

The Australian government launched the COVIDSafe mobile phone application on April 26, 2020. The app uses Bluetooth signals to record a user’s contacts with other users and saves the encrypted information on their phone; it does not record location information. The contact data of a user who tests positive for COVID-19 can be uploaded to a central storage system and accessed by state and territory authorities as part of their contact tracing processes. The app is voluntary to download and users must grant permission for their data to be uploaded. The most recent figures available show that around 23% of Australians have downloaded the app.

The collection, use, and disclosure of personal information by various entities in Australia is primarily governed by the Privacy Act 1988 (Cth). This Act applies to federal government agencies and to entities with annual revenues over a certain threshold. In addition, most states and territories have privacy and health information laws that apply to state and territory government agencies and public-sector health service providers. The use and disclosure of telecommunications and related data by mobile phone carriers, including for purposes of law enforcement and national security, is governed by specific legislation. The laws include requirements to retain certain data about telecommunications and to provide assistance to relevant government entities, including in relation to encrypted information.

At the time of its launch, use of the COVIDSafe app and the data collected were subject to a privacy policy and a determination that set out various privacy protections and prohibited people or organizations from coercing others to download or use the app. On May 15, 2020, a bill that replicated and extended those rules and protections was enacted. The bill inserted a new part into the Privacy Act 1988 (Cth) that, for example, defines the data that is collected by the app; contains rules and offenses regarding access to and use of that data; provides for oversight, complaint processes, and reporting requirements related to the app; and sets out a process for determining the end of the data period, at which point data stored in the central system will be deleted.

The COVIDSafe legislation excludes the application of other Australian laws that might allow data to be accessed, including the telecommunications laws referred to above, meaning that the data collected by the app cannot be accessed by law enforcement or national security agencies. However, some commentators remain concerned that agencies in the United States may be able to gain access to the data pursuant to the CLOUD Act because the central storage system is hosted in Australia by Amazon Web Services, a US company. They argue that the reciprocal agreement currently being negotiated between Australia and the US should specifically exclude COVIDSafe app data.

I. Introduction

The Commonwealth of Australia is a federation of six states. In addition, two mainland territories have been granted a limited right of self-government and are often treated in a similar way to states: the Australian Capital Territory and Northern Territory.[1] Under the country’s constitutional structure and relevant laws, plans, and arrangements,[2] the states and territories have primary responsibility for a range of public health measures related to responding to the COVID-19 pandemic, including testing and contact tracing, physical distancing requirements, and travel restrictions between jurisdictions.[3] National coordination mechanisms involve the federal Department of Health and the Australian Health Protection Principal Committee (AHPPC), while federal government responsibilities include national border measures, acquisition and distribution of certain supplies, and the country’s economic response to the pandemic.[4]

As of May 22, 2020, a total of 7,095 confirmed cases of COVID-19 had been reported in Australia, including 101 deaths.[5] The country’s response to the pandemic has been recognized internationally for its ability to restrict the outbreak and resulting deaths,[6] with an infection rate of around 280 per million people and a fatality rate of four per million people.[7]

On April 26, 2020, the federal government launched a mobile phone application, COVIDSafe, that records contacts between individual users through the use of Bluetooth wireless signals.[8] The app is available nationwide for voluntary download on both iOS and Android operating systems and the data can be accessed by state and territory authorities to supplement existing contact tracing processes.[9] The app was developed by the Digital Transformation Agency, which had made two updates to the app as of May 18, 2020.[10] On launching the app, the Prime Minister stated that “[t]he Chief Medical Officer’s advice is we need the COVIDSafe app as part of the plan to save lives and save livelihoods.  The more people who download this important public health app, the safer they and their family will be, the safer their community will be and the sooner we can safely lift restrictions and get back to business and do the things we love.”[11]

Within just over 24 hours after the app was launched, two million Australians, or around 8% of the population, had downloaded the app.[12] On May 20, 2020, the Minister for Health stated that there had been 5.9 million downloads of the app,[13] which equates to around 23% of the total population.  According to a national survey conducted by consulting company Deloitte in 2019, 91% of Australians have a smartphone device.[14]

At the time the app was first launched, the Minister for Health issued a determination containing certain rules and restrictions regarding the use of the collected data and prohibiting anyone from coercing others to download or use the app. Subsequently, on May 4, 2020, the government published draft legislation to replace and extend the rules in the determination.[15] The final bill was introduced in the federal Parliament on May 12, 2020. It was passed on May 14, 2020, and received assent on May 15, 2020.[16]

II. Legal Framework

A. Privacy and Data Protection

The federal Privacy Act 1988 (Cth) applies to most federal government agencies and to private-sector organizations with an annual revenue of more than AU$3 million.[17] The Act includes 13 Australian Privacy Principles (APPs), which govern standards, rights, and obligations related to the collection, use, and disclosure of personal information, among other matters.[18] For example, APP 6 requires that APP entities only use or disclose personal information for a purpose for which it was collected (“primary purpose”) and not for another purpose (“secondary purpose”), unless the individual has either consented to the secondary use or disclosure of the information or an exception applies.

Exceptions include, for example, where the secondary use or disclosure is authorized by or under an Australian law or court order,[19] where a “permitted general situation” exists (including where the use or disclosure is necessary to lessen or prevent a serious threat to life, health, or safety of any individual, or to public health and safety),[20] and where a “permitted health situation” exists (including where the use or disclosure is necessary for research relevant to public health or public safety, or for the compilation or analysis of statistics relevant to public health or safety).[21] The Act also contains additional specific provisions related to health information that apply to all private-sector health service providers in Australia.[22]

The government may declare a national emergency or disaster under the Privacy Act.[23] When such a declaration is in effect, an entity may collect, use, or disclose personal information relating to an individual involved in the emergency or disaster, where such dealing with the information is for a permitted purpose in relation to the emergency or disaster.[24] These provisions were most recently applied in early 2020 in the context of the Australian bushfires; no declaration has been made with respect to the COVID-19 pandemic.[25]

The Office of the Australian Information Commissioner (OAIC) is responsible for various privacy functions, including receiving complaints and investigating possible breaches of the Privacy Act.[26] Several other federal laws also relate to privacy, including the telecommunications laws discussed below.[27] In addition, most states and territories have privacy and health information laws that apply to state and territory government agencies and public-sector health service providers, and every jurisdiction has a dedicated commissioner or committee to handle complaints about privacy breaches.[28]

The OAIC has issued privacy guidance for public- and private-sector entities in relation to responding to the COVID-19 pandemic.[29] It has also convened a “National COVID-19 Privacy Team,” consisting of the Australian Privacy Commissioner and state and territory privacy regulators, “to respond to personal information handling proposals with national implications.”[30]

B. Data Retention and Location Tracking

1. Use and Disclosure of Information under the Telecommunications Act 1997

The Telecommunications Act 1997 (Cth) contains provisions related to the use and disclosure of personal information by “carriers” (entities holding a carrier license for the provision of the infrastructure on which carriage and content services are provided to the public) and “carriage service providers” (providers of phone and/or internet services to the public).[31] This specifically includes “location information” with respect to mobile phones and other mobile communications devices.[32]

Under the Act, the disclosure or use of protected information is allowed in limited circumstances, including where it is required or authorized under a warrant or by or under law,[33] where there are reasonable grounds for believing that disclosure or use of the information “is reasonably necessary to prevent or lessen a serious and imminent threat to the life or health of a person,”[34]  and disclosure to an emergency management person “for a purpose connected with persons being alerted to an emergency or likely emergency.”[35] Disclosures in these circumstances are deemed to be authorized by the Privacy Act.[36]

The Act also requires that carriers and carriage service providers give authorities “such help as is reasonably necessary” for the purposes of enforcing the criminal law and laws imposing pecuniary penalties, protecting the public revenue, and safeguarding national security.[37]

2. Access to Telecommunications for National Security or Law Enforcement Purposes

The Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act) sets out the rules and procedures that enable government agencies to lawfully intercept or access telecommunications and related data for national security or law enforcement purposes.[38] It includes provisions on, for example, warrants authorizing the Australian Security Intelligence Organisation (ASIO)  to intercept communications;[39] emergency requests authorizing officers of a carrier to intercept communications where a person is dying or seriously injured;[40] warrants authorizing law enforcement agencies (including at the state level) to intercept communications;[41] dealing with intercepted information;[42] the preservation of stored communications held by a carrier; access to stored communications pursuant to warrants issued to ASIO and criminal law enforcement agencies; and permitted dealings with accessed information.[43]

3. Data Retention Requirements

The TIA Act includes data retention provisions under which telecommunications companies are required to “retain a particular set of telecommunications data for at least 2 years.”[44] The required data involves information about communications, such as when an email was sent and the relevant email addresses, rather than the content or substance of communications.[45] The Act specifically requires the retention of information regarding “[t]he location of equipment, or a line, used in connection with a communication.”[46] Service providers are required to protect the confidentiality of such information by encrypting it and protecting it from unauthorized interference or access.[47]

Enforcement agencies, including state and territory police, may access telecommunications data for criminal law enforcement purposes and for the enforcement of laws imposing a pecuniary penalty.[48] Service providers may also voluntarily disclose such data when reasonably necessary for the enforcement of criminal law.[49]

The OAIC “has a range of powers and obligations in regards to the administration” of both the Telecommunications Act and the TIA Act, including monitoring compliance with the record-keeping requirements related to disclosures of personal information and oversight of the handling of data collected under the data retention provisions.[50]

4. Access to Encrypted Information

Following amendments passed in 2018,[51] the Telecommunications Act 1997 (Cth) and the TIA Act contain provisions that seek to address “law enforcement and intelligence agencies’ challenges with the evolution of the communications environment, including the growth of encrypted communication.”[52] These include provisions aimed at enhancing industry cooperation with the relevant agencies and enhancing agency computer access powers to “improve the ability of agencies to operate around encryption without undermining it.”[53] This includes provisions related to “technical assistance requests,” “technical assistance notices,” and “technical capability notices.”[54]

5. Other Federal and State/Territory Surveillance Laws

Other federal laws relevant to the ability of government agencies to access information held by mobile carriers include the Surveillance Devices Act 2004 (Cth),[55] Australian Security Intelligence Organisation Act 1979 (Cth),[56] and Crimes Act 1914 (Cth).[57] There are also laws at the state and territory level related to the use of surveillance and listening devices, including “tracking” devices. According to one law firm, writing about the possible use of location data or apps in the context of the COVID-19 pandemic,

[i]n general terms, surveillance legislation in NSW, NT, SA and WA prohibits the installation, use or maintenance of a tracking device to determine the geographical location of a person or thing without the express or implied consent of the person. The prohibitions are targeted at individuals and corporations and carry criminal penalties.

Mobile location data, which is collected by mobile carriers, operating systems and apps, would likely not fall within the scope of these prohibitions given the prohibitions are targeted at the installation, use or maintenance of a tracking device without a person’s consent. Mobile phone users would likely have either expressly consented or be considered to have impliedly consented to the use of mobile location services, through use of specific location-based services (in apps or IoT devices) or through use of a mobile network.

Further still, the prohibitions in the relevant instruments are subject to a number of exceptions which vary from state to state and include the installation, use or maintenance in accordance with a law of the Commonwealth. There is scope in a number of Commonwealth Acts for the exercise of various powers to permit the disclosure of mobile location data, including under the Telecommunications Act 1997 (Cth) and the Biosecurity Act 2015 (Cth). . . .[58]

6. Public Health and Disaster Legislation

Legislation related to public health responses to epidemics or pandemics, including the Biosecurity Act 2015 (Cth),[59] the National Health Security Act 2007 (Cth),[60] and state and territory public health laws[61] and disaster or emergency laws,[62] does not appear to contain specific provisions on the use of mobile phone traffic and location data for the purposes of contact tracing or otherwise responding to a pandemic. However, the Biosecurity Act allows the federal health minister to make a determination requiring that various measures be taken by specified classes of persons in order to prevent a listed human disease from entering, emerging, establishing itself, or spreading within Australia.[63] Such measures include “requiring a behaviour or practice” and “requiring a specified person to provide a specified report or keep specified records.”[64] In addition, the Act provides that “an individual may be required by a human biosecurity control order to wear either or both specified clothing and equipment that is designed to prevent a disease from emerging, establishing itself or spreading.”[65] It does not appear that these provisions have been utilized in implementing electronic measures in response to the COVID-19 pandemic.

A “human biosecurity emergency” declaration regarding “human coronavirus with pandemic potential” was made by the government on March 18, 2020.[66] The declaration “gives the Minister for Health expansive powers to issue directions and set requirements in order to combat the outbreak” and “is the first time these powers under the Biosecurity Act have been used.”[67]

Under the National Health Security Act, “the Australian government is authorised to exchange public health surveillance information (including personal information) between the states and territories and the World Health Organisation (WHO). State and territory governments are also responsible for collecting surveillance data to contribute to the national picture and to inform the jurisdictional public health response.”[68]

III. Electronic Measures to Fight COVID-19 Spread

A. Use of Anonymized Location Data

According to news reports from early April 2020, Vodafone Australia had provided, on request, “the mobile phone location data of several million Australians in an anonymised and aggregated form to the federal and NSW [New South Wales] governments to monitor whether people are following social distancing restrictions amid the coronavirus pandemic.”[69] In addition, “governments, medical experts and the media have used location data from transport apps such as CityMapper, which shows how people move throughout cities like Sydney and Melbourne using public transport, in an attempt to determine whether people’s movement has reduced.”[70]

One law firm notes that, if sufficiently anonymized, “data about people movements may not qualify as personal information within the meaning of the Privacy Act.”[71] However, it further states that “overseas experience shows how readily geo-location data can be reverse processed to re-identify individuals.”[72]

An NSW government minister stated that NSW would “absolutely not” use telecommunications data to enforce isolation by checking on whether people were leaving their premises.[73]

B. Use of Mobile Data in Contact Tracing

According to news reports, South Australia’s health department had “used an Apple iPhone’s inbuilt location services in a bid to trace the historical movements of a couple diagnosed with coronavirus” in February.[74] A spokesperson for the department said that this involved unique circumstances, and that the couple had volunteered their phones to police who worked with the chief public health officer to analyze the data.[75]

Apart from this instance, it has been reported that no jurisdictions are using an individual’s mobile phone data for contact tracing purposes, with health departments relying mainly on questionnaires in their efforts to locate individuals with whom a person who tested positive for COVID-19 had interacted in the previous 14 days.[76]

In late March, it was reported that Victoria’s health department was to start using a cloud-based messaging platform, Whispir, to “regularly interact with those who have come into close contact with someone who has contracted COVID-19” and that the platform would “also be used to enforce self-isolation for Victorians who have confirmed cases of the virus.”[77] According to Whispir, “[r]ecipients will be required to respond to the communications issued by the DHHS ‘contact tracing’ team by answering a series of questions, including recent activities, health and quarantine status.”[78]

C. Australian Government’s Coronavirus Information App

At the end of March 2020, the Australian government released the “Coronavirus Australia” app to provide users with “official information and advice” about the COVID-19 pandemic in Australia.[79] It includes a “symptom checker” feature that asks for a person’s gender, age, and confirmation of symptoms. There is also an “isolation registration” option through which a person provides their location, name, phone number, age, gender, number of people in their household, and date their isolation commenced.[80] The app reportedly includes a privacy policy related to the isolation registration option, which states that “[t]he Commonwealth Department of Health will share the information with other Commonwealth agencies and the state and territory government agencies as appropriate.”[81] Other general Department of Health privacy policies also potentially apply to the app.[82]

D. COVIDSafe App

1. How It Works

a. Overview

The Department of Health explains that, upon downloading the COVIDSafe app, users provide their name, mobile number, and postcode, and select their age range. The user is sent a confirmation SMS text message to complete the installation of the app. The system “then creates a unique encrypted identifier” for the user.[83] The app uses Bluetooth to record a user’s contacts with others who have also installed the app:

COVIDSafe recognises other devices with the COVIDSafe app installed and Bluetooth enabled. When the app recognises another user, it notes the date, time, distance and duration of the contact and the other user’s reference code. The COVIDSafe app does not collect [the user’s] location.[84]

The information collected by the app is encrypted and “that encrypted identifier is stored securely” on the user’s phone--even the user cannot access it.[85] The information stored on the phone “is deleted on a 21-day rolling cycle.”[86]

A “frequently asked questions” document further explains that “[w]hen two (or more) app users come into close proximity their phones exchange Bluetooth signals and make a series of ‘digital handshakes’,” and that “[t]he proximity for a close contact is approximately 1.5 metres, for a period of 15 minutes or more.”[87] It appears that health officials are able to discern close contacts through technical processes that apply in the storage system: “A filtering process on the highly secure information storage system separates information that meets the close contact requirements and makes it available to the relevant state and territory health officials.”[88]

When an app user tests positive for COVID-19, state and territory health officials ask them about who they have been in contact with. If the user provides permission, “the encrypted contact information from the app will be uploaded to a highly secure information storage system.”[89] The officials will then

  • use the contacts captured by the app to support their usual contact tracing
  • call people to let them or their parent/guardian know they may have been exposed
  • offer advice on next steps, including:
    • what to look out for
    • when, how and where to get tested
    • what to do to protect friends and family from exposure

Health officials will not name the person who was infected.[90]

Users will be prompted to delete the app at the end of the pandemic in Australia, thereby deleting all app information from their phones. In addition, “information contained in the information storage system will also be destroyed at the end of the pandemic.”[91]

The FAQs document states that “[t]he app cannot be used to enforce quarantine or isolation restrictions or any other laws” and “Commonwealth and state/territory law enforcement agencies will not be allowed to access any information from the app, unless investigating misuse of that information itself.”[92]

b. Privacy Policy

The privacy policy for the app, which has been published online, explains what personal information is collected, why it is being collected, how it is collected, how it will be stored, and how it will be used and disclosed, as well as the process for deleting personal information and for a person to access or correct their information; the contact data that the app will record (being “(1) the encrypted user ID, (2) date and time of contact and (3) Bluetooth signal strength of other COVIDSafe users with which you come into contact”); the generation of encrypted user IDs every two hours and the logging of these IDs in the National COVIDSafe data store; the fact that no location data will be collected at any time; access to and automatic deletion of contact data from a user’s phone; and the process if the user tests positive for COVID-19.[93]

The policy states that, when a user tests positive for COVID-19,

[a] health official will contact you and ask for consent to enter your mobile number into the data store to generate a PIN to be sent to you by SMS.

If you enter the PIN, you will give your consent to upload contact data on your device into the data store to share with health officials to enable contact tracing.

If another user tests positive to COVID-19, they may upload their contact data, which may include details of their contact with you.[94]

The policy also states that “[n]o user should feel pressured to install or continue to use COVIDSafe, or to agree to upload contact data to the data store,” and explains that complaints can be made to the Department of Health, OAIC, or the Australian Human Rights Commission if a person feels pressured to do these things.[95]

Registration information, encrypted user IDs, and contact data is stored in a cloud-based facility, “using infrastructure located in Australia.”[96] A user can submit a request form for the deletion of personal information held in the data store.

The privacy policy for the app indicates that the Department of Health’s general privacy policy also applies, and that this policy contains information about how a person may complain about a breach of the APPs or an applicable APP code.[97] The FAQs document also states that, “[i]n accessing and using the uploaded data, health officials will be required to comply with the Australian Privacy Principles and all applicable data protection and information security obligations. It will only be able to be used for alerting individuals if they have come into contact with a person who has contracted coronavirus.”[98]

The OAIC “will have independent oversight of personal information handling by the app and the National COVIDSafe Data Store,” and can audit the system and investigate complaints.[99]

2. Privacy Impact Assessment

During the development of the app, the Department of Health engaged a law firm to prepare a Privacy Impact Assessment (PIA) to advise the Department on how it needed to address and mitigate any identified privacy risks.[100] Such PIAs are required under the Australian Government Agencies Privacy Code for projects “involving new ways of handling personal information.”[101] The PIA identifies the potential impacts of the app on individuals’ privacy and sets out 19 recommendations for how these can be managed, minimized, or eliminated. The PIA, along with the Department’s response to the recommendations, was published online at the time the app was released.[102]

The PIA states that the law firm was “satisfied that Australian Government has considered the range of privacy risks associated with the App and has already taken steps to mitigate some of these risks. The PIA makes a range of recommendations to ensure privacy issues continue to be addressed as the App is rolled out and App information is collected and used.”[103] The PIA recommended, for example, that the Department of Health

  • “consider making the source code for the App publicly available”;
  • “continue to consider and investigate the legislative options in relation to the collection, use, disclosure, and deletion, of personal information in connection with the App”;
  • “ensure that the App seeks consent from Users at two different points--an initial notice which is provided to individuals before they agree to their Registration Information being uploaded to the National COVIDSafe Data Store, and a further notice which is provided before they agree to upload the Digital Handshake information on their device to the National COVIDSafe Data Store”;
  • “consider developing training and/or scripts for Public Health Officials and Contact Tracers in connection with the App”;
  • “has contractual or other administrative arrangements in place with the State and Territory public health authorities responsible for contact tracing”;
  • “seek independent assurance from security experts (including as appropriate, the Australian Signals Directorate and the Australian Cybersecurity Centre), to provide additional testing and assurance that the security arrangements for the App and the National COVIDSafe Data Store, and the use of information in it, are appropriate”; and
  • “further consider the processes in the App if a User is a Child User.”[104]

The Department’s response to the PIA agreed with all of the recommendations and set out the actions being taken to address them.[105] The OAIC stated that it would monitor the implementation of the recommendations and closely review the relevant legislation.[106] The Australian Human Rights Commission also stated it would assess whether additional human rights safeguards should be included in the legislation.[107]

3. Interim Determination

Upon launching the COVIDSafe app in late April, the federal Minister for Health made a determination under the Biosecurity Act 2015 (Cth)[108] that set out rules about the collection and disclosure of data collected via the app and prohibited the coercion of individuals to download or use the app.[109] The government explained that this was an interim measure and that legislation was being developed that would govern the app and resulting data. The Attorney-General’s Department explained that the provisions in the determination

  • ensure that data from COVIDSafe is only used to support state and territory health authorities’ contact tracing efforts, and only to the extent required to do so
  • outline limited additional circumstances when data from COVIDSafe can be used, including to investigate a breach of the determination and allow the administrator of the National COVIDSafe Data Store to produce de-identified statistics about COVIDSafe registrations
  • require that users must consent before data from their device can be uploaded to the National COVIDSafe Data Store
  • prevent data from COVIDSafe being retained outside of Australia, and protect against unauthorised disclosure outside of Australia
  • require all COVIDSafe data held in the National COVIDSafe Data Store to be deleted at the end of the COVID-19 pandemic
  • protect against decryption of COVIDSafe data stored on users’ devices
  • provide that no one can be forced to download or use COVIDSafe or upload their data to the National COVIDSafe Data Store.[110]

4. Legislation

On May 4, 2020, the Australian government released a draft bill related to the COVIDSafe app:[111] the Privacy Amendment (Public Health Contact Information) Bill 2020.[112] The final version of the legislation was introduced in the Parliament on May 12, 2020, and passed on May 14, 2020.[113] The Bill “substantially reproduces the obligations and prohibitions contained in the COVIDSafe Determination, with some amendments to strengthen potential gaps in protection.”[114] The Bill repealed the determination when it came into force. The Attorney-General’s Department summarized the key additional protections in the Bill as follows:

  • The national privacy regulator, the Office of the Australian Information Commissioner (OAIC), will have oversight of COVIDSafe. They can manage complaints about mishandling of COVIDSafe data and conduct assessments relating to maintenance and handling of that data.
  • The Privacy Act’s Notifiable Data Breaches scheme will be extended to apply to COVIDSafe data.
  • The interaction between the powers and obligations of the OAIC in relation to COVIDSafe data with the powers of state and territory privacy regulators and the Australian Federal Police will be clarified.
  • The administrator of the National COVIDSafe Data Store will delete users’ registration data upon request.
  • An individual will be required to delete COVIDSafe data if they receive it in error.
  • No data can be collected from users who have chosen to delete COVIDSafe.
  • A process will be put in place for COVIDSafe data to be deleted at the end of the COVID-19 pandemic and users to be notified accordingly.[115]

The Bill added a new part to the Privacy Act, part VIIIA.[116] A provision in the Bill “expressly cancels the effect of any Australian law which would otherwise permit or require conduct, or an omission to act, that is prohibited under” the new part.[117] According to information provided by the government to the Senate committee tasked with overseeing the response to COVID-19, the legislation “overrides all other Commonwealth and state and territory laws that would provide for any form of law enforcement access.”[118]

The Bill contains various offenses, including collecting, using, or disclosing app data outside of the circumstances permitted by the Bill; “retaining uploaded COVID app data which has been uploaded to the COVIDSafe Data Store on a database outside Australia, or disclosing such data to another person outside Australia (other than for contact tracing purposes)”; “uploading, or causing to be uploaded, COVID app data from a communication device to the COVIDSafe Data Store without the consent of the COVIDSafe user . . .”; decrypting app data that is stored on a communication device; and coercive actions in respect of the app, including, for example, requiring a person to download or use the app or upload data from the app.[119] Each offense “carries a maximum penalty of five years imprisonment and/or 300 penalty units ($63,000 [about US$40,780]). This is the same as the maximum penalty applicable under the Biosecurity Act for breaches of the COVIDSafe Determination.”[120]

Under the Notifiable Data Breaches scheme,

the data store administrator or relevant health authority is required to notify the [OAIC] where they have reasonable grounds to believe they have breached a requirement in relation to COVID app data. The [OAIC] will determine whether the administrator/health authority is required to comply with the data breach notification requirements by preparing a statement about the data breach and notifying affected individuals of (or otherwise publicising) the contents of this statement.[121]

The OAIC also has the power to conduct assessments of whether state and territory authorities are complying with the part, and to conduct investigations (either in response to a complaint or on its own initiative) into interferences with individuals’ privacy.[122]

The Bill introduced in the Parliament included reporting requirements that had not been contained in the original draft. These include a requirement that the Minister for Health “cause a report to be prepared on the operation and effectiveness of COVIDSafe and the National COVIDSafe Data Store” every six months, and to present the report to the Parliament.[123] The OAIC must also prepare reports on the performance of its functions, and exercise of its powers, under the new part.[124] The explanatory memorandum for the Bill states that the reporting obligations are “designed to ensure an appropriate degree of transparency and to build public confidence in the strong privacy protections that will apply under the Bill.”[125]

The Minister for Health must determine a particular day to be the end of the COVIDSafe data period. The Minister must first consult the Chief Medical Officer or AHPPC and must be satisfied that by that day “the use of the app is no longer required to prevent or control, or no longer likely to be effective in preventing or controlling, COVID-19 in Australia.”[126] At the end of the period, no further app data may be collected and the app must not be available for download. The data store administrator must also delete all app data from the data store, inform the Minister for Health and OAIC that it has been deleted, and take all reasonable steps to inform current users of this fact. The Bill provides for the repeal of all provisions inserted into the Act at the end of 90 days after the date specified as being the end of the data period.[127]

5. Concerns Raised

Privacy advocates and legal experts have raised various concerns about the privacy protections provided by the app itself, by the interim determination, and by the draft and final bill. These include, for example, potential conflicts with other apps, the possibility of Bluetooth tracking location on other apps, vulnerabilities to data interception, failure to clearly limit data collection and decryption to information about “close contacts,” failure to include decrypted records in the definition of COVID app data in the legislation, and loopholes in the rules against coercing individuals to download and use the app.[128]

However, many appear to believe that the COVIDSafe Bill passed in May “does go a long way to protecting the use and disclosure of information collected by the app.”[129] The opposition party in Parliament agreed, stating that “[i]n many ways the privacy protections included in this bill are--to use the word of our times--unprecedented in Australian law.”[130] According to the deputy chief medical officer, “all states and territories have now signed up to allow their health officials to use the data.”[131] He stated that “[w]e are now absolutely certain privacy and data security issues are all taken care of in terms of states and territories agreeing to our proposals.”[132]

One of the remaining major concerns raised by critics is whether United States law enforcement entities could gain access to the app data.[133] This is because the data is being hosted in Australia by Amazon Web Services, a US company subject to the Clarifying Lawful Overseas Use of Data Act (CLOUD Act)--“a law which can force US companies to hand over data to US law enforcement regardless of where that data is held.”[134] The government has argued that the Bill makes it an offense to transfer any of the data to any country outside Australia. However, critics have noted that the Telecommunications Legislation Amendment (International Production Orders) Bill 2020,[135] currently before Parliament, which was developed with the CLOUD Act in mind, “make[s] it possible for Australia to facilitate agreements with other nations so that Australian law enforcement agencies could access data held in those countries and vice versa.”[136] For example, the Law Council raised concerns about the adequacy of safeguards in the COVIDSafe Bill to “quash” US requests for data under the CLOUD Act and argued that the relevant reciprocal executive agreement with the US government, currently being negotiated, would need to ensure the app data is excluded.[137]

On May 19, 2020, several news articles reported that the NSW government was still “formally evaluating the use of the COVIDSafe app,” and other states also confirmed that their health officials had not yet accessed any of the app data.[138] The Guardian reported that NSW Health had contacted the Digital Transformation Agency regarding a technical problem.[139] In response to the reports, the federal Department of Health issued a statement saying that “[a]ny claims that technical issues are restricting access are not correct,” and that each state and territory has “undertaken training and adopted clear protocols on access of information when a person tests positive.”[140] The statement further said that,

[a]s is expected, each state will refine how they operate, noting that currently there are only a small number of cases nationally. We hope this continues. The app will be an essential tool for containing any further outbreaks.

The key is to have as many people registered with the app so in the event of an outbreak, public health officials can find cases faster and rapidly contain it. This will be increasingly important as restrictions are eased around the country and people are more mobile.[141]


Prepared by Kelly Buchanan
Foreign Law Specialist
June 2020

[1] State and Territory Government.

[2] See, e.g., Department of Health, Australian Health Sector Emergency Response Plan for Novel Coronavirus (COVID-19) (last updated Feb. 7, 2020); Australian Health Protection Principal Committee, CDPLAN: Emergency Response Plan for Communicable Disease Incidents of National Significance (Sept. 2016).

[3] See Australian Government Solicitor, Australian Jurisdictions Responses to COVID-19 (May 11, 2020).

[4] Id.; Government Response to the COVID-19 Outbreak, Department of Health; Karen Elphick, Australian COVID-19 Response Management Arrangements: A Quick Guide (Parliamentary Library, Apr. 28, 2020); Karen Elphick, Australian Pandemic Response Planning: A Quick Guide (Parliamentary Library, Apr. 28, 2020); Karen Elphick, National Emergency and Disaster Response Arrangements in Australia: A Quick Guide (Parliamentary Library, Apr. 28, 2020).

[5] Coronavirus (COVID-19) at a Glance, Department of Health.

[6] See, e.g., Nectar Gan, How Did Australia Flatten Its Coronavirus Curve? Restrictions Easing as Infection Rate Continues to Fall, CNN (May 1, 2020).

[7] COVID-19 Coronavirus Pandemic, Worldometer.

[8] Press Release, Prime Minister et al., COVIDSafe: New App to Slow the Spread of Coronavirus (Apr. 26, 2020); COVIDSafe App, Department of Health. See also Ariel Bogle, Will the Government’s Coronavirus App COVIDSafe Keep Your Data Secure? Here’s What the Experts Say, ABC News (Apr. 27, 2020).

[9] COVIDSafe App, Australian Government. See Josh Taylor, Covidsafe App: How Australia’s Coronavirus Contact Tracing App Works, What It Does, Downloads and Problems, Guardian (May 14, 2020); Gavin Smith et al., COVIDSafe – What We Now Know, Allens, Insight (Apr. 27, 2020).

[10] The Next Release of COVIDSafe Is Live, Digital Transformation Agency (May 14, 2020).

[11] Press Release, supra note 8.

[12] Justin Hendry, COVIDSafe App Hits 2 Million Downloads in 24 Hours, iTNews (Apr. 27, 2020).

[13] Transcript, Minister for Health, Press Conference in Melbourne about COVID-19 (May 20, 2020).

[14] Mobile Consumer Survey 2019, Deloitte.

[15] See Paul Karp, Government Releases Draft Legislation for Covidsafe Tracing App to Allay Privacy Concerns, Guardian (May 4, 2020).

[16] See Justin Hendry, COVIDSafe Privacy Protections Now Locked in Law, iTNews (May 14, 2020).

[17] Privacy Act 1988 (Cth) s 6 (definitions of “agency” and “APP entity”), 6C & 6D; The Privacy Act, Office of the Australian Information Commissioner (OAIC).

[18] Privacy Act 1988 (Cth) sch 1; Australian Privacy Principles, OAIC.

[19] Privacy Act 1988 (Cth) sch 1 APP 6.2(b).

[20] APP 6.2(c) & s 16A(1) item 1.

[21] APP 6.2(d) & s 16B(3). See Andrew McDonald & Tessie Tan, Coronavirus Surveillance Tactics Raise Questions about Civil Liberties, Thomson Reuters, Legal Insight (Apr. 7, 2020).

[22] Privacy Act 1988 (Cth) ss 6FA, 16FB, & 95A. See What Is Health Information?, OAIC; What Is a Health Service Provider, OAIC; Privacy for Health Service Providers, OAIC.

[23] Privacy Act 1988 (Cth) s 80J.

[24] Id. s 80P.

[25] See Emergency Declaration – Privacy Act 1988, Attorney-General’s Department.

[26] What We Do, OAIC.

[27] See Other Legislation, OAIC.

[28] See Privacy in Your State, OAIC.

[29] Coronavirus (COVID-19): Understanding Your Privacy Obligations to Your Staff, OAIC (Mar. 18, 2020).

[30] COVID-19, OAIC (May 5, 2020); COVID-19 Response from Australian Privacy Regulators, OAIC (Mar. 27, 2020).

[31] Telecommunications Act 1997 (Cth) ss 5, 7 (definition of “carrier” and “carriage service”) 56, 87 & pt 13.

[32] Id. s 275A.

[33] Id. s 280.

[34] Id. ss 287 & 300.

[35] Id. s 285A & pt 13 div 3B.

[36] Id. s 303B.

[37] Id. ss 311 & 313(3) & (4).

[38] Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act); Lawful Access to Telecommunications: Telecommunications Interception and Surveillance, Department of Home Affairs.

[39] TIA Act pt 2-2.

[40] Id. pt 2-3.

[41] Id. pt 2-5.

[42] Id. pt 2-6.

[43] Id. ch 3.

[44] Lawful Access to Telecommunications: Data Retention Obligations, Department of Home Affairs; TIA Act pt 5-1A.

[45] TIA Act s 187AA; Lawful Access to Telecommunications: Data Retention, Department of Home Affairs.

[46] TIA Act s 187AA(1) item 6.

[47] Id. s 187BA.

[48] Id. pt 4-1 div 4 & s 110A.

[49] Id. s 177.

[50] Telecommunications, OAIC.

[51] Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth).

[52] Lawful Access to Telecommunications: Assistance and Access: Overview, Department of Home Affairs.

[53] Lawful Access to Telecommunications: The Assistance and Access Act 2018, Department of Home Affairs; Telecommunications Act 1997 (Cth) pt 15.

[54] See Telecommunications Act 1997 (Cth) s 317A.

[55] Surveillance Devices Act 2004 (Cth).

[56] Australian Security Intelligence Organisation Act 1979 (Cth) pt III div 2.

[57] Crimes Act 1914 (Cth) pt IAA div 2.

[58] Michael Caplan et al., Location, Location, Location! – Data, Privacy and Coronavirus, Gilbert + Tobin (Apr. 19, 2020).

[59] Biosecurity Act 2015 (Cth).

[60] National Health Security Act 2007 (Cth).

[61] See Links to State and Territory Public Health Legislation, the Biosecurity Act, and the National Health Security Act 2007, Department of Health.

[62] See Helen Portillo-Castro, Emergency Management and Disaster Resilience: A Quick Guide, Australian Parliamentary Library (July 16, 2019); Emergency Management, Department of Home Affairs.

[63] Biosecurity Act 2015 (Cth) s 51(1).

[64] Id. s 51(2).

[65] Id. s 88. See Letter, “I See You’re at Bondi Beach Not Self Isolating”: Using Mobile Phone Data to Manage Covid-19, Gilbert + Tobin.

[66] Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) Declaration 2020 (Cth).

[67] Howard Maclean & Karen Elphick, COVID-19 Legislative Response – Human Biosecurity Emergency Declaration Explainer, FlagPost, Parliamentary Library (Mar. 19, 2020).

[68] McDonald & Tan, supra note 21.

[69] Ben Grubb, Mobile Phone Location Data Used to Track Australians’ Movements During Coronavirus Crisis, Sydney Morning Herald (Apr. 5, 2020); Isabelle Lane, Privacy Fears as Governments Use Phone Data to Track Coronavirus Rule Breakers, New Daily (Apr. 6, 2020).

[70] Grubb, supra note 69.

[71] Letter, supra note 65.

[72] Id.

[73] Grubb, supra note 69.

[74] Id.

[75] Id.; Emily Olle, Coronavirus Couple’s Movements to be Tracked by Phone: SA Health, 7News (Feb. 4, 2020).

[76] Jessie Davies, Why Australia Isn’t Using Mobile Data to Track People Potentially Infected with Coronavirus, ABC News (Apr. 7, 2020).

[77] Justin Hendry, Victoria Ramps Up COVID-19 Contact Tracing Using Whispir, ITNews (Mar. 26, 2020).

[78] Id.

[79] Coronavirus Australia App, Department of Health.

[80] Katharine Kemp, Opinion: Privacy and Health: COVID-19 Tracking Apps, UNSW Newsroom (Apr. 15, 2020).

[81] Id.

[82] Id.

[83] COVIDSafe App, Department of Health.

[84] Id.

[85] Id.

[86] Id.

[87] Department of Health, Coronavirus Contact App FAQs 3 (Apr. 2020).

[88] Id. at 6.

[89] COVIDSafe App, supra note 83.

[90] Id.

[91] Id.

[92] Coronavirus Contact App FAQs, supra note 87, at 4.

[93] Privacy Policy for COVIDSafe App, Department of Health.

[94] Id.

[95] Id.

[96] Id.

[97] Id. See also Privacy Policy, Department of Health.

[98] Coronavirus Contact App FAQs, supra note 87, at 4.

[99] Privacy Protections in COVIDSafe Contact Tracing App, OAIC (Apr. 26, 2020).

[100] COVIDSafe Application Privacy Impact Assessment, Department of Health.

[101] See Privacy Protections in COVIDSafe Contact Tracing App, supra note 99.

[102] COVIDSafe Application Privacy Impact Assessment – Agency Response, Department of Health.

[103] Maddocks, Department of Health: The COVIDSafe Application – Privacy Impact Assessment ¶ 1.5 (Apr. 24, 2020).

[104] Id. at 5-13.

[105] Department of Health, The COVIDSafe Application: Privacy Impact Assessment – Agency Response (2020).

[106] Privacy Protections in COVIDSafe Contact Tracing App, supra note 99.

[107] Commission Welcomes COVIDSafe App, Australian Human Rights Commission (Apr. 27, 2020).

[108] Biosecurity Act 2015 (Cth) s 477(1).

[109] Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020.

[110] COVIDSafe Draft Legislation, Attorney-General’s Department.

[111] Press Release, Attorney-General, Legislation for COVIDSafe App Privacy Protections (May 4, 2020). See also Justin Hendry, Govt Unveils COVIDSafe Contact Tracing App Bill, ITNews (May 5, 2020).

[112] COVIDSafe Draft Legislation, supra note 110; Exposure Draft: Privacy Amendment (Public Health Contact Information) Bill 2020.

[113] Privacy Amendment (Public Health Contact Information) Bill 2020, Parliament of Australia.

[114] Claire Petrie, Privacy Amendment (Public Health Contact Information) Bill 2020, at 4 (Parliamentary Library, Bills Digest No. 98, 2019-20, May 12, 2020).

[115] COVIDSafe Draft Legislation, supra note 110.

[116] Privacy Amendment (Public Health Contact Information) Act 2020 (Cth).

[117] Petrie, supra note 114, at 4.

[118] Quoted in id. at 5.

[119] Id. at 7.

[120] Id. at 8.

[121] Id.

[122] Id. at 9.

[123] Id.

[124] Id.

[125] Attorney-General, Explanatory Memorandum: Privacy Amendment (Public Health Contact Information) Bill 2020, at 7.

[126] Petrie, supra note 114, at 10.

[127] Id.

[128] See James Jin Kang & Paul Haskell-Dowland, How Safe is COVIDSafe? What You Should Know About the App’s Issues, and Bluetooth-related Risks, The Conversation (May 7, 2020); Stilgherrian, Australia’s Wobbly Start to the COVIDSafe App Transparency, ZDNet (May 11, 2020); Graham Greenleaf & Katharine Kemp, The COVIDSafe Bill: Privacy Protections Improved, But More Needed, UNSW, Newsroom (May 5, 2020); Gavin Smith et al., The COVIDSafe Bill – Good Progress, But There’s More to Do, Allens, Insight (May 6, 2020); Sheila McGregor et al., Does the 80:20 Rule Apply? – Federal Government Releases Draft COVIDSafe App Privacy Legislation, Gilbert + Tobin, COVID-19 Hub (May 7, 2020).

[129] Paul Farrell, Experts Raise Concerns about Security of Coronavirus Tracing App COVIDSafe, ABC News (May 14, 2020).

[130] Id.

[131] Deputy Medical Officer Says All Coronavirus Tracing App Privacy Concerns ‘Are Taken Care Of’, SBS News (May 14, 2020).

[132] Id.

[133] See Dylan Welch & Linton Besser, Experts Warn There Are Still Legal Ways the US Could Obtain COVIDSafe Data, ABC News (Apr. 27, 2020).

[134] Josh Taylor, Questions Remain over Whether Data Collected by Covidsafe App Could be Accessed by US Law Enforcement, Guardian (May 14, 2020).

[135] Telecommunications Legislation Amendment (International Production Orders) Bill 2020, Parliament of Australia.

[136] Taylor, supra note 134.

[137] Id.

[138] Kelly Burke, Coronavirus Testing: Australia’s COVIDSafe App Still an Untried Tool, 7News (May 19, 2020).

[139] Josh Taylor, NSW is Unable to Use Covidsafe App’s Data for Contact Tracing, Guardian (May 19, 2020).

[140] Press Release, Department of Health, Operation of the COVIDSafe App (May 19, 2020).

[141] Id.

Last Updated: 12/30/2020