The Digital ID Act and Aussie businesses: A match made in heaven?

The national economy-wide Digital ID system that new legislation envisions is still in its infancy. Whether businesses will embrace the Digital ID system as it expands into the private sector in the next two years remains to be seen, writes Hamish Fraser.

Hamish Fraser • 23 July 2024 • Politics

Providing “Australians with the choice to use a secure, convenient and voluntary way to verify themselves when interacting with government and businesses online” and “allow Australia to harness the advances of new technology and its benefits across the economy” is the stated goal of Finance Minister Senator Katy Gallagher for the Digital ID Act 2024 (Cth) (Act).

You’re out of free articles for this month

Username or Email

Password Forgot password?

Keep me signed in on this device.

First Name

Last Name

Mobile

Organisation Type

By becoming a member, I agree to receive information and promotional messages from Lawyers Weekly. I can opt out of these communications at any time. For more information, please visit our Privacy Statement.

Need help signing up? Visit the Help Centre.

It’s a lofty goal, to be sure, and it’s useful to understand what the act does and where it takes us.

Implications for businesses in Australia

A simpler way to verify identity

The objective of the act is to establish a national Digital ID system under which individuals can set up and use their Digital ID to facilitate identity verification for online transactions in both the public and private sectors.

The act envisions an identity verification process that occurs in real time and without the need to hand over any physical documents or unnecessary personal information to the business.

VIEW ALL

Data minimisation

The Digital ID system is built upon the principle of data minimisation – the idea that businesses should only collect personal data that is reasonably necessary for them to provide their service to the customer.

This data minimisation principle benefits not only customers (the less data the customer shares with the business, the less likely the customer will be exposed to the risks of a data breach) but also businesses.

By participating in the Digital ID system, businesses will collect less customer data and, in turn, reduce the risks associated with data breaches (see, for example, the ongoing OAIC civil penalty proceedings against Medibank over its 2022 data breach in which the Federal Court may impose a total potential maximum penalty of about $21 trillion against Medibank for contravening the Privacy Act 1988 (Cth)).

Indeed, the reality is that data can be a liability as much as a benefit, and it requires appropriate management.

Expansion into the private sector

The vision of expanding the Digital ID system into the private sector has excited many, but there remains a lot of uncertainty about how this will be done. With the expansion into the private sector only taking place in phase three out of four (we are currently in phase one), the government is still trying to find the right balance between advancing consumer interests and ensuring that the Digital ID system will be commercially attractive and not too burdensome for businesses to participate in.

Therefore, businesses interested in participating in the Digital ID system should watch the implementation of which are currently either postponed or under public consultation:

Data localisation rules: the act requires accredited Digital ID service providers to keep data used in the Digital ID system in Australia, but it has yet to clarify whether this requirement precludes users from benefiting from, for example, best-in-class security solutions that rely on internationally hosted cloud services.
Interoperability obligations: the act imposes an interoperability obligation on all participating entities, but it has yet to confirm exemptions to this obligation, which businesses may wish to benefit from in certain circumstances.
Conditions on approval to participate: in addition to being an Australian entity or a foreign registered company, the draft 2024 Digital ID Rules also require businesses to conduct fraud and cyber security risk assessments and have in place plans to manage such incidents, the details of which are currently subject to consultation.
Statutory contract and liability arrangements: the content of the statutory contract applicable to the private sector has yet to be released, but it could stipulate specific conducts or circumstances that would constitute a breach of contract, limits on liability, interoperability arrangements and intellectual property rights.

How these provisions will pan out come phase THREE could determine whether the Digital ID system will be sufficiently attractive to businesses.

Part of Australia’s larger data privacy reforms

Businesses should also be aware that the act is part of Australia’s larger data privacy reforms and interacts with other data privacy laws.

For instance, the upcoming Privacy Act reforms (which the government intends to table to Parliament in August this year) will impact how entities operate under the Digital ID system and could encourage more businesses to participate in the Digital ID system to overcome the risk of breaching the soon-to-be-more-stringent Privacy Act.

A match made in heaven?

The national economy-wide Digital ID system that the recently enacted Digital ID Act envisions is still in its infancy. Whether businesses will embrace the Digital ID system as it expands into the private sector in the next two years remains to be seen.

Businesses should be aware of the act, and those that want to offer services should familiarise themselves with the act and associated rules, participate in public consultations and be ready to play a role in building Australia’s digital economy.

Hamish Fraser is a partner at Bird & Bird.

You need to be a member to post comments. Become a member for free today!

Lawyers Weekly - legal news for Australian lawyers

SECTIONS

MORE

The Digital ID Act and Aussie businesses: A match made in heaven?

OUR PLATFORMS AND BRANDS

EVENTS AND SUMMITS

PODCASTS

LEARNING AND EDUCATION

MOMENTUM MARKETS NETWORK

LINKS

STAY CONNECTED