Wed, 15 May 2024 - 12:37

Second Reading Speech: Digital Id Bill 2024

I rise to speak on the Digital ID Bill 2024. Digital identity has the potential to deliver significant productivity efficiency and safety benefits across the Australian economy. But that potential will only be realised if the Australian people trust the digital identity system and the legislative safeguards and guarantees which form part of the system. Unfortunately, this issue has been very poorly handled by the Albanese Labor government, with the result that instead of trust being increased it has been eroded. For example, many Australians would be extremely suspicious of the way the government rammed this bill through the Senate using a guillotine motion, meaning there was no second reading debate or Committee of the Whole process in that chamber.

The coalition believes that digital identity holds real promise for Australia, but it has to be done right. Labor has made multiple grave misjudgements in its approach to digital identity and to this bill, and it is for this reason that the coalition opposed Labor's legislation in the Senate and we will oppose it in the House. In my remarks on this bill today, I want to speak first about the coalition's careful and methodical work on digital identity when in government, thus establishing a strong platform which Labor could have used to progress this issue. Next, I want to speak about the serious flaws in Labor's design of this legislation, and, finally, I want to speak about the work we did in good faith to seek to address these flaws—work which, regrettably, the government completely failed to engage with.

I want to start by reminding the House that the reason Australia has a digital identity system today with over 11 million Australians using it under the name myGovID is because of detailed work done under the previous coalition government. The coalition established the Australian Government Digital ID System (AGDIS) in the wake of the Murray inquiry commissioned by the Abbott government. The inquiry recommended in 2014 that the Commonwealth:

… develop a national strategy for a federated-style model of trusted digital identities.

During our time in government the coalition delivered on that recommendation. We established the Trusted Digital Identity Framework. We created myGovID and drove a steady take-up of this digital identity product by more and more Australians. We invested over $600 million in developing myGovID and the Trusted Digital Identity Framework. We made sure the framework allowed for private sector participants, and we secured private sector entities to become participants. The first private sector identity exchange to join the Australian Government Digital ID System was ConnectID, which is backed by Australia's major banks.

Importantly, we recognised that there needed to be a comprehensive legal and regulatory framework within which the Australian Government Digital ID System could work, particularly given the continuing and, indeed, expanded role we saw for private sector participants. We sought to allow governments and the private sector to participate in a legislated Australian government digital identity system from the outset—there was to be no phasing. We saw a simultaneous public-private design solution as key to realising a truly national whole-of-economy solution. We envisaged the system being overseen by an independent statutory officer, the oversight authority, to protect those Australians who wanted to use digital identity. We also sought to establish in law bespoke, best-practice privacy and security protections, including restrictions on the collection of biometric information and on the retention of attributes including single identifiers. We developed such a framework and set it out in the exposure draft of the Trusted Digital Identity Bill, which we released in late 2021. Unfortunately, the bills before the House are very different to the exposure draft we released in late 2021.

Later in my remarks, I will speak about the serious errors Labor has made. But let me now turn to why the coalition considered that a digital identity system offered promise to deliver benefits to Australians and why, therefore, we did all of the careful work we did on this issue when in government. Done right, the widespread use of digital identity can deliver many benefits. This was a key finding of the 2019 McKinsey Global Institute paper Digital identification: a key to inclusive growth. McKinsey found that extending full digital ID coverage could unlock economic value equivalent to three to 13 per cent of GDP in 2030. It could reduce institutional customer onboarding costs and payroll fraud, saving up to US$1.6 trillion globally, and it could save approximately 100 billion hours through streamlined e-government services.

Many of these benefits come through the saving of time and effort in the multiple interactions which are required today when you need to prove your identity, whether that's to a government agency, a business or another human being. Think of how much time is required to take and send photocopies of identity documents such as passports and drivers licences or to find a Justice of the Peace or somebody else who is qualified to give you a certified copy of such documents or to go physically to a bank branch or a lawyer's office or any one of the many other places where today you are frequently required to present yourself to demonstrate your identity.

One country which has very successfully introduced digital identity and obtained material economic productivity benefits as a result is India. Aadhaar, the modern Hindi word for foundation, is used to describe the digital identity which all Indian citizens and residents can now have. Over 1.3 billion Indians hold a digital identity, which has made it much quicker and easier to open bank accounts, to transfer money from one person to another and to receive government benefits. Today, if you are a bank customer in India, you can satisfy a bank's know-your-customer requirement in seconds with your Aadhaar. In Australia, by contrast, this is a long, cumbersome and painful process requiring certified copies of identity documents. It is a truly dreadful customer experience, and I resist the temptation to name the bank that I use where the customer experience has been absolutely appalling.

India also demonstrates the way that many private sector businesses have innovated and grown by using the national digital identity platform. For example, India's third mobile phone network Reliance Mobile launched its Jio mobile service in September 2016. It used a completely digital customer onboarding process, taking advantage of Aadhaar and achieving 160 million new customers by December 2017. It is all too typical that the Albanese Labor government has failed to grasp and to champion the way that a fully realised whole-of-economy digital identity system can boost productivity and innovation in the private sector. Its rhetoric about digital identity has been almost entirely about what it means for government and the public sector even though our national prosperity and economic growth depends overwhelmingly on the private sector, not the public sector.

I want to mention one other critical public policy benefit which a well-realised digital identity system can bring by protecting Australians from having to hand over voluminous amounts of private information to companies and government agencies and in turn being vulnerable to having that information stolen when those companies or agencies are hacked. The evidence is clear about how much damage cybercrime does to Australians. According to the ASD cyber threat report 2022-23 the average cost of reported cybercrime was up 14 per cent in 2023. ASD found that it costs small businesses an average of $46,000 in total losses per reported cybercrime. A key reason that recent data hacks such as those in clubs New South Wales, Optus, Medibank Private and Latitude Financial are so prevalent and so damaging is that these companies and organisations hold lots of data on their customers. This data includes copies of original documents like passports and drivers licenses. Digital ID avoids this through a data minimisation process. It reduces the information a company holds about its customers. The company receives only that information which is strictly necessary for the transaction to take place.

The key principle of digital ID is that there is a federated architecture; there is not one system which retains all the information and, in turn, becomes a honey pot to cyber criminals. The disparate system of identity providers, exchangers, relying parties and users has an added protection—the double-blind approach. Imagine if I'm about to sign a lease and I have to prove my identity to the real estate agent. I can use the ConnectID system established by the banks. I go to ConnectID and I authorise identity information held about me by my bank to be released to the real estate agent. Critically, because of the double-blind approach, my bank does not know where my data is going to and the real estate agent does not know where it has come from.

Another critical benefit is that only as much information is released as is necessary. For example, to get into a pub or a nightclub today, I'm advised, you need to prove that you're over 18. Typically, you do this by showing your driver's licence. But the pub or club does not need to know your name or address, or even your age, only the fact that you're over 18. With a digital identity system, evidence of this fact is provided in the form of a digital certificate or token sent to the pub or club from your digital identity provider. The digital certificate does not disclose your address or your actual age or anything about you, only the fact that you are over 18. This system is much safer and does a much better job of safeguarding your privacy than today's approach.

Having discussed the progress the coalition made on digital identity and some of the policy reasons for doing so, let me now turn to how things went badly off the rails once Labor got into government, leading to the grave flaws in the legislation before the House today. The first big problem is that there has been no political leadership exercised in developing these bills or in making the public case for digital identity. The Minister for Finance has not bothered to explain the purpose or operation of these bills in any systematic or persuasive way. And, of course, in any rationally organised government the Minister for Government Services would have had responsibility for digital ID and carriage of this legislation. That minister should have been making the case to Australians for the last two years about the way that digital identity could enhance the level of service they receive from government. Sadly, this portfolio is held by the member for Maribyrnong, who has very little interest in or understanding of how to deliver good customer service and the role of digital tools in doing just that, and he has been missing in action in the policy debate on this issue. This lack of political leadership is reflected very clearly in the bills and in the many weaknesses in them.

The governance structure set out in this bill is highly fragmented. The bill establishes a system administrator, which will be in the social services portfolio but would report to the Minister for Finance. The to-be-established data standards chair is in the finance portfolio. The regulator sits within Treasury. The Information Commissioner sits within the Attorney-General's Department. And the many other auxiliary agencies with responsibilities in the Australian Government Digital Identity System, such as ASIO, sit within Home Affairs. No board in the private sector would sign off on such an incoherent and unsustainable structure. There has been no serious effort by the Minister for Finance to explain how this mishmash will work, very likely because no plausible or credible explanation can be given.

The opposition's concerns are shared by industry. Submissions from both the Australian Banking Association and Australian Payments Plus argue that the proposed governance arrangements are too complex with too many entities spread across too many portfolios. The effect of Labor's confused governance structures will be to dampen citizens trust and confidence in the Australian government digital ID system. Basic private sector sales and marketing principles tell us that, if consumers do not trust a service, they are far less likely to use it. In turn, if the number of Australians who use digital identity is suppressed because of this lack of trust, we will not get the network effect, which has been seen, for example, in India, where digital identity is widely used. In turn, that encourages the growth of new government and private sector services which use digital identity, and this then reinforces the value and benefit to citizens of having and using a digital identity. For this virtuous cycle to develop, there must be a high take-up of digital identity, and unfortunately Labor's mishandling of these bills makes a high take-up considerably less likely.

The Australian public will only embrace the Australian Government Digital ID System if they can be confident that these bills provide them with adequate safeguards to protect their privacy. Unfortunately, this bill does not do that. The Digital ID Bill 2024 partly relies on provisions contained within the Privacy Act. It was reckless of this government to introduce this Digital ID Bill and its accompanying bill without first reforming the Privacy Act. The government has had since February 2023, when the Attorney-General's Department released the review of the Privacy Act, to progress the legislative response to that review. Instead, the Albanese government has dithered and delayed, as many observers have pointed out. In its submission to the Senate's inquiry into this bill, the University of Technology Sydney's Human Technology Institute said:

… it is essential that Privacy Act reforms be passed as soon as possible to prevent further fragmentation, inconsistencies, gaps in protections, and unnecessary compliance burdens.

There is a very real potential for competing or contradictory sets of arrangements to be established between this Digital ID Bill and the Privacy Act. Indeed, such a circumstance is contemplated within the bill's accompanying statement of compatibility with human rights, which states:

If the definition of personal information changes in the Privacy Act, consequential legislative amendments will be introduced to ensure the Bill remains consistent with any amended definition and additional requirements in the Privacy Act.

Moreover, the explanatory memorandum notes the following:

It is intended that the definition of 'personal information' (and other relevant terms) in the Bill will be reviewed against changes to that term in the Privacy Act …

The possibility for misalignment on such fundamental protections as the definition of 'personal information' is very serious.

Multiple stakeholders gave evidence to the Senate's inquiry into this bill that they too are concerned about the absence of reforms to the Privacy Act. For example, Woolworths submitted:

We also seek clarity whether a new definition of 'personal information' as is being considered as part of the Privacy Act reforms will capture tokens provided through Digital ID processes.

The Business Council of Australia argued in its submission:

The review of all legal provisions requiring retention of personal information (as agreed-in-principle in the Privacy Act Review) be undertaken as a matter of urgency …

Let me turn to one of the central weaknesses of these bills: that they seek to delay and minimise the role of the private sector. The coalition believes that there should be simultaneous public and private sector participation in the Australian Government Digital ID System from the outset. The first version of these bills proposed a so-called phased approach, which would have delayed indefinitely any meaningful role for private sector participants. The opposition moved amendments in the Senate to remove these phasing provisions. The government did not accept our amendments, but it agreed to other amendments, which now means that private sector participation will commence after the legislated Australian Government Digital ID System has been in operation for two years. While this is an improvement, there remains considerable uncertainty about how the government intends to work with the states and territories. Notwithstanding the two-year provision, the bill retains the original phasing-in clauses, which would mean that private sector expansion in the Australian Government Digital Identity System only occurs in phase 3, but, to get to phase 3, certain requirements must be met in phase 2. What are these requirements? The government requires that a state or territory government must integrate its own digital ID within the Australian Government Digital Identity System.

Each state and territory has approached establishing its own native digital ID in a different way. For example, Western Australia uses the Commonwealth government's myGov ID. The Northern Territory does not. Currently, Queensland is the only jurisdiction to have a fully operational digital ID system. Other states are still preparing theirs. This includes New South Wales's, which remains in closed public beta. In February it was reported by the Australian Financial Review that the Minister for Finance intended to obtain from the states and territories agreement to a roadmap for expansion of the Australian Government Digital Identity System and she was to do this at the data and digital ministers meeting, which took place on 23 February 2024. But what happened at that meeting fell a long way short of what the minister was promising. At that meeting, it was agreed only that ministers would 'work together towards a national digital identity and verifiable credential strategy to inform an update of the national digital ID service transformation road map'. From this statement it is clear the states and territories did not sign up to the finance minister's so-called national digital identity and verifiable credential strategy, merely stating that they would work together toward such a strategy.

When will the states and territories sign up to this so-called national strategy? The government hasn't said, and there is no mention of the so-called national strategy in the bill or the explanatory memorandum. If the states and territories are unable to sign up to so much as a national strategy, what confidence can this parliament and the Australian people have in this government's ability to manage the Australian Government Digital Identity System?

A real issue with the legislated two-year requirement before the private sector can participate in the Australian Government Digital Identity System is that separate private sector digital-identity providers are already gaining traction and delivering results. Australian Payments Plus's ConnectID system, which achieved accreditation under the coalition government, is already operational, with two of the big four banks participating and the others expected to join shortly. There is a risk that, within two years, many will be using ConnectID or another provider for their digital identity, rendering the digital identity landscape fragmented and the Australian Government Digital Identity System a poorer cousin of private sector solutions.

These flaws in the bill which I have mentioned were raised by many stakeholders, including through the Senate inquiry process. In the Senate the government had an opportunity to address the concerns raised by stakeholders. The coalition's sensible amendments, which were developed in close consultation with industry stakeholders, would have enhanced the privacy protections in the bill. Our amendments sought to establish a stronger guarantee that having a digital identity would be voluntary. Under our amendments it would have been clear that no Australian would be required to have a digital identity. It would have been clear that no Australian would face a lower quality of service should they wish to use traditional, paper based identity documents. In addition, we moved an amendment which sought to impose a clear requirement that changes to the Privacy Act must be made before these laws come into force. We sought to work in good faith with the government on these amendments, but, regrettably, the government chose not to support them. Accordingly, this House has been left in a very unsatisfactory position because of how the government has proceeded with this bill.

I conclude by reiterating that the coalition believes that digital identity has the potential to deliver significant productivity, efficiency and safety benefits across the Australian economy, but this bill before the House today is deeply flawed. The government has failed to engage with the opposition in our good-faith efforts to resolve those flaws by proposing amendments. For this reason, the coalition will not be supporting this bill.