Biometric Bills at 'high risk' of breaching human rights: Commissioner

Australia's Human Rights Commissioner has said the identity-matching Bills need clearer safeguards to remain consistent with international human rights obligations, while the Law Council of Australia has questioned whether the biometric data would be exempt from mandatory data breach reporting rules.

The identity-matching Bills currently facing Parliament are at "high risk" of violating Australia's human rights obligations, Human Rights Commissioner Edward Santow has told the Joint Intelligence and Security Committee.

According to Santow, there are four main areas of concern: Proportionality; autonomy; lack of democratic oversight; and the risk of fraud and other unintended consequences.

"The Bills are unprecedented in impacting on Australians' privacy," he said during a hearing on the committee's Review of the Identity-matching Services Bill 2018 and the Australian Passports Amendment (Identity-matching Services) Bill 2018.

"The problem with the Bills is some of the permitted purposes for sharing personal information is so broad that they could give especially law-enforcement and intelligence bodies almost unrestricted power to share personal data."

Protections have not been written into the Bills, only being addressed in the explanatory memorandum, he said, which could lead to the "mass surveillance" of Australians.

In addition, he pointed to the "high level of discretion" being vested in the departmental secretary by the Bills, including over what biometric data could in future be gathered.

"The Bill focuses on the use of facial images for identity matching, but there are many other types of biometric information that could be used in time," he argued, saying the draft legislation "would enable a relatively swift process by which new forms of data can be used without the full parliamentary oversight" at the discretion of the minister.

On fraud and unintended consequences, Santow pointed towards the potential for biometric data to be stolen or misused.

"A centralised system of personal information can create a focal honey pot of biometric data that if compromised massively increases the risk of identity theft," he said.

"The aggregation of data into a single system carries risks, and so the way to address those risks is either to say it's too dangerous, the risk-reward ratio doesn't play out, or to have very, very stringent protections where you can be really incredibly confident that nothing will go wrong."

According to Santow, "innocent people" could also end up being accused of serious crimes if they simply happen to resemble someone else.

"There needs to be stronger protections against those unintended consequences," he said, suggesting that Parliament looks at what protections are in place, what justifications there are for collecting the biometric data, and whether these are sufficient -- especially since the uses set out in the Bill are "incredibly broad", as "assist in helping solve a crime" could refer to any crime.

"We're not making any criticisms of the law-enforcement agencies or intelligence agencies; what we're saying is that any Australian government agency relies on the parameters set out in the legislation they operate under, and those parameters have to be really clear about what they can use information for and what they can't," he explained.

"What we need to do is find mechanisms so that we can achieve the objectives of the legislation ... but do so in a way that is consistent with international human rights obligations that apply to Australia."

Referring to the Department of Home Affairs' views that a warrant process would be too "resource intensive", Santow said timeliness does need to be taken into account, but that warrants are necessary.

"That's why we need to have a streamlined, efficient process whereby the government is able to apply for a warrant," he said.

"It needs to be properly resourced, but it can apply for the warrant as swiftly and efficiently as possible. A decision on whether to grant that warrant needs to be able to be made swiftly and efficiently, and then that balance is most likely to be able to be satisfied and assured that people's human rights are not under threat, and also to ensure that mistakes are much less likely to be made.

"Australia becomes no safer if through too much haste we make mistakes about the identification of, for example, potential criminal perpetrators. It's really important. Warrants can actually increase the security and safety of the community by ensuring that only the best evidence is considered and used."

DHA had last month written in its submission: "The time involved in preparing, reviewing, and granting a warrant application to use services would significantly delay, and in some circumstances undermine, law-enforcement and national security investigations; impede operational activity, including the prevention of criminal acts; and divert resources from investigations."

Bills exempt from mandatory data breach reporting?

Also facing the joint committee on Thursday, the Law Council of Australia said that significantly, the Interoperability Hub to be used under the draft laws may not be subject to the mandatory data breach notification laws that came into effect in February.

"If the hub is not subject to the [Privacy] Act itself, it will not be subject to mandatory breach reporting," the Law Council said, explaining that the way the breach reporting laws were drafted means they do not attach to items that are exempt from the Privacy Act.

Like the Human Rights Commissioner, the Law Council also expressed concern about scope creep of government surveillance on citizens, saying that the right to privacy must be protected, with proportionality and balance needing to be better addressed by the Bills.

"I think it's quite self-evident that there are questions about use, consent, purpose, creep, safeguards," the Law Council said.

"The question of consent is inextricably interwoven into the question of use and purpose, and the purpose issue is about the purpose that a citizen thought she or he had in providing a certain type of information that can then be used for entirely different purposes, and the quality of the consent that goes with that.

"Are Australians going to be comfortable with surrendering their biometric evidence that was gathered for an entirely different purpose to be placed in a hub that contains a great deal of personal and private data when we don't actually in this Bill know precisely what it's going to look like?"

The Law Council suggested that the public be consulted on the matter, to see "how prepared we are as Australians to give up our private information to law-enforcement agencies". Citizens might be fine with their biometric data being collected to protect against serious crimes like terrorism and national security, for instance, but not consent to the everyday collection of data, the group said.

Consent therefore needs to be clarified before collecting data, the Law Council argued, with Australian Privacy Principle 6 requiring consent for secondary use of sensitive information -- but the Bill is missing detail and a framework on how to formulate such detail on this.

"The hub at this juncture seems to offer both civil and criminal issues and conflates that, and I think that's where a lot of the lack of clarity starts to erode from the Bill," the group said.

"The controls around the sharing of that information would need to be commensurate and proportionate to the uses."

Lastly, the Bill is "very vague and very broad" on the issue of whether the public will ever find out which private sector entities gain access to the facial verification service, the group said.

"It really goes to the central question of oversight ... the absence of any separate regulatory oversight," the Law Council said.

"In relation to the obligations placed on the Human Rights Commissioner and Information Commissioner to be consulted by the minister when he considers making rules ... there is no additional present resourcing available. So not only is the auditing and perhaps non-public reporting opaque, but it doesn't appear to us to be supported with any additional resourcing of those officers."

According to DHA -- which also spoke during Thursday's hearing, announcing that it has purchased a facial recognition algorithm to be used for the service but is exempt from revealing the vendor -- Australians give consent when they fill out a passport application.

"When people apply for a passport, they sign a declaration in which it appears quite prominently as one of just a few points -- not one of these long legal screeds -- 'I understand that my photo and personal information will be used for data and biometric matching purposes'," DHA said.

"Even in the event that the application is withdrawn, biometric matching allows the passport photo to be electronically compared with other facial images to confirm identity.

"They don't explicitly give consent for it to be used for other purposes, but where it is used for other purposes, those purposes are authorised by law in the Privacy Act or the Passports Act."

The Australian government had in February introduced the two Bills into the House of Representatives to enable the creation of a system to match photos against identities of citizens stored in federal and state agencies.

The Identity-matching Services Bill authorises Peter Dutton's DHA to operate a central hub for communicating between agencies, while the Australian Passports Amendment (Identity-matching Services) Bill would allow for real-time crime fighting, Foreign Minister Julie Bishop said at the time.

The Bills were introduced as a result of a COAG agreement in October to formulate a national system for biometric matching.

"This is not accessing photo ID information that is not currently available ... these are all available to law-enforcement agencies now and have been for many years, if not for generations," Prime Minister Malcolm Turnbull had said.

"It shouldn't take seven days to be able to verify someone's identity or seek to match a photograph of somebody that is a person of interest. It should be able to be done seamlessly in real time."

PREVIOUS COVERAGE