COVIDSafe and Identity: Governance Beyond Privacy

There has rarely been a greater test of our structures of governance than the flurry of lawmaking amidst the declared emergency of the COVID-19 pandemic. Self-containment and restrictions on public (physical) engagement are starting to take their toll. Consequently, while fearful of the worst-case scenario of this terrible disease, some individuals are eager to ‘return to normal’. And to do so, they are willing to accept what is effectively a new social contract. The deal includes subscribing to an app (called COVIDSafe) that uses Bluetooth technology to log when a user has come into contact with other app users. If a user contracts COVID-19 then they may give the data to state and territory public health authorities who can use it to help trace the user’s past contacts and warn them about possible exposure.

Originally Prime Minister Scott Morrison would not rule out making the app mandatory, but subsequently promised that it would be entirely voluntary. Since the app was released on 26 April there has been a massive public relations campaign to encourage people to download (and use) the app. The government’s COVIDSafe website helpfully provides a range of free ‘campaign resources’, including social media ‘tiles’ (graphics), videos, and audio segments to promote uptake. The Prime Minister has said that if we want to go to the pub, download the app. The Health Minister promises a return to the footy if we download the app.

While public debate continues about the efficacy or desirability of COVIDSafe, there is an underlying question arising from its implementation. The app provides an interface between the individual and government mediated through personal data (one’s physical contacts). It does not provide a direct assertion of one’s COVID-free status such as the ‘immunity passport’ proposed in other jurisdictions. But through the mode of the app’s promotion, in the eyes of many it amounts to a proxy for health and certainly for safety.

Before the app was released, the Prime Minister was already talking up the return to a ‘COVID-safe economy’–implicitly releasing the branding of the forthcoming app. As a ticket out of isolation for all the community, it is an externally visible signal of one’s belonging–‘we’re all in this together’. Those who have not downloaded the app are therefore, by definition, marked as ‘other’. This sets up a differential characteristic based on ‘data status’, leaving those who do not download the app open to recrimination and discrimination.

We have recently seen analysis on the human rights dimensions of COVID-19, for example, on this blog, by Sarah Joseph, by Maria O’Sullivan, and by Kevin Bell. And Caroline Compton has analysed the paradox of trust involved in rolling out the COVIDSafe app. In this post, we also look at human rights, addressing how they are implicated in features of the app and its roll-out. More specifically, we analyse the laws concerning the app to identify the broader implications for those who do–or don’t–avail themselves of voluntary data collection technology. We are particularly interested in whether personal data and its interface with the state might comprise a new feature of identity–one that alters the existing ecosystem of protections concerning disclosure of personal information. We call this feature ‘data status’: a signifier of one’s belonging to a class of people according to whether or not they are prepared to voluntarily share data with the government.

Emphasis on Data Privacy

Without here interrogating the power of the Commonwealth to commission an app and release it on various platforms in the name of the Commonwealth, the lawmaking infrastructure surrounding the app’s introduction is familiar. The Health Minister is empowered under s 477(1)(a)(ii) of the Biosecurity Act 2015 (Cth) to ‘determine any requirement…necessary to prevent or control the … spread of the declaration listed human disease in Australian territory’. Pursuant to that power, on 25 April 2020 Health Minister Greg Hunt issued the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements–Public Health Contact Information) Determination 2020 (Cth) (‘Determination’).

Independently of the app itself, the Determination’s object (in s 4) is to ‘encourag[e] public acceptance and uptake’ of the app. The Determination achieves this object by providing for the collection, use or disclosure of COVID app data (s 6); treatment of the data (s 7); decryption of the data (s 8); and coercion concerning the app (s 9). Since then, the Attorney-General has released an exposure draft of a Bill to amend the Privacy Act 1988 (Cth) in respect of the app’s operation. The Bill mirrors the provisions in the Determination–and its objects, too, are to assist in controlling COVID-19 by providing stronger privacy protections for the app data and users, to encourage public acceptance and uptake of the app (s 94B).

The Health Minister has said that ‘[t]he safeguards that have been put in place are the strongest ever.’ Given that Parliament has, over recent years, set in place a powerful system of data gathering, access, and retention, this is perhaps not a difficult standard to exceed. Overall, the data protection provisions appear fairly robust, despite deficiencies in the process of their introduction.

In addition to the familiar framework of privacy concerning government collection of and access to personal data, the Determination prohibits ‘coercing’ people to take up the app, to use it, or to consent to uploading the data to the health authorities (s 9). In support of the prohibition on coercion, it prohibits refusing contracting, employment, entry to premises, participation in activities, and supply or receipt of goods and services on the basis that someone does not have or is not using the app. Again, the Draft Bill creates an offence of ‘requiring’ (a different standard, presumably, to coercion) another person to download the app, to have it in operation, or to consent to uploading data, and of refusing entry or service if a person does not have or is not using the app (s 94H). The five-year prison term for a breach of the proposed s 94H is ostensibly a strong deterrent.

The provisions do not go so far, however, as to prohibit coercion or refusal of service through asking for information about whether a person has downloaded the app. For example, if an employer asks an employee only to tell them whether or not they have downloaded the app and the employee refuses to disclose this information, there is no sanction if the employer takes disciplinary action against the employee. One’s ‘COVIDSafe Status’ is itself, apparently, not considered protected information.

The coercion provisions in the Draft Bill implicitly recognise that the app necessarily creates two classes of people: those who have and use the app, and those who do not. While the genesis of the provisions is reassurance that the app is indeed not compulsory, they acknowledge the heightened social anxiety during the pandemic and the potential for discrimination–examples of which have already occurred including at one local council that was reported as having required staff to download the app as a precondition to coming to work, claiming that it was a lawful and reasonable direction (that council has since reversed course).

Given the public concern regarding COVID-19, and the desire of business to get the economy restarted, this kind of demand is likely to become common–despite the provisions in the Draft Bill. There are likely to be implications arising from the app beyond a user’s data privacy that demand closer attention in terms of meaningful protection of one’s data status.

Data Privacy or Data Status?

Data collection is a function of government, and privacy laws in Australia generally govern the collection, use, and deployment of personal information. But whether that data is collected for purposes of criminal justice, for the Census, or for personal interactions with government (eg MyGov, MyHealthRecord, etc), data serves as the interface between the individual and government. While data may constitute part of one’s identity formation in terms of government service delivery, or inform relations with government, it is not constitutive of that individual in non-government contexts. The fact of one’s data status with government is itself private.

Regardless of the privacy of one’s COVIDSafe data in terms of its collection and sharing with government, the app’s marketing and operation are inherently networked and social. All technology has a social context. The broader context of the delivery of COVIDSafe–as an app, by government, in the middle of a pandemic, for the inherently collective goal of public health–is entirely relevant to its regulatory framework, through the Determination and the Draft Bill.

As evidence of the app’s social context, the government itself is using considerable social pressure by holding out the promise of winding back restrictions if the public downloads its app. Further, the government is providing guidelines for business about reopening in a ‘COVID safe way’. All messaging about reopening the economy is branded ‘COVID safe’, inherently positioning the app as integral to measures to re-open life as we know it. This discourse can already be seen to enhance public acceptance of the app. ‘App shaming’ has begun, with those who refuse to download the app being likened to anti-vaxxers, and politicians’ data status being publicly linked to whether restrictions are eased. While not yet specific discrimination or harm, these examples are indicative of how one’s data status might form the basis of discrimination and recrimination.

The framing of the Draft Bill is to encourage public acceptance of the app to control COVID-19. Enhancing privacy is the means of achieving this goal. By amending the Privacy Act, the Draft Bill recognises COVIDSafe as the data interface between the individual and the state. It therefore regulates the collection, storage, and use of data. Such rights are well-recognised in supporting the user to control their personal information including e.g., requesting that data is deleted (s 94L). In regulating the relationship between the individual and the state in terms of data use per se, the privacy framework does not, however, address the additional, social, context of the app. This context exists beyond the individual-state nexus of privacy law. The individual’s choice to download the app–creating a data ‘status’–identifies them in the community beyond their personal relationship with government, and beyond privacy law.

Data Status and Human Rights

Although data privacy aspects of the app are largely covered in the Draft Bill, the prohibition on coercion regarding downloading or using the app offers a useful study in the limitations of privacy and criminal sanctions as protection for users who acquire a potentially publicly facing data status through their choice, or their ability, to download the app or not. The privacy policy for the app recognises the need for redress against coercion, suggesting that those who are coerced or ‘feel pressured’ to use the app, or to upload their data, should lodge a complaint with the Department of Health, the Office of the Australian Information Commissioner (OAIC) or the Human Rights Commission.

The OAIC is a statutory agency overseeing complaints about privacy and data breaches. While this is the correct agency to investigate data breaches involving the app, its remit does not obviously include the power to investigate complaints about coercion concerning the app. Coercion about the app does not concern a breach of data use per se. It reflects treatment of a person based on their data status: whether or not they have downloaded the app.

The Australian Human Rights Commission is empowered to receive complaints regarding discrimination and breaches of human rights. Discrimination is defined in s 3 of the Australian Human Rights Commission Act 1986 (Cth) as:

any distinction, exclusion or preference made on the basis of race, colour, sex, religion, political opinion, national extraction or social origin… or any other distinction, exclusion or preference that has the effect of nullifying or impairing equality of opportunity or treatment in employment or occupation; and has been declared by the regulations to constitute discrimination.

Downloading the COVIDSafe app, or not, is not a head of discrimination. For example, if a person is excluded from a shop or a workplace because they do not have the app installed, that would not be discrimination on the grounds identified in s 3. Further, it is difficult to see that one’s ‘COVIDSafe status’ reflects a human right under the Universal Declaration of Human Rights or any other international human rights treaty. It seems, without more, that the Human Rights Commission is not empowered to hear a complaint about coercion. That leaves the excluded person without any realistic remedy, despite the Health Minister’s assurance that the Determination features ‘the strongest ever possible protections’.

The nature of the COVIDSafe app and its purpose have created a novel type of status that lies beyond mere data protection, or privacy. In its desire to ‘encourage public acceptance and uptake’ of a data collection technology, the government is creating a new form of identifying feature to distinguish between individuals, based on their data choices or their ability to enter into the data arrangements. Despite criminal sanctions against coercion, the Draft Bill has not afforded substantive rights concerning discrimination on the grounds of data status.

So long as the app is voluntary and government sells it as desirable (or even imperative), it creates a differential characteristic that marks individuals in a social, networked way. The notion of choice (or ability) is therefore inherently constrained, given the circumstances of the app’s introduction.

Whether the app provides significant public benefit is yet to be seen. But if public-facing data collection tools are to be added to government strategies, then we need to be considering appropriate frameworks for protecting data status. Without such protections, the app holds potential to become another Trojan horse, permitting public acceptance of other forms of personal data collection in the future, perhaps with quite different ends in mind. What might feel safe now in the shadow of pandemic may make us unsafe in the future.

Originally posted here on Auspublaw.

Kate Galloway is associate professor of law at Griffith Law School, and a member of the Law Futures Centre.Melissa Castan is an Associate Professor at Monash Law School, and a member of the Castan Centre for Human Rights Law.

Suggested citation: KateGalloway and Melissa Castan, ‘COVIDSafe and Identity: Governance Beyond Privacy’ on AUSPUBLAW (11 May 2020) <>