Who’s watching the ‘eyes’? Parliamentary scrutiny of national identity matching laws

For many rights advocates, the thought of relying upon parliamentary committees – in particular, government-controlled parliamentary committees – as a form of rights protection sends a shiver down their spine. ¹ Without judicial oversight or enforcement of human rights standards, reliance on parliamentary scrutiny as a safeguard against unjustified legislative interference with individual rights and liberties seems naïve and optimistic. However, every now and then the federal parliamentary committee system delivers some surprising results that pull against this orthodox view. In particular, the recent work of the Parliamentary Joint Committee on Intelligence and Security (the PJCIS) offers reason for pause before we completely write off the value of parliamentary rights scrutiny in the face of an Executive-dominated parliamentary system. ²

The PJCIS’s scrutiny of the Identity-matching Services Bill 2019 (Cth) and the Australian Passports Amendment (Identity-matching Services) Bill 2019 (Cth) is a good example of how the PJCIS has the potential to make a significant contribution to parliamentary rights scrutiny at the federal level. These laws – referred to collectively as the ‘Identity Matching Laws’ – aim to set up a national ‘hub’ (administered by the Department of Home Affairs) that would allow facial images and other identity information to be shared across the country. ³ While the regime’s benefits include faster identity matching in times of disaster or national emergency, ⁴ it has been heavily criticised by rights groups as an attempt at ‘mass surveillance’ and an egregious breach of individual privacy. ⁵ Insufficient safeguards and oversight, and lack of clarity around key terms and tests were cited as particularly problematic features of these proposed laws. ⁶ These concerns mirror those identified in the broader academic literature on the use of biometric materials by state agencies for identity matching purposes. ⁷

On 24 October 2019, the PJCIS issued a report that largely acknowledged these concerns, calling for significant changes to the proposed laws to ensure stronger protections for privacy and other safeguards against misuse. ⁸ The PJCIS recommended that, if pursued, the identity-matching regime must be ‘subject to Parliamentary oversight and reasonable, proportionate and transparent functionality’ and should be subject to annual reporting, with key details of the regime set out in primary legislation rather than left to Executive discretion. ⁹ In addition to these recommendations, the PJCIS said that the proposed legislation should not proceedin its current form. ¹⁰ This is a very significant, rights protecting recommendation for a government-chaired, government-majority committee to make, particularly in the context of the membership of the PJCIS (vetted personally by the Prime Minister) and its close relationships with the security agencies. ¹¹ Pulling against the conventional view of the impotence of parliamentary committees as tools for rights protection, the PJCIS appears to have had a significant rights protective impact on the shape of these laws. ¹² By highlighting a range of rights concerns in its consensus bipartisan report, the PJCIS has effectively stopped the proposed legislation from proceeding any further through Parliament (although it remains to be seen whether this is a permanent or a temporary stay).

At this point, it is helpful to take a step back and consider what these identity matching laws are all about, and why they might have significant implications for our individual rights – in particular, the right to privacy.

So, what are the identity-matching laws all about?

As the Bills Digestexplains, ¹³ under the proposed Identity Matching Laws, the Department of Home Affairs is tasked with creating and administering a central ‘hub’ through which requests for identity matching services can be received and actioned, and identity information (including facial imagery) can be shared between government agencies and, in some cases, private organisations. ¹⁴ The scheme gives effect to an agreement reached by the Council of Australian Governments (COAG) in 2017 to facilitate the ‘secure, automated and accountable’ exchange of identity information to help combat identity crime and to promote community safety. ¹⁵ The COAG Agreement (the Agreement) envisages a nationally administered system that could ease the administrative burden on existing departments and agencies, and also help identify individuals in times of disaster or when individuals are reported missing. ¹⁶ The state and territory parties to the Agreement made their support for the regime conditional upon the inclusion of ‘robust privacy safeguards’ to guard against misuse, ¹⁷ and demanded that the safeguards be ‘informed by independently conducted privacy impact assessments’ and developed with assistance from federal and state privacy commissioners to ensure that the resulting scheme appropriately balanced ‘privacy impacts against the broader benefits to the community from sharing and matching identity information’. ¹⁸

Using the Agreement as its authority, the federal government drafted the Identity Matching Services Bill (IMS Bill) to provide the broad framework for the identity matching ‘hub’ through which participating agencies and organisations can request and transmit information, including facial images on drivers’ licences and passports. ¹⁹ It is important to note that access to the identity matching services provided by the ‘hub’ is restricted to prescribed agencies that already have some legal basis for accessing identity-related information. However, much of the detail is left to the Regulations and subsequent intergovernmental agreements, meaning that the range of agencies that can potentially access, share and use this sensitive information is broad and can be extended to private bodies. ²⁰ For example, under the proposed laws, some government agencies would be able to access the identity-matching services for detecting identity fraud and responding to national security concerns, but also for more pedestrian purposes of ‘community safety’ or ‘road safety’ activities. ²¹ Information can also be electronically shared to, and by, private bodies such as telecommunication services providers and banks, subject to certain criteria being met. ²²

Concerns raised with the PJCIS about the identity-matching laws

The Identity Matching Laws contain some safeguards against misuse, including criminal sanctions when an ‘entrusted person’ discloses information for an unauthorised purpose and the requirement of ‘citizens consent’ when authorities are seeking identity-matching services for identity verification purposes. ²³ However, questions have been raised about the extent to which these safeguards would provide practical protection against undue invasions of privacy, particularly where consenting to identity matching is ‘bundled’ with other matters, such as requests for government services. ²⁴

Legal bodies have also raised concerns about the ‘framework approach’ to drafting the Identity Matching Laws that gives the regime a broad and uncertain scope, the precise contours of which will only be determined by subsequent Executive action. ²⁵ For example, it is not clear from the proposed Bills exactly which government officials can access identity-matching services and for what purpose. ²⁶ This is particularly problematic when coupled with the dynamic increases in the ‘collection points’ for facial imagery such as CCTV in a growing number of Australian streets, parks and transport hubs.

Other submission makers, such as the Human Rights Law Centre, said that the proposed Australian scheme has features that were ‘more draconian’ than those employed within the UK scheme, and noted that the Australian scheme could be used by a wide range of agencies to confirm the identity of any Australian with government-approved documentation (such as a passport or driver’s licence) regardless of whether or not they are suspected of a crime. ²⁷ The Australian Human Rights Commission also pointed to research suggesting that the software used to capture or match facial imagery could be biased towards certain racial or gender groups. ²⁸

In addition to these non-government actors, the ACT and Victorian governments have both stated that the IMS Bill goes beyond the scope of the COAG Agreement, primarily due to the insufficient safeguards to protect privacy and the lack of endorsement by the full range of state and territory Privacy Commissioners. ²⁹ As noted above, these concerns were largely acknowledged by the PJCIS in its report into the Identity Matching Laws, and reflected in their recommendations to prevent the Bills from moving forward – at least until they have been substantially redrafted to improve privacy protections, agency accountability and transparency.

What next?

When handing down the Committee’s unanimous report, Committee Chair Andrew Hastie MP said that, although the broad objectives of the identity-matching scheme were sound, key changes were needed to provide a stronger focus on privacy and transparency. ³⁰ This includes stricter reporting and oversight requirements for the collection, use and sharing of identity information, and taking a second look at the concept of ‘citizen consent’. ³¹ The states and territories also have an interest in ensuring that a national identity-matching scheme gets the balance right when it comes to addressing identity crime and assisting law enforcement and protecting individual privacy. The question is whether or not these strong calls for improvements will be loud enough to put these laws permanently back on the drawing board. At least in the short term, it looks like they are going nowhere fast.

This suggests that, despite the position adopted by many rights scholars who have good reason to be sceptical about the effectiveness of Australia’s parliamentary model of rights protection, the PJCIS is capable of drawing attention to proposed laws that breach individual rights and of taking decisive action to at least improve the compatibility of proposed national security laws with human rights standards. In fact, an early analysis of the PJCIS’s legislative review activity from its establishment in 2005 until the end of 2017 suggest that it enjoys a nearly 100 per cent strike rate when it comes to translating its recommendations into legislative amendments. ³² Interestingly, this research also suggests that the vast majority of the PJCIS’s recommendations are rights-enhancingin nature – that is, the Committee’s recommendations improve the proposed laws compliance with international human rights standards, even if they do not completely remedyor removeany impact on individual rights. ³³

Whether the PJCIS can maintain this level of influence and impact in the face of an increasingly ‘tribal’ political culture remains to be seen, and stress fractures may be apparent in the form of departures from the previously regular practice of the PJCIS to issue consensus-only reports. ³⁴ Regardless of these developments, the PJCIS remains an important Committee for rights advocates to watch – and its membership, functions and approach to legislative scrutiny offer important lessons for those contemplating more significant structural reform of Australia’s parliamentary model of rights protection at the federal level.