Digital ID regime could raise compliance costs, government told

The creation of a legislation, economy-wide, digital identification regime is a “highly significant and sensitive proposal” that will require careful consideration by the government, the Law Council of Australia has warned the government.

In a recent submission, the Law Council said, in principle, it supports the development of a a legislated voluntary accreditation scheme, which would strengthen the existing Trusted Digital Identity Framework (TDIF), and gradually expand the Australian Government Digital ID System (AGDIS) to include private sector organisations that choose to participate.

However, it also stressed the need for consistency and certainty with key concepts across Australia’s digital identity, privacy and identity verification frameworks.

“Consequently, as an overarching principle, the bill should be compatible with the proposals agreed upon by the Government in its response to the Privacy Act Review, particularly in relation to terminology. For instance, the Bill should mirror the Report’s proposed definitions for ‘collection’, 3 ‘disclosure’ 4 and ‘consent’,” it stated.

The submission noted that the expansive definition of ‘personal information’, proposed under clause 9 of the Bill, would include ‘attributes of individuals’.

“However, extending the meaning of ‘personal information’ under the Bill may further confuse what is already an uncertain concept, and undermine consistency across the relevant legislative schemes,” it said.

The Government’s in-principle agreement to the majority of the proposals in Chapter 4 of the Report signifies that further detailed consideration and impact analysis will be required before concrete amendments are made to, for instance, the definitions of ‘personal information’ and ‘sensitive information’ in the Privacy Act.

If the bill is passed, it will necessarily require revisions to reflect any new, or updated, terms that may arise, following anticipated reforms to the Privacy Act, as the primary and authoritative piece of privacy-related legislation in Australia, the submission said.

It also noted that the Senate Legal and Constitutional Affairs Legislation Committee is currently inquiring into the provisions of the Identity Verification Services Bill 2023 and the Identity Verification Services (Consequential Amendments) Bill 2023 (the IVS Bills).

These Bills were introduced into the House of Representatives on 13 September 2023 and were referred to the Committee the following day.

The IVS Bills seek to establish new primary legislation to provide a legal framework for the operation of the Commonwealth’s identity verification services, allowing government agencies and industry to match biometric information (such as a photograph or biographic information) with an existing government record.

“While the Law Council appreciates that the IVS Bills and the Digital ID Bill differ in terms of their objects and scope, both proposals appear to raise substantially similar issues concerning digital identity verification and usage,” the submission said.

“In particular, the bills relate to accredited identity service providers, such as myGovID, which employs identity verification services, with similar risks associated with the implementation of such services.”

The Law Council of Australia said while these reform processes are clearly linked, this Bill and the IVS Bills are “misaligned in terms of privacy protection and oversight”.

“While the Government clearly intends for these two legislative proposals to work in tandem, it is currently unclear how, and to what extent, they might interact. The Law Council would appreciate guidance from the Government on this matter,” it stated.

“Proceeding with these misaligned proposals, if passed, will increase the cost of compliance for government and business, as there will be multiple inconsistent schemes operating in an overlapping area of activity.”

Given the similarities between the two proposals, both thematically and in terms of concurrent timeframes for stakeholder engagement, the Law Council has called for improved coordination and integration of privacy-related, federal law reform initiatives across government.

“This approach would promote consistency in the law and enable correlations between the various proposals to be fully realised,” it stated.

The Law Council acknowledged that technology typically moves much faster than the law, and that, as a result, the fragmentation of reforms is, at times, unavoidable.

“Nonetheless, at a minimum, the Law Council seeks a roadmap for the harmonisation of Australia’s privacy and data laws, to ensure the development of a national privacy framework that is consistent, clear and accessible,” it said.