Attorney-General, Christian Porter, yesterday released draft COVIDSafe legislation detailing protections to individuals' data following the app’s launch last week.
The Privacy Amendment (Public Health Contact Information) Bill 2020, due to go before Parliament on May 12, will make it a criminal offence to collect, use or disclose data collected by the app which more than 4.5 million Australians have so far registered to use.
Current registrations make up roughly half the number required to meet the government’s started target of a 40 per cent take up rate for the app to be effective in helping stop spread the virus’ spread.
Despite the bill’s provisions, privacy advocates warned there were weaknesses in the legislation and the government’s tardy release of the source of the source code remains a concern for many in the technology industry.
Attorney-General, Christian Porter, said "the draft Bill I have released today will enshrine these protections in primary legislation and gives Australians confidence to download COVIDSafe, continue the fight against COVID-19 and get our nation back to business as usual.
"As the final step of our 'triple lock' of privacy protections, this draft Bill will build upon the Biosecurity Determination and agreements with the States and Territories to comprehensively guarantee that Australians' data is in safe hands when they download and use COVIDSafe.
"The draft Bill clarifies the enforcement mechanisms for the penalties that are already in place against misuse of data from the COVIDSafe app. Criminal offences under the Bill can be investigated by the Australian Federal Police. Individuals can also have their complaints heard by the Office of the Australian Information Commissioner or the relevant State or Territory privacy regulator if appropriate."
In response to the draft, UNSW academics Dr Katherine Kemp and Professor Graham Greenleaf released a paper examining the bill saying “the COVIDSafe Bill includes some significant improvements on the protections offered by the Health Minister’s Determination released alongside the COVIDSafe app, but it still falls short on substantial issues.
“The Bill fails to limit the collection and use of personal data as originally promised; the protections do not apply to all relevant data; and it does not close remaining loopholes in the rules against coercion. The government has also failed to provide transparency on some key matters.”
The authors also rejected the ‘Google already knows everything about you’ claim being made by public defenders of the app, saying “while we have written extensively about the harm done by corporate data practices, these companies do not yet have powers to arrest, detain, interrogate or search. Excessive invasions of privacy by government can have far more immediate and dramatic effects on a person’s liberty.”
Security researcher Vanessa Teague also posted her concerns about the delays in releasing the app’s source code, writing “I'm keen to see the #Covidsafeapp cloud code. The Singaporean equivalent is already open; the Australian one still secret. This would let us understand how they're encrypting the IDs that everyone broadcasts, and allow us to identify mistakes and hopefully get them fixed.”
Under the bill, it will be a criminal offence to collect, use or disclose COVIDSafe app data for a purpose that is not related to contact tracing. It will also be a criminal offence to coerce a person to use the app, to store or transfer COVIDSafe app data to a country outside Australia and to decrypt app data. A maximum penalty of 5 years imprisonment or $63,000 will apply to breaches.
Attorney-General Porter also pointed out the proposed law will ensure the deletion of data when the crisis has passed. "In addition to the protections provided by the Biosecurity Determination this Bill puts in place a clear process outlining how the Government will satisfy its obligation to delete all COVIDSafe data from the National COVIDSafe Data Store once the pandemic is over," he said.
