Australia has passed two pieces of legislation on digital identity, potentially bringing new options for authentication for payments companies alongside stricter privacy requirements.
The Digital ID Bill 2024 and the Digital ID (Transitional and Consequential Provisions) Bill 2024 passed through the House of Representatives on Thursday May 16, following their approval in the Senate in March.
The passage of these bills provides the necessary framework for the expansion of the Australian Government Digital ID System, the government said in a press release.
Payment service providers in the country will now be able to apply to join this framework, which aims to enhance privacy and security for Australians interacting online.
The private sector in the country has already been focusing on digital ID opportunities, with various applications already available in the market. For example, Mastercard has launched a new ID service, which is available in Australia as well as New Zealand.
The Labor-led government now aims to build an economy-wide, federated system to manage citizens’ online identity. This will over time integrate national and state government bodies, and the private sector, into a common interoperable framework.
The end goal is for government and private sector credentials and systems to be interoperable under common standards.
This echoes initiatives elsewhere, such as the EU, where the Digital Identity Regulation (sometimes referred to as eIDAS 2.0) passed earlier this year.
Most EU countries already have strong digital ID provisions at the national level.
Australian Payments Plus (AP+), a membership organisation that is also behind ConnectID, was among those welcoming the passage of the Digital ID Bills in parliament.
Rick Iversen, product and scheme lead at the company, said that the new laws were “concrete advances” in Australia's journey towards a more secure and inclusive digital future. “Through ConnectID, businesses and consumers alike benefit from authenticated, trusted sources of ID verification without the creation of new honeypots of data.”
The new Digital ID laws will “create a secure, cohesive digital identity framework, allowing for the development of a more efficient and secure digital ecosystem”, he said. “This will allow business to prosper and consumers to navigate the digital space with greater ease, privacy and confidence.”
What will this legislation do?
The legislation is intended to strengthen the voluntary accreditation scheme for digital ID service providers to ensure compliance with best practice standards in privacy, security, proofing and authentication.
It will also enable the expansion of the Australian Government Digital ID System for use by the national, state and territory governments, and eventually private sector entities as well. The bill will embed robust privacy and consumer safeguards, supplementing the Privacy Act.
Ultimately, the government has said it will give Australians a broader selection of secure and trusted digital identity providers.
“Digital ID makes it safer and easier for Australians to prove who they are online,” Katy Gallagher, the country’s minister of finance, has previously said. “Australians will be sharing less personal information, which is held by fewer organisations, that are subject to stronger regulation, reducing the chance of identity theft online.”
Next steps
The bills are due to be passed into law in the coming weeks, with the legislative acts expected to commence by November 2024.
Upon commencement, the Australian Competition and Consumer Commission (ACCC) will serve as the Digital ID regulator, working alongside the Office of the Australian Information Commissioner (OAIC), which will oversee the privacy aspects of the Digital ID System.
The legislation enforces compliance by providing civil penalties and granting specific enforcement powers to the ACCC.
The regulator will have a calibrated set of powers, including the authority to request information, issue remedial directions and enforce undertakings. If necessary, the regulator can suspend or revoke an entity’s accreditation or participation in the Australian Government Digital ID System (AGDIS).
Additionally, the bill stipulates that breaches of its privacy safeguards may be treated as interference with privacy under the Privacy Act 1988, therefore allowing the OAIC to apply the powers and penalties available under the Privacy Act to Digital IDs.