Australia: Digital ID Act 2024 including data protection regulation enters into force

On 16 May 2024, the Digital ID Act 2024 entered into force. The Bill expands the Australian Government Digital ID System (AGDIS) to include private sector entities, initially focusing on government services before expanding to include banks, credit card operators, and Australia Post within 2 years. These entities will enable access to services using government-issued Digital IDs and later offer their own accredited Digital ID services. The Australian Competition and Consumer Commission (ACCC) will act as the initial regulator, drawing on its consumer data and compliance expertise. The Bill introduces a voluntary accreditation scheme with cybersecurity and privacy requirements for accredited Digital ID providers. In particular, the Bill gives individuals rights over their personal data, including the right to privacy, consent before data is collected or shared, deletion of data on request, and protection against data profiling or unauthorised marketing. The Bill imposes responsibilities on data processors and data controllers, requiring compliance with data protection laws, explicit consent for the collection, use, and disclosure of biometric data, and mandatory destruction of such data after verification. Authorised entities must notify relevant authorities of data breaches, restrict the disclosure of unique identifiers, and comply with conditions on data collection and sharing.