Bills Digest No. 98, 2019–20
Claire Petrie
Law and Bills Digest Section
12 May 2020
Contents
Purpose of the Bill
Background
Key issues and provisions
Date introduced: 12 May 2020
House: House of Representatives
Portfolio: Attorney-General
Commencement: Sections
1–3 commence on Royal Assent; Schedule 1 and item 1 of Schedule 2 commence
the day after Royal Assent; and Schedule 2, items 2 to 4 commence at the end
of 90 days after the day determined by the Health Minister to be the end of
the COVIDSafe data period.
Links: The links to the Bill,
its Explanatory Memorandum and second reading speech can be found on the Bill’s
home page, or through the Australian
Parliament website.
When Bills have been passed and have received Royal Assent,
they become Acts, which can be found at the Federal Register of Legislation
website.
All hyperlinks in this Bills Digest are correct as
at May 2020.
Purpose of the Bill
The purpose of the Privacy Amendment (Public Health
Contact Information) Bill 2020 (the Bill) is to amend the Privacy Act 1988
to provide for a range of offences and privacy protections in relation to the
collection, use, disclosure and deletion of data in connection with the
COVIDSafe contact tracing app (the app).
Background
COVIDSafe app
The COVIDSafe app was made available for download on 26
April 2020, as one component of the Government’s response to the COVID-19
pandemic.[1]
The app is designed to enhance existing contact tracing processes in relation
to those who test positive to COVID-19, by maintaining a log of the Bluetooth
connections a person’s phone makes with the phones of those they come in
contact with. These connections, referred to as ‘digital handshakes’, involve
the exchange of anonymised, temporary IDs (generated every two hours) which are
stored in encrypted form on the mobile devices of the two users, along with
data concerning the date, time, Bluetooth signal strength and duration of the
contact. The app does not collect location data.[2]
This data is stored on a person’s device for a rolling 21
day period. If an app user tests positive to COVID-19, they may consent to this
encrypted data being uploaded to the National COVIDSafe Data Store, which then
provides the relevant State or Territory health authority with the registration
data (name or pseudonym, mobile phone number, age range and post code) of other
app users who spent more than 15 minutes within 1.5 metres of the confirmed
case. State and Territory health authorities then use the data in connection
with existing contact tracing processes.[3]
The Government states the app will ‘speed up the process
of identifying people who have been in close contact with someone diagnosed
with coronavirus, quickly stopping further spread of the virus in the
community’.[4]
The National COVIDSafe Data Store is operated by the Digital Transformation
Agency and is hosted by Amazon Web Services in Australia. The Commonwealth is reported
to have entered into MOUs with State and Territory health authorities in regard
to the use of data obtained through the app.[5]
The COVIDSafe app has been the subject of considerable
public scrutiny, in respect of its effectiveness, transparency surrounding its
operation, and the security of data collected.[6]
Similar issues are being considered around the world, as governments look to
use technology to assist in controlling and limiting the spread of COVID-19,
particularly as lockdown restrictions ease.[7]
The Australian Government has released the privacy
impact assessment of the COVIDSafe app, conducted by Maddocks, as well as
the Department’s
response. On 8 May 2020, the Digital Transformation Agency released the
source code for the app.[8]
As at 10 May 2020, it was reported that there have been
5.4 million downloads of the app.[9]
Biosecurity Determination
To date, the legislative protections for the collection,
use and disclosure of COVIDSafe app data have been contained in the Biosecurity
(Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential)
(Emergency Requirements—Public Health Contact Information) Determination 2020
(COVIDSafe Determination), made by Minister for Health, Greg Hunt, exercising
his human biosecurity emergency powers under the Biosecurity Act
2015 (Cth).[10]
Section 477 of the Biosecurity Act, under which the COVIDSafe
Determination has been made, allows the Health Minister, during a human
biosecurity emergency period, to determine any requirement the Minister is
satisfied is necessary to:
- prevent
or control the entry, emergence, establishment or spread of the declaration
listed human disease in Australian territory, or a part of Australian territory
- prevent
or control the spread of the disease into another country or
- give
effect to any recommendation made to the Minister by the World Health
Organisation in relation to the disease.
Determinations made by the Minister under this power are
non-disallowable, and have effect until the end of the biosecurity emergency
period (unless revoked earlier). Any requirement determined by the Minister
under section 477 applies ‘despite any provision of any other Australian law’.[11]
The COVIDSafe Determination sets out the limited
circumstances in which a person may collect, use or disclose COVID app data;
limits the retention of COVID app data on a mobile device to 21 days and
requires all data in the National COVIDSafe Data Store to be deleted after the
conclusion of the pandemic; prevents data uploaded to the Data Store being held
on a database outside Australia; prohibits the decryption of encrypted
COVIDSafe data that is stored on a mobile device; and contains a range of prohibitions
on coercing another person to download or operate the app. It is an offence to
engage in conduct which contravenes a requirement set out in the determination,
with a maximum applicable penalty of five years imprisonment and/or 300 penalty
units.[12]
Concerns have been raised about potential gaps in the
protections provided by the COVIDSafe Determination, including the absence of
oversight or reporting mechanisms and the fact that as delegated legislation,
the Determination may be amended or repealed by the Minister at any time.[13]
Law Council of Australia President, Pauline Wright, has stated:
The Law Council does not consider that an executive order is
the optimum way to make laws, especially laws that determine criminal offences
and make provisions for important protections of privacy and security of
personal information, so it is critical that legislation be introduced as soon
as possible.
As an executive instrument, the Determination is inherently
susceptible to unilateral executive amendment or repeal and must be considered
as a strictly interim measure, pending the introduction of legislation in the
Parliament to put the regulatory framework on a comprehensive statutory
footing.[14]
The Government released an Exposure
Draft of the current Bill on 4 May 2020.[15]
Privacy experts and lawyers have suggested the Exposure Draft addresses a
number of concerns raised in respect of the COVIDSafe Determination, including
by: providing for oversight of the laws by the Office of the Australian
Information Commissioner (OAIC); providing opportunities for individuals
affected by a breach to seek a remedy; and clarifying that State and Territory
health authorities are captured by data use restrictions.[16]
However, they also argued that uncertainties and other issues remain. Some of
these have been addressed in the first reading version of the Bill, as
introduced into Parliament on 12 May 2020. Other concerns are discussed below.
Key issues and provisions
The Bill substantially reproduces the obligations and
prohibitions contained in the COVIDSafe Determination, with some amendments to
address potential gaps in protection. It also provides for Privacy
Commissioner oversight over the collection, use and disclosure of data obtained
through the COVIDSafe app. Item 1 of Schedule 2 repeals the COVIDSafe
Determination—this will occur the day after the Act receives Royal Assent.[17]
Item 2 inserts proposed Part VIIIA into the Privacy
Act, to set out offences and obligations in connection with the COVIDSafe
app and COVID app data. The object of the proposed Part is to ‘assist in
preventing and controlling the entry, emergence, establishment or spread of the
coronavirus known as COVID-19’ in Australia, by ‘providing stronger privacy
protections for COVID app data and COVIDSafe users’, in order to encourage public
acceptance and uptake of the app, and enable faster and more effective contact
tracing.[18]
Provisions to prevail over other laws
Proposed section 94ZD expressly cancels the effect
of any Australian law which would otherwise permit or require conduct, or an
omission to act, that is prohibited under proposed Part VIIIA. There is
an exception for a provision of an Act, where the provision commences later
than the current legislation, and expressly permits or requires the conduct or
omission despite the provisions under this Part.
In response to concerns as to whether Australian police
would be able to access such data by applying for a warrant, the Government has
stated the legislation ‘overrides all other Commonwealth and state and
territory laws that would provide for any form of law enforcement access’.[19]
United States law enforcement access to data
A source of contention has been the potential reach of the
United States Clarifying Lawful Overseas Use of Data Act 2018 (CLOUD
Act), which enables US federal law enforcement agencies to require US-based
organisations to provide data requested under a warrant or subpoena, even where
the data is stored outside the US. Amazon Web Services, as a subsidiary of a US
incorporated entity, falls within the reach of the CLOUD Act.[20]
Law firm Allens explains that under the CLOUD Act:
[a] company can refuse to provide data where doing so would
violate the law of a 'qualifying foreign government'.
Australia is not currently a qualifying foreign government
and will not become one until Australia and the US execute a bilateral
agreement. The [Telecommunications Legislation Amendment (International
Production Orders) Bill 2020] is a precursor and enabler to this. This means
that data held by [Amazon Web Services] could, at least theoretically, be at
risk of access by the US Government until these arrangements are finalised.
While we consider that to be highly unlikely, we do expect further discussion
and Parliamentary scrutiny on this topic.[21]
In evidence given before a hearing of the Senate Select
Committee on COVID-19, the Attorney-General’s Department said that it received
advice from the Australian Government Solicitor on the potential interaction
between COVIDSafe laws and the CLOUD Act, and while it could not ‘give
complete guarantees about foreign laws’, believed it was:
...not conceivable that there would be such access by US
agencies for a series of reasons, including the arrangements the US Department
of Justice has in place and also the provisions of US law which enable US
courts to quash such requests in those circumstances.[22]
Privacy law academics, Dr Katharine Kemp and Professor
Graham Greenleaf, have noted that the issue of whether records held by Amazon
Web Services as part of its COVIDSafe contract could be subject to the CLOUD
Act ‘is not straightforward’, and have recommended the Government make
public any advice received on this issue.[23]
Access to COVID app data
What is COVID app data?
The term COVID app data is defined under proposed
subsection 94D(5) to mean data relating to a person that has been collected
or generated through the operation of the COVIDSafe app, and either is
registration data[24]
or is stored or has been stored on a communication device.[25]
It does not include information that is obtained from a
source other than directly from the COVIDSafe Data Store, in the course of
contact tracing—for example, information obtained through manual tracing
activities. It also does not include de-identified statistical information
about the total number of registrations through COVIDSafe that is produced by
either an officer or employee of the data store administrator, or a contracted
service provider for a government contract with the data store administrator.[26]
Some privacy experts and lawyers have suggested that the
scope of the definition needs to be expanded further, arguing that it is
currently unclear whether the definition of COVID app data
extends to:
- records
which have been uploaded in encrypted form to the COVIDSafe Data Store and then
decrypted or
- data
which has been ‘transformed or derived from that data by state and territory
health officers’, such as where data generated by the app is merged with data
otherwise available to State and Territory health authorities.[27]
When is access to COVID app data permitted?
The Bill specifies the circumstances in which the
collection, use and/or disclosure of COVID app data is permitted. Access to
COVID app data outside of these circumstances will constitute an offence.[28]
The permitted circumstances are substantially the same as provided for under
the COVIDSafe Determination, and cover:
- where
the person is an employee of, or in the service of, a State or Territory health
authority, and the collection, use or disclosure is for the purpose of
undertaking contact tracing
- where the person is an officer or employee of the data store administrator,[29]
or a contracted service provider for a government contract with the data store
administrator, and the collection, use or disclosure is for the purposes of
enabling contact tracing by State or Territory health authorities, or ensuring
the proper functioning, integrity or security of the COVIDSafe app or COVIDSafe
Data Store
- where
collection or disclosure is for the purpose of transferring encrypted data
between mobile devices through COVIDSafe, or from the mobile device to the
COVIDSafe Data Store
- where
the collection, use or disclosure is for the purpose of investigating a
possible contravention of proposed Part VIIIA or prosecuting a person
for an offence against the Part
- where
COVID app data is used by the data store administrator for the purpose of
producing de-identified statistical information about the total number of
registrations through COVIDSafe and
- in
the case of COVID app data that the data store administrator has a statutory
obligation to delete under proposed section 94L, where the use consists
of access by the data store administrator for the purpose of confirming the
correct data is being deleted.[30]
An additional permitted circumstance under the Bill is
where the collection, use or disclosure is for the purpose of the Privacy
Commissioner performing their functions or exercising their powers under, or in
relation to, proposed Part VIIIA. This will assist the Commissioner to
fulfil their oversight functions in relation to the proposed provisions.
In each case, the collection, use and/or disclosure of
data is permitted only to the extent required for the relevant purpose.
Offence provisions
Proposed Division 2 contains the following proposed
offences in connection with COVIDSafe and COVID app data:
- collecting,
using or disclosing COVID app data outside of the circumstances permitted by
the Bill (outlined above)[31]
- retaining COVID app data which has been uploaded to the COVIDSafe Data Store on
a database outside Australia, or disclosing such data to another person outside
Australia (other than for contact tracing purposes)[32]
- uploading,
or causing to be uploaded, COVID app data from a communication device to the
COVIDSafe Data Store without the consent of the COVIDSafe user in relation to
that device (or the consent of their parent, guardian or carer, where the user
is unable to consent or has requested that person act on their behalf)[33]
- decrypting
COVID app data that is stored on a communication device[34]
and
- coercive actions in respect of the COVIDSafe app, including: requiring a person to
download or use the app or upload data from the app, or taking a range of
adverse measures against a person on this basis, including: refusing to enter
into a contract, taking adverse action, refusing entry to public premises,
refusing to allow participation in an activity, refusing the receipt of or
insisting on receiving more monetary consideration for goods or services, or
refusing the provision of or insisting on providing less monetary consideration
for goods or services.[35]
Each offence carries a maximum penalty of five years
imprisonment and/or 300 penalty units ($63,000).[36]
This is the same as the maximum penalty applicable under the Biosecurity Act
for breaches of the COVIDSafe Determination.
Privacy obligations and Commissioner oversight
Proposed Division 3 sets out a range of obligations
relating to the deletion of COVID app data, and ceasing collection of such data
in certain circumstances. These include requirements that the data store
administrator: take all reasonable steps to ensure data is not retained on a
user’s device for more than 21 days;[37]
delete a user’s registration data on request (except for de-identified data);[38]
not collect COVID app data from former users of the app;[39]
and at the end of the COVIDSafe data period, delete all COVID app data from the
COVIDSafe Data Store.[40]
Additionally, any person who receives COVID app data in error is required to,
as soon as practicable, delete the data and notify the data store administrator.[41]
Failure to comply with these obligations will not
constitute a criminal offence, but may constitute an interference with privacy
and be subject to investigation and civil penalties under the Privacy Act.[42]
Privacy Commissioner powers
Proposed section 94S provides that a breach of the
requirements under proposed Part VIIIA, either by the data store
administrator or a State or Territory health authority, is an eligible data
breach for the purposes of the notifiable
data breaches scheme under Part IIIC of the Privacy Act.[43]
Under this scheme, the operation of which is modified by proposed
subsection 94S(3), the data store administrator or relevant health
authority is required to notify the Privacy Commissioner where they have
reasonable grounds to believe they have breached a requirement in relation to
COVID app data.[44]
The Commissioner will determine whether the administrator/health authority is
required to comply with the data breach notification requirements by preparing
a statement about the data breach and notifying affected individuals of (or
otherwise publicising) the contents of this statement.[45]
The Privacy Commissioner also has the power to:
- conduct
an assessment of whether the acts of an entity or a State or Territory
authority in relation to COVID app data, comply with the requirements of proposed
Part VIIIA[46]
and/or
- conduct
an investigation either in response to an individual complaint about an
interference with their privacy,[47]
or on the Commissioner’s own initiative.[48]
Following an investigation, the Commissioner may require
an entity to take specific steps to prevent recurrence of a breach and/or to
redress any loss or damage suffered or pay compensation.[49]
The Commissioner or complainant may commence proceedings in the Federal Court
or Federal Circuit Court for an order to enforce such a determination.[50]
To a large extent these provisions address a concern,
raised by some privacy experts, that the COVIDSafe Determination provides only
criminal enforcement mechanisms and no avenue for civil remedies in respect of
the misuse of COVID app data.[51]
Reporting requirements
The version of the Bill as introduced into Parliament
includes reporting requirements which were not contained in the Exposure Draft.
Proposed section 94ZA provides that the Health
Minister must cause a report to be prepared on the operation and effectiveness
of COVIDSafe and the National COVIDSafe Data Store:
- at
the end of the 6 month period starting with the Act’s commencement and
- at
the end of each subsequent 6 month period (if any) before the end of the
COVIDSafe data period.
The Health Minister must cause copies of any report
prepared to be laid before each House of Parliament within 15 sitting days
after completion of the report.
Proposed section 94ZB requires the Privacy
Commissioner to cause a report to be prepared on the performance of the
Commissioner’s functions, and exercise of the Commissioner’s powers, under or
in relation to proposed Part VIIIA:
- at
the end of the 6 month period starting with the Act’s commencement and
- at
the end of each subsequent 6 month period (if any) before the end of the
COVIDSafe data period.
The report must be published on the Commissioner’s
website.
Strengthening protections and oversight
Recommendations to further strengthen protections in the
Bill have included:
- prescribing
the minimum design specifications of the app and Data Store, rather than
leaving them to be determined from time-to-time—for example, that the app must
operate on a voluntary opt-in basis[52]
- requiring
the Privacy Commissioner to inspect and certify data deletion obligations have
been complied with at the end of the app’s period of operation[53]
and
- the
creation of a COVIDSafe Privacy Advisory Committee, including the various
Privacy Commissioners, to provide collective advice to the National Cabinet and
the public regarding the operation of COVIDSafe.[54]
End of COVIDSafe data period and repeal of provisions
Proposed section 94Y requires the Health Minister
to determine a day to be the end of the COVIDSafe data period, if the Minister
is satisfied that by that day, the use of the app is no longer required to
prevent or control, or no longer likely to be effective in preventing or
controlling, COVID-19 in Australia. Before making this determination, the
Minister must consult with, or consider recommendations from, the Commonwealth
Chief Medical Officer (CMO) or the Australian Health Protection Principal
Committee (AHPPC). Under proposed subsection 94Y(3), the CMO or AHPPC
may also recommend to the Minister that such a determination be made.
At the end of the COVIDSafe data period, the data store
administrator must not collect any COVID app data or make COVIDSafe available
for download. They must also:
- delete all COVID app data from the COVIDSafe Data Store and
- after the deletion:
  - inform the Health Minister and Privacy Commissioner that all COVID app data has been
    deleted and
  - take all reasonable steps to inform current users of the app of this fact, as well
    as that COVID app data can no longer be collected and that users should delete
    the app from their devices.[55]
Items 2 and 3 of Schedule 2 of the Bill
provide for the repeal of all the provisions inserted into the Act by Schedule
1. The repeal will occur at the end of 90 days after the date specified by
the Health Minister as the end of the COVIDSafe data period.[56]
Scope of proximity
Dr Katharine Kemp and Professor Graham Greenleaf have
argued that in not defining or placing restrictions around the concept of
‘proximity’, the Bill allows the collection of more personal data than is
required for contact tracing. They note:
According to the Privacy Impact Assessment of COVIDSafe, the
app collects and – with consent of a user who tests positive – uploads to the
central data store, data about all other users who came within Bluetooth signal
range even for a minute within the preceding 21 days.
While the Department of Health more recently said it would
prevent state and territory health authorities from accessing contacts other
than those that meet the “risk parameters”, the bill includes no data
collection or use restrictions based on the distance or duration of contact.[57]
[1]. S
Morrison (Prime Minister), G Hunt (Minister for Health), S Robert (Minister for
Government Services), B Murphy (Chief Medical Officer), COVIDSafe:
new app to slow the spread of coronavirus, joint media release, 26
April 2020; Department of Health (DOH), ‘COVIDSafe
app’, DOH website.
[2]. DOH,
‘Privacy
policy for COVIDSafe app’, DOH website, last updated 11 May 2020; J Taylor,
‘Covidsafe
app: how to download Australia’s coronavirus contact tracing app, how it works,
what it does and problems’, The Guardian (Australia), 11 May 2020; G
Smith, P O’Sullivan and C Hall, ‘COVIDSafe—what
we now know’, Allens, 27 April 2020.
[3]. Ibid.
[4]. Morrison,
Hunt, Robert and Murphy, COVIDSafe:
new app to slow the spread of coronavirus, op. cit.
[5]. T
Burton, ‘Green
light on virus-tracing data’, The Australian Financial Review, 9 May
2020, p. 4.
[6]. For
example: JJ Kang and P Haskell-Dowland, ‘How
safe is COVIDSafe? What you should know about the app’s issues, and
Bluetooth-related risks’, The Conversation, 7 May 2020; D Watts, ‘COVIDSafe,
Australia's digital contact tracing app: the legal issues’, 3 May 2020; A
Bogle, ‘COVIDSafe's
effectiveness on iPhone in question as Government releases coronavirus contact
tracing app’, ABC News online, 26 April 2020; S Langford, ‘Questions
remain about the effectiveness of Australia’s COVIDSafe contact tracing app’,
The Feed, SBS, updated 8 May 2020.
[7]. S
Meixner, ‘Australia
has COVIDSafe. Here is how other countries are using contact tracing apps in
the fight against coronavirus’, ABC News online, 28 April 2020; C Criddle
and L Kelion, ‘Coronavirus
contact-tracing: World split between two types of app’, BBC News online, 7
May 2020.
[8]. Digital
Transformation Agency (DTA), ‘DTA
publicly releases COVIDSafe application source code’, DTA website, 8 May
2020.
[9]. P
Brewer, ‘Weekend's
easing brings no new cases in the ACT’, The Canberra Times, 11 May
2020, p. 3.
[10]. For
more information about these powers, see: H Maclean and K Elphick, ‘COVID-19
Legislative response—Human Biosecurity Emergency Declaration Explainer’,
FlagPost, Parliamentary Library, Canberra, 19 March 2020 (updated 27 March
2020).
[11]. Biosecurity Act
2015 (Cth), subsections 477(1), (2), (5), (7).
[12]. Ibid.,
section 479.
[13]. P
Wright (President, Law Council of Australia), Tracing
app has been released but privacy concerns still exist, media release,
26 April 2020; G Greenleaf and K Kemp, ‘Australia's
'COVIDSafe App': An experiment in surveillance, trust and law’, Work-in-Progress
Draft, 30 April 2020; Watts, ‘COVIDSafe,
Australia's digital contact tracing app: the legal issues’, op. cit.
[14]. Wright
(President, Law Council of Australia), Tracing
app has been released but privacy concerns still exist, op. cit.
[15]. P
Karp, ‘Government
releases draft legislation for Covidsafe tracing app to allay privacy concerns’,
The Guardian (Australia),
4 May 2020.
[16]. See,
for example: S McGregor, M Fai and M Bennett, ‘Does
the 80:20 rule apply?—Federal Government releases draft COVIDSafe app privacy
legislation’, Gilbert + Tobin Lawyers, 7 May 2020; Kemp and Greenleaf, ‘The
COVIDSafe bill doesn’t go far enough to protect our privacy. Here’s what needs
to change’, op. cit.; P Wright (President, Law Council of Australia), Law
Council President’s statement on the COVIDSafe exposure draft, media
release, 5 May 2020.
[17]. See
the commencement details in clause 2 of the Bill (item 3 in table).
[18]. Proposed
section 94B. The term contact tracing is defined under proposed
subsection 94D(6).
[19]. S
Chidgey (Attorney-General’s Department), Evidence
to Senate Select Committee on COVID-19, Australian Government’s response
to the COVID-19 pandemic, 6 May 2020, pp. 16–17; for discussion of
concerns regarding police access, see Watts, ‘COVIDSafe,
Australia's digital contact tracing app: the legal issues’, op. cit., pp. 9–10.
[20]. Smith,
O’Sullivan, Hall, ‘COVIDSafe—what
we now know’, op. cit.; Watts, ‘COVIDSafe,
Australia's digital contact tracing app: the legal issues’, op. cit., pp.
11–12; D Welch and L Besser, ‘Experts
warn there are still legal ways the US could obtain COVIDSafe data’, ABC
News online, 28 April 2020.
[21]. G
Smith, P O’Sullivan, C Hall, ‘The
COVIDSafe Bill—good progress, but there's more to do’, Allens Lawyers, 6
May 2020; Also see: Parliament of Australia, ‘Telecommunications
Legislation Amendment (International Production Orders) Bill 2020 homepage’,
Australian Parliament website.
[22]. Chidgey,
Evidence
to Senate Select Committee on COVID-19, op. cit., 6 May 2020, p. 9.
[23]. Greenleaf
and Kemp, ‘Australia's
'COVIDSafe App': An experiment in surveillance, trust and law’, op. cit.,
p. 6.
[24]. Item
1 of Schedule 1 inserts a definition of registration data
into subsection 6(1) of the Privacy Act, meaning ‘the information about
the person that was uploaded from a communication device when the person was
registered through COVIDSafe’.
[25]. Item
1 of Schedule 1 inserts a definition of communication device
into subsection 6(1) of the Privacy Act, meaning ‘an item of customer
equipment (within the meaning of the Telecommunications
Act 1997)’. Customer equipment is defined under section
21 of the Telecommunications Act.
[26]. Proposed
paragraphs 94D(5)(c) and (d).
[27]. K
Kemp and G Greenleaf, ‘The
COVIDSafe bill doesn’t go far enough to protect our privacy. Here’s what needs
to change’, The Conversation, 6 May 2020; McGregor, Fai and Bennett,
‘Does
the 80:20 rule apply?—Federal Government releases draft COVIDSafe app privacy
legislation’, op. cit.; Smith, O’Sullivan, Hall, ‘The
COVIDSafe Bill—good progress, but there's more to do’, op. cit.
[28]. Proposed
section 94D.
[29]. Item
1 of Schedule 1 inserts a definition of data store
administrator into subsection 6(1) of the Privacy Act, to mean
the Health Department, other than to the extent provided for under proposed
section 94Z. This allows the Secretary of the Health Department to, by
notifiable instrument, determine another agency to be the data store
administrator for the purposes of one or more particular provisions
under proposed Part VIIIA. However, proposed subsection 94Z(3)
provides that the Secretary must not determine any of the following to be the
data store administrator: an enforcement body (as defined under subsection 6(1)
of the Privacy Act), intelligence agency, the Australian
Geospatial-Intelligence Organisation or the Defence Intelligence Organisation.
[30]. Proposed
subsection 94D(2).
[31]. Proposed
subsection 94D(1).
[32]. Proposed
section 94F.
[33]. Proposed
section 94E.
[34]. Proposed
section 94G.
[35]. Proposed
section 94H. Dr Katharine Kemp and Professor Graham Greenleaf have
suggested amendments to strengthen the coercion offence, including to expressly
capture requiring a person to disclose whether they have the app installed or
in operation, and to provide that the offence extends to any requirement
imposed as a condition of exceptions to ‘stay at home’ orders: Greenleaf and
Kemp, ‘Australia's
'COVIDSafe App': An experiment in surveillance, trust and law’, op. cit.,
pp. 9–10.
[36]. Crimes Act 1914
(Cth), section 4AA specifies that a penalty unit is currently $210.
[37]. Proposed
section 94K.
[38]. Proposed
section 94L. Where it is not practicable to delete the data immediately,
the data store administrator must not use or disclose the data for any purpose.
[39]. Proposed
section 94N.
[40]. Proposed
section 94P.
[41]. Proposed
section 94M.
[42]. Proposed
section 94Q states that COVID app data relating to an individual is taken
to be personal information about the individual. Proposed section 94R
provides that an act or practice in breach of a requirement under the Part in
relation to an individual, constitutes an interference with the privacy of that
individual for the purposes of section 13 of the Privacy Act.
[43]. A
breach by an officer or employee of the data store administrator, or a
contracted service provider for a government contract with the data store
administrator, is taken to be an eligible data breach by the data store
administrator (proposed paragraphs 94S(1)(b) to (d)); a breach by a
person employed by, or in the service of, a State or Territory health
authority, is taken to be an eligible data breach by that authority (proposed
paragraphs 94S(2)(b)–(c)).
[44]. Proposed
sub-paragraph 94S(3)(b)(i). The Australian Information Commissioner is also
the Privacy Commissioner: Office of the Australian Information Commissioner
(OAIC), ‘Our
structure’, OAIC website.
[45]. Privacy
Act, sections 26WK and 26WL; proposed sub-paragraph 94S(3)(b)(ii). Proposed
subsections 94S(4) to (6) provide for circumstances in which the
Commissioner must, and may not, require compliance with the notification
requirements.
[46]. Privacy
Act, section 33C; proposed section 94T.
[47]. Privacy
Act, section 36, subsections 40(1)–(1A).
[48]. Privacy
Act, subsection 40(2).
[49]. Privacy
Act, section 52.
[50]. Privacy
Act, section 55A.
[51]. G
Greenleaf and K Kemp, ‘Australia's
'COVIDSafe App': An experiment in surveillance, trust and law’, op. cit.,
pp. 13–14. Note that under proposed section 94U, the
Commissioner must cease an investigation if the matter becomes subject to a
criminal investigation by the Commissioner of Police or Director of Public
Prosecutions.
[52]. Wright,
Law
Council President’s statement on the COVIDSafe exposure draft, op. cit.
[53]. Wright,
Law
Council President’s statement on the COVIDSafe exposure draft, op. cit.
[54]. Greenleaf
and Kemp, ‘Australia's
'COVIDSafe App': An experiment in surveillance, trust and law’, op. cit.,
p. 15.
[55]. Proposed
section 94P.
[56]. See
the commencement details in clause 2 of the Bill (item 4 in table).
[57]. Kemp
and Greenleaf, ‘The
COVIDSafe bill doesn’t go far enough to protect our privacy. Here’s what needs
to change’, op. cit. Also see Watts, ‘COVIDSafe,
Australia's digital contact tracing app: the legal issues’, op. cit., p.
12; Greenleaf and Kemp, ‘Australia's
'COVIDSafe App': An experiment in surveillance, trust and law’, op. cit.,
p. 8.