Business owners who ban people from entry unless they have downloaded the government’s coronavirus contact tracing app will face five years in gaol and a $63,000 fine under proposed laws.
The government has released a draft of its legislative backing to privacy and data protections for the COVIDSafe tracing app.
It proposes to make it illegal for anyone to refuse a person without the app entry to a public place, ban them from an activity or refuse to buy or sell goods and services to them.
The legislation would also make it an offence to access the data without proper authorisation and for the data to be stored anywhere outside of Australia.
All offences have a maximum penalty of five years in gaol, a $63,00 fine or both.
The legislation also says records of the Bluetooth “handshakes” a user’s phone makes with people they come in close contact with must be deleted after 21 days or upon request.
And once the health minister and chief medical officer decide the app is no longer necessary on health grounds, all data must be erased from the server and people will be told to delete the app from their phones.
A sunset clause in the legislation says the privacy protections and offences will end 90 days after the minister determines the app is no longer needed.
The legislation, which will be put to parliament when it returns next week, backs up rules already laid out in a biosecurity determination.
Attorney-general Christian Porter described it as the final step in a “triple lock of privacy protections”.
“The draft bill clarifies the enforcement mechanisms for the penalties that are already in place against misuse of data from the COVIDSafe app,” he said on Monday.
“In addition to the protections provided by the biosecurity determination, this bill puts in place a clear process outlining how the government will satisfy its obligation to delete all COVIDSafe data from the national COVIDSafe data store once the pandemic is over.”
Offences under the new law would be investigated by federal police and people could complain to the Office of the Australian Information Commissioner or their state privacy regulator if they were concerned their data had been misused.