Last night the Australian government released an exposure draft of the Privacy Amendment (Public Health Contact Information) Bill 2020 (‘the COVIDSafe Bill’) as a first step towards parliamentary legislation to provide privacy protections for the COVIDSafe contact tracing app, which the government released just over a week ago.
The COVIDSafe Bill includes some significant improvements on the protections offered by the Health Minister’s Determination released alongside the COVIDSafe app, but it still falls short on substantial issues.
The Bill fails to limit the collection and use of personal data as originally promised; the protections do not apply to all relevant data; and it does not close remaining loopholes in the rules against coercion. The government has also failed to provide transparency on some key matters.
The government has indicated that, although 4.5 million people have downloaded the app to date, millions more will need to download the app for effective coverage. The Bill will need to be improved to gain the trust of those potential users.
This article briefly explains the improvements, the remaining deficiencies and why it’s time to put the “Google knows everything about you anyway” argument out to pasture.
Improvements: individual remedies, consent to upload and Privacy Commissioners
The COVIDSafe Bill includes a number of amendments to the privacy protections originally set out in the Health Minister’s Determination, which the legislation is intended to replace. If passed, the Bill will amend the federal Privacy Act to this effect.
Importantly, the Bill adds a mechanism for individuals to take some enforcement action on their own behalf if the privacy protections are breached. It does this by making a breach of those protections an “interference with privacy” under the Privacy Act. This would allow a user to make a complaint to the federal privacy commissioner, and obtain compensation and other remedies that the Act provides.
We recommended last week that at least this method of individual recourse should be included in the Bill, so that individuals would not need to depend on the government deciding to bring criminal proceedings for any contravention.
Another significant improvement in the Bill concerns the consent necessary to upload a user’s list of contacts to the central data store if the user tests positive for COVID-19. Under the Determination, anyone with possession or control of a person’s mobile phone can consent to this upload. The Bill, however, bolsters protection by requiring consent to come from the person who registered as the COVIDSafe user on that device.
This Commonwealth law has been made applicable to state and territory health officials, so as to cover ‘downstream’ uses of data generated by the app. Commonwealth, State and Territory Privacy Commissioners all now have more of a role in ensuring that protections are effective. It would be simple to require them to act collectively as a National Privacy Council to advise both government and the public on the app’s use and effectiveness.
Misstatements about data collected: not 1.5 metres, not 15 minutes
A critical deficiency in the COVIDSafe Bill is that it continues the Determination’s failure to appropriately minimise the personal data that is collected by the COVIDSafe app and decrypted at the central data store.
This contradicts the government’s promotion of the app as one that only collects data about other users who come within 1.5 metres for at least 15 minutes.
Just before the app’s release, Government Services Minister Stuart Robert repeatedly stated that the app would only collect data within those parameters. He also stated that when a user tests positive the app would allow the user to consent to the upload of only those contacts that came within 1.5 metres for at least 15 minutes.
Neither of those statements is true. Although this understanding of the app’s data collection was widely reported in the media, the government has not taken steps to admit and correct these misstatements.
According to the Privacy Impact Assessment conducted by Maddocks law firm, the app in fact collects, and (with consent of a user who tests positive) uploads to the central data store, data about all other users who came within Bluetooth signal range even for a minute within the last 21 days. All these contacts are connected with their personal data at the central data store.
While the Department of Health responded to Maddocks’ recommendations to appropriately limit the collection of personal data by saying it would prevent state and territory health authorities from accessing contacts other than those that came within 1.5 metres for at least 15 minutes, the Bill includes no such restriction.
According to the Bill, the state and territory health authorities may include in their contact tracing activities any user who was within “the proximity” of the infected user within the previous 21 days. It contains no limit on the distance or duration of that “proximity”.
Overly narrow definition of protected data
The protections in the Bill only apply to certain data and the definition of that data does not capture critical personal data created and used in the process of COVIDSafe contact tracing.
“COVID app data” is defined as data collected or generated through the operation of the app which has been stored on a mobile phone or device. This would capture the encrypted contacts stored on a user’s phone.
However, if the user tests positive and uploads those encrypted contacts to the national data store, the decrypted records of their contacts over the last 21 days do not clearly fall within that definition. The decrypted records are not collected or generated through the operation of the app or stored on the mobile phone. Nor does the definition clearly cover data that state and territory health officers transform from that data.
The legislation will need to redefine COVID app data to expressly include data transformed or derived from the data originally collected or generated through the operation of the app, including data transformed or derived by state or territory health authorities.
Loopholes in the rules against coercion
The Bill contains some good protections against coercing individuals to use the COVIDSafe app, but these need to be made stronger by closing loopholes. This is especially necessary given that various groups, including chambers of commerce, have already proposed (illegal) plans to make participation or entry conditional on app usage.
A number of behavioural economists have proposed making government payments, tax breaks and other financial rewards dependent on individuals using the app. In light of these proposals, the Bill should make clear that no discount, payment or other financial incentive may be contingent on a person downloading or using the app. Nor should individuals be asked to show that their mobile has the app loaded, in order to avoid discriminatory treatment.
The app is claimed to be voluntary, and this must be enforceable. Coercion must not be used to circumvent the need for trustworthy design.
No source code, or other transparency
Media reports cite Ministers saying that the source code of the app – or at least those parts of it which do not pose “security issues” – would be made available in the fortnight after the app’s release. There is no sign of the “source code” yet, even as Parliament prepares to debate the Bill.
The full source code for the app should be made public, at least a week prior to the COVIDSafe Act being enacted, so that experts can verify the privacy protections the government claims to have incorporated.
The advices by Chief Medical Officers and others supporting the effectiveness of the app have not been made public. Nor does the Bill provide any guarantee of independent scientific advice on whether the app is continuing to be of practical benefit or should be terminated.
“Google knows everything about you” doesn’t cut it
Numerous commentators from business and tech, journalists, and footballers’ wives on Instagram, have argued that Australians who do not yet trust the app should download it since Google / Facebook / Uber / Amazon “knows everything about you anyway”, or the like.
First, this is simply not true. While these digital platforms have justifiably been accused of excessive data collection, they do not yet collect “everything”, or even a list of the proximity and duration of each of your physical interactions on a daily basis, as the COVIDSafe app seeks to collect.
Second, Google, Facebook and others are being investigated by regulators around the globe for potentially exploitative or misleading data practices and there are numerous proposals for law reform – including in Australia – to protect consumers from inappropriate data practices. The fact that some entities degrade our privacy is not a reason to discard what remains.
Third, while we have written extensively about the harm done by corporate data practices, these companies do not yet have powers to arrest, detain, interrogate or search. Excessive invasions of privacy by government can have far more immediate and dramatic effects on a person’s liberty.
Where are we now?
At the moment, the app will collect data, but health officials cannot yet access it to do tracing. Parliament will now debate the Bill, in the sitting expected to start May 12, and a Senate Committee will continue to investigate it among other pandemic issues. As we said last week, whether individuals decide to download and use the app is a matter of individual circumstances and choice. Some will wish to see the final legislation, and whether it continues to improve.
Graham Greenleaf is a Professor of Law & Information Systems at UNSW Law. His research concerns the inter-relationships between information technology and law: legal information systems, cyberspace law, and the global development of data privacy laws and agreements.
Dr Katharine Kemp is a senior lecturer in UNSW Law and Academic Lead on the UNSW Grand Challenge on Trust. Her research focuses on competition law (particularly misuse of market power), consumer protection and data privacy in financial services regulation.