‘Troubling’: Face matching law built on outdated privacy framework


Justin Hendry
Administrator

The Albanese government settled on an outdated privacy framework for long-overdue laws to govern its document and face matching systems, despite acknowledging the protections are inadequate.

That’s according to the Human Rights Commissioner, as well as other legal and digital rights groups, who have called for strong privacy protections to be built into the Identity Verification Services (IVS) Bill, as has been done for the forthcoming Digital Identity Bill.

The IVS Bill was introduced to Parliament last month to fill a legal vacuum ahead of the expansion of the government’s digital ID scheme, which will rely on the services, such as the one-to-one face matching system, known as the Face Verification Service.

The bill replaces an earlier bill that was thrown out by the Parliamentary Joint Committee on Intelligence and Security in 2019 over privacy and transparency concerns, which the Albanese government sought to address by banning authorities from using the systems.


But while the changes have been welcomed, the new bill remains dependent on the Privacy Act, which Attorney-General Mark Dreyfus has previously acknowledged has “not kept pace with the changes in the digital world”.

In September, just two weeks after the IVS Bill was introduced, the government released its response to the Privacy Act Review, agreeing or agreeing in principle to most of the 116 recommendations. It has provided no indication of when this might occur.

Australian Human Rights Commissioner Lorraine Finlay said proceeding with the IVS Bill before modernising the Privacy Act was concerning and called for the changes to be completed before the bill is enacted.

“The privacy protections built into the Verification Services Bills are currently incomplete and not appropriate to safeguard privacy against verification technologies,” she said in a submission to the parliamentary inquiry into the IVS Bill.

The Human Technology Institute, which sits within the University of Technology Sydney, described the government’s decision to base the IVS Bill on the outdated Privacy Act as “troubling” when it is widely known to be inadequate.

The think tank said amending the Privacy Act prior to the passage of the IVS Bill would be the “most logical” way forward, but that the government could include the additional privacy protections afforded to the Digital ID Bill.

The Law Council of Australia also made this recommendation, arguing that the Digital ID Bill, which was released as an exposure draft last month, had a “specific division that sets out several additional privacy safeguards that go beyond those in the Privacy Act”.

“The inclusion of these safeguards in the draft Digital ID Bill indicates that compliance with the Privacy Act in its current form is not regarded as providing adequate protections for the collection and handling of biometric data,” the Law Council said.

Digital Rights Watch also said the Digital ID Bill proposes “markedly more robust privacy protections” and recommended the government, as a “bare minimum”, amend the IVS Bill to make the two consistent.

“These systems are inextricably linked, and will inevitably end up complementing (or contradicting) each other. Inconsistencies between them risk the creation of loopholes and ineffective governance processes,” it said.

But the group said finalising Privacy Act reforms before continuing with the IVS Bill was “preferable”, noting that the decision not to include separate civil penalties or criminal offences in the IVS Bill, knowing the penalties in the Privacy Act are underbaked, is “woefully inadequate”.

“As privacy is a core part of making this scheme work safely, we strongly urge that reform of the Privacy Act be completed before such potentially pivotal systems such as IVS are built on top of its guarantees,” Digital Rights Watch added.

The Human Rights Commission (HRC), as well as the UTS Human Technology Institute, said that should the government not pass changes to the Privacy Act prior to the IVS Bill, it should review the operation of the bill after 12 months.

The government could also create a privacy framework specifically for the IVS Bill to fill the void while the Privacy Act reforms are finalised, though said this would “further complicate the already highly technical privacy legislative landscape”.

The HRC, UTS Human Technology Institute, Digital Rights Watch and the Law Council all complained about the short timeframe for the consultation, which had reduced the potential for feedback on the legislation.

“Short, concurrent consultation periods that do not enable meaningful public contribution undermine public trust. This is made worse given the circumstances in which the previous iteration of the bill was rejected for an absence of proper rights protections,” Digital Rights Watch said.

The IVS Bill was briefly debated in Parliament on Tuesday and referred to the Federation Chamber. A report from the Senate Legal and Constitutional Affairs Legislation Committee is due on November 9.
