David Shoebridge (NSW, Australian Greens) Share this | Hansard source

The Identity Verification Services Bill 2023 and the Identity Verification Services (Consequential Amendments) Bill 2023 were rushed through by the government, for reasons that they have still not come clean about. The conclusion that pretty much every stakeholder has drawn is that the current identity verification services procedure is unlawful, and, in the absence of any statutory underpinning, is open to legal challenge.

Unless that's is resolved rapidly by the government, they face, potentially, significant civil damages claims—potentially aggravated by the fact that they continue to operate a service knowing full well that it is unlawful, and in breach of, amongst other matters, the privacy laws. It would be useful, in terms of a frank exchange with the government if they would tell us, and also tell the Australian public. That kind of frankness should be expected from the government, particularly for service that's used some 120-odd million times a year and which involves the intimate personal details of pretty much every adult Australian. But we don't have that degree of transparency and clarity from the government, and I think that that's unfortunate, to say the least.

I commend the various stakeholders who engaged with the Senate inquiry into the Identity Verification Services Bill 2023 and who spent countless hours pointing out the deficiencies in the government's initial draft—the huge privacy gaps in the initial draft and the deeply problematic nature of its drafting. There were things as obvious as allowing implied consent when, on any valid privacy principle, if you're talking about sharing your biometric or other personal data, clearly, express consent is needed. There were things like ensuring clarity of drafting. There were very real and significant concerns about the bill, as drafted by the Attorney-General, and initially introduced into the parliament. That's why there were some 12 recommendations by the Legal and Constitutional Affairs Legislation Committee, ranging from ensuring that breaches of participation agreements can be dealt with properly through to ensuring that something as obvious as participation agreements be privacy-enhancing and consistent with Australia's privacy principles; ensuring that an entity's legal obligations under privacy laws can't be watered down by agreements entered into under the scheme; ensuring that there are rule-making powers to actually enhance the privacy elements in the bill; and ensuring that there be an interim review—an urgent interim review—within 12 months of operation.

When dealing with such important issues as the private details of millions and millions of Australian citizens—details which are essential for obtaining financial services or for accessing the many essential services we now require through online activity, it's remarkable that the bill, as initially drafted, failed to deal with all of that. We had the benefit of incredibly detailed submissions from entities such as UNSW's Allen's Hub for Technology; Digital Rights Watch—and I particularly want to highlight the clarity of the evidence from Ms Lizzie O'Shea; the Law Council of Australia; the Australian Human Rights Commission; and the Human Technology Institute at UTS. It would also be wrong not to give a shout-out to Professor Ed Santow for the help he gave to the committee in his evidence.

The government having received not just the majority report but the excellent dissenting report from Senator Paul Scarr—which, I have to say, grappled with the complex evidentiary and legal issues and set out a roadmap for reform of the bill—and evidence from critical stakeholders, thankfully we now see a raft of amendments from the government that make this bill passable. It's far from perfect but probably, on balance, it's passable.

But that's not what the sector wants. It may be what the financial sector, the Australian Banking Association and the Attorney want, but it's not what the engaged stakeholders in the privacy space want. What they want is consistency in privacy laws. What they want is a set of privacy laws that will stand the test of time. One of the most extraordinary things about this little legislative venture from the Attorney-General was that, whilst the Identity Verification Services Bill 2023 was working through one track with very inadequate privacy protections in it—no doubt they would have been cutting-edge in 1983 but they don't cut the mustard in 2023—the draft Digital ID Bill 2023, which had substantially higher privacy protections, was going through under another minister. There was a draft digital ID bill out on public exhibition with substantially higher privacy protections. They were much closer to what you'd expect in 2023 in the draft Digital ID Bill, which was out on consultation at the same time as the government was trying to force through the Identity Verification Services Bill. The stakeholders said to do them together—do them once and make them coherent. For that reason, we have a second reading amendment that aims to do just that—to defer this bill until we can have a coherent set of privacy reforms and do the two bills together as core business in the first half of next year. If that doesn't succeed, then we will with some reluctance support the bill, but only because of the very significant amendments that have been drafted.

I raise one significant issue that we would normally address in committee but that, given the guillotine motion that's been moved today, there won't be an opportunity for—that is, the Greens amendments to prohibit the identity verification system from collecting or disseminating protected information. Protected information is information about an individual's health, criminal record, membership of a professional or trade association, membership of a trade union, racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, or disability status. For the Greens, this is a critical amendment. Information of this nature should never find its way into a federal database about us. We'll be moving amendments to expressly prohibit this information being captured or disseminated through the identity verification services process, and we would expect wholehearted cross-party support for those amendments.

We understand that the government won't support them, because they say that there's a policy in place, that they don't collect this stuff about us now, and that this bill isn't really about limiting what information we can use; it's just about making it happen. That bells the cat for us. That raises concerns for us. There should be clear legal constraints preventing critical information, which we've outlined in our amendments, ever being collected under this system, held by the government and distributed under this system.

We would urge members in this chamber to have close regard to those amendments and think, 'Do I want the next government to be collecting this information about us?' Do you want to have the protections just founded under policy which can be changed from Attorney-General to Attorney-General? Why not make it clear in black and white that this is information the government should not be collecting about us, should not be storing about us and should not be disseminating about us. I note the time, and I know other senators have contributions, so I'll conclude my observations there. I move a second reading amendment:

Omit all words after "that", substitute "further consideration of this bill be postponed until the Government's comprehensive privacy reforms are available to ensure the best possible privacy protections are in place for personal information".