A deeper dive into Australia's Digital ID Bill
06 December 2023
In our previous article and webinar we discussed the Australian Government's recent consultation on draft Digital ID laws, what Digital ID is and how it works, and the Government's phased plan to expand its trusted Digital ID ecosystem across the entire economy.
In this article we examine the Australian Government's new Digital ID Bill 2023, take a closer look at the exposure drafts of related rules, and explore new transitional arrangements.
The Digital ID Bill was introduced on 30 November 2023 and immediately referred for inquiry to the Senate Economics Legislation Committee. The Committee is accepting submissions until 29 January 2024. With the Committee's report due 28 February 2024, the new bill is expected to be debated in March 2024.
The new laws look to drive two linked initiatives:
These initiatives are supported by two bills currently before the Senate:
These bills will enable:
Exposure drafts of the Digital ID Rules and Accreditation Rules were released as part of recent consultations.
In addition, legally enforceable data and technical standards will be made by the Digital ID Data Standards Chair dealing with issues such as data standards for accredited service providers, and technical standards and service levels for the AGDIS.
Service providers in the Digital ID ecosystem, including Commonwealth, state and territory government bodies and private sector businesses, can become accredited for specified types of services, although initially only Commonwealth non-corporate entities will participate in the AGDIS.
Accreditation provides a baseline set of obligations and regulatory oversight that apply to all accredited service providers displaying an Australian Government trustmark, whether they provide services in the AGDIS or in a separate system.
While accreditation is generally voluntary, a service provider needs to be accredited to provide services in the AGDIS. Participation rules for other Digital ID systems might also require accreditation, but there is no statutory requirement for them to do so.
Accreditation requires an applicant to demonstrate how its Digital ID services meet requirements relating to accessibility and usability, privacy protection, security and fraud control, risk management and technology integrity – a process to be overseen by the ACCC as Digital ID regulator. This recognises the sensitive nature of Digital ID services, and assists in ensuring that robust privacy, cyber security, and user experience standards are met. Draft Accreditation Rules contain detailed technical and procedural requirements that applicants will need to satisfy to become accredited and continue to satisfy once accredited.
Once accredited, a service provider is also required to comply with a range of obligations under the Digital ID Bill and the draft Accreditation Rules, concerning things such as:
The Digital ID regulator will also have the power to impose, vary and revoke specific conditions on an accreditation if the regulator considers that doing so is appropriate in the circumstances. Such conditions might, for example, address perceived security concerns, limit the extent of an entity’s authorisation (eg to exclude biometric information) or specify the use of particular technology or systems.
The Digital ID regime is a federated model under which different types of service providers must cooperate to deliver a seamless and secure experience for the end user.
The bill includes the three types of service accreditation, reflecting roles under the current Trusted Digital Identity Framework:
(Initially, participation will be limited to Commonwealth Government non-corporate entities, with state and territory and private sector services on-boarded as part of the phased expansion – see our previous article.)
The Minister will have rule-making powers to add additional types of services over time as the Digital ID ecosystem evolves. For example, trusted digital wallets managing portable credentials will be a key part of the ecosystem, and policy development for digital wallets is already underway.
The current Trusted Digital Identity Framework (and the previous consultation draft of the Bill) includes an additional category of “credential service providers”. This function will now fall within the remit of identity service providers (now known as authentication management). Authentication management covers the same ground as credential services, and includes the management of passwords and other access restrictions (such as facial or voice recognition).
The exemptions framework built into the Digital ID Bill will provide some flexibility within these categories. For example, where a service might fulfil some, but not all, of the responsibilities of an existing category of service the service provider could apply for targeted exemptions rather than lobbying for the addition of a new category of service. This could be particularly relevant for state and territory services.
Participation in the AGDIS is voluntary. However, if an accredited entity or a relying party wishes to participate, it must go through a further onboarding process and comply with additional obligations. One reason the AGDIS includes additional obligations is that it is currently used to access Commonwealth services.
A relying party is an organisation that uses the AGDIS, for example by accepting an AGDIS Digital ID as proof of identity. A relying party does not need to be accredited, but access to the AGDIS will need to be approved by the Digital ID regulator.
Service providers must be accredited in order to provide services in the AGDIS, and initially only non-corporate Commonwealth entities will be able to provide services in the AGDIS. The Digital ID regulator’s decision to permit participation in the AGDIS is separate from accreditation – the regulator must consider whether the accredited entity can meet the additional requirements of the AGDIS.
Key principles underlying the AGDIS include:
Relying parties have more limited obligations than accredited service providers – these include ensuring that users can choose their identity service provider, allowing interoperability within the AGDIS, and reporting and supporting end users following digital identity fraud or cyber security incidents.
In addition, in granting approval for relying parties or service providers to participate in the AGDIS, the Digital ID regulator can impose conditions that it considers appropriate in the circumstances. Example categories of conditions are wide-ranging and include conditions on the way services can be provided and the kinds of information (including biometric information) which can be collected; conditions can even specify the technology systems through which services are provided and place restrictions on changes to those systems. Further conditions can also be imposed under the rules.
Delivery of a Digital ID solution requires the various providers to work together, trusting that other providers are performing their roles appropriately. Currently, the providers involved in delivering the AGDIS are all Commonwealth bodies – but extending participation to state and territory governments and the private sector raises questions about how liability will be allocated if things go wrong.
Service providers in the AGDIS are accountable not only to the Digital ID regulator, but to each other service provider and relying party in the AGDIS – a statutory contract is created between each accredited entity in the AGDIS and:
Entities can take action in the Federal Circuit and Family Court of Australia, which can make a broad range of orders, including a broad power to make any order considered appropriate.
While the relationships between service providers and relying parties appear relatively straightforward with the currently very small number of AGDIS participants, we may see multiple identity exchanges operating within the AGDIS in the future – and interoperability requirements will mean that in the future service providers connected to one exchange may interact with service providers or relying parties connected to a completely different exchange.
The statutory contract framework facilitates interoperability in a way that traditional contracts would not – accredited service providers connected to any exchange will be automatically subject to a statutory contract with every other accredited service provider and every other relying party in the AGDIS, including those connected to different identity exchanges.
Under the statutory contract, an accredited entity agrees to comply with a limited set of obligations:
The bill has been updated since consultation to exclude service levels set by the Digital ID Data Standards Chair from this contract.
This means that the direct recourse that a party to a statutory contract will be able to seek from the other party to the statutory contract is limited, as it will be restricted to these set obligations. It also means that only accredited entities, and not relying parties, have obligations under the statutory contract.
Accredited entities are protected from liability in certain limited circumstances. An accredited entity will have no civil or criminal liability if:
The bill has been updated since consultation to also provide a liability shield where a non-compliance occurs, but the non-compliance is not the ground or cause of the relevant action or proceeding. This change should mean that the liability shield will not be lost due to unrelated non-compliances (such as technical or irrelevant ones).
The exclusion of service levels will allow the Data Standards Chair to set expectations that drive better performance, without exposing participants to unreasonable and unpredictable liability.
The statutory contract and liability shield leave participants in the position where demonstrating compliance can mean the difference between absolute immunity and unpredictable liability – without the benefit of normal commercial tools like liability caps, exclusions of consequential or indirect loss, or force majeure regimes.
The Government has recognised this concern and included rule-making powers that will enable the Minister to limit the types of loss recoverable, introduce liability caps, exclude obligations from the statutory contract, or to exclude certain conduct or circumstances as breaches of the statutory contract. While no such modifications were included in the exposure draft Digital ID Rules, participants and potential participants will likely want further clarity.
The exact balance struck will have significant implications for risk management, insurance, and customer and supplier contract terms. On the one hand, potential liability to other participants presents an obvious financial risk – for example, if non-compliance by a participant enables a threat actor to cause widespread harm. On the other hand, an inability to claim against other participants due to the liability shield can leave an organisation bearing financial loss caused by another participant.
Consumer Data Right legislation includes a similar (but different) liability shield and statutory contract arrangement, and we expect to see the models align over time.
Digital ID systems outside of the AGDIS will impose different rules – for example, through contracts signed by participants in private sector solutions. The statutory contract that applies to AGDIS participants can be seen as a transparent and regulated replacement of the commercial participation terms used in private sector solutions.
Penalties under the Digital ID Bill are now five times higher than those proposed in the exposure draft.
Failure to comply with various obligations under the updated Digital ID Bill can result in civil penalties of up to 1,000 penalty units (up from 200 in the consultation draft), or 1,500 penalty units (up from 300 in the consultation draft) in some cases, such as a breach of an additional privacy safeguard or offshoring AGDIS data unlawfully. For government entities and corporations this currently means $1,565,000 and $2,347,500 respectively.
Importantly, failure to comply with new privacy safeguards is considered an interference with privacy under the Privacy Act – exposing entities to recently increased penalties potentially exceeding $50 million.
In addition, as part of its response to the Privacy Act Review Report, the Government will introduce new lower tiers of penalties, a new direct right of action for breaches of the Privacy Act, and a statutory tort for a serious invasion of privacy.
The liability shield discussed above will be particularly important given the potential privacy risks that could flow from a systemic failure in the Digital ID system – strict compliance with the Digital ID regime may protect service providers from massive new privacy penalties, and potential class actions or other claims under coming privacy reforms.
Oversight and enforcement of the Digital ID laws will be shared between:
The Government has previously described the Australian Competition and Consumer Commission (ACCC) as the "initial" regulator – consistent with earlier comments from Minister Katy Gallagher that the Government may hand oversight over to a "digital-specific regulator" as the system matures.
The Digital ID regulator will be responsible for governing the Accreditation Scheme and approving entities who wish to become accredited providers in the AGDIS.
From a monitoring perspective, the Digital ID Bill gives the regulator powers including to give directions, require production of information or documents, and suspend or revoke accreditation or approval. In relation to enforcement, the regulator has powers to issue infringement notices, seek enforceable undertakings, injunctions, and civil penalties.
In its submission to the Statutory Review of the Consumer Data Right, the ACCC supported a functional separation of the entities responsible for rule-making, operations and enforcement – similar to the approach taken in energy and UK open banking regulation. It also raised the possibility that responsibility, skill set, and capabilities required of an accreditation registrar might be better placed with another organisation. Functional separation has been adopted to a degree in the Digital ID Bill by placing rule-making powers with the Minister rather than the Digital ID regulator, reflecting current arrangements under the Consumer Data Right (where rule-making powers originally sat with the ACCC, but were subsequently transferred to the responsible Minister).
It is possible that future Digital ID regulation will adopt greater functional separation – we may see the role of the Digital ID regulator split, with a registrar focussed on accreditation, and a regulator focussed on compliance and enforcement. Such an arrangement might encourage more open engagement on accreditation challenges.
The Digital ID Bill has been clarified since consultation to provide that the "Chief Executive Centrelink" (ie the Chief Executive Officer of Services Australia) will be the "System Administrator" of the AGDIS, reflecting one of the roles that Services Australia plays in today's unlegislated AGDIS. Key functions of the System Administrator include:
The Digital ID Bill supplements existing notifiable data breach obligations in the Privacy Act or state or territory equivalents – reports that must be given to privacy regulators must be given to the Digital ID regulator at the same time.
Where another regime does not apply to an accredited entity, the Digital ID Bill will extend the notifiable data breach regime under the Commonwealth Privacy Act to that entity. Mandatory data breach reporting has only recently arrived in some state and territory privacy regimes – for example, data breach laws for NSW commenced just last month, and data breach laws for Queensland were passed last month and are due to commence in July 2025 for state government and in 2026 for local government.
In addition, the Digital ID Rules require accredited service providers in the AGDIS to notify and manage "reportable incidents". There are a number of reportable incidents listed in the exposure draft of the Digital ID Rules – and unsurprisingly given the subject matter of the legislation – this includes cyber security incidents.
The exposure draft of the Digital ID Rules prescribes twelve items which must be included in a cyber security notification to the Digital ID regulator – including whether individuals have been informed of the incident. A reportable incident must be notified as soon as practicable after, and in any event no later than 24 hours after, the entity becomes aware of the incident or a suspected incident. Helpfully, the draft rules acknowledge that it may not be possible to provide all information in relation to a cyber security incident within the prescribed timeframe, and so provide for a process of interim notifications to be given every 48 hours as additional information becomes available.
However, this regime does not align with other data breach reporting obligations, such as under the Commonwealth Privacy Act (or state/territory equivalents) or security of critical infrastructure legislation. Accredited entities will need to update their cyber response plans to manage different reporting obligations and timelines.
In addition to the notification requirements, the Digital ID regulator has the power to suspend the accreditation of an accredited entity in a range of circumstances, including where a serious cyber security incident involving the entity has occurred or is imminent. These powers have been refined since consultation – for example, in relation to an attempted (and not actual) compromise, the incident must involve an unacceptable risk to provision of the accredited service to trigger suspension.
The Digital ID regulator can also revoke accreditation or approval to participate in the AGDIS for a "serious" cyber security incident.
The ability to in effect exclude service providers may on the one hand help triage compromised systems and protect other parts of the Digital ID ecosystem – but may also cause significant interruption at a particularly challenging time. In theory, a network of interoperable service providers would provide a level of redundancy – but in practice, relying parties and individuals may lose their ability to access services if their chosen identity service provider is excluded. If an identity exchange is excluded, the service providers connected to that identity exchange might be unable to operate. Building true redundancy will require service providers to be connected to multiple exchanges, and relying parties and individuals will need identity credentials maintained by multiple identity service providers.
Organisations will need to factor both cyber risks, and the risk of potential business interruption, into their business continuity plans.
End users will not be charged for creating or using an AGDIS Digital ID. Relying parties looking to verify identities using the AGDIS will need to build Digital ID costs into their overall commercial framework rather than passing costs on to users directly.
The Government will not charge entities for accreditation and participation in the first two phases of expansion (across Commonwealth and state and territory governments). However, the Department of Finance will develop and conduct public consultations on an approach for charging ahead of private sector participation in the AGDIS.
As submissions to the recent consultation have shown, the charging model, and how charges may be recouped, will be an important factor impacting industry uptake, participation and use of AGDIS. The model may also have knock-on effects on commercial models and investment in private sector and state and territory Digital ID solutions (whether part of the AGDIS or not).
Commercial models adopted overseas will also need to be considered – not only must Australian Digital ID systems be technically interoperable with overseas solutions, but also commercially interoperable.
The Digital ID (Transitional and Consequential Amendments) Bill prioritises making sure that Commonwealth Government bodies currently using and relying on the (unlegislated) AGDIS can continue to operate with minimal disruption. Commonwealth Government bodies and services accredited under the (unlegislated) Trusted Digital Identity Framework (TDIF) are deemed accredited under the new regime, and those approved to participate in the current unlegislated AGDIS are deemed approved under the new regime.
Accreditation and approvals are subject to conditions similar to those that currently apply (for example, limiting accreditation and approvals to specified services, and requiring services to directly connect to Services Australia). This means new or changed services, or changes to how services interconnect, will require review and changes to accreditations and approvals.
The bill does not automatically transfer accreditation or approval for non-Commonwealth entities, recognising that the Accreditation Rules would only be made after the Digital ID Bill commences. But the door has been left open for the Minister to make further transitional rules (including to similarly deem accreditation and approval) in the first 12 months after commencement, allowing the Minister to transfer existing accreditation and approval (potentially subject to conditions).
The explanatory materials call out an important use of transitional rules – to allow the Commonwealth to test plans, systems and business processes for future expansion of the AGDIS by:
This ability for the Commonwealth to test systems and processes is in addition to the power of the AGDIS System Administrator (ie Services Australia) under the Digital ID Bill to authorise entities to conduct testing in the AGDIS without holding an approval to participate from the Digital ID regulator; such an authorisation may be granted for up to three months and can be conditional.
Digital ID is clearly high on the Government's agenda – a key initiative underpinning its recently announced cyber security strategy, as well as its National Strategy for Identity Resilience. The new laws are expected to result in an economy-wide compliance cost of almost $1.5m annually, but whole-of-economy savings in the order of $3.3bn.
In addition to the new bill, we've seen significant developments in the world of Digital ID:
Australia is not unique in pursuing a homogeneous, interoperable Digital ID. The European Union is edging closer to a pan-European digital identity framework, with the European Parliament and Council reaching agreement on the regulation of European Digital Identity Wallets that will require public services, very large online platforms, and services that are legally required to authenticate users to accept the EU Digital Identity Wallet. The EU continues to work on large-scale pilots testing its effectiveness.
Read more about what Digital ID is, how it works and what it means for your organisation in our previous article Whole-of-economy Digital ID laws by the end of the year.
Digital ID is a key enabling technology for Australia's recently announced cybersecurity strategy. You can read more about the strategy in Australia's cyber strategy – a bold regulatory reform agenda.
You can also catch up on our past articles on Digital ID:
Authors: Tim Brookes, Partner; Rebecca Cope, Partner; Anthony Lloyd, Partner; Clare Doneley, Counsel; Sashini Walpola, Senior Associate; Andrew Hilton, Expertise Counsel; Kerry Liang, Lawyer; and Shir Rosenberg, Clerk
This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.
This material is current as at 6 December 2023 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.