A deeper dive into Australia's Digital ID Bill

A closer look at Australia's draft laws on a national "whole-of-economy" Digital ID

What you need to know

• The Government's Digital ID Bill has been introduced and immediately referred to Senate inquiry – meeting the Government's commitment to introduce Digital ID laws by the end of the year. You can make submissions on the new laws before 19 January 2024, and the bill is likely to be debated in March 2024.
• Digital ID is a fundamental enabler for Australia's digital economy – aiming to enhance trust, privacy and digital convenience, and is a key component of Australia's recently announced cybersecurity strategy.
• Digital ID laws will enable a phased expansion of a national "whole of economy" interoperable Digital ID framework – first across government services and then the broader economy. The new laws support two related initiatives – an accreditation scheme for Digital ID service providers, and expansion of the Australian Government Digital Identity System (AGDIS, commonly known as myGovID). You can learn more about the initiatives and how Digital ID works in our previous article and webinar.
• Accreditation provides a trust baseline – Under the draft laws, accredited Digital ID service providers will be required to comply with privacy, security, consumer protection, record-keeping, data destruction, and other requirements. Accreditation provides a baseline set of obligations and regulatory oversight that apply to all accredited service providers, whether they provide services in the Australian Government Digital Identity System or in a separate Digital ID system. Regulated trustmark logos communicate this trust to the public.
• Additional protections will apply to the Australian Government Digital Identity System (AGDIS) – including a statutory contract that makes participants accountable to other service providers and organisations relying on the AGDIS, localisation rules to ensure data is processed and stored in Australia, and requirements that ensure that having a Digital ID is voluntary, and that services are interoperable.
• Digital ID laws will be overseen by a Digital ID regulator – initially the Australian Competition and Consumer Commission. However, multiple agencies and regulators will have roles relating to Digital ID, including the Office of the Australian Information Commissioner and Services Australia as the AGDIS System Administrator.
• Digital ID laws include flexibility to deal with issues as they emerge, for example through exemptions, conditions, and transitional and longer term rule-making powers – similar to the Consumer Data Right. In building this flexibility in, the legislation treads a fine line between providing regulatory certainty and being able to adapt to emerging circumstances. We expect ongoing consultation, and transparency about how and when this flexibility will be exercised, will help provide regulatory certainty to drive participation.
• Additional privacy protections are a key feature of the bill, with a dedicated chapter. The protections exceed those in the Identity Verification Services Bill 2023 (which will apply to identity checking services that support Digital ID). Enhanced privacy protections also overlap with the Government's broader privacy law reform agenda. We expect further moves to harmonise privacy protections over time, including to minimise duplication of regulatory requirements.
• Expect early experiments for private sector and state and territory services – Transitional rule-making powers that apply only in the first 12 months include flexibility to test Digital ID systems with private sector, state and territory services. The Government has also previously signalled it is looking to accelerate private sector accreditation.

What you need to do

• Will you make submissions to a Senate inquiry? Senate committee inquiries are an increasingly important opportunity to make specific and targeted recommendations. You can make submissions until 19 January 2024.
• Understand how investment in Digital ID can impact customer relationships, risk exposure and costs – including reduced consumer friction and customer attrition during ID verification processes, operational savings from fewer ID checks, changes to identity fraud risk, reduced retention of high-risk data and related changes to security costs and cyber risk exposure.
• Understand your current capability and the pathway to adopting Digital ID – Where does Digital ID sit in your technology roadmap? Are there underlying systems and processes that need to be modernised?
• Consider broader business implications – The capability to identify customers and avoid identity fraud is a significant investment. Consider whether Digital ID will mean you need to do fewer ID checks, or whether your current ID checking can be lifted to a higher standard by using an identity service provider. How will Digital ID impact risk, and is your industry regulation ready for Digital ID?
• Understand the connection between risk, liability, and compliance – Service providers in the AGDIS face liability under a statutory contract. Carve outs for liability that benefit accredited participants are subject to compliance with the legislated rules in good faith. Understand how this framework will interact with your contracts, insurance, and risk arrangements.
• Be able to demonstrate compliance – Obtaining and maintaining accreditation means demonstrating compliance. For service providers, demonstrating compliance can mean the difference between immunity and significant liability.
• Understand the different options – Digital ID systems outside of the AGDIS have their own rules, requirements, and liability arrangements to get across – and may require service providers to hold accreditation.

A closer look at Australia's draft Digital ID future

In our previous article and webinar we discussed the Australian Government's recent consultation on draft Digital ID laws, what Digital ID is and how it works, and the Government's phased plan to expand its trusted Digital ID ecosystem across the entire economy.

In this article we examine the Australian Government's new Digital ID Bill 2023, take a closer look at the exposure drafts of related rules, and explore new transitional arrangements.

The Digital ID Bill was introduced on 30 November 2023 and immediately referred for inquiry to the Senate Economics Legislation Committee. The Committee is accepting submissions until 29 January 2024. With the Committee's report due 28 February 2024, the new bill is expected to be debated in March 2024.

Bills, rules and standards

The new laws look to drive two linked initiatives:

• an expanded Australian Government Digital Identity System (AGDIS), enabling greater participation by state and territory government bodies and the private sector. The AGDIS is currently most recognisable as the myGov and myGovID systems.
• a legislated accreditation scheme to accredit providers of Digital ID services. The scheme is an evolution of the current unlegislated Trusted Digital Identity Framework (TDIF). Accreditation is mandatory to participate in the AGDIS. While accreditation is not a statutory requirement to participate in other Digital ID systems, those other systems might require accreditation as part of their terms.

These initiatives are supported by two bills currently before the Senate:

• Digital ID Bill 2023 – the primary legislation governing both the Accreditation Scheme and the AGDIS.
• Digital ID (Transitional and Consequential Provisions) Bill 2023 – focussed on automatically transitioning approvals and accreditations for Commonwealth Government entities from the existing unlegislated framework with minimal disruption (read more at the end of this article).

These bills will enable:

• Digital ID Rules – dealing with issues such as cyber and other incident reporting, trustmarks and record keeping, and system onboarding requirements for the AGDIS.
• Accreditation Rules – covering requirements for obtaining and maintaining accreditation, whether a service provider is onboarded to the AGDIS or not.
• Transitional Rules – enabling a smoother transition during the first 12 months, and the flexibility to address unforeseen consequences.

Exposure drafts of the Digital ID Rules and Accreditation Rules were released as part of recent consultations.

In addition, legally enforceable data and technical standards will be made by the Digital ID Data Standards Chair dealing with issues such as data standards for accredited service providers, and technical standards and service levels for the AGDIS.

The accreditation scheme

Service providers in the Digital ID ecosystem, including Commonwealth, state and territory government bodies and private sector businesses can become accredited for specified types of services, although initially only Commonwealth non-corporate entities will participate in the AGDIS.

Accreditation provides a baseline set of obligations and regulatory oversight that apply to all accredited service providers displaying an Australian Government trustmark, whether they provide services in the AGDIS or in a separate system.

While accreditation is generally voluntary, a service provider needs to be accredited to provide services in the AGDIS. Participation rules for other Digital ID systems might also require accreditation, but there is no statutory requirement for them to do so.

Accreditation requires an applicant to demonstrate how its Digital ID services meet requirements relating to accessibility and usability, privacy protection, security and fraud control, risk management and technology integrity – a process to be overseen by the ACCC as Digital ID regulator. This recognises the sensitive nature of Digital ID services, and assists in ensuring that robust privacy, cyber security, and user experience standards are met. Draft Accreditation Rules contain detailed technical and procedural requirements that applicants will need to satisfy to become accredited and continue to satisfy once accredited.

Once accredited, a service provider is also required to comply with a range of obligations under the Digital ID Bill and the draft Accreditation Rules, concerning things such as:

• being bound by Australian Privacy Principles (or state/territory equivalent) and data breach laws;
• compliance with extensive additional privacy safeguards, including in respect of what information about a person (attributes) may be collected, consents, restrictions on dealing with biometric information and prohibitions on data profiling and marketing unrelated to Digital ID (regardless of consent);
• deactivation of Digital ID and accessible/inclusive services;
• blocking transactions involving compromised Digital IDs;
• authorised use of trustmarks;
• record-keeping and destruction of certain records; and
• directions from the Digital ID Regulator and the production of documents and information.

The Digital ID regulator will also have the power to impose, vary and revoke specific conditions on an accreditation if the regulator considers that doing so is appropriate in the circumstances. Such conditions might, for example, address perceived security concerns, limit the extent of an entity’s authorisation (eg to exclude biometric information) or specify the use of particular technology or systems.

Types of accredited service provider

The Digital ID regime is a federated model under which different types of service providers must cooperate to deliver a seamless and secure experience for the end user.

The bill includes the three types of service accreditation, reflecting roles under the current Trusted Digital Identity Framework:

• Identity exchange provider – acts like a switchboard and manages the private and secure flow and transfer of information between identity service providers, attribute service providers and relying parties. In the AGDIS, this role is currently performed by Services Australia using the myGov website and app.
• Identity service provider – generates and manages an individual's digital identity by collecting, verifying, and validating attributes that confirm a person's identity. The current Australian Government service provider is myGovID, operated by the Australian Taxation Office (ATO). To initially set up a myGovID, the ATO will verify your identity documents. After that point, the myGov app can use your myGovID to access various government services (without needing to re-check your identity documents).
• Attribute service provider – verifies and manages attributes that relate to a person's authorisation or characteristics (such as whether a person holds a licence, qualification, or permission). It manages information about a person other than identity. The Relationship Authorisation Manager operated by the ATO manages the fact that an individual is authorised to access services on behalf of a business. Similarly, myGov operated by Services Australia manages the fact that users have linked their myGov account with particular government services.

(Initially, participation will be limited to Commonwealth Government non-corporate entities, with state and territory and private sector services on-boarded as part of the phased expansion – see our previous article.)

The Minister will have rule-making powers to add additional types of services over time as the Digital ID ecosystem evolves. For example, trusted digital wallets managing portable credentials will be a key part of the ecosystem, and policy development for digital wallets is already underway.

The current Trusted Digital Identity Framework (and the previous consultation draft of the Bill) includes an additional category of “credential service providers”. This function will now fall within the remit of identity service providers (now known as authentication management). Authentication management covers the same ground as credential services, and includes the management of passwords and other access restrictions (such as facial or voice recognition).

The exemptions framework built into the Digital ID Bill will provide some flexibility within these categories. For example, where a service might fulfil some, but not all, of the responsibilities of an existing category of service the service provider could apply for targeted exemptions rather than lobbying for the addition of a new category of service. This could be particularly relevant for state and territory services.

Participating in the Australian Government Digital ID System (AGDIS)

Participation in the AGDIS is voluntary. However, if an accredited entity or a relying party wishes to participate, it must go through a further onboarding process and comply with additional obligations. One reason the AGDIS includes additional obligations is that it is currently used to access Commonwealth services.

A relying party is an organisation that uses the AGDIS, for example by accepting an AGDIS Digital ID as proof of identity. A relying party does not need to be accredited, but access to the AGDIS will need to be approved by the Digital ID regulator.

Service providers must be accredited in order to provide services in the AGDIS, and initially only non-corporate Commonwealth entities will be able to provide services in the AGDIS. The Digital ID regulator’s decision to permit participation in the AGDIS is separate to accreditation – the regulator must consider whether the accredited entity can meet the additional requirements of the AGDIS.

Key principles underlying the AGDIS include:

• a statutory contract that applies between each accredited service provider and each other accredited service provider or relying party in the AGDIS. Under this contract, service providers commit to provide accredited services.
• the interoperability obligation – accredited service providers and relying parties must (in general) not refuse to provide services to other accredited service providers or relying parties in the AGDIS.
• creating and using a Digital ID is voluntary – in general, relying parties need to ensure that use of the AGDIS is not a condition to their supply of a service and an alternative way to verify identity is available. This is not a blanket rule – important exceptions include where relying party is a small business or is an online-only service, and where the underlying service can be accessed by other means. Concerns have been raised about the practicalities of enforcing the voluntariness principle.
• data localisation – Digital ID Rules may include data localisation requirements for AGDIS data. Under the exposure draft rules, data must in general be processed and stored in Australia, with important exceptions such as transferring data to verify or authenticate information overseas.
• redress for incidents may be included in future versions of the Digital ID Rules, potentially requiring service providers to give notification, information, support, and assistance to those affected by an incident (including but not limited to cybersecurity and fraud incidents).
• change notifications – as with legislation for other types of critical infrastructure, accredited service providers will need to keep the Digital ID regulator informed of any actual or proposed change in control, or any significant IT system change impacting the AGDIS.
• additional responsibilities, data standards, service levels and conditions can also apply or be imposed.

Relying parties have more limited obligations than accredited service providers – these include ensuring that users can choose their identity service provider, allowing interoperability within the AGDIS, and reporting and supporting end users following digital identity fraud or cyber security incidents.

In addition, in granting approval for relying parties or service providers to participate in the AGDIS, the Digital ID regulator can impose conditions that it considers appropriate in the circumstances. Example categories of conditions are wide-ranging and include conditions on the way services can be provided, kinds of information (including biometric information) which can be collected, and even specify the technology systems through which services are provided and place restrictions on changes to those systems. Further conditions can also be imposed under the rules.

Liability and the statutory contract in the AGDIS

Delivery of a Digital ID solution requires the various providers to work together, trusting that other providers are performing their roles appropriately. Currently, the providers involved in delivering the AGDIS are all Commonwealth bodies – but extending participation to state and territory and private sector raises questions about how liability will be allocated if things go wrong.

Service providers in the AGDIS are accountable not only to the Digital ID regulator, but to each other service provider and relying party in the AGDIS – a statutory contract is created between each accredited entity in the AGDIS and:

• each other accredited entity in the AGDIS; and
• each relying party in the AGDIS.

Entities can take action in the Federal Circuit and Family Court of Australia, which can make a broad range of orders, including a broad power to make any order considered appropriate.

While the relationships between service providers and relying parties appear relatively straightforward with the currently very small number of AGDIS participants, we may see multiple identity exchanges operating within the AGDIS in the future – and interoperability requirements will mean that in the future service providers connected to one exchange may interact with service providers or relying parties connected to a completely different exchange.

The statutory contract framework facilitates interoperability in a way that traditional contracts would not – accredited service providers connected to any exchange will be automatically subject to a statutory contract with every other accredited service provider and every other relying party in the AGDIS, including those connected to different identity exchanges.

Under the statutory contract, an accredited entity agrees to comply with a limited set of obligations:

• to provide accredited services while participating in AGDIS in compliance with the obligations relating to verifying the identity of an individual or authenticating the Digital ID or information about an individual; and
• to comply with prescribed requirements in relation to intellectual property rights.

The bill has been updated since consultation to exclude service levels set by the Digital ID Data Standards Chair from this contract.

This means that the direct recourse that a party to a statutory contract will be able to seek from the other party to the statutory contract is limited, as it will be restricted to these set obligations. It also means that only accredited entities, and not relying parties, have obligations under the statutory contract.

Accredited entities are protected from liability in certain limited circumstances. An accredited entity will have no civil or criminal liability if:

• it provides or does not provide an accredited service within the AGDIS;
• provided that it has both acted in good faith and complied with its legislated obligations (other than the service levels).

The bill has been updated since consultation to also provide a liability shield where a non-compliance occurs, but the non-compliance is not the ground or cause of the relevant action or proceeding. This change should mean that the liability shield will not be lost due to unrelated non-compliances (such as technical or irrelevant ones).

The exclusion of service levels will allow the Data Standards Chair to set expectations that drive better performance, without exposing participants to unreasonable and unpredictable liability.

The statutory contract and liability shield leaves participants in the position where demonstrating compliance can mean the difference between absolute immunity and unpredictable liability – without the benefit of normal commercial tools like liability caps, exclusions of consequential or indirect loss, or force majeure regimes.

The Government has recognised this concern and included rule-making powers that will enable the Minister to limit the types of loss recoverable, introduce liability caps, exclude obligations from the statutory contract, or to exclude certain conduct or circumstances as breaches of the statutory contract. While no such modifications were included in the exposure draft Digital ID Rules, participants and potential participants will likely want further clarity.

The exact balance struck will have significant implications for risk management, insurance, and customer and supplier contract terms – on the one hand, potential liability to other participants presents an obvious financial risk – for example, if non-compliance by a participant enables a threat actor to create wide-spread harm. On the other hand, an inability to claim against other participants due to the liability shield can leave an organisation bearing financial loss caused by another participant.

Consumer Data Right legislation includes a similar (but different) liability shield and statutory contract arrangement, and we expect to see the models align over time.

Digital ID systems outside of the AGDIS will impose different rules – for example, through contracts signed by participants in private sector solutions. The statutory contract that applies to AGDIS participants can be seen as a transparent and regulated replacement of the commercial participation terms used in private sector solutions.

Penalties

Penalties under the Digital ID Bill are now five times higher than those proposed in the exposure draft.

Failure to comply with various obligations under the updated Digital ID Bill can result in civil penalties of up to 1,000 (up from 200 in the consultation draft) penalty units, or 1,500 (up from 300 in the consultation draft) penalty units in some cases, such breach of an additional privacy safeguard or offshoring AGDIS data unlawfully. For government entities and corporations this currently means $1,565,000 and $2,347,500 respectively.

Importantly, failure to comply with new privacy safeguards is considered an interference with privacy under the Privacy Act – exposing entities to recently increased penalties potentially exceeding $50 million.

In addition, as part of its response to the Privacy Act Review Report, the Government will introduce new lower tiers of penalties, a new direct right of action for breaches of the Privacy Act, and a statutory tort for a serious invasion of privacy.

The liability shield discussed above will be particularly important given the potential privacy risks that could flow from a systemic failure in the Digital ID system – strict compliance with the Digital ID regime may protect service providers from massive new privacy penalties, and potential class actions or other claims under coming privacy reforms.

The Digital ID regulator and System Administrator

Oversight and enforcement of the Digital ID laws will be shared between:

• an independent Digital ID regulator (the ACCC);
• Services Australia as the "System Administrator" of the AGDIS; and
• the Australian Information Commissioner on privacy matters.

The Government has previously described the Australian Competition and Consumer Commission (ACCC) as the "initial" regulator – consistent with earlier comments from Minister Katy Gallagher that the Government may hand oversight over to a "digital-specific regulator" as the system matures.

The Digital ID regulator will be responsible for governing the Accreditation Scheme and approving entities who wish to become accredited providers in the AGDIS.

From a monitoring perspective, the Digital ID Bill gives the regulator powers including to give directions, require production of information or documents, and suspend or revoke accreditation or approval. In relation to enforcement, the regulator has powers to issue infringement notices, seek enforceable undertakings, injunctions, and civil penalties.

In its submission to the Statutory Review of the Consumer Data Right, the ACCC supported a functional separation of the entities responsible for rule-making, operations and enforcement – similar to the approach taken in energy and UK open banking regulation. It also raised the possibility that responsibility, skill set, and capabilities required of an accreditation registrar might be better placed with another organisation. Functional separation has been adopted to a degree in the Digital ID Bill by placing rule-making powers with the Minister rather than the Digital ID regulator, reflecting current arrangements under the Consumer Data Right (where rule-making powers originally sat with the ACCC, but were subsequently transferred to the responsible Minister).

It is possible that future Digital ID regulation will adopt greater functional separation – we may see the role of the Digital ID regulator split, with a registrar focussed on accreditation, and a regulator focussed on compliance and enforcement. Such an arrangement might encourage more open engagement on accreditation challenges.

The Digital ID Bill has been clarified since consultation to provide that the "Chief Executive Centrelink" (ie the Chief Executive Officer of Services Australia) will be the "System Administrator” of the AGDIS, reflecting one of the roles that Services Australia plays in today's unlegislated AGDIS. Key functions of the System Administrator include:

• providing assistance to participants in the AGDIS (including dealing with incidents); and
• monitoring and managing the availability and operational risks relating to the performance and integrity of the AGDIS, and Digital ID fraud incidents and cyber security incidents involving participants.

Fraud and cyber security incidents

The Digital ID Bill supplements existing notifiable data breach obligations in the Privacy Act or state or territory equivalents – reports that must be given to privacy regulators must be given to the Digital ID regulator at the same time.

Where another regime does not apply to an accredited entity, the Digital ID Bill will extend the notifiable data breach regime under the Commonwealth Privacy Act to that entity. Mandatory data breach reporting is only recently coming to some state and territory privacy regimes – for example, data breach laws for NSW commenced just last month, and data breach laws for Queensland were passed last month, and are due to commence July 2025 for state government and 2026 for local government.

In addition, the Digital ID Rules require accredited service providers in the AGDIS to notify and manage "reportable incidents". There are a number of reportable incidents listed in the exposure draft of the Digital ID Rules – and unsurprisingly given the subject matter of the legislation – this includes cyber security incidents.

The exposure draft of the Digital ID Rules prescribed twelve items which must be included in a cyber security notification to the Digital ID regulator – including whether individuals have been informed of the incident. A reportable incident must be notified as soon as practicable after, and in any event, no later than 24 hours after the entity becomes aware of the incident or a suspected incident. Helpfully the draft rules acknowledge that it may not be possible to provide all information in relation to a cyber security incident within the prescribed timeframe, and so provides for a process of interim notifications to be given every 48 hours as additional information becomes available.

However, this regime does not align with other data breach reporting obligations, such as under the Commonwealth Privacy Act (or state/territory equivalents) or security of critical infrastructure legislation. Accredited entities will need to update their cyber response plans to manage different reporting obligations and timelines.

In addition to the notification requirements, the Digital ID regulator has the power to suspend the accreditation of an accredited entity in a range of circumstances, including serious cyber security incident involving the entity, or one is imminent. These powers have been refined since consultation - for example, in relation to attempted (and not actual) compromise, the incident must involve an unacceptable risk to provision of the accredited service to trigger suspension.

The Digital ID regulator can also revoke accreditation or approval to participate in the AGDIS for a "serious" cyber security incident.

The ability to in effect exclude service providers may on the one hand help triage compromised systems and protect other parts of the Digital ID ecosystem – but may also cause significant interruption at a particularly challenging time. In theory, a network of interoperable service providers would provide a level of redundancy – but in practice, relying parties and individuals may lose their ability to access services if their chosen identity service provider is excluded. If an identity exchange is excluded, the service providers connected to that identity exchange might be unable to operate. Building true redundancy will require service providers to be connected to multiple exchanges, and relying parties and individuals will need identity credentials maintained by multiple identity service providers.

Organisations will need to factor both cyber risks, and the risk of potential business interruption, into their business continuity plans.

Fees and charges

End users will not be charged for creating or using an AGDIS Digital ID. Relying parties looking to verify identities using the AGDIS will need to build Digital ID costs into their overall commercial framework rather than passing costs on to users directly.

The Government will not charge entities for accreditation and participation in the first two phases of expansion (across Commonwealth and state and territory governments). However, the Department of Finance will develop and conduct public consultations on an approach for charging ahead of private sector participation in the AGDIS.

As submissions to the recent consultation have shown, the charging model, and how charges may be recouped, will be an important factor impacting industry uptake, participation and use of AGDIS. The model may also have knock-on effects on commercial models and investment in private sector and state and territory Digital ID solutions (whether part of the AGDIS or not).

Commercial models adopted overseas will also need to be considered – not only must Australian Digital ID systems be technically interoperable with overseas solutions, but also commercially interoperable.

Transition arrangements

The Digital ID (Transitional and Consequential Amendments) Bill prioritises making sure that Commonwealth Government bodies currently using and relying on the (unlegislated) AGDIS can continue to operate with minimal disruption. Commonwealth Government bodies and services accredited under the (unlegislated) Trusted Digital Identity Framework (TDIF) are deemed accredited under the new regime, and those approved to participate in the current unlegislated AGDIS are deemed approved under the new regime.

Accreditation and approvals are subject to conditions similar to those that currently apply (for example, limiting accreditation and approvals to specified services, and requiring services to directly connect to Services Australia). This means new or changed services, or changes to how services interconnect, will require review and changes to accreditations and approvals.

The bill does not automatically transfer accreditation or approval for non-Commonwealth entities, recognising that the Accreditation Rules would only be made after the Digital ID Bill commences. But the door has been left open for the Minister to make further transitional rules (including to similarly deem accreditation and approval) in the first 12 months after commencement, allowing the Minister to transfer existing accreditation and approval (potentially subject to conditions).

The explanatory materials call out an important use of transitional rules – to allow the Commonwealth to test plans, systems and business processes for future expansion of the AGDIS by:

• transferring accreditation of state or territory government services accredited under the TDIF and participating in the AGDIS; or
• approving state and territory services to participate as "relying parties" in the AGDIS; and
• approving private sector services to participate as "relying parties" in the AGDIS.

This ability for the Commonwealth to test systems and processes is in addition to the AGDIS System Administrator (ie: Services Australia) power under the Digital ID Bill to authorise entities to conduct testing in the AGDIS without holding an approval to participate from the Digital ID regulator, which may be granted for up to three months and can be conditional.

Related developments

Digital ID is clearly high on the Government's agenda – a key initiative underpinning its recently announced cyber security strategy, as well as its National Strategy for Identity Resilience. The new laws are expected to result in an annual economy-wide compliance cost of almost $1.5m annually, but whole of economy savings in the order of $3.3bn.

In addition to the new bill, we've seen significant developments in the world of Digital ID:

• Australians will be able to sign Commonwealth Statutory Declarations using their myGov ID from 1 January 2024, with the Statutory Declarations Amendment Act 2023 receiving royal assent. Under the new laws, the Digital ID service can act as a virtual "witness".
• The Identity Verification Services Bill 2023 will regulate identity checking services that support Digital ID. A Senate Committee recommended the bill be passed, subject to recommendations including to require data breach notifications to affected individuals, to allow additional privacy safeguards through a rule-making power, to require express (not implied) consent, and to require a review of privacy and security protections and whether civil penalties should apply after 12 months. However, even with these amendments it is not clear whether the bill will pass – the dissenting report of the sole Opposition Senator on the committee recommended the bill be withdrawn and reworked. Protections in the Digital ID Bill are seen as a high water mark that, over time, the Identity Verification Services Bill may adopt – as well as taking on board future developments under the Government's overhaul of the Privacy Act.
• The Commonwealth Government announced a new Advisory Group to consider future improvements for the myGov platform, in addition to the recently announced Ministerial Digital ID Expert Panel to provide independent advice on Digital ID more broadly.
• The NSW Government is looking to conduct further pilots of a NSW Digital ID – with one trial expected by the end of the year and a further two trials next year.

Australia is not unique in pursuing a homogenous, interoperable Digital ID. The European Union is edging closer to a pan-European digital identity framework, with European Parliament and Council reaching agreement on the regulation of European Digital Identity Wallets that will require public services, very large online platforms, and services that are legally required to authenticate users to accept the EU Digital Identity Wallet. The EU continues to work on large-scale pilots testing the effectiveness.

Want to know more?

Read more about what Digital ID is, how it works and what it means for your organisation in our previous article Whole-of-economy Digital ID laws by the end of the year.

Digital ID is a key enabling technology for Australia's recently announced cybersecurity strategy. You can read more about the strategy in Australia's cyber strategy – a bold regulatory reform agenda.

You can also catch up on our past articles on Digital ID:

• Identity Resilience and digital identity – key defences against cyber threats (23 August 2023)
• Australian digital identity gains traction – a new national strategy, and legislation on its way (7 August 2023)
• Managing cyber risk – digital identity comes back into focus in Australia (18 April 2023)
• A trusted digital identity framework for Australia (13 October 2021)

Authors: Tim Brookes, Partner; Rebecca Cope, Partner; Anthony Lloyd, Partner; Clare Doneley, Counsel; Sashini Walpola, Senior Associate; Andrew Hilton, Expertise Counsel; Kerry Liang, Lawyer; and Shir Rosenberg, Clerk