Australia’s Tsunami of Data Laws – ID, Open Data, Cyber Front Doors. What + Why

From IIW


Day/Session: Tuesday 3I

Convener: Greg Adamson

Notes-taker(s): Greg Adamson


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

The session looked at a large number of digital changes in Australia this year, and whether this is similar to other countries. The lower level of protections in Australia, particularly the absence of a Bill of Rights, means that poorly structured ideas (from a consumer perspective) could be adopted in Australia and then be introduced into other countries.

  1. The Digital Transformation Agency is currently implementing the Trusted Digital Identity Framework, an enormous digital identification initiative. This is advocated based on a definition from the UN Commission on International Trade Law. Work on this project is well advanced, with 16 documents running to hundreds of pages released this year.
  2. World Bank Identification for Development (ID4D) is a World Bank program to implement digital identity systems across Africa in particular, supported by the Gates Foundation, Omidyar Network, and the Australian Government. The program is modelled on the Aadhaar biometric identification system in India, introduced without a legislative framework. Australia has taken on as its mission the introduction of identity systems to vulnerable populations in Africa.
  3. Consumer Data Right. The Treasury Laws Amendment (Consumer Data Right) Bill 2018 is the first legislative step in the creation of an “open data” environment in Australia. The ACCC CDR Rules Framework supports the sharing of data by consumers with Accredited Data Receivers (ADRs) “for any lawful use”. Because the benefit is framed as commodification of personal data, including of minors, rather than an increase in public good, the design focusses on preventing any block to the release of that data, rather than on protection of the individuals from avaricious company behaviour. If a customer is given a warning, it is okay to share data with an organisation anywhere in the world, without limits.
  4. Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018: The government takes a dim view of encrypted information. In this bill the government significantly lowers the barrier for demands that it can decrypt encrypted traffic for the following purposes: enforcing the criminal law and laws imposing pecuniary penalties; assisting the enforcement of the criminal laws in force in a foreign country; protecting the public revenue; or the interests of Australia’s national security, the interests of Australia’s foreign relations or the interests of Australia’s national economic well-being.

Outcome from discussion

In discussion, two interesting points emerged:

First, some equivalent programs can be found in Europe. In particular, electronic IDentification, Authentication and trust Services (eIDAS) provides a framework for the use of digital signatures. This is a guideline for national legislation, as is the Revised Directive on Payment Services (PSD2), which gives guidelines for payments. The missing part in Australia is a data protection framework equivalent to the General Data Protection Regulation (GDPR). Unlike guidance, the GDPR is a regulation applying throughout the European Union.

Second, a key insight from a global corporate perspective was that within the Australian market attitudes to privacy are considered to be similar to those in Europe. Therefore, we face a potential mismatch between community attitudes to privacy, and intrusive legislation and programs introduced without concomitant protections.