Skip navigation

AGAINST – Bills — Identity Verification Services Bill 2023, Identity Verification Services (Consequential Amendments) Bill 2023; Second Reading

Michaelia Cash

I rise to speak on the Identity Verification Services Bill 2023 and the Identity Verification Services (Consequential Amendments) Bill 2023. This legislation came forward in strange circumstances and was rushed into this place without warning.

No-one knew it was coming, and certainly a major stakeholder in this area, that I had spoken to some time ago, was not aware that this legislation was coming; it was a shock to them. And it left many questions unanswered. But what it does do is deal with something very fundamental: the Document Verification Service that underpins the operation of many of our anti-money-laundering and counterterrorism-financing laws, and it also deals with like services.

As we made clear in the other place, we have no fundamental objection to putting those services onto a statutory footing. Let's go through, though, what those services are.

The Document Verification Service has been in operation since at least 2009 and open to the private sector since 2014. It is used by the Commonwealth, by state and territory government agencies and by the private sector to confirm that the details on a person's identity document, such as a driver's licence or passport, match the original record held by the government. The Face Verification Service allows a person's face to be biometrically matched to their driver's licence or passport photo. The Face Verification Service is currently in use and only used by Commonwealth agencies—for example, to set up a myGov account. The Face Identification Service will be a service which enhances law enforcement—in particular, in relation to undercover police—and will crossmatch photos biometrically against driver's licence photos to find potential matches. The Face Identification Service will be used solely to protect lawfully assumed identities. The driver's licence photos are provided by states and territories through a database called the National Driver Licence Facial Recognition Solution.

As I have already indicated, the coalition has never had an in-principle concern with putting these services on a legislative basis. The coalition is now in a position where we, on this side, can support the legislation, because of the very significant concessions that have been made by the government.

In that regard, I want to particularly call out the work of Senator Scarr. Senator Scarr led the coalition efforts in the inquiry into this bill, and his excoriating additional comments make clear that, as it was presented to the parliament, there were very significant shortfalls in the bill that the Attorney-General of Australia wanted us to agree to. Senator Scarr called for the bill to be rewritten to address his significant concerns.

I am pleased that the government has taken up Senator Scarr's work and has seen it as a wake-up call to indeed remedy the deficiencies that were in the bill that were initially presented to the parliament. In fact, in the wake of Senator Scarr's work, the Attorney-General's office reached out to engage with us on the passage of this bill. The approach was certainly late, but it was welcome. The Attorney-General and I have since exchanged letters about the basis upon which this bill should proceed. The Attorney-General has agreed to implement, as Senator Scarr had set out in his dissenting report, every one of the 11 substantive recommendations in the committee report. The Attorney-General has also agreed to the further changes that the coalition, both Senator Scarr and I, have requested.

The many changes that have been agreed, and the supporting work around the edges, have improved this legislation. The legislation is now in a position where the coalition can support it.

David Shoebridge

The Identity Verification Services Bill 2023 and the Identity Verification Services (Consequential Amendments) Bill 2023 were rushed through by the government, for reasons that they have still not come clean about. The conclusion that pretty much every stakeholder has drawn is that the current identity verification services procedure is unlawful, and, in the absence of any statutory underpinning, is open to legal challenge.

Unless that's is resolved rapidly by the government, they face, potentially, significant civil damages claims—potentially aggravated by the fact that they continue to operate a service knowing full well that it is unlawful, and in breach of, amongst other matters, the privacy laws. It would be useful, in terms of a frank exchange with the government if they would tell us, and also tell the Australian public. That kind of frankness should be expected from the government, particularly for service that's used some 120-odd million times a year and which involves the intimate personal details of pretty much every adult Australian. But we don't have that degree of transparency and clarity from the government, and I think that that's unfortunate, to say the least.

I commend the various stakeholders who engaged with the Senate inquiry into the Identity Verification Services Bill 2023 and who spent countless hours pointing out the deficiencies in the government's initial draft—the huge privacy gaps in the initial draft and the deeply problematic nature of its drafting. There were things as obvious as allowing implied consent when, on any valid privacy principle, if you're talking about sharing your biometric or other personal data, clearly, express consent is needed. There were things like ensuring clarity of drafting. There were very real and significant concerns about the bill, as drafted by the Attorney-General, and initially introduced into the parliament. That's why there were some 12 recommendations by the Legal and Constitutional Affairs Legislation Committee, ranging from ensuring that breaches of participation agreements can be dealt with properly through to ensuring that something as obvious as participation agreements be privacy-enhancing and consistent with Australia's privacy principles; ensuring that an entity's legal obligations under privacy laws can't be watered down by agreements entered into under the scheme; ensuring that there are rule-making powers to actually enhance the privacy elements in the bill; and ensuring that there be an interim review—an urgent interim review—within 12 months of operation.

When dealing with such important issues as the private details of millions and millions of Australian citizens—details which are essential for obtaining financial services or for accessing the many essential services we now require through online activity, it's remarkable that the bill, as initially drafted, failed to deal with all of that. We had the benefit of incredibly detailed submissions from entities such as UNSW's Allen's Hub for Technology; Digital Rights Watch—and I particularly want to highlight the clarity of the evidence from Ms Lizzie O'Shea; the Law Council of Australia; the Australian Human Rights Commission; and the Human Technology Institute at UTS. It would also be wrong not to give a shout-out to Professor Ed Santow for the help he gave to the committee in his evidence.

The government having received not just the majority report but the excellent dissenting report from Senator Paul Scarr—which, I have to say, grappled with the complex evidentiary and legal issues and set out a roadmap for reform of the bill—and evidence from critical stakeholders, thankfully we now see a raft of amendments from the government that make this bill passable. It's far from perfect but probably, on balance, it's passable.

But that's not what the sector wants. It may be what the financial sector, the Australian Banking Association and the Attorney want, but it's not what the engaged stakeholders in the privacy space want. What they want is consistency in privacy laws. What they want is a set of privacy laws that will stand the test of time. One of the most extraordinary things about this little legislative venture from the Attorney-General was that, whilst the Identity Verification Services Bill 2023 was working through one track with very inadequate privacy protections in it—no doubt they would have been cutting-edge in 1983 but they don't cut the mustard in 2023—the draft Digital ID Bill 2023, which had substantially higher privacy protections, was going through under another minister. There was a draft digital ID bill out on public exhibition with substantially higher privacy protections. They were much closer to what you'd expect in 2023 in the draft Digital ID Bill, which was out on consultation at the same time as the government was trying to force through the Identity Verification Services Bill. The stakeholders said to do them together—do them once and make them coherent. For that reason, we have a second reading amendment that aims to do just that—to defer this bill until we can have a coherent set of privacy reforms and do the two bills together as core business in the first half of next year. If that doesn't succeed, then we will with some reluctance support the bill, but only because of the very significant amendments that have been drafted.

I raise one significant issue that we would normally address in committee but that, given the guillotine motion that's been moved today, there won't be an opportunity for—that is, the Greens amendments to prohibit the identity verification system from collecting or disseminating protected information. Protected information is information about an individual's health, criminal record, membership of a professional or trade association, membership of a trade union, racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, sexual orientation or practices, or disability status. For the Greens, this is a critical amendment. Information of this nature should never find its way into a federal database about us. We'll be moving amendments to expressly prohibit this information being captured or disseminated through the identity verification services process, and we would expect wholehearted cross-party support for those amendments.

We understand that the government won't support them, because they say that there's a policy in place, that they don't collect this stuff about us now, and that this bill isn't really about limiting what information we can use; it's just about making it happen. That bells the cat for us. That raises concerns for us. There should be clear legal constraints preventing critical information, which we've outlined in our amendments, ever being collected under this system, held by the government and distributed under this system.

We would urge members in this chamber to have close regard to those amendments and think, 'Do I want the next government to be collecting this information about us?' Do you want to have the protections just founded under policy which can be changed from Attorney-General to Attorney-General? Why not make it clear in black and white that this is information the government should not be collecting about us, should not be storing about us and should not be disseminating about us. I note the time, and I know other senators have contributions, so I'll conclude my observations there. I move a second reading amendment:

Omit all words after "that", substitute "further consideration of this bill be postponed until the Government's comprehensive privacy reforms are available to ensure the best possible privacy protections are in place for personal information".

Paul Scarr

I will speak very briefly on the Identity Verification Services Bill 2023 because I know other senators want to speak, and there's not much time to speak. I will make three points.

The first point is in relation to timing of the process. The Law Council of Australia said:

It is troubling that such a short reporting period has been imposed on this inquiry, providing a little over two weeks for stakeholders to make submissions about a proposed legislative framework for identity verification services …

… … …

The Law Council is concerned that the timeframe for this inquiry does not reasonably enable the Committee to carefully scrutinise whether the Bills strike the correct balance.

It is very disturbing when the Law Council of Australia makes that comment with respect to a process.

The second point I will make is again a quote from the Law Council of Australia. I think the government needs to reflect on this as it takes forward its review of the Privacy Act and also of the Digital ID Bill. The Law Council said:

As a general comment, the fragmented approach to privacy and data reform that is illustrated by these bills is not conducive to promoting harmonisation and clarity across Australia's digital identity, privacy and identity verification frameworks. The Law Council reiterates its call for a roadmap of the harmonisation of Australia's privacy and data laws to ensure the development of a national privacy framework that is consistent, clear and accessible.

The government would do well to heed those words. My colleague Senator Shoebridge, who makes an outstanding contribution on the Legal and Constitutional Affairs committees on which I serve with him, raised the issue of consent. Can I just say that expressed consent is one thing, but it also can't be Hobson's choice. It's got to be a real choice for people with respect to these matters.

The last point is to thank the members of the Attorney-General's Department for their work in relation to the bill. There were a lot of amendments that had to be made in a short period of time, and it was a pleasure to engage with them through the committee process, so thank you very much. I acknowledge Senator Anita Green for her chairing of the Legal and Constitutional Affairs Legislation Committee. We have robust debate, but she always chairs it very well. Lastly, I would like to acknowledge the input from Ms Shohini Sengupta, of the University of New South Wales Allens Hub for Technology, Law and Innovation, and also Ms Olga Ganopolsky, the chair of the Privacy Law Committee of the Business Law Section of the Law Council of Australia.

Long debate text truncated.


Date and time: 7:16 PM on 2023-12-06
Senator Pocock's vote: No
Total number of "aye" votes: 6
Total number of "no" votes: 33
Total number of abstentions: 37
Related bill: Identity Verification Services Bill 2023

Adapted from information made available by