27/05/2020

Peter Leonard, UNSW Business School Professor and G+T consultant, was in the midst of the effort to improve the COVIDSafe app law. In this article, he throws out the challenge that – hurried as it was – the Government’s approach to the COVIDSafe law should be how all privacy and data laws are made going forward.

BC (before COVID-19), legislative drafters operated within "a special sealed bubble within the Canberra bubble", instructed by departments preparing drafting instructions that reflect what the Government says it wants legislated. Exposure or working drafts of bills, common in some other democracies, were the exception in Australia.

BC, as Peter points out, the result was that we often ended up with sub-optimally drafted bills entering the Parliament. As Parliament itself has become more partisan, changes to sort out the problems introduced through Parliamentary committees or on the floor rarely succeed (unless you can get enough cross benchers onside).

Then, as Peter puts it, “enter from stage left the villain and random disrupter of 2020, COVID-19, and from stage right, its would-be vanquisher, the CovidSafe app.”

The Morrison Government’s mission in legislating in support of the COVIDSafe app was simple: get take-up of the COVIDSafe app above 40% of mobile phone users.

Achieving this goal required building the trust of a large segment of citizens who don’t trust governments with their data. The argument that you give more data to Facebook did not fly with many people. Federal governments have been woeful at nurturing digital trust: witness mandatory decryption, Robodebt, Censusfail, and MyHealth Record mandatory opt-in.

The Government had to find a new course up the mountain: it couldn’t just say, "trust us."

First, there is a marked absence in the COVIDSafe law of the woolly language that has characterised so-called ‘safeguards’ in the suite of national security laws enacted BC. For example, there is a clear, explicit statutory commitment to keep Federal, State and Territory enforcement agencies, and courts out of COVIDSafe data.

Second, the COVIDSafe law needed to provide that a responsible Federal authority would take end-to-end responsibility for management of COVIDSafe app data on mobile phones and as the data passed all the way through to the State or Territory contact tracer. BC, government authorities disliked assuming responsibility for acts and omissions of others, even when others handle data within data ecosystems created and managed by the authority. However, the COVIDSafe law accepts that with great data power should come great responsibility.

Third, the COVIDSafe law requires the responsible Federal agency to implement controls and safeguards (including functional separation of the COVIDSafe data) and to expose itself to independent oversight. BC, governments proved stubbornly resistant to stating in law precisely what the Government is saying its departments and agencies have no intention of ever doing.

Fourth, the Attorney-General’s Department listened to privacy advocates and rights lawyers, among others, and took into account a fair bit of what they had to say. If this can be done in the rushed timeframe for the COVIDSafe law, this openness in drafting legislation should be that much more feasible in the ‘back-to-normal’ legislative process.

Peter concludes that the Government, by and large, succeeded in demonstrating that it “should be gifted digital trust in the COVIDSafe app by a sceptical segment of citizens who collectively held in their hands the power to withhold that gift."

Then we come to Peter's challenge for the “new normal”:

“Will we see a reprise of this newly consultative process and legislating for demonstrably good data governance and data accountability by government agencies? Maybe. If so, that would be one of those few excellent things to come out of this very bad crisis.”
