Cracking QR codes: Venues can bar patrons who refuse to sign in

The Statement

A video on social media features claims that people can refuse to sign in at venues that require QR codes, claiming businesses that deny entry are breaching privacy laws.

The Facebook video from April 23 was shared to an Australian page with a caption advising people “how to deal with unlawful QR codes” which “breach privacy act 94H”.

In the video, a woman claims that while businesses may be required to ask people to sign in using QR codes due to COVID-19, customers “don’t have to abide by this”. “It’s not mandatory for us. We can say, ‘No thank you, I don’t want to’,” she continues.

The woman suggests anyone refused entry after not signing in should “get out your legislation”, referring to the Privacy Act 1988. A screen then shows Section 94H of the Act, which refers to “requiring the use of COVIDSafe”.

The woman says penalties of five years’ imprisonment or a fine of up to $30,000 apply “if they refuse to allow another person to enter (to a place) that is accessible to the public”.

“A person commits an offence if the person requires another person to download COVIDSafe, have COVIDSafe in operation or consent to uploading COVID app data – so we don’t have to do this. We can say no and we can stop complying out of fear,” she adds.

At the time of writing, the video had been viewed more than 8,000 times, drawing more than 430 comments and reactions and 270 shares.

The Analysis

The woman speaking in the video appears to confuse laws surrounding the federal government’s COVIDSafe app and state contract-tracing requirements such as QR code sign-ins. The latter are not unlawful, nor do they breach the Privacy Act, experts and government agencies say.

The COVIDSafe app, mentioned in the legislation shown in the video, was introduced in the early stages of the pandemic by the federal government to help contact tracers find close contacts of people who tested positive to COVID-19. It has been criticised for identifying only a handful of unique contacts since it was introduced.

In response to concerns about how data from the app would be accessed, the government amended the Privacy Act 1988 to penalise anyone found misusing the information. The changes introduced a string of offences relating to the COVIDSafe app and its data, including under the section cited in the video.

Bill Swannie, a lecturer in law at Victoria University, told AAP FactCheck the section of the Privacy Act referred to in the Facebook video was enacted to address specific concerns that the COVIDSafe app may be used to deny people access to shops and workplaces.

However, it did not relate to the use of Quick Response (QR) code sign-ins, which have been introduced in various Australian states and territories to aid with local contact tracing efforts. These codes allow people to easily provide their information via a mobile phone when entering a venue.

In NSW, for example, the state government introduced mandatory electronic customer registration through QR codes or other systems that recorded names and contact information in November 2020. Under its public health order, hospitality and entertainment venues need to electronically record the contact details of patrons (page 14). In Queensland, food and drink and entertainment businesses need to record similar information (schedule 1A).

Mr Swannie said such measures, introduced under public health orders, meant businesses were legally entitled to refuse entry to patrons who decline to sign in as required.

“The Privacy Act only applies to federal government agencies and certain organisations, and it doesn’t prevent the collection of private information. It simply regulates its collection, storage and use,” he said in an email.

The Office of the Australian Information Commissioner (OAIC) is the independent federal authority responsible for enforcing the Privacy Act, and in May 2020 guidance it noted that some states and territories had issued orders requiring businesses to obtain contact information from customers as a condition of reopening.

“If a direction or order applies to your business, the collection of this personal information will be necessary for your organisation’s functions or activities. This means the collection of contact information is permitted under the Privacy Act 1988,” it said.

Smaller businesses, those with annual turnover of $3 million or less, are already excluded from the Privacy Act.

Peter Leonard, a data business lawyer and professor of practice at UNSW’s Business School, told AAP FactCheck in a phone interview that a state law like the NSW public health order created a legal obligation for entities to deal in a certain way with personal information.

“(QR codes are) an example of (something that is) required or authorised by law, and therefore it falls within the exception from the federal Privacy Act,” he said.

Prof Leonard said businesses which fall under the Public Health Directives requiring them to record contact information using QR codes are legally entitled to deny entry to patrons who refuse, provided the venues aren’t breaching other discrimination laws.

A spokesman for Service NSW, the authority which oversees the QR code check-in function, told AAP FactCheck the state’s “COVID Safe check-in” is mandated by public health orders.

“Customers that choose not to provide details will be refused entry,” he said in an email.

All information, text and images included on the AAP Websites is for personal use only and may not be re-written, copied, re-sold or re-distributed, framed, linked, shared onto social media or otherwise used whether for compensation of any kind or not, unless you have the prior written permission of AAP. For more information, please refer to our standard terms and conditions.