COVIDSafe App – Part Two
Legislation passed by Parliament seeks to address privacy concerns with the COVIDSafe App and what it means for you
Whilst more than 5.7 million Australians have downloaded the COVIDSafe App, millions are still considering whether to download the App released a fortnight ago. Many have expressed privacy concerns with the App launched well before the release of the source code and the passing of draft legislation aimed at addressing privacy issues. This legislation has now passed both Houses of Parliament.
Immediately prior to the release of the App, so as to address the public’s privacy concerns, the Federal Government:
- made a Determination under the Biosecurity Act 2015 which was intended to provide strong interim privacy protections for information that Australians provide through COVIDSafe. The Determination is now repealed and replaced by the Legislation; and
- released a COVIDSafe Application Privacy Impact Assessment, which was intended to provide Australians with the details of how the App impacted their privacy rights and recommendations for improvement. The Government has agreed to all of the recommendations.
There are two new developments regarding the App, since our last article:
- On 8 May 2020, the Digital Transformation Agency (“DTA”) released the source code for the App and is seeking feedback from the general public on security and usability functions.
- On 14 May 2020 Parliament passed The Privacy Amendment (Public Health Contact Information) Bill 2020 (“COVIDSafe Legislation”) that addresses the appropriateness and effectiveness of the operation and protections of the App.
For Australians who have downloaded, and those who are considering downloading, the App
The Government says the COVIDSafe Legislation will provide clear safeguards for the protection of our data which is collected by the App.
More specifically, the COVIDSafe Legislation includes the protections for data collected by the App which are contained in the Determination (noted in our previous article) and summarised by the Attorney General. In addition, the COVIDSafe Legislation provides further protections under the Privacy Act 1995, including the following:
- The Office of the Australian Information Commissioner will have oversight over the collection and use of data by the COVIDSafe App.
- The operation of the Notifiable Data Breach Scheme is extended to include the protection of data collected by the App at risk from an eligible data breach.
- In addition to criminal sanctions (including imprisonment of up to 5 years), the COVIDSafe Legislation sets penalties for any unauthorised disclosure of your data to also include penalties imposed under the Privacy Act.
These protections are achieved under the COVIDSafe Legislation through defining ‘COVID app data’ and classifying it as personal information thereby allowing individuals to seek protection and remedies under the Privacy Act. In particular, by classifying COVID app data as personal information under the Privacy Act, the COVIDSafe Legislation clarifies the boundaries for authorised use and disclosure and sets the triggers for when the proposed penalties of up to 5 years imprisonment and/or up to $63,000 penalty may be sanctioned.
Definitions are a double-edged sword because they inevitably reduce the coverage of what could be considered as COVID app data. Initially, the exposure draft explicitly excluded de-identified data from the definition of COVID app data. This raised concerns, as App users would have been exposed to the risk of re-identification when the de-identified data is taken into consideration with other data sources held by the Government or other recipients of the de-identified data. However, to address this issue, the COVIDSafe Legislation provides for the narrowing of the exclusion to de-identified statistical information on registration numbers, thus reducing the concerns.
However, it is unclear whether or not the definition captures derived data such as metadata. The ambiguous treatment of derived data creates a gap in privacy protection, as App users may neither understand nor control the use of any derived data. Derived data includes metadata. Metadata is data that provides information about other data such as the source, destination, date, time and duration of a communication or connection to a device or service. You can read more about metadata here.
One addition to the COVIDSafe Legislation, which was not found in the exposure draft of the Bill, is a prohibition on appointing certain enforcement bodies and intelligence bodies named in the COVIDSafe Legislation as the data store administrator.
Protections against coercion
The protections against coercion which are contained in the Determination are brought across in the COVIDSafe Legislation. In short, a person or entity cannot do any of the following:
- Require another person to download the COVIDSafe App.
- Refuse to provide services or refuse entry to individuals without the COVIDSafe App.
- Charge higher rates to customers without the COVIDSafe App.
- Pay lower rates to suppliers without the COVIDSafe App.
Anyone found to contravene this protection against coercion can be liable for up to 5 years imprisonment and/or $63,000 penalty.
At the time of debate on the draft Bill, some parts of the Australian business community were seeking permission to refuse entry to places of business for anyone without the COVIDSafe App downloaded.
As the App was pitched by Government as an essential tool in its strategy to reopen the economy, businesses were pushing for compulsory adoption to fast-track economic activity thereby liberating social interactions and movements. Many restaurants and other businesses were asking for the right to refuse entry to individuals without the App as a safety precaution for their patrons and the survival of their business. Employers were also seeking the ability to make their employees download the App before returning to their place of work.
Ultimately, the Government did not diminish the protections against coercion which were in the exposure draft of the Bill. In fact, the protections are increased in the legislation with the inclusion of the prohibitions on price discrimination.
For the Australians who have already downloaded the app
The COVIDSafe Legislation clarifies the deletion procedure for users to request the removal of their data (if technically permissible) from the National COVIDSafe Data Store. This gives users control over their participation and allows them to withdraw from contact tracing if they have concerns.
Further, under the COVIDSafe Legislation it is clear that only the registered user of the App may consent to uploading their data into the National COVIDSafe Data Store and not just any user of the device.
The App is not a silver bullet.
Some users have reported usage issues on Apple devices, which contradict the purported functionalities stated by the Government.
Whilst technical issues are understandable when rolling out a newly developed and relatively untested app across millions of users, the lack of a clear and early Government response in addressing any known technical shortcomings will prove disastrous. Many issues that have been identified are being worked through. The making of clear protective legislation will not overcome issues with the effectiveness of the app to protect data. In particular, the sense of confidence and security in the App which has developed due to Government statements about the effectiveness of the app and the making of the COVIDSafe legislation will quickly erode if the App fails.
We acknowledge that through making the App’s source code publicly available, the DTA have created a platform for enabling the improvement of the technical capability of the App and we trust the Government will be proactive in dealing with and openly addressing any technical issues with the App as they arise.
Where to next?
The COVID19 pandemic has shown the importance of swift Government action, consistent messaging and an iterative approach in addressing new challenges. Australians have asked the Government, when legislating in our new normal, to strike a careful balance between protecting our health by controlling the pandemic, restarting the economy and protecting personal autonomy.
Ultimately, beyond the making of the new legislation, it is important that the dialogue regarding the App continues so that Australians are empowered to make informed choices regarding whether they should download it and, if they have downloaded it, whether to retain the App.
Other useful links:
Link to previous article on ‘The COVIDSafe App – What we know and questions that remain unanswered’, published on 27 April 2020 by Patricia Monemvasitis and Yue Lucy Han.