Privacy Act Amended to Regulate COVIDSafe App Data
Overview – Australian contact tracing app
The launch on 26 April 2020 of the Australian government’s contact tracing app, COVIDSafe, has raised some privacy concerns within the community. Some of these may be well-founded, others less so.
Whilst the Privacy Act 1988 (Cth) (the Privacy Act) sets clear parameters for how the government uses personal information which it collects, there are a number of factors which could influence the effectiveness of the Privacy Act in the context of this initiative.
These factors include: (1) how the information will be used; (2) how it will be stored; and (3) how long it will be retained.
The government sought to alleviate community concerns with the passage of the Privacy Amendment (Public Health Contact Information) Act 2020 on 14 May 2020.
Background – international context and basis for an Australian app
Contact tracing is a well-established epidemic control measure which is used to identify, educate and monitor individuals who have had close contact with someone who is infected with a virus.
Contact tracing is not unique to the current COVID-19 pandemic, but modern location-tracking technology has enhanced the methods by which it can be implemented. South Korea and Taiwan were the earliest adopters in response to COVID-19, followed by China which made a WeChat plugin app available for use on a voluntary basis.
Singapore then introduced its TraceTogether mobile app, using Bluetooth which enables participating devices to exchange proximity information, including the duration of contact. The Singapore app stores information in an encrypted form on a person’s phone for 21 days on a rolling basis, with no location data being collected. If a person is infected by COVID-19, authorities can upload a list of anonymised IDs for the past 14 days for contact tracing.
When the Australian government announced its COVID-19 support package on 30 March 2020, it committed $30m to provide people with “practical advice” as to how to contain the virus and stay healthy. In this context, the possible use of a contact tracing app was foreshadowed.
On 16 April 2020, Prime Minister Scott Morrison announced that the Australian Signals Directorate was assessing an app which would be similar to the Singapore TraceTogether App. Mr Morrison initially indicated that use of the app would be on a voluntary basis, but the following day he indicated that he “would not entirely rule out” making it mandatory.
Experts have generally agreed that 40–50% community participation would be necessary for the initiative to be effective. Given that Singapore has reportedly achieved a take-up rate of only 25%, the Australian target for voluntary participation may be optimistic, meaning that mandatory use of the app must be regarded as a realistic possibility.
Any personal tracking app raises privacy concerns, specifically in the context of the collection, security and potential misuse of personal information.
Australians do not, however, have an inalienable right to privacy. Despite much agitation from some quarters over many years, Australia does not have a Bill of Rights which would impede the enactment of legislation perceived as being contrary to privacy or other human rights. Our superior courts have consistently rejected the concept of a common law privacy right.
Privacy is, nevertheless, a fundamental right enshrined in Article 17 of the International Covenant on Civil and Political Rights (ICCPR). Australia signed the ICCPR in 1972 and ratified it in 1980. The Convention has not been adopted directly into Australian law, but it did provide a mechanism for the enactment by the Commonwealth government of the Privacy Act, as the government was able to rely on the external affairs power in section 51(xxix) of the Constitution.
The extent to which “privacy” is recognised under Australian law at national level is, as a consequence, as set out in the Privacy Act. The Act is not, however, all-encompassing. It addresses “data protection” rather than “privacy” in a more generic sense. Like any other Commonwealth Act, it be amended or overridden by other Commonwealth legislation. Moreover, the Privacy Act expressly reserves the right of states and territories to enact their own laws relating to the collection and use of personal information.
The Commonwealth legislative process nevertheless acknowledges the significance of human rights and the importance of ensuring that new legislation strikes the right balance. Since 2012 it has been a legislative requirement that all Commonwealth bills be accompanied by a Statement of Compatibility with Human Rights, containing an assessment of whether the legislation is compatible with rights and freedoms recognised or declared by international treaties which Australia has ratified. This embraces a review of the impact on privacy, if any, of all new legislation.
Ultimately, however, the introduction of a contact tracing app need not be impeded by law – it becomes more a question of whether the use of the app infringes community privacy standards. Circling back, “community standards” tend to be informed by existing privacy (or data protection) legislation which shapes public expectations as to how their personal data will be used.
The essence of privacy and data protection law is that individuals should have the right to control the collection and use of information about themselves, subject to any overriding public interest.
Against this background, the release of a contact tracing app inevitably raised the following questions:
- Where will the information be stored? Concerns were expressed that the creation of a central database concentrated too much information in one location, thus creating unacceptable security risks. This was the same concern which derailed the introduction of the Australia Card in 1986;
- How will the information be used? The immediate purpose of collecting the personal data was obviously to facilitate contact tracing in the event that a person is diagnosed with COVID-19. Concerns were expressed, however, about the potential for ”scope-creep”, with government and law enforcement agencies being unable to resist the temptation to access the data for unanticipated, albeit defensible, purposes;
- How long will the information be retained? The longer that information is retained, the more susceptible it is to unauthorised access or to use in a historical context for purposes unconnected to the original reason for its collection;
- How long will the scheme run? Whilst there may have been broad community acceptance of the value of a contact tracing app and perhaps even the need for mandatory use – at least amongst those who possess a smartphone – this acquiescence would inevitably abate with the virus itself. Would there be justification for the government utilising the technology on an ongoing basis, whether ostensibly for the purpose of combatting future epidemics or, more insidiously, for other purposes?
Existing legislative protections – the Australian Privacy Principles
Even prior to the legislative amendments introduced on 14 May 2020, the Privacy Act provided an adequate framework within which the scheme can operate.
Provisions of particular relevance are as follows:
- Australian Privacy Principle 3 – personal information must be collected only by lawful and fair means. Given that the function of the app was well understood and was not covert, and particularly whilst the function could be activated only on an opt-in basis, this Principle would be satisfied;
- Australian Privacy Principle 5 – at or before the time of collection of their personal data, individuals must be advised, inter alia, as to the legal basis of collection and the purpose of collection. Typically, this requirement is addressed by written information when an app is downloaded;
- Australian Privacy Principle 6 – personal information may only be used in connection with the primary purpose of collection or a reasonably related secondary purpose. Assuming that the “purpose” of collection has been adequately confined by the disclosure under APP 5, APP 6 provides a buffer against the possibility of “function creep”;
- Australian Privacy Principle 8 – restrictions are imposed on the ability to disclose personal information to an overseas recipient. In the context of the COVID-19 privacy debate, concerns had been raised with the announcement that Amazon Web Services would host the data, thus potentially providing US law enforcement agencies to access to data stored on US servers;
- Australian Privacy Principle 11.1 – personal information must be protected from misuse, interference and loss, and from unauthorised access, modification and disclosure. The government was from the outset well aware that this Principle is the key to public confidence in the contact tracing app, engaging the Australian Cyber Security Centre to assist in the conduct of a Privacy Impact Assessment of the scheme as a precursor to launch;
- Australian Privacy Principle 11.2 – personal information must not be kept longer than required in connection with the original purpose of collection, unless otherwise provide by law. Compliance with this principle is contingent upon two things: (1) a suitably restrained definition of “purpose”; and (2) a realistic determination of how long the data can be useful for coronavirus contact tracing following collection.
Legislation underpinning the rollout
The Determination was made on 25 April 2020 pursuant to an earlier declaration, the Biosecurity (Human Biosecurity Emergency)(Human Coronavirus with Pandemic Potential) Declaration (“Biosecurity Declaration”), which was made on 18 March under section 475 of the Biosecurity Act 2015.
The Biosecurity Declaration created a 3-month “human biosecurity emergency period”, during which the Health Minister may determine emergency requirements. It was on this basis that the Determination was issued, with the effect of overriding any inconsistent provisions in other Commonwealth legislation.
On 5 May 2020, the government released draft legislation which, after a short period of public consultation and political negotiation, was introduced as the Privacy Amendment (Public Health Contact Information) Bill 2020 on 12 May 2020, and passed on 14 May. The legislation amends the Privacy Act and replaces the Determination and, apart from anything else, provided some measure of reassurance to those who felt uneasy about a legislative instrument, in the form of the Determination, which could be changed at the whim of a Minister.
The legislation: Privacy Amendment (Public Health Contact Information) Act 2020 (“the Amendment Act“)
The Amendment Act introduced a series of new definitions into section 6 of the Privacy Act, together with a new Part VIIIA (Public health contact information). The object of the amendments, as summarised in s 94B, is to encourage public uptake of COVIDSafe to enable faster and more effective contact tracing and thereby “to assist in preventing and controlling the entry, emergence, establishment or spread of the coronavirus known as COVID‑19 into Australia”.
Collection and use of COVID-19 app data
The new subsection 94D(1) of the Privacy Act, introduced by the Amendment Act, sets out a general prohibition on collecting, using or disclosing COVID app data unless the collection or disclosure is expressly permitted by the section.
Subsection 94D(2) sets out permissible collections, uses and disclosures of COVID app data, articulating how and in what circumstances COVID app data may be used by State or Territory health authorities, the data store administrator and law enforcement and regulatory bodies. In the latter regard, subsection 94D(2)(e) emphasises that “law enforcement” is restricted to investigation and prosecution of breaches of the restrictions imposed by Part VIIIA.
Uploading without consent
The new section 94E provides an offence for uploading COVID app data from a COVID app user’s communication device to the National COVIDSafe Data Store without the consent of the COVIDSafe user. As stated in the Explanatory Memorandum, “section 94E prevents any person from compelling another person to upload their data to the Data Store under any circumstance”.
Retention within Australia
Section 94F contains two offences which restrict COVID app data held in the National COVIDSafe Data Store from being transmitted overseas. Subsection 94F(1) prohibits the retention of COVID app data on a database outside Australia; and subsection 94F(2) prohibits the disclosure to any person outside Australia.
Under section 94G, it is an offence to decrypt COVID app data. The Explanatory Memorandum emphasises that by virtue of section 94ZD, no powers in law enforcement or intelligence related legislation can override this prohibition.
The effect of section 94H is that no person can require, coerce, or otherwise oblige (directly or indirectly) any other person to install or have COVIDSafe operating on their communication device, or to upload COVIDSafe data from a communication device to the National COVIDSafe Data Store. This prohibition is underpinned by a maximum penalty of five years’ imprisonment.
Subsection 94H(2) elaborates that circumstances which might constitute a breach of the prohibition include the following:
- refusing to enter into, or continue, a contract or arrangement with another person;
- taking “adverse action” (within the meaning of the Fair Work Act 2009) against another person;
- refusing to allow another person to enter either premises that are otherwise accessible to the public, or premises that the other person has a right to enter;
- refusing to allow another person to participate in an activity;
- refusing to receive goods or services from another person; and
- refusing to provide goods or services to another person.
Put another way, it is an offence to make any of the above activities conditional upon downloading the COVIDSafe app.
Other specific obligations
Division 3 of Part VIIIA sets out “other obligations relating to COVID app data and COVIDSafe”. These include:
- COVID app data will only be retained on a user’s communication device for a period of 21 days: section 94K;
- a user may request that the data store administrator delete any registration data of the user that has been uploaded from the user’s communication device to the National COVIDSafe Data Store: section 94L; and
- COVID app data received in error must be deleted: section 94M.
Expansion of existing protections
Division 4 of Part VIIIA clarifies and expands existing provisions of the Privacy Act, consistent with the focus of Part VIIIA. These include:
- COVID app data is deemed to be “personal information” for the purposes of section 6 (Definitions): section 94Q;
- a breach of Part VIIIA is deemed to be an interference with the privacy of that individual for the purposes of section 13: section 94R;
- mandatory data breach notification requirements set out in Part IIIC of the Act are extended to breaches involving COVID app data: section 94S; and
- the Commissioner’s assessment power under section 33C is extended to assessments of whether the acts or practices of an entity comply with the requirements of Part VIIIA.
State and Territory authorities
The new Part VIIIA enables various forms of interaction and cooperation between the federal Privacy Commissioner and the State and Territory privacy and health authorities.
In order to reduce the administrative burden on the federal Privacy Commissioner, section 94V allows the Commissioner to transfer a complaint made under section 36 of the Privacy Act about a potential breach of a requirement in Part VIIIA to a State or Territory privacy authority.
Subsection 94W(1) allows the Commissioner to share information or documents with a State or Territory privacy authority for purposes relevant to the operation of Part VIIIA or for the purpose of enabling a State or Territory privacy authority to exercise its powers, or perform its functions or duties.
Section 94X extends the operation of the Privacy Act, with some exceptions, to State and Territory health authorities as if they were “organisations” (that is, Commonwealth government agencies) for the purposes of the Privacy Act. This means in turn that State and Territory health authorities, which would normally be subject only to State or Territory data protection legislation (where it exists), must now comply with the Privacy Act in their handing of COVID app data.
Section 94Y provides that use of the COVIDSafe app concludes when the Health Minister determines that the app is no longer required, or is no longer likely to be effective, in preventing or controlling “the entry, emergence, establishment or spread of the coronavirus known as COVID-19 into Australia or any part of Australia”.
Overall, the response of the legal community to the legislation has been positive, although some lingering issues continue to surface.
Prior to the launch, there had been calls for the scheme to be accompanied by a “sunset clause”, meaning that rollout and use of the app would not continue beyond a specified date, at least not without further review of the initiative. Six months had been suggested as an appropriate initial term. Critics remain concerned about the imprecision of section 94Y in this regard.
Concerns have also been expressed about the ability of US law enforcement agencies to access information stored on US servers pursuant to the USA Patriot Act of 2001 and, more recently, the US CLOUD Act. In this regard, the concern arises from the fact that Amazon Web Services will host the data. The fact that the data will be hosted in Australia provides insufficient comfort to some, although the threat is probably more illusory than real – APP 6.2(b) permits the disclosure of personal information under an “Australian law”, but does not expressly authorise disclosure pursuant to a foreign law in circumstances where the data storage is otherwise subject to Australian law. In other words, it would be a beach of the Privacy Act to disclose personal data to US authorities pursuant to the Patriot Act or the CLOUD Act.
One other lingering concern, which appears to have been put to rest by the Amendment Act, relates to the prospect of law enforcement agencies accessing data pursuant to a mandatory industry assistance scheme introduced by amendments to the Telecommunications (Assistance and Access) Act 1979 in December 2018. This loophole appears to have been adequately addressed by the new section 94ZD which “cancels the effect of any Australian law…that, but for this section, would have the effect of permitting …conduct… that would otherwise be prohibited under this Part”. As stated in the Explanatory Memorandum, “powers in the enabling legislation of law enforcement or other regulatory bodies which would otherwise allow for the collection, use or disclosure of COVID app data prohibited by Part VIIIA will be overridden to the extent of the inconsistency”.
Dr Gordon Hughes AM discusses these issues further in a 20-minute video recorded on 1 May 2020 (which counts towards substantive law CPD requirements for Australian lawyers).
The article was originally published on Monday, 27 April 2020. The content was last updated on Monday, 18 May 2020.