Business Insight

Australia’s Digital ID Act and a new Trusted Exchange (TEx) – an update and a deep dive

By Rebecca Cope, Mathew Baldwin, Clare Doneley, Anthony Lloyd, Sashini Walpola and Andrew Hilton

16 August 2024

Share Share
swirl background
Share

    What you need to know

    • On 13 August 2024, the Australian Government unveiled a new initiative to build identity resilience in Australia. The “world-leading” Trust Exchange (TEx) is a quick and easy way to verify identity and credentials safely and securely, with choice, consent and trust as cornerstone principles.
    • TEx will make digital identity documents more secure and more useful than physical versions – with plans to share Commonwealth, state and territory IDs and credentials across government wallets by the end of 2024.
    • Further driving identity resilience, Australia’s new Digital ID Act 2024 is expected to commence in December 2024. Significant amendments were made in the Senate – including to open the Australian Government Digital ID System (AGDIS, better known as myGov / myGovID) to the private sector in two years (or possibly earlier).
    • In this article, we take a close look at recent developments, what changed in passing Digital ID laws, and take a deep dive into the Digital ID Act 2024.

    What you need to do

    • Understand the Digital ID rollout schedule – To date, the Government deliberately avoided providing a timetable for the rollout of economy-wide Digital ID. Due to amendments made in the Senate, the private sector will be able to apply to participate in the AGDIS in two years.
    • Plan for controversy – Ensuring Digital ID is truly voluntary will be a political issue for the foreseeable future. Organisations will need to plan for both Digital ID powered services, as well as support for those who experience barriers to accessing, or who do not wish to use, Digital ID.
    • Design for digital accessibility – Ensuring that Digital ID as well as underlying services are accessible will be a key design challenge. Government services will need to comply with the new Digital Service Standard – expect similar requirements to apply for private sector services in the future (including at Digital ID services, and other services such as those relating to the Consumer Data Right). 
    • Prepare for more consultation – Recent consultations on underlying rules and standards have focussed on what is required for December’s commencement of Digital ID laws. Within 12 months we will see important revisions to the framework focussed on private sector participation, as well as policy development around some of the more complex issues.

    Digital ID – a national priority

    Australia’s new national Digital ID laws are due to commence by the end of the year, providing the legislative basis for broader adoption of Digital ID – and expansion of the Australian Government Digital Identity System (AGDIS, better known as myGov / myGovID).

    Digital ID is a key initiative underpinning the Australia’s cyber security strategy and national strategy for identity resilience.

    The Government estimates that economy-wide compliance costs for Digital ID will be almost $1.5m annually, delivering estimated savings in the order of $3.3bn. 

    Rolling out economy-wide Digital ID and growing myGov capability is a long-term mission  but we’ve seen renewed focus on launching new uses:

    • an increasing number of Commonwealth Government services can be accessed using myGov and myGovID;
    • Commonwealth statutory declarations can now be signed using myGovID, without the need for a human witness – a project costing $1m a year, expected to save over $400 million in economic activity;
    • myGov accounts can now be secured using passkeys instead of passwords – either physical keys, or phone security like fingerprints, facial recognition, and other screen locks.  Passkeys and can be synced to password manager apps to be used for other services and across devices;
    • Services Australia is looking at law reform to allow safe data sharing to support better myGov user experience – technology to identify and target individual customers to deliver personalised services has been in testing for more than two years, but can't be deployed due to current government data sharing rules. The Interim Services Australia Independent Advisory Board met last Thursday, noting that the current consent-based model for data use by government services creates a poor user experience, and that there are essential efficiency gains for government in reforming data sharing (this shift in thinking from providing users with granular consent controls to streamlining safe user experiences can also be seen in operational changes to the Consumer Data Right under consultation);
    • Commonwealth, state and territory digital documents such as licences and credentials should be shared across government wallets by the end of 2024; and
    • just this week, the Government announced a new Trust Exchange enabling more secure verification of digital identity and credentials – read more below.

    In Part 1 of this article, we’ll take a close look at recent developments, including the new Trust Exchange and what changed in passing Digital ID laws through the Senate. In Part 2, we’ll take a deep dive into the Digital ID Act 2024 to explain how it works.

    Part 1: An update - what's changed and what's coming

    A new "world leading" Trust Exchange (TEx)

    Just this week, the Minister for Government Services unveiled new functionality for myGov wallets that will allow people to verify their identity or associated attributes without sharing their sensitive documents – for example, using a QR Code or NFC on a phone to verify your age without providing your drivers’ licence.  

    Key principles of the system will be choice, consent and trust.  

    TEx will connect to a user's digital wallet (such as a myGov wallet), allowing the user to verify their identity and credentials based on official information already held by the Australian Government.

    End users will opt in – able to choose and provide their consent to share necessary personal information with the relevant business. In the case of age verification, TEx could just provide confirmation without disclosing the user’s actual age or date of birth – only a “token” showing that a fact has been verified would need to be shared.

    Individuals won’t be charged to use TEx – but there may be charges to business. The technology is currently being trialled by Services Australia, with plans to launch a 6-month pilot very soon – meaning we may see full roll-out in 2025.

    Australia’s new Digital ID Act 2024

    Australia's new Digital ID Act 2024 was passed in May and will commence on proclamation – expected to be 1 December 2024. 

    The new laws drive two linked initiatives:

    • an expanded Australian Government Digital Identity System (AGDIS), enabling greater participation by state and territory government bodies and the private sector. The AGDIS is currently most recognisable as the myGov and myGovID systems used to access Commonwealth services; and
    • a legislated accreditation scheme to accredit providers of Digital ID services. The scheme is an evolution of the current unlegislated Trusted Digital Identity Framework. Accreditation is mandatory to participate in the AGDIS. While accreditation is not a statutory requirement to participate in other Digital ID systems, those other systems might require accreditation as part of their terms.

    The Digital ID Act 2024 will be supported by:

    • Digital ID Rules – dealing with issues such as cyber and other incident reporting, trust-marks and record keeping, and system onboarding requirements for the AGDIS.
    • Accreditation Rules – covering requirements for obtaining and maintaining accreditation, whether a service provider is onboarded to the AGDIS or not.
    • Transitional Rules – enabling a smoother transition during the first 12 months, and the flexibility to address unforeseen consequences.
    • Data and technical standards – made by the Digital ID Data Standards Chair dealing with issues such as data standards for accredited service providers, and technical standards and service levels for the AGDIS.

    The new Digital ID (Transitional and Consequential Provisions) Act 2024 focusses on automatically transitioning approvals and accreditations for Commonwealth Government entities from the existing unlegislated framework with minimal disruption.

    You can read more about how Digital ID works in our earlier publication.

    Digital ID laws remain controversial

    Digital ID laws were passed with support from minor parties and independents – which required agreeing some significant amendments from the Greens focussed on accessibility and digital inclusion.

    A private member's bill to repeal the Digital ID laws was introduced in late June. A focus of resistance to Digital ID laws is whether Digital ID will be truly voluntary. The second reading speech of the repeal bill focused on exemptions to the requirement that underlying services be accessible without using a Digital ID (the voluntariness principle, in section 74 of the new Digital ID Act). It is argued these exemptions could make having a Digital ID de facto mandatory.

    While we don’t expect this repeal bill to pass, with an election coming we may see pressure on both the Government and the opposition to modify Digital ID laws further.

    How were Digital ID laws changed in the Senate?

    Significant changes were made in the Senate, responding to concerns raised in Senate committees.

    • Private sector expansion in two years: Non-Commonwealth participants (including private sector and Commonwealth corporations) can apply to participate in the AGDIS after two years (the Minister may permit applications earlier by determination).
    • Tighter liability shield: Liability protections for participants in the AGDIS have been tightened to only apply to proceedings brought by other participants in the AGDIS (and not, for example, by individuals or regulators). The change brings greater public accountability for participants but is also a significant shift to liability and risk, particularly for a catastrophic or systemic issues.
    • Clarified data destruction: The rules may now selectively prevent other Commonwealth laws from authorising or requiring retention of data (such as privacy or archiving laws). State and Territory archives laws will need to be dealt with separately.
    • Privacy: Rules that prohibit using deactivated Digital ID for verification and reactivating a Digital ID without consent have been moved into the Act. Accredited small businesses are also now automatically covered by the Privacy Act rather than having to opt-in (which also has the effect of preventing them from opting out).
    • Transparency: Law enforcement bodies and enforcement agencies must report on their requests for access to Digital ID information to the Attorney-General, who will table reports in Parliament. Reviews of Digital ID fees will also be tabled in Parliament.
    • Accessibility and inclusion: Accredited entities must take reasonable steps to ensure services are accessible for individuals who experience barriers when creating or using a Digital ID. The Accreditation Rules will contain specific requirements around accessibility standards and guidelines, usability testing with diverse individuals, and support and assistance for those experiencing barriers. In making rules, the Minister must consult with organisations representing those who experience barriers creating or using Digital ID. In response to the myGov Audit, the Government released a Digital Service Standard 2.0 in December 2023 – new customer or staff facing Government services need to meet the new standards from 1 July 2024, and pre-existing services need to comply from 1 July 2025. Digital ID accessibility and inclusion requirements are expected to leverage the Digital Service Standard.
    • Biometrics: Accredited entities must take reasonable steps to continuously improve biometric systems to ensure they don't disadvantage or discriminate against any group.
    • Voluntariness: Underlying services need to be accessible using an alternative (non-AGDIS) means  they must be reasonably available, and on terms not substantially less favourable.
    • Redress for incidents (including fraud and cyber) must be included in the rules within 12 months  and must cover notifications to affected individuals, provision of information and support, and incident identification, management, resolution and complaint handling policies. 

    Significant matters in Rules and Data Standards consultation

    The Government has consulted on updated Digital ID Rules, Accreditation Rules and Data Standards to support the new Digital ID Act. Rules and standards are expected to be made in time for commencement of the Digital ID Act in December 2024. 

    The rules will be progressed in two tranches. 

    • Tranche 1 deals with issues that need to be dealt with for December commencement – including use of the Digital ID trustmark, reportable incidents and requirements and conditions to participate in the AGDIS.
    • Tranche 2 will commence up to 12 months after the first tranche – covering issues that require further policy development and consultation, or that are not required until the AGDIS opens up for private sector participation. This will cover issues such as such as dispute resolution, interoperability requirements, data localisation and charging. 

    As part of a recent reset to Australia's Consumer Data Right (CDR), the Assistant Treasurer wrote to the CDR Data Standards Chair:

    • emphasising the Government's focus on ensuring consistency with Digital ID;
    • supporting recent experiments, including ones testing interoperability with Digital ID; and
    • setting expectations that CDR standards will build on common elements of Digital ID and CDR – standards should align and be interoperable.

    A key part of the CDR's reset is reducing costs with a more disciplined and predictable approach to standards changes – with a fixed number of scheduled data standards releases per year, and an explicit focus on implementation and cost impacts. We expect a similar approach to Digital ID data standards, particularly as the AGDIS expands to the private sector.

    The broader technology reform agenda

    These changes have been proposed amid a very ambitious and busy digital, technology and cyber agenda for the Government, not long before the end of its term.

    • Consumer Data Right (CDR) – The Assistant Treasurer recently announced a more focussed, more refined CDR focussed on saving cost and driving high-value use cases – and looking to build on common elements of Digital ID, privacy reforms and CDR.
    • Privacy and doxxing – The Attorney-General and the Prime Minister have announced that they will bring forward a long-awaited bill to implement Privacy Act reforms and regulate doxxing (the malicious disclosure of personal information) – we also expect the release of an important strategic operational review of the Office of the Australian Information Commissioner. 
    • Cyber and critical infrastructure – The Government is expected to introduce a Cyber Security Bill and critical infrastructure reforms in coming weeks, a key part of its 2023-2030 Cyber Security Strategy regulatory reform agenda
    • Scams – The Assistant Treasurer recently announced next steps on the approach to regulating scam protection. 
    • Misinformation – The Government has consulted on draft legislation to help combat misinformation and disinformation, and provide ACMA with powers to enforce a code of practice. 
    • Artificial intelligence – We expect significant announcements in September – an Australian Senate Select Committee will report on opportunities and impacts for Australia arising from AI by 19 September 2024, and the term of the temporary expert group advising on mandatory AI "guardrails" was recently extended to September. In addition, Australia's May 2024 budget allocated funding to review and strengthen regulation of AI in health care, consumer, and copyright law. 
    • Online Safety – New standards have been registered by the eSafety Commissioner, coming into effect 21 December 2024. These complete the first tranche of codes and standards to manage the risks of seriously harmful online content such as child exploitation and pro-terror materials.  A second tranche of new codes are being developed dealing with age-appropriate access to online content.  A Statutory review of the Online Safety Act is due to report to the Minister by 31 October 2024.

    Part 2:  A deep dive - the new Digital ID Act

    The plan to expand – in four phases

    The Government’s plan to expand Digital ID economy-wide focuses initially on government, before a broader economy-wide integration. The expansion will follow four overlapping phases over a two-year period.

    • Phase 1, already underway, will grow the use of myGovID in Commonwealth, state and territory services, supported by the new legislation. The Government is also aiming to accredit more public and private service providers within the scheme.
    • Phase 2 integrates state and territory systems and services.
    • Phase 3 allows myGovID to be used in the private sector – for example, myGovID could be used to verify identity to open a new bank account, sign up for an electricity or telcommunications service, or sign a lease. Amendments to Digital ID laws made in the Senate mean private sector entities can apply to participate in the Government system after two years (or earlier if determined by the Minister).
    • Phase 4 will allow approved private sector Digital IDs to be used to verify users accessing some government services.

    Detailed rules for private sector participants have not yet been laid down – the Government’s recent consultation draft of underlying rules (discussed above) focusses on what is necessary for "day one” of the new regime, with further rules expected within 12 months.

    While the proposed legislation sets a framework for the Government’s vision, we expect it will need to change over time to facilitate these phases. Significant flexibility has been built in through exemptions, conditions and rule-making powers, similar to the approach adopted in the Consumer Data Right legislation – meaning the regime may be more easily tailored to deal with specific issues as they arise.

    The accreditation scheme

    Service providers in the Digital ID ecosystem, including Commonwealth, state and territory government bodies and private sector businesses, can become accredited for specified types of services, although initially only Commonwealth non-corporate entities will participate in the AGDIS. 

    Accreditation provides a baseline set of obligations and regulatory oversight for accredited service providers displaying an Australian Government trustmark, whether they provide services in the AGDIS or in a separate system.

    While accreditation is generally voluntary, a service provider needs to be accredited to provide services in the AGDIS. Participation rules for other Digital ID systems might also require accreditation, but there is no statutory requirement for them to do so.

    Accreditation requires an applicant to demonstrate how its Digital ID services meet requirements relating to accessibility and usability, privacy protection, security and fraud control, risk management and technology integrity – a process overseen by the ACCC as Digital ID regulator. 

    Once accredited, a service provider must comply with a range of obligations, including: 

    • being bound by Australian Privacy Principles (or state/territory equivalent) and data breach laws;
    • compliance with extensive additional privacy safeguards, including in respect of what information about a person (attributes) may be collected, consents, restrictions on dealing with biometric information and prohibitions on data profiling and marketing unrelated to Digital ID (regardless of consent);
    • deactivation of Digital ID and accessible/inclusive services;
    • blocking transactions involving compromised Digital IDs;
    • authorised use of trustmarks;
    • record-keeping and destruction of certain records; and
    • directions from the Digital ID Regulator and the production of documents and information.

    The Digital ID regulator also has the power to impose, vary and revoke specific conditions on an accreditation if the regulator considers that doing so is appropriate in the circumstances. Such conditions might, for example, address perceived security concerns, limit the extent of an entity’s authorisation (for example, to exclude biometric information) or specify the use of particular technology or systems.

    Types of accredited service provider

    The Digital ID regime is a federated model under which different types of service providers must cooperate to deliver a seamless and secure experience for the end user.

    There are three types of service accreditation:

    • Identity exchange provider – acts like a switchboard and manages the private and secure flow and transfer of information between identity service providers, attribute service providers and relying parties. This role is currently performed in the AGDIS by Services Australia using the myGov website and app.
    • Identity service provider – generates and manages an individual's digital identity by collecting, verifying, and validating attributes that confirm a person's identity. The current Australian Government service provider is myGovID, operated by the Australian Taxation Office (ATO). To initially set up a myGovID, the ATO will verify your identity documents. After that point, the myGov app can use your myGovID to access various government services (without needing to re-check your identity documents).
    • Attribute service provider – verifies and manages attributes that relate to a person's authorisation or characteristics (such as whether a person holds a licence, qualification, or permission). It manages information about a person other than identity. The Relationship Authorisation Manager operated by the ATO manages the fact that an individual is authorised to access services on behalf of a business. Similarly, myGov operated by Services Australia manages the fact that users have linked their myGov account with particular government services.

    For ease of accessibility, please see the table below the image to read about the end user journey

    Image text (for accessibility)
    The infographic is a diagram that illustrates the roles and relationships of different entities involved in the Digital Identity system in Australia. The system allows people to access online services from the government and the private sector using a verified digital identity account. The diagram shows four main types of entities: the identity service provider, the relying party, the attribute service provider, and the digital ID regulator. The identity service provider helps people set up and manage their digital identity account, which requires a 100-point paper-based ID check and a biometric face verification. The relying party is the entity that provides the online service that people want to access, such as a government agency or a private business. The attribute service provider is the entity that verifies additional information about the person, such as their business or customer status, that may be required by the relying party. The digital ID regulator is the entity that oversees the system and protects against fraud and privacy breaches.

    The Minister can add additional types of services over time as the Digital ID ecosystem evolves. For example, trusted digital wallets managing portable credentials will be a key part of the ecosystem, and policy development for digital wallets is already underway.

    The exemptions framework will provide some flexibility within these categories. For example, where a service might fulfil some, but not all, of the responsibilities of an existing category of service the service provider could apply for targeted exemptions rather than lobbying for the addition of a new category of service. This could be particularly relevant for state and territory services.

    Participating in the Australian Government Digital ID System (AGDIS)

    Participation in the AGDIS is voluntary. However, if an accredited entity or a relying party wishes to participate, it must go through a further onboarding process and comply with additional obligations. One reason the AGDIS includes additional obligations is its importance in providing Commonwealth services.

    Service providers must be accredited to provide services in the AGDIS. As part of “Phase 1” of the rollout, only non-corporate Commonwealth entities will be able to provide services in the AGDIS. State and territory governments will be able to apply for participation as part of Phase 2. Due to amendments made in the Senate, non-Commonwealth entities (like private sector participants and Commonwealth corporations) will be able to apply to participate in the AGDIS after two years (or earlier if determined by the Minister).

    The Digital ID regulator’s decision to permit participation in the AGDIS is separate to accreditation – the regulator must consider whether the accredited entity can meet the additional requirements of the AGDIS.

    A relying party is an organisation that uses the AGDIS, for example by accepting an AGDIS Digital ID as proof of identity. A relying party does not need accreditation, but access to the AGDIS will need to be approved by the Digital ID regulator.

    Key principles underlying the AGDIS include the following.

    • statutory contract that applies between each accredited service provider and each other accredited service provider or relying party in the AGDIS. Under this contract, service providers commit to provide accredited services.
    • The interoperability obligation – accredited service providers and relying parties must (in general) not refuse to provide services to other accredited service providers or relying parties in the AGDIS.
    • Creating and using a Digital ID is voluntary – in general, relying parties need to ensure that use of the AGDIS is not a condition to their supply of a service and an alternative way to verify identity is available. This is not a blanket rule – important exceptions include where a relying party is a small business or is an online-only service, and where the underlying service can be accessed by other means. Exceptions to the voluntariness principle have been a focus of resistance to Digital ID laws in Senate debates, and in the introduction of a private members' bill to repeal the Digital ID laws.
    • Data localisation – Digital ID Rules may include data localisation requirements for AGDIS data. While earlier consultation documents required data processing in Australia by default (subject to exceptions), revised consultation drafts took a step back, with rules around offshoring of data to be developed as part of a second tranche of rules due within 12 months.
    • As part of amendments agreed in the Senate, rules redress for incidents will be added within 12 months, requiring service providers to give notification, information, support, and assistance to those affected by an incident (including but not limited to cyber security and fraud incidents).
    • Change notifications – as with legislation for other types of critical infrastructure, accredited service providers will need to keep the Digital ID regulator informed of any actual or proposed change in control, or any significant IT system change impacting the AGDIS.
    • Additional responsibilities, data standards, service levels and conditions can also apply or be imposed.

    Relying parties have more limited obligations – such as ensuring that users can choose their identity service provider to allow interoperability within the AGDIS, and to report (and support end users who suffer) incidents such as digital identity fraud or related cyber security incidents.

    In granting approval to participate in the AGDIS, the Digital ID regulator can impose conditions that it considers appropriate in the circumstances – for example, conditions on the way services can be provided, kinds of information (including biometric information) which can be collected, and even specify the technology systems through which services are provided and place restrictions on changes to those systems. Further conditions can also be imposed under the rules.

    Liability and the statutory contract in the AGDIS

    Delivery of a Digital ID solution requires the various providers to work together, trusting that other providers are performing their roles appropriately. Currently, the providers involved in delivering the AGDIS are all Commonwealth bodies – but extending participation to state and territory and private sector raises questions about how liability will be allocated if things go wrong.

    Liability under the Digital ID Act is managed using a combination of a statutory contract and a liability shield – a shield that was significantly narrowed in Senate debates. We noted in our previous publications that private sector participants would want to see more clarity around liability in the Digital ID Rules. Recognising the need to have a workable regime in place by December, the Government updated consultation drafts of the Digital ID Rules to defer detailed liability arrangements for a second tranche of rules expected within 12 months.

    In the meantime, the rules include an interim arrangement reflecting the current (unlegislated) Trusted Digital Identity Framework. Under this interim arrangement, participants will not be able to make claims to be compensated for a breach of the statutory contract. Any compliance or non-compliance with the statutory contract is not considered a breach of the statutory contract, and no amount of compensation is payable for any kind of loss directly or indirectly attributable to non-compliance.

    Once the second tranche of rules are introduced, service providers in the AGDIS can expect to be accountable not only to the Digital ID regulator, but to each other service provider and relying party in the AGDIS – a statutory contract is created between each accredited entity in the AGDIS and:

    • each other accredited entity in the AGDIS; and
    • each relying party in the AGDIS.

    Entities will be able to take action in the Federal Circuit and Family Court of Australia, which can make a broad range of orders, including any order considered appropriate.

    While the relationships between service providers and relying parties appear relatively straightforward with the currently very small number of AGDIS participants, we may see multiple identity exchanges operating within the AGDIS in the future – and interoperability requirements will mean that in the future service providers connected to one exchange may interact with service providers or relying parties connected to a completely different exchange.

    The statutory contract framework facilitates interoperability in a way that traditional contracts would not – accredited service providers connected to any exchange will be automatically subject to a statutory contract with every other accredited service provider and every other relying party in the AGDIS, including those connected to different identity exchanges.

    Under the statutory contract, an accredited entity agrees to comply with a limited set of obligations:

    • to provide accredited services while participating in AGDIS in compliance with the obligations relating to verifying the identity of an individual or authenticating the Digital ID or information about an individual; and
    • to comply with prescribed requirements in relation to intellectual property rights.

    The recourse that a party to a statutory contract will be able to seek from the other party to the statutory contract is limited to these set obligations. Importantly, only accredited entities, and not relying parties, have obligations under the statutory contract. Accredited entities are protected from liability in limited circumstances – but the drafting of the liability shield was significantly tightened in the Senate. While the Digital ID Bill as introduced provided immunity to civil and criminal liability, the final liability shield will only apply to claims and proceedings brought by another participant or relying party in the AGDIS. The shield will not apply to, for example, claims brought by end users or regulators.

    This change emphasises the need for strategic risk and obligations management – taking a holistic view of regulatory and legal risks. Understanding and complying with Digital ID requirements will not necessarily protect a provider from claims that it has breached other laws – which may have significant implications, particularly in the event of serious or systemic failures.

    Under the final Digital ID laws, an accredited entity will have no civil or criminal liability:

    • for a claim or proceeding that is:
      • brought by another participant or relying entity (and not, for example, by a regular or end users);
      • for providing or not provide an accredited service within the AGDIS,
    • provided that either:
      • it has both acted in good faith and complied with its legislated obligations (other than the service levels); or
      • it has not complied with its obligations, but the non-compliance is not the ground or cause of the relevant action or proceeding – that is, the liability shield will not be lost due to unrelated non-compliances (such as technical or irrelevant ones).

    The exclusion of service levels will allow the Data Standards Chair to set expectations that drive better performance, without exposing participants to unreasonable and unpredictable liability.

    The statutory contract and liability shield leaves participants in the position where demonstrating compliance can mean the difference between absolute immunity and unpredictable liability – without the benefit of normal commercial tools like liability caps, exclusions of consequential or indirect loss, or force majeure regimes.

    The Government has recognised this concern and included rule-making powers that will enable the Minister to limit the types of loss recoverable, introduce liability caps, exclude obligations from the statutory contract, or to exclude certain conduct or circumstances as breaches of the statutory contract. This detail hasn’t been included in consultation draft of the Digital ID Rules due to the interim arrangements that prevent claims under the statutory contract – however, we will see a more nuanced approach to liability in the second tranche of rules expected within 12 months.

    The exact balance struck will have significant implications for risk management, insurance, and customer and supplier contract terms. On the one hand, potential liability to other participants presents an obvious financial risk – for example, if non-compliance by a participant enables a threat actor to create wide-spread harm. On the other hand, an inability to claim against other participants due to the liability shield can leave an organisation bearing financial loss caused by another participant.

    Consumer Data Right legislation includes a similar (but different) liability shield and statutory contract arrangement, and we may see the models align over time.

    Digital ID systems outside of the AGDIS will impose different rules – for example, through contracts signed by participants in private sector solutions. The statutory contract that applies to AGDIS participants can be seen as a transparent and regulated replacement of the commercial participation terms used in private sector solutions.

    Penalties

    Penalties under the Digital ID Act are five times higher than those proposed in early exposure drafts – reflecting a growing trend towards higher penalties, particularly in areas of consumer, data and cyber safety.

    Maximum penalties can be up to 1,000 penalty units, or 1,500 penalty units in some cases, such breach of an additional privacy safeguard or offshoring AGDIS data unlawfully. Government bodies and bodies corporate can face maximum penalties five times this amount – currently amounting to maximum penalties of $1,565,000 or $2,347,500 per breach.

    Failure to comply with new privacy safeguards is considered an interference with privacy, exposing entities to maximum penalties potentially exceeding $50 million. In addition, new privacy laws expected this month are likely to include new lower tiers of penalties, a new direct right of action for breaches of the Privacy Act, and a statutory tort for a serious invasion of privacy.

    The liability shield discussed above is particularly important given the potential privacy risks that could flow from a systemic failure in the Digital ID system – the liability shield will not protect service providers from massive new privacy penalties, and potential class actions or other claims under new privacy reforms – whether or not they have complied with Digital ID laws.

    The Digital ID regulator and System Administrator

    Oversight and enforcement of the Digital ID laws are shared between:

    • an independent Digital ID regulator (the ACCC);
    • Services Australia as the "System Administrator" of the AGDIS; and
    • the Australian Information Commissioner on privacy matters.

    The Government continues to describe the Australian Competition and Consumer Commission (ACCC) as the "initial" regulator – consistent with earlier comments from Minister Katy Gallagher that the Government may hand oversight over to a "digital-specific regulator" as the system matures.

    The Digital ID regulator is responsible for governing the Accreditation Scheme and approving entities who wish to become accredited providers in the AGDIS.

    The Digital ID regulator’s powers allow it to give directions, require production of information or documents, and suspend or revoke accreditation or approval. In relation to enforcement, the regulator has powers to issue infringement notices, and seek enforceable undertakings, injunctions, and civil penalties. Functional separation has been adopted (to a degree) by placing rule-making powers with the Minister rather than the Digital ID regulator to reflect current arrangements under the Consumer Data Right (the ACCC originally held rule-making powers).

    It is possible that future Digital ID regulation will adopt greater functional separation – we may see the role of the Digital ID regulator split, with a registrar focussed on accreditation, and a regulator focussed on compliance and enforcement. Such an arrangement might encourage more open engagement on accreditation challenges.

    Fraud and cyber security incidents

    The new Digital ID laws supplement existing notifiable data breach obligations in the Privacy Act or state or territory equivalents – reports to privacy regulators must be given to the Digital ID regulator at the same time. Where another regime does not apply to an accredited entity, the Commonwealth notifiable data breach regime will apply. 

    In addition, the Digital ID Rules require accredited service providers in the AGDIS to notify and manage "reportable incidents". These incident notification obligations have been simplified in latest consultation drafts of the rules – notifications now need to be made within one business day (rather than 24 hours) after an entity becomes aware of an incident or suspected incident. Incidents must now be reported to the Digital ID System Administrator (Services Australia).

    The rules provide a degree of flexibility – if an initial notification is verbal, a written notification must be provided within three working days. Acknowledging that it may not be possible to provide all information in relation to a cyber security incident within the prescribed timeframe, interim further notifications can be given every 48 hours as additional information becomes available. This flexibility can be extremely important in the initial aftermath of a cyber incident where, for example, computer systems normally used for incident reporting might be compromised, or where the full picture is not yet clear.

    However, this regime does not align with other data breach reporting obligations, such as under the Commonwealth Privacy Act (or state/territory equivalents) or security of critical infrastructure legislation. Accredited entities will need to update their cyber response plans to manage different reporting obligations and timelines.

    In addition to the notification requirements, the Digital ID regulator has the power to suspend the accreditation of an accredited entity in a range of circumstances, including serious cyber security incident involving the entity, or if one is imminent. The Digital ID regulator can also revoke accreditation or approval to participate in the AGDIS for a "serious" cyber security incident.

    The ability to in effect exclude service providers may on the one hand help triage compromised systems and protect other parts of the Digital ID ecosystem – but may also cause significant interruption at a particularly challenging time. In theory, a network of interoperable service providers would provide a level of redundancy – but in practice, relying parties and individuals may lose their ability to access services if their chosen identity service provider is excluded. If an identity exchange is excluded, the service providers connected to that identity exchange might be unable to operate. Building true redundancy will require service providers to be connected to multiple exchanges, and relying parties and individuals will need identity credentials maintained by multiple identity service providers.

    Organisations will need to factor both cyber risks, and the risk of potential business interruption, into their business continuity plans.

    Fees and charges

    End users will not be charged for creating or using an AGDIS Digital ID. Relying parties looking to verify identities using the AGDIS will need to build Digital ID costs into their overall commercial framework rather than passing costs on to users directly. The legislation was amended in the Senate to require the Attorney-General to table reviews and feedback regarding Digital ID fees in Parliament.

    The Government will not charge entities for accreditation and participation in the first two phases of expansion (across Commonwealth and state and territory governments). However, the Department of Finance will develop and conduct public consultations on an approach for charging ahead of private sector participation in the AGDIS.

    The charging model, and how charges may be recouped, will be an important factor impacting industry uptake, participation, and use of AGDIS. The model may also have knock-on effects on commercial models and investment in private sector and state and territory Digital ID solutions (whether part of the AGDIS or not).

    Commercial models adopted overseas will also need to be considered – not only must Australian Digital ID systems be technically interoperable with overseas solutions, but also commercially interoperable.

    Transition arrangements

    The Digital ID (Transitional and Consequential Amendments) Act 2024 prioritises making sure that Commonwealth Government bodies currently using and relying on the (unlegislated) AGDIS can continue to operate with minimal disruption. Commonwealth Government bodies and services already accredited are deemed accredited under the new regime, and those approved to participate in the current unlegislated AGDIS are deemed approved under the new regime.

    Accreditation and approvals are subject to conditions similar to those that currently apply (for example, limiting accreditation and approvals to specified services, and requiring services to directly connect to Services Australia). This means new or changed services, or changes to how services interconnect, will require review and changes to accreditations and approvals.

    The Act does not automatically transfer accreditation or approval for non-Commonwealth entities, who would need to meet the Accreditation Rules. But the door has been left open for the Minister to make further transitional rules (including to similarly deem accreditation and approval) in the first 12 months after commencement, allowing the Minister to transfer existing accreditation and approval (potentially subject to conditions).

    Explanatory materials call out an important use of transitional rules – to allow the Commonwealth to test plans, systems and business processes for future expansion of the AGDIS by:

    • transferring accreditation of state or territory government services accredited under the unlegislated Trusted Digital Identity Framework and participating in the AGDIS; or
    • approving state and territory services to participate as "relying parties" in the AGDIS; and
    • approving private sector services to participate as "relying parties" in the AGDIS.

    This ability for the Commonwealth to test systems and processes is in addition to the AGDIS System Administrator (Services Australia) power under the Digital ID Bill to authorise entities to conduct testing in the AGDIS without holding an approval to participate from the Digital ID regulator, which may be granted for up to three months and can be conditional.

    Want to know more?

    A deeper dive into Australia's Digital ID Bill (6 December 2023)

    Whole-of-economy Digital ID laws by the end of the year (29 September 2023)

    Identity Resilience and digital identity – key defences against cyber threats (23 August 2023)

    Australian digital identity gains traction – a new national strategy, and legislation on its way (7 August 2023)

    Managing cyber risk digital identity comes back into focus in Australia (18 April 2023)

    A trusted digital identity framework for Australia (13 October 2021)


    This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.

    The Ashurst Group comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.

    The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.

    For more information about the Ashurst Group, which Ashurst Group entity operates in a particular country and the services offered, please visit www.ashurst.com

    This material is current as at 15 August 2024 but does not take into account any developments to the law after that date. It is not intended to be a comprehensive review of all developments in the law and in practice, or to cover all aspects of those referred to, and does not constitute legal advice. The information provided is general in nature, and does not take into account and is not intended to apply to any specific issues or circumstances. Readers should take independent legal advice. No part of this publication may be reproduced by any process without prior written permission from Ashurst. While we use reasonable skill and care in the preparation of this material, we accept no liability for use of and reliance upon it by any person.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.

    Key Contacts