Australia – Digital ID Law

Domestic law and policy

The cornerstone of Australia’s digital ID system is the Digital ID Act (2024), which, along with the Digital ID (Transitional and Consequential Provisions) Act (2024), establishes the legislative basis for the Australian Government Digital ID System (AGDIS).[27] The Digital ID Act is a legislation to ensure the safe use of digital ID systems from accredited digital ID providers. The operation of the Digital ID Act is supported by “Accreditation Rules, Accreditation Data Standards, Digital ID Rules and AGDIS Data Standards (the rules and standards)”.[28] Digital ID of an individual in the law is defined as, “a distinct electronic representation of the individual that enables the individual to be sufficiently distinguished when interacting online with services.”[29]The legislative framework does not establish a linkage between digital ID and citizenship, as proving citizenship is not a prerequisite for obtaining a digital ID.[30]

Data Protection

Data privacy in Australia is governed through multiple legislations at federal, state, and territory levels. These include federal Privacy Act (1988) as well as the Australian Privacy Principles (APP) contained in the Privacy Act.OAIC, [31] The Act was amended in 2024 through the Privacy and Other Legislation Amendment Act (Privacy Amendment Act), which will primarily come into effect in 2025.[32] There are also other reforms in the Privacy Amendment Act scheduled for this year.[33] Strong safeguards, in particular on privacy and security, are established in both the Digital ID Act as well as the Privacy Act which provides for penalties for accredited providers, in case they do not comply with government set standards of accessibility, usability, privacy, etc.[34]

The Privacy Act also outlines the Australia Privacy Principles (‘APP’), which set standards for the collection, use, and disclosure of personal information by government agencies and certain private sector organizations as well as creates obligations around an organisation’s “governance and accountability, integrity and correction of personal information, and the rights of individuals to access their personal information”.[35] Australia initially leaned toward a centralised approach.[36] However, there were significant concerns raised by civil society on centralisation, considering all of the collected data was meant to be stored on a central system, making it more vulnerable to data breaches.[37] A centralised model beyond breaches would also have been exposed to ‘function creep’, which creates conditions for an agency to use data for purposes not aligned with what the data was collected for, resulting in potential grounds for surveillance, profiling, etc.[38] This led to Australia creating a federated identity ecosystem of digital ID, which allows for decentralisation of data, securing it further and creating fair competition.[39]

Further, unlike Europe’s General Data Protection Regulation, the Privacy Act doesn’t give people strong personal rights over their data. For example, an individual does not have the right to erase their data.[40] They also do not have the right to object if their data is being used in a way they disagree with and cannot easily move their data to another service (no “data portability”).[41] There is also further flexibility and risk of abuse in digital ID systems as the Privacy Act only states that data should be collected by “fair and lawful means” and for a purpose related to the organisation’s work, unlike the GDPR which requires a clear legal basis for each use of data (like consent or public interest).[42] Positively, the Digital ID Act mentions that law enforcement agencies cannot access information without a warrant or unless they have explicit consent from the individual to do so.[43] The Privacy Act also provides for strict obligations against handling and collecting certain sensitive information (such as a person’s sexual orientation or political opinions) and also requires explicit consent of the digital ID holder to share that information with external AGDIS entities.[44] In case there are concerns related to privacy, a complaint can be filed against the digital ID company.[45] If the issue continues to persist, one can contact the Australian Information Commissioner and lodge a complaint by filling out the privacy complaint form, in accordance with the Privacy Act, 1988.[46]

International Commitments

Australia is also a signatory to several key international human rights treaties, such as the ICCPR, CERD, CRC, CEDAW, CRPD, among others. These treaties place binding responsibilities on Australia that are relevant to the right to nationality and the protection of stateless individuals. Notably, these obligations “apply to all individuals within Australian territory”, including non-citizens and stateless persons.[47] Australia has not ratified any other specific treaty or legislation in relation to digital ID, aside from committing to the Sustainable Development Goals, more particularly SDG 16.9 which have come to be synonymous with ensuring legal identity for persons in a digital format.[48] Furthermore, as an OECD member, Australia claims to be committed to aligning its digital services (including digital identity) with OECD’s Recommendation of the Council on Digital Government Strategies (2014) and later guidelines.[49] They prioritise inclusion, minimising barriers to access digital identity, interoperability and openness, data minimisation and privacy. OECD,[50]

References
28.^
Australian Government, ‘What Is the Digital ID Act 2024 | Digital ID System’ https://www.digitalidsystem.gov.au/what-is-digital-id/digital-id-act-2024 accessed 13 May 2025.
29.^
Section 9, Digital ID Act 2024.
31.^
‘Australian Privacy Principles’ (OAIC, 10 March 2023) https://www.oaic.gov.au/privacy/australian-privacy-principles accessed 14 May 2025.
32.^
Parliament of Australia, ‘Privacy and Other Legislation Amendment Bill 2024’ (ParlInfo) https://parlinfo.aph.gov.au/parlInfo/search/display/display.w3p;query%3DId%3A%22legislation%2Fbillhome%2Fr7249%22;rec=0 accessed 19 May 2025.
33.^
DLA Piper, ‘Data Protection Laws in Australia’ (20 January 2025) https://www.dlapiperdataprotection.com/index.html?t=law&c=AU accessed 13 May 2025.
35.^
OAIC, ‘Australian Privacy Principles’ (OAIC, 10 March 2023) https://www.oaic.gov.au/privacy/australian-privacy-principles accessed 14 May 2025.
36.^
Ashish Nanda, Jongkil Jay Jeong and Robin Doss, ‘Australia’s New Digital ID Scheme Falls Short of Global Privacy Standards. Here’s How It Can Be Fixed’ (The Conversation, 29 October 2024) http://theconversation.com/australias-new-digital-id-scheme-falls-short-of-global-privacy-standards-heres-how-it-can-be-fixed-241797 accessed 7 May 2025.
37.^
Ashish Nanda, Jongkil Jay Jeong and Robin Doss, ‘Australia’s New Digital ID Scheme Falls Short of Global Privacy Standards. Here’s How It Can Be Fixed’ (The Conversation, 29 October 2024) http://theconversation.com/australias-new-digital-id-scheme-falls-short-of-global-privacy-standards-heres-how-it-can-be-fixed-241797 accessed 7 May 2025.
38.^
Michelle Falstein, NSW Council for Civil Liberties, ‘Digital ID Bill and Digital ID Rules’ (10 October 2023).
39.^
‘Australia’s Digital ID System | Department of Finance’ https://www.finance.gov.au/government/australias-digital-id-system accessed 15 May 2025.
40.^
OneTrust DataGuidance and Mills Oakley, ‘Comparing Privacy Laws: GDPR v. Australian Privacy Act’.
41.^
OneTrust DataGuidance and Mills Oakley, ‘Comparing Privacy Laws: GDPR v. Australian Privacy Act’.
42.^
OneTrust DataGuidance and Mills Oakley, ‘Comparing Privacy Laws: GDPR v. Australian Privacy Act’.
43.^
Section 49, Digital ID Act 2024.; Nikhil Dutta and Shabnam Mojtahedi, ‘Navigating the Risks and Rewards of Digital ID Systems’ (Open Government Partnership, 26 March 2024) https://www.opengovpartnership.org/stories/navigating-the-risks-and-rewards-of-digital-id-systems/ accessed 7 May 2025.
44.^
Emma Croft, ‘Australia to Implement Landmark National Digital ID System’ (Bird & Bird, 6 July 2024) https://www.twobirds.com/en/insights/2024/australia/australia-to-implement-landmark-national-digital-id-system accessed 15 May 2025.
45.^
Emma Croft, ‘Australia to Implement Landmark National Digital ID System’ (Bird & Bird, 6 July 2024) https://www.twobirds.com/en/insights/2024/australia/australia-to-implement-landmark-national-digital-id-system accessed 15 May 2025.
46.^
OAIC, ‘Lodge a Privacy Complaint with Us’ (OAIC, 10 March 2023) https://www.oaic.gov.au/privacy/privacy-complaints/lodge-a-privacy-complaint-with-us accessed 14 May 2025.
47.^
AnnMaree Murray, ‘Statelessness in Australia’ (Melbourne Law School, 24 January 2025) https://law.unimelb.edu.au/centres/statelessness/education/factsheet/statelessness-in-australia accessed 14 May 2025.
48.^
‘Australia: Sustainable Development Knowledge Platform’ https://sustainabledevelopment.un.org/memberstates/australia accessed 15 May 2025.
49.^
OECD, ‘OECD/LEGAL/0491 Recommendation of the Council on the Governance of Digital Identity’ (OECD Legal Instruments, 2023) https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0491 accessed 15 May 2025; OECD, ‘OECD/LEGAL/0406 Recommendation of the Council on Digital Government Strategies’ https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0406 accessed 15 May 2025.
50.^
‘OECD/LEGAL/0491 Recommendation of the Council on the Governance of Digital Identity’ (OECD Legal Instruments, 2023) https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0491 accessed 15 May 2025; OECD, ‘OECD/LEGAL/0406 Recommendation of the Council on Digital Government Strategies’ https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0406 accessed 15 May 2025.
Footer design