Providing “Australians with the choice to use a secure, convenient and voluntary way to verify themselves when interacting with government and businesses online” and “allow Australia to harness the advances of new technology and its benefits across the economy” is the stated goal of Finance Minister Senator Katy Gallagher for the Digital ID Act 2024 (Cth) (Act).

It’s a lofty goal, to be sure, and it’s useful to understand what the act does and where it takes us.

Implications for businesses in Australia

1. A simpler way to verify identity

The act envisions an identity verification process that occurs in real time and without the need to hand over any physical documents or unnecessary personal information to the business.

2. Data minimisation

This data minimisation principle benefits not only customers (the less data the customer shares with the business, the less likely the customer will be exposed to the risks of a data breach) but also businesses.

By participating in the Digital ID system, businesses will collect less customer data and, in turn, reduce the risks associated with data breaches (see, for example, the ongoing OAIC civil penalty proceedings against Medibank over its 2022 data breach in which the Federal Court may impose a total potential maximum penalty of about $21 trillion against Medibank for contravening the Privacy Act 1988 (Cth)).

VIEW ALL

Indeed, the reality is that data can be a liability as much as a benefit, and it requires appropriate management.

3. Expansion into the private sector

Therefore, businesses interested in participating in the Digital ID system should watch the implementation of which are currently either postponed or under public consultation:

• Data localisation rules: the act requires accredited Digital ID service providers to keep data used in the Digital ID system in Australia, but it has yet to clarify whether this requirement precludes users from benefiting from, for example, best-in-class security solutions that rely on internationally hosted cloud services.
• Interoperability obligations: the act imposes an interoperability obligation on all participating entities, but it has yet to confirm exemptions to this obligation, which businesses may wish to benefit from in certain circumstances.
• Conditions on approval to participate: in addition to being an Australian entity or a foreign registered company, the draft 2024 Digital ID Rules also require businesses to conduct fraud and cyber security risk assessments and have in place plans to manage such incidents, the details of which are currently subject to consultation.
• Statutory contract and liability arrangements: the content of the statutory contract applicable to the private sector has yet to be released, but it could stipulate specific conducts or circumstances that would constitute a breach of contract, limits on liability, interoperability arrangements and intellectual property rights.

4. Part of Australia’s larger data privacy reforms

For instance, the upcoming Privacy Act reforms (which the government intends to table to Parliament in August this year) will impact how entities operate under the Digital ID system and could encourage more businesses to participate in the Digital ID system to overcome the risk of breaching the soon-to-be-more-stringent Privacy Act.

A match made in heaven?

The national economy-wide Digital ID system that the recently enacted Digital ID Act envisions is still in its infancy. Whether businesses will embrace the Digital ID system as it expands into the private sector in the next two years remains to be seen.

Businesses should be aware of the act, and those that want to offer services should familiarise themselves with the act and associated rules, participate in public consultations and be ready to play a role in building Australia’s digital economy.

Hamish Fraser is a partner at Bird & Bird.