Digital ID and Privacy: Tackling data collection and retention risks with emerging technologies
In May 2024, Australia introduced a new Digital ID Act implementing a system for enabling Government and private sector services to verify an individual's identity against existing government documents with no collection or retention of personal information by those service providers. In the same legislation, the Australian Government is also implementing long-awaited data privacy reforms.
The future of Digital ID in Australia is now certain after agreement was reached in the Australian Senate on the final amendments to the Digital ID Bill 2023 (Cth) (Digital ID Bill) on 27 March 2024, paving the way for the House of Representatives to pass the bill on 16 May 2024 (Digital ID Act). The Digital ID Act contains several privacy-enhancing measures that align with, or go further than, the ongoing reforms to the Privacy Act 1988 (Cth) (Privacy Act).
The Australian Government's existing Digital ID system – myGovID – enables access to more than 130 government services, but the private sector is currently excluded from using this system to verify its customers. This is all about to change with the phased expansion of this system to include State, Territory, and private sector entities that opt in, which enables individuals to choose their own accredited identity service provider when accessing services connected to the system (also referred to as the 'interoperability obligations').
Whether you are investing in or selling equity in Australian start-ups, SMEs, or established businesses that collect, use, and store information to verify customer identities, you should be keenly aware of technological innovations aimed at reducing the flow of regulated information in and out of a business.
Why invest in Digital ID?
The retention of personal and sensitive information is an emerging risk to the value and governance of a business. Private health insurance providers, telecommunications providers, banks, and service providers in other heavily regulated sectors may be required to collect information to verify an individual's identity before providing services. This can create future risks where that information is retained and then accessed or disclosed without authorisation in a data breach.
Digital ID is a technological innovation for verifying an individual's identity that reduces the volume of personal and sensitive information collected, used, and stored by organisations. A digital ID for an individual is a distinct representation of the individual that enables the individual to be sufficiently distinguished when interacting with services online. This is not a new form of identification like a driver's licence or passport, but rather an online system for verifying an individual's identity against existing government documents without the exchange of physical copies or information from those documents. This enables businesses to reduce the risk of unauthorised access or disclosure in the event of data breaches, scams, and cybercrime, as well as achieve operational efficiencies in reducing the flow of regulated information in and out of the business.
Interaction with the Privacy Act
For investors interested in the ongoing reforms to the Privacy Act, it is unsurprising that the Digital ID Act interacts with several proposals that were agreed or agreed-in-principle in the Australian Government response to the Privacy Act Review Report 2022 (Privacy Act Review Report). There are also privacy-enhancing mechanisms introduced in the Act that go beyond the current requirements of the Privacy Act. We cover the key reforms below.
1. Attributes and the definition of personal information
The definition of "personal information" has been extended by the Digital ID Act to include "attributes".
An "attribute" of an individual is defined as information that is associated with the individual and includes information that is derived from another attribute. This is contrasted with the definition of "personal information" in the Privacy Act, which requires that the individual is identified or reasonably identifiable and that the information is about an identified or reasonably identifiable individual.
The ordinary meaning of "association" is "to connect by some relation". This extension of the definition aligns with the proposal that was approved in principle in the Privacy Act Review Report to change 'about' to 'relates to' in the definition of personal information, in order to capture a broader range of an individual's information. This is illustrated by the non-exhaustive list provided in the Digital ID Act, capturing a range of information that would otherwise be included as personal and sensitive information, including an individual's current and former name, address, and date of birth, and an individual's biometric information.
Previously, the operative word "identifiable" or "reasonably identifiable" in the definition of personal information placed a boundary on information where the individual is unidentified or de-identified. The definition of attribute in the Digital ID Act has no such boundary.
This means that the amount of information that will be regulated for accredited Digital ID providers under the Digital ID Act is broader than information otherwise captured by the Privacy Act, but users of an accredited Digital ID provider's service will interact with far less regulated information than if the organisation undertook to verify an individual's identity on its own.
2. Biometric information
The definition of "biometric information" in the Digital ID Act means information about any measurable biological characteristic relating to an individual that could be used to identify the individual or verify the individual’s identity and includes biometric templates. Biometric information will cover features of a person's face, fingerprints, iris, palm, signature, or voice.
[Note: Biometric templates are by-products of biometric verification and identification technologies that are "created and stored when [biometric] information is 'enrolled' into a biometric system". Biometric templates can be distinguished from verifiable credentials under the Act, which are tamper-evident credentials whose authorship can be cryptographically verified.]
The definition and treatment of biometric information in the Digital ID Act is more specific and restrictive than its treatment in the Privacy Act.
In the Privacy Act, biometric information is captured as a type of sensitive personal information based on the purpose of its use in the context of automated biometric verification and biometric identification, with biometric templates included as a separate type of sensitive information. Hence, the Privacy Act definition only brings biometric information into the definition of sensitive information should it be translated into biometric data and used for some automated process. Otherwise, it would likely be treated as personal information. This meant a digital photograph of an individual would not be sensitive information unless it was used in an automated process for verification or identification (a limitation which was flagged in the Privacy Act Review Report).
It was agreed in the Government Response to the Privacy Act Review Report that enhanced risk assessment requirements identified for facial recognition technology and biometric information should be coordinated with the Digital ID agenda, as well as the National Strategy for Identity Resilience. Those enhanced requirements have clearly flowed through into the Digital ID Act.
The Digital ID Act introduces enhanced restrictions on how biometric information is used. Accredited entities may collect, use, or disclose biometric information only where doing so is authorised or, where it is not authorised, where the individual expressly consents to it.
There are general rules for how an accredited entity obtains this authorisation, but a major protection is to prevent the use of biometric information for identification purposes. A general prohibition is placed on accredited entities from collecting, using, or disclosing biometric information for one-to-many matching, which is defined as the process of comparing a kind of biometric information of an individual against that kind of biometric information of individuals generally to identify the particular individual. An example of identification in this context is using facial matching services or facilities to compare a facial image against a gallery of other images to identify an unknown person.
The exclusion of identification is also confirmed by the objects of the Digital ID Act, which aims to promote privacy and the security of personal information used to verify the identity or attributes of individuals.
3. Express consent
Express consent from individuals features prominently throughout the Digital ID Act.
Express consent from the individual is required to reactivate a deactivated Digital ID, disclose certain attributes and restricted attributes, and collect, use, disclose and destroy biometric information.
The current consent requirements under the Privacy Act cover both implied and express consent. The Privacy Act Review Report proposal for amending the definition of consent takes the Information Commissioner's understanding of consent established in the Clearview AI determination, which outlined the "four elements of consent" that were included in the Privacy Act Review Report proposal and added that "[e]xpress consent is given explicitly, either orally or in writing". That proposal has now flowed through to the Digital ID Act.
4. Trusted Digital Identity Framework (TDIF)
The TDIF is an accreditation system that regulates which entities can become Digital ID service providers. The types of roles that can be accredited include identity providers, identity exchanges, attribute providers, and credential providers.
The pathway for private sector providers to obtain this accreditation requires a commitment to a higher level of privacy protection than is currently expected under the Privacy Act, which requires only Government agencies to conduct privacy impact assessments (PIAs).
Accreditation of a Digital ID service provider and its authorised activities can be conditional on a PIA and we expect this will likely be a requirement for activities involving high risks to the privacy of individuals.
The TDIF reforms indicate the Government expects a high degree of privacy risk management for providers looking to enter the Digital ID system and will impose a system of rules (Accreditation Rules) on accredited entities.
5. Notifiable data breaches extended
The notifiable data breaches scheme under the Digital ID Act is the same as for APP entities under Part IIIC of the Privacy Act. However, the Digital ID Act contemplates that accredited entities could also include non-APP entities.
Where the non-APP accredited entity does not need to comply with an equivalent notifiable data breach scheme at the State or Territory level, then the Digital ID Act imposes those Part IIIC Privacy Act obligations on the non-APP accredited entity.
The Privacy Act Review considered the notifiable data breaches scheme and mostly contemplated an improvement in the timing for notifying the Information Commissioner and affected individuals about the data breach and that the entity takes reasonable steps to respond to the data breach, including reducing the harm to individuals. Given that most Australians consider data breaches to be one of their biggest privacy risks, the imposition of Part IIIC of the Privacy Act on non-APP accredited entities under the Digital ID system will provide greater confidence that any data breach will be notifiable.
6. Discrimination and bias
The Digital ID Act expressly requires accredited entities to take reasonable steps to continuously improve their biometric systems to ensure such systems do not selectively disadvantage or discriminate against any group. This requirement will form part of the Accreditation Rules.
Currently, the Privacy Act does not contemplate the effects of discrimination and bias on individuals alongside interferences with their privacy; those effects are instead considered under anti-discrimination legislation.
Continuous improvement of Digital ID systems to avoid selective disadvantage or discrimination addresses key risks of biometric systems beyond privacy risks.
7. Tracking, marketing, and advertising
The Digital ID Act places strict prohibitions on accredited entities using or disclosing personal information for direct marketing – including on-selling to third parties for the same purpose – and marketing research. Similarly, accredited entities are also prohibited from data profiling using personal information, including with unidentifiable information on the Digital ID service that was accessed, the means of access, the method of access, and the date and time the identity was verified.
These additional prohibitions align with the Privacy Act Review's attempt to grapple with these emerging privacy risks, including the technological improvements for consolidating high volumes of consumer data to create complex understandings of a user's preferences or broader consumer or psychological profile.
Currently, only direct marketing is expressly contemplated in the Australian Privacy Principles at APP 7 but remains undefined in the Privacy Act. The Government response to the Privacy Act Review agreed in principle to expressly define direct marketing, targeted advertising, targeting and trading, alongside several additional protections for individuals related to these emerging technologies.
The Minister for Finance, Senator Katy Gallagher, in a Second Reading Speech explained that these additional protections on direct marketing, targeting, and profiling in the Digital ID Act aim to address the risk of commercialisation and misuse of an individual's Digital ID. This highlights the expectation that accredited entities within the Digital ID system will manage privacy risks over and above what is expected by APP entities under the Privacy Act.
8. Retention and destruction
The Digital ID Act expressly contemplates record keeping or retention periods for current and former entities in the Digital ID system. The retention periods are subject to civil penalties under the Act, and the Digital ID Rules may only prescribe a 7-year retention period for those records. Accredited entities must destroy or de-identify personal information obtained through the Digital ID system if they are not required to retain it for other lawful reasons.
The Digital ID Act also sets out additional requirements for destroying information, including destroying biometric information used for verifying an individual's identity or for testing or preventing digital ID fraud, and destroying certain unsolicited attributes. Destruction is required in specified circumstances: once the authentication of an individual's digital ID has completed, where an individual withdraws express consent to the collection of biometric information, and after the entity completes testing on biometric information.
These requirements align with the Australian Privacy Principles under APP 11.2, but the Digital ID Act provides additional circumstances that are not expressly contemplated under the Privacy Act.
Data retention is a critical issue for addressing data breaches. The Government response to the Privacy Act Review agreed in principle that a review of all legislated retention periods for personal information under Commonwealth laws should take place, and that APP entities should properly create and communicate retention periods to individuals, being further reforms which may follow.
Where to from here?
The Digital ID system is a novel technological innovation that seeks to fulfil the Government's agenda of limiting the amount of information retained across the economy in the inevitable event of a data breach.
The Digital ID Act is set to commence in November 2024 and a review of the Digital ID Act is required to be undertaken in November 2026. This will provide organisations with enough time to consider and test whether and how to adopt this new technology and limit the amount of regulated information entering and being stored in their IT systems.