Australia to implement landmark national Digital ID system
Written By
The Australian Federal Government passed the Digital ID Bill 2024 on 16 May 2024.
The soon-to-be Digital ID Act 2024 (Cth) (Act) paves the way for a national Digital ID system, that will, when implemented, allow individuals to verify their identity for online transactions with government agencies and businesses without having to hand over any unnecessary personal information.
The current regime
Currently, individuals wishing to engage in certain transactions, for example applying for a rental property or a mobile plan, must verify their identity by providing physical or digital copies of various identification documents until 100 points of ID are collected.
To strengthen identity management in the digital economy, in 2015, the government created the Trust Digital Identity Framework (TDIF), which established:
- the Australian Government Digital ID System (AGDIS), which enables individuals to access approximately 130 government services via a government-issued Digital ID called “myGovID”; and
- an accreditation scheme for Digital ID service providers in both the public and private sectors.
The purpose of the Digital ID Act 2024 (Cth) (the Act) is to legislate the TDIF and build upon the existing AGDIS and accreditation scheme.
Key changes brought by the Digital ID Act 2024 (Cth)
1. It’s “Digital ID”, not “Digital Identity”
A key objective of the Act is to establish a national Digital ID system (an expanded version of the existing AGDIS) under which individuals can set up and use their Digital ID to facilitate identity verification for online transactions.
Digital ID is “a distinct electronic representation of the individual that enables the individual to be sufficiently distinguished when interacting online with services.” The Act does not create a digital identity or any new identification document. This is consistent with previous comments including the second reading speech: “Digital ID is not a card, it's not a unique number, nor a new form of ID.”
2. Voluntary participation
A business must not, as a condition of providing a service, require an individual to create or use a Digital ID. This means that even if the entity participates in the AGDIS, it must provide individuals with another means to access that services that does not involve the creation or use of a Digital ID – creating and using a Digital ID must be voluntary.
3. Legislated accreditation scheme
The Act replaces the existing unlegislated TDIF accreditation scheme with a legislated voluntary accreditation scheme that requires all public and private sector Digital ID service providers to demonstrate high standards for privacy, security and accessibility. The Digital ID Regulator will be responsible for determining all accreditation applications and is given the power to suspend, revoke or cancel accreditations if certain baseline obligations are not met.
4. Additional privacy safeguards
The Act provides additional privacy safeguards in two ways. Firstly, the Act implements strict privacy obligations around the handling of sensitive information by accredited Digital ID service providers, like prohibiting the collection of certain sensitive information (e.g., a person’s political opinions or sexual orientation) and requiring express consent before certain personal information can be disclosed to entities participating in the AGDIS.
Secondly, the Act indicates that these additional privacy obligations operate in addition to the Australian Privacy Principles imposed under the Privacy Act 1988 (Cth). If the Privacy Act 1988 (Cth) does not apply to the Digital ID service provider, the Act allows the Minister to enter into an agreement with the service provider to ensure that it is subject to equivalent privacy protections.
5. Phased expansion of the AGDIS
The Act envisages a phased expansion of the AGDIS to achieve a national Digital ID system in both the public and private sector by 2026. Phases 1 and 2 will see the AGDIS expand to incorporate more Commonwealth, state and territory government services. Phase 3 will allow the use of public sector Digital ID service providers, such as myGovID, for private sector services. Finally, phase 4 will permit private sector Digital ID service providers to facilitate certain government services.
6. Interoperability obligations
The Act empowers the Minister to make rules about interoperability obligations, that is, provisions that prohibit participating entities and Digital ID service providers from refusing to provide certain services to participants in the ADGIS. The effect of these obligations is that end users will be able to choose which Digital ID service provider they want to use to verify their identity for their online transaction. More details on these interoperability obligations are expected once the Digital ID Rules are released.
7. Liability and redress framework under the AGDIS
The Act introduces a liability and redress framework to manage the relationship between entities and service providers participating in the AGIDS. A key feature under the framework is the provision of a statutory contract between entities participating in the AGDIS. Subject to further obligations stipulated in the forthcoming Digital ID Rules, the statutory contract will facilitate the interoperability obligations noted above and impose obligations in relation to intellectual property rights. Any dispute arising from the statutory contract will be heard in the Federal Circuit and Family Court of Australia.
Another key feature is the provision of a limited liability shield, which provides an accredited Digital ID service provider immunity from civil and criminal liability if it provides or does not provide an accredited service within the AGDIS in good faith and in compliance with the Act (other than the service levels obligations).
8. Regulatory oversight and enforcement
The Australian Competition and Consumer Commission is appointed as the independent Digital ID Regulator responsible for overseeing and enforcing the Act.
Other regulators under the Act include:
- the Office of the Australian Information Commissioner, who will advise on and enforce privacy protections under the Act;
- Services Australia as the System Administrator, who will perform the day-to-day operational matters under the Act; and
- the Digital ID Data Standards Chair, who will consult with industry and issue data standards.
A failure to comply with the Act can attract a maximum civil penalty of 1,000 units (currently, $313,000) or 1,500 units (currently, $469,500), depending on the offence. In addition to that, a failure to comply with privacy safeguards under the Act could constitute an “interference with privacy” under the Privacy Act 1988 (Cth), attracting a maximum penalty of $2.5 million for individuals or more than $50 million for corporations.
What’s next?
The Digital ID Bill 2024 received Royal Assent on 30 May 2024 and the associated Act will commence in November by 1 December 2024.
In the meantime, the latest Budget Papers indicate that the government will invest $288.1 million to deliver the Digital ID system envisioned under the Act, including $23.4 million over the next two years for the Australian Taxation Office, Department of Finance and Services Australia to pilot the use of government digital wallets and verifiable credentials.
Draft 2024 Digital ID Rules, Accreditation Rules and Accreditation Data Standards were also recently released for public consultation. Submissions will close on 25 June 2024.
Overall, the implementation of this long-awaited national Digital ID system will significantly impact how Australians navigate the digital landscape in the years ahead, with a particular focus on privacy, security and accessibility.
For more information about the Digital ID Act 2024 (Cth) and its impact on your business, please contact our team at Bird & Bird Australia.
