Australia has now enshrined the privacy protections for its COVIDSafe contact tracing app into law. The Privacy Amendment (Public Health Contact Information) Bill passed through parliament with minor changes, clearing the Senate on Thursday morning just two days after the government introduced it.
The legislation addresses privacy concerns raised by the public. It replaces the interim determination under the Biosecurity Act used when COVIDSafe launched last month. The law imposes strict penalties—up to five years in jail—for anyone who collects, uses, discloses (including overseas), or decrypts COVIDSafe data for purposes other than contact tracing.
It also bans forcing individuals to use COVIDSafe. The law defines how the health department and Digital Transformation Agency (DTA) must handle data. Following negotiations, Labor secured key amendments. These include clearer definitions of protected data, restrictions on law enforcement managing the COVIDSafe data store, and mandatory six-month public reports on the app’s performance.
Shadow attorney-general Mark Dreyfus praised the improved bill. “This is now a stronger and better piece of legislation as a result of constructive engagement between Labor and the government,” he said on Tuesday.
The bill grants the Office of the Australian Information Commissioner greater oversight of the app. It empowers the office to investigate privacy breaches, even when law enforcement agencies are involved. “This bill introduces the strongest privacy safeguards ever enacted by any Australian parliament,” Dreyfus told the House of Representatives.
He added that the COVIDSafe app remains voluntary and collects less sensitive data than most government or corporate systems. “This bill takes privacy seriously,” he said.
Despite these protections, concerns remain about the app’s effectiveness. Critics from Labor, the Greens, and Centre Alliance argue that legislation alone cannot fix its technical issues. COVIDSafe’s Bluetooth struggles on iOS devices, limiting its ability to record “digital handshakes” between users.
The DTA’s choice of Amazon Web Services (AWS) to host and manage the app has also faced criticism. Opponents say Australian cloud providers like Sliced Tech, Macquarie Telecom, and Vault should have been allowed to bid. DTA CEO Randall Brugeaud defended the decision, explaining that AWS offered a full package—hosting, development, and operational services—with rapid scalability during the pandemic.
Foreign affairs minister Marise Payne confirmed AWS’s advantages but stressed that the new law prevents any overseas data transfers. “Any transfer of data outside Australia will constitute a criminal offense and carry a penalty of five years imprisonment,” she said.
After a brief debate, parliament passed the bill. Labor opposed further amendments, including a strict sunset clause. “There is strong public interest in enacting these protections quickly. We will not support amendments that delay this bill,” Labor senator Murray Watt stated.
More than 5.6 million Australians have downloaded and registered for COVIDSafe since its release two and a half weeks ago. Deputy chief medical officer Paul Kelly announced on Wednesday that the portal for state and territory health officials to access app data is now operational. Agreements with all states and territories have been signed, and health professionals trained to use the portal. The DTA released the app’s source code last week but withheld the code for the national data store.