Parliament Passes COVIDSafe Privacy Legislation: Does it Stack Up?

On 26 April 2020, the Australian Government launched COVIDSafe, a contact tracing app. The launch was initially greeted with caution by privacy advocates but the Privacy Amendment (Public Health Contact Information) Act 2020 (Cth) is likely to allay many of those concerns.

This article builds on the background and the key privacy issues which were addressed in the earlier article, ‘Should You Download COVIDSafe? Consider These Privacy Concerns First’, published on 4 May 2020. In this article, the author summarises the key provisions of the Amendment Act.

Background on COVIDSafe 

The launch of COVIDSafe on 26 April 2020 was accompanied by the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements – Public Health Contact Information) Determination 2020 (the Determination), together with a COVIDSafe Privacy Policy.  

The Determination was made on 25 April 2020, pursuant to the earlier Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) Declaration 2020 of 18 March, under s 475 of the Biosecurity Act 2015 (Cth). A determination of this nature overrides inconsistent provisions in other Commonwealth legislation. 

On 5 May 2020, the Federal Government released draft legislation which, after a short period of consultation, was introduced into the House of Representatives as the Privacy Amendment (Public Health Contact Information) Bill 2020 (Cth) on 12 May 2020 and passed both Houses of Parliament on 14 May. The Privacy Amendment (Public Health Contact Information) Act 2020 (Cth) (Act 44 of 2020) received assent on 15 May 2020. The legislation amended the Privacy Act 2007 (Cth) and replaced the Determination.

New COVIDSafe legislation

Overview

The Act introduces a series of new definitions into s 6 of the Privacy Act, together with a new Pt VIIIA (Public health contact information). The object of the amendments, as summarised in s 94B, is to encourage public uptake of COVIDSafe to enable faster and more effective contact tracing and thereby “to assist in preventing and controlling the entry, emergence, establishment or spread of the coronavirus known as COVID‑19 into Australia”.

Collection and use of COVID-19 app data

The newly inserted subs 94D(1) of the Privacy Act sets out a general prohibition on collecting, using or disclosing COVID app data unless the collection or disclosure is expressly permitted by the section.

Subsection 94D(2) sets out permissible collections, uses and disclosures of COVID app data, articulating how and in what circumstances COVID app data may be used by State or Territory health authorities, the data store administrator and law enforcement and regulatory bodies. In the latter regard, subs 94D(2)(e) emphasises that “law enforcement” is restricted to investigation and prosecution of breaches of the restrictions imposed by Pt VIIIA.

Uploading without consent

The newly inserted s 94E provides an offence for uploading COVID app data from a COVID app user’s communication device to the National COVIDSafe Data Store without the consent of the COVIDSafe user. As stated in the Explanatory Memorandum, s “94E prevents any person from compelling another person to upload their data to the Data Store under any circumstance”. 

Retention within Australia

Section 94F contains two offences which restrict COVID app data held in the National COVIDSafe Data Store from being transmitted overseas. Subsection 94F(1) prohibits the retention of COVID app data on a database outside Australia and subs 94F(2) prohibits the disclosure to any person outside Australia.

Decryption

Under s 94G, it is an offence to decrypt COVID app data. The Explanatory Memorandum emphasises that by virtue of s 94ZD, no powers in law enforcement or intelligence related legislation can override this prohibition.

Voluntary participation

The effect of s 94H is that no person can require, coerce, or otherwise oblige (directly or indirectly) any other person to install or have COVIDSafe operating on their communication device, or to upload COVIDSafe data from a communication device to the National COVIDSafe Data Store. This prohibition is underpinned by a maximum penalty of five years’ imprisonment.

Subsection 94H(2) elaborates that circumstances which might constitute a breach of the prohibition include the following:

  • refusing to enter into, or continue, a contract or arrangement with another person;
  • taking “adverse action” (within the meaning of the Fair Work Act 2009 (Cth)) against another person;
  • refusing to allow another person to enter either premises that are otherwise accessible to the public, or premises that the other person has a right to enter;
  • refusing to allow another person to participate in an activity;
  • refusing to receive goods or services from another person; and
  • refusing to provide goods or services to another person.

Put another way, it is an offence to make any of the above activities conditional upon downloading the COVIDSafe app.

Other specific obligations

Division 3 of Pt VIIIA sets out “[o]ther obligations relating to COVID app data and COVIDSafe”. These include:

  • COVID app data will only be retained on a user’s communication device for a period of 21 days (s 94K);
  • a user may request that the data store administrator delete any registration data of the user that has been uploaded from the user’s communication device to the National COVIDSafe Data Store (s 94L); and
  • COVID app data received in error must be deleted (s 94M).

Expansion of existing protections

Division 4 of Pt VIIIA clarifies and expands existing provisions of the Privacy Act, consistent with the focus of Part VIIIA. These include:

  • COVID app data is deemed to be “personal information” for the purposes of s 6 (Definitions) (s 94Q);
  • a breach of Pt VIIIA is deemed to be an interference with the privacy of that individual for the purposes of s 13 (s 94R);
  • mandatory data breach notification requirements set out in Pt IIIC of the Act are extended to breaches involving COVIDSafe data (s 94S); and
  • the Commissioner’s assessment power under section 33C is extended to assessments of whether the acts or practices of an entity comply with the requirements of Pt VIIIA.

State and Territory authorities

The new Pt VIIIA enables various forms of interaction and cooperation between the federal Privacy Commissioner and the State and Territory privacy and health authorities.

In order to reduce the administrative burden on the federal Privacy Commissioner, s 94V allows the Commissioner to transfer a complaint made under s 36 of the Privacy Act about a potential breach of a requirement in Pt VIIIA to a State or Territory privacy authority.

Subsection 94W(1) allows the Commissioner to share information or documents with a State or Territory privacy authority for purposes relevant to the operation of Pt VIIIA or for the purpose of enabling a State or Territory privacy authority to exercise its powers, or perform its functions or duties.

Section 94X extends the operation of the Privacy Act, with some exceptions, to State and Territory health authorities as if they were “organisations” (that is, Commonwealth government agencies) for the purposes of the Privacy Act. This means, in turn, that State and Territory health authorities, which would normally be subject only to State or Territory data protection legislation (where it exists), must now comply with the Privacy Act in their handling of COVID app data.

Duration

Section 94Y provides that use of the COVIDSafe app concludes when the Health Minister determines that the app is no longer required, or is no longer likely to be effective, in preventing or controlling “the entry, emergence, establishment or spread of the coronavirus known as COVID-19 into Australia or any part of Australia”.

Does the legislation address most privacy concerns?

The legislation largely addresses the privacy concerns which were widely raised prior to launch. The purpose of collection and the scope of use is clearly and restrictively articulated; offshoring of data storage is prohibited; coercion of the public or employees to download the app is not permitted; security is mandated, and a limited operative period is foreshadowed.

However, this may not be sufficient to convince some. To read more on the four main privacy concerns, refer to my first Legal Insight article on COVIDSafe.

Dr Gordon Hughes AM is a principal lawyer at Davies Collison Cave Law, Melbourne. He is the author of the Thomson Reuters online service Trade Secrets & Privacy and co-author of the texts Data Protection in Australia and Private Life in a Digital World.  A former president of the Law Council of Australia, Dr Hughes has practised in the area of privacy, technology and intellectual property law for over 30 years. 
