Privacy protections for the COVIDSafe app will now be enforced through an Act of parliament, with the Federal Government successfully passing the Privacy Amendment (Public Health Contact Information) Act 2020 through the Senate last Thursday.

According to Federal Attorney-General, Christian Porter, the legislation more clearly defines the limited circumstances under which the COVIDSafe data can be collected, used, or disclosed.

The legislation also prescribes significant criminal and civil penalties for any misuse of data collected through the app.

“That includes jail terms of up to five years or a fine of $63,000 per offence,” Porter said.

“It is also a criminal offence under the legislation for anyone to coerce a person to use the app, to store or transfer COVIDSafe data to a country outside Australia, and to decrypt app data.”

Porter earlier noted that the privacy legislation would serve to increase take-up of the app, giving Australians confidence to download COVIDSafe whilst also more clearly defining enforcement mechanisms and penalties.

Criminal offences under the legislation can also be investigated by the Australian Federal Police.

The new amendments beef-up existing protections under the Privacy Act 1988, Porter said.

He stressed that the Government would satisfy its obligation to delete all COVIDSafe data from the National COVIDSafe Data Store once the pandemic is over.

Individuals can have their complaints heard by the Office of the Australian Information Commissioner (OAIC) or relevant State or Territory privacy regulator where appropriate.

Five million downloads down

According to Minister for Health Greg Hunt, the COVIDSafe app has already been downloaded more than 5.68 million times – more than one-fifth of Australia’s population.

He said the new legislation gives the Government the “confidence it needs” to continue easing restrictions and reopen the economy.

“The COVIDSafe app will help protect people and the community,” Hunt said. “It will enable public health officials to quickly notify individuals who have been in contact with a person who has tested positive.”

The contact tracing app aims to stop Covid-19’s spread by “tracing” interactions between users via Bluetooth and alerting those who may have been in proximity with a confirmed case.

Legislation welcomed by privacy groups

The privacy legislation has been welcomed by legal entities, among these, the Law Council.

The Council’s president, Pauline Wright, said she was gratified to see that the Government had incorporated several amendments suggested by her organisation.

“While some issues of concern remain, we were pleased to be able to work with government to achieve an outcome that goes a considerable way towards satisfying our concerns raised on the Exposure Draft Bill,” she said.

“There is a preference to see core parameters for the app prescribed in legislation – such as a requirement for the app to be strictly voluntary in every respect, and not ‘pushed out’ to users’ devices – to remove any risk that the ‘opt-in’ model could be unilaterally changed by the executive government from time-to-time.”

Protecting derivative data

However, Wright said the council remained concerned that several issues were not dealt with in the legislation. These included an absence of protections for derivative data obtained from COVIDSafe app data and prohibitions on reverse engineering of de-identified data.

“It is important that the legislation and its practical application, and the operation of the app and data store, are kept under ongoing Parliamentary scrutiny, despite the urgent passage of this legislation,” Wright said.

The council also supported the call for the Government to make the app available in languages other than English, ensuring greater reach into Australia’s diverse communities.

In the future, the Privacy Commissioner will be able to continue investigations after the COVIDSafe app and data store have ceased operations.

Source code released

The source code for the iOS and Android versions of the COVIDSafe app has been released by the Digital Transformation Agency (DTA).

However, code that relates to the COVIDSafe National Information Storage System – the repository for storing app data – will not be released.

The DTA’s chief executive, Russell Brugeaud, testified before a Senate Select Committee on May 6 noting that the Bluetooth signal “progressively deteriorates” if phones are locked and the app is in the background.

Bruguead said, however, that the government is working with Apple and Google on improvements to the app’s Bluetooth capability, with Australia to be “one of the first adopters” of this improved Bluetooth connectivity function.

Privacy & encryption concerns

In response to committee questions on notice, the DTA noted the contact tracing app contract was awarded to AWS under a standing arrangement between the cloud giant and the Commonwealth.

Being headquartered in the US, concerns over the security of the COVIDSafe data housed in AWS servers had previously been raised, including fears the data could be accessed by US law enforcement.

However, an official spokesperson for Minister for Government Services Stuart Robert said the minister had “the utmost confidence in how the information is being managed”.

“Uploaded contact information will be stored in Australia in a highly secure information storage system and protected by additional laws to restrict access to health professionals only,” the spokesperson said.

Vanessa Teague, a Melbourne-based cryptologist, and chief executive of Thinking Cybersecurity said the important encryption was done on the server side.

“We need to see the server code and read some justification of the design decisions so that we can identify and fix other bugs in #CovidSafeApp and have a genuine public debate about how it should change,” she tweeted.