House debates

Wednesday, 15 May 2024

Bills

Digital ID Bill 2024; Second Reading

9:03 am

Stephen Jones (Whitlam, Australian Labor Party, Assistant Treasurer)

I present the revised explanatory memorandum to the Digital ID Bill 2024, and I move:

That this bill be now read a second time.

The Digital ID Bill will put in place the legislative framework to create an economy-wide digital ID system for Australia. Digital ID is a secure, convenient, voluntary and inclusive way to verify who you are online against existing government held identity documents without having to hand over any physical information.

Digital ID is not a card. It's not a unique number, nor a new form of ID.

Data breaches, such as Optus, Medibank and others, impacting millions of Australians show the need to protect people and their identities. This bill will help to address the challenge.

The digital IDs enabled by this bill will avoid the need for Australians to repeatedly share their ID documents, and reduce the need for government or business to retain documents that could then be at risk.

This bill does four things to ensure that Australians are in control of their digital IDs and that their digital IDs are safeguarded:

          The voluntary accreditation scheme

          The voluntary accreditation scheme in the bill will enable more digital ID providers to demonstrate that they meet strong privacy protections, security safeguards, and accessibility requirements.

          The bill will replace an existing unlegislated policy framework for accreditation—the Trusted Digital Identity Framework—with a legislated accreditation scheme for public and private sector digital ID providers.

          The bill will ensure that only trustworthy and reliable private and public sector entities are accredited to provide digital ID services to Australians. Accreditation rules made under the bill will set out a range of requirements for each type of service an entity can be accredited for by the Digital ID Regulator.

          The bill will ensure that there are real consequences for accredited providers if they do not meet the high standards of their accreditation. The powers of the regulator in the bill to suspend, revoke or cancel accreditations and to seek civil penalties will ensure the accreditation rules and the safeguards and privacy protections in the bill are adhered to.

          The bill will provide for a trust mark for accredited providers to build consumer trust and awareness of digital IDs, imposing civil penalties on entities who falsely promote their services as meeting the strict requirements of accreditation.

          The accreditation scheme will give Australians who choose to create, use or reuse a digital ID issued by an accredited provider greater confidence that their personal information is being protected.

          The Australian Government Digital ID System

          The existing, unlegislated Australian Government Digital ID System is well established with more than 12 million myGovIDs which can be used to access more than 140 government services.

          However, the current system has limitations. It's not national—myGovID can only be used to access government services, and private sector services can't currently use myGovID to verify their customers. This falls short of the vision for a national, economy-wide system. The Digital ID Bill provides a legislative basis for broader use of digital IDs via a phased expansion of the Australian Government Digital ID System.

          Initially, it's expected that states and territories will be able to apply to participate in the Australian Government Digital ID System as users or providers of accredited digital ID services. Then, within two years, all state, territory and private sector entities will be able to apply to the Digital ID Regulator to participate within the Australian Government Digital ID System as providers or users of accredited digital ID services, or both.

          Consistent with the phased approach to expansion, the bill provides for the Digital ID Regulator to manage arrangements for other matters, including statutory contracts between participants, liability and charging for providers and connected services, in the future. Rules to be made within 12 months of the act commencing must set out redress mechanisms to support individuals in the event of a digital ID fraud or cybersecurity incident within the Australian Government Digital ID System.

          Importantly, the Australian Government Digital ID System is based on the principle that people can choose which digital ID provider they use to access any website, app or other service that is connected to the system. In the legislation this is called the interoperability obligation.

          The minister will however have discretion to exempt some government services from this obligation and only allow a single digital ID provider, such as myGovID. Exemptions will only be granted in limited circumstances, such as for government services where there is potential for identity fraud to have a significant impact on the financial circumstances of individuals or businesses in Australia.

          For example, services within Australia's tax and transfer system, which currently enable about $154 billion per year in tax refunds, and our social security system, which supports about $220 billion in payments per year, present prominent fraud targets where it is critical to carefully manage risk.

          Additional privacy and consumer safeguards

          Privacy protections in the bill are designed to ensure that digital IDs meet community expectations.

          The bill contains a comprehensive range of privacy protections applying to the accreditation scheme that will operate in addition to existing protections in the Commonwealth's Privacy Act. If the Commonwealth Privacy Act does not apply, including providers that are small business operators, the bill will ensure that accredited providers are subject to equivalent privacy protections.

          The bill includes measures that will protect Australians' sensitive information, such as their passports, birth certificates, drivers licences, Medicare cards and biometric information that they may use to verify their identity by:

                The bill addresses the risk of commercialisation and misuse of digital IDs in the economy by:

                    The bill contains safeguards over law enforcement access to digital ID information held by accredited entities. Access to this information at the request of law enforcement is only permitted in very limited circumstances—where there is a warrant, where court proceedings have begun, or where a person consents to their digital ID information being disclosed to verify their identity or investigate or prosecute an offence. In addition, information on requests to access digital ID information made by law enforcement agencies and enforcement bodies will be reported to parliament on an annual basis.

                    The bill includes measures to ensure the Digital ID Regulator will be notified of any data breaches of accredited providers under Commonwealth, state or territory data breach schemes to facilitate quick mitigation of the risk, or remediation of the breach. If there is no state based scheme, the Digital ID Bill requires the entity to report breaches under the Commonwealth scheme.

                    To ensure these protections are meaningfully regulated and enforced, the bill will give the Information Commissioner a full suite of investigative and compliance powers. If an accredited entity breaches any of the privacy protections, they can be liable for a civil penalty.

                    Those less able, or willing, to get a digital ID will not be left behind.

                    An essential safeguard in the bill is that digital ID will continue to be voluntary for individuals accessing government services through the Australian Government Digital ID System. The bill will require Australian government agencies to continue to provide alternate channels for people to access services. I will repeat that: the bill will require Australian government agencies to continue to provide alternate channels for people to access services. There is an ongoing obligation that such alternative channels must be reasonably accessible and do not result in a substantially less favourable service for Australians.

                    To ensure that digital IDs are inclusive by design, providers of digital ID services must take reasonable steps to ensure the services are accessible, including to individuals who may experience barriers to creating or using a digital ID. Consultation with groups that represent individuals experiencing barriers to creating or using a digital ID must be undertaken before rules are made about digital IDs.

                    Accredited providers of digital ID services must comply with usability and accessibility guidelines. Furthermore, any testing of biometric information must manage the risk of biometric matching disadvantaging or discriminating against any group.

                    Where an individual is accessing Australian government services on behalf of a business (or in another professional capacity) a digital ID may be required because digital IDs help address the increased fraud risk associated with some business services.

                    The regulator will monitor and regulate the compliance of entities participating in the Australian Government Digital ID System and may impose civil penalties for any breaches.

                    These safeguards will help ensure people who choose to create and reuse digital IDs can be confident that their information is safe and secure, and that their privacy will be protected.

                    Strengthened governance arrangements

                    The bill will establish the Australian Competition and Consumer Commission as an independent digital ID regulator with responsibility for overseeing the accreditation scheme and the Australian Government Digital ID System.

                    The bill will also provide for the system administrator to perform day-to-day operational matters to ensure the performance and integrity of the Australian Government Digital ID System. Finally, the bill establishes a Data Standards Chair, to consult with industry and issue data standards.

                    The bill will make sure the regulatory watchdog has the teeth to enforce the safeguards with a broad suite of monitoring, compliance and enforcement powers, including civil penalty provisions, enforceable undertakings, and injunctions.

                    The Office of the Australian Information Commissioner will advise on and enforce privacy protections, provide complaint handling for breaches of the privacy safeguards, report on privacy aspects of, and the exercise of its powers and functions as well as regulate data retention, under the legislation.

                    Further transparency will be provided through public registers for accredited entities—including whether they have ever had their accreditation revoked or suspended—and services within the Australian Government Digital ID System.

                    The regulator will be required to report annually to the minister, for presentation to parliament, on applications and approvals for accreditation or participation, and fraud or cyber security incidents and responses. Further, a statutory review of the bill will be required within two years of commencement. The scope of the review would include any supporting rules and standards made after commencement of the bill.

                    Conclusion

                    In conclusion, there have been several stages of consultation over a number of years, including an inquiry by the Senate Economics Legislation Committee, eliciting feedback from all areas of the community to ensure the bill reflects community expectations.

                    I would like to thank the active and ongoing engagement by industry, consumer and privacy groups—as well as the contribution made by the Senate in making amendments to the bill—to the development of this important legislation.

                    The bill will provide Australians with the choice to use a secure, inclusive, convenient and voluntary way to verify themselves when interacting with government and businesses online. Digital ID will allow Australians to harness the advances of new technology and its benefits across the economy, if they so choose.

                    9:20 am

                    Paul Fletcher (Bradfield, Liberal Party, Shadow Minister for Government Services and the Digital Economy)

                    I rise to speak on the Digital ID Bill 2024. Digital identity has the potential to deliver significant productivity, efficiency and safety benefits across the Australian economy. But that potential will only be realised if the Australian people trust the digital identity system and the legislative safeguards and guarantees which form part of the system. Unfortunately, this issue has been very poorly handled by the Albanese Labor government, with the result that instead of trust being increased it has been eroded. For example, many Australians would be extremely suspicious of the way the government rammed this bill through the Senate using a guillotine motion, meaning there was no second reading debate or Committee of the Whole process in that chamber.

                    The coalition believes that digital identity holds real promise for Australia, but it has to be done right. Labor has made multiple grave misjudgements in its approach to digital identity and to this bill, and it is for this reason that the coalition opposed Labor's legislation in the Senate and we will oppose it in the House. In my remarks on this bill today, I want to speak first about the coalition's careful and methodical work on digital identity when in government, thus establishing a strong platform which Labor could have used to progress this issue. Next, I want to speak about the serious flaws in Labor's design of this legislation, and, finally, I want to speak about the work we did in good faith to seek to address these flaws—work which, regrettably, the government completely failed to engage with.

                    I want to start by reminding the House that the reason Australia has a digital identity system today with over 11 million Australians using it under the name myGovID is because of detailed work done under the previous coalition government. The coalition established the Australian Government Digital ID System (AGDIS) in the wake of the Murray inquiry commissioned by the Abbott government. The inquiry recommended in 2014 that the Commonwealth:

                    … develop a national strategy for a federated-style model of trusted digital identities.

                    During our time in government the coalition delivered on that recommendation. We established the Trusted Digital Identity Framework. We created myGovID and drove a steady take-up of this digital identity product by more and more Australians. We invested over $600 million in developing myGovID and the Trusted Digital Identity Framework. We made sure the framework allowed for private sector participants, and we secured private sector entities to become participants. The first private sector identity exchange to join the Australian Government Digital ID System was ConnectID, which is backed by Australia's major banks.

                    Importantly, we recognised that there needed to be a comprehensive legal and regulatory framework within which the Australian Government Digital ID System could work, particularly given the continuing and, indeed, expanded role we saw for private sector participants. We sought to allow governments and the private sector to participate in a legislated Australian government digital identity system from the outset—there was to be no phasing. We saw a simultaneous public-private design solution as key to realising a truly national whole-of-economy solution. We envisaged the system being overseen by an independent statutory officer, the oversight authority, to protect those Australians who wanted to use digital identity. We also sought to establish in law bespoke, best-practice privacy and security protections, including restrictions on the collection of biometric information and on the retention of attributes including single identifiers. We developed such a framework and set it out in the exposure draft of the Trusted Digital Identity Bill, which we released in late 2021. Unfortunately, the bills before the House are very different to the exposure draft we released in late 2021.

                    Later in my remarks, I will speak about the serious errors Labor has made. But let me now turn to why the coalition considered that a digital identity system offered promise to deliver benefits to Australians and why, therefore, we did all of the careful work we did on this issue when in government. Done right, the widespread use of digital identity can deliver many benefits. This was a key finding of the 2019 McKinsey Global Institute paper Digital identification: a key to inclusive growth. McKinsey found that extending full digital ID coverage could unlock economic value equivalent to three to 13 per cent of GDP in 2030. It could reduce institutional customer onboarding costs and payroll fraud, saving up to US$1.6 trillion globally, and it could save approximately 100 billion hours through streamlined e-government services.

                    Many of these benefits come through the saving of time and effort in the multiple interactions which are required today when you need to prove your identity, whether that's to a government agency, a business or another human being. Think of how much time is required to take and send photocopies of identity documents such as passports and drivers licences or to find a Justice of the Peace or somebody else who is qualified to give you a certified copy of such documents or to go physically to a bank branch or a lawyer's office or any one of the many other places where today you are frequently required to present yourself to demonstrate your identity.

                    One country which has very successfully introduced digital identity and obtained material economic productivity benefits as a result is India. Aadhaar, the modern Hindi word for foundation, is used to describe the digital identity which all Indian citizens and residents can now have. Over 1.3 billion Indians hold a digital identity, which has made it much quicker and easier to open bank accounts, to transfer money from one person to another and to receive government benefits. Today, if you are a bank customer in India, you can satisfy a bank's know-your-customer requirement in seconds with your Aadhaar. In Australia, by contrast, this is a long, cumbersome and painful process requiring certified copies of identity documents. It is a truly dreadful customer experience, and I resist the temptation to name the bank that I use where the customer experience has been absolutely appalling.

                    India also demonstrates the way that many private sector businesses have innovated and grown by using the national digital identity platform. For example, India's third mobile phone network Reliance Mobile launched its Jio mobile service in September 2016. It used a completely digital customer onboarding process, taking advantage of Aadhaar and achieving 160 million new customers by December 2017. It is all too typical that the Albanese Labor government has failed to grasp and to champion the way that a fully realised whole-of-economy digital identity system can boost productivity and innovation in the private sector. Its rhetoric about digital identity has been almost entirely about what it means for government and the public sector even though our national prosperity and economic growth depends overwhelmingly on the private sector, not the public sector.

                    I want to mention one other critical public policy benefit which a well-realised digital identity system can bring by protecting Australians from having to hand over voluminous amounts of private information to companies and government agencies and in turn being vulnerable to having that information stolen when those companies or agencies are hacked. The evidence is clear about how much damage cybercrime does to Australians. According to the ASD cyber threat report 2022-23 the average cost of reported cybercrime was up 14 per cent in 2023. ASD found that it costs small businesses an average of $46,000 in total losses per reported cybercrime. A key reason that recent data hacks such as those in Clubs New South Wales, Optus, Medibank Private and Latitude Financial are so prevalent and so damaging is that these companies and organisations hold lots of data on their customers. This data includes copies of original documents like passports and drivers licences. Digital ID avoids this through a data minimisation process. It reduces the information a company holds about its customers. The company receives only that information which is strictly necessary for the transaction to take place.

                    The key principle of digital ID is that there is a federated architecture; there is not one system which retains all the information and, in turn, becomes a honey pot to cyber criminals. The disparate system of identity providers, exchangers, relying parties and users has an added protection—the double-blind approach. Imagine if I'm about to sign a lease and I have to prove my identity to the real estate agent. I can use the ConnectID system established by the banks. I go to ConnectID and I authorise identity information held about me by my bank to be released to the real estate agent. Critically, because of the double-blind approach, my bank does not know where my data is going to and the real estate agent does not know where it has come from.

                    Another critical benefit is that only as much information is released as is necessary. For example, to get into a pub or a nightclub today, I'm advised, you need to prove that you're over 18. Typically, you do this by showing your driver's licence. But the pub or club does not need to know your name or address, or even your age, only the fact that you're over 18. With a digital identity system, evidence of this fact is provided in the form of a digital certificate or token sent to the pub or club from your digital identity provider. The digital certificate does not disclose your address or your actual age or anything about you, only the fact that you are over 18. This system is much safer and does a much better job of safeguarding your privacy than today's approach.

                    Having discussed the progress the coalition made on digital identity and some of the policy reasons for doing so, let me now turn to how things went badly off the rails once Labor got into government, leading to the grave flaws in the legislation before the House today. The first big problem is that there has been no political leadership exercised in developing these bills or in making the public case for digital identity. The Minister for Finance has not bothered to explain the purpose or operation of these bills in any systematic or persuasive way. And, of course, in any rationally organised government the Minister for Government Services would have had responsibility for digital ID and carriage of this legislation. That minister should have been making the case to Australians for the last two years about the way that digital identity could enhance the level of service they receive from government. Sadly, this portfolio is held by the member for Maribyrnong, who has very little interest in or understanding of how to deliver good customer service and the role of digital tools in doing just that, and he has been missing in action in the policy debate on this issue. This lack of political leadership is reflected very clearly in the bills and in the many weaknesses in them.

                    The governance structure set out in this bill is highly fragmented. The bill establishes a system administrator, which will be in the social services portfolio but would report to the Minister for Finance. The to-be-established data standards chair is in the finance portfolio. The regulator sits within Treasury. The Information Commissioner sits within the Attorney-General's Department. And the many other auxiliary agencies with responsibilities in the Australian Government Digital Identity System, such as ASIO, sit within Home Affairs. No board in the private sector would sign off on such an incoherent and unsustainable structure. There has been no serious effort by the Minister for Finance to explain how this mishmash will work, very likely because no plausible or credible explanation can be given.

                    The opposition's concerns are shared by industry. Submissions from both the Australian Banking Association and Australian Payments Plus argue that the proposed governance arrangements are too complex with too many entities spread across too many portfolios. The effect of Labor's confused governance structures will be to dampen citizens' trust and confidence in the Australian government digital ID system. Basic private sector sales and marketing principles tell us that, if consumers do not trust a service, they are far less likely to use it. In turn, if the number of Australians who use digital identity is suppressed because of this lack of trust, we will not get the network effect, which has been seen, for example, in India, where digital identity is widely used. In turn, that encourages the growth of new government and private sector services which use digital identity, and this then reinforces the value and benefit to citizens of having and using a digital identity. For this virtuous cycle to develop, there must be a high take-up of digital identity, and unfortunately Labor's mishandling of these bills makes a high take-up considerably less likely.

                    The Australian public will only embrace the Australian Government Digital ID System if they can be confident that these bills provide them with adequate safeguards to protect their privacy. Unfortunately, this bill does not do that. The Digital ID Bill 2024 partly relies on provisions contained within the Privacy Act. It was reckless of this government to introduce this Digital ID Bill and its accompanying bill without first reforming the Privacy Act. The government has had since February 2023, when the Attorney-General's Department released the review of the Privacy Act, to progress the legislative response to that review. Instead, the Albanese government has dithered and delayed, as many observers have pointed out. In its submission to the Senate's inquiry into this bill, the University of Technology Sydney's Human Technology Institute said:

                    … it is essential that Privacy Act reforms be passed as soon as possible to prevent further fragmentation, inconsistencies, gaps in protections, and unnecessary compliance burdens.

                    There is a very real potential for competing or contradictory sets of arrangements to be established between this Digital ID Bill and the Privacy Act. Indeed, such a circumstance is contemplated within the bill's accompanying statement of compatibility with human rights, which states:

                    If the definition of personal information changes in the Privacy Act, consequential legislative amendments will be introduced to ensure the Bill remains consistent with any amended definition and additional requirements in the Privacy Act.

                    Moreover, the explanatory memorandum notes the following:

                    It is intended that the definition of 'personal information' (and other relevant terms) in the Bill will be reviewed against changes to that term in the Privacy Act …

                    The possibility for misalignment on such fundamental protections as the definition of 'personal information' is very serious.

                    Multiple stakeholders gave evidence to the Senate's inquiry into this bill that they too are concerned about the absence of reforms to the Privacy Act. For example, Woolworths submitted:

                    We also seek clarity whether a new definition of 'personal information' as is being considered as part of the Privacy Act reforms will capture tokens provided through Digital ID processes.

                    The Business Council of Australia argued in its submission:

                    The review of all legal provisions requiring retention of personal information (as agreed-in-principle in the Privacy Act Review) be undertaken as a matter of urgency …

                    Let me turn to one of the central weaknesses of these bills: that they seek to delay and minimise the role of the private sector. The coalition believes that there should be simultaneous public and private sector participation in the Australian Government Digital ID System from the outset. The first version of these bills proposed a so-called phased approach, which would have delayed indefinitely any meaningful role for private sector participants. The opposition moved amendments in the Senate to remove these phasing provisions. The government did not accept our amendments, but it agreed to other amendments, which now means that private sector participation will commence after the legislated Australian Government Digital ID System has been in operation for two years. While this is an improvement, there remains considerable uncertainty about how the government intends to work with the states and territories. Notwithstanding the two-year provision, the bill retains the original phasing-in clauses, which would mean that private sector expansion in the Australian Government Digital Identity System only occurs in phase 3, but, to get to phase 3, certain requirements must be met in phase 2. What are these requirements? The government requires that a state or territory government must integrate its own digital ID within the Australian Government Digital Identity System.

                    Each state and territory has approached establishing its own native digital ID in a different way. For example, Western Australia uses the Commonwealth government's myGovID. The Northern Territory does not. Currently, Queensland is the only jurisdiction to have a fully operational digital ID system. Other states are still preparing theirs. This includes New South Wales's, which remains in closed public beta. In February it was reported by the Australian Financial Review that the Minister for Finance intended to obtain from the states and territories agreement to a roadmap for expansion of the Australian Government Digital Identity System and she was to do this at the data and digital ministers meeting, which took place on 23 February 2024. But what happened at that meeting fell a long way short of what the minister was promising. At that meeting, it was agreed only that ministers would 'work together towards a national digital identity and verifiable credential strategy to inform an update of the national digital ID service transformation road map'. From this statement it is clear the states and territories did not sign up to the finance minister's so-called national digital identity and verifiable credential strategy, merely stating that they would work together toward such a strategy.

                    When will the states and territories sign up to this so-called national strategy? The government hasn't said, and there is no mention of the so-called national strategy in the bill or the explanatory memorandum. If the states and territories are unable to sign up to so much as a national strategy, what confidence can this parliament and the Australian people have in this government's ability to manage the Australian Government Digital Identity System?

                    A real issue with the legislated two-year requirement before the private sector can participate in the Australian Government Digital Identity System is that separate private sector digital-identity providers are already gaining traction and delivering results. Australian Payments Plus's ConnectID system, which achieved accreditation under the coalition government, is already operational, with two of the big four banks participating and the others expected to join shortly. There is a risk that, within two years, many will be using ConnectID or another provider for their digital identity, rendering the digital identity landscape fragmented and the Australian Government Digital Identity System a poorer cousin of private sector solutions.

                    These flaws in the bill which I have mentioned were raised by many stakeholders, including through the Senate inquiry process. In the Senate the government had an opportunity to address the concerns raised by stakeholders. The coalition's sensible amendments, which were developed in close consultation with industry stakeholders, would have enhanced the privacy protections in the bill. Our amendments sought to establish a stronger guarantee that having a digital identity would be voluntary. Under our amendments it would have been clear that no Australian would be required to have a digital identity. It would have been clear that no Australian would face a lower quality of service should they wish to use traditional, paper based identity documents. In addition, we moved an amendment which sought to impose a clear requirement that changes to the Privacy Act must be made before these laws come into force. We sought to work in good faith with the government on these amendments, but, regrettably, the government chose not to support them. Accordingly, this House has been left in a very unsatisfactory position because of how the government has proceeded with this bill.

                    I conclude by reiterating that the coalition believes that digital identity has the potential to deliver significant productivity, efficiency and safety benefits across the Australian economy, but this bill before the House today is deeply flawed. The government has failed to engage with the opposition in our good-faith efforts to resolve those flaws by proposing amendments. For this reason, the coalition will not be supporting this bill.

                    Debate adjourned.