Even if the government has the best intentions in this instance, it doesn’t matter. They have already created a set of laws that clearly dictate that this app and this data can be used however intelligence communities desire.
They have burned all goodwill and trust with the public. It doesn’t matter what they say today unless they repeal AABill etc. Otherwise they’re just saying empty words.
Interpreting legislation without any common law / precedent is difficult. However, as a general rule, if there are two laws that are conflicting (such as previous anti-privacy laws vs the proposed safeguards), the most recently enacted law applies, especially if it is specific. So while I’m by no means a fan of the erosion of privacy that this government has done previously, the proposed safeguards would be effective and not just empty words (at least legally speaking). Also I’m being pedantic, but you repeal Acts, not bills. A Bill is proposed legislation that isn’t law yet.
> So while I’m by no means a fan of the erosion of privacy that this government has done previously, the proposed safeguards would be effective and not just empty words (at least legally speaking).
Currently, they are empty words, legally speaking.
The legal text that contains the safeguards is here [0]. It doesn't have most of the safeguards that Hunt announced. They're a pipedream.
For example, the minister said that even in the event of a crime, the data could not be used. However, two parts combine that show actually, they can.
Firstly, possession, rather than ownership, controls who can upload data:
> A person must not upload COVID app data from a mobile telecommunications device to the National COVIDSafe Data Store except with the consent of the person who has possession or control of the device.
Secondly, whilst there are controls around who can use that data once it has been uploaded, once it is transferred somewhere for that purpose, there are no restrictions around who can access it once it is outside the data store.
That last point is wrong – section 6 of the determination says that “a person must not collect, use or disclose COVID app data” unless it is for one of the whitelisted purposes in subsection (2). COVID app data includes data that “has been” stored on a phone.
If the data is moved, the Data Store is no longer the source, because you're getting that data from a secondary place; it is specifically excluded:
> However, it does not include information obtained, from a source other than the National COVIDSafe Data Store, in the course of undertaking contact tracing by a person employed by, or in the service of, a State or Territory health authority.
> For example, the minister said that even in the event of a crime, the data could not be used. However, two parts combine that show actually, they can.
That's incorrect. The only crime that could be a valid reason for using the data is a breach of the emergency biosecurity laws [6(2)(d)] (also see s477 of the Biosecurity Act 2015 (Cth)).
Two common legal 'tools' are inclusive clauses and exhaustive clauses. An inclusive clause lists examples of what a section of legislation or a contract applies to, but it's not a complete list. You may have seen something like this in an employment contract, where the contract lists out your roles and responsibilities with a list that starts with "including, but not limited to: ". E.g. the items listed definitely apply but there may be other items that are not listed.
Exhaustive clauses are the opposite: if it's not expressly stated in the list, it doesn't apply.
Part 2 limits how the data can be collected and used by using an exhaustive clause, i.e. section 6(2).
Breaking it down, section 6(1) states: 'A person must not collect, use or disclose COVID app data except as provided by subsection (2).' So unless the reason is expressly listed under subsection 6(2), it cannot be used/collected.
Very roughly paraphrasing the reasons in 6(2):
- 6(2)(a): The person is a State/Territory HEALTH official (i.e. not law enforcement) AND the reason is contact tracing only
- 6(2)(b): The person is an employee/officer/contractor of the Health Department or Digital Transformation Agency (DTA) to help a Health employee with contact tracing, or to ensure the app / data store is functioning properly. E.g. devs bug fixing the app, API etc.
- 6(2)(c): Moving encrypted data from a mobile to the CovidSafe database
- 6(2)(d): Investigating an offence of the emergency biosecurity laws
- 6(2)(e): Using data for 'de-identified' statistics
So going back to the grandparent comment, it's not correct to say that the regulation has no effect due to the previous laws that weaken privacy. In fact the wording for the valid uses is refreshingly restrictive. E.g. using '..[for the] purpose of, and only to the extent required for the purpose of' and not just 'for the purpose of' is a cue for the courts to interpret the use case quite restrictively.
With all that said, this may be all well and good in theory, but it remains to be seen if the Government can enforce these restrictions in practice. There are some very valid concerns about that. However, that's for another conversation/thread.
> That's incorrect. The only crime that could be a valid reason for using the data is a breach of the emergency biosecurity laws
You haven't fully understood what I tried to convey. Whilst it is true that the data can only be copied from the data store for a restrictive reason, such as ensuring the security of the data store, once it is outside that store, it is no longer protected by the limitations.
So this sequence of events is possible, and legal:
+ Data store data is taken off site for a legitimate reason, such as validation, by the correct department.
+ The police upload from a suspect's CovidSafe app, as a matter of policy, to help protect the public.
+ The police issue a data request, such as under the recently passed AABill law, from the Health Department.
The protections around the data only refer to it in two ways: App data, when it is on the phone, or when referencing it in regards to the Data Store in Canberra. Once it leaves, it is no longer protected.
The definitions refer to the data in terms of location, if that location changes, then it's out of those protections.
Unless there's something I've missed entirely in the regulation, there's nothing that says the data loses its restrictions once it is moved. Happy to be corrected and pointed to the specific clause, I just don't see it.
Section 3: "COVID app data is data relating to a person that...has been collected or generated through the operation of an app... and is, or has been, stored on a mobile telecommunications device." The data is defined by its origin, not its current location. The protections apply wherever it currently is.
Section 8: "A person must not decrypt encrypted COVID app data that is stored on a mobile telecommunications device"
Using your scenario, part two would be illegal (s8 especially) and the data request in part 3 should be rejected. The bigger problem is that's what _should_ happen. Whether it's enforced is another story...
> Unless there's something I've missed entirely in the regulation, there's nothing that says the data loses its restrictions once it is moved.
It isn't explicitly stated, which is the point. We only have the data defined two ways: In the Data Store, and on a phone. Once downloaded from the Data Store, it is outside the definitions used within the bill.
This statement is the big one:
> However, it does not include information obtained, from a source other than the National COVIDSafe Data Store, in the course of undertaking contact tracing by a person employed by, or in the service of, a State or Territory health authority.
If the data was at one time obtained from the Data Store, but this new location is used as a source, it is no longer under the definitions of the bill.
Is "latest rules" truly what happens? Or if the law explicitly allows X and also explicitly disallows X, then a person would not be convicted, rendering in this case the latest safeguards ineffective?
To say it's complicated is an understatement, there are literally entire books written about it [1]. It's rarely that simple but if one act states X is allowed and another act of the same jurisdiction states the exact opposite (assuming both laws are legally valid), then the most recent law prevails. The principle behind it is that the current parliament/legislature shouldn't be able to restrict what future parliaments make laws on (the exception being the Constitution). Otherwise the government of today could make a law that says 'X is illegal and no law can ever change this'.
Why do you think intelligence agencies stick to the law? Half the stuff the Aussie gov is taking flak for is what GCHQ and the NSA were doing in secret before the public even knew about it.
They have burned all goodwill and trust with the public. It doesn’t matter what they say today unless they repeal AABill etc. Otherwise they’re just saying empty words.