Senate debates

Wednesday, 13 May 2020

Bills

Privacy Amendment (Public Health Contact Information) Bill 2020; Second Reading

9:32 am

Nick McKim (Tasmania, Australian Greens)

The Australian Greens will be supporting the Privacy Amendment (Public Health Contact Information) Bill 2020, because it is not enabling legislation for the app—because the app is already out there on people's devices in significant numbers—but is in fact enabling legislation in the main around privacy protections associated with the data collected via the app. That's a very important distinction. This bill is an improvement on the determination that it effectively replaces. It introduces additional privacy protections that were not present in Minister Hunt's determination. It introduces other remedies that were not present in the determination and it introduces oversight under the Privacy Act that was not present in the determination. It also provides coverage over state and territory health officials. I will speak more about that later.

I want to commend the government for releasing a draft of this legislation publicly. Obviously, this has been a far quicker process than we would normally go through, both in terms of how the government has dealt with it and in terms of how the Senate has dealt with it, but we understand the urgency here, driven by the pandemic we all are living through. I also want to commend the government for introducing protections in this legislation that the Australian Greens and others argued were lacking in the determination. The privacy protections contained in this bill are in fact far more robust than the privacy protections contained in regard to many other data that the government holds. It begs the question as to why the government believes that this data should be protected by more robust privacy protections than, for example, the metadata that the government requires corporations to keep. These privacy protections should be standard, not the exception.

We understand the urgency and respect the need for this legislation, particularly as the COVIDSafe app has been live since 26 April and has been downloaded by approximately 5½ million people. However, we retain concerns around the security provisions associated with the data that this app will collect and we also retain concerns around transparency.

To set a bit of context, I want to touch off on this government's record of privacy breaches and data security mismanagement over the last few years. To say this government has a cavalier attitude towards data security would be a gross understatement. This is the government responsible for our metadata laws in Australia. The metadata laws were sold to the Australian people on the basis of protecting us from terrorism and are now being used by local councils to investigate littering and to investigate people for having unregistered pets. To describe that as scope creep would again be a gross understatement. This is the government that deliberately leaked to a media outlet the private information of a Centrelink client who was critical of Centrelink's illegal robodebt scheme. This is the government that repeatedly leaked private medical information of people seeking asylum to the media in an attempt to undermine the medevac legislation. This is the government responsible for the census fail. This is the government that failed to properly de-identify Medicare data which ended up for sale on the dark web. This app is being championed among others by Minister Robert, who falsely claimed the Centrelink website fell apart because of a denial-of-service attack. If there's scepticism in the community about this government's capacity to protect people's personal information, that is entirely down to the government's own actions and failure to protect people's data in the past and to its cavalier attitude towards data protection.

Nearly two weeks after releasing the app and three weeks after Minister Robert said he would, the government did finally release the source code for COVIDSafe. This is an important step for transparency, and I thank the government and congratulate it for doing that. But the government has also said that it's considering publicly releasing the data management protocols that either have been or will be signed between the Commonwealth government and state and territory governments. Those protocols will govern how state and territory governments handle the data that, in the event of a positive test for coronavirus, is then provided to state and territory health authorities to allow them to go through the contact tracing process. I would ask the minister, if she's able, to update the Senate about whether or not those protocols have been signed and whether the government still intends to make those data management protocols or agreements public.

Another concern the Greens have, and Senator Watt referred to this in his contribution, and this is a concern that's also shared widely through the tech sector and the privacy sector, is around the US CLOUD Act—that is, the Clarifying Lawful Overseas Use of Data Act in the US. The CLOUD Act was enacted in 2018 to provide that US based cloud and technology companies could be compelled to hand over data held offshore, under warrant, to US security agencies. We don't have a bilateral CLOUD Act agreement in place with the US. The government has assured everyone there's nothing to see here and we should move along. However, Home Affairs, in its submission to the Parliamentary Joint Committee on Intelligence and Security inquiry into the Telecommunications Amendment International Production Orders Bill 2020, along with numerous international law firms around the world have advised otherwise. The issue is that, because Amazon Web Services is an American company with its head office in the US, it is entirely possible a US court could exercise personal jurisdiction over its Australian operations and require that data be handed over to US security agencies. When I asked the Attorney-General's Department about this last week in the Senate select committee, they were unable to give a 100 per cent guarantee that this data would not be handed over under US warrant to a US intelligence agency.

The great tragedy of all this, though, is that this situation could have been avoided if the government had awarded or even opened tendering for the hosting contract to one of the three Australian cloud service providers with Australian Signals Directorate certification. They are Australian companies with Australian infrastructure employing Australian technicians and they would not fall under the jurisdiction of the US CLOUD Act. But the government didn't do that. It made the inexplicable and so far unexplained decision to award this contract to AWS, a company with its head office in Seattle. Despite saying we should stay together and we will get through this together, despite continually saying we need to secure Australian jobs and livelihoods, this contract was awarded to a company with a head office overseas.

I also want to refer briefly to some of the messaging that the government's been using around this app, which the Australian Greens regard as reckless or dangerous. The Prime Minister saying that using the app was like putting on sunscreen to go out in the sun was misleading at best, dangerous at worst, because, of course, the app does not offer users any direct protection from contracting coronavirus; likewise, 'slip, slop, slap the app'—again, misleading at best, dangerous at worst. The government shouldn't be cavalier around this issue. It's a pandemic, for goodness sake; people's lives are at stake here.

I also want to touch on the way that the data will be collected by this app and misrepresentations about it. The government has said that when a user tests positive the app will allow the user to consent to the upload of only contacts that came within 1.5 metres of the user for 15 minutes or more, but according to the government's own privacy impact assessment, by law firm Maddocks, the app in fact collects and uploads data about all users who have come within bluetooth signal range for even a minute within the past 21 days. Mobile device bluetooth has a range of around 10 metres, which means it will collect data on anyone who spends time within a 10-metre range of the user. Although the Department of Health has said in response to the PIA that it would put in place restrictions to bluetooth digital handshakes, this bill, not unreasonably, includes no such protections. So I ask the minister whether she is able to respond to that concern in her second reading contribution later.

About 5.5 million people have now downloaded the app, which is about 21 per cent of the total population. It's getting close to the government's goal, although it's worth pointing out that a mathematical model from Oxford University suggests that around 60 per cent of the population needs to use a tracing app to 'stop the epidemic'. This government's goal appears to be only 40 per cent.

As I said, we'll support this legislation, but we do have concerns around the lack of some privacy protections. We believe this bill could be improved, and we'll be moving amendments in the committee stage to give the government the opportunity to beef up protections around the data collected by this app. Those concerns, specifically, regard the limited prohibitions on COVIDSafe app data, which we'd like to see broadened, and the fact that there is no fixed trigger for the sunsetting of this bill. We hold concerns regarding coverage of rules against coercion and transparency of COVIDSafe operations. We hold concerns also about assurances of data being deleted under this bill. These have been met part way by the government in the latest iteration of this legislation; however, more needs to be done, which we will address in our amendments. I also want to touch on the fact that this app is only in English. There are a lot of people in this country for whom English is a second language, and there are many people in Australia who do not have a high level of English comprehension. This app needs to be made available in ways that people can easily understand, and that includes being available in different languages so that people whose first language is not English also have the opportunity to make an informed decision about whether or not to download this app.

I won't be downloading this app, because I simply don't trust the government with data about who I am proximate to. I wish the government had gone down a different route, one that many other governments in the world have gone down, in which there is no centralised store of data. The data simply remains on people's mobile devices and, should someone test positive for coronavirus, a message is sent to people who that person was proximate to, letting them know that they've been proximate to someone who has tested positive, and therefore gives them the opportunity to decide to go and get tested themselves.

The Australian Greens will support this legislation because it's not enabling legislation for the app but is enabling legislation for privacy protections associated with the data collected by the app, and that is a very important distinction.
