clarity around the timing of Phase 3 and Phase 4” and were also concerned “with the phased approach being proposed, i.e. Phase 3 (which allows the use of government digital ID and attribute providers in private sector services) and Phase 4 (which allows the use of private sector digital ID and attribute providers in some government services)”.[10] They said that they did not support the Government’s approach:

We do not support the phasing of 3 and 4 and would prefer to see both myGovID and private sector accredited digital ID providers both access government services concurrently.[11]

1.20 Noting further, they argued that the lack of certainty on phases 3 and 4 would risk continuing private sector investment in Digital ID products.[12]

1.21 At the Committee’s public hearing, the Australian Banking Association (ABA) emphasised the importance of consumer choice to the success of any Digital ID framework:

As we elaborated on in our opening statement, we believe that choice is a foundation of trust for digital identities, and the greater the options for choice for consumers the more likely they are to use digital ID and to benefit from the enhanced safety that comes from utilising a digital ID and protecting their identity. … We would reiterate that choice for consumers to either use or not use a digital ID, and then choosing which entity they would like or who they'd like to develop that digital ID with is foundational for the success of digital ID.[13]

1.22 National Australia Bank (NAB), in their submission, expressed concern that the phased approach would put the Digital ID framework at risk:

NAB remains concerned regarding the intended approach with the private sector to not be able to participate fully in the Digital ID ecosystem until the fourth and final phase of the rollout. With multiple private sector Digital ID offerings either in-market or preparing to enter in 2024, slowing the ability for the private sector to fully participate risks inhibiting innovation and uptake of Digital ID, and restricting community awareness to only a small number of use cases and government providers.[14]

1.23 Furthermore, Australian Payments Plus (AP+) submitted that they were against the phased approach, arguing that it would not be conducive to a successful Digital ID rollout:

AP+ does not however support the proposed phased approach to the sequential expansion of the Australian Government Digital Identity System (AGDIS), particularly as ConnectID is purposely designed to help transform the way Australians manage and protect their identity to help address the growing issue of identity theft and data breaches.

Overseas experience shows a successful national digital identity ecosystem relies on interoperability and mutual recognition of digital credentials between the public and private sectors, which in the case of the AGDIS is the proposed ‘Phase 4’.[15]

1.24 The Tech Council of Australia submitted that they are “concerned about the timing of the proposed phasing of the expansion, whereby private providers would not be integrated into the Australian Government system until “phase 4” at an unspecified time.”[16] This uncertainty poses a risk to competition and innovation in Digital ID:

The current lack of clarity regarding the timing of these rollout phases poses a challenge for private sector planning and industry preparedness, and could also put private providers at a competitive disadvantage to public sector providers.[17]

1.25 ARCA has said that the phased approach is a “disappointing outcome”, and that they are concerned that “a phased approach will result in more consumers choosing to uptake the myGovID over private sector digital ID products”.[18] This would discourage private sector investment, leading “to less choice for consumers and potentially less innovation.”[19]

1.26 When asked at the public hearing, data analytics and technology company Equifax explained the potential security risks of not having a private sector roll out alongside the public sector:

…we believe in an economy-wide digital ID as opposed to a government-focused ID. This would allow, for example, consumers to be able to choose from a mix of both public sector and private sector identity providers from the start. We are concerned that, based on the suggested phasing, the delay to the rollout to the private sector will create confusion for consumers around who they can trust for identity providers, and in which cases. More importantly, it creates an opportunity for fraudsters to exploit a system that may have two different methods of verifying identity and preventing fraud. It is critical for those three reasons that private sector and public sector are rolled out at the same time.[20]

1.27 In their submission, the Commonwealth Bank of Australia agreed that private sector involvement should be brought forward. One of their recommendations included:

Bringing forward the proposed phasing of the expansion of the Digital ID System to the private sector, so that citizens will have a choice of providers sooner.[21]

1.28 ARCA agreed, saying there should be “no phasing between public and private sector access services for commercial or government accredited digital ID providers.”[22]

1.29 In their submission, the Business Council of Australia asked that the Committee “seek clarity on the timelines for private sector access to and use of digital identity”.[23] Unfortunately, clarity was not provided by the Department of Finance when questioned at the public hearing.

1.30 The Department of Finance said that the phasing out of private sector involvement had been a decision of the Labor Government:

Senator BRAGG: Effectively, your evidence is that the government has decided to do it with this staged approach rather than providing for a method where there would be simultaneous public and private development?

Mr Shepherd: That is correct.[24]

1.31 The Department did not shed any light on when the phasing and private sector involvement will occur, noting that “the timing on that expansion has not been announced”.[25]

1.32 It’s unacceptable that businesses, particularly fintechs, have been left in the dark on when their participation in the AGDIS will occur.

1.33 There doesn’t seem to be any credible reason why the Labor Government has decided to take a Big Government approach in this Bill. Coalition Senators are of the view that it should be amended to ensure that the rollout of the Digital ID system occurs with both public and private sector involvement concurrently.

1.34 Without the involvement of the private sector, the main objectives of lower prices and innovation will be defeated.

Recommendation 1

1.35 The Bill be amended to remove the phasing-in provisions, allowing for private sector involvement in the AGDIS from commencement. The Bill should not be progressed without simultaneous involvement of the private sector.

Alignment with the Privacy Act and other legislation

1.36 In their submission, the ABA recommended that in order to ensure the take-up of Digital ID, it was necessary for the Bill to align with “the proposed reforms to the Privacy Act 1988 (Cth) with a particular focus on document retention obligations”.[26] As AP+ noted:

…on 28 September 2023, the Government responded to the Attorney-General's report on the review of the Privacy Act 1988 (Cth) by indicating that, of the 116 proposals made, it agreed with 38 of them and a further 68 in principle. Where the Government agreed in principle, it indicated that further engagement with organisations and a comprehensive impact analysis is required before it makes a final decision on the proposal.[27]

1.37 It is possible that if this Bill proceeds before the reforms to the Privacy Act are complete, there could be competing or contradictory requirements to the ones set down in the Digital ID Bill. AP+ says that they were concerned “that the proposed changes to the Privacy Act will conflict with obligations in the Digital ID legislation.”[28]

1.38 The UTS Human Technology Institute argued that “it is essential that Privacy Act reforms be passed as soon as possible to prevent further fragmentation, inconsistencies, gaps in protections, and unnecessary compliance burdens.”[29] They noted it would’ve been better if the Digital ID reforms had proceeded after the Privacy Act amendments were introduced, and recommended that a consistent and coordinated approach to federal privacy protections be adopted across the Privacy Act review and Digital ID.[30]

1.39 The BCA has noted that the Bill could involve duplication and overlap, such as with metadata retention requirements, with the Telecommunications Act 1997, and that a review of such legislation should be urgently undertaken to identify “necessary legislative or regulatory change to enable organisations to meet government requirements through the digital identity system.”[31]

1.40 Furthermore, the ABA recommended that the Bill should be aligned with “the proposed reforms to the AML/CTF Act [Anti-Money Laundering and Counter-Terrorism Financing Act 2006] and Rules including any necessary clarification of suitability of Digital ID to meet KYC [Know Your Client] obligations.”[32] In their submission, the Financial Advice Association Australia noted “the very limited reference to KYC and AML/CTF in the Explanatory Memorandum.”[33] AP+ also submitted that changes to the AML/CTF regime may need to be considered concurrently to ensure it is consistent with the proposed Bill.[34]

1.41 In order for a Digital ID accreditation system to be viable, it must be consistent with existing legislation, particularly with respect to privacy protections and data retention requirements. Coalition Senators are of the view that we cannot have a situation where the credibility of and trust in the AGDIS is undermined by conflicting compliance requirements and privacy protections in legislation.

Recommendation 2

1.42 That the Bill only be considered once the reforms of the Privacy Act are introduced to the Parliament, to ensure that privacy, data protections and compliance requirements are consistent and coordinated across various related legislation.

Voluntariness

1.43 It is vital that any Digital ID framework is fully voluntary for businesses and consumers alike. As the UTS Human Technology Institute noted:

Consent is only meaningful when people are not unreasonably disadvantaged if they opt to use traditional methods of proving their identity; in other words, they must retain equal entitlements and access to the same services and products.[35]

1.44 They therefore recommend the bill be amended to include “an ongoing guarantee of equal access to services for those who choose to opt out of using a digital ID” and that the Bill require “the Digital ID Regulator to consider whether granting an exemption would unduly determine access to services for individuals …”[36]

1.45 In their submission to the Inquiry, the UNSW Allens Hub for Technology, Law and Innovation expressed concern that the exemptions built into the legislation could become a de facto compulsory system:

… the availability of alternatives does not create a system where service providers can be precluded from offering digital identity as the more convenient and cheaper option. Further, sub-clause (4) states that the Digital ID Regulator may grant an exemption to a participating relying party if satisfied that it is appropriate to do so. While the provision has safeguards against arbitrary grant of exemptions, a creeping expansion of businesses that superficially satisfy the prescriptive requirements of the law may lead to a slow expansion of the exemption clause. This can, over time, create an ecosystem where despite claims of voluntariness, digital identity becomes both the de facto and de jure DI system …[37]

1.46 Digital Rights Watch expressed similar concerns in their submission:

While we appreciate the need for some level of flexibility, we remain concerned that instances where Digital ID is effectively mandatory will essentially cut off a proportion of the population from accessing those services.[38]

1.47 Some expressed concerns about the interoperability of the scheme, noting that Government agencies may exempt themselves from having to accept certain accredited Digital ID providers, accepting only government providers. As DSPANZ noted:

For Digital ID to be a truly interoperable economy-wide system, government agencies (particularly the ATO, Department of Education, Department of Foreign Affairs and Trade and Department of Social Services) should not be able to exempt themselves from accepting any Digital ID providers accredited within the AGDIS.

DSPANZ is concerned that government agencies will seek exemptions and only accept myGovID or other government issued credentials for certain interactions.[39]

1.48 ARCA submitted they were concerned that the exemptions could lead to digital exclusion:

We are concerned though, that the Bill does not prevent private companies excluding the acceptance of traditional forms of ID. Some businesses might choose to decide only to accept digital ID as a way to minimise their risk of collecting data on individuals, or because it is a more reliable form of identity.[40]

1.49 Many submissions to the Inquiry expressed concerns about the voluntariness of the Digital ID framework. On paper, the scheme may be voluntary, but many are concerned that in practice it will not be. If the AGDIS lacks public credibility with respect to its voluntariness, for both consumers and businesses, then it will not be successful.

Recommendation 3

1.50 That the Bill be amended to include further guarantees for consumers and businesses to ensure the AGDIS is fully voluntary.

Senator Andrew Bragg
Senator for New South Wales

Senator Dean Smith
Liberal Senator for Western Australia

Footnotes

[1] Financial System Inquiry, Final Report, 2014, p. xxiv.

[2] Financial System Inquiry, Final Report, 2014, p. 156.

[3] Financial System Inquiry, Final Report, 2014, p. 159.

[4] Financial System Inquiry, Final Report, 2014, p. 159.

[5] Ms Wendy Black, Head of Policy, Business Council of Australia, Committee Hansard, 9 February 2024, pp. 24-25.

[6] Select Committee on Financial Technology and Regulatory Technology, Interim Report, 2020, p. 211.

[7] FinTech Australia, Submission 19.3, Select Committee on Financial Technology and Regulatory Technology, p. 20.

[8] FinTech Australia, Submission 19, Select Committee on Financial Technology and Regulatory Technology, p. 111.

[9] Mr Ryan Black, Acting Chief Executive Officer, Tech Council of Australia, Committee Hansard, 9 February 2024, p. 24.

[10] Australian Retail Credit Association, Submission 48, p. 3.

[11] Australian Retail Credit Association, Submission 48, p. 3.

[12] Australian Retail Credit Association, Submission 48, pp. 3–4.

[13] Mr Christopher Taylor, Chief of Policy, Australian Banking Association, Committee Hansard, 9 February 2024, p. 5.

[14] National Australia Bank, Submission 18, p. 1.

[15] Australian Payments Plus (AP+), Submission 43, p. 3.

[16] Tech Council of Australia, Submission 45, p. 4.

[17] Tech Council of Australia, Submission 45, p. 4.

[18] Australian Retail Credit Association, Submission 48, p. 4.

[19] Australian Retail Credit Association, Submission 48, p. 4.

[20] Ms Tehani Legeay, General Manager, Identity, Fraud and AML, Equifax, Committee Hansard, 9 February 2024, p. 21.

[21] Commonwealth Bank of Australia, Submission 41, p. 2.

[22] Australian Retail Credit Association, Submission 48, p. 4.

[23] Business Council of Australia, Submission 38, p. 3.

[24] Mr John Shepherd, First Assistant Secretary, Digital ID and Data Policy Division, Department of Finance, Committee Hansard, 9 February 2024, p. 33.

[25] Mr John Shepherd, First Assistant Secretary, Digital ID and Data Policy Division, Department of Finance, Committee Hansard, 9 February 2024, p. 33.

[26] Australian Banking Association, Submission 33, p. 2.

[27] Australian Payments Plus, Submission 43, p. 9.

[28] Australian Payments Plus, Submission 43, p. 9.

[29] Human Technology Institute, Submission 39, p. 6.

[30] Human Technology Institute, Submission 39, pp. 6–7.

[31] Business Council of Australia, Submission 38, p. 3.

[32] Australian Banking Association, Submission 33, p. 2.

[33] Financial Advice Association Australia, Submission 22, p. 3.

[34] Australian Payments Plus, Submission 43, p. .

[35] Human Technology Institute, Submission 39, p. 13.

[36] Human Technology Institute, Submission 39, p. 14.

[37] UNSW Allens Hub for Technology, Law and Innovation, Submission 12, p. 5.

[38] Digital Rights Watch, Submission 14, p. 9.

[39] Digital Service Providers Australia New Zealand, Submission 9, p. 4.

[40] Australian Retail Credit Association, Submission 48, p. 6.