Dissenting Report by Senator Paul Scarr

Introduction

1.1 These are important Bills where the balance must be struck between the privacy rights of Australian citizens and the scourge of identity theft and fraud. If passed, these Bills will form part of a complicated matrix of both existing legislation (which is subject to review) and proposed legislation. Hence, it is profoundly disappointing that the Attorney-General has been responsible for a legislative process which has been (at least thus far) shambolic and less than satisfactory.

1.2 The Senate is now placed in the invidious position of having to balance the merits of introducing a legislative basis for identity verification services against the material concerns raised by expert stakeholders with respect to the adequacy of the proposed Bills which have been presented for the scrutiny of this Committee.

Context of preparation of this Dissenting Report

1.3 In preparing this Dissenting Report, I reviewed the contributions made by both the Attorney-General and the Hon. Paul Fletcher MP, Shadow Minister for Government Services and the Digital Economy, in the House of Representatives.

1.4 In a speech made on 17 October 2023, the Hon. Paul Fletcher MP, Shadow Minister for Government Services and the Digital Economy, concluded as follows:

I conclude by making the point that there are too many unknowns for the opposition to support these bills as they stand. We will consider our position carefully, including through the committee process. Once the committee has completed its review and it has been possible to properly consider these questions and the answers that have been provided, it may be that the opposition will be in a position to support these bills at that time. I simply cannot make a commitment on that now. At their heart, these bills involve a good idea and follow a policy direction that was set down by the former government; but they also represent a missed opportunity, a failure to follow through on commitments and a botched process. These bills need proper scrutiny, and this opposition will not be waiving anything through until that proper scrutiny has occurred.[1]

1.5 These comments were made only 22 days ago. That is all the time that this Committee has had to consider this complicated piece of legislation. During that time, serious concerns have been raised by expert stakeholders. If anything, there are now even more unknowns at the end of the Committee process than there were at the start. First and foremost of these is to what extent is the government prepared to accept the eleven recommendations made in the majority report? If so, to what extent will the amendments truly address the deep concerns of stakeholders? Will expert stakeholders have the opportunity to consider and comment on amendments made to the Bills (if any) in response to the majority report? (In the absence of such an opportunity, Senators need to be extremely wary of passing Bills which deal with complicated subject matter of grave concern to Australians). Moreover, what is the road map (if any) to implement a cohesive review and implementation of reform of a complicated matrix of legislation including the Privacy Act 1988 (Privacy Act), the Digital ID Bill and the Bills the subject of this inquiry?

Exchange with Professor Edward Santow, Co-Director of the Human Technology Institute – Senate now in an 'invidious' position

1.6 The unsatisfactory position the Senate now finds itself in is perhaps best exemplified by the following exchange I had with Professor Edward Santow (an expert in the field who is well known to the Committee through his previous position as Human Rights Commissioner with the Australian Human Rights Commission) during the public hearing of the Committee inquiry held on 30 October 2023 and his subsequent answer to my question taken on notice:

Senator SCARR: I appreciate the answers you've both given to those questions. It is likely—I'm just trying to be realistic here—that this bill is going to be put forward without substantive amendment for consideration of the parliament. Unless those changes which you're proposing in terms of protection of privacy are made, do you think the parliament should pass the legislation?

Prof. Santow: I think we're put in an invidious position here, because, at the moment—

Senator SCARR: We are, but that's the position we're in, I'm afraid.

Prof. Santow: I accept that. So, being pragmatic, in a perfect world, you'd go first with the privacy reform and then move forward with this idea. Still, I understand why the government may not wish to do that. I think what that then means is that you need to bring those two bills in line.

I absolutely endorse Professor Bennett Moses's suggestion of sunsetting, but you could bring the digital ID bill in line with this bill. Most of chapter 3 of the digital ID bill can be imported into this bill. That would be very easy to do. If there were such extraordinary urgency, then it could be done through subordinate legislation. That's the least attractive option, but it would still be better than the bill as it currently appears. It would require a relatively small amendment to clause 44 of the bill. That would then put the onus on the minister to uplift those privacy protections so you don't have a completely fragmented regime, which would not only be very difficult for business and government agencies to comply with but also would leave Australians inadequately protected with respect to their privacy rights.

Senator SCARR: What if none of those things occur and the parliament is left with the bill unamended, without the sunsetting, without the regulations and without the privacy obligations being imported from the draft digital ID bill?

Prof. Santow: I feel very uncomfortable answering that question because it's entirely within the gift of the parliament, and especially the minister, the government, to fix that. I need to, perhaps, take that question on notice. But it would not be difficult to, at the very least amend, clause 44 in the way I just described.

Senator SCARR: Could you take the question on notice? I'm anticipating that could well be the position that parliament's in...[2]

1.7 Professor Santow’s answer to the question on notice:

My answer to this question is as follows. The Government has not made a compelling argument that it would be impossible or impractical to improve the privacy protections applicable to these two Bills – at least by adopting one of the solutions proposed in the Human Technology Institute’s written submission. I recommend that these Bills proceed only if those privacy protections have been enhanced, adopting one of the solutions proposed in the Institute’s submission or another mechanism proposed by the Government itself.[3]

1.8 As Professor Santow has commented, it is indeed an “invidious” position. It does not reflect well on the Attorney-General’s management of this legislative process.

What is not contained in the Bills – departure from approach of the previous Coalition Government

1.9 It is noted that the previous Coalition Government introduced identity legislation bills; however, those Bills dealt with other safety and security functions which are not contained in the current Bills. Why? There is no coherent explanation provided by the Attorney-General. Again, I quote from the remarks made by the Hon. Paul Fletcher MP, Shadow Minister for Government Services and the Digital Economy:

This is not the first time the parliament has been asked to deal with identity legislation. Like much of the legislation that we have seen from the Albanese Labor government, these bills draw on and are based on coalition legislation, at least in theory.

In 2018, the coalition introduced the Identity-matching Services Bill and a related bill amending the Australian Passports Act. We referred them to the Parliamentary Joint Committee on Intelligence and Security. Together they lapsed at the 2019 election, and we reintroduced them.

This government would have you believe that the bills currently before the House are successors to these original coalition bills, but scratch beneath the surface and much has changed—indeed, almost changed beyond recognition.

The coalition bills were not solely about identity matching. The coalition bills aimed to give effect to commitments made by the Commonwealth government in an intergovernmental agreement with all of the states and territories. That agreement is called the Intergovernmental Agreement on Identity Matching Services, and the very first page describes it as: “An Agreement to share and match identity information, with robust privacy safeguards, to prevent identity crime and promote law enforcement, national security, road safety, community safety and service delivery outcomes” [my emphasis].

The coalition's bills dealt with services to share and match identity information with robust privacy safeguards for the purposes of preventing identity crime and promoting law enforcement, national security, road safety, community safety and service delivery outcomes. None of these purposes are addressed by the bill which is now before the House.

The only point at which national security is mentioned in a substantive way in either the main bill or the explanatory memorandum is in relation to a clause which allows the secretary to redact participation agreements. This is despite the states and territories having agreed to share photos and data for the express purposes of identity protection and community safety. This raises many questions. What gaps have been left by the Attorney-General's failure to follow through on the purposes of the intergovernmental agreement? Has he weakened our national security? Is he asking police to fight crime with their hands tied? Is he opening the door to fraudsters and identity thieves? Will our roads be more dangerous? We should know these things before we vote.

The Attorney-General sat on the PJCIS when in opposition and scrutinised these coalition bills. A review of the public hearing transcripts suggests he was very keen to avoid following through on the national security obligations. As the Attorney-General knows, the PJCIS recommended the bills be redrafted and then come back to the PJCIS. Instead, the Attorney-General has redrafted the bills and, in doing so, ensured that they do not include the safety and security functions that our state and territory partners might expect. He's graciously taken the view that, because of the way he redrafted them, it was not necessary for him to refer them back to the PJCIS, even though he, himself, sitting on that committee, contributed to the request that the bills come back to the PJCIS.[4]

1.10 Again, there is a lack of explanation for, and coherency in, the approach adopted by the Attorney-General.

The failure of the Attorney-General to implement an appropriate legislative process

1.11 Expert stakeholders raised concerns with the short time frame for the inquiry into these Bills. The Law Council of Australia (Law Council) stated:

It is troubling that such a short reporting period has been imposed on this inquiry, providing a little over two weeks for stakeholders to make submissions about a proposed legislative framework for identity verification services… The Law Council is concerned that the timeframe for this inquiry does not reasonably enable the Committee to carefully scrutinise whether the Bills strike the correct balance.[5]

1.12 The concern raised by the Law Council is compounded by the complicated nature of the legislation and the risk of 'unintended consequences', including in a situation where the Bills may be the subject of detailed amendments.

1.13 Ms Lizzie O'Shea, Digital Rights Watch, made the following point:

Partly, it's also quite concerning in this instance, given that there was a bill proposed which was withdrawn and that a number of years passed in which the scheme was implemented notwithstanding, apparently without a legislative basis, and then we're given three weeks to consider both that context and the proposal to implement the legislative basis. It feels pretty disappointing, given this has been going on for some time, that the pressure is applied at this point in the process.[6]

1.14 Of additional concern is how the Bills operate in conjunction with the Digital ID Bill and the review of the Privacy Act. The concerns of Digital Rights Watch are relevant in this regard:

The legislative framework proposed in the [Identity Verification Bills] must be consistent with the [proposed] Digital ID Bill. These systems are inextricably linked, and will inevitably end up complementing (or contradicting) each other. Inconsistencies between them risk the creation of loopholes and ineffective governance processes.

The current deficiencies in Australia’s privacy law leave a number of privacy risks unaddressed in the IVS Bill. As privacy is a core part of making this scheme work safely, we strongly urge that reform of the Privacy Act be completed before such potentially pivotal systems such as IVS are built on top of its guarantees.[7]

1.15 Ms Shohini Sengupta of the UNSW Allens Hub for Technology, Law and Innovation also added:

We've made an argument for both the IVS bill and the IVS consequential amendments bill to be considered congruously with the digital ID bill because we believe that the issues we raise refer to the subject matter in both. Broadly, we recommend a more considered approach towards the adoption of biometric technology in identification, specifically on facial recognition technology.[8]

1.16 Similar concerns were raised by Professor Lyria Bennett Moses, Director of the University of New South Wales Allens Hub for Technology, Law and Innovation, in evidence to the Committee:

What we are essentially arguing is that these bills cannot achieve their full objectives, including protecting Australians from some of the risks inherent in the deidentification systems and services, until they are considered holistically alongside the digital identity legislation and, as has also been mentioned, the Privacy Act reform.

Clause 6 of that bill, inserting section 46A into the Australian Passports Act, gives the minister carte blanche to arrange for the use of an automated system to disclose personal information to those participating in two of the schemes. Robodebt highlighted that automated systems can yield errors at scale. It also goes without saying that there are significant cybersecurity risks associated with any automated process for personal information disclosure. So we need to worry not only about bugs but also about vulnerabilities that might be exploited by malicious actors. We strongly suggest—either now or when the bills come back for review in more depth after a sunset provision—that consideration is given to adding requirements around evaluation, including that they meet performance standards in accordance with statutory criteria for disclosure, that regular threat assessment is done, that security testing is done, and so forth.[9]

1.17 Ms Lizzie O’Shea, Digital Rights Watch, made the following point to the Committee:

Partly, it's also quite concerning in this instance, given that there was a bill proposed which was withdrawn and that a number of years passed in which the scheme was implemented notwithstanding, apparently without a legislative basis, and then we're given three weeks to consider both that context and the proposal to implement the legislative basis. It feels pretty disappointing, given this has been going on for some time, that the pressure is applied at this point in the process.

Also, it's surprising to me that you would have different privacy regimes in each, given the way in which they are linked. There's also a regulatory burden that's been created for government. They're implementing two different privacy regimes, one of which is much more substandard than the other, which is this one. Also, in a context where we're going through pretty significant privacy reforms, it looks likely, if the Attorney's plan is enacted, that we will have considerable reforms made to the Privacy Act, which will again create another change to the scenario in which these schemes are implemented. All of these seem excessively cumbersome, unclear for people who are subjected to these schemes and costly in terms of regulatory burden.

In terms of protecting people from criminal conduct, among other things, including what we'd call identity theft, I think the reform of the Privacy Act is the most urgent priority of the current parliament. That ought to be brought on as quickly as possible. We completely understand the need for this scheme—we're not suggesting that such a scheme not be implemented at all—but, in our opinion, it's simply inappropriate to do that without proper protection for people's rights. It is vital that privacy reform take place. In the absence of that, at a very minimum, we would have thought that the same protections that apply in the digital identity bill would be introduced here; it would make sense, obviously. We understand the urgency of protecting people from criminal conduct, but we don't think this rushed process without proper protections is necessarily the solution that we ought to adopt. There are better ones available, in the form of the privacy reform, that are straightforward and already in progress. It's not clear to us why this position is justified or why this particular bill is justified in those contexts.[10]

1.18 The Law Council made the same point during its evidence at the public hearing:

Much of the Law Council's submission, like those of many other contributors, focuses on the interaction between the proposed scheme and the Commonwealth Privacy Act. As a general comment, the fragmented approach to privacy and data reform that is illustrated by these bills is not conducive to promoting harmonisation and clarity across Australia's digital identity, privacy and identity verification frameworks. The Law Council reiterates its call for a roadmap of the harmonisation of Australia's privacy and data laws to ensure the development of a national privacy framework that is consistent, clear and accessible [my emphasis].

Ideally, it would be, in our view, much more efficient to have a consolidated review of the privacy regime, which is one of the core topics of debate regarding this legislative theme. As many of the contributors, in our view, rightly pointed out, the comprehensive review of the Privacy Act and the government responses issued on 28 September which agreed either directly or in principle with most of the recommendations, that would be our proposed more efficient way of dealing with these types matters.[11]

1.19 The Human Rights Commissioner of the Australian Human Rights Commission echoed the concerns of the other stakeholders:

We have concerns about proceeding with the Verification Services Bills (which rely upon the yet-to-be-modernised Privacy Act) before the privacy law reform process is completed. For this reason, the privacy protections built into the Verification Services Bills are currently incomplete and not appropriate to safeguard privacy against verification technologies. The Privacy Act reforms must be completed before the Verification Services Bills are enacted.[12]

1.20 Commissioner Finlay also made the following point at the public hearing for the Inquiry:

The first thing we would say is that, as a bare minimum—and I'd refer to our written submission here—we'd see the need for a subsequent review mechanism to be built into the legislation to ensure that, once those privacy law reforms are completed, there is a subsequent review so that we can try and ensure not only that the current bill now, if it is passed, has those minimum protections but that, in the longer term, we're not creating an additional problem of disjointed regimes when it comes to privacy and that, even if it is in the long term rather than today, we end up with a harmonised regime.[13]

Higher standards of privacy required than those provided by the Attorney-General in the Bills

1.21 There was strong evidence from the expert stakeholders with respect to the inadequacy of the privacy protections in the Bills.

1.22 Professor Edward Santow of the Human Technology Institute, University of Technology Sydney, advised:

The goal of digital ID is to increase convenience for citizens, reduce privacy and other risks and save money for the government and the private sector. But this goal can only be achieved if the underlying technology is sound and if there are strong legal safeguards; otherwise digital IT brings enormous risks, especially to Australians' privacy rights.

Our submission recognises that improvement and points to a number of good provisions in the bill. However, the privacy protections in the IVS bill are inadequate. Essentially the bill provides that an organisation need only comply with the existing federal, state, territory or New Zealand privacy laws. That position is untenable.

The government recently committed to reform the Privacy Act in accordance with recommendations from the Attorney-General's Department; however, there's no time line for that reform. If this bill is passed, it will rely on fundamentally inadequate privacy protections. Meanwhile, the finance minister has released an exposure draft Digital Identity Bill—legislation that is intimately connected to the IVS bill. The digital ID bill recognises the flaws with existing privacy legislation, and it contains an entire chapter with additional privacy protections for digital ID.

We urge the committee to recommend clearer legislation to govern all uses of one-to-many facial-recognition technology.[14]

1.23 Ms Lizzie O’Shea of Digital Rights Watch made the following point to the Committee:

In terms of protecting people from criminal conduct, among other things, including what we'd call identity theft, I think the reform of the Privacy Act is the most urgent priority of the current parliament. That ought to be brought on as quickly as possible. We completely understand the need for this scheme—we're not suggesting that such a scheme not be implemented at all—but, in our opinion, it's simply inappropriate to do that without proper protection for people's rights. It is vital that privacy reform take place. In the absence of that, at a very minimum, we would have thought that the same protections that apply in the digital identity bill would be introduced here; it would make sense, obviously. We understand the urgency of protecting people from criminal conduct, but we don't think this rushed process without proper protections is necessarily the solution that we ought to adopt. There are better ones available, in the form of the privacy reform, that are straightforward and already in progress. It's not clear to us why this position is justified or why this particular bill is justified in those contexts.[15]

1.24 The Law Council stated:

Given the sensitive personal information, including biometric information, held within the framework, higher standards of compliance should apply to parties, beyond reliance on the existing Privacy Act, which is not fit for purpose in the digital landscape. Clause 10 of the Bill imposes minor additional privacy obligations on parties to a participation agreement that proposes to request identity verification services, however these are limited in scope and unlikely to promote public trust in the scheme.[16]

1.25 The Human Rights Commissioner, Mrs Lorraine Finlay, stated to the Committee:

… the privacy protections currently contained within the bills are, in our view, incomplete and insufficient. The bills rely primarily on the protections provided under the existing Privacy Act, which the Attorney-General himself has stated has 'not kept pace with changes in the digital world'. The Privacy Act review conducted by the Attorney-General's Department and released last year made 116 recommendations to reform the Privacy Act so it remains fit for purpose. The government response to this review, which was released just over a month ago, recognises that stronger privacy protections for Australians are needed and acknowledges that there is still work to be done before this reform process is completed. Given this, we have concerns about proceeding with the current bills, which substantially rely upon the yet-to-be-completed privacy law reforms, before that reform process is completed. Our primary submission, therefore, is that the Privacy Act reform should be completed before the identity verification services bills are enacted. The final point we wish to highlight is that these bills are inextricably linked to not only the Privacy Act reforms but also the exposure drafts that have been released for the proposed digital identification legislation rules. It is highly desirable for Australia's digital identity, privacy and identity verification framework to be consistent, and we would encourage this committee to emphasise the need for these three reform processes to be more expressly and effectively harmonised.[17]

Should the government decide to proceed with passing the Verification Services Bills prior to reforming the Privacy Act, an additional privacy-focused review mechanism should be included. Such a mechanism would ensure that 12 months after receiving royal assent, the Verification Services Bills would be reviewed alongside the Privacy Act to ensure that subsequent privacy reforms are adequate to protect individuals’ data. Should privacy reform still be ongoing, the Verification Services Bills should be reviewed at 12-month intervals until the Privacy Act reforms are passed. Then a final examination of the interaction between the Privacy Act and Verification Services Bills should be undertaken with the aim of determining the adequacy of privacy protection for individuals.

Another solution while the Privacy Act is under review, would be to create a privacy framework specifically for the Verification Services Bills. This may offer a solution in the short to medium term, while waiting for the Privacy Act reforms to be finalised. However, a distinct privacy framework would further complicate the already highly technical privacy legislative landscape – which is why reliance on a reformed Privacy Act is preferred.[18]

1.26 Digital Rights Watch stated:

In particular, we note that the Digital ID Bill proposes markedly more robust privacy protections, and as a bare minimum, the IVS Bill ought to be amended to match the privacy protections proposed under the Digital ID framework.[19]

1.27 Privacy concerns were also raised by the Parliamentary Joint Committee on Human Rights which noted:

The committee is concerned about the impact on the right to privacy for the millions of Australians whose data is contained in the National Driver Licence Facial Recognition Solution database and the use of biometric identity verification services. The committee also considers that facilitating the use of biometric identity verification for the purposes of accessing social security and other government services engages and may limit the right to social security. In addition, the measures may engage and limit the right to equality and non-discrimination if the measures were to have a disproportionate impact on members of certain groups or if biased or erroneous data led to discriminatory decisions. Further, if the measures impermissibly limited one or more of these rights, it is not clear whether an individual would have access to an effective remedy with respect to any violation of rights.[20]

1.28 There is a material question as to whether the Attorney-General would be open to making appropriate amendments to the Bills. In this regard, I note the following commentary by the Attorney-General's Department during the course of this inquiry:

On this basis, the department does not accept that identical privacy protections are necessarily required and thinks that the privacy protections for each scheme are appropriate to their context and policy intent.[21]

1.29 The Attorney-General’s Department stated in response to the following question asked at the public hearing:

Senator SCARR: A number of stakeholders have put forward the proposition that, as a bare minimum, this bill should be amended to include additional privacy protections, and they've referred to the exposure draft of the Digital Identity Bill 2023. In fact, I asked at least one witness, maybe two, to take on notice specific provisions in that bill which could be transplanted into this bill. From your opening statement it seems you don't think that's going to work.

Ms Inverarity: We don't think it would work for them to be identical in every respect; they are doing slightly different things in slightly different ways. But we are extremely open to sensible suggestions for privacy enhancements. We have had productive conversations with the Office of the Australian Information Commissioner about the suggestions that they have made. We think, in many ways, the privacy protections are aligned; although, they are slightly different in how they are described between the two pieces of legislation. If there are aspects of the digital ID bill that could sensibly be replicated in this bill then we are certainly not closed to that, but it is not immediately clear to us what those protections necessarily are and how they would sit within the scheme that this bill creates [my emphasis].[22]

The issue with 'mission creep'

1.30 In response to a question taken on notice, the UNSW Allens Hub for Technology, Law and Innovation raised the following issue with respect to 'mission creep' based on the experience overseas during the COVID–19 pandemic:

We believe that the fundamental issue of excessive delegated legislation, without adequate Parliamentary checks and balances may lead to an eventual mission creep of identification technologies as highlighted in our earlier submission to the Committee. We draw attention to India’s Digital identity Program (Aadhaar) which saw a similar creeping expansion, without adequate legal safeguards particularly during the COVID-19 pandemic. In 2020, India introduced a contact tracing app (Aarogya Setu), connecting each individual user with their unique identification number (Aadhaar number) for validation of their data. Although the app was introduced as ‘voluntary’, it was soon pushed aggressively by multiple State authorities including the Ministry of Home Affairs. Aarogya Setu derived its legality from the Disaster Management Act 2005 which is a comparable legislation to Australia’s Biosecurity Act 2015. The Disaster Management Act 2005 in India allowed the Union Government to lay down guidelines for, or give directions to other State authorities, Ministries and Departments regarding any measures to be taken in light of a disaster. The law also allowed the State to make, or amend any rule, regulation, notification, guideline, instruction, order, scheme or bye-laws for the prevention or mitigation of disasters.

The other issue with excessive and unchecked delegated power, especially during times of disasters is the convergence of multiple digital technologies of identification that exacerbate conditions of surveillance and data breaches. In the case of India, COVID-19 saw the roll-out of a dozen government applications that used a combination of features, including GPS surveillance, facial recognition and thermal imaging, to identify and trace the potential carriers of the virus, enforce quarantines and lockdowns, and allocate additional healthcare resources. Despite privacy protections, and the collection of aggregated and anonymised data through such digital technologies, the threats of such data being leaked and anonymised information being re-identified nevertheless persist. Scholars have persistently pointed out how Aarogya Setu violated the proportionality principle through expansive provisions giving the executive wide powers, lacked a sunset clause, and facilitated excessive collection, processing, storage, and sharing of sensitive personal data with an increasing number of State authorities. This poses concerns for both cybersecurity and surveillance.

As such, we advise caution and careful consideration of the impacts of other legislation such as the Biosecurity Act 2005 on privacy and the IVS Bill. This is because certain provisions of the Biosecurity Act 2005 may lay the foundations for indiscriminate use of digital identification technologies, in combination with other technologies, particularly in times of national disasters. As has been seen in the context of COVID, this can lead to legitimate cybersecurity and surveillance concerns [my emphasis]. There is a need for adequate legislative safeguards around actual practices surrounding the national digital identity system, voluntary or otherwise, and to protect against any future mission creep.

Following on from our oral testimony, we suggest that further consideration be given to amending the Bills either before they are passed or, if that is not possible due to urgency, then after a sunset period that would enable full consideration alongside the digital identity system as a whole and the Privacy Act 1988 reforms.[23]

Material concerns raised by the Senate Legislation Scrutiny Committee inadequately responded to by the Acting Attorney-General

1.31 The above issue of 'mission creep' is compounded by the scrutiny concerns raised by the Senate Legislation Scrutiny Committee in relation to the Bills.

1.32 Under the proposed amendment to the Australian Passports Act 2005, the Minister may by determination nominate additional services for the sharing or matching of information relating to the identity of a person.[24] There is no guidance provided in the proposed amendment in relation to what matters should be considered by the Minister in making such a determination.

1.33 It is noted that the Acting Attorney-General was not prepared to make any material amendments to the Bill to address the concern of the Senate Scrutiny of Legislation Committee. In response to the legitimate and material concern raised by the committee, the most recent digest summarises the Acting Attorney-General’s response as follows:

2.61 In relation to whether high-level guidance could be provided about what can be included in a ministerial determination under proposed paragraph 46(da)(iii) and any considerations the minister must make before making such a determination, the Acting Attorney-General advised that it is not necessary to include these matters in the bill. The Acting Attorney-General advised that it is intended to provide flexibility should the need arise for a new type of identity verification service to share or match information and any such service would operate in accordance with the legislative framework set out in the Identity Verification Services Bill 2023.[25]

1.34 With respect, that is the concern. The executive government’s desire for 'flexibility' undermines the Parliament’s legislative function to consider the ambit of the legislation and its application. As the Scrutiny Committee noted in its most recent digest:

2.68 The committee draws this matter to the attention of senators and leaves to the Senate as a whole the appropriateness of expanding the purposes for which personal information may be disclosed by ministerial determination, with limited high-level guidance as to what can be included in a ministerial determination and any considerations that must be taken into account before such a determination is made.[26]

1.35 This scrutiny issue should be considered in the context of the concerns raised by expert specialist stakeholders in the context of identity verification legislation of so-called 'mission creep' in relation to such legislation.[27] Given the sensitivity and privacy issues arising in connection with such services, this is not acceptable.

Transition issues for the Private Sector inadequately considered by the Attorney-General

1.36 Material issues were raised around the transition issues for the private sector, including the content of 'participation agreements' and the time required to prepare for transition. As stated by Equifax management at the public hearing:

Our three areas of consideration relate to the participation agreement. We do understand that these will be different to our existing agreements with the department; however, we haven't seen a draft of those agreements yet. For us, this creates uncertainty around the level of investment required to establish our compliance with these obligations. It could mean new business capability is required. That's especially in the light of the digital ID regime. The costs of the services are yet to be shared, which generates further uncertainty for industry around our ability to recover costs.[28]

1.37 In addition, Equifax gave an example of the time taken to implement an operational change to simply add an additional field for a driver's licence number:

…our second point of consideration relates to the time frame of the participation agreements to come into effect, which right now is listed as being 12 months after the bill has been given royal assent. By way of example, when we added one field for a drivers licence verification, the card number field, this took over two years to implement nationally. So we expect significant time will be required to operationalise our compliance and the compliance of our 600 customers with these new participation agreements. Really, we're seeing that that's a significant risk that those new obligations cannot be met within 12 months. We recommend a longer transition period.[29]

1.38 This highlights issues relating to the practical implementation of this legislation. If there needs to be such a lengthy transition, why can't a more coherent legislative approach be adopted?

The issue of consent – express, implied or Hobson's choice?

1.39 The issue of consent was discussed at the hearing. A number of stakeholders recommended defining the required consent as being 'express'. However, the Attorney-General’s Department appeared to consider it appropriate that the current approach be adopted, which permits both express and implied consent. A further issue is what happens if the services will not be provided unless consent is granted – does this then become a Hobson’s choice for the consumer?

1.40 The concerns in this regard were put in the following terms by the Law Council in their evidence at the public inquiry:

There may be no real or practical opportunity for individuals to opt out of these schemes, thereby placing a heavy onus on the government to ensure that adequate safeguards and oversight mechanisms are in place.[30]

Yes, there are a number of safeguards in that other bill which we think could easily apply in this instance. The issue of consent has come up quite a bit in this morning's discussions. I think the digital ID bill's reference to 'express consent' is something that could easily make its way into this bill. The reference to 'implied consent' in the explanatory memorandum is concerning. We also think that, with the oversight of the Information Commissioner in the digital ID bill, there is a stronger role for the commissioner there, and we think that could certainly improve this current bill.[31]

Conclusion

1.41 In all the circumstances detailed above, I cannot in good faith recommend the passage of the Bills. It is noted that the Majority Report recognises that amendments are required to the Bills. However, I am not convinced that the recommendations provided by the Majority Report would be sufficient (even if adopted in full) to address the material and significant concerns raised by a range of expert stakeholders. This is an entirely unsatisfactory situation. At the very least, there would need to be detailed amendments made to the Bills with a reasonable opportunity for expert stakeholders to provide detailed comments prior to further consideration of the Bills by the Senate. Ideally, the Bills would be reworked in conjunction with the review of the Privacy Act and consideration of the Digital ID Bill. An explanation should also be provided as to the exclusion of the safety and security matters provided for in the previous iteration of these Bills proposed by the previous government. Why have these matters been excluded? What is proposed in this regard?

Recommendation 1

1.42 It is recommended that the Bills not be passed in their current form and that they be withdrawn for further detailed consideration and rework (informed by the expert evidence received by this inquiry) in conjunction with the review of the Privacy Act and the consideration of the Digital ID Bill.

Senator Paul Scarr

Deputy Chair

Liberal Senator for Queensland

Footnotes

[1] The Hon. Paul Fletcher MP, Shadow Minister for Government Services and the Digital Economy, House of Representatives Proof Hansard, 17 October 2023, p. 13.

[2] Human Technology Institute responses to spoken questions on notice, taken at a public hearing on 30 October 2023 (received 3 November 2023).

[3] Human Technology Institute responses to spoken questions on notice, taken at a public hearing on 30 October 2023 (received 3 November 2023).

[4] The Hon. Paul Fletcher MP, Shadow Minister for Government Services and the Digital Economy, House of Representatives Proof Hansard, 17 October 2023, p. 11.

[5] Law Council of Australia (Law Council), Submission 12, p. 1.

[6] Ms Lizzie O'Shea, Chair, Digital Rights Watch, Committee Hansard, 30 October 2023, p. 16.

[7] Digital Rights Watch, Submission 9, pp. 2–3.

[8] Ms Shohini Sengupta, PhD student, University of New South Wales Allens Hub for Technology, Law and Innovation, Committee Hansard, 30 October 2023, p. 9.

[9] Professor Lyria Bennett Moses, Director, University of New South Wales Allens Hub for Technology, Law and Innovation, Committee Hansard, 30 October 2023, p. 9.

[10] Ms Lizzie O'Shea, Chair, Digital Rights Watch, Committee Hansard, 30 October 2023, pp. 16–17.

[11] Ms Olga Ganopolsky, Chair, Privacy Law Committee of the Business Law Section, Law Council, Committee Hansard, 30 October 2023, pp. 20–21.

[12] Australian Human Rights Commission, Submission 7, p. 2.

[13] Mrs Lorraine Finlay, Human Rights Commissioner, Australian Human Rights Commission, Committee Hansard, 30 October 2023, p. 29.

[14] Professor Edward Santow, Director, Policy and Governance, Human Technology Institute, University of Technology Sydney, Committee Hansard, 30 October 2023, p. 8.

[15] Ms Lizzie O'Shea, Chair, Digital Rights Watch, Committee Hansard, 30 October 2023, pp. 16–17.

[16] Law Council, Submission 12, p. 5.

[17] Mrs Lorraine Finlay, Human Rights Commissioner, Australian Human Rights Commission, Committee Hansard, 30 October 2023, pp. 27–28.

[18] Australian Human Rights Commission, Submission 7, p. 2.

[19] Digital Rights Watch, Submission 9, p. 2.

[20] Parliamentary Joint Committee on Human Rights, Report 11 of 2023, 18 October 2023, p. 39.

[21] Ms Tara Inverarity, Acting Deputy Secretary, National Security and Criminal Justice Group, Attorney-General's Department, Committee Hansard, 30 October 2023, pp. 36–37.

[22] Ms Tara Inverarity, Acting Deputy Secretary, National Security and Criminal Justice Group, Attorney-General's Department, Committee Hansard, 30 October 2023, p. 38.

[23] UNSW Allens Hub for Technology, Law and Innovation, responses to spoken questions on notice taken at a public hearing on 30 October 2023 (received 6 November 2023).

[24] Item 3 of Schedule 1 of the Identity Verification Services (Consequential Amendments) Bill 2023.

[25] Senate Standing Committee for the Scrutiny of Bills, Scrutiny Digest 13/23, 8 November 2023, p. 54.

[26] Senate Standing Committee for the Scrutiny of Bills, Scrutiny Digest 13/23, 8 November 2023, p. 55.

[27] Senate Standing Committee for the Scrutiny of Bills, Scrutiny Digest 13/23, 8 November 2023, p. 55.

[28] Ms Tehani Legeay, General Manager, Identity, Fraud and Anti-Money Laundering Compliance, Equifax, Committee Hansard, 30 October 2023, p. 2.

[29] Ms Tehani Legeay, General Manager, Identity, Fraud and Anti-Money Laundering Compliance, Equifax, Committee Hansard, 30 October 2023, pp. 2–3.

[30] Ms Olga Ganopolsky, Chair, Privacy Law Committee of the Business Law Section, Law Council, Committee Hansard, 30 October 2023, p. 20.

[31] Mr Nathan MacDonald, Deputy Director of Policy, Law Council, Committee Hansard, 30 October 2023, p. 21.