Privacy Amendment (Public Health Contact Information) Bill 2020




ISSN 1328-8091

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest.

BILLS DIGEST NO. 98, 2019-20

12 MAY 2020

Privacy Amendment (Public Health Contact Information) Bill 2020

Claire Petrie, Law and Bills Digest Section

Contents

Purpose of the Bill
Background
COVIDSafe app
Biosecurity Determination
Key issues and provisions
Provisions to prevail over other laws
United States law enforcement access to data
Access to COVID app data
What is COVID app data?
When is access to COVID app permitted?
Offence provisions
Privacy obligations and Commissioner oversight
Privacy Commissioner powers
Reporting requirements
Strengthening protections and oversight
End of COVIDSafe data period and repeal of provisions
Scope of proximity

Date introduced: 12 May 2020

House: House of Representatives

Portfolio: Attorney-General

Commencement: Sections 1-3 commence on Royal Assent; Schedule 1 and item 1 of Schedule 2 commence the day after Royal Assent; and Schedule 2, items 2 to 4 commence at the end of 90 days after the day determined by the Health Minister to be the end of the COVIDSafe data period.

Links: The links to the Bill, its Explanatory Memorandum and second reading speech can be found on the Bill’s home page, or through the Australian Parliament website.

When Bills have been passed and have received Royal Assent, they become Acts, which can be found at the Federal Register of Legislation website.

All hyperlinks in this Bills Digest are correct as at May 2020.


Purpose of the Bill

The purpose of the Privacy Amendment (Public Health Contact Information) Bill 2020 (the Bill) is to amend the Privacy Act 1988 to provide for a range of offences and privacy protections in relation to the collection, use, disclosure and deletion of data in connection with the COVIDSafe contact tracing app (the app).

Background

COVIDSafe app

The COVIDSafe app was made available for download on 26 April 2020, as one component of the Government’s response to the COVID-19 pandemic.1 The app is designed to enhance existing contact tracing processes in relation to those who test positive to COVID-19, by maintaining a log of the Bluetooth connections a person’s phone makes with the phones of those they come in contact with. These connections, referred to as ‘digital handshakes’, involve the exchange of anonymised, temporary IDs (generated every two hours) which are stored in encrypted form on the mobile devices of the two users, along with data concerning the date, time, Bluetooth signal strength and duration of the contact. The app does not collect location data.2

This data is stored on a person’s device for a rolling 21 day period. If an app user tests positive to COVID-19, they may consent to this encrypted data being uploaded to the National COVIDSafe Data Store, which then provides the relevant State or Territory health authority with the registration data (name or pseudonym, mobile phone number, age range and post code) of other app users who spent more than 15 minutes within 1.5 metres of the confirmed case. State and Territory health authorities then use the data in connection with existing contact tracing processes.3

The Government states the app will ‘speed up the process of identifying people who have been in close contact with someone diagnosed with coronavirus, quickly stopping further spread of the virus in the community’.4 The National COVIDSafe Data Store is operated by the Digital Transformation Agency and is hosted by Amazon Web Services in Australia. The Commonwealth is reported to have entered into MOUs with State and Territory health authorities in regard to the use of data obtained through the app.5

The COVIDSafe app has been the subject of considerable public scrutiny, in respect of its effectiveness, transparency surrounding its operation, and the security of data collected.6 Similar issues are being considered around the world, as governments look to use technology to assist in controlling and limiting the spread of COVID-19, particularly as lockdown restrictions ease.7 The Australian Government has released the privacy impact assessment of the COVIDSafe app, conducted by Maddocks, as well as the Department’s response. On 8 May 2020, the Digital Transformation Agency released the source code for the app.8

1. S Morrison (Prime Minister), G Hunt (Minister for Health), S Robert (Minister for Government Services), B Murphy (Chief Medical Officer), COVIDSafe: new app to slow the spread of coronavirus, joint media release, 26 April 2020; Department of Health (DOH), ‘COVIDSafe app’, DOH website.

2. DOH, ‘Privacy policy for COVIDSafe app’, DOH website, last updated 11 May 2020; J Taylor, ‘Covidsafe app: how to download Australia’s coronavirus contact tracing app, how it works, what it does and problems’, The Guardian (Australia), 11 May 2020; G Smith, P O’Sullivan and C Hall, ‘COVIDSafe—what we now know’, Allens, 27 April 2020.

3. Ibid.

4. Morrison, Hunt, Robert and Murphy, COVIDSafe: new app to slow the spread of coronavirus, op. cit.

5. T Burton, ‘Green light on virus-tracing data’, The Australian Financial Review, 9 May 2020, p. 4.

6. For example: JJ Kang and P Haskell-Dowland, ‘How safe is COVIDSafe? What you should know about the app’s issues, and Bluetooth-related risks’, The Conversation, 7 May 2020; D Watts, ‘COVIDSafe, Australia's digital contact tracing app: the legal issues’, 3 May 2020; A Bogle, ‘COVIDSafe's effectiveness on iPhone in question as Government releases coronavirus contact tracing app’, ABC News online, 26 April 2020; S Langford, ‘Questions remain about the effectiveness of Australia’s COVIDSafe contact tracing app’, The Feed, SBS, updated 8 May 2020.

As at 10 May 2020, it was reported that there have been 5.4 million downloads of the app.9

Biosecurity Determination

To date, the legislative protections for the collection, use and disclosure of COVIDSafe app data have been contained in the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020 (COVIDSafe Determination), made by Minister for Health, Greg Hunt, exercising his human biosecurity emergency powers under the Biosecurity Act 2015 (Cth).10 Section 477 of the Biosecurity Act, under which the COVIDSafe Determination has been made, allows the Health Minister, during a human biosecurity emergency period, to determine any requirement the Minister is satisfied is necessary to:

• prevent or control the entry, emergence, establishment or spread of the declaration listed human disease in Australian territory, or a part of Australian territory

• prevent or control the spread of the disease into another country or

• give effect to any recommendation made to the Minister by the World Health Organisation in relation to the disease.

Determinations made by the Minister under this power are non-disallowable, and have effect until the end of the biosecurity emergency period (unless revoked earlier). Any requirement determined by the Minister under section 477 applies ‘despite any provision of any other Australian law’.11

The COVIDSafe Determination sets out the limited circumstances in which a person may collect, use or disclose COVID app data; limits the retention of COVID app data on a mobile device to 21 days and requires all data in the National COVIDSafe Data Store to be deleted after the conclusion of the pandemic; prevents data uploaded to the Data Store being held on a database outside Australia; prohibits the decryption of encrypted COVIDSafe data that is stored on a mobile device; and contains a range of prohibitions on coercing another person to download or operate the app. It is an offence to engage in conduct which contravenes a requirement set out in the determination, with a maximum applicable penalty of five years imprisonment and/or 300 penalty units.12

7. S Meixner, ‘Australia has COVIDSafe. Here is how other countries are using contact tracing apps in the fight against coronavirus’, ABC News online, 28 April 2020; C Criddle and L Kelion, ‘Coronavirus contact-tracing: World split between two types of app’, BBC News online, 7 May 2020.

8. Digital Transformation Agency (DTA), ‘DTA publicly releases COVIDSafe application source code’, DTA website, 8 May 2020.

9. P Brewer, ‘Weekend's easing brings no new cases in the ACT’, The Canberra Times, 11 May 2020, p. 3.

10. For more information about these powers, see: H Maclean and K Elphick, ‘COVID-19 Legislative response—Human Biosecurity Emergency Declaration Explainer’, FlagPost, Parliamentary Library, Canberra, 19 March 2020 (updated 27 March 2020).

11. Biosecurity Act 2015 (Cth), subsections 477(1), (2), (5), (7).

12. Ibid., section 479.

Concerns have been raised about potential gaps in the protections provided by the COVIDSafe Determination, including the absence of oversight or reporting mechanisms and the fact that as delegated legislation, the Determination may be amended or repealed by the Minister at any time.13 Law Council of Australia President, Pauline Wright, has stated:

The Law Council does not consider that an executive order is the optimum way to make laws, especially laws that determine criminal offences and make provisions for important protections of privacy and security of personal information, so it is critical that legislation be introduced as soon as possible.

As an executive instrument, the Determination is inherently susceptible to unilateral executive amendment or repeal and must be considered as a strictly interim measure, pending the introduction of legislation in the Parliament to put the regulatory framework on a comprehensive statutory footing.14

The Government released an Exposure Draft of the current Bill on 4 May 2020.15 Privacy experts and lawyers have suggested the Exposure Draft addresses a number of concerns raised in respect of the COVIDSafe Determination, including by: providing for oversight of the laws by the Office of the Australian Information Commissioner (OAIC); providing opportunities for individuals affected by a breach to seek a remedy; and clarifying that State and Territory health authorities are captured by data use restrictions.16 However, they also argued that uncertainties and other issues remain. Some of these have been addressed in the first reading version of the Bill, as introduced into Parliament on 12 May 2020. Other concerns are discussed below.

Key issues and provisions

The Bill substantially reproduces the obligations and prohibitions contained in the COVIDSafe Determination, with some amendments to strengthen potential gaps in protection. It also provides for Privacy Commissioner oversight over the collection, use and disclosure of data obtained through the COVIDSafe app. Item 1 of Schedule 2 repeals the COVIDSafe Determination—this will occur the day after the Act receives Royal Assent.17

Item 2 inserts proposed Part VIIIA into the Privacy Act, to set out offences and obligations in connection with the COVIDSafe app and COVID app data. The object of the proposed Part is to ‘assist in preventing and controlling the entry, emergence, establishment or spread of the coronavirus known as COVID-19’ in Australia, by ‘providing stronger privacy protections for COVID app data and COVIDSafe users’, in order to encourage public acceptance and uptake of the app, and enable faster and more effective contact tracing.18

13. P Wright (President, Law Council of Australia), Tracing app has been released but privacy concerns still exist, media release, 26 April 2020; G Greenleaf and K Kemp, ‘Australia's 'COVIDSafe App': An experiment in surveillance, trust and law’, Work-in-Progress Draft, 30 April 2020; Watts, ‘COVIDSafe, Australia's digital contact tracing app: the legal issues’, op. cit.

14. Wright (President, Law Council of Australia), Tracing app has been released but privacy concerns still exist, op. cit.

15. P Karp, ‘Government releases draft legislation for Covidsafe tracing app to allay privacy concerns’, The Guardian (Australia), 4 May 2020.

16. See, for example: S McGregor, M Fai and M Bennett, ‘Does the 80:20 rule apply?—Federal Government releases draft COVIDSafe app privacy legislation’, Gilbert + Tobin Lawyers, 7 May 2020; Kemp and Greenleaf, ‘The COVIDSafe bill doesn’t go far enough to protect our privacy. Here’s what needs to change’, op. cit.; P Wright (President, Law Council of Australia), Law Council President’s statement on the COVIDSafe exposure draft, media release, 5 May 2020.

17. See the commencement details in clause 2 of the Bill (item 3 in table).

18. Proposed section 94B. The term contact tracing is defined under proposed subsection 94D(6).

Provisions to prevail over other laws

Proposed section 94ZD expressly cancels the effect of any Australian law which would otherwise permit or require conduct, or an omission to act, that is prohibited under proposed Part VIIIA. There is an exception for a provision of an Act, where the provision commences later than the current legislation, and expressly permits or requires the conduct or omission despite the provisions under this Part.

In response to concerns as to whether Australian police would be able to access such data by applying for a warrant, the Government has stated the legislation ‘overrides all other Commonwealth and state and territory laws that would provide for any form of law enforcement access’.19

United States law enforcement access to data

A source of contention has been the potential reach of the United States Clarifying Lawful Overseas Use of Data Act 2018 (CLOUD Act), which enables US federal law enforcement agencies to require US-based organisations to provide data requested under a warrant or subpoena, even where the data is stored outside the US. Amazon Web Services, as a subsidiary of a US incorporated entity, falls within the reach of the CLOUD Act.20

Law firm Allens explains that under the CLOUD Act:

[a] company can refuse to provide data where doing so would violate the law of a 'qualifying foreign government'.

Australia is not currently a qualifying foreign government and will not become one until Australia and the US execute a bilateral agreement. The [Telecommunications Legislation Amendment (International Production Orders) Bill 2020] is a precursor and enabler to this. This means that data held by [Amazon Web Services] could, at least theoretically, be at risk of access by the US Government until these arrangements are finalised. While we consider that to be highly unlikely, we do expect further discussion and Parliamentary scrutiny on this topic.21

In evidence given before a hearing of the Senate Select Committee on COVID-19, the Attorney-General’s Department said that it received advice from the Australian Government Solicitor on the potential interaction between COVIDSafe laws and the CLOUD Act, and while it could not ‘give complete guarantees about foreign laws’, believed it was:

…not conceivable that there would be such access by US agencies for a series of reasons, including the arrangements the US Department of Justice has in place and also the provisions of US law which enable US courts to quash such requests in those circumstances.22

Privacy law academics, Dr Katharine Kemp and Professor Graham Greenleaf, have noted that the issue of whether records held by Amazon Web Services as part of its COVIDSafe contract could be subject to the CLOUD Act ‘is not straightforward’, and have recommended the Government make public any advice received on this issue.23

19. S Chidgey (Attorney-General’s Department), Evidence to Senate Select Committee on COVID-19, Australian Government’s response to the COVID-19 pandemic, 6 May 2020, pp. 16-17; for discussion of concerns regarding police access, see Watts, ‘COVIDSafe, Australia's digital contact tracing app: the legal issues’, op. cit., pp. 9-10.

20. Smith, O’Sullivan, Hall, ‘COVIDSafe—what we now know’, op. cit.; Watts, ‘COVIDSafe, Australia's digital contact tracing app: the legal issues’, op. cit., pp. 11-12; D Welch and L Besser, ‘Experts warn there are still legal ways the US could obtain COVIDSafe data’, ABC News online, 28 April 2020.

21. G Smith, P O’Sullivan, C Hall, ‘The COVIDSafe Bill—good progress, but there's more to do’, Allens Lawyers, 6 May 2020; also see: Parliament of Australia, ‘Telecommunications Legislation Amendment (International Production Orders) Bill 2020 homepage’, Australian Parliament website.

22. Chidgey, Evidence to Senate Select Committee on COVID-19, op. cit., 6 May 2020, p. 9.

23. Greenleaf and Kemp, ‘Australia's 'COVIDSafe App': An experiment in surveillance, trust and law’, op. cit., p. 6.


Access to COVID app data

What is COVID app data?

The term COVID app data is defined under proposed subsection 94D(5) to mean data relating to a person that has been collected or generated through the operation of the COVIDSafe app, and either is registration data24 or is stored or has been stored on a communication device.25

It does not include information that is obtained from a source other than directly from the COVIDSafe Data Store, in the course of contact tracing—for example, information obtained through manual tracing activities. It also does not include de-identified statistical information about the total number of registrations through COVIDSafe that is produced by either an officer or employee of the data store administrator, or a contracted service provider for a government contract with the data store administrator.26

Some privacy experts and lawyers have suggested that the scope of the definition needs to be expanded further, arguing that it is currently unclear whether the definition of COVID app data extends to:

• records which have been uploaded in encrypted form to the COVIDSafe Data Store and then decrypted or

• data which has been ‘transformed or derived from that data by state and territory health officers’, such as where data generated by the app is merged with data otherwise available to State and Territory health authorities.27

When is access to COVID app permitted?

The Bill specifies the circumstances in which the collection, use and/or disclosure of COVID app data is permitted. Access to COVID app data outside of these circumstances will constitute an offence.28 The permitted circumstances are substantially the same as provided for under the COVIDSafe Determination, and cover:

• where the person is an employee of, or in the service of, a State or Territory health authority, and the collection, use or disclosure is for the purpose of undertaking contact tracing

• where the person is an officer or employee of the data store administrator,29 or a contracted service provider for a government contract with the data store administrator, and the collection, use or disclosure is for the purposes of enabling contact tracing by State or Territory health authorities, or ensuring the proper functioning, integrity or security of the COVIDSafe app or COVIDSafe Data Store

• where collection or disclosure is for the purpose of transferring encrypted data between mobile devices through COVIDSafe, or from the mobile device to the COVIDSafe Data Store

• where the collection, use or disclosure is for the purpose of investigating a possible contravention of proposed Part VIIIA or prosecuting a person for an offence against the Part

• where COVID app data is used by the data store administrator for the purpose of producing de-identified statistical information about the total number of registrations through COVIDSafe and

• in the case of COVID app data that the data store administrator has a statutory obligation to delete under proposed section 94L, where the use consists of access by the data store administrator for the purpose of confirming the correct data is being deleted.30

24. Item 1 of Schedule 1 inserts a definition of registration data into subsection 6(1) of the Privacy Act, meaning ‘the information about the person that was uploaded from a communication device when the person was registered through COVIDSafe’.

25. Item 1 of Schedule 1 inserts a definition of communication device into subsection 6(1) of the Privacy Act, meaning ‘an item of customer equipment (within the meaning of the Telecommunications Act 1997)’. Customer equipment is defined under section 21 of the Telecommunications Act.

26. Proposed paragraphs 94D(5)(c) and (d).

27. K Kemp and G Greenleaf, ‘The COVIDSafe bill doesn’t go far enough to protect our privacy. Here’s what needs to change’, The Conversation, 6 May 2020; McGregor, Fai and Bennett, ‘Does the 80:20 rule apply?—Federal Government releases draft COVIDSafe app privacy legislation’, op. cit.; Smith, O’Sullivan, Hall, ‘The COVIDSafe Bill—good progress, but there's more to do’, op. cit.

28. Proposed section 94D.

29. Item 1 of Schedule 1 inserts a definition of data store administrator into subsection 6(1) of the Privacy Act, to mean the Health Department, other than to the extent provided for under proposed section 94Z. This allows the Secretary of the Health Department to, by notifiable instrument, determine another agency to be the data store administrator for the purposes of one or more particular provisions under proposed Part VIIIA. However, proposed subsection 94Z(3) provides that the Secretary must not determine any of the following to be the data store administrator: an enforcement body (as defined under subsection 6(1) of the Privacy Act), intelligence agency, the Australian Geospatial-Intelligence Organisation or the Defence Intelligence Organisation.

An additional permitted circumstance under the Bill is where the collection, use or disclosure is for the purpose of the Privacy Commissioner performing their functions or exercising their powers under, or in relation to, proposed Part VIIIA. This will assist the Commissioner to fulfil their oversight functions in relation to the proposed provisions.

In each case, the collection, use and/or disclosure of data is permitted only to the extent required for the relevant purpose.

Offence provisions

Proposed Division 2 contains the following proposed offences in connection with COVIDSafe and COVID app data:

• collecting, using or disclosing COVID app data outside of the circumstances permitted by the Bill (outlined above)31

• retaining COVID app data which has been uploaded to the COVIDSafe Data Store on a database outside Australia, or disclosing such data to another person outside Australia (other than for contact tracing purposes)32

• uploading, or causing to be uploaded, COVID app data from a communication device to the COVIDSafe Data Store without the consent of the COVIDSafe user in relation to that device (or the consent of their parent, guardian or carer, where the user is unable to consent or has requested that person act on their behalf)33

• decrypting COVID app data that is stored on a communication device34 and

• coercive actions in respect of the COVIDSafe app, including: requiring a person to download or use the app or upload data from the app, or taking a range of adverse measures against a person on this basis, including: refusing to enter into a contract, taking adverse action, refusing entry to public premises, refusing to allow participation in an activity, refusing the receipt of or insisting on receiving more monetary consideration for goods or services, or refusing the provision of or insisting on providing less monetary consideration for goods or services.35

30. Proposed subsection 94D(2).

31. Proposed subsection 94D(1).

32. Proposed section 94F.

33. Proposed section 94E.

34. Proposed section 94G.

35. Proposed section 94H. Dr Katharine Kemp and Professor Graham Greenleaf have suggested amendments to strengthen the coercion offence, including to expressly capture requiring a person to disclose whether they have the app installed or in operation, and to provide that the offence extends to any requirement imposed as a condition of exceptions to ‘stay at home’ orders: Greenleaf and Kemp, ‘Australia's 'COVIDSafe App': An experiment in surveillance, trust and law’, op. cit., pp. 9-10.

Each offence carries a maximum penalty of five years imprisonment and/or 300 penalty units ($63,000).36 This is the same as the maximum penalty applicable under the Biosecurity Act for breaches of the COVIDSafe Determination.

Privacy obligations and Commissioner oversight

Proposed Division 3 sets out a range of obligations relating to the deletion of COVID app data, and ceasing collection of such data in certain circumstances. These include requirements that the data store administrator: take all reasonable steps to ensure data is not retained on a user’s device for more than 21 days;37 delete a user’s registration data on request (except for de-identified data);38 not collect COVID app data from former users of the app;39 and at the end of the COVIDSafe data period, delete all COVID app data from the COVIDSafe Data Store.40 Additionally, any person who receives COVID app data in error is required to, as soon as practicable, delete the data and notify the data store administrator.41

Failure to comply with these obligations will not constitute a criminal offence, but may constitute an interference with privacy and be subject to investigation and civil penalties under the Privacy Act.42

Privacy Commissioner powers

Proposed section 94S provides that a breach of the requirements under proposed Part VIIIA, either by the data store administrator or a State or Territory health authority, is an eligible data breach for the purposes of the notifiable data breaches scheme under Part IIIC of the Privacy Act.43

Under this scheme, the operation of which is modified by proposed subsection 94S(3), the data store administrator or relevant health authority is required to notify the Privacy Commissioner where they have reasonable grounds to believe they have breached a requirement in relation to COVID app data.44 The Commissioner will determine whether the administrator/health authority is required to comply with the data breach notification requirements by preparing a statement about the data breach and notifying affected individuals of (or otherwise publicising) the contents of this statement.45

36. Crimes Act 1914 (Cth), section 4AA specifies that a penalty unit is currently $210.

37. Proposed section 94K.

38. Proposed section 94L. Where it is not practicable to delete the data immediately, the data store administrator must not use or disclose the data for any purpose.

39. Proposed section 94N.

40. Proposed section 94P.

41. Proposed section 94M.

42. Proposed section 94Q states that COVID app data relating to an individual is taken to be personal information about the individual. Proposed section 94R provides that an act or practice in breach of a requirement under the Part in relation to an individual, constitutes an interference with the privacy of that individual for the purposes of section 13 of the Privacy Act.

43. A breach by an officer or employee of the data store administrator, or a contracted service provider for a government contract with the data store administrator, is taken to be an eligible data breach by the data store administrator (proposed paragraphs 94S(1)(b) to (d)); a breach by a person employed by, or in the service of, a State or Territory health authority, is taken to be an eligible data breach by that authority (proposed paragraphs 94S(2)(b)-(c)).

44. Proposed sub-paragraph 94S(3)(b)(i). The Australian Information Commissioner is also the Privacy Commissioner: Office of the Australian Information Commissioner (OAIC), ‘Our structure’, OAIC website.

45. Privacy Act, sections 26WK and 26WL; proposed sub-paragraph 94S(3)(b)(ii). Proposed subsections 94S(4) to (6) provide for circumstances in which the Commissioner must, and may not, require compliance with the notification requirements.


The Privacy Commissioner also has the power to:

• conduct an assessment of whether the acts of an entity or a State or Territory authority in relation to COVID app data, comply with the requirements of proposed Part VIIIA46 and/or

• conduct an investigation either in response to an individual complaint about an interference with their privacy,47 or on the Commissioner’s own initiative.48

Following an investigation, the Commissioner may require an entity to take specific steps to prevent recurrence of a breach and/or to redress any loss or damage suffered or pay compensation.49 The Commissioner or complainant may commence proceedings in the Federal Court or Federal Circuit Court for an order to enforce such a determination.50

To a large extent these provisions address a concern, raised by some privacy experts, that the COVIDSafe Determination provides only criminal enforcement mechanisms and no avenue for civil remedies in respect of the misuse of COVID app data.51

Reporting requirements

The version of the Bill as introduced into Parliament includes reporting requirements which were not contained in the Exposure Draft.

Proposed section 94ZA provides that the Health Minister must cause a report to be prepared on the operation and effectiveness of COVIDSafe and the National COVIDSafe Data Store:

• at the end of the 6 month period starting with the Act’s commencement and

• at the end of each subsequent 6 month period (if any) before the end of the COVIDSafe data period.

The Health Minister must cause copies of any report prepared to be laid before each House of Parliament within 15 sitting days after completion of the report.

Proposed section 94ZB requires the Privacy Commissioner to cause a report to be prepared on the performance of the Commissioner’s functions, and exercise of the Commissioner’s powers, under or in relation to proposed Part VIIIA:

• at the end of the 6 month period starting with the Act’s commencement and

• at the end of each subsequent 6 month period (if any) before the end of the COVIDSafe data period.

The report must be published on the Commissioner’s website.

Strengthening protections and oversight

Recommendations to further strengthen protections in the Bill have included:

46. Privacy Act, section 33C; proposed section 94T.
47. Privacy Act, section 36, subsections 40(1)-(1A).
48. Privacy Act, subsection 40(2).
49. Privacy Act, section 52.
50. Privacy Act, section 55A.
51. G Greenleaf and K Kemp, ‘Australia's 'COVIDSafe App': An experiment in surveillance, trust and law’, op. cit., pp. 13-14. Note that under proposed section 94U, the Commissioner must cease an investigation if the matter becomes subject to a criminal investigation by the Commissioner of Police or Director of Public Prosecutions.

• prescribing the minimum design specifications of the app and Data Store, rather than leaving them to be determined from time-to-time—for example, that the app must operate on a voluntary opt-in basis52

• requiring the Privacy Commissioner to inspect and certify data deletion obligations have been complied with at the end of the app’s period of operation53 and

• the creation of a COVIDSafe Privacy Advisory Committee, including the various Privacy Commissioners, to provide collective advice to the National Cabinet and the public regarding the operation of COVIDSafe.54

End of COVIDSafe data period and repeal of provisions

Proposed section 94Y requires the Health Minister to determine a day to be the end of the COVIDSafe data period, if the Minister is satisfied that by that day, the use of the app is no longer required to prevent or control, or no longer likely to be effective in preventing or controlling, COVID-19 in Australia. Before making this determination, the Minister must consult with, or consider recommendations from, the Commonwealth Chief Medical Officer (CMO) or the Australian Health Protection Principal Committee (AHPPC). Under proposed subsection 94Y(3), the CMO or AHPPC may also recommend to the Minister that such a determination be made.

At the end of the COVIDSafe data period, the data store administrator must not collect any COVID app data or make COVIDSafe available for download. They must also:

• delete all COVID app data from the COVIDSafe Data Store and

• after the deletion:

  - inform the Health Minister and Privacy Commissioner that all COVID app data has been deleted and

  - take all reasonable steps to inform current users of the app of this fact, as well as that COVID app data can no longer be collected and that users should delete the app from their devices.55

Items 2 and 3 of Schedule 2 of the Bill provide for the repeal of all the provisions inserted into the Act by Schedule 1. The repeal will occur at the end of 90 days after the date specified by the Health Minister as the end of the COVIDSafe data period.56

Scope of proximity

Dr Katharine Kemp and Professor Graham Greenleaf have argued that in not defining or placing restrictions around the concept of ‘proximity’, the Bill allows the collection of more personal data than is required for contact tracing. They note:

According to the Privacy Impact Assessment of COVIDSafe, the app collects and - with consent of a user who tests positive - uploads to the central data store, data about all other users who came within Bluetooth signal range even for a minute within the preceding 21 days.

While the Department of Health more recently said it would prevent state and territory health authorities from accessing contacts other than those that meet the “risk parameters”, the bill includes no data collection or use restrictions based on the distance or duration of contact.57

52. Wright, Law Council President’s statement on the COVIDSafe exposure draft, op. cit.
53. Wright, Law Council President’s statement on the COVIDSafe exposure draft, op. cit.
54. Greenleaf and Kemp, ‘Australia's 'COVIDSafe App': An experiment in surveillance, trust and law’, op. cit., p. 15.
55. Proposed section 94P.
56. See the commencement details in clause 2 of the Bill (item 4 in table).

© Commonwealth of Australia

Creative Commons

With the exception of the Commonwealth Coat of Arms, and to the extent that copyright subsists in a third party, this publication, its logo and front page design are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Australia licence.

In essence, you are free to copy and communicate this work in its current form for all non-commercial purposes, as long as you attribute the work to the author and abide by the other licence terms. The work cannot be adapted or modified in any way. Content from this publication should be attributed in the following way: Author(s), Title of publication, Series Name and No, Publisher, Date.

To the extent that copyright subsists in third party quotes it remains with the original owner and permission may be required to reuse the material.

Inquiries regarding the licence and any use of the publication are welcome to webmanager@aph.gov.au.

Disclaimer: Bills Digests are prepared to support the work of the Australian Parliament. They are produced under time and resource constraints and aim to be available in time for debate in the Chambers. The views expressed in Bills Digests do not reflect an official position of the Australian Parliamentary Library, nor do they constitute professional legal opinion. Bills Digests reflect the relevant legislation as introduced and do not canvass subsequent amendments or developments. Other sources should be consulted to determine the official status of the Bill.

Any concerns or complaints should be directed to the Parliamentary Librarian. Parliamentary Library staff are available to discuss the contents of publications with Senators and Members and their staff. To access this service, clients may contact the author or the Library’s Central Enquiry Point for referral.

Members, Senators and Parliamentary staff can obtain further information from the Parliamentary Library on (02) 6277 2500.

57. Kemp and Greenleaf, ‘The COVIDSafe bill doesn’t go far enough to protect our privacy. Here’s what needs to change’, op. cit. Also see Watts, ‘COVIDSafe, Australia's digital contact tracing app: the legal issues’, op. cit., p. 12; Greenleaf and Kemp, ‘Australia's 'COVIDSafe App': An experiment in surveillance, trust and law’, op. cit., p. 8.