Law-making in democracies in essence is about brute force – the Government exercising the will of the majority, which it more politely calls its mandate.
This exercise of power usually doesn’t require consultation and taking into account diverging views when developing new laws. In the federal administration, the Parliamentary Drafters operate within a special sealed bubble within the Canberra bubble, instructed by government departments preparing drafting instructions that reflect what the Government says it wants legislated.
That drafting bubble, and the drafts circulating within it, is seldom exposed to public scrutiny. Government departments often consult with some interested stakeholders in development of policy. The statement of policy then generated will then guide preparation of the drafting instructions that are passed by the department to the Parliamentary Drafters. Drafting instructions and draft bills are rarely circulated for comment by interested stakeholders or civil society organisations. If any outsiders are invited into the bubble, the invitees will usually only be a small circle of trusted confidants to the government of the day. Exposure or working drafts of bills, common in some other democracies, remain the exception rather than the norm in Australia. Australian Governments like control and predictability. Exposing Government’s intentions to scrutiny is usually seen as antithetical to Government controlling the agenda. Government departments and agencies understand the zeitgeist: they rarely push their Minister to open up the legislative drafting process. As a result, we often end up with sub-optimally drafted bills entering the Parliament. The best public servants and the best Parliamentary Drafters can’t foresee and draft a bill to address all concerns that the Government might actually wish to address – if the Minister, contrary to form, is willing to run the perceived political risk and open up and ask.
Of course, it is not quite that straightforward.
Federal Governments of the last decade in Australia have to take into account the cross-benchers in the Senate.
Governments also need to ensure that a Bill doesn’t create so much noise from the opposition and in the media that the Government itself is imperilled in the electorate.
However, that is about as far as building consensus before introducing bills into the Parliament usually goes.
Enter from stage left the villain and random disrupter of 2020, COVID-19, and from stage right, its would be vanquisher, the COVIDSafe app and the Privacy Amendment (Public Health Contact Information) Bill 2020.
The Morrison Government’s mission in legislating in support of the COVIDSafe contact tracing app was simple and clear: get take-up the COVIDSafe contact tracing app by Australian mobile phone users as far above 40% as reasonably possible, and provide users with every incentive not to then ‘go dark’ by failing to keep the app active (and in the case of the IoS (Apple) app, in foreground).
Fulfilment of this task required the Government to placate, if not satisfy, pesky human rights lawyers and privacy advocates – a constituency that many ‘in the Canberra bubble’ think can never can be satisfied.
It also required building trust within of a large segment of citizens that don’t trust apps, the government, law enforcement agencies, telcos, global data platforms, foreign spies, intelligence organisations, 5G (which caused all of this, of course), the neighbours, or whomever or whatever else. That digital trust is hard won and easily lost. Federal Governments to date have been pretty woeful at nurturing digital trust. Mandatory decryption, Robodebt, Censusfail, and MyHealth Record mandatory opt-in, are poster children in how governments can readily erode digital trust.
And this task requires persuading Australian citizens to opt-in to sharing mobile phone data, which anyone who has thought about data for more than five minutes knows can be an open window into our innermost lives: what we do, think, read, say, write or feel, with whom we do any of those things, and where, when and by inference why we do them.
The Morrison Government and the sponsors of the Bill, the federal Attorney-General’s Department accordingly faced yet another a novel challenge in its fight against novel coronavirus: completing, at running speed, an uphill slog of crafting law that created a good behavioural nudge for a sizeable and sceptical segment of the population that needed to be brought onboard to make the COVIDSafe app useful.
The task was only fulfilled by finding a new course up the mountain.
First, government needed to agree to keep the sticky beaks of law Federal, State and Territory enforcement agencies, courts and other busybodies, well-meaning or malevolent, out of COVIDSafe data, by express prohibition in a bill sponsored by AGD, the department overseeing most law enforcement agencies.
This also required the Federal Government to ‘cover the field’, finding and exerting Constitutional authority to exclude inconsistent State and Territory laws. Unfamiliar territory for urgent legislation.
Second, the legislation needed to state that third parties, such as employers and operators of semi-public spaces, could no’t impose a requirement that individuals demonstrate their use of the app and thereby undermine the user consent.
Third, the responsible Federal authority needed to agree to take end-to-end responsibility for management of COVIDSafe app data on the mobile phones and that data as it passed all the way through to the State or Territory contact tracer.
Every government authority dislikes assuming responsibility for acts and omissions of others, even when those others act under the authority’s direction and control and handle data within data ecosystems created and managed by the authority. If something goes wrong, the Government authority has no deniability and will be held to account. However, with great data power should come great responsibility: the bill imposed that responsibility.
Fourth, responsibility means little without accountability and oversight. The Government’s mission required a law whereby the responsible Federal agency took on accountability, implemented controls and safeguards (including functional separation) and exposed itself to independent oversight. Together, these are the kinds of demonstrable organisational accountability that Australian Governments (and Royal Commissions) now expect for handling by private sector organisations of sensitive and personal information about individuals. However, Governments have proven stubbornly resistant to accepting as necessary legislated controls on what government departments and agencies do and how they do it. Sometimes public servants drafting instructions for a bill are openly scornful of suggestions that it would be reasonable to include in the legislation controls that have the effect of stating in law as prohibited precisely what the Government is saying its departments and agencies have no intention of ever doing.
So novel coronavirus has delivered a novel case of an Australian government agency recognising that it couldn’t just say, trust us, we only want this data for the purpose that we have told you we want it for, and also trust us, we’ll keep this data safe from all other arms of governments (Federal, State and Territory), and courts, who might want this data for other purpose.
By a promoting a bill that ultimately incorporated these features, albeit not perfectly, the Morrison Government and the federal Attorney-General’s Department endeavoured to demonstrate that they should be gifted digital trust in the COVIDSafe app by a sceptical segment of citizens who collectively held in their hands the power to withhold that gift.
All in all, the Federal Government and AGD rose to that challenge. They listened to some of those pesky privacy advocates and rights lawyers, among others, and took into account a fair bit of what they had to say.
Will we see a reprise of this newly consultative process and legislating for demonstrably good data governance and data accountability by government agencies?
Maybe.
If so, that would be one of those few excellent things to come out of this very bad crisis.
Peter Leonard, Principal, Data Synergies and Professor of Practice (IT Systems and Management and Business Law), UNSW Business School