The privacy protections behind Australia’s COVIDSafe contact tracing app are now enshrined in law after the underpinning legislation passed through parliament with minor improvements.
The Privacy Amendment (Public Health Contact Information) Bill cleared the senate without amendments on Thursday morning, two days after it was introduced by the government.
It introduces strict penalties of up to five years jail for those that collect, use, disclose (include outside of Australia) or decrypt COVIDSafe data for any purpose other than contact tracing.
The legislation also makes it illegal to force someone to use COVIDSafe and outlines the data handling requirements expected of the health department and Digital Transformation Agency.
Since the draft legislation was released last week, Labor has secured several amendments to improve the laws after constructive engagement with attorney-general Christian Porter.
“This is now a stronger and better piece of legislation as a result of constructive engagement between Labor and the government,” shadow attorney-general Mark Dreyfus said on Tuesday.
Improvements include “greater clarity about what data is protected”, restrictions on law enforcement becoming the COVIDSafe data store administrator and six-monthly public reporting requirements about COVIDSafe’s operation.
The bill also gives the Office of the Australian Information Commissioner “greater oversight” of the app and the data it collects, and ensures the office can investigate privacy breaches even when they overlap with an law enforcement investigation.
“To be clear: this bill will introduce the strongest privacy safeguards that have ever been put in place by any Australian parliament,” Dreyfus told the house of representatives on Tuesday.
“That is despite the fact that the COVIDSafe app is voluntary and the data that it collects is, compared to other personal information that's routinely collected by governments and corporations, relatively innocuous. This bill takes privacy seriously.”
But serious questions over the app’s effectiveness remain, which Labor, the Australian Greens and Centre Alliance have argued cannot be addressed by legislation alone.
These include technical issues with COVIDSafe’s Bluetooth performance on iOS, which the DTA has admitted could limit the app’s effectiveness capturing ‘digital handshakes’ with other devices.
The DTA’s decision to hand Amazon Web Services the contract for the COVIDSafe app and national data store using a limited tender process has also been questioned.
Labor has insisted that Australian-owned providers offering protected-level cloud services like Sliced Tech, Macquarie Telecom and Vault should have been given the opportunity to bid for the contract.
DTA CEO Randall Brugeud last week gave some reasoning for the selection, with the contract covering hosting, development and operational of the COVIDSafe app and national data store.
This line was reiterated by foreign affairs minister Marise Payne on Wednesday, who said “the contract with AWS is a combination of hosting, development and operational services, which is more extensive than services provided by pure hosting providers”.
“While there are several Australian cloud providers that could have provided elements of the service that AWS has provided, AWS's ability to scale very quickly in this pandemic context and to provide a broader range of services is beneficial for the purposes to which the COVIDSafe app is to be put.
“In relation to the CLOUD Act, any transfer of data to any country outside Australia will constitute a criminal offence under the provisions of the bill and attract a penalty of five years imprisonment.”
After a short debate on Thursday morning, the bill was passed after Labor opposed any further amendments to the legislation, including the introduction of a strict sunset clause.
“Labor believes that there is a strong public interest in putting these privacy protections in place as soon as possible, and so Labor will not be supporting any amendments that delay the passage of this bill,” Labor senator Murray Watt said.
More than 5.6 million Australians have now downloaded and registered for COVIDSafe since it was released two-and-a-half weeks ago.
Deputy chief medical officer Paul Kelly on Wednesday said that the portal allowing state and territory health officials to access data collected by the app was now up and running.
He said all agreements with states and territories had now been signed and that health professionals involved in the contract tracing process trained to use the portal.
The DTA released the source code for COVIDSafe app late last week, but will not be releasing the code that relates to the national data store.