The Opposition and privacy and civil liberties experts have welcomed the release of draft legislation enshrining privacy safeguards and protections around the COVID-19 contact tracing app, but there is room for improvements, with several “deficiencies” identified.
Attorney-General Christian Porter released the draft legislation on Monday night, just two days before it is scrutinised by the Senate committee investigating the government’s response to COVID-19 and a week before it is introduced to Parliament.
The Privacy Amendment (Public Health Contact Information) Bill 2020 is largely a copy of the current Biosecurity Act determination governing the COVIDSafe app, putting in law a criminal offense to use the contact data for anything other than contact tracing by state and territory authorities.
It also makes it illegal for any of the contact data to be sent offshore, for a business or venue to coerce anyone to download and use the app, and for anyone to decrypt data associated with the app.
These offences come with a potential jail sentence of five years and a fine of $63,000.
The legislation also builds on the determination, handing an oversight role to the Australian Information Commissioner and making any misuse of the data an “interference with privacy”, meaning individuals can make a civil complaint without needing to go to the police.
The Opposition is reviewing the legislation and consulting on it after receiving it when it was made public on Monday night. It’s understood that Labor will support the legislation’s passage through Parliament but will use Wednesday’s senate hearing to probe a number of issues.
“Labor believes this app could be a critical tool in the COVID-19 exit strategy, but it’s important we get it right. We have consistently supported the concept of the tracing app and would like to see legislation on the app implemented as soon as possible to protect privacy and safety,” shadow health minister Chris Bowen said.
“We will continue to consult with the government until the privacy legislation of the app is introduced to ensure any concerns are addressed. Tomorrow’s hearing will provide opportunity for any concerns to be answered by the relevant departments.”
This will include asking for further information around the role of the Office of the Australian Information Commissioner and whether that agency is adequately funded to do so.
Labor senators are also likely to question how the government plans to ensure that state and territory authorities are also properly handling the data, and the powers given to the secretary of health to delegate responsibilities, as included in the draft legislation.
Law Council of Australia president Pauline Wright said the legislation provides “greater clarity and certainty” and addressed a major concern by handing oversight power to the OAIC.
But there is still room for improvement, Ms Wright said. The Law Council has recommended that the OAIC be tasked with certifying that the app data has been deleted properly when it should be, periodic reporting to be tabled in Parliament and a streamlined arrangement to manage interactions between the OAIC and law enforcement agencies if there has been a potential breach of the laws.
UNSW Professor of Law and Information Systems Graham Greenleaf and UNSW Law senior lecturer Dr Katharine Kemp said the legislation includes some “significant improvements” on the current determination but that there remains a number of important deficiencies.
The legislation would make it a criminal offence to coerce anyone to download and use the app, such as a venue requiring patrons to have the app to gain entry, or an employer forcing an employee to use it.
But the UNSW experts said there are still loopholes in these rules, especially around recent proposals to make government payments, tax breaks or financial rewards conditional on the downloading and use of the app.
“In light of these proposals, the bill should make clear that no discount, payment or other financial incentives may be contingent on a person downloading or using the app. Nor should individuals be asked to show that their mobile has the app loaded, in order to avoid discriminatory treatment,” Dr Kemp and Professor Greenleaf said.
“The app is claimed to be voluntary, and this must be enforceable. Coercion must not be used to circumvent the need for trustworthiness.”
A “critical deficiency” in the legislation is that it does not restrict the amount of data collected or sent to the national database, they said. Despite public statements about the app, it will be recording Bluetooth contact with all users, not just those within 1.5 metres for 15 minutes.
“According to the bill, the state and territory health authorities may include in their contact tracing activities any user who was within ‘the proximity’ of the infected user within the previous 21 days. It contains no limit on the distance or duration of that ‘proximity’,” Dr Kemp and Professor Greenleaf said.
Opening up the data scheme to civil penalties and the strengthening of consent requirements around uploading data to the national store if a user is diagnosed with COVID-19 were also welcomed by the UNSW experts.
The legislation also states the data store administrator must “take all reasonable steps” to ensure data is not stored on devices for more than the allotted 21 days.
The decision of when to stop the use of the app will be made by Health Minister Greg Hunt.
This will be made when the app is no longer required to prevent or control the spread of COVID-19 or when it is no longer effective. Then, “as soon as reasonably practicable after the end day”, all data in the store must be deleted, and users will be told to delete the app.
Data held in the national data store and by state and territory authorities will also be subject to the mandatory data breach notification scheme.