Digital ID is shaping up as the next data localisation battleground, with the Tech Council of Australia arguing proposed rules requiring onshore hosting for the scheme will do nothing to improve security.
In a submission to the parliamentary inquiry into the Digital ID Bill, the industry body for Australia’s tech sector said that while it supports the passage of the legislation in its current form, the underpinning rules should be tweaked.
“We believe these matters may be appropriate for the Committee to consider in its report, but importantly, do not affect the content of the primary legislation,” it said this week, adding that the bill is “crucial to realising the benefits of digital IDs”.
According to the Digital ID Rules, accredited entities will be prevented from holding, storing or handling system information – information that “generated, collected, held or stored by the entity in relation to the Australian Government Digital ID System (AGDIS)” – outside Australia.
System information must also not be transferred to a “place outside Australia for storage or handling”, unless that entity obtains an exemption from the Finance minister to hold the system information offshore.
In granting an exemption, the minister must consider whether the proposed hosting jurisdiction has privacy laws that are “at least substantially similar” to how the Australian Privacy Principles operated in Australia.
But the requirements to “localise data … runs contrary” to the government’s wider efforts to support data security, including through the uplift proposed in Australia’s recent cybersecurity strategy, according to the Tech Council.
“Data localisation is based on the misconception that cybersecurity risk is dependent on physical location. However, the main determinants of cyber-resilience are technical, such as strong encryption measures and infrastructure protection, and governance-related,” it said.
The Tech Council, which joined other tech giants in opposing the expansion of data localisation requirements beyond “highly sensitive use cases” in 2022, also noted that there is no “data localisation by default” for critical infrastructure providers.
The group also shares the concerns of a handful of business, including two of the big four banks, and the Business Council, that there is a lack of transparency over the “timing of the proposed phasing of the expansion” to the private sector.
Under the current plan, the expansion will begin with state and territory government, before moving to the private sector, including existing providers of ID like Australian Payments Plus and Mastercard, in the fourth and final phase.
“To maintain a fair competitive landscape and offer consumer choice, private providers should be quickly granted the same access and opportunities to the AGDIS as their public sector counterparts, contingent upon meeting equivalent accreditation requirements,” the Tech Council said.
“The current lack of clarity regarding the timing of these rollout phases poses a challenge for private sector planning and industry preparedness, and could also put private providers at a competitive disadvantage to public sector providers.”
The TCA has also asked that the government prioritise work to extend the digital ID system to credentials “as soon as possible” and extend the timeframe to report cyber incidents to 72 hours, in line with the current Australian Cyber Security Centre requirement for critical infrastructure.
“The TCA has long supported the development of legislation to create a secure, convenient, interoperable and inclusive digital ID system in Australia,” the submission, submitted to the inquiry on Monday, said.
“In an era of unprecedented digital connectivity, with an increasingly number of transactions and interactions taking place online, digital IDs are a cornerstone for the integrity of digital economies – helping to boost productivity, improve citizen experience and enhance security and privacy.”
