COVIDSafe App Draft Law updated

One issue which we flagged in our earlier post this week, was that the Determination made by the Federal Health Minister could be amended at any time.

To address this issue, the Federal Government has now released the exposure draft of the Privacy Amendment (Public Health Contact Information) Bil 2020 which is expected to go before Federal Parliament on 12 May 2020 for debate and rapidly become law.

The Bill proposes, at s94D, a specific offence, punishable by up to 5 years in prison, for any person who collects, uses or discloses data collected by the COVIDSafe App which is not otherwise permitted under the framework set by the Bill.

Not all are convinced, with Prof Graham Greenleaf and Dr Katherine Kemp of UNSW Law saying:

The COVIDSafe Bill includes some significant improvements … but it still falls short on substantial issues.

Some other improvements include that individuals can now take action to enforce a breach of their privacy rights, which is an important step to ensuring compliance by bringing the obligations surrounding the COVIDSafe App into the Federal Privacy Act.

There’s a technical improvement to make the Federal law apply to State and Territory health officials.

What else has been improved from the Determination?

1. The App still doesn’t work in Apple’s IOS – NOT FIXED Unless the app is open in the foreground (i.e. is on your screen) the App cannot access bluetooth to work. Apple needs to patch this urgently or the App is next to useless for a large number of users.

2. Consent for upload of data – FIXED The requirement in the Determination for consent from the person “in control” of the phone to upload the COVIDSafe has been fixed in s94E(c) to “the COVIDSafe user” or a parent, guardian or carer if the user cannot consent or has pre-approved them to consent.

3. Oversight – NOT FIXED While the Senate will review the Bill in committee, there is a lack of ongoing oversight which would be useful in protecting privacy.

4. Determination can be amended – FIXED The Determination can be amended at will by the Health Minister, so it should be replaced with an actual law which requires parliament to amend it.

5. Technology not as good as Apple/Google approach – NOT FIXED The Apple/Google contact tracing models are likely to have better baked in systems for tracing outbreaks.

6. The App still logs ALL contacts, not just those for more than 15 minutes – NOT FIXED There is still an issue in that the App at a technically level collects all bluetooth connections which register at all for a user. The government has repeatedly said only contacts for more than 15 minutes at 1.5m (the former can be ascertained but the latter is essentially impossible to do with bluetooth signals). This is not correct. In response, the Department of Health has said it would limit the data being released to those contacts which were recorded for more than 15 minutes. However the Bill doesn’t include this in the text and there appears to be no way to legislate and technologically implement the 1.5m rule.

What other issues are there?

Prof Greenleaf and Dr Kemp have expressed their concerns that:

1. The definition of the COVIDSafe data could technically not fall under the definition in the Bill once decrypted This could lead to the data theoretically being outside the Bill and free to use for other purposes. I’m not sure I agree with this point given the decrypted data was still created in the first instance on the COVIDSafe App and so should fall within the definitions of the Determination and the Bill, but it can’t hurt to make it clearer that data, whether decrypted or not, is protected.

2. Stronger anti-coersion are not included in the Bill There is a prohibition on the refusal of service / trade for someone without the App, but nothing preventing discounts being offered for those who do have the App installed (for example). We already have Apps which give discounts to insurance arising from behaviour so I’m not persuaded this is really needed and it could be a really useful incentive to people to adopt (get a free drink if you have the App installed would encourage a LOT of people to sign up).

3. The government source code hasn’t been officially released The government should provide a full source code (including cloud code) release so that experts in reviewing code can see that the system designed in fact operates as promised. While we have this in relation to the phone apps in a de facto manner, we do not yet have an official source code release from the government.

So what’s next?

Given we know that the App stores data only locally, there is next to no downside in downloading the App and installing it so as to automate any contact tracing you may need to assist with if you are unfortunate enough to contract COVID-19. Together with that, we should continue to press for improvements to the privacy protections of our data being collected by the Government to help drive a better standard of privacy by design now and in the future.