Digital Identity Bill introduced to Parliament

Tell me in one minute

On 30 November 2023, the federal government introduced the Digital ID Bill 2023 (Bill) to Parliament. The government has acted quickly on this Bill, readying the Exposure Draft for introduction within a month from the end of the consultation period.

While a few minor amendments have been made in response to the consultation with industry, the Bill is substantially similar to the Exposure Draft published on 20 September 2023. Most material changes relate to the administration of the Act rather than to substantive requirements or obligations imposed on entities. Of note are the considerable increases to the civil penalties under the Bill, which increased fivefold from the penalties proposed in the Exposure Draft. Importantly, the Bill does not provide any more detail on how the phased rollout of the scheme will operate, meaning that secondary legislation will be required before reciprocal use of digital identity in the private and government sectors is enabled.

The Digital ID Bill has been referred to the Senate Economics Legislation Committee, which is due to provide a report on 28 February 2024. The Committee is accepting submissions from the public until 19 January 2024. Given Parliament has now risen for the year, we do not expect any further updates on the Digital ID Bill this year. However, the Bill may be debated once parliamentary sitting resumes on 6 February 2024.

Quick recap: what did the Exposure Draft propose?

In September 2023, the government published draft legislation to:

  • legislate a voluntary accreditation scheme for digital identity service providers
  • expand the existing Australian Government Digital ID System (AGDIS) through a phased roll-out of an economy-wide digital identity system.

We discussed the concept of digital identity, the Exposure Draft and each phase of the proposed roll-out in detail in this previous insight. After publishing the draft legislation, the Government invited submissions from the public in a 3-week consultation.

What material changes have been made to the Exposure Draft?

  • Substantial increase to penalties: The penalty for each civil penalty provision has been increased fivefold. This means that the penalty for most contraventions under the Bill has increased from 300 penalty units (currently $93,900) to 1,500 penalty units (currently $469,500). This includes penalties for a breach of:
    • the rules on collection, use, disclosure and destruction of biometric information
    • data localisation requirements
    • the prohibitions on data profiling to track online behaviour, using or disclosing information for marketing purposes, and retaining certain attributes post-authentication.

Penalties for breach of lower-level penalty provisions, such as using a Digital ID trustmark without authority, or failing to follow a direction given by the Digital ID Regulator, keep appropriate records, or destroy or de-identify held information, have increased from 200 penalty units (currently $62,600) to 1,000 penalty units (currently $313,000).

A new penalty prohibition has also been added to the Bill, which prohibits an entity from holding out that it is accredited or that it holds an approval to participate in the AGDIS. Breach of these provisions will result in a civil penalty of 1,500 penalty units (currently $469,500).

The increase to civil penalties is significant, especially given that under the Regulatory Powers (Standard Provisions) Act 2014 (Cth), bodies corporate may be fined up to five times more than the penalty specified in an Act. This means that a body corporate may be fined up to $1,565,000 for each of the lower-level penalties under the Bill, and up to $2,347,500 for the more serious penalties. 

  • Clarity on functions of the digital identity regulator: The Exposure Draft provided that the Australian Competition and Consumer Commission (ACCC) was to be appointed as the new Digital ID regulator (Regulator). The Bill confirms this appointment, and inserts a section setting out the functions of the Digital ID Regulator, which include to:
    • promote compliance with the Act
    • make available guidance information about how it will carry out its functions or exercise its powers under the Act
    • advise and share information with the Minister, the Information Commissioner, the System Administrator and the Digital ID Data Standards Chair
    • consult with various bodies such as the Australian Securities and Investments Commission (ASIC), the Australian Prudential Regulation Authority (APRA), the Australian Financial Complaints Authority (AFCA) and the Australian Cyber Security Centre (ACSC).

The section also includes a catch-all provision that enables other functions to be conferred upon the Regulator, and for the Regulator to do anything incidental or conducive to performing the above functions.

  • Introduction of Services Australia as System Administrator: The Bill introduces the new concept of ‘System Administrator’ and provides that the Chief Executive Officer of Services Australia will take on this role for the AGDIS. This appointment is unsurprising, given Services Australia was one of two entities providing the existing, non-legislated AGDIS (the other being the Australian Taxation Office). The functions of the System Administrator include to:
    • assist entities participating in the AGDIS, including to connect to, and deal with incidents involving, the system
    • facilitate and monitor the use of the AGDIS for testing purposes
    • monitor and manage the availability of the AGDIS
    • identify and manage operational risks relating to the performance and integrity of the AGDIS
    • manage digital identity fraud incidents and cyber security incidents involving entities participating in the AGDIS
    • perform similar advisory, reporting, and information sharing roles to the Regulator.
  • Entities may apply for multiple accreditations: During the consultation process, industry raised concerns that the wording of the Exposure Draft seemed to limit entities to applying for accreditation as one type of provider. This would mean that an entity applying to be an accredited attribute service provider could not, for example, also apply to be an attribute service provider. This has been amended under the Bill so it is clear that an entity may apply for more than one type of accreditation.

  • Privacy safeguards only apply to accredited services: The privacy safeguards in Chapter 3 of the Bill only apply to the extent that the entity is providing accredited services. This wording has been tightened from the Exposure Draft, which applied the privacy safeguards to an entity in its provision of the accredited services, as well as actions that are incidental or ancillary to the provision of those services. Industry raised concerns that this broader wording had the potential to cause unintended negative consequences, such as capturing existing practices and services that such entities already offer (and that are regulated by other laws) and applying the privacy safeguards to such practices.

  • Accreditation not to be suspended for cyber security incident attempts unless there is an unacceptable risk: Previously, accreditation could be suspended for a cyber security incident attempt. However, during consultation, industry commented that entities and government agencies are routinely subject to ‘attempts’, which are successfully prevented. Accordingly, allowing accreditation to be suspended for cyber security incident attempts may overburden regulators and participants, who may be subject to unnecessary notification requirements where there has been no actual breach. The wording has since been amended so that an entity’s accreditation cannot be suspended unless the Regulator is satisfied that the relevant cyber security attempts involve an unacceptable risk to the provision of the entity’s accredited services.

Perhaps more notably, what has not changed?

  • No further information on the phased rollout: Neither the Bill nor its Second Reading Speech provides any further indication of how the government intends to roll out Phases 3 and 4 of the framework, which enable use of government digital identity in private sector services, and use of private sector digital identity in some government services. Rather, the Bill simply retains the existing provisions from the Exposure Draft that enable the Minister to determine the entities that may apply to participate in the AGDIS. This means that secondary legislation will be required before there is reciprocal use of digital identity in the private and government sectors.

  • No changes to data localisation requirements: Concerns were raised during public consultation that the requirement to hold, store or handle information generated or collected in relation to the AGDIS in Australia would prevent accredited entities from procuring the services of cloud service providers that are located offshore, despite the strong data and cyber security protocols of such providers. However, no changes have been made to allow holding of information outside of Australia.

  • No changes to exemptions for interoperability: The Exposure Draft provided that the Digital ID Rules may include requirements relating to interoperability and that an entity can apply to the Minister for an exemption to the interoperability obligation. The Minister may grant an exemption from the interoperability requirement under a range of circumstances, including where the Minister is satisfied that it is necessary to limit access to some government services to a government-issued Digital ID. During consultation, industry noted that, to ensure consumer and citizen choice, there needs to be clear grounds on when interoperability should not be required. For instance, the legislation should be clearer about where it may be necessary to limit access to government services to a government-issued Digital ID. However, the interoperability provision of the Bill has not been amended from the Exposure Draft.

What do we think about the Bill?

In order for the Digital ID system to be successful, consumers must understand what the system is, how it can be used and how the phased rollout is being implemented. The government should ensure that there is clear messaging on these topics, so that consumers are equipped with the information that they need to benefit from the system. Digital literacy campaigns will also play an important role in ensuring that consumers are clear on how to protect their personal data and digital identity information, and how to assess and consider the right provider for them.

As we previously noted, the benefits of a digital identity regime may not begin to be realised in the broader economy until digital identity may be used reciprocally between the private and government sectors. Accordingly, it is disappointing that the Bill does not provide further detail on how this will be implemented, or an indication of timing. Clarity around the timing of each phase is essential in enabling a competitive, level playing field where private Digital IDs can compete with government Digital IDs.

Without detail about the timing or duration of each phase, private sector entities who are interested in participating in the scheme have little ability to plan for the development of their product and little incentive to make relevant investments. This may impact the range of providers who are prepared to enter the market when we arrive at the latter phases of the scheme, and, in turn, the choice of providers available to consumers.