Australia’s Digital ID scheme

On 30 May 2024, nearly three years after the initial exposure draft was released and following a $288.1 million boost from the federal Budget, the Digital ID Act 2024 and the Digital ID (Transitional and Consequential Provisions) Act 2024 (together, Digital ID Acts) were given final approval (Royal Assent) and signed into Australian law, with the inclusion of private sector entities in the Digital ID scheme fast-tracked. Similar to the approach taken in the UK, the new national Digital ID system will involve a phased roll-out, including an expansion of the existing Australian Government Digital ID System (AGDIS) to State and Territory governments and a voluntary accreditation scheme of Digital ID service providers, initially based around government services but which will be expanded within the next two years to participating private sector organisations. Banks, credit card operators and Australia Post are set to be the first private sector entities to benefit from inclusion in the Digital ID scheme, by initially allowing access to their private sector services with a government Digital ID and eventually offering their own Digital ID accreditation services to individuals.

The Australian Competition and Consumer Commission (ACCC) has been appointed as the initial Digital ID regulator, which aligns with its consumer-based knowledge and expertise, as well as its similar role in accrediting service providers and enforcing compliance under the Consumer Data Right (CDR). A more digital-specific regulator is likely to be established as the Digital ID system expands and grows. The Digital ID Acts are expected to commence by 1 December 2024 and will be accompanied by supporting rules and data standards (see ‘Overview of framework’ below). New drafts of these have recently been published for comment, with submissions open until 25 June 2024. The additional funding allocated as part of the Budget will now be used by the government to run a series of pilot programs with private sector entities, to test the application of the AGDIS to the private sector.

The Digital ID system will better protect the privacy and security of Australians, by introducing safeguards to prevent personal information from being collected, profiled, used or sold for a variety of other purposes. An individual’s Digital ID is a distinct electronic representation of that individual that enables them to be sufficiently distinguished when interacting online with services. A Digital ID allows an individual to verify their identity for certain online services, without having to repeatedly provide copies of their most sensitive personal information and documents, such as a passport, birth certificate and driver licence. This will also better protect consumers in the instance of a data breach, as the Digital ID system is designed to only share the minimum amount of personal data required for each specific transaction, as opposed to copies or images of entire identity documents. myGovID (administered by the ATO) will initially remain as the sole Digital ID service provider that can be used by individuals to access certain government online services (such as Medicare, Centrelink and the Australian Taxation Office (ATO)). However, under the Digital ID Acts, Australians will soon be able to access an expanded range of government services and some private sector services, and eventually may opt to verify their digital identity used to access those services with an accredited private sector provider of their choice. Under the new Digital ID scheme, the name of the government’s online verification tool will change from “myGovID” to “myID”, to avoid confusion with the myGov online platform. 

Legislation

Overview of framework

The legal framework will include the following key components:

| | Name | Status |
|---|---|---|
| Acts | Digital ID Act 2024 | Royal Assent 30 May 2024 |
| Acts | Digital ID (Transitional and Consequential Provisions) Act 2024 | Royal Assent 30 May 2024 |
| Rules | Digital ID Rules | Draft May 2024 – submissions open to 25 June 2024 |
| Rules | Digital ID (Accreditation) Rules | Draft May 2024 – submissions open to 25 June 2024 |
| Data Standards | Digital ID Data Standards | Draft expected shortly |
| Data Standards | Digital ID (Accreditation) Data Standards | Draft May 2024 – submissions open to 25 June 2024 |

The key objectives of the Digital ID Acts include:

  • to provide individuals with secure, convenient, voluntary and inclusive ways to verify their identity in online transactions with government and businesses;
  • to facilitate the inclusion of individuals in digital society by supporting the provision of Digital ID services that are accessible for individuals who experience barriers in using such services;
  • to promote privacy and the security of personal information used to verify the identity or attributes of individuals;
  • to facilitate economic benefits for, and reduce burdens on, the Australian economy by encouraging the use of Digital IDs and online services; and
  • to promote trust in Digital ID services amongst the Australian community.

The Digital ID legislation aims to achieve this by:

  • establishing an accreditation scheme for entities providing Digital ID services;
  • providing additional privacy safeguards for the provision of accredited Digital ID services;
  • establishing an AGDIS that is secure, easy to use, voluntary, accessible, inclusive and reliable; and
  • strengthening the oversight and regulation of (1) accredited Digital ID service providers, (2) entities participating in the AGDIS and (3) the integrity and performance of the AGDIS.

The Digital ID Acts are supplemented by the following rules and data standards:

  • The Digital ID Rules, which deal with transparency measures, the use of trustmarks by accredited service providers, and government system onboarding requirements (including technical standards and service levels).
  • The Digital ID (Accreditation) Rules, which set out a nationally consistent set of accreditation standards and requirements for identity service providers, attribute service providers and identity exchanges.
  • The Digital ID Data Standards, which set out technical requirements for entities participating in the AGDIS.
  • The Digital ID (Accreditation) Data Standards, which set out technical requirements relating to the accreditation scheme,

(together, the Digital ID Rules and Data Standards).

Accreditation will relate to three roles, as described below, with examples taken from the current Trusted Digital ID Framework (TDIF) pilot.

| Role | Description | TDIF pilot examples |
|---|---|---|
| Identity service provider | Generates, manages, maintains or verifies identity information about an individual to create or manage a digital ID. | ATO (myGovID), Australia Post, IDVerse, Mastercard, Makesure (RatifyID) |
| Attribute service provider | Verifies and manages attributes, being additional items of information that can be associated with an individual’s Digital ID. | ATO (RAM), Services Australia (myGov) |
| Identity exchange | Facilitates interactions and information flow between identity service providers, attribute service providers and relying parties in a digital ID system. | Services Australia, Mastercard, eftpos |

The Digital ID legislation allows for a phased expansion of the AGDIS (see ‘Phased Implementation’ for more on the ‘phased approach’).

The Digital ID Bills were first introduced to Parliament in November 2023, following three years of development. A number of amendments have since been made following public consultation and Senate committee input.

The Supplementary Explanatory Memorandum notes that, overall, the amendments aim to enhance existing consumer and privacy safeguards, including relating to destruction or de-identification of personal information, an individual’s ability to de-activate and reactivate a Digital ID, and certainty as to when the AGDIS will be fully available for private sector participation.

In particular, the key amendments:

  • limit the period for the phasing-in of private sector participation in the AGDIS to two years after the commencement of the Digital ID Acts;
  • establish a reporting framework for enforcement agencies who access, or seek to access, biometric information or other personal information held by accredited entities, with associated reporting to Parliament on those matters by the Attorney-General;
  • specify that a Digital ID which has been deactivated at the request of an individual must not be used and must not be reactivated without the individual’s express consent;
  • authorise legislative rules to prescribe Commonwealth laws that cannot override the requirements for accredited entities operating in the AGDIS to destroy or de-identify personal information;
  • transfer responsibility for regulation of those destruction/‌de-identification requirements from the Digital ID Regulator to the Information Commissioner;
  • clarify that the protection from liability for accredited entities operating in the AGDIS is not a general one, and applies only where an action or proceeding is brought by another participating accredited entity or a participating relying party;
  • clarify that entities approved to conduct testing in the AGDIS are not required to first be approved to participate in the AGDIS; and
  • strengthen transparency by requiring reports of periodic reviews of the charging rules to be tabled in Parliament.

The Digital ID Acts and framework have significant crossover with both privacy laws and cybersecurity laws, both of which are currently undergoing significant reform. For example, the Digital ID Acts and framework provide specific and extended requirements for cyber incident reporting, increasing the compliance burden on accredited service providers and businesses that are already required to comply with corresponding obligations under privacy and cybersecurity laws. Further, many obligations under the Privacy Act 1988 (Cth) (Privacy Act) are already applicable to a digital environment, evidenced by the government’s decision to allow the Information Commissioner to oversee certain privacy-related aspects of the Digital ID scheme and apply the powers and penalty provisions available under the Privacy Act to Digital IDs, despite not being the appointed Digital ID Regulator.

The Information Commissioner, Australian Cyber Security Centre and Digital ID Regulator will need to work together to ensure their powers and responsibilities are applied consistently and fairly. Two of the key objectives of the Digital ID Acts are to build upon protections in the Privacy Act to enshrine additional privacy safeguards for Australians creating and using a Digital ID, and to introduce penalties for accredited Digital ID service providers who fail to protect privacy and security to the standard that their accreditation requires. With major Privacy Act reforms now underway, the continuing interoperability of both the privacy and Digital ID regimes will need to be monitored, and some further adjustments to either or both regimes may be required.

Commentary on the proposed framework

The Digital ID Acts provide for independent regulation of the Digital ID system and name the ACCC as the Digital ID Regulator. While the ACCC has been appointed as the initial regulator (given its consumer focus and expertise), the Government expects that a more digital-specific regulator may be established as the Digital ID system expands and grows.

The Digital ID Regulator will be responsible for accreditation (determined against the Digital ID (Accreditation) Rules), approvals to participate in the AGDIS, compliance and enforcement (through broad powers to issue infringement notices, seek enforceable undertakings, injunctions or civil penalties). We note that the accreditation and enforcement functions overlap with the ACCC’s ongoing role in relation to the CDR, which is undergoing a gradual and phased expansion.

Alongside the Digital ID Regulator, the Digital ID Acts set out further functions and responsibilities split across:

  • Services Australia as an accredited identity exchange provider managing the flow of data between approved participants of the AGDIS, as a participating relying party authenticating Digital IDs, and for the more operational aspects of the AGDIS (such as risk, fraud and cybersecurity incident management), noting that Services Australia currently has responsibility for certain day-to-day operational matters relating to the AGDIS;
  • the Information Commissioner in relation to the privacy-related aspects of the scheme;
  • Centrelink as the System Administrator, responsible for administering the Digital ID scheme; and
  • a Digital ID Data Standards Chair to develop nationally consistent standards to regulate technical, data and design aspects required for participation in the AGDIS (including by emerging technologies, such as verifiable credentials and digital wallets).

Currently, the AGDIS allows Australians to verify their identity digitally via the myGovID application software developed by the ATO and Digital Transformation Agency, to access more than 140 government services. The expansion of the proposed Digital ID scheme under the phased implementation will allow Australians to access a broader range of government and private sector services using their Digital ID.

The Digital ID scheme will be rolled out in four phases, namely:

  • Phase One: establish the Digital ID legislation and accompanying Digital ID Rules and Data Standards, set up the Digital ID Regulator, expand use of the Digital ID across government services, and continue accreditation of public and private providers;
  • Phase Two: allow State and Territory digital IDs to be used to access Commonwealth government services;
  • Phase Three: expand use of the Digital ID to the private sector; and
  • Phase Four: allow certain accredited private sector Digital IDs to verify individuals when accessing some government services.

The government has not specified timeframes for the phases and has indicated that the phases may overlap. To date, only Phase One has commenced.

This approach seeks to first implement the Digital ID nationally, and then economy-wide (being the expansion into the private sector). During the public consultation process late last year, the Opposition and the private sector criticised this phased approach, arguing that it heavily favours the public sector and prevents individuals from being able to elect to use an accredited provider of their choice for verification to access government services. Further, this approach risks creating an uncompetitive Digital ID sector and may lead to issues with achieving interoperability between the public and private sectors.

The phased implementation is similar to the approach taken in the UK, which also seeks to first create a trusted legislative framework, and then second, expand the digital ID across both the public and private sector. The UK’s Data Protection and Digital Information (No. 2) Bill is almost in the final stages of its passage through UK Parliament.

Given the cross-border nature of the digital world and given that Australia is in the process of actively rolling out its own Digital ID framework, it is a crucial time to consider international approaches to Digital ID systems, and how Australia can work towards achieving harmonisation with countries such as the UK and Singapore, where we have strong people-to-people links. 

Currently, the Digital ID Acts do not contemplate application of the Digital ID to non-Australian citizens or permanent residents, or non-Australian entities. While this may not pose any issues during the implementation period, it will become increasingly important for Australia to align its approach with its international partners to promote global harmonisation in relation to the use of Digital IDs. As noted by the UK Government during its rollout, the UK intends to work with Australia and other countries to allow citizens to use their Digital IDs around the world, and for UK businesses to trust Digital IDs created elsewhere. These types of collaborations are likely to support greater adoption of Digital IDs by individuals and entities alike, but cybersecurity and national security issues will need to be evaluated in implementing these arrangements.


Key contacts

Julian Lincoln

Partner, Head of TMT & Digital Australia, Melbourne

Patrick Clark

Partner, Melbourne

Kaman Tsoi

Special Counsel, Melbourne
