Legislation enshrining privacy protections around the COVID-19 contact tracing app into law is set to be passed by the Senate on Thursday with bipartisan support after government agreed on a number of changes with Labor.
Attorney-General Christian Porter introduced the Privacy Amendment (Public Health Contact Information) Bill 2020 to the House of Representatives on Tuesday afternoon. The legislation replaces the Biosecurity Act determination which is currently governing the COVIDSafe app, and introduces a number of new requirements and rules.
The bill was passed by the lower house unamended on Tuesday evening and was debated in the Senate on Wednesday evening. It is now law and has replaced the determination currently governing the COVIDSafe app.
The bill introduces criminal and civil penalties for the unauthorised collection, use or disclosure of app data, the uploading of data to the national store without consent, the storing of any data outside of Australia or the decrypting of any of the stored data.
The Opposition has been working with the Coalition since the draft legislation was released last week, with both parties agreeing to a number of changes to the bill, paving the way for its quick passage through Parliament this week.
But a number of proposals put forward by Labor, including for extra funding for the privacy office to conduct its oversight role, were rejected by the Coalition. The Opposition also called on the government to explain why AWS was awarded the contract for cloud storage of the app’s data, and to address some security issues put forward by experts in the community.
Shadow Attorney-General Mark Dreyfus confirmed that Labor would be supporting the legislation in both houses.
“One of the reasons I support the passage of this bill is the very positive engagement I have had with the Attorney-General over the last week. Following the release of the draft legislation, I approached the Attorney-General with a number of suggestions for improving the bill and boosting confidence,” Mr Dreyfus said.
“To his credit he considered in good faith all of the concerns raised and sought to address most of them in the version of the bill now before the House.”
These changes from the draft legislation include greater clarity around what data is protected by the privacy safeguards, greater oversight from the Office of the Australian Information Commissioner (OAIC), the ability for the OAIC to continue an investigation even if there is a concurrent criminal investigation and new public reporting requirements.
Under the new legislation, both the Attorney-General and the OAIC will have to report every six months on the operation and effectiveness of COVIDSafe. The changes also prevent the Department of Health from delegating any of its administrator functions over the national data store to an enforcement or intelligence agency.
“This is now a stronger and better piece of legislation as a result of the constructive engagement between Labor and the government. And this is not the case of set and forget. We will be keeping an eye on how the measures are being implemented to ensure they are effective and working as intended,” Mr Dreyfus said.
Mr Porter confirmed that once the legislation is passed, the Department will move to delegate some of its role to the Digital Transformation Agency.
But Mr Dreyfus said that some of Labor’s recommendations on the draft legislation were not adopted by the government.
“Each is important but must be kept in perspective, particularly when it comes to the issue of privacy. This bill will introduce the strongest privacy safeguards ever put in place by any Australian parliament. That is despite the fact the COVIDSafe app is voluntary and the data it collects is relatively innocuous. This bill takes privacy seriously,” he said.
These recommendations included extra funding for the OAIC to conduct its oversight role on the COVIDSafe app, and the appointment of a standalone privacy commissioner.
Mr Dreyfus said the government’s claims that the office did not need any additional resources to take on this work were “not credible”.
“There’s no question in my mind that additional funding is required, the only question is how much,” Mr Dreyfus said.
“The appointment of a full-time and properly resourced Privacy Commissioner, rather than a commissioner forced to split her time between three different and demanding roles, would make a further valuable contribution to building public confidence in the COVIDSafe app.”
Labor did attempt to move an amendment in the lower house, stating that the Opposition would not be blocking the bill but calling on the government to provide more funding for the OAIC, address security and technical concerns about the app raised by experts, explain the decision to award the cloud contract to AWS over a local company and make more of an effort to make the app more accessible in different languages and for people with a disability.
A number of Labor MPs and Senators spoke in Parliament, offering broad support of the legislation but criticising various aspects of how the government has handled the app and its national roll-out.
These critics included a lack of transparency over how the app performs on iPhones, the use of AWS to handle cloud storage, its poor track record on tech projects and accessibility issues.
The legislation will not be referred to the relevant committee for review, and Mr Dreyfus admitted this would mean it would not receive the same scrutiny as other bills.
Instead, the senate committee tasked with overseeing the government’s response to COVID-19 will be overseeing the COVIDSafe app and accompanying legislation, with the first public hearing on the topic held last week.
Speaking in Parliament during Question Time, Prime Minister Scott Morrison said the government “has no real target” for the percentage of the population having downloaded COVIDSafe, marking a major back-down from previous statements by him and Health Minister Greg Hunt that 40 per cent of the population was the figure needed for the app to be effective.
In the Senate the government also confirmed that uptake of the app is not linked at all with the easing of social restrictions around the country. This is despite Mr Morrison previously labelling it the “ticket” to getting out of these restrictions.