CovidSafe legislation wins legal support, but with tweaks
May 5, 2020
Draft privacy legislation for the COVIDSafe app offers significant improvements but needs further strengthening according to legal practitioners. Technology lawyer, Nick Abrahams, said the support by his peers for the app was among the most gratifying of his career. AFR
Labor continued to support in principle the COVIDSafe app but reserved its position on the legislation. "I’m pleased we now have a draft bill and tomorrow’s hearing of the Senate inquiry provides us with an opportunity to ensure we get this right," the shadow attorney-general Mark Dreyfus said. The expert legal group comprises some of the cream of the technology, security and privacy advisory world, including Nick Abrahams (Norton Rose), Cameron Abbott (K&L Gates), Stuart Clark (consultant – ex Clayton Utz), Patrick Fair (Patrick Fair assoc – ex Baker Mckenzie), Peter Leonard (Datasynergies – ex Gilbert + Tobin), Ian McGill (Allens), Dudley Kneller (Gadens), Gavin Smith (Allens), Peter Jones (Freehills) and Peter Waters (Gilbert + Tobin). Advertisement
Their decision to download the app was made ahead of the release of the exposure draft legislation to entrench the temporary privacy protections imposed by a special bio-security determination. The convenor of the group, Mr Abrahams said each participant had made the decision to support the app after reaching out through LinkedIn and other channels. "Many of us sit opposite each other representing our clients. It has been a major joy of my professional career to see the group come together. " UNSW Law school privacy experts Graham Greenleaf and Katharine Kemp said the exposure bill included "some significant improvements, but it still falls short on substantial issues". They endorsed the proposal to allow a user to make a complaint to the federal privacy commissioner, and obtain compensation. And also supported a provision to ensure consent came from the person who registered the app, rather than anyone who can access the phone. "The bill fails to limit the collection and use of personal data as originally promised; the protections do not apply to all relevant data, and it does not close remaining loopholes in the rules against coercion. The government has also failed to provide transparency on some key matters." Advertisement
The academics said the bill enabled tracing of anyone within “the proximity” of the infected user within the previous 21 days, meaning the original limitation of only tracing contacts who were within 1.5 meters for 15 minutes had been legislated. They were joined by Mr Leonard, in their concerns to tighten the definition to ensure it included data transformed or derived from the original. "The definition of COVID app data refers to the operation of COVIDSafe, but COVIDSafe is defined only as the app, not the operation of the COVIDSafe data ecosystem as enabled through an input of COVID app data," Mr Leonard said. "The definition should include all data within the COVIDSafe data ecosystem." King & Wood Mallesons partner John Swinson suggested the ban might convince some businesses to develop their own app and circumvent the legislation. He noted there was no "reasonable excuse" provision: "If I was to say to my wife I am not going to let you inside the house without you downloading the app, I could go to jail for five years." Mr Swinson said the legislation may be problematic when people share a phone. Advertisement
According to the Attorney General's department, it includes these additional protections:
The national privacy regulator, the Office of the Australian Information Commissioner (OAIC), will have oversight of COVIDSafe. They can manage complaints about the mishandling of COVIDSafe data and conduct assessments relating to maintenance and handling of that data. The Privacy Act's Notifiable Data Breaches scheme will be extended to apply to COVIDSafe data. The interaction between the powers and obligations of the OAIC in relation to COVIDSafe data with the powers of state and territory privacy regulators and the Australian Federal Police will be clarified. The administrator of the National COVIDSafe Data Store will delete users' registration data upon request. An individual will be required to delete COVIDSafe data if they receive it in error. No data can be collected from users who have chosen to delete COVIDSafe. A process will be put in place for COVIDSafe data to be deleted at the end of the COVID-19 pandemic and users to be notified accordingly. The exposure legislation is to be considered by the Senate COVID-19 review committee on Wednesday. Digital Transformation Agency executives, including boss Randall Brugeaud, will give evidence, along with acting Health Department secretary Caroline Edwards and senior Attorney-General's Department officers. Chaired by Labor's Katy Gallagher, opposition senators on the committee are expected to probe the app's roll out, uptake by the public, privacy concerns and functionality. “Labor believes this app could be a critical tool in the COVID-19 exit strategy, but it’s important we get it right," health spokesman Chris Bowen said. "We will continue to consult with the government until the privacy legislation of the app is introduced to ensure any concerns are addressed." How the coronavirus is changing markets, business and politics. Coronavirus: Need to know. Our daily reporting, in your inbox.