Australia’s Digital ID Act and a new Trusted Exchange (TEx) – an update and a deep dive
16 August 2024
16 August 2024
Australia’s new national Digital ID laws are due to commence by the end of the year, providing the legislative basis for broader adoption of Digital ID – and expansion of the Australian Government Digital Identity System (AGDIS, better known as myGov / myGovID).
Digital ID is a key initiative underpinning the Australia’s cyber security strategy and national strategy for identity resilience.
The Government estimates that economy-wide compliance costs for Digital ID will be almost $1.5m annually, delivering estimated savings in the order of $3.3bn.
Rolling out economy-wide Digital ID and growing myGov capability is a long-term mission – but we’ve seen renewed focus on launching new uses:
In Part 1 of this article, we’ll take a close look at recent developments, including the new Trust Exchange and what changed in passing Digital ID laws through the Senate. In Part 2, we’ll take a deep dive into the Digital ID Act 2024 to explain how it works.
Just this week, the Minister for Government Services unveiled new functionality for myGov wallets that will allow people to verify their identity or associated attributes without sharing their sensitive documents – for example, using a QR Code or NFC on a phone to verify your age without providing your drivers’ licence.
Key principles of the system will be choice, consent and trust.
TEx will connect to a user's digital wallet (such as a myGov wallet), allowing the user to verify their identity and credentials based on official information already held by the Australian Government.
End users will opt in – able to choose and provide their consent to share necessary personal information with the relevant business. In the case of age verification, TEx could just provide confirmation without disclosing the user’s actual age or date of birth – only a “token” showing that a fact has been verified would need to be shared.
Individuals won’t be charged to use TEx – but there may be charges to business. The technology is currently being trialled by Services Australia, with plans to launch a 6-month pilot very soon – meaning we may see full roll-out in 2025.
Australia's new Digital ID Act 2024 was passed in May and will commence on proclamation – expected to be 1 December 2024.
The new laws drive two linked initiatives:
The Digital ID Act 2024 will be supported by:
The new Digital ID (Transitional and Consequential Provisions) Act 2024 focusses on automatically transitioning approvals and accreditations for Commonwealth Government entities from the existing unlegislated framework with minimal disruption.
You can read more about how Digital ID works in our earlier publication.
Digital ID laws were passed with support from minor parties and independents – which required agreeing some significant amendments from the Greens focussed on accessibility and digital inclusion.
A private member's bill to repeal the Digital ID laws was introduced in late June. A focus of resistance to Digital ID laws is whether Digital ID will be truly voluntary. The second reading speech of the repeal bill focused on exemptions to the requirement that underlying services be accessible without using a Digital ID (the voluntariness principle, in section 74 of the new Digital ID Act). It is argued these exemptions could make having a Digital ID de facto mandatory.
While we don’t expect this repeal bill to pass, with an election coming we may see pressure on both the Government and the opposition to modify Digital ID laws further.
Significant changes were made in the Senate, responding to concerns raised in Senate committees.
The Government has consulted on updated Digital ID Rules, Accreditation Rules and Data Standards to support the new Digital ID Act. Rules and standards are expected to be made in time for commencement of the Digital ID Act in December 2024.
The rules will be progressed in two tranches.
As part of a recent reset to Australia's Consumer Data Right (CDR), the Assistant Treasurer wrote to the CDR Data Standards Chair:
A key part of the CDR's reset is reducing costs with a more disciplined and predictable approach to standards changes – with a fixed number of scheduled data standards releases per year, and an explicit focus on implementation and cost impacts. We expect a similar approach to Digital ID data standards, particularly as the AGDIS expands to the private sector.
These changes have been proposed amid a very ambitious and busy digital, technology and cyber agenda for the Government, not long before the end of its term.
The Government’s plan to expand Digital ID economy-wide focuses initially on government, before a broader economy-wide integration. The expansion will follow four overlapping phases over a two-year period.
Detailed rules for private sector participants have not yet been laid down – the Government’s recent consultation draft of underlying rules (discussed above) focusses on what is necessary for "day one” of the new regime, with further rules expected within 12 months.
While the proposed legislation sets a framework for the Government’s vision, we expect it will need to change over time to facilitate these phases. Significant flexibility has been built in through exemptions, conditions and rule-making powers, similar to the approach adopted in the Consumer Data Right legislation – meaning the regime may be more easily tailored to deal with specific issues as they arise.
Service providers in the Digital ID ecosystem, including Commonwealth, state and territory government bodies and private sector businesses, can become accredited for specified types of services, although initially only Commonwealth non-corporate entities will participate in the AGDIS.
Accreditation provides a baseline set of obligations and regulatory oversight for accredited service providers displaying an Australian Government trustmark, whether they provide services in the AGDIS or in a separate system.
While accreditation is generally voluntary, a service provider needs to be accredited to provide services in the AGDIS. Participation rules for other Digital ID systems might also require accreditation, but there is no statutory requirement for them to do so.
Accreditation requires an applicant to demonstrate how its Digital ID services meet requirements relating to accessibility and usability, privacy protection, security and fraud control, risk management and technology integrity – a process overseen by the ACCC as Digital ID regulator.
Once accredited, a service provider must comply with a range of obligations, including:
The Digital ID regulator also has the power to impose, vary and revoke specific conditions on an accreditation if the regulator considers that doing so is appropriate in the circumstances. Such conditions might, for example, address perceived security concerns, limit the extent of an entity’s authorisation (for example, to exclude biometric information) or specify the use of particular technology or systems.
The Digital ID regime is a federated model under which different types of service providers must cooperate to deliver a seamless and secure experience for the end user.
There are three types of service accreditation:
Image text (for accessibility)
The infographic is a diagram that illustrates the roles and relationships of different entities involved in the Digital Identity system in Australia. The system allows people to access online services from the government and the private sector using a verified digital identity account. The diagram shows four main types of entities: the identity service provider, the relying party, the attribute service provider, and the digital ID regulator. The identity service provider helps people set up and manage their digital identity account, which requires a 100-point paper-based ID check and a biometric face verification. The relying party is the entity that provides the online service that people want to access, such as a government agency or a private business. The attribute service provider is the entity that verifies additional information about the person, such as their business or customer status, that may be required by the relying party. The digital ID regulator is the entity that oversees the system and protects against fraud and privacy breaches.
The Minister can add additional types of services over time as the Digital ID ecosystem evolves. For example, trusted digital wallets managing portable credentials will be a key part of the ecosystem, and policy development for digital wallets is already underway.
The exemptions framework will provide some flexibility within these categories. For example, where a service might fulfil some, but not all, of the responsibilities of an existing category of service the service provider could apply for targeted exemptions rather than lobbying for the addition of a new category of service. This could be particularly relevant for state and territory services.
Participation in the AGDIS is voluntary. However, if an accredited entity or a relying party wishes to participate, it must go through a further onboarding process and comply with additional obligations. One reason the AGDIS includes additional obligations is its importance in providing Commonwealth services.
Service providers must be accredited to provide services in the AGDIS. As part of “Phase 1” of the rollout, only non-corporate Commonwealth entities will be able to provide services in the AGDIS. State and territory governments will be able to apply for participation as part of Phase 2. Due to amendments made in the Senate, non-Commonwealth entities (like private sector participants and Commonwealth corporations) will be able to apply to participate in the AGDIS after two years (or earlier if determined by the Minister).
The Digital ID regulator’s decision to permit participation in the AGDIS is separate to accreditation – the regulator must consider whether the accredited entity can meet the additional requirements of the AGDIS.
A relying party is an organisation that uses the AGDIS, for example by accepting an AGDIS Digital ID as proof of identity. A relying party does not need accreditation, but access to the AGDIS will need to be approved by the Digital ID regulator.
Key principles underlying the AGDIS include the following.
Relying parties have more limited obligations – such as ensuring that users can choose their identity service provider to allow interoperability within the AGDIS, and to report (and support end users who suffer) incidents such as digital identity fraud or related cyber security incidents.
In granting approval to participate in the AGDIS, the Digital ID regulator can impose conditions that it considers appropriate in the circumstances – for example, conditions on the way services can be provided, kinds of information (including biometric information) which can be collected, and even specify the technology systems through which services are provided and place restrictions on changes to those systems. Further conditions can also be imposed under the rules.
Delivery of a Digital ID solution requires the various providers to work together, trusting that other providers are performing their roles appropriately. Currently, the providers involved in delivering the AGDIS are all Commonwealth bodies – but extending participation to state and territory and private sector raises questions about how liability will be allocated if things go wrong.
Liability under the Digital ID Act is managed using a combination of a statutory contract and a liability shield – a shield that was significantly narrowed in Senate debates. We noted in our previous publications that private sector participants would want to see more clarity around liability in the Digital ID Rules. Recognising the need to have a workable regime in place by December, the Government updated consultation drafts of the Digital ID Rules to defer detailed liability arrangements for a second tranche of rules expected within 12 months.
In the meantime, the rules include an interim arrangement reflecting the current (unlegislated) Trusted Digital Identity Framework. Under this interim arrangement, participants will not be able to make claims to be compensated for a breach of the statutory contract. Any compliance or non-compliance with the statutory contract is not considered a breach of the statutory contract, and no amount of compensation is payable for any kind of loss directly or indirectly attributable to non-compliance.
Once the second tranche of rules are introduced, service providers in the AGDIS can expect to be accountable not only to the Digital ID regulator, but to each other service provider and relying party in the AGDIS – a statutory contract is created between each accredited entity in the AGDIS and:
Entities will be able to take action in the Federal Circuit and Family Court of Australia, which can make a broad range of orders, including any order considered appropriate.
While the relationships between service providers and relying parties appear relatively straightforward with the currently very small number of AGDIS participants, we may see multiple identity exchanges operating within the AGDIS in the future – and interoperability requirements will mean that in the future service providers connected to one exchange may interact with service providers or relying parties connected to a completely different exchange.
The statutory contract framework facilitates interoperability in a way that traditional contracts would not – accredited service providers connected to any exchange will be automatically subject to a statutory contract with every other accredited service provider and every other relying party in the AGDIS, including those connected to different identity exchanges.
Under the statutory contract, an accredited entity agrees to comply with a limited set of obligations:
The recourse that a party to a statutory contract will be able to seek from the other party to the statutory contract is limited to these set obligations. Importantly, only accredited entities, and not relying parties, have obligations under the statutory contract. Accredited entities are protected from liability in limited circumstances – but the drafting of the liability shield was significantly tightened in the Senate. While the Digital ID Bill as introduced provided immunity to civil and criminal liability, the final liability shield will only apply to claims and proceedings brought by another participant or relying party in the AGDIS. The shield will not apply to, for example, claims brought by end users or regulators.
This change emphasises the need for strategic risk and obligations management – taking a holistic view of regulatory and legal risks. Understanding and complying with Digital ID requirements will not necessarily protect a provider from claims that it has breached other laws – which may have significant implications, particularly in the event of serious or systemic failures.
Under the final Digital ID laws, an accredited entity will have no civil or criminal liability:
The exclusion of service levels will allow the Data Standards Chair to set expectations that drive better performance, without exposing participants to unreasonable and unpredictable liability.
The statutory contract and liability shield leaves participants in the position where demonstrating compliance can mean the difference between absolute immunity and unpredictable liability – without the benefit of normal commercial tools like liability caps, exclusions of consequential or indirect loss, or force majeure regimes.
The Government has recognised this concern and included rule-making powers that will enable the Minister to limit the types of loss recoverable, introduce liability caps, exclude obligations from the statutory contract, or to exclude certain conduct or circumstances as breaches of the statutory contract. This detail hasn’t been included in consultation draft of the Digital ID Rules due to the interim arrangements that prevent claims under the statutory contract – however, we will see a more nuanced approach to liability in the second tranche of rules expected within 12 months.
The exact balance struck will have significant implications for risk management, insurance, and customer and supplier contract terms. On the one hand, potential liability to other participants presents an obvious financial risk – for example, if non-compliance by a participant enables a threat actor to create wide-spread harm. On the other hand, an inability to claim against other participants due to the liability shield can leave an organisation bearing financial loss caused by another participant.
Consumer Data Right legislation includes a similar (but different) liability shield and statutory contract arrangement, and we may see the models align over time.
Digital ID systems outside of the AGDIS will impose different rules – for example, through contracts signed by participants in private sector solutions. The statutory contract that applies to AGDIS participants can be seen as a transparent and regulated replacement of the commercial participation terms used in private sector solutions.
Penalties under the Digital ID Act are five times higher than those proposed in early exposure drafts – reflecting a growing trend towards higher penalties, particularly in areas of consumer, data and cyber safety.
Maximum penalties can be up to 1,000 penalty units, or 1,500 penalty units in some cases, such breach of an additional privacy safeguard or offshoring AGDIS data unlawfully. Government bodies and bodies corporate can face maximum penalties five times this amount – currently amounting to maximum penalties of $1,565,000 or $2,347,500 per breach.
Failure to comply with new privacy safeguards is considered an interference with privacy, exposing entities to maximum penalties potentially exceeding $50 million. In addition, new privacy laws expected this month are likely to include new lower tiers of penalties, a new direct right of action for breaches of the Privacy Act, and a statutory tort for a serious invasion of privacy.
The liability shield discussed above is particularly important given the potential privacy risks that could flow from a systemic failure in the Digital ID system – the liability shield will not protect service providers from massive new privacy penalties, and potential class actions or other claims under new privacy reforms – whether or not they have complied with Digital ID laws.
Oversight and enforcement of the Digital ID laws are shared between:
The Government continues to describe the Australian Competition and Consumer Commission (ACCC) as the "initial" regulator – consistent with earlier comments from Minister Katy Gallagher that the Government may hand oversight over to a "digital-specific regulator" as the system matures.
The Digital ID regulator is responsible for governing the Accreditation Scheme and approving entities who wish to become accredited providers in the AGDIS.
The Digital ID regulator’s powers allow it to give directions, require production of information or documents, and suspend or revoke accreditation or approval. In relation to enforcement, the regulator has powers to issue infringement notices, and seek enforceable undertakings, injunctions, and civil penalties. Functional separation has been adopted (to a degree) by placing rule-making powers with the Minister rather than the Digital ID regulator to reflect current arrangements under the Consumer Data Right (the ACCC originally held rule-making powers).
It is possible that future Digital ID regulation will adopt greater functional separation – we may see the role of the Digital ID regulator split, with a registrar focussed on accreditation, and a regulator focussed on compliance and enforcement. Such an arrangement might encourage more open engagement on accreditation challenges.
The new Digital ID laws supplement existing notifiable data breach obligations in the Privacy Act or state or territory equivalents – reports to privacy regulators must be given to the Digital ID regulator at the same time. Where another regime does not apply to an accredited entity, the Commonwealth notifiable data breach regime will apply.
In addition, the Digital ID Rules require accredited service providers in the AGDIS to notify and manage "reportable incidents". These incident notification obligations have been simplified in latest consultation drafts of the rules – notifications now need to be made within one business day (rather than 24 hours) after an entity becomes aware of an incident or suspected incident. Incidents must now be reported to the Digital ID System Administrator (Services Australia).
The rules provide a degree of flexibility – if an initial notification is verbal, a written notification must be provided within three working days. Acknowledging that it may not be possible to provide all information in relation to a cyber security incident within the prescribed timeframe, interim further notifications can be given every 48 hours as additional information becomes available. This flexibility can be extremely important in the initial aftermath of a cyber incident where, for example, computer systems normally used for incident reporting might be compromised, or where the full picture is not yet clear.
However, this regime does not align with other data breach reporting obligations, such as under the Commonwealth Privacy Act (or state/territory equivalents) or security of critical infrastructure legislation. Accredited entities will need to update their cyber response plans to manage different reporting obligations and timelines.
In addition to the notification requirements, the Digital ID regulator has the power to suspend the accreditation of an accredited entity in a range of circumstances, including serious cyber security incident involving the entity, or if one is imminent. The Digital ID regulator can also revoke accreditation or approval to participate in the AGDIS for a "serious" cyber security incident.
The ability to in effect exclude service providers may on the one hand help triage compromised systems and protect other parts of the Digital ID ecosystem – but may also cause significant interruption at a particularly challenging time. In theory, a network of interoperable service providers would provide a level of redundancy – but in practice, relying parties and individuals may lose their ability to access services if their chosen identity service provider is excluded. If an identity exchange is excluded, the service providers connected to that identity exchange might be unable to operate. Building true redundancy will require service providers to be connected to multiple exchanges, and relying parties and individuals will need identity credentials maintained by multiple identity service providers.
Organisations will need to factor both cyber risks, and the risk of potential business interruption, into their business continuity plans.
End users will not be charged for creating or using an AGDIS Digital ID. Relying parties looking to verify identities using the AGDIS will need to build Digital ID costs into their overall commercial framework rather than passing costs on to users directly. The legislation was amended in the Senate to require the Attorney-General to table reviews and feedback regarding Digital ID fees in Parliament.
The Government will not charge entities for accreditation and participation in the first two phases of expansion (across Commonwealth and state and territory governments). However, the Department of Finance will develop and conduct public consultations on an approach for charging ahead of private sector participation in the AGDIS.
The charging model, and how charges may be recouped, will be an important factor impacting industry uptake, participation, and use of AGDIS. The model may also have knock-on effects on commercial models and investment in private sector and state and territory Digital ID solutions (whether part of the AGDIS or not).
Commercial models adopted overseas will also need to be considered – not only must Australian Digital ID systems be technically interoperable with overseas solutions, but also commercially interoperable.
The Digital ID (Transitional and Consequential Amendments) Act 2024 prioritises making sure that Commonwealth Government bodies currently using and relying on the (unlegislated) AGDIS can continue to operate with minimal disruption. Commonwealth Government bodies and services already accredited are deemed accredited under the new regime, and those approved to participate in the current unlegislated AGDIS are deemed approved under the new regime.
Accreditation and approvals are subject to conditions similar to those that currently apply (for example, limiting accreditation and approvals to specified services, and requiring services to directly connect to Services Australia). This means new or changed services, or changes to how services interconnect, will require review and changes to accreditations and approvals.
The Act does not automatically transfer accreditation or approval for non-Commonwealth entities, who would need to meet the Accreditation Rules. But the door has been left open for the Minister to make further transitional rules (including to similarly deem accreditation and approval) in the first 12 months after commencement, allowing the Minister to transfer existing accreditation and approval (potentially subject to conditions).
Explanatory materials call out an important use of transitional rules – to allow the Commonwealth to test plans, systems and business processes for future expansion of the AGDIS by:
This ability for the Commonwealth to test systems and processes is in addition to the AGDIS System Administrator (Services Australia) power under the Digital ID Bill to authorise entities to conduct testing in the AGDIS without holding an approval to participate from the Digital ID regulator, which may be granted for up to three months and can be conditional.
A deeper dive into Australia's Digital ID Bill (6 December 2023)
Whole-of-economy Digital ID laws by the end of the year (29 September 2023)
Identity Resilience and digital identity – key defences against cyber threats (23 August 2023)
Australian digital identity gains traction – a new national strategy, and legislation on its way (7 August 2023)
Managing cyber risk digital identity comes back into focus in Australia (18 April 2023)
A trusted digital identity framework for Australia (13 October 2021)
This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.
The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.
The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.
For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com
This material is current as at 15 August 2024 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.
Sign-up to select your areas of interest
Sign-up