Goodbye job applications, hello dream career
Seize control of your career and design the future you deserve with LW career
GET STARTED

The Digital ID Act and Aussie businesses: A match made in heaven?

The national economy-wide Digital ID system that new legislation envisions is still in its infancy. Whether businesses will embrace the Digital ID system as it expands into the private sector in the next two years remains to be seen, writes Hamish Fraser.

user iconHamish Fraser 23 July 2024 Politics
expand image

Providing “Australians with the choice to use a secure, convenient and voluntary way to verify themselves when interacting with government and businesses online” and “allow Australia to harness the advances of new technology and its benefits across the economy” is the stated goal of Finance Minister Senator Katy Gallagher for the Digital ID Act 2024 (Cth) (Act).

You’re out of free articles for this month
It’s a lofty goal, to be sure, and it’s useful to understand what the act does and where it takes us.

Implications for businesses in Australia

  1. A simpler way to verify identity
The objective of the act is to establish a national Digital ID system under which individuals can set up and use their Digital ID to facilitate identity verification for online transactions in both the public and private sectors.

The act envisions an identity verification process that occurs in real time and without the need to hand over any physical documents or unnecessary personal information to the business.

  1. Data minimisation
The Digital ID system is built upon the principle of data minimisation – the idea that businesses should only collect personal data that is reasonably necessary for them to provide their service to the customer.

This data minimisation principle benefits not only customers (the less data the customer shares with the business, the less likely the customer will be exposed to the risks of a data breach) but also businesses.

By participating in the Digital ID system, businesses will collect less customer data and, in turn, reduce the risks associated with data breaches (see, for example, the ongoing OAIC civil penalty proceedings against Medibank over its 2022 data breach in which the Federal Court may impose a total potential maximum penalty of about $21 trillion against Medibank for contravening the Privacy Act 1988 (Cth)).

Indeed, the reality is that data can be a liability as much as a benefit, and it requires appropriate management.

  1. Expansion into the private sector
The vision of expanding the Digital ID system into the private sector has excited many, but there remains a lot of uncertainty about how this will be done. With the expansion into the private sector only taking place in phase three out of four (we are currently in phase one), the government is still trying to find the right balance between advancing consumer interests and ensuring that the Digital ID system will be commercially attractive and not too burdensome for businesses to participate in.

Therefore, businesses interested in participating in the Digital ID system should watch the implementation of which are currently either postponed or under public consultation:

  • Data localisation rules: the act requires accredited Digital ID service providers to keep data used in the Digital ID system in Australia, but it has yet to clarify whether this requirement precludes users from benefiting from, for example, best-in-class security solutions that rely on internationally hosted cloud services.
  • Interoperability obligations: the act imposes an interoperability obligation on all participating entities, but it has yet to confirm exemptions to this obligation, which businesses may wish to benefit from in certain circumstances.
  • Conditions on approval to participate: in addition to being an Australian entity or a foreign registered company, the draft 2024 Digital ID Rules also require businesses to conduct fraud and cyber security risk assessments and have in place plans to manage such incidents, the details of which are currently subject to consultation.
  • Statutory contract and liability arrangements: the content of the statutory contract applicable to the private sector has yet to be released, but it could stipulate specific conducts or circumstances that would constitute a breach of contract, limits on liability, interoperability arrangements and intellectual property rights.
How these provisions will pan out come phase THREE could determine whether the Digital ID system will be sufficiently attractive to businesses.

  1. Part of Australia’s larger data privacy reforms
Businesses should also be aware that the act is part of Australia’s larger data privacy reforms and interacts with other data privacy laws.

For instance, the upcoming Privacy Act reforms (which the government intends to table to Parliament in August this year) will impact how entities operate under the Digital ID system and could encourage more businesses to participate in the Digital ID system to overcome the risk of breaching the soon-to-be-more-stringent Privacy Act.

A match made in heaven?

The national economy-wide Digital ID system that the recently enacted Digital ID Act envisions is still in its infancy. Whether businesses will embrace the Digital ID system as it expands into the private sector in the next two years remains to be seen.

Businesses should be aware of the act, and those that want to offer services should familiarise themselves with the act and associated rules, participate in public consultations and be ready to play a role in building Australia’s digital economy.

Hamish Fraser is a partner at Bird & Bird.

Tags
You need to be a member to post comments. Become a member for free today!