Telecommunications and Other Legislation Amendment Bill 2016

Bills Digest No. 9, 2017-18

PDF version [1,623KB]

Monica Biddington and Jaan Murphy
Law and Bills Digest Section
8 August 2017

Contents

The Bills Digest at a glance

Purpose of the Bill

Structure of the Bill

Background

2013 PJCIS report
2015 PJCIS report
2016 Australian Cyber Security Strategy

Committee consideration

Parliamentary Joint Committee on Intelligence and Security
Senate Standing Committee for the Selection of Bills
Senate Standing Committee for the Scrutiny of Bills

Policy position of non-government parties/independents

Opposition
Other non-government parties and independents

Position of major interest groups

Previous consideration of TSSR and position of interest groups

Current position of major interest groups

Joint submission from industry associations

Australian Centre for Cyber Security

The Bill and the Metadata Act

Financial implications

Statement of Compatibility with Human Rights

Parliamentary Joint Committee on Human Rights

Key issues and provisions

Administrative guidelines
Over-the-top services
Security obligations
Concerns about the use of the ASIO Act definition of security
Key definitions underpinning the security obligations
The security obligations generally
Table 1: security obligations
Immunity from liability
Elements of the security obligation
Meaning of ‘do their best’ element of the security obligations
Security obligations and their application
The definition of ‘facility’ and the security obligations
Concerns about retrofitting
Notification regime—overview
Individual notifications
Annual Security Capability Plans
Interaction between SCPs and individual notification regime
Assessment of notified proposed changes
Criticism of notification regime
Logic of the approach
Asymmetry of the notification requirements
Inconsistency with the direction regime
Length of time to finalise a decision
Unnecessary interference with commercial decisions of carriers and CSPs
Offshoring
Unclear thresholds and unnecessarily broad scope of application
Directions by the Attorney-General
Current position
Power to require a carrier or CSP to cease operating a telecommunications service
Power to require a carrier, CSP or intermediary to do or refrain from doing a specified act
Criticisms of the directions powers
Potential to undermine investment decisions and reduce competition
Inappropriate weighting given to adverse security assessments
The impact of uncertain definitions and the opacity of adverse security assessments
Lack of consultation requirement in shutdown power
Information gathering and sharing powers
Power to obtain information or documents
Content of notice to produce information or documents
Availability of compensation
Abrogation of privilege against self-incrimination
Information sharing
Criticisms of the information gathering and sharing powers
Reporting and oversight

Concluding comments


Date introduced:  9 November 2016
House:  Senate
Portfolio:  Attorney-General
Commencement: 12 months after the date of Royal Assent.

Links: The links to the Bill, its Explanatory Memorandum and second reading speech can be found on the Bill’s home page, or through the Australian Parliament website.

When Bills have been passed and have received Royal Assent, they become Acts, which can be found at the Federal Register of Legislation website.

All hyperlinks in this Bills Digest are correct as at August 2017.


The Bills Digest at a glance

Purpose of the Bill

  • The purpose of the Bill is to create a regulatory framework for industry and government to collaboratively manage national security risks of espionage, sabotage and foreign interference to Australia’s telecommunications networks and facilities.
  • The Bill will provide the Attorney-General with a new power to direct a carrier or carriage service provider (CSP) or a carriage service intermediary (intermediary) to do or not do a specified thing on security related grounds (for example, alter a procurement assessed as giving rise to security risks).

Background

  • The proposed measures in the Bill form part of a package of reforms to national security legislation, identified by the former government in 2012, commonly referred to as Telecommunications Sector Security Reforms (TSSR). The TSSR is the process of developing regulatory mechanisms to ensure that industry engages with security agencies to enable the early identification and collaborative management of security risks in their infrastructure, and information held on or carried over it.
  • TSSR has been an issue of sustained parliamentary and industry interest and consideration, including inquiries by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) in 2012–13 and 2014–15 and public consultations on two exposure draft Bills released by the Government in 2015.
  • The overall intent and objectives of the Bill reflect and are largely consistent with recommendations of the PJCIS on TSSR related measures, and Government responses to those recommendations.

Stakeholder concerns

  • Stakeholders have expressed concerns including that because the regime favours security interests over commercial or competition interests, it is an inappropriate intrusion into the commercial decision-making of telecommunications companies that will undermine sound investment decisions and reduce innovation in the sector.
  • In addition to raising in-principle concerns about the Bill, some stakeholders have supported amendments to specific provisions of the proposed regime, generally to strengthen safeguards, place limits on administrative discretions and enhance protections for commercially sensitive information that may be required to be disclosed under the proposed framework.
  • Some members of the PJCIS questioned whether the Bill contains adequate mechanisms to identify the amount of data held by Australian telecommunications companies that is stored offshore (commonly referred to as ‘offshoring’) and ensure its protection.

Key elements

  • The regime will have a delayed commencement (12 months), including the development of administrative guidelines.[1]
  • The regime established by the Bill will apply to carriers, CSPs and intermediaries to varying degrees.
  • A new security obligation is imposed on carriers and CSPs to ‘do their best’ to manage risks related to unauthorised access and interference to networks and facilities they own, operate or use to ensure the availability and integrity of networks and facilities and to protect the confidentiality of information stored on and carried across them.
  • A new notification requirement is imposed on carriers and certain CSPs to notify the government of planned changes to their systems and services that are likely to make the network or facility vulnerable to unauthorised access and interference.
  • The Secretary of the Attorney-General’s Department (AGD) is provided with coercive information gathering powers in relation to carriers, CSPs and intermediaries subject to the new regime to facilitate monitoring of and investigations into compliance with the new security obligations.[2]

Key issues for debate

  • The scope of key definitions including applying all components of the definition of ‘security’ in the Australian Security Intelligence Organisation Act 1979 (the ASIO Act) to the new security obligations and notification requirements in proposed sections 313(1A) and (2A), rather than specifically limiting it to the components of the definition listed in the notes to the provisions contained in the Bill.
  • The suitability and breadth of application of the new security obligations.
  • The compliance burden and risk associated with the notification obligation.
  • The adequacy of the threshold that must be satisfied (and matters to be considered) before the directions or shutdown power can be used by the Attorney-General requiring a carrier, CSP or intermediary to do, or refrain from doing, a specified act or thing (or ceasing to supply a carriage service).
  • The application of the regime to web-based email, voice over internet protocol (VoIP) and cloud computing services.
  • The adequacy of safeguards in relation to compulsory disclosure and information-sharing powers, including:
    • potential limitations in the protections available for the secondary disclosure of information for the purposes of security under proposed section 315H(1)(b) and
    • possible ways in which protections of commercially sensitive information could be strengthened under the proposed information-sharing arrangements in proposed section 315H (both legislative and administrative).
  • The adequacy of the oversight and reporting requirements in relation to the operation of the proposed scheme and
  • The collection of data offshore (and more specifically, the storage of data required to be retained under the Telecommunications (Interception and Access) Act 1979 (the TIA Act)).

Purpose of the Bill

The purpose of the Telecommunications and Other Legislation Amendment Bill 2016 (the Bill) is to amend the Telecommunications Act 1997 (the Act), TIA Act, ASIO Act and the Administrative Decisions (Judicial Review) Act 1977 (the ADJR Act) to provide a regulatory framework for industry and government to collaboratively manage national security risks of espionage, sabotage and foreign interference to Australia’s telecommunications networks and facilities.[3] It does so by:

  • imposing a new security obligation on carriers and CSPs to ‘do their best’ to manage risks related to unauthorised access and interference to networks and facilities they own, operate or use to:
    • ensure the availability and integrity of networks and facilities and
    • to protect the confidentiality of information stored on and carried across them
  • imposing notification requirements on carriers and certain nominated CSPs (‘NCSPs’) to notify the government of planned changes to their systems and services that are likely to make the network or facility vulnerable to unauthorised access and interference
  • providing the Secretary of the AGD with information gathering powers to facilitate monitoring of and investigations into compliance with the new security obligations
  • providing the Attorney-General with two directions powers (subject to certain conditions being met) to:
    • direct a carrier or CSP to do or not to do a specified thing (the ‘directions power’), for example, alter a procurement assessed as giving rise to security risks or
    • shut down a specific service (the ‘shutdown power’) and
  • providing enforcement mechanisms by extending the civil remedies regime provided for in Part 30 (injunctions), Part 31 (civil penalties), and Part 31A (enforceable undertakings) of the Act to address non-compliance with the security obligations, a Ministerial direction, or notice to produce information or a document.[4]

Structure of the Bill

This Bill has one Schedule, divided into three parts.

Part 1 contains the main amendments to the Act and TIA Act to implement the new framework, which relate to the security obligations, notification obligations and requirements, information gathering powers, the directions and shutdown powers of the Attorney-General and the enforcement mechanisms.

Part 2 contains consequential amendments to the ASIO Act and ADJR Act with respect to the issuing of security assessments for the purpose of the new regime, and the statutory judicial review of Ministerial directions.

Part 3 contains transitional and saving provisions, which deal with Ministerial directions and security assessments issued under the existing legislation, immediately before the commencement of the proposed amendments.

Background

There has been parliamentary interest and consideration of issues related to security of the telecommunications sector for a number of years. The Bill reflects previous consideration of issues pertaining to the security of the telecommunications sector generally by the PJCIS, as well as more recent Government policy. In particular, the PJCIS, as constituted in the 43rd and 44th Parliaments, gave bipartisan support to the development of TSSR measures, including in-principle support for the core elements of a regulatory framework. The Government supported the PJCIS’s recommendations and now proposes to implement them in this Bill.

2013 PJCIS report

In 2013, as part of its report examining potential reforms to Australia’s national security legislation,[5] the PJCIS recommended that ‘the Government amend the Telecommunications Act 1997 to create a telecommunications security framework’ with the following features:

  • a telecommunications industry-wide obligation to protect infrastructure and the information held on it or passing across it from unauthorised interference
  • a requirement for industry to provide the Government with information to assist in the assessment of national security risks to telecommunications infrastructure and
  • powers of direction and a penalty regime to encourage compliance.[6]

The PJCIS also recommended that (through a Regulation Impact Statement (RIS)) the Government also consider:

  • the interaction of any such proposed regime with existing legal obligations imposed upon corporations
  • the compatibility of the proposed regime with existing corporate governance where a provider’s activities might be driven by decisions made outside of Australia
  • consideration of an indemnity to civil action for service providers who have acted in good faith under the requirements of the proposed framework and
  • the impacts of any such proposed regime on competition in the market-place, including:
    • the potential for proposed requirements to create a barrier to entry for lower cost providers
    • the possible elimination of existing lower cost providers from the market, resulting in decreased market competition on pricing
    • any other relevant effects.[7]

The Government released a response to parts of the 2013 PJCIS report in July 2015, supporting this recommendation and indicating its intention to introduce legislation within the year, following public consultation on an exposure draft Bill. The Government further indicated its intention to refer the Bill, once introduced, and a RIS to the PJCIS for inquiry and report.[8] The measures proposed by the Bill are broadly consistent with the above recommendations and the Government’s response. The Government released two exposure draft (ED) Bills for public consultation in June and November 2015.[9] The second Exposure Draft made a ‘number of changes to improve the operation of the proposed legislation in response to feedback received ...’[10] It also issued an unclassified RIS (with some redactions of classified information) in July 2015.[11] The finalised RIS is annexed to the Explanatory Memorandum to the Bill and addresses the key considerations noted above and analyses the respective net regulatory benefits of the policy options.[12]

2015 PJCIS report

In its advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (examined in Bills Digest No. 89, 2014–15) the PJCIS also recommended that ‘the Government enact the proposed telecommunications sector security reforms prior to the end of the implementation phase for the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014’.[13] Following passage of the latter Bill in March 2015, the 18-month implementation phase for the data retention regime commenced on 13 October 2015 and ended on 13 April 2017.[14]

The PJCIS noted several potential security risks associated with the (then) proposed mandatory data retention scheme, including the potential for increased unlawful access to, or compromise of, personal information that may be required to be retained under the scheme. It considered that the timely implementation of TSSR measures was critical to the integrity of, and community confidence in, the data retention regime (particularly as the data retention regime was non-prescriptive as to where retained data must be stored, and therefore allowed its storage at offshore facilities). The PJCIS stated it was ‘strongly of the view’ that the TSSR measures it considered in its 2013 report ‘should be finalised and implemented prior to the end of the [data retention] implementation period’.[15] The PJCIS also indicated its preference for any future TSSR-related legislation to be referred to it for inquiry and advisory report to the Parliament.[16]

The Government supported the PJCIS’s recommendation, stating that it would ‘introduce a [TSSR] scheme prior to the conclusion of the data retention implementation period’.[17] The introduction of the Bill in November 2016 gives effect to that response.

That said, there is likely to be a period of time in which the data retention regime (DRR) will be fully operational in the absence of a dedicated regulatory framework for TSSR (given the commencement date specified in the Bill (12 months after Royal Assent) and the likely timing for the debate in Parliament and potential passage of the Bill). This delay means that the Government will arguably have a reduced capacity during the 12-month period before the TSSR scheme commences to inform itself about storage arrangements for data that is retained, and take steps to ensure its security (particularly in relation to offshore storage arrangements). The AGD explained that during the implementation period for the DRR it did not (at that time) have visibility of the nature and extent of offshoring arrangements, with Mrs Anne Sheehan (Assistant Secretary, Communications Security Branch, National Security Division of the AGD) stating:

We do not have a complete picture of every company's offshore storage of data. In conversations with some industry members, we may have some visibility, but not across the board. What this bill would introduce is a notification requirement, and one of the kinds of changes that would have to be notified is information that is being stored offshore.[18]

Much may therefore depend on informal cooperation during this period. One risk is that when the TSSR scheme commences, the new notification requirements might identify data storage practices adopted in response to the DRR over the previous 12 months that are inconsistent with the new security obligations. If this risk eventuated, the early period in which the TSSR scheme is operational may need to focus on remedial actions and possibly require ‘retrofitting’ (despite the stated policy intention that the measures proposed in the Bill will not generally require carriers, CSPs or intermediaries to engage in retrofitting[19]). In this regard, arguably the delayed introduction (and consequently, passage and commencement) of the legislation deprives security agencies of the maximum possible opportunity to pro-actively ensure that national security considerations are given appropriate weight in decision-making about the storage of retained data, particularly decisions about offshoring, before those decisions are made and implemented.

2016 Australian Cyber Security Strategy

The Government’s Australian Cyber Security Strategy, launched in April 2016, referred to ongoing work in developing the TSSR initiatives in the course of implementing the PJCIS’s recommendations to develop a regulatory framework:

Recognising the particular importance of secure telecommunications networks, the Government is working with telecommunications companies to manage supply chain risks by providing advice on protecting their networks and the information stored and carried across them. This includes work the Government is doing on Telecommunications Sector Security Reform to establish more formal and comprehensive arrangements to better manage national security risks of espionage, sabotage and interference.[20] (emphasis added)

Committee consideration

Parliamentary Joint Committee on Intelligence and Security

The Bill was referred to the PJCIS for inquiry and report by April 2017. Details of the inquiry are at Review of the Telecommunications and Other Legislation Amendment Bill 2016. The Committee reported on 30 June 2017 and made 12 recommendations for the Government to consider prior to the passage of the Bill. The Committee was unanimously satisfied that the legislative framework approach proposed in the Bill is the most appropriate mechanism to ensure the security of Australia’s telecommunications infrastructure.[21] The recommendations can be summarised as:

  • the revision and expansion of the administrative guidelines (recommendations 1 and 4)
  • the exemption of broadcasters from the obligations set out in the Bill (recommendation 2)
  • ensuring effective and regular information sharing (recommendation 3)
  • allowing requests for exemptions by carriers and carriage service providers for certain changes (recommendation 5)
  • clarifying that the Bill does not affect the operation of privacy obligations (recommendation 6)
  • expanding the annual reporting and review requirements (recommendations 7, 10 and 12)
  • clarifying responsibilities of the Communications Access Co-ordinator (recommendations 8 and 9).

Senate Standing Committee for the Selection of Bills

The Senate Standing Committee for the Selection of Bills recommended that the Bill not be referred to Committee.[22]

Senate Standing Committee for the Scrutiny of Bills

The Senate Standing Committee for the Scrutiny of Bills had no comment on the Bill.[23]

Policy position of non-government parties/independents

Opposition

TSSR reforms were initially an ALP proposal. In May 2012, the then Attorney-General, Nicola Roxon, referred potential TSSR measures to the PJCIS for inquiry during the 43rd Parliament and in particular, sought the PJCIS’s views on whether a regulatory response was necessary or appropriate and, if so, the appropriate structure of the regulatory model. As part of this process, the then ALP Government issued a discussion paper.[24]

Bipartisan support for the development of TSSR measures and the core features of the regulatory model continued. For example, in the PJCIS’s 2013 Report of the Inquiry into Potential Reforms of Australia’s National Security Legislation (2013 PJCIS Report), the PJCIS unanimously recommended that a TSSR framework be created ‘whether or not Government chooses to introduce a data retention regime’ and that ‘there cannot be an effective and equitable security regime without enforcement mechanisms’.[25]

Likewise the PJCIS, in its Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (2015 PJCIS Report), unanimously recommended:

... the Government enact the proposed Telecommunications Sector Security Reforms prior to the end of the implementation phase for the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014.[26]

In addition, ALP Senators noted in the Senate Legal and Constitutional Affairs References Committee’s 2015 Report on the Comprehensive revision of the Telecommunications (Interception and Access) Act 1979 (2015 L&CA Report) that ‘Labor will continue to press for improvements to data security through the Telecommunications Sector Security Reform (TSSR) process’.[27]

The Opposition does not appear to have commented publicly about its position on the specific provisions of the Bill as introduced. However, in 2015 the Opposition criticised the first exposure draft of the Bill in light of industry concerns, and called upon the Government to develop and refer a revised exposure draft to the PJCIS for inquiry before introducing a Bill to Parliament.[28]

Other non-government parties and independents

As at the time of writing, the position of independents and cross-bench parties was unknown.

However, in 2015 the Australian Greens reportedly expressed some general reservations (in the context of the first Exposure Draft of the Bill), and in particular about the proposed new directions power now contained in proposed section 315B. The Greens noted the potential for directions to be overly prescriptive, effectively telling ‘telecommunications companies how to run their networks and their data centres’.[29] Despite this, the Greens do not appear to have announced a position on the current Bill.

Position of major interest groups

Previous consideration of TSSR and position of interest groups

As noted above, TSSR has been considered by a number of previous Parliamentary and departmental inquiries, with key issues raised by stakeholders having been considered on previous occasions. For example, the 2013 PJCIS’s Inquiry into Potential Reforms of Australia’s National Security Legislation (2013 PJCIS Inquiry) considered whether there was a case for regulatory intervention in relation to TSSR, and, if there was, the appropriate regulatory model. After considering industry submissions, the PJCIS did not support stakeholder suggestions for voluntary or co-regulatory models.[30]

More recently, a large number of interest groups made submissions to the AGD as part of the consultation process regarding the two EDs of the Bill released in June and November 2015.[31] Telecommunications companies and industry associations raised similar issues, which resulted in the Government making a number of amendments to the first Exposure Draft Bill.[32] Briefly these included:

  • narrowing the scope of the security obligation
  • increasing the threshold for the exercise of the directions powers
  • the inclusion of additional safeguards around the exercise of the directions powers
  • the inclusion of additional safeguards to protect the confidentiality of commercially sensitive information obtained through the exercise of the information gathering power
  • providing that directions issued by the Attorney-General will now be reviewable under the ADJR Act
  • streamlining and clarifying the operation of the notification obligation
  • increasing the implementation timeframe from six months to 12 months from Royal Assent
  • narrowing the scope of the obligation to protect networks or facilities to networks or facilities owned, operated or used by a carrier or CSP
  • extending the response time imposed on the CAC in relation to notifications to 30 days and capability plans to 60 days (unless further information relating to a notification has been requested)
  • increasing timeframes for affected parties to provide a submission after a written notice of direction from 14 to 28 days
  • providing that companies will now be able to provide copies of documents, and also be entitled to reasonable compensation for complying with a requirement to provide a copy of a document under the information gathering powers
  • providing that the Secretary of the AGD is required to have regard to the likely cost to comply with an information gathering request before issuing that request and
  • expanding the confidentiality requirements to protect the confidentiality of commercially sensitive information or documents provided in individual notifications or security capability plans.[33]

Current position of major interest groups

The issues raised by major interest groups in submissions to the Exposure Draft consultation process (to the extent they relate to provisions that are consistent between the Bill and ED) as well as those made to the PJCIS’s inquiry into the Bill are examined under the heading ‘Key issues and provisions’. However, briefly those issues included:

  • the appropriateness of key definitions
  • the appropriateness and breadth of application of the security obligation
  • compliance with the notification obligation
  • the threshold that must be satisfied and matters to be considered before a direction can be given by the Attorney-General and
  • application of the regime to ‘over-the-top’ (OTT) services such as web-based email, voice over internet protocol (VoIP) and cloud computing services.

Joint submission from industry associations

The Australian Industry Group (AiGroup), Australian Information Industry Association (AIIA), Australian Mobile Telecommunications Association (AMTA) and Communications Alliance (the Associations) made a joint submission to the PJCIS’s inquiry into the Bill.[34] The Associations raised a number of concerns about the Bill, including its underlying policy.

Incorrect policy approach

The Associations stated in their submission to the PJCIS’s inquiry into the Bill that the regime proposed by the Bill ‘appears to be founded on the incorrect assumption that security risks are known ... before service introduction or equipment deployment occurs’ and noted that in practice, security threats ‘typically emerge, or become known, after introduction/deployment’.[35]

More specifically, the Associations stated that the Exposure Draft ‘fail[s] to answer the fundamental question of what specific failings and/or weaknesses Government is seeking to address’ and that it was:

... unclear how this additional layer of regulation and cost to Industry and intrusion into the commercial decision making processes of C/CSPs and carriage service intermediaries can be justified.[36]

In particular, the Associations expressed concern that the proposed regime will grant to the Government ‘wide-ranging’ powers to intervene in industry participants’ internal commercial decisions relating to:

  • network design
  • M&A activities and
  • vendor selection, procurement and service supply options (including resale of global or regionally based services and the use of global or regionally based network or business resources of multinational organisations).[37]

The Associations also noted ‘there is no corresponding obligation on Government to justify its actions, take responsibility for any unintended outcomes’ or ‘bear the costs’ (a concern possibly partially ameliorated by proposed subsections 315B(2) and (6), 315C(4) and (8) and proposed section 315J, discussed below under ‘Key issues and provisions’).[38] The Associations concluded that the proposed regime ‘runs the very serious risk that it will not be adaptable or flexible enough to tackle the risks that will emerge’ and that a traditional ‘‘command-and-control’ regulatory framework’ will not be ‘agile enough’ to respond to emerging security threats and ‘also runs the risk of unnecessarily increasing costs and investment risks of the telecommunications industry which will impact Australia’s digital capability’.[39]

Support for alternative policy approaches

The Associations outlined what they considered to be ‘more collaborative approaches’ to dealing with security threats to telecommunications infrastructure and services used or being ‘contemplated in major international markets’ and suggested ‘the benefits of adopting a more collaborative, less prescriptive and less onerous strategy be carefully considered and examined in Australia’ before the Bill is passed.[40] The Associations provided a summary of the current regimes of the US and UK, as well as the proposed Canadian regime.

In summary, the Associations argue that industry-led (and possibly voluntary) frameworks developed either independently of (or in collaboration with) Government that reflect standards and practices from other jurisdictions are a more effective, adaptable and cost-effective policy approach than the regime proposed by the Bill.

However, in relation to the policy approaches adopted by other countries the AGD noted in its submission to the Inquiry into the Bill:

International voluntary compliance frameworks, such as those outlined in the joint submission of the Australian Industry Group, Australian Information Industry Association, Australian Mobile Telecommunications Association and Communications Alliance [The Associations], are often cyber security focused and outline voluntary procedures for sharing cyber threat information.[41]

The AGD went on to note that Australia already ‘has voluntary information sharing forums in place which focus on cyber security generally’ and that the proposed TSSR ‘extends beyond general cyber security to enable the protection of Australia’s critical infrastructure from specific national security risks’ and therefore the Bill seeks to formalise ‘the existing and emerging relationships with the telecommunications industry’ with a view to enabling government ‘to identify where security risks are and enable engagement at the earliest possible time’.[42]

Inability of the Bill to deal with emerging technology and innovation in the sector

The Associations argued that the regime proposed by the Bill would slow down industry responsiveness and ability to innovate ‘and will be more likely to stifle innovation necessary to keep pace with the increasing sophistication of cyber threats’.[43] This, it was argued, would be because telecommunications sector businesses would ‘focus on minimising exposure to regulatory imposts or on compliance’ instead of on innovation ‘particularly in the context of the Internet of Things’.[44]

The Associations noted that ‘the Security Capability Plans that the revised draft legislation has introduced, while being very useful in many areas, would not be able to overcome the problems that the proposed reforms pose for flexible and fast innovation processes’.[45]

The Associations concluded that ‘it appears even more evident that the proposed reforms do not strike an appropriate balance between risk and opportunity’, as the regime proposed by the Bill would be unable to deal with emerging technology and would stifle innovation.[46]

However, in response to this issue, the AGD noted that the Bill ‘proposes a balanced and risk-based approach to take into account the needs of the Australian telecommunications sector to remain competitive and innovative in the market, having regard to minimising regulatory impacts’.[47]

Australian Centre for Cyber Security

The Australian Centre for Cyber Security (ACCS) was the only published submission to note the potential overlap between the regime proposed by the Bill and the data retention regime created by the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (the Metadata Act).

The ACCS noted that under the Bill the AGD will have the power to collect any type of information from a carrier or CSP and:

  • this power is only overseen by an annual report submitted by the AGD to Parliament
  • this power may be delegated to the Director-General of ASIO and
  • ASIO may in turn share the information gathered with the AFP and third parties.[48]

The ACCS noted that from a technical perspective, metadata includes IP (Internet Protocol) source and destination addresses, source and destination port addresses and protocol numbers and ‘therefore includes URLs/web browsing history’.[49] The ACCS referred to this set of session metadata as the ‘5-tuple’ and noted that ‘the 5-tuple falls within the pool of ‘any information’ the AGS and ASIO may collect from’ carriers and CSPs under the Bill.[50]

The ACCS noted that ‘using metadata to detect and resolve cyber security threats quicker and in near real-time is a developing trend’ and that as a result, a carrier or CSP ‘may therefore retain more metadata, and for longer, than it usually would’ as not collecting, retaining and analysing the 5-tuple session metadata ‘from most devices connected to the Internet’ may result in a carrier or CSP not ‘doing your best and exercising competent supervision’, which is what the Bill requires.[51]

The Bill and the Metadata Act

The ACCS noted that, as the regime proposed by the Bill and the Metadata Act both address issues related to national security, there is effectively a duplication of the ‘metadata creation, retention and disclosure’ obligations imposed on carriers and CSPs.

The ACCS noted that whilst the Metadata Act regime does not apply to the ‘3-tuple’ (destination IP, destination port and protocol number), the regime proposed by the Bill will. The ACCS stated that whilst 3-tuple metadata ‘is not required to be retained and is not being disclosed by the TelCo to the agencies’ under the Metadata Act, under the regime proposed by the Bill ‘the 3-tuple may potentially be required to be disclosed to the AGD and the agencies’.[52]

The ACCS noted that both the Metadata Act regime and that proposed by the Bill ‘essentially address the same metadata but with different procedures’ and that as a result of those differences ‘oversight, governance and ethical risks’ may arise.[53] Further, the ACCS noted that whilst the Metadata Act regime oversight powers have been introduced:

There are no clear public guidelines and oversight mechanisms regarding the collection and sharing of the 5-tuple information between the AGS, ASIO, the AFP and third parties.[54]

The ACCS again noted that the metadata dealt with ‘is more information than what is addressed under’ the Metadata Act and that, as a result of the lack of ‘clear boundaries’ regarding ‘how overlaps are to be addressed between collecting the information for the purposes of national security’ under the regime proposed by the Bill and under the Metadata Act regime, this ‘may lead to forum-shopping by the agencies’ between the two regimes.[55]

The ACCS noted that, as ‘it makes little sense not to simultaneously retain destination information under a ‘situational awareness’ and ‘threat intelligence’ strategy’, compliance with the Bill’s regime may result in carriers and CSPs collecting, retaining and analysing the 5-tuple (which includes source and destination metadata) in order to identify emergent threats, incidents and attacks.[56] In turn, the AGD could then require carriers and CSPs to provide that 5-tuple metadata (including the 3-tuple metadata) and share it with ASIO, the AFP and other third parties, despite the contrary intention and requirements of the Metadata Act regime in relation to the 3-tuple. The ACCS considered that this represented ‘potentially conflicting positions between the law and policy and the two regimes’.[57] The ACCS concluded:

Overall, the metadata under both regimes are just the same metadata at the end of the day. The same metadata is accessed for the same purposes: law enforcement and national security. However, the oversight mechanisms regarding access for security under the two regimes differ vastly. The purpose for this difference in treatment is not made clear. Metadata under the TSSR, which is the vast majority of session metadata and may have greater privacy implications, require no authorisation and notification process, and little independent oversight, unlike the source IP and port addresses under the Metadata Creation, Retention and Disclosure Regime.[58]

The ACCS also noted that the Commonwealth Ombudsman ‘is not granted oversight powers’ over the AFP and metadata collected under the Bill’s regime (unlike with metadata collected under Metadata Act) and therefore recommended the alignment of the Bill’s regime with that of the Metadata Act ‘so as to avoid fragmentation in terms of data types, retention requirements, disclosure rules and oversight’.[59]
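The ACCS’s distinction between the 5-tuple and the 3-tuple, and its point that a ‘threat intelligence’ strategy makes little sense without the destination half, can be made concrete with a small added example. The code below is not from the Bill, the Digest or the ACCS submission: it parses a constructed flow log into 5-tuple records, separates the source fields the ACCS describes as covered by the Metadata Act regime from the 3-tuple it says that regime does not cover, and runs a simple port-sweep detection that only works when the 3-tuple is retained. The log format, the field order, the sample addresses and the detection threshold are assumptions for illustration.

```python
"""Added example: session metadata 5-tuple vs 3-tuple, and why detection
needs the destination fields. All data is constructed; not from the Bill,
the Digest or the ACCS submission."""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    """The '5-tuple' of session metadata as described by the ACCS."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int  # IP protocol number: 6 = TCP, 17 = UDP


# Constructed sample flow log (not real traffic). The CSV layout
# src_ip,src_port,dst_ip,dst_port,proto is an assumption for this example.
# 203.0.113.10 makes seven ordinary HTTPS connections to one host;
# 203.0.113.77 touches seven different ports on one host (a port sweep);
# 203.0.113.50 makes a single DNS query.
SAMPLE_FLOW_LOG = """\
203.0.113.10,51000,198.51.100.5,443,6
203.0.113.10,51001,198.51.100.5,443,6
203.0.113.10,51002,198.51.100.5,443,6
203.0.113.10,51003,198.51.100.5,443,6
203.0.113.10,51004,198.51.100.5,443,6
203.0.113.10,51005,198.51.100.5,443,6
203.0.113.10,51006,198.51.100.5,443,6
203.0.113.77,40001,198.51.100.20,22,6
203.0.113.77,40002,198.51.100.20,23,6
203.0.113.77,40003,198.51.100.20,25,6
203.0.113.77,40004,198.51.100.20,80,6
203.0.113.77,40005,198.51.100.20,443,6
203.0.113.77,40006,198.51.100.20,3389,6
203.0.113.77,40007,198.51.100.20,8080,6
203.0.113.50,53022,198.51.100.9,53,17
"""


def parse_flow_log(text: str) -> List[Flow]:
    """Parse the constructed CSV-style flow log into Flow records."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src_ip, src_port, dst_ip, dst_port, proto = line.split(",")
        flows.append(Flow(src_ip, int(src_port), dst_ip, int(dst_port), int(proto)))
    return flows


def source_fields(flow: Flow) -> Tuple[str, int]:
    """The fields the ACCS describes as covered by the Metadata Act regime:
    source IP address and source port."""
    return (flow.src_ip, flow.src_port)


def three_tuple(flow: Flow) -> Tuple[str, int, int]:
    """The '3-tuple' the ACCS says the Metadata Act regime does not cover:
    destination IP address, destination port and protocol number."""
    return (flow.dst_ip, flow.dst_port, flow.proto)


def flows_per_source(flows: List[Flow]) -> Dict[str, int]:
    """The only per-source signal available from the source fields alone:
    a count of flows. It cannot tell a sweep from ordinary browsing."""
    return Counter(source_fields(f)[0] for f in flows)


def find_port_sweeps(flows: List[Flow], min_ports: int = 5) -> List[str]:
    """Flag sources that contacted at least min_ports distinct destination
    ports on a single host. This needs dst_ip and dst_port, i.e. the 3-tuple.
    The threshold is an assumed value for illustration."""
    ports_by_pair = defaultdict(set)
    for f in flows:
        dst_ip, dst_port, _proto = three_tuple(f)
        ports_by_pair[(f.src_ip, dst_ip)].add(dst_port)
    return sorted({src for (src, _dst), ports in ports_by_pair.items()
                   if len(ports) >= min_ports})


if __name__ == "__main__":
    flows = parse_flow_log(SAMPLE_FLOW_LOG)
    # Source fields only: .10 and .77 both show 7 flows, indistinguishable.
    print(flows_per_source(flows))
    # With the 3-tuple retained, only the sweeping source is flagged.
    print(find_port_sweeps(flows))
```

Run as a script, the first line printed shows 203.0.113.10 and 203.0.113.77 with identical flow counts, while the second flags only 203.0.113.77. That is the practical content of the ACCS’s argument: a carrier doing near-real-time threat detection ends up holding the destination fields, which then sit within the ‘any information’ the Bill allows to be requested.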

Financial implications

The Explanatory Memorandum notes that the cost of resourcing and administering the scheme proposed by the Bill by ASIO and the AGD is estimated at $1.6m annually ‘due to increased engagement with C/CSPs and to review notifications of proposed changes to telecommunications systems and services’.[60]

The Explanatory Memorandum estimated the total cost to industry of the TSSR regime proposed by the Bill at approximately $220,000 per C/CSP per year and noted that such costs ‘would represent a modest additional cost to the sector which has revenue in excess of $43b a year’.[61]

Statement of Compatibility with Human Rights

As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bill is compatible.[62]

Parliamentary Joint Committee on Human Rights

On 22 November 2016, the Parliamentary Joint Committee on Human Rights reported that the Bill did not raise human rights concerns.[63]

Key issues and provisions

As table item 2 of proposed section 2 provides that the TSSR will commence 12 months after the Act receives Royal Assent, the TSSR will have a delayed commencement in line with feedback from industry.

Administrative guidelines

To aid the transition to the TSSR, the AGD will develop, in consultation with industry, non-binding administrative guidelines that will provide carriers and CSPs with guidance about:

  • which parts of networks and facilities are particularly vulnerable to unauthorised access and interference and how they can maintain competent supervision and effective control over their networks
  • what is required to meet their legislative requirements, including what is expected of carriers and CSPs to comply with the security obligation (including possible control measures and mitigations) and
  • when a carrier or NCSP should notify of proposed changes (including what should and should not be notified and included or not included in a SCP).[64]

The AGD published draft administrative guidelines in November 2015.[65] The PJCIS Advisory report recommended that the administrative guidelines be revised to provide ‘comprehensive information, clarity and certainty to industry in a greater range of circumstances’, prior to the conclusion of the 12 month implementation period.[66]

Over-the-top services

The uncertainty regarding the potential application of the proposed regime to ‘over-the-top services’ was an issue raised by a number of stakeholders. ‘Over the top’ (OTT) service providers are services ‘such as web-based email, VoIP or [a] cloud service’.[67] In relation to the application of the Bill’s provisions to OTT services, the Law Council of Australia (LCA) noted that the regime proposed by the Bill ‘appears to apply to Australian based’ carriers, CSPs and intermediaries ‘that supply OTT services’ but will ‘not apply to international OTT services or internationally based’ carriers or CSPs ‘that provide OTT services’ to Australians.[68] The LCA noted that ‘it is not apparent as to how the level of risk will be calculated’ when determining whether Australian based carriers and CSPs fulfilled the security obligations ‘when they supply OTT services’.[69] The LCA recommended that ‘the security obligations should relate to any additional likely level of security risk with the supply of OTT services when compared with the level of risk that applies where the service is obtained directly from the OTT service’.[70]

The Associations argued:

... the legislation continues to only apply to a subset of the Australian telecommunications sector, i.e. C/CSPs and carriage service intermediaries, but it does not apply to overseas OTT services. ... The regulatory burden of the reform falls onto a subset of the global market place for the supply of services, i.e. the burden only falls on Australian-based C/CSPs, including intermediaries as defined in the Act. Overseas service suppliers providing OTT services will not be subject to the TSSR. An Australian based C/CSP simply reselling OTT services faces substantial regulatory uncertainty and regulatory risk under the TSSR framework.[71]

The Associations recommended that carriers and CSPs should only be required to ‘take action under the legislation’ if their supply of relevant services (including OTT services) ‘adds substantive security risk’.[72] Further, the Associations argue that the obligations of carriers and CSPs should be assessed solely on the basis of the:

  • level of security risk that applies if the service is obtained directly from the service supplier
  • level of security risk that applies if the service is obtained via the carrier or CSP and
  • steps that can be implemented by the carrier or CSP to address ‘any added security risk’.[73]

The Associations expressed their concern that the reforms proposed by the Bill would relegate Australian-based telecommunications businesses to ‘play minor, low-value roles in the supply of internet services’ and that the reforms would result in overseas companies dominating ‘the supply of value-adding OTT services, resulting in a negative effect on competition, the industry and the overall framework required to assist in achieving the TSSR policy objective’.[74]

Whilst the Bill will not apply to international OTT service providers or internationally based carriers or CSPs that provide OTT services to Australians (due to the lack of a physical presence in Australia), it will apply to Australian carriers and CSPs that provide or re-sell OTT services.

In this regard the concerns noted above should be considered within the context of the deliberately non-prescriptive approach taken to the content of the security obligations (discussed below). Importantly, the security obligations ‘impose a subjective element which means that what is required to comply with the obligation will differ’ according to the risk profile and the specific activities of the relevant entity.[75] The Explanatory Memorandum outlines how the risks the security obligation is aimed at can be assessed:

The following factors will contribute to whether a C/CSP is more likely to be actively targeted and therefore have an increased risk from espionage, sabotage or foreign interference:

  • percentage of market share – the larger the customer base the greater the aggregated data;
  • sensitivity of customer base – some customers will have more information of a sensitive nature being communicated and held on networks and facilities than others – including government and critical service providers, science and research organisations, large or significant commercial organisations, and large healthcare provider organisations (or their suppliers and business partners); and
  • criticality of the network – for example, where the telecommunications network or service supports the delivery of other critical services, such as power, water, health, banking or where it provides services to critical customers.[76]

Most OTT services would be considered at less risk of espionage, sabotage or foreign interference than non-OTT services or facilities of the types noted above. Further, the Explanatory Memorandum also noted:

Not all parts of networks and facilities are equally vulnerable to national security risks. ... [The] areas of greater security interest are:

  • network operation centres, including infrastructure used to facilitate support of the network;
  • lawful interception equipment or operations;
  • any part of a telecommunications network that manages or stores:
    • aggregated information about customers
    • aggregated authentication credentials of a significant number of customers
    • administrative (privileged user) authentication credentials for the network or related systems
  • any place in a telecommunications network where data belonging to a customer or end user aggregates in large volumes, being either in transit or stored data; and
  • any additional area as advised in writing, in response to changes in threat, technology and business practices.[77]

Therefore OTT services would be considered at less risk of intrusion and interference than the types of non-OTT services or facilities noted above.

Finally, whilst there is no legislative prescription as to what constitutes ‘best endeavours’, ‘competent supervision’ or ‘effective control’ in relation to OTT services provided by carriers or CSPs, the Explanatory Memorandum notes:

The Bill does not prescribe what technical solutions a C/CSP should use to secure networks to protect information or the integrity and availability of the network, as this will be highly dependent on factors specific to each network and business delivery model.[78]

However, it does note that carriers and CSPs will be expected to ‘demonstrate effective control and competent supervision over the networks and facilities’ that they own or operate, and this would include implementing measures that address ‘vulnerabilities that can arise through equipment supply, outsourcing and offshoring arrangements’.[79] Further, the Explanatory Memorandum provides guidance on the ‘competent supervision’ aspect of the security obligations, stating it means:

... the ability of a C/CSP to maintain proficient oversight of its networks and facilities and could include arrangements to maintain:

  • visibility of network and facility operations;
  • visibility of key data flows and locations;
  • awareness of parties with access to network infrastructure; and
  • the ability to detect security breaches or compromises.[80]

In relation to the ‘effective control’ aspect of the security obligations, the Explanatory Memorandum states that this:

... means the ability of the C/CSP to maintain direct authority and/or contractual arrangements which ensure that networks, facilities, infrastructure and information stored or transmitted within networks, is protected from unauthorised interference. This would include authority over all parties with access to network infrastructure and data. It could include the ability to:

  • direct actions to ensure the integrity of network operations and the security of information carried on them;
  • terminate contracts without penalty where there has been a security breach or data breach reasonably attributable to the contracted services or equipment;
  • address issues of data sovereignty;
  • direct contractors to carry out mitigation or remedial actions;
  • oblige contractors to monitor and report breaches to the C/CSP; and
  • re-establish the integrity of data or systems where unauthorised interference or unauthorised access has occurred (for example to confirm accuracy of information or data holdings).[81]

This would appear to suggest that the security obligation is an outcome-based one, and therefore provides Australian carriers and CSPs that provide or re-sell OTT services a significant degree of flexibility regarding how they meet their obligations. However, at the PJCIS’s hearing into the Bill, a number of witnesses again raised concerns about how the risk posed by OTT services would be evaluated (and therefore how carriers and CSPs could meet their security obligation) and the supposed competitive disadvantage Australian based OTT service providers would face by having to comply with the security obligation.[82]

In relation to any residual concerns raised by stakeholders about the ‘uncertain’ application of the TSSR to Australian-based OTT services provided by carriers and CSPs, and about how risk is to be evaluated and the security obligation discharged in relation to OTT services, members of Parliament might wish to consider requesting that the Government develop targeted administrative guidance for relevant Australian carriers and CSPs that provide OTT services. This could be done, for example, by including some guidance in the Administrative Guidelines supporting the scheme, a draft copy of which is available on the AGD’s website.[83]

Security obligations

The Government notes that because telecommunications networks and facilities of carriers, CSPs, and carriage service intermediaries (intermediaries) transfer and hold sensitive information and data they are ‘attractive targets for espionage, sabotage and foreign interference activity by state and non-state actors’.[84] The national security risks that may arise from such espionage, sabotage and foreign interference include:

  • compromise or degradation of telecommunications networks
  • compromise of valuable data or information of a sensitive nature, such as aggregate stores of personal data or commercial or other sensitive data
  • impairment of the availability or integrity of telecommunications networks or
  • the potential impact on other critical infrastructure or government services (such as banking/finance, health or transport services).[85]

Currently section 313 of the Act requires that carriers, carriage service providers and carriage service intermediaries must ‘do their best’ to prevent networks and facilities being used to commit offences and also to provide ‘reasonable assistance’ to authorities for the purposes of enforcing criminal and pecuniary laws, protecting public revenue and safeguarding national security.

Proposed subsections 313(1A), (1B) and (2A) are designed to complement the existing obligations imposed by the Act by imposing a new security obligation on the telecommunications industry that the Government argues is an appropriate response to manage ‘national security risks’ on a ‘cooperative basis rather than through the formal exercise of regulatory powers’.[86]

In general terms the security obligation requires carriers, CSPs and some intermediaries to (for the ‘purpose of security’) ‘do their best’ to protect telecommunications networks and facilities that they own, operate or use from unauthorised interference, or unauthorised access. The term ‘security’ is defined by reference to the meaning of that term in section 4 of the Australian Security Intelligence Organisation Act 1979 (ASIO Act). The term ‘security’ is defined in the ASIO Act to mean:

(a) the protection of, and of the people of, the Commonwealth and the several States and Territories from:

(i) espionage;
(ii) sabotage;
(iii) politically motivated violence;
(iv) promotion of communal violence;
(v) attacks on Australia’s defence system; or
(vi) acts of foreign interference;

whether directed from, or committed within, Australia or not; and

(aa) the protection of Australia’s territorial and border integrity from serious threats; and
(b) the carrying out of Australia’s responsibilities to any foreign country in relation to a matter mentioned in any of the subparagraphs of paragraph (a) or the matter mentioned in paragraph (aa).

The above definition is further expanded by connected definitions contained in section 4 of the ASIO Act. For example, acts of foreign interference is defined as meaning activities relating to Australia that are carried on by or on behalf of, are directed or subsidised by, or are undertaken in active collaboration with, a foreign power, being activities that:

  • are clandestine or deceptive and:
    • are carried on for intelligence purposes
    • are carried on for the purpose of affecting political or governmental processes or
    • are otherwise detrimental to the interests of Australia or
  • involve a threat to any person.

Likewise the term attacks on Australia’s defence system is defined expansively as including:

... activities that are intended to, and are likely to, obstruct, hinder or interfere with the performance by the Defence Force of its functions or with the carrying out of other activities by or for the Commonwealth for the purposes of the defence or safety of the Commonwealth.[87]

The term politically motivated violence, used in paragraph (a)(ii) of the definition of security is defined as meaning:

  • acts or threats of violence or unlawful harm that are intended or likely to achieve a political objective, whether in Australia or elsewhere, including acts or threats carried on for the purpose of influencing the policy or acts of a government, whether in Australia or elsewhere or
  • acts which:
    • involve violence or are intended or are likely to involve or lead to violence (whether by the persons who carry on those acts or by other persons) and
    • are directed to overthrowing or destroying, or assisting in the overthrow or destruction of, the government or the constitutional system of government of the Commonwealth or of a State or Territory or
  • acts that are terrorism offences[88] or
  • acts that are offences punishable under Division 119 of the Criminal Code Act 1995, the Crimes (Hostages) Act 1989 or Division 1 of Part 2, or Part 3, of the Crimes (Ships and Fixed Platforms) Act 1992 or under Division 1 or 4 of Part 2 of the Crimes (Aviation) Act 1991[89] or
  • acts which:
    • are offences punishable under the Crimes (Internationally Protected Persons) Act 1976[90] or
    • threaten or endanger any person or class of persons specified by the Minister for the purposes of this subparagraph by notice in writing given to the Director-General.

Finally, promotion of communal violence, used in paragraph (a)(iv) of the definition of security is defined as ‘activities that are directed to promoting violence between different groups of persons in the Australian community so as to endanger the peace, order or good government of the Commonwealth.’

Whilst the notes in proposed subsections 313(1A) and (2A) provide a summary of the definition of security that the Explanatory Memorandum states is intended to highlight the most important aspects of the definition as it would apply to the TSSR scheme, those notes in no way limit the broad meaning of the term ‘security’ for the purpose of the new security obligations.[91]

The Explanatory Memorandum does not appear to explain the need to apply all components of the definition of security in the ASIO Act noted above, rather than specifically limiting it to the matters extracted in the notes to proposed subsections 313(1A) and (2A). For example, it is not clear why there is a need to impose the security obligation for the purpose of paragraph (b) of the definition of security (the carrying out of Australia’s responsibilities to any foreign country in relation to a matter encompassed by the definition of security). Arguably this could result in the proposed security obligations being extended to cover other countries’ security interests where Australia has responsibilities to that country (for example, under a treaty or other agreement).

Concerns about the use of the ASIO Act definition of security

One interest group expressed concern about the Bill using the ASIO Act’s definition of ‘security’ in relation to the security obligation, stating it would ‘have the serious consequences’ of:

  • preventing the use of network facilities or other infrastructure located offshore to supply services
  • creating smaller scale, higher cost and delayed services using onshore infrastructure and
  • encouraging customer migration to direct supply from offshore entities.[92]

However, most of the stakeholders’ concerns about the security obligation relate to its breadth of application. This is discussed below.

Key definitions underpinning the security obligations

The security obligations are linked to existing definitions in the Act. To give context to the discussion regarding the security obligation, and concerns raised by stakeholders, these are briefly examined below.

The security obligation applies to facilities and telecommunications networks. Facility is defined in section 7 of the Act as meaning:

(a) any part of the infrastructure of a telecommunications network; or
(b) any line, equipment, apparatus, tower, mast, antenna, tunnel, duct, hole, pit, pole or other structure or thing used, or for use, in or in connection with a telecommunications network.

Telecommunications network is defined as ‘a system, or series of systems, that carries, or is capable of carrying, communications by means of guided and/or unguided electromagnetic energy.’ In turn, communications is defined as ‘any communication’ including (but not limited to):

(a) whether between persons and persons, things and things or persons and things; and
(b) whether in the form of speech, music or other sounds; and
(c) whether in the form of data; and
(d) whether in the form of text; and
(e) whether in the form of visual images (animated or otherwise); and
(f) whether in the form of signals; and
(g) whether in any other form; and
(h) whether in any combination of forms.

In addition to the above, the Act regulates three types of entities on which the Bill proposes to impose the security obligation: carriers, carriage service providers (CSPs), and carriage service intermediaries (intermediaries). These entities are characterised as follows:

  • carriers own or operate telecommunications infrastructure or otherwise elect to be a carrier, and must hold a carrier licence
  • a CSP is any entity that supplies, or proposes to supply, a listed carriage service (for example, telephone services) to the public, whether or not it owns the telecommunications infrastructure and
  • in simple terms an intermediary is any entity that, for reward, arranges for the supply of a listed carriage service by a CSP to a third person, would be a CSP if the intermediary had supplied that carriage service, or is in a contractual relationship with the third person for the continuing supply of the carriage service. As such, intermediaries are entities such as resellers and other entities that arrange the supply of a carriage service.[93]

A listed carriage service is any carriage service for carrying communications by electromagnetic energy between a point in Australia and one or more other points. The definition requires a carriage service with one of the end points in Australia, whether or not the other point is in or outside of Australia. A ‘point’ includes a mobile (or potentially mobile) point, regardless of whether it is on land, underground, in the atmosphere, in outer space, underwater, at sea or anywhere else.[94]

Importantly, carriers, CSPs and intermediaries have a degree of overlap. For example, an entity may be both a carrier and a CSP, and therefore must obtain a carrier licence and also comply with the laws that apply to carriers in addition to the laws that relevantly apply to CSPs (such as those proposed by the Bill). Further, subsection 87(5) of the Act provides that intermediaries are CSPs.[95]

As the above definitions are broad, they encompass a range of infrastructure and devices ‘used, or for use, in or in connection with’ a telecommunications network, and therefore the entities that own, operate or control them.

The security obligations generally

Proposed subsections 313(1A), (1B) and (2A) collectively impose the security obligations on carriers, CSPs and intermediaries. Whilst the obligations vary according to type of entity, generally the security obligation requires carriers, CSPs or intermediaries to ‘for the purposes of security ... do their best’ to protect certain telecommunications networks and facilities from unauthorised interference or unauthorised access to ensure:

  • the confidentiality of communications and information carried or contained on the network or facilities and
  • the availability and integrity of the network and facilities.[96]

The meaning of ‘do their best’ is discussed below under the heading ‘Elements of the security obligation’.

The table below sets out the obligations that apply to carriers and CSPs, those that apply to intermediaries and to which networks or facilities those obligations relate. Proposed subsection 313(1A) sets out the general security obligations listed above, which are owed by carriers and CSPs in relation to any telecommunications networks or facilities that they own, operate or use.

In contrast, the specific obligation imposed on carriers and CSPs by proposed subsection 313(1B) provides that the general obligation imposed on C/CSPs includes, but is not limited to, a requirement to maintain competent supervision of, and effective control over, telecommunications networks and facilities they own or operate. The obligation imposed on intermediaries by proposed subsection 313(2A) applies to telecommunications networks and facilities that they use to supply certain services and does not depend upon ownership of, or the exercise of direct control or supervision of, a network or facility.

Table 1: security obligations

Carriers and CSPs

  Obligation: Protect telecommunications networks and facilities from unauthorised interference or unauthorised access to ensure:
  • the confidentiality of communications and information carried or contained on the network or facilities and
  • the availability and integrity of the network and facilities.[97]

  Networks or facilities it applies to: Telecommunications networks and facilities they:
  • own
  • operate or
  • use.[98]

  Possible consequences for breaches:
  • Enforcement action[99]
  • Being issued with a Direction[100]
  • Possible contravention of licence condition (and associated enforcement actions)[101]

Carriers and CSPs

  Obligation: Maintain competent supervision of and effective control over telecommunications networks and facilities.[102]

  Networks or facilities it applies to: Telecommunications networks and facilities they own or operate.

Intermediaries

  Obligation: Protect telecommunications networks and facilities from unauthorised interference or unauthorised access to ensure:
  • the confidentiality of communications and information carried or contained on the network or facilities and
  • the availability and integrity of the network and facilities.[104]

  Networks or facilities it applies to: Telecommunications networks and facilities used to supply a carriage service referred to in subsection 87(5) of the Act[105] – essentially the infrastructure used by a person for the purpose of arranging the supply of a carriage service to a third person for reward.[106]

Source: proposed subsections 313(1A), (1B) and (2A).

Immunity from liability

Currently subsection 313(5) of the Act provides that a carrier or CSP is not liable in relation to an act done or omitted in good faith in the performance of the duties imposed by section 313, or in compliance with a direction given by ACMA under section 312.

Items 10 and 11 would extend immunity from liability to an act done or omitted in good faith in the performance of the security obligations and in compliance with a direction issued under proposed subsections 315A(1) or 315B(2).

Elements of the security obligation

The security obligations contain a number of elements. Most importantly these include:

  • a requirement to ‘do their best’ to prevent the relevant risk and
  • a requirement to maintain ‘competent supervision’ of, and ‘effective control’ over telecommunications networks and facilities they own or operate.

These are discussed below to give context to the concerns about the security obligation.

Meaning of ‘do their best’ element of the security obligations

The security obligations contain a requirement that the carrier, CSP or intermediary ‘do their best’ to fulfil the relevant obligation. As noted earlier, the overarching design of the TSSR proposed by the Bill is both outcome-based and deliberately non-prescriptive (in a technical sense). The Bill’s security obligations are high-level obligations, the content of which is to be determined on a case by case basis, with the aid of administrative guidelines. The Explanatory Memorandum notes that the requirement ‘to do their best imposes a subjective element which means that what is required to comply with the obligation will differ according to the risk profile of the C/CSP’.[107]

The Explanatory Memorandum then notes that, as ‘the parts considered more vulnerable are likely to change over time due to changes in the way networks and services are operated and delivered’, administrative guidelines ‘will outline what is expected of C/CSPs to comply with the security obligation’.[108]

The Explanatory Memorandum notes that demonstrating ‘best efforts’ to:

... secure networks would include as a minimum, ensuring mechanisms for facilitating corporate awareness of the broad national security vulnerabilities and risks posed to telecommunications networks and embedding security considerations into business decision-making and business delivery models.[109]

The Explanatory Memorandum then notes that the security obligation will be discharged where a carrier, CSP or intermediary can demonstrate that it has ‘implemented effective security practices and measures’ to manage the relevant risks.[110]

When determining whether a carrier, CSP or intermediary has ‘done their best’ to discharge the security obligation a court will consider whether the actions or decisions taken (or not taken) are ‘reasonable steps’, as discussed below.

‘Reasonable steps’ aspect of the ‘do their best’ element of the security obligations

The Explanatory Memorandum notes that what is required to ‘do their best’ to fulfil the security obligation ‘will depend on what steps are reasonable in particular circumstances’.[111] The Explanatory Memorandum provides an example of reasonable steps:

... an intermediary may be given access to services that may provide them with information about security vulnerabilities. They would therefore be expected to have appropriate procedural, governance and contractual arrangements to secure this type of information so that this knowledge of security vulnerabilities cannot be accessed by other parties and exploited.[112] (emphasis added)

In relation to carriers and CSPs:

... a C/CSP would need to take reasonable steps to ensure that intrusions or breaches do not occur within networks or facilities that they own, use or operate, and that the potential for malicious activity is minimised, demonstrable by the security controls in place. This will be particularly relevant where activity, left unchecked, could provide opportunity to compromise the confidentiality, availability or integrity of telecommunications infrastructure or information carried by, or across it.[113]

As such, it would appear that whether a carrier, CSP or intermediary has done ‘their best’ by taking ‘reasonable steps’ to fulfil the security obligations will be determined on a case by case basis, and will be based on the information available to the entity at the time. Further, a variety of factors such as the type and degree of risk, the cost of mitigating the risk and so forth will be important in determining if the relevant obligation was effectively discharged.

Competent supervision and effective control

Proposed subsection 313(1B) provides that, as part of the security obligations, carriers and CSPs are required to maintain ‘competent supervision’ of and ‘effective control’ over telecommunications networks and facilities that they own or operate. Whilst not defined in the Bill, the Explanatory Memorandum states that ‘competent supervision’ means the ability of the carrier or CSP ‘to maintain proficient oversight of its networks and facilities’ and may include arrangements to maintain:

  • visibility of network and facility operations
  • visibility of key data flows and locations
  • awareness of parties with access to network infrastructure and
  • the ability to detect security breaches or compromises.[114]

The Explanatory Memorandum outlines that ‘effective control’ means the ability of a carrier or CSP to:

... maintain direct authority and/or contractual arrangements which ensure that networks, facilities, infrastructure and information stored or transmitted within networks, is protected from unauthorised interference. This would include authority over all parties with access to network infrastructure and data. [115]

The Explanatory Memorandum expands on the above, stating that ‘it could include’ the ability to:

  • direct actions to ensure the integrity of network operations and the security of information carried on them
  • terminate contracts without penalty where there has been a security breach or data breach reasonably attributable to the contracted services or equipment
  • address issues of ‘data sovereignty’
  • direct contractors to carry out mitigation or remedial actions
  • require contractors to monitor and report breaches to the carrier or CSP, and
  • re-establish the integrity of data or systems where unauthorised interference or unauthorised access has occurred (for example, to confirm accuracy of information or data holdings).[116]

Whether a carrier or CSP has maintained ‘competent supervision’ of and ‘effective control’ over telecommunications networks and facilities that they own or operate (and therefore whether they have discharged their security obligations) will be considered on a case by case basis. Further, a variety of factors, such as the terms of relevant contracts and the thoroughness of arrangements regarding other parties’ access to network infrastructure, will be important in determining if the relevant obligation was effectively discharged.

Practical examples

Non-binding administrative guidelines will outline to carriers and CSPs how to comply with the security obligation; this will be based on whether they have a low, medium or high risk profile and on the parts of networks and facilities considered most vulnerable to national security risks.[117]

The Explanatory Memorandum then notes that ‘this advice and guidance will assist C/CSP to implement a risk managed approach to meeting the security obligation’.[118] The AGD has produced draft guidelines that specifically deal with how the security obligation is to be discharged.[119] Under the heading ‘What do you need to do to meet your security obligation?’ the AGD states that the security obligation ‘is not absolute and is underpinned by a 'reasonableness' test’.[120]

In summary, the AGD notes that to meet the security obligations a carrier or CSP:

  • is expected to adopt ‘a risk-managed approach to managing risks of espionage, sabotage and foreign interference to their networks and facilities’
  • has a risk management culture and ‘processes and structures that underpin the effective management of potential opportunities and adverse effects’ that is based on a ‘structured approach to identifying, assessing and controlling risks that emerge during a program or project life cycle’ such as AS/NZS ISO 31000:2009 Risk management – Principles and guidelines, which is ‘the key standard for risk management’
  • focuses on risks posed by arrangements with suppliers (in particular managed service providers) and particular service delivery models (that is, outsourcing/offshoring)
  • demonstrates that it has processes, controls and arrangements in place to manage ‘who’ can access systems, networks and communications (that is, has competent supervision and effective control of its network)
  • uses third-party assurance where appropriate
  • ensures that authorised users have access to information, communications and telecommunications networks and facilities when required
  • ensures the accuracy and completeness of information and communications, as well as the protection of telecommunications networks and facilities from compromise or unauthorised modification and
  • implements robust access controls to limit who has access to confidential communications and information, including information both in transit and in storage, potentially using encryption as a key method of ensuring confidentiality of information and communications.[121]

Security obligations and their application

The Exposure Draft applied the security obligations of carriers, intermediaries and CSPs to ‘telecommunications networks and facilities’ generally. A number of stakeholders expressed concern about the breadth of the security obligations in the Exposure Draft Bill, including their application to intermediaries:

It would not be reasonable for a duty to be imposed with regards to the supervision and control of any other infrastructure than that which the provider owns and controls – ‘their’ networks and facilities.[122]

The Bill appears to have responded to those concerns. The security obligation now only applies to telecommunications networks and facilities that are ‘owned, operated or used’ by the carrier or CSP.[123] In relation to intermediaries, instead of the security obligations applying to ‘telecommunications networks and facilities’ generally, it is now restricted to ‘telecommunications networks and facilities used to supply the carriage service’ offered by the intermediary.[124]

However, despite these changes the Associations expressed concern that the security obligation will apply to the telecommunications networks and facilities used by carriers, CSPs and intermediaries, arguing that ‘it is unclear what ‘use’ may actually entail and, maybe more importantly, what would be required of C/CSPs/intermediaries to protect networks that they are merely using’.[125]

The definition of ‘facility’ and the security obligations

A number of interest groups expressed concern about the definition of ‘facility’ in the Act and the range of facilities to which the security obligations would therefore apply.

The Associations argue that the definition of ‘facilities’ in the Act and used in the Bill is ‘vague and open to discretionary interpretation’.[126] The Associations contend that the proposed obligation to protect networks and facilities from unauthorised interference and unauthorised access and to maintain competent supervision and effective control of them is likewise ‘vague and open to discretionary interpretation’ and therefore it is:

... conceivable that the term ‘facility’ could be interpreted to encompass cloud computing and cloud storage solutions implemented by C/CSPs as any supporting equipment would appear to meet the above definition. This has the potential to significantly broaden the regulatory burden that C/CSPs face under the regime and will leave them at a competitive disadvantage compared with suppliers of equivalent services that are not C/CSPs.[127]

The Associations noted that ‘ex-post interpretation of undefined (and even defined) terms in the technical areas of communications create confusion at best and randomness at worst’ and should therefore be avoided.[128]

The LCA expressed similar concerns and noted that the definition of ‘facility’ appears ‘to capture cloud computing and cloud storage options implemented’ by carriers and CSPs and that it was unclear how carriers and CSPs ‘will be able to effectively maintain their security obligations in this context’.[129] The LCA recommended that ‘the Attorney-General's Department consult with industry’ on an adequate definition of ‘facility’ for the purposes of the regime proposed by the Bill.[130]

Optus noted similar concerns, and in particular that the practical effect of the definition of ‘facility’ would be the application of the security obligations to ‘infrastructure that would not normally be expected to be relevant’ to the security obligations, such as ‘content serving platforms for streaming television or streaming content services’.[131] Optus recommended that refining the definition of ‘facility’ would ‘prevent overreach’ of the security obligations.[132]

Foxtel also expressed similar concerns, noting that as the Act’s definitions of ‘telecommunications network’, ‘communications’ and ‘carriage service’ ‘are not limited or described in any way by reference to the supply of telephony or internet access services’, those terms could be interpreted as applying to ‘infrastructure and facilities used to supply broadcasting and content services (even where this is the sole or principal use of the infrastructure or facilities)’.[133]

Foxtel then noted that it remained ‘concerned that the scope of the proposed reforms is broad and unclear in relation to their application to infrastructure and facilities used to supply broadcasting and content services’.[134]

Foxtel argued that broadcasting and content services should be excluded from the security and notification obligations because they do not carry sensitive corporate or government information, sensitive or confidential information about law enforcement activities or protected information, do not potentially disclose the location of politicians or other protected persons, and are not essential to the delivery and support of critical services such as power, water and health.[135]

Foxtel recommended that proposed subsections 313(1A) and (2A) be amended to ‘clarify that infrastructure and facilities used solely or principally for broadcasting or content services are not intended to be subject to this additional regulation’.[136] Foxtel argued that such amendments would ‘provide certainty in relation to the application of the regulatory framework in future’.[137] In relation to these concerns, the AGD noted that whilst the Bill ‘applies to the protection of telecommunications networks and facilities, irrespective of the type of service being provided over the networks’, it also enables exemptions from the notification requirements to be provided to carriers and CSPs ‘that offer a range of services’ including ‘in relation to broadcasting or a subscription television service’.[138] The AGD further noted that whilst ‘the exemption process will be refined during the implementation phase, in consultation with industry’, nonetheless:

... the provider would still be required to notify of changes to other parts of their business that apply to the provision of other services, such as telephony and broadband access.[139]

The PJCIS Advisory Report has recommended that the Bill clarify that in circumstances where a broadcaster is exempt from being treated as a carriage service provider under the Telecommunications Act 1997, it is also not intended to be subject to the obligations set out in the Bill.[140]

Concerns about retrofitting

Some stakeholders raised concerns that compliance with the security obligation would require expensive retrofitting of existing facilities, systems and networks.[141] For example, the Associations argued that the security obligation will apply ‘without further distinction of the age of the systems, networks and facilities (jointly systems) or whether systems are already existing and in place vs. newly installed systems.’[142]

The Associations indicated that ‘industry could face very high costs to rebuild existing networks’ if required to ‘retrofit or remove existing facilities’[143] and therefore recommended:

  • ‘the legislation itself ought to be amended to reflect the intention to not require retrofits except in rare and extremely serious circumstances’ or
  • ‘the legislation should include a sunset clause on the ability to issue a direction for a network retrofit’ and limit the ability of the government to require retrofitting to ‘12 months after the expiry of the implementation period (i.e. two years after the date of Royal Assent)’ which the Association argued ‘would provide at least some element of certainty for C/CSPs as to the longevity of existing systems’.[144]

Despite these concerns, it would appear unlikely that carriers or CSPs will be required to conduct extensive retrofitting to comply with the security obligations. The Explanatory Memorandum notes:

C/CSPs are not expected to retrofit all systems on commencement of this security obligation. However, there may be very rare cases where a significant security vulnerability is found in an existing system that could facilitate acts of espionage, sabotage and foreign interference. In such cases, government agencies will seek to work with the provider to develop cost effective solutions to better manage the risks posed by the existing vulnerability. Subject to how serious the security risk is and how willing the C/CSP is to collaborate with government to manage the risk, the Attorney-General could issue a direction requiring mitigation measures to be implemented.[145]

Notification regime—overview

The CAC liaises between security and law enforcement agencies and the telecommunications industry, and is committed to supporting industry in understanding its interception capability obligations.[146] Currently section 202B of the TIA Act requires carriers and NCSPs to notify the CAC within the AGD of planned changes to telecommunications systems and services which are likely to have a material adverse effect on the ability of the carrier or NCSP to meet its obligations:

  • under the TIA Act (for example, retaining telecommunications data (‘metadata’) under section 187A)
  • under section 313 of the Act (that is, preventing networks and facilities being used to commit offences and also providing reasonable assistance to authorities for the purposes of enforcing criminal and pecuniary laws, protecting public revenue and safeguarding national security).

Proposed section 314A is modelled on section 202B and will require carriers and NCSPs to notify the CAC of individual proposed changes to networks and services which could have a material adverse effect on its ability to comply with the proposed security obligations. The CAC will have the power to exempt carriers and NCSPs from the notification requirement in full or part.[147]

Proposed section 314C will also provide carriers and NCSPs with the option of submitting an annual SCP that forecasts multiple proposed changes to their systems and services (in lieu of making multiple individual notifications) and sets out how they propose to meet the security obligation in light of those proposed changes.

Individual notifications

Proposed subsections 314A(1) and (3) provide that carriers and NCSPs are to notify the CAC in writing of their intention to implement a proposed individual change to networks and services if that change ‘is likely to have a material adverse effect’ on their ability to comply with the security obligations in proposed subsections 313(1A) and (2A).

Types of changes to be notified

Proposed subsection 314A(2) provides a non-exhaustive list of the types of changes to a telecommunications system or service that must be notified by the carrier or NCSP:

  • providing one or more new telecommunication services
  • changing the location of notifiable equipment (including moving equipment outside Australia)
  • procuring notifiable equipment (including procuring equipment that is located outside Australia)
  • entering into outsourcing arrangements:
    • to have all or part of the telecommunication services provided or managed for the carrier or NCSP
    • to have all or some information to which section 276 of the Act applies managed for the carrier or NCSP (for example, information or documents that relate to the contents or substance of a communication that has been carried by a carrier, or ‘metadata’) or
    • to have all or some information to which section 276 applies (for example, metadata) accessed by persons outside Australia.[148]

The Explanatory Memorandum provides further guidance about the types of matters in relation to which carriers and NCSPs would be expected to notify the CAC. In particular, the Explanatory Memorandum notes that carriers and NCSPs would be expected ‘to notify the CAC when they are planning changes to these more sensitive or vulnerable parts of networks’ and that the administrative guidelines would ‘outline what is expected of C/CSPs to comply with the notification obligation’.[149]

When notification should occur

The draft guidelines also outline that it is in the C/CSP's best interests to notify as early as possible, such as in the early stages of considering a change, before the C/NCSP finalises any business plans, contracts or negotiations and before it enters into any binding undertakings.[150]

More specifically, the draft guidelines suggest that the obligation should be discharged:

  • in relation to procurement or acquisition: before taking any steps as part of the decision-making approach (such as before issuing a request for quote, tender or otherwise approaching the market) to allow security considerations to be built into the proposal from the start and
  • in relation to offshoring plans: before any plans are finalised (and as early as possible) to allow the carrier or CSP to receive advice from ASIO and the CAC regarding the process and thereby prevent inadvertently exposing the networks to an increased risk of espionage, sabotage and foreign interference activities.[151]

Notification obligation only triggered where a proposed change is likely to have a ‘material adverse effect’

However, the notification obligation is only triggered where:

  • a proposed change is likely to have a ‘material adverse effect’, that is, ‘an actual or measurable negative impact on the ability of the C/CSP’ to comply with security obligations to protect networks from risks of unauthorised access and unauthorised interference and
  • the carrier or NCSP ‘becomes aware’ that the implementation of a proposed change is likely to have a material adverse effect on the capacity of the carrier or NCSP to protect telecommunications networks and facilities, which recognises that ‘C/NCSPs are well-placed through their practices and processes to identify risks associated with proposed changes’.[152]

The draft guidelines indicate that carriers and NCSPs will be able to contact a hotline at AGD for advice as to whether a proposed change constitutes a material adverse change.[153]

Exemptions from the notification obligation

Proposed subsections 314A(4)-(7) allow the CAC to provide (in writing) exemptions to a carrier or NCSP from the operation of proposed section 314A generally, or from the requirement to provide notifications in relation to types of changes specified in the notice of exemption.

The policy intent underlying the granting of exemptions from the notification obligation is to allow non-critical or low-risk parts of a carrier’s or CSP’s business to be exempted, thus reducing the regulatory burden imposed by the notification regime.

When determining whether to grant an exemption, the CAC will seek advice from ASIO regarding the security risk profile of the company, which in turn would be based on factors such as:

  • the percentage of market share of the entity applying for the exemption (the larger the customer base the greater the aggregated data)
  • the sensitivity of the customer base (some customers will have more information of a sensitive nature being communicated and held on networks and facilities than others—including government and critical service providers, science and research organisations, large or significant commercial organisations, and large healthcare provider organisations (or their suppliers and business partners)) and
  • the criticality of the network (for example, where the telecommunications network or service supports the delivery of other critical services such as power, water, health, banking or where it provides services to critical customers).[154]

The Explanatory Memorandum notes that it is envisaged that ‘classes of providers may be exempt from the notification requirement on the same grounds, for example, exemptions may relate to a particular type of low risk service or network operator’ based on factors such as those noted above.[155] However, the draft guidelines note that ‘there is no application process’ for carriers or NCSPs wanting to be exempted from the notification obligation (in part or in full) and instead the ‘CAC will decide if and when to grant any exemption’ based on the advice received from ASIO noted above.[156]

The PJCIS Advisory Report recommended that the Bill be amended to outline the application process for exemptions from notification requirements, noting that the Attorney-General’s Department is ‘open’ to amending the Bill to include an exemption application process.[157]

Annual Security Capability Plans

Proposed section 314C allows carriers and NCSPs to submit an annual SCP to the CAC. Annual SCPs are a mechanism by which carriers and NCSPs can notify the CAC of their intention to implement one or more proposed changes to networks and services if those changes ‘are likely to have a material adverse effect’ on their ability to comply with the security obligations.[158]

Further, SCPs will provide carriers and NCSPs with ‘an opportunity to outline proposed changes within the context of the company’s approach to security management’, and thereby ‘streamline the process of assessing the security risks associated with each proposed change and ultimately provide the CAC (and ASIO) with sufficient information to assess whether proposed changes can be implemented without further engagement with government agencies’.[159]

Types of changes that can be included in a SCP

Proposed subsection 314C(4) provides that the types of changes to a telecommunications system or service that can be notified by the carrier or NCSP to the CAC in an annual SCP include (but are not limited to) the types of changes listed in proposed subsection 314A(2), as well as any types of changes specified by the CAC in a legislative instrument issued under proposed subsection 314C(5). The draft guidelines noted:

... security capability plans should only include changes that are likely to have a material adverse effect on the capacity of the C/NCSP to comply with their obligation to protect their networks and facilities from unauthorised access or interference under subsections 313(1A) and (2A).[160]

The use of SCPs to forecast changes

Whilst SCPs can be used to forecast and advise the CAC of proposed future changes, the draft guidelines note that as a matter of practicality there are limits to ‘how far in advance’ a SCP ‘should capture proposed changes’ as (when the CAC’s maximum of 60 days to consider notifications covered in a SCP is considered):

... it may not be feasible to include changes that have tight deadlines for implementation and which require CAC consideration in a shorter timeframe to avoid delaying a project.[161]

The draft guidelines further note that to ‘maximise the benefit’ of submitting a SCP, it should, at a minimum, ‘forecast proposed changes to systems and services for the upcoming 12 months’.[162] The draft guidelines also note that carriers or NCSPs that choose to submit a SCP ‘are encouraged to notify proposed major changes such as development of a new service or network as soon as possible’ but that the SCP should:

... include sufficient detail about each proposal to enable the CAC and security agencies to adequately assess whether the proposed change is likely to give rise to national security risks.[163]

Further, the major limiting factors on the length of time over which a SCP can be used to forecast proposed changes include proposed subsection 314C(8), which restricts carriers and NCSPs to submitting one SCP per year and prevents a previously submitted SCP from being updated during that 12-month period.[164]

Other information that can be included in a SCP

Proposed subsections 314C(6) and (7) provide that an annual SCP may also include the practices, policies and strategies adopted by the carrier or NCSP to comply with the security obligations and any measures or proposed measures to mitigate the risk of unauthorised interference with, or unauthorised access to, telecommunications networks or facilities. The draft guidelines provide the following examples of other types of information that can be included in a SCP:

  • a description of the risk assessment processes used to identify and manage security risks on networks, systems and services
  • arrangements and mechanisms in place for overseeing contracted managed service provider compliance with security requirements and so forth (for example standard contract terms concerning personnel, logical and physical security requirements and access restriction and how compliance with these terms is monitored and enforced) and
  • any assurance processes for vetting security practices of a vendor.[165]

The draft guidelines also note that a CSP can ‘detail any current or proposed mitigation measures or controls to reduce the risk of unauthorised access or interference’ and that this could ‘include access controls in systems or oversight arrangements that are proposed to be built into contracts with third parties’.[166] The AGD notes that the inclusion of such additional information in a SCP:

... will help expedite the assessment of the security plan by security agencies by reducing the likelihood that the CAC will need to request additional information from a C/CSP about a proposed change.[167]

The Explanatory Memorandum also notes that where a carrier or NCSP includes information about its ‘security policies, practices and strategies’ in a SCP, it could help:

... streamline the process of assessing the security risks associated with each proposed change and ultimately provide the CAC (and ASIO) with sufficient information to assess whether proposed changes can be implemented without further engagement with government agencies.[168]

However, the Explanatory Memorandum also notes that submission of a SCP is ‘not intended to remove the need to engage with ASIO’ either ‘where this is already occurring or where ASIO considers it necessary’ to ensure a carrier or NCSP complies with the security obligation.[169]

Interaction between SCPs and individual notification regime

Proposed subsection 314E(1) provides that where an annual SCP is submitted, the carrier or NCSP is not required to notify those proposed changes under the individual notification regime. However, proposed subsection 314E(2) requires that where a carrier or NCSP becomes aware that modifications to proposed changes notified to the CAC through an annual SCP ‘are likely to have a material adverse effect’ on its ability to comply with the security obligations in proposed subsections 313(1A) and (2A), those modifications must be individually notified under proposed section 314A.

Interaction between SCPs and exemptions from the notification regime generally

Whilst proposed subsections 314A(4)–(7) allow the CAC to provide exemptions from the notification obligation, this does not apply to the SCP process as it is not mandatory, with the Explanatory Memorandum noting that any carrier or NCSP exempted from making individual notifications for planned changes to telecommunications systems and services ‘would also be expected not to submit a SCP’.[170]

Assessment of notified proposed changes

Proposed sections 314B (individual notifications) and 314D (annual SCPs) deal with the assessment of proposed changes to a telecommunications system or service by the CAC.

If the CAC considers that further information about the proposed change is required to assess whether there is a risk of unauthorised interference with, or unauthorised access to, telecommunications networks or facilities that would be prejudicial to security, the CAC may, in writing, require the carrier or NCSP to provide such further specified information.[171] Such a notice must be given to the carrier or NCSP within 30 days of the individual notification being provided to the CAC, or within 60 days of the annual SCP being given to the CAC.[172]

If, after considering an individual notification or annual SCP and any further information provided in response to a notice requesting further information, the CAC is satisfied that, in relation to the proposed change:

  • there is a risk of unauthorised interference with, or unauthorised access to, telecommunications networks or facilities and
  • that risk would be prejudicial to security (as defined by reference to the definition of that term in the ASIO Act)[173]

then the CAC must give a written notice to the carrier or NCSP:

  • advising the carrier or NCSP of the relevant risk
  • setting out security obligations and
  • setting out the consequences for the carrier or NCSP for not complying with the security obligations.[174]

Proposed subsections 314B(4) and 314D(4) provide that a notice issued by the CAC of the above kind ‘may also set out the measures’ the CAC ‘considers the carrier or provider could adopt to eliminate or reduce’ the relevant risk.

Proposed section 314B does not prevent a carrier or NCSP from implementing the proposed change within the 30 day period specified for the CAC to assess the proposed change or following a notice provided to the carrier or NCSP by the CAC under proposed subsection 314B(3).[175] However, when viewed in the context of the powers provided to the Attorney-General under proposed section 315B, and the (likely) advice provided by ASIO and other government agencies, arguably a carrier or CSP should comply with any measures proposed by the CAC to eliminate or reduce the relevant risk to avoid the risk of potentially breaching the security obligations or having a direction issued to it by the Attorney-General covering the same or substantially similar matters.[176]

If, after considering the notification or annual SCP (and any further information requested), the CAC is satisfied that the proposed change does not create a risk of unauthorised interference with, or access to, telecommunications networks or facilities, the CAC must provide a written notice to that effect to the carrier or NCSP.[177]

The CAC must issue the relevant notice to the carrier or NCSP within the following timeframes (as applicable):

  • within 30 days (in the case of individual notifications) or 60 days (in the case of annual SCPs) of the individual notification or SCP being provided to the CAC or
  • as soon as practicable and no later than 30 days (in the case of individual notifications) or 60 days (in the case of SCPs) after the carrier or NCSP provided further information in response to a request from the CAC.[178]

Importantly, the 30 or 60 day time limit for a formal response from the CAC runs from when the individual notification or annual SCP is received but that time-limit effectively ‘re-sets’ each time the CAC requests further information.[179] This has attracted some criticism, discussed below.

Criticism of notification regime

Both the individual notification regime and annual SCP regime have been criticised by stakeholders on a number of grounds.

Logic of the approach

The Associations argued that ‘the basic logic of the approach’ underpinning the notification regime ‘continues to be fundamentally flawed’ on the basis:

... if ... C/CSPs have a “duty to do their best to protect telecommunications networks and facilities from unauthorised interference, or unauthorised access”, then anything “likely to have a material adverse effect on their capacity to comply with this duty” cannot exist – irrespective of any notification and potential subsequent authorisation – without already causing a breach of the obligation “to do their best to protect”. Doing something that may adversely affect protection while not breaching the obligation cannot co-exist with the duty to do one’s best to protect, whether notified or authorised, or not.[180]

The Associations argued that the principle underpinning the notification regime should be:

  • carriers and CSPs ‘have a duty to do their best to protect their networks’ and
  • where they ‘seek to do one or more of the following: [list of specific items], notification is required’.[181]

Asymmetry of the notification requirements

The Associations noted that the proposed notification regime may require carriers and CSPs to ‘engage with Government early in their planning, design and procurement activities’ but that the Bill did not impose an ‘equivalent obligation on Government to proactively notify’ carriers and CSPs ‘early when it becomes aware of security threats’ to carriers’ and CSPs’ telecommunications networks or facilities.[182] The Associations argued:

It appears highly inefficient that C/CSPs are obliged to proactively notify Government of proposed changes to their networks (i.e., outsourcing, offshoring, equipment procurement or change in management) and proposed risk mitigation strategies while Government is not compelled to equally notify C/CSPs of any potential or real security threats to networks and facilities. This means that C/CSPs may receive an adverse security assessment and, consequently, commit scarce resources to developing risk mitigation strategies based on incomplete or no threat information from Government. This is an inefficient process and is likely to add to compliance costs which ultimately will be borne by consumers.[183]

The Associations recommended that the Bill be amended to require the Government to proactively make carriers and CSPs ‘aware of any known security threats to their networks and facilities’ through a newly established ‘single point of truth and advice facility’, such as a Threat Advisory Service.[184]

Inconsistency with the direction regime

The Associations noted that the requirement that there be an adverse security assessment before the directions powers can be used by the Attorney-General does not apply to the notification and consultation processes that precede the issuing of a direction and argued:

This allows the Attorney-General to apply pressure onto C/CSPs without a formal basis for doing so.[185]

The Associations recommended that ‘the adverse security assessment be a prerequisite for the entire process rather than just its last step’.[186]

Length of time to finalise a decision

As noted above, the Bill provides that the CAC must respond to individual notifications within 30 days and to SCPs within 60 days. However, if the CAC seeks further information from the carrier or CSP, the Bill provides for the CAC’s decision-making period to be ‘re-set’ and commence again, with a further full decision-making period (30 or 60 days) starting from when the carrier or CSP responds to the information request. Optus was critical of this approach, stating in response to the second Exposure Draft of the Bill:

This approach raises the prospect of extended overall decision-making periods (with providers bearing the additional commercial risk and uncertainty), well beyond the 30 or 60 day periods envisaged in the main legislative provision. It would be more appropriate for the 30 or 60 day clock to ‘stop’ for the duration of the period it takes the applicant to respond to the information request, and then for the ‘clock’ to resume, starting with the same number of elapsed days as when the information request was made.[187]

The corresponding provisions in the second Exposure Draft of the Bill provided simply that the CAC must issue a notice ‘within’ 30 or 60 days (as applicable) of the carrier or NCSP providing the further information. The Bill as introduced contains the additional requirement that the CAC must respond as soon as practicable and no later than 30 or 60 days (as applicable) after the carrier or NCSP provided the further information. However, it is not clear that this amendment will fully address the concern raised by Optus on the second Exposure Draft. Further, in its submission to the PJCIS on the Bill, Optus noted that the Bill is ‘silent on what occurs if these timeframes are not met by the CAC’,[188] argued that ‘this places an unacceptable commercial risk on providers’ and recommended:

The Bill should outline what the outcome will be if the CAC does not respond within the required timeframe. In Optus’ view, if the CAC does not respond with a decision within the specified time limits, the notification or SCP should be deemed agreed unless formal notice is provided by the CAC of an extended assessment period with a revised notification date. Such a notice should be open to administrative review and further deadlines so it cannot be rolled over indefinitely.[189]

Unnecessary interference with commercial decisions of carriers and CSPs

Vodafone Hutchison Australia (Vodafone) argued that the notification regime, along with other aspects of the Bill, would ‘dramatically impact the incentives for outcomes orientated collaboration and impose significant costs and commercial risks into the telecommunications industry’.[190]

TPG Telecom Limited Group also expressed similar concerns and argued that the proposed notification regime is ‘unreasonably lengthy and is intrusive on the ordinary operations of the Telco’.[191]

Offshoring

Macquarie Telecom noted that whilst it is ‘very concerned at the prospect of the costs and intrusion into its commercial operations’ resulting from the regime proposed by the Bill, it ‘takes a different view in relation to the potential impact the legislation may have on the practice of offshoring infrastructure’.[192] Macquarie Telecom noted:

Macquarie Telecom considers that the benefits of retaining certain types of data within Australia outweigh any additional costs of using onshore infrastructure and services... Macquarie Telecom Group contends that Australian based services and infrastructure can be efficient, innovative and cost effective. From a security and intelligence perspective, Australian based services and infrastructure can allow a high degree of collaboration and access between industry and security agencies (within an appropriate framework).[193]

Macquarie Telecom concluded that there is ‘significant risk in offshoring certain data and considers it important that Australia retains sovreignty [sic] over certain types of information’.[194] However, overall Macquarie Telecom nonetheless expressed concern over ‘the real possibility’ that the Bill ‘could stimie [sic] its ability to innovate and respond to changes in technology and customer demand’ and ‘could lead to increased security threats as the implementation of new technology is delayed or deferred due to concerns about any approvals required from Government’.[195]

Despite Macquarie Telecom’s concern, the principal concern of industry stakeholders in relation to the offshoring of services or equipment appears to be that the security obligation would impose a legal obligation on carriers and CSPs to exert control over aspects of networks and facilities that they use, including those located offshore, over which they may not have legal or physical control.

It is argued that this requirement may limit the extent to which carriers and CSPs can utilise offshoring arrangements, which could reduce Australia’s international competitiveness with respect to investment and innovation in the telecommunications sector. For example, the security obligations of carriers and CSPs under the Bill might be incompatible with the laws of the foreign jurisdiction in which the network or facility is located, such as obligations to provide assistance to law enforcement or intelligence agencies of that foreign country (or potentially its allies). It is also possible that a carrier or CSP may not have ownership of the relevant infrastructure and therefore cannot take the steps considered necessary to protect the network.[196]

The CEO of the Communications Alliance, Mr John Stanton, also gave evidence to the PJCIS that the offshore storage of data did not, in his organisation’s opinion, present an elevated security risk compared to onshore storage:

Senator McKENZIE: ... My question goes to managing risk and the increasing propensity of our Australian providers to offshore aspects of their operations and the subsequent increase in risks in that for all of us—not just you but also us. It is something that we need to manage. Also, you are obviously offshoring as a result of competitive tensions. Are there things we need to change in the bill to address that, or are you comfortable with the measures within the bill around your need to offshore certain aspects—and increasingly it seems that the trend continues—and our ability to manage the risks to the Australian public?

Mr Stanton: ...I will start with the underlying premise, which is that offshoring is inherently more risky than storing data onshore. To my mind it is not so much about geography; it is about security and the robustness of the arrangements that you have got in place, whether they be in Australia or offshore.[197]

However, in contrast the draft guidelines appear to indicate that the practice of offshoring necessarily raises security concerns because it creates a greater level of vulnerability to espionage and sabotage:

Offshoring raises security concerns because it enables access and control to critical parts of major Australian telecommunications networks outside of Australia; this can facilitate foreign intelligence collection (espionage) and disrupt the network itself (sabotage). Risks arise where control and supervision arrangements have the potential to allow unauthorised actions by third parties, such as theft of customer data or sabotage of the network.[198]

The draft guidelines further identify some specific security vulnerabilities presented by offshoring arrangements, which appear to focus on the outsourcing or sub-contracting of some of a carrier’s or CSP’s activities to third party providers located overseas. The draft guidelines state:

Foreign solutions often function in different legal and cultural environments which present a number of potential national security risks and vulnerabilities, further exacerbated by an operator's lack of security visibility or involvement in:

  • the use of cloud services and infrastructure, and where they are located
  • equipment running out of a foreign country and integrated back into the main network of an operator in Australia
  • staff recruitment (including staff vetting processes) where the general culture around these processes may not be on par with Australian requirements, noting that the staff may also not share a sense of corporate loyalty to the operator
  • the procurement and management of third party equipment vendors
  • a solution being run under a vendor's security policy, which may not align with Australian legislation, best practice and/or existing compliance requirements or with the operator's own risk profile.

C/CSPs should seek specific guidance from government agencies if they are unsure of the particular risks posed by their existing and planned supplier arrangements.[199]

As such, the security of data retained offshore and the use of offshore service providers by carriers and CSPs would appear to be unresolved issues of concern to a range of stakeholders.

Unclear thresholds and unnecessarily broad scope of application

Optus argued that the notification obligations imposed by proposed subsections 314A(1) and 314C(2) are ‘expressed in a way that creates a logic trap and an associated compliance risk for providers which is not satisfactory’.[200] Optus also expressed concern about how that threshold would be applied and how the decisions of carriers and CSPs would be viewed, noting that if (based on the information it has available) a carrier or CSP forms a view that a change is not notifiable and proceeds on this basis:

  • it runs the risk ‘that some ‘after-the-event’ investigation’ by the CAC will draw a different conclusion and
  • it may therefore be found to have breached the notification and security obligations, even though the security assessment may have been based on information which the CAC (or a security agency) conducting such an investigation had ‘uniquely available to it and to which the provider was not privy when considering the threshold question’.[201]

As a result, Optus recommended that the drafting of proposed subsections 314A(1) and 314C(2) be reviewed to take into account the above concerns.[202]

Foxtel also noted that the notification requirements in proposed section 314A may also apply to ‘its broadcasting and content infrastructure and facilities’.[203] Foxtel therefore sought ‘clarification that networks and facilities used to supply broadcasting and content services are not intended to be subject to ... the notification requirements in section 314A’.[204]

Foxtel argued that broadcasting and content services should be excluded from the security and notification obligations because they do not carry sensitive corporate or government information, sensitive or confidential information about law enforcement activities, or protected information; do not potentially disclose the location of politicians or other protected persons; and are not essential to the delivery and support of critical services such as power, water and health. As a result, Foxtel recommended that proposed section 314A be amended to expressly exclude networks and facilities, to the extent that these are used to supply broadcasting services and content services (as defined by the Broadcasting Services Act 1992), from the notification requirements.[205]

Foxtel argued that such amendments would ‘provide clarity and certainty in relation to the application of the regulatory framework in future’.[206] In that regard it is worth noting that the Explanatory Memorandum notes that it is envisaged that ‘classes of providers may be exempt from the notification requirement’ potentially including subscription television services (see the discussion above under the heading ‘Exemptions from the notification obligation’).[207] This would appear to suggest an intention to deal with this issue via exemptions granted by the CAC, and the proposal to develop an approach to the granting of exemptions during the implementation phase.

Directions by the Attorney-General

Current position

Currently subsection 581(3) of the Act provides that the Attorney-General may (after consulting the Prime Minister and Minister administering the Act[208]) direct a carrier or CSP to cease operating a telecommunications service where the proposed or continued operation of that service is, or would be, prejudicial to security. The Explanatory Memorandum notes that the power provided under subsection 581(3) of the Act is:

... an extreme measure and only appropriate for managing the most extreme national security risks given the potentially significant flow on consequences for the affected company’s business, their customers, and possibly the broader Australian economy. For these reasons the power has not been exercised to date.[209]

Subsection 581(4) of the Act provides that a person must comply with a direction given under subsection 581(3). In turn, compliance with the Act (and hence with directions issued under subsection 581(3)) is a standard licence condition (as per item 1 of Schedules 1 and 2 to the Act). This means that non-compliance with a direction issued under section 581 of the Act may amount to a breach of licence conditions. It may also contravene a civil penalty provision and attract other remedial action under sections 68–69 and 101–102 of the Act. Collectively this means that such directions have a degree of regulatory force to ensure compliance. However, current subsection 581(3A) of the Act prevents the power from being expressed ‘to apply to the supply of a carriage service to a particular person, particular persons or a particular class of persons’.

The Bill repeals subsections 581(3) and (3A) of the Act in order to re-locate the power within the TSSR framework in proposed Division 5 of Part 14.[210] Proposed section 315A largely replicates the power in existing subsection 581(3), with some procedural changes. The Bill will also grant the Attorney-General a new and separate directions power to direct a carrier or CSP to do, or refrain from doing, a specified act.

Power to require a carrier or CSP to cease operating a telecommunications service

The first power (provided in proposed section 315A) is modelled on existing subsections 581(3) and (3A).[211] It allows the Attorney-General to direct a carrier or CSP to cease operating a telecommunications service where the proposed or continued operation of that service is, or would be, prejudicial to security (‘shutdown power’).

Whilst it is modelled on existing subsections 581(3) and (3A), and is not intended to change the operation or effect of the power, there are some differences relating to the issuing requirements, and provisions for the statutory judicial review of decisions to issue directions.[212] The first difference is that ASIO must have issued an adverse security assessment before the Attorney-General can exercise the power.[213] The second difference is that the current limitation on judicial review of a direction under the ADJR Act is removed.[214] These are discussed below.

However, prior to discussing those differences it is worth noting that proposed subsection 315A(2) replicates existing subsection 581(3A) and hence will prevent the Attorney-General from issuing directions that apply to a particular person, particular persons or a particular class of persons—they must apply to a carrier or CSP generally.

When a direction to cease operating a telecommunications service is given to a carrier or CSP, a copy of the direction must be provided to the ACMA, and proposed subsection 315A(5) provides that a person must comply with the direction.[215] In turn, compliance with the Act (and hence with directions issued under proposed section 315A) is a standard licence condition (as per item 1 of Schedules 1 and 2 to the Act). This means that non-compliance with a direction issued under proposed section 315A of the Act may amount to a breach of licence conditions. It may also contravene a civil penalty provision and attract other remedial action under sections 68–69 and 101–102 of the Act. Collectively this means that such directions have a degree of regulatory force to ensure compliance.

It is also worth noting that the Explanatory Memorandum states that the directions power is:

... intended to be used in the most extreme circumstances where the continued operation of the service would give rise to such serious consequences that the entire service needed to cease operating.[216]

Further, the Government also notes that in relation to the directions power provided by current subsection 581(3) of the Act (which does not contain the limitations on its exercise that proposed section 315A has) that ‘it is such an extreme measure that it has never been used’ and that it is ‘designed for use in exceptional or extreme cases only to prevent harm to Australia’s interests’.[217] This would suggest that the ‘shut down’ power contained in proposed section 315A is also only designed for use in exceptional or extreme cases, only to prevent harm to Australia’s interests, and only when there has been an adverse security assessment provided by ASIO. In other words, the ‘shut down’ power proposed by the Bill will be more limited (and will have greater review and appeal rights) than the current power provided by subsection 581(3) of the Act.

Requirement for an adverse security assessment from ASIO

The first difference is a new restriction on the power, provided under proposed subsection 315A(3): a direction cannot be issued to a carrier or CSP unless an adverse security assessment in respect of the relevant carrier or CSP has been given to the Attorney-General. This is a change from the current regime, where there is no requirement for an adverse security assessment prior to issuing a direction under section 581 of the Act.

Briefly, security assessments are a means by which ASIO provides advice. They only consider factors related to ‘security’ and ‘are not character checks and factors such as criminal history, dishonesty or deceit are only relevant to ASIO’s advice if they have a bearing on security considerations’.[218] An adverse security assessment is one in which ‘ASIO recommends that a prescribed administrative action be taken ... or not taken’.[219] In the context of the proposed TSSR regime, a ‘prescribed administrative action’ could relate to approving a SCP (and hence proposed changes) or issuing a direction to a carrier or CSP.

Adverse security assessments are subject to merits review under Division 4 of Part IV of the ASIO Act. The notification requirements under s 38A of the ASIO Act also apply.

Allowing review of directions under the ADJR Act

The second difference is that decisions to issue directions made under proposed section 315A will now be subject to judicial review. Item 32 of Schedule 1 of the Bill removes the limitation currently imposed on directions issued under subsection 581(3) of the Act. The Explanatory Memorandum notes:

Currently, while judicial review of a direction to cease a service would likely be available through the High Court’s original jurisdiction, the process is more complicated and does not provide as many grounds of review. Removing the current exemption will enable a C/CSP to seek judicial review under the ADJR Act and therefore increase the transparency and accountability of the direction process. It will also align with the review rights provided under the new directions power in subsection 315(2) which will also provide for judicial review under the ADJR Act.[220]

Power to require a carrier, CSP or intermediary to do or refrain from doing a specified act

The second power, provided in proposed subsection 315B(2) allows the Attorney-General to direct a carrier, CSP or intermediary to do or refrain from doing a specified act. The relevant act must be connected to:

  • the operation by a carrier or CSP of telecommunications networks or facilities or
  • the supply of a carriage service by a carrier or CSP (or where supply is arranged by an intermediary).[221]

To exercise the power, the Attorney-General must be satisfied:

  • there is, in connection with one of the above activities:
    • a risk of unauthorised interference with, or unauthorised access to, telecommunications networks or facilities and
    • the risk would be prejudicial to security (by reference to the meaning of that term in the ASIO Act) and
  • requiring the carrier, CSP or intermediary to do, or refrain from doing, the specified act or thing is reasonably necessary for purposes relating to eliminating or reducing the abovementioned risk.[222]

‘Prejudicial to security’ means activities relevant to security, which can reasonably be considered capable of causing damage or harm to Australia, the Australian people, or Australian interests, or to foreign countries to which Australia has responsibilities.[223]

The Explanatory Memorandum notes that the power in proposed section 315B ‘is intended to reduce the need to rely on the existing powers under subsection 581(3) of the Act’ (and therefore also proposed section 315A). The Explanatory Memorandum also notes that it ‘is intended to be used in a cooperative way alongside engagement with industry’ but ‘it is expected this power will be used only as a last resort to achieve compliance’ or where ‘C/CSP would prefer the certainty of a formal direction’.[224] Whilst proposed section 315B ‘is an intrusive power’[225] it is subject to a number of thresholds and safeguards.

First, proposed subsection 315B(4) provides that a direction cannot be issued by the Attorney-General unless they have received an adverse security assessment in respect of the carrier, CSP or intermediary (for discussions regarding adverse security assessments, refer to ‘Requirement for an adverse security assessment from ASIO’ above, which is equally applicable to proposed section 315B).

Second, proposed subsection 315B(3) provides the Attorney-General must be satisfied that providing a direction is ‘reasonably necessary’ for the purposes of eliminating or reducing the risks of unauthorised interference with (or access to) telecommunications networks or facilities that would be prejudicial to security.

Third, proposed subsections 315B(5) and (8)–(10) provide that a direction cannot be issued by the Attorney-General until the Attorney-General:

  • has consulted the Minister administering the Act (and any other persons the Attorney-General sees fit)[226]
  • has given the carrier, CSP or intermediary a written notice setting out the proposed direction, including an invitation to make written representations to the Attorney-General in relation to the proposed direction within the period specified in the notice (which must be at least 28 days after the notice is given, unless the Attorney-General specifies a shorter period because he or she considers it necessary to do so because of urgent circumstances)[227]
  • has had ‘regard to any such representations made within that period’[228]
  • is satisfied that reasonable steps have been taken to negotiate in ‘good faith’ with the carrier, CSP or intermediary ‘to achieve an outcome of eliminating or reducing’ the relevant risk[229] and
  • has had regard to the matters listed in proposed subsection 315B(6) (discussed below).

Requirement to consult with other Ministers

Proposed subsection 315B(8) provides that the Attorney-General must consult with the Minister administering the Act before issuing a Direction. Proposed subsection 315B(10) then provides that proposed subsection 315B(8) does not limit the persons with whom the Attorney-General may consult, prior to issuing a Direction. The Explanatory Memorandum notes that this mandatory consultation requirement and flexibility to consult with other persons is designed to ensure:

... the exercise of the power takes into account broader communications policy considerations, for example, any potential impact on the telecommunications sector, including effects for competition... This requirement imposes a high degree of scrutiny and accountability on the Attorney-General’s exercise of this power. Mandatory consultation with the Minister for Communications highlights the significance of the decision and will ensure a range of views inform the Attorney-General’s exercise of the directions power and the Attorney-General takes into account factors such as the potential impact for the affected C/CSP, end-users and the economy more broadly.[230]

By way of example, the Explanatory Memorandum explains that proposed subsection 315B(10) would allow the Attorney-General to consult with other Ministers with an interest ‘such as the Minister for Foreign Affairs and Trade where there are international sensitivities’ and that this would result in directions being ‘informed by the advice of other security agencies and relevant government agencies’ through such consultations.[231]

However, proposed paragraph 315B(8)(b) also imposes mandatory consultation with the affected carrier or CSP, because the Attorney-General is required to write to the carrier or CSP and notify them of the intention to issue a Direction. In addition, the Attorney-General must provide a draft Direction and give the carrier or CSP the opportunity to make written representations about it. In practice, the Attorney-General will ‘generally provide the C/CSP with a copy of the draft direction at the time he/she provides the ASIO security assessment (as required under the ASIO Act)’.[232]

When the above procedures are considered, it is apparent that it is possible for:

  • an adverse security assessment to be provided to the carrier or CSP and
  • at some later point in time, the Attorney-General to provide the carrier or CSP with the draft Direction.

It could be argued that the material in the adverse security assessment may allow a carrier or CSP to begin the processes and steps needed to ensure compliance with the TSSR obligations to which the assessment relates. Alternatively, it could be argued that a more efficient approach would be a statutory obligation to provide the draft direction at the same time the carrier or CSP is notified of the adverse security assessment, rather than as part of the (presumably later) notice required by proposed subparagraph 315B(8)(b)(i).

Requirement to negotiate in ‘good faith’ with the carrier, CSP or intermediary

In relation to the requirement to negotiate in ‘good faith’ with the carrier, CSP or intermediary ‘to achieve an outcome of eliminating or reducing’ the relevant risk imposed by proposed subsection 315B(5), the Explanatory Memorandum states:

Good faith in this context is intended to impose a requirement that engagement is genuine and solutions-focussed and all reasonable options for addressing the risk are considered by both parties. This provision is intended to underpin the entire objective of the security framework which is to facilitate cooperative and collaborative government and industry partnership to manage national security risks to the telecommunications sector.[233]

In addition to the good faith requirement that underpins consultations with the potentially affected carrier, CSP or intermediary, proposed subsection 315B(9) requires that (absent urgent circumstances) the consultation period must be ‘at least’ 28 days after the notice setting out the proposed direction is given. This means that, except where the Attorney-General considers it necessary to shorten the consultation period due to urgent circumstances, a carrier, CSP or intermediary will generally have adequate time to consider the draft Direction and adverse security assessment, and potentially seek a merits review of the adverse security assessment (which would in effect stay ‘the process for issuing a direction’).[234] Reflecting the gravity of the direction power, the Explanatory Memorandum notes:

... the Attorney-General’s power to issue directions under sections 315A or 315B cannot be delegated (unlike the Secretary of AGD’s information-gathering powers under section 315C which may be delegated to the Director-General of Security– see notes on Division 6 below). There is also no implied power to authorise an official to exercise the power to issue directions on the Attorney-General’s behalf.[235] (emphasis added)

Proposed subsection 315B(6) provides that, in addition to the above, the Attorney-General must, before issuing a direction, have regard to the following matters:

  • the adverse security assessment
  • the costs, in complying with any direction, that would be likely to be incurred by the carrier, CSP or intermediary
  • the potential consequences that any direction may have on competition in the telecommunications industry
  • the potential consequences that any direction may have on customers of the carrier, CSP or intermediary.

The subsection also provides that ‘the Attorney-General must give the greatest weight to the matter’ mentioned in proposed paragraph 315B(6)(a): the adverse security assessment.

Proposed subsection 315B(7) provides that proposed subsection 315B(6) does not limit the matters to which the Attorney-General may have regard (that is, the mandatory considerations do not preclude the Attorney-General from having regard to other considerations at his or her discretion).

It is unclear on the face of the provisions whether any discretionary considerations taken into account—consistent with the recognition in proposed subsection 315B(7)—would also be subject to the requirement in proposed subsection 315B(6) that the Attorney-General must give the greatest weight to the adverse security assessment.

It appears that the requirement to give greatest weight to the adverse security assessment is limited to the mandatory considerations in proposed subsection 315B(6). If this interpretation is accepted, then it would theoretically be open to the Attorney-General to place a greater degree of weight on discretionary considerations as determined in the circumstances of individual cases, as compared to an adverse security assessment (and any other mandatory considerations) prescribed by proposed subsection 315B(6).

In the absence of explanation in the EM, it is unclear whether this result is intended.

Criticisms of the directions powers

Both the directions powers contained in proposed sections 315A and 315B have been criticised on various grounds.

Potential to undermine investment decisions and reduce competition

A number of stakeholders expressed a view that the powers contained in proposed sections 315A and 315B amounted to inappropriate interference in the commercial decisions of telecommunications companies.

For example, TPG stated that the power to ‘tell Telcos what to do about their networks and facilities’ will ‘undermine sound investment decisions made by industry’.[236] TPG also argued that there is a risk that decisions about whether to issue a Direction ‘could be inappropriately influenced by the prevailing socio-political climate or the relationship (or lack of a relationship) with the Government of the day’ instead of being ‘based on the need to promote network security’ (so that vendors of equipment are motivated to compete based on their security credentials).[237]

Likewise, Vodafone argued that the use of the directions power ‘potentially limits competition especially where the pool of technology vendors for particular equipment is in low single digits, increasing the chance that this draconian approach runs afoul of anti-competition laws’.[238]

Inappropriate weighting given to adverse security assessments

A number of stakeholders expressed concerns at the factors that the Attorney-General must consider before issuing a Direction in proposed subsection 315B(6) and the emphasis placed on the adverse security assessment.

For example, TPG noted that whilst the power to issue a Direction under proposed section 315B is limited to circumstances where the Attorney-General has received an adverse security assessment ‘this does little to limit the potential favouring of one particular manufacturer of equipment, or a particular country’s manufacturer, as against other manufacturers’.[239] TPG also argued that whilst the power provided by proposed section 315B to direct a carrier, CSP or intermediary to do or refrain from doing specified acts requires the Attorney-General to have regard to the compliance costs and burdens and competition implications, ‘the Attorney General is free, and is indeed required, to discount such considerations in favour its consideration of the adverse security assessment’.[240] Optus likewise noted that the Attorney-General must give the greatest weight to the adverse security assessment and argued:

... this decision-making “bias” be removed by deleting this sentence. If it is retained, the most likely practical outcome would be for this factor to dominate decision-making. This outcome would have the effect of undermining the point of including the factors (b), (c) and (d) in the list of decision-making factors in the first place. It is critical that this coercive power only be exercised in the full understanding of its practical impact and for these other aspects to be given suitable weight and potential to influence decisions.[241]

Optus also recommended that proposed subsection 315B(6) be amended to include a new paragraph (e) which would require the Attorney-General to consider ‘whether the network or service to which the proposed direction would apply is critical national infrastructure or a critical service’.[242] Optus argued that such an amendment would:

... ensure decision-making takes into account a view, not just of costs, customer impact, competition and security as currently proposed, but also the significance of the infrastructure or criticality of the service in the national context and in the context of the network and services which the providers offers to the public in Australia. The addition of this factor would also assist to align the exercise of the power to give directions with the stated policy intent of protecting critical national infrastructure.[243]

Vodafone also argued that despite the obligation to negotiate in good faith before issuing a Direction, the directions powers posed a risk that agencies would ‘invoke the security assessment as a reason not to collaborate with a service provider to find more reasonable and just as effective national security outcomes’ and this would in turn limit competition.[244]

In relation to concerns about the weighting given to adverse security assessments in proposed subsection 315B(6) the Government notes:

The harm to security is to be given the greatest weight in this balancing exercise to ensure that Australia’s security interests are properly safeguarded despite potential impacts on the C/CSP, competition and end-users. The requirement to have regard to other factors, in addition to the risk to security, will ensure that a direction is proportionate and reasonable in all of the circumstances and guard against imposing directions that would possibly address security risks but have an unnecessary crippling effect on the C/CSP’s business or impede market innovation and competition.[245]

As such, it appears that the Government has (through the consultation process regarding the ED) considered the stakeholder concerns discussed above and determined that, as the reforms are aimed at ensuring security, proposed subsection 315B(6) should strike a balance between security issues and non-security issues such as cost and competition, without necessarily requiring equilibrium between those factors.

The impact of uncertain definitions and the opacity of adverse security assessments

The LCA noted that the rule of law is predicated on the basis that laws are both readily known and available, and certain and clear. In that regard, in relation to the thresholds proposed by the Bill the LCA noted that ‘any process that may result in substantial impacts on providers and potentially the services provided to consumers must be, to the extent possible, transparent.’[246]

The LCA argues that because the issuing of an adverse security assessment is not required to be based on conventional standards of proof such as a ‘balance of probabilities’ test, and the specific criteria by which ASIO makes its assessments are also largely unknown (beyond that an assessment must relate to ASIO’s functions and the definition of security in section 4 of the ASIO Act), the proposed provisions result in uncertainty:

... as to when a cyber risk or threat will be considered to be of a sufficient level of seriousness to warrant the issuing of a direction by the Attorney-General.[247]

The LCA concluded that, as it was also ‘unclear whether a risk or prejudice to security must be substantial, likely, imminent or of severe potential impact before an adverse security assessment is issued’, the threshold was not sufficiently transparent, and recommended:

... the exercise of the directions powers should only be permitted where there is a sufficient level of risk to security to justify the exercise of the powers. This could be achieved, for example, by amending subsection 315B(1) to require that the Attorney-General is satisfied that there is a substantial and imminent risk of unauthorised interference with, or unauthorised access to, telecommunications networks or facilities that would be prejudicial to security.[248](emphasis added).

The LCA also noted that the term ‘prejudicial to security’—which forms part of the thresholds that must be satisfied before the shutdown or directions power can be exercised—is not defined in the Bill itself.[249] The meaning of ‘prejudicial to security’ is not defined in the ASIO Act either, but is instead defined in guidelines issued under section 8A of that Act as meaning activities relevant to security which can reasonably be considered capable of causing damage or harm to Australia, the Australian people, or Australian interests, or to foreign countries to which Australia has responsibilities.[250]

The LCA again reiterated that ‘the rule of law requires that the law must be both readily known and available, and certain and clear’ and that ‘this requires that key terms should be defined’.[251] The LCA therefore recommended that the term 'prejudicial to security' should be defined in the legislation itself so as to ensure:

  • that the definition of 'prejudicial to security' could not be redefined without ‘adequate Parliamentary scrutiny’ and
  • that the Attorney-General's directions powers under proposed subsections 315A(3) and 315B(4) could only be exercised in the circumstances intended by the Explanatory Memorandum.[252]

Whilst legislative certainty regarding definitions is an often-sought goal, a statutory definition of ‘prejudicial to security’ may have adverse security implications because it would require the Parliament to decide the relevant criteria in the abstract, necessarily without the benefit of intelligence about threats to Australia’s security (and without the detailed knowledge of the security environment that the Attorney-General would possess due to his or her portfolio responsibility for ASIO). This is why ASIO’s guidelines are non-legislative instruments, as recommended by the Hope Royal Commission in 1984, and are partially classified (as a compromise, the unclassified portions must be tabled in Parliament under section 8A of the ASIO Act).

Lack of consultation requirement in shutdown power

TPG noted that, in contrast to the direction power contained in proposed section 315B (which requires the Attorney-General to undertake good faith negotiations with carriers, CSPs or intermediaries before issuing a direction), the shutdown power provided by proposed section 315A could be exercised by the Attorney-General without any need to consult the affected carrier, CSP or intermediary.[253] TPG argued that the shutdown power ‘should be subject to judicial oversight rather than just a bare power for the executive branch’.[254]

The Government argues that the directions power in proposed section 315B is intended to supplement the shutdown power in proposed section 315A and hence is aimed at enabling ‘other action to be taken to address a security risk where the circumstances do not require the complete shut-down of the service’.[255]

As such, the shutdown power provided by proposed section 315A ‘will remain the ultimate protection measure where action needs to be taken immediately to protect Australia’s security interests’ and therefore:

For these reasons, some of the additional requirements and protections included in the new directions power under section 315B, for example the Attorney-General must be satisfied all reasonable steps have been taken to reach agreement and consult the affected C/CSP in good faith, are not replicated in the existing provision. However, alternative safeguards are provided for use of the power under section 315A through the requirement to consult the Prime Minister, in addition to the Minister responsible for administering the Telecommunications Act, the Minister for Communications.[256]

Whilst as noted above, TPG argues that the shutdown power should be subject to judicial oversight, decisions to issue a direction under proposed section 315A can be challenged through:

  • a merits review of the adverse security assessment (which is a necessary pre-condition of giving a direction) and
  • judicial review of the decision to issue a direction itself.[257]

Information gathering and sharing powers

The Bill proposes to give the Secretary of the Attorney-General’s Department (Secretary) a number of coercive information gathering powers, as well as information sharing powers, in relation to assessing compliance with the new security obligations imposed by proposed subsections 313(1A) and 313(2A) inserted by items 8 and 9 (discussed above).

Power to obtain information or documents

Proposed section 315C provides that when the Secretary ‘has reason to believe’ that a carrier, CSP or intermediary has information or a document that is relevant to assessing compliance with the security obligations, the Secretary may issue a written notice requiring the carrier, CSP or intermediary to:

  • give the Secretary the information (in a form specified) within a specified time-period
  • produce the documents (in a form specified) within a specified time-period or
  • produce copies of the documents (in a form specified) within a specified time-period.[258]

However, proposed subsection 315C(4) provides that before the Secretary (or the Director-General of Security in the event that the Secretary delegates his or her powers to the Director-General)[259] issues such a notice, they must ‘have regard to’ the costs that would be incurred by the carrier, CSP or intermediary in complying with the notice. Proposed subsection 315C(5) provides that proposed subsection 315C(4) does not limit the matters to which the Secretary (or the Director-General as the Secretary’s delegate) may have regard at their discretion. Once issued, proposed subsection 315C(3) provides that a person must comply with such a notice.

This means that non-compliance with a notice issued under proposed section 315C may amount to a breach of licence conditions or service provider rules. It may also contravene a civil penalty provision and attract other remedial action under sections 68–69 and 101–102 of the Act. Collectively this means that such notices have a degree of regulatory force to ensure compliance.[260]

Content of notice to produce information or documents

Proposed subsections 315C(6) and (7) provide that if a notice to produce information or documents is issued, it must set out a number of matters including:

  • if the notice is issued to a carrier:
    • the effect of proposed subsection 315C(3) (which requires a person to comply with the notice)
    • section 68 of the Act (a carrier or person must comply with the conditions of its carrier licence—which includes compliance with the Act, TIA Act and other legislation)[261]
    • section 570 of the Act (which sets out the pecuniary penalties for contravention of the Act’s civil penalty provisions)
    • Part 1 of Schedule 1 of the Act (which provides that the standard conditions of a carrier licence include compliance with the Act, the TIA Act and other legislation)[262]
    • Sections 137.1 and 137.2 of the Criminal Code (which are offences for providing false or misleading information or documents)
  • if the notice is issued to a CSP or an intermediary:
    • the effect of proposed subsection 315C(3) (which requires a person to comply with the notice)
    • section 101 of the Act (a service provider must comply with the service provider rules—which includes compliance with the Act, TIA Act and other legislation)[263]
    • section 570 of the Act (which sets out the pecuniary penalties for contravention of the Act’s civil penalty provisions)
    • Part 1 of Schedule 2 of the Act (which provides that the service provider rules include compliance with the Act, the TIA Act and other legislation)[264]
    • Sections 137.1 and 137.2 of the Criminal Code (which are offences for providing false or misleading information or documents).

Availability of compensation

Proposed subsection 315C(8) provides that a carrier, CSP or intermediary is entitled to be paid ‘reasonable compensation’ for complying with a requirement to provide copies of a document to the Secretary under proposed paragraph 315C(2)(c). In contrast, no compensation is available for compliance with a notice to produce information or documents issued under proposed paragraphs 315C(2)(a) and (b).

This approach is consistent with section 523 of the Act (in relation to the ACMA’s information-gathering powers). This may suggest an intention that compensation is for the costs of producing copies, rather than foregone productivity or other business costs as a result of searching for and producing documents, or providing information in compliance with a notice.

Abrogation of privilege against self-incrimination

The information-gathering power in proposed section 315C (combined with the provision on self-incrimination in proposed section 315D, discussed below) will operate to override reasons for non-disclosure and compel the provision of information or documents. The compulsion element has the effect of authorising the disclosure of personal information under the Privacy Act (that is, the disclosure is authorised by law) and offers a statutory protection for breach of confidentiality provisions in contracts.

Proposed subsection 315D(1) abrogates the privilege against self-incrimination by providing that a person is not excused from giving information or providing a document (or a copy of a document) under proposed section 315C on the grounds it might tend to incriminate the person or expose them to a penalty.

However, as is relatively common with such types of coercive powers, the abrogation of the privilege against self-incrimination is accompanied by ‘use’ and ‘derivative use’ immunities.[265] Proposed subsection 315D(2) provides that where such information is given or a document (or copy of a document) is provided under proposed section 315C that information, document or copy or any information, document or thing obtained as a direct or indirect consequence of giving the information, document or copy is not admissible in evidence against the individual who provided it in:

  • criminal proceedings other than proceedings for an offence against sections 137.1 and 137.2 of the Criminal Code (offences for providing false or misleading information or documents) or
  • civil proceedings other than proceedings under section 570 of the Act related to the recovery of a penalty for contravening proposed subsection 315C(3) (failing to comply with a notice to give information, or to produce a document or copy).

Information sharing

Proposed section 315H authorises the further use or disclosure of information or documents obtained under proposed sections 314A, 314B, 314C, 314D, 315C and 315H to persons other than the Secretary or their delegate.

However, proposed subsection 315H(1) provides that any such disclosure must be either for the purpose of assessing compliance with the security obligations or for the purposes of security (within the meaning of that term in the ASIO Act). The Government notes:

In practice it is likely that information sharing may take place between relevant government agencies, such as with the Department of Communications and the Arts or the Australian Signals Directorate. For example, information or documents may be shared in cases where technical expertise or assistance is required to assess risks to security. It may also be used to inform the Attorney-General or other relevant Ministers for the purpose of exercising the Attorney-General’s power in new section 315A (previously subsection 581(3), or more broadly for the purposes of security. ‘Security’ is defined by reference to the ASIO Act. The powers would therefore also potentially authorise sharing of information or documents with state authorities and international partners, pursuant to the ASIO Act and formal information sharing arrangements with those countries.[266]

In addition to the above restriction on the purposes of disclosure, proposed subsection 315H(2) provides that a person must not disclose information or documents obtained under proposed sections 314A, 314B, 314C, 314D, 315C and 315H to persons who are not Commonwealth officers, to the extent that the information is ‘identifying information’ or the document (or copy) contains ‘identifying information’ (some stakeholders criticised the breadth of the definition, as discussed below).[267] The term ‘identifying information’ is defined in proposed subsection 315H(4) as ‘information that identifies the carrier, carriage service provider or carriage service intermediary concerned’. Proposed subsection 315H(3) provides that, subject to the disclosures permitted under section 315H, a person who obtains information or a document under proposed sections 314A, 314B, 314C, 315C or 315H must treat that information or document as confidential.

Protection of commercially sensitive information

The intent of proposed section 315H is to enable the disclosure of information as necessary for the purposes of security, while also protecting commercially sensitive information provided by carriers, CSPs and intermediaries. It seeks to balance interests in security and the confidentiality of commercially sensitive information primarily by requiring the Secretary, Director-General of Security or other Commonwealth officers who have access to the information or documents to remove information that identifies the carrier, CSP or intermediary before sharing them outside of the Australian Government.[268] The Government notes:

In practice, information would only likely be shared outside Commonwealth Government officials for reasons of providing threat information and intelligence to foreign partners in support of reciprocal information sharing arrangements. Australia is dependent on intelligence provided under these arrangements to support preparation of its own threat advice to Australian companies. C/CSPs will not be advised when information is shared with foreign partners as this could potentially compromise national security by identifying the types of issues considered by security agencies and the nature of sharing arrangements.

Only information that does not identify the C/CSP (i.e. the threat-based information) would be shared in these circumstances and information shared in these circumstances is protected through formal arrangements such as a Memorandum of Understanding. In practice, this would involve removing the identifying details of the C/CSP such as company name and logo before the information or documents are shared ... Information and documents would be shared with other security agencies and foreign intelligence partners to better protect national security. It would not be shared with a C/CSP’s competitors or with other stakeholders who may gain a commercial advantage from seeing this information. Subsection 315H(3) also imposes a confidentiality obligation on people who obtain information and documents. This would include protection of information and documents in line with Australian Government policies and procedures and only disclosing the information or documents for the purposes of section 315H or where otherwise provided for under other legislation.[269]

Protection of personal information

In addition to safeguards directed to the protection of commercially sensitive information, the broader legislative framework within which the Bill will operate may provide some protection to personal information that may be contained in information or a document obtained under proposed sections 314A-314D, 315C and 315H. In particular, the Explanatory Memorandum notes that Australian Government agencies subject to the Privacy Act 1988 are required to protect, use, disclose and destroy personal information in line with the requirements of that Act. Accordingly, the Explanatory Memorandum states that information or documents proposed to be shared in accordance with the requirements of proposed section 315H would ‘therefore generally be de-identified prior to being shared to remove personal information’ except where ‘information about a particular person needs to be shared for the purposes of security’ (such as where information about an individual is directly relevant to a security threat).[270] The complaints, investigation and enforcement mechanisms under the Privacy Act would be available in relation to disclosures that contravened the requirements of that Act.[271]

It is also worth noting that some Commonwealth agencies that are not subject to the requirements of the Privacy Act, such as intelligence agencies, are required to comply with administrative privacy rules or other administrative guidelines for the protection of personal privacy, which may offer some protection for the use and handling of any personal information disclosed in accordance with proposed section 315H.[272] Intelligence agencies’ compliance with applicable administrative rules or guidelines is subject to the independent oversight of the Inspector-General of Intelligence and Security (IGIS) under the Inspector-General of Intelligence and Security Act 1986.

Safeguards in relation to secondary disclosures made for the purposes of security

Where information or a document obtained under proposed sections 314A-314D and 315C is shared with another person under proposed subsection 315H(1) for the purposes specified in proposed paragraphs 315H(1)(a) or (b), that provision appears to authorise the recipient to engage in subsequent (secondary) disclosures of that information for one or both of the purposes specified in proposed paragraphs 315H(1)(a) and (b). The Explanatory Memorandum states that proposed paragraph 315H(1)(b) would ‘potentially authorise sharing of information or documents with state authorities or international partners, pursuant to the ASIO Act and formal information sharing arrangements with those countries’ (emphasis added).[273] As discussed below, however, proposed subsection 315H(1) would appear to allow secondary disclosures for the purpose of proposed paragraph 315H(1)(b) in a broader range of circumstances.

If ASIO proposes to engage in a secondary disclosure of information or documents ‘for the purposes of security’ under proposed paragraph 315H(1)(b), any such disclosure will be governed by the existing requirements contained in, or made under, the Australian Security Intelligence Organisation Act 1979 (ASIO Act) that authorise ASIO to communicate information obtained in the performance of its functions.[274] Significantly, these requirements include the authorisation or approval of persons to communicate information, and a requirement for the prior Ministerial approval of authorities of other countries to which ASIO may communicate information.[275] The ASIO Act contains criminal offences for the unauthorised communication of information.[276] ASIO’s compliance with the relevant statutory requirements, and supporting internal administrative guidelines, is also subject to the independent oversight of the IGIS.[277]

However, proposed subsection 315H(1) appears to allow a wider range of persons and agencies than ASIO to engage in secondary disclosures of information to other persons for the purposes specified in proposed paragraphs 315H(1)(a) and (b).

It is not clear whether there are any statutory or administrative safeguards in existence that would ensure a purported secondary disclosure of information or documents under proposed paragraph 315H(1)(b) was, in fact, rationally connected to, and necessary for, the purposes of security. It might be questioned whether every person or agency to which information is disclosed under proposed subsection 315H(1) would have the capacity to accurately assess this matter, or to assess the potential security implications of a secondary disclosure to a particular recipient or recipients.

Consideration might therefore be given to placing some further limitations on secondary disclosures of information or documents under proposed subsection 315H(1). This might be achieved in a variety of ways, such as: limiting the persons or agencies that can engage in secondary disclosures; limiting the range of persons or agencies to which secondary disclosures can be made; making provision for administrative limitations, such as authorising the primary discloser of the information or documents to impose conditions or limitations on secondary disclosures in individual cases; or imposing requirements for the prior approval of certain proposed secondary disclosures (or proposed secondary disclosures to certain recipients).

Consequences for contravening the limitations on disclosure in proposed section 315H

Although the Bill does not propose to create any specific sanctions for contravening the limitations on disclosure in proposed subsections 315H(1) and 315H(2) or the confidentiality obligation in proposed subsection 315H(3), a number of criminal and administrative sanctions may apply under existing legislation. For example, the Explanatory Memorandum notes:

[D]isciplinary action would be available under existing legislation for Australian Government employees who breach these provisions. Under the Public Service Act 1999 Australian Public Service employees must comply with all applicable Australian laws and could face disciplinary action for any breaches. Section 70 of the Crimes Act 1914 applies criminal sanctions to unauthorised disclosure of information by current or former Commonwealth officers. Many Australian state and territories have similar offences for unauthorised disclosure of information by public officials.[278]

Noting that proposed section 315F allows the Attorney-General to retain documents and copies provided under proposed section 315C, the confidentiality of documents retained under the section would also be protected under existing legislative requirements that govern the use and disclosure of documents and information held for official purposes, including secrecy obligations and storage requirements under the Archives Act 1983.[279]

Viewed as a whole, the existing legislative obligations placed on Commonwealth officers, including criminal offences and administrative sanctions for contravention, would appear to operate with proposed subsection 315H(3) as an effective deterrent against unauthorised disclosure. However, as outlined below, some stakeholders have raised concerns about the scope of the disclosures capable of being authorised under proposed section 315H.

Criticisms of the information gathering and sharing powers

Concern about the definition of ‘identifying information’

Proposed subsection 315H(4) defines ‘identifying information’ for the purpose of information or documents obtained under proposed sections 314A, 314B, 314C, 314D and 315C as ‘information that identifies the carrier, carriage service provider or carriage service intermediary concerned’. As such, it does not apply to information that would identify individuals.

The OAIC recommended that this definition be amended to include ‘personal information’ within the meaning of that term in the Privacy Act, so that the limitation on disclosures to non-Commonwealth officers in proposed subsection 315H(2) would also apply to personal information.[280]

However, Australian Government agencies subject to the Privacy Act are required to protect, use, disclose and destroy personal information in line with the requirements of that Act. While the Explanatory Memorandum notes that proposed section 315H ‘is intended to allow information to be shared for reasons of providing threat information and intelligence to foreign partners in support of reciprocal information sharing arrangements’, it nonetheless states:

Information or documents would therefore generally be de-identified prior to being shared to remove personal information, unless information about a particular person needs to be shared for the purposes of security (such as where information about an individual is directly relevant to a security threat).[281]

The Government also notes that ‘the restrictions in section 315H will not override existing legislative provisions that authorise ASIO to communicate information obtained in the performance of its functions’ and:

Parliament has already set out the circumstances in which it is considered appropriate for an agency such as ASIO to be able to communicate information collected as part of the performance of its functions, including personal and other information collected under warrant.[282]

If the recommendation of the OAIC to expand the definition of ‘identifying information’ in proposed subsection 315H(4) to include ‘personal information’ as defined in the Privacy Act were followed, there may be a risk the amendment would frustrate the intention that information (including personal information in some circumstances) should be shared with Australia’s foreign partners, including information in which an individual is identified where the information about that individual is directly relevant to a security threat.[283] As such, implementation of the OAIC’s recommendation would require proposed subsection 315H(2) to contain an exemption for disclosures of personal information in such circumstances.

Concerns about information-gathering powers

Vodafone expressed concern that the ‘sweeping’ information-gathering powers could be used to obtain information or documents from service providers ‘which could include documents that may contain commercially or personally sensitive information only some of which that may relate to matters specific to a security assessment’.[284] TPG also expressed concerns about the information-gathering powers, describing them as ‘very wide’ and stated that they amounted to a power to ‘require the Telco to go on a fishing-expedition to establish compliance’ with the security obligations.[285]

Telstra noted that ‘there are no limits on the scope of information that may be required’ and therefore compliance with a requirement to provide information or documents ‘may be time consuming, costly and difficult’ as a carrier or CSP is essentially required to comply with ‘an open-ended request for information’ that may involve ‘many potential sources of information’.[286]

Concerns about information-sharing powers

Despite the confidentiality obligation imposed by proposed subsection 315H(3) and the existing legislative obligations placed on Commonwealth officers and criminal offences related to the unauthorised disclosure of confidential information, Vodafone argued that the information-sharing power ‘is still too broad in the capability to demand and distribute commercially sensitive information’.[287]

Similarly, Telstra recommended that the definition of ‘identifying information’ in proposed subsection 315H(4) should be expanded to cover any information that could identify the carrier or CSP ‘including in combination with other reasonably accessible information.’[288]

Whilst acknowledging the introduction of a requirement to de-identify information acquired under proposed section 315C before disclosing it to a person other than a Commonwealth officer, Telstra argued that the process still posed:

... a real risk that a person with industry knowledge would be able to connect the remaining information to the relevant C/CSP. This is of particular concern when the disclosure is to a private third party who may, either now or in the future, work for Telstra's commercial competitors.[289]

Telstra recommended that, before disclosing any information to a person other than a Commonwealth officer, the Secretary should be required to provide the relevant carrier or CSP ‘with a copy of the information proposed to be disclosed’ and to then ‘consider in good faith’ any of the carrier’s or CSP’s comments and objections ‘including suggestions about how the information could be better de-identified’.[290]

The Explanatory Memorandum notes that carriers and CSPs will not be informed of proposed disclosures of information under proposed section 315H because this could ‘potentially compromise national security by identifying the types of issues considered by security agencies and the nature of sharing arrangements’.[291]

Reporting and oversight

Proposed section 315J requires the Secretary to provide an annual report to the Attorney-General on the operation of the Bill as soon as practicable after the end of the relevant financial year. Proposed subsection 315J(3) requires the Attorney-General to cause the tabling of a copy of the report in each House of the Parliament within 15 sitting days of that House after receiving the report.

Item 3 of the Bill prevents duplication of reporting and oversight by providing that the ACMA is not required to monitor or report to the Communications Minister on the operation of the Bill’s provisions as part of its annual reporting obligations in relation to the Act. Item 3 inserts proposed paragraph 105(5B), which provides that the ACMA’s reporting obligation in paragraph 105(5A)(a) of the Act does not apply in relation to Part 14 of the Act to the extent that it has been amended by this Bill (if enacted).

The PJCIS has recommended that the Bill be amended to specify what should be included in the annual report including:

  • the number of occasions the information-gathering powers have been exercised
  • the number of notifications and security capability plans received
  • regulatory performance measures, including the average response timeframes of the CAC to notifications and the proportion of responses made within the statutory timeframes
  • details of the Government’s information-sharing arrangements with industry
  • a summary of any feedback or complaints received from stakeholders and
  • the number of occasions the directions power has been exercised.

Concluding comments

The overall objectives and approach of the Bill appear to be largely consistent with previous consideration of security of the telecommunications sector by the PJCIS and Government responses to that committee’s recommendations. Although stakeholders have expressed concerns that the regime favours security considerations over commercial or competition concerns, it appears that the Government has determined that security considerations should be given priority while seeking to ensure that competition and cost issues are considered in decision-making processes.

The Bill’s reporting mechanism in proposed section 315J may enable Parliament and interested stakeholders to monitor and evaluate the operation of the proposed regime over time and assess whether an appropriate balance is struck in practice.



[1]. Attorney-General’s Department (AGD), Telecommunications sector security guidelines: knowing your legislative obligations to protect telecommunications networks and facilities from unauthorised access and interference: draft version, AGD, Canberra, November 2015, p. 37.

[2]. For further information including a flowchart of the administration of the TSSR, see ibid., p. 37.

[3]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, pp. 2, 4.

[4]. Ibid., pp. 4–5.

[5]. In May 2012, the then Attorney-General, Nicola Roxon, referred potential TSSR measures to the PJCIS for inquiry during the 43rd Parliament and, in particular, sought the PJCIS’s views on whether a regulatory response was necessary or appropriate and, if so, the appropriate structure of the regulatory model. As part of this process, the Government issued a discussion paper. See: AGD, Equipping Australia against emerging and evolving threats, AGD, Canberra, July 2012, pp. 29–39.

[6]. Parliamentary Joint Committee on Intelligence and Security (PJCIS), Report of the inquiry into potential reforms of Australia’s national security legislation, PJCIS, Canberra, May 2013, pp. xxviii–xxix.

[7]. Ibid., p. xxix.

[8]. Australian Government, Australian Government response to chapters 2 and 3 of the Parliamentary Joint Committee on Intelligence and Security's report of the inquiry into potential reforms of Australia's national security legislation, Australian Government, July 2015, p. 13.

[9]. G Brandis (Attorney-General) and M Turnbull (Minister for Communications), Consultation opens on reforms to strengthen the security of Australia's telecommunications networks, joint media release, 26 June 2015; and G Brandis (Attorney-General) and M Fifield (Minister for Communications and the Arts), Further consultation on telecommunications sector security reform, joint media release, 27 November 2015. Non-confidential submissions on the two exposure drafts are published at AGD, ‘Telecommunications security’, AGD website. A summary of changes made to the Bill in response to stakeholder feedback on exposure drafts is published at AGD, ‘Telecommunications sector security reforms’, AGD website, n.d.

[10]. AGD, ‘Telecommunications security’, AGD website.

[11]. Office of Best Practice Regulation, Department of the Prime Minister and Cabinet (DPMC), Telecommunications sector security reforms: regulatory impact statement, DPMC website, 6 July 2015. (The RIS also indicates that targeted consultations were held with C/CSPs in 2012, 2014 and 2015: RIS, Attachment B, p. 44.)

[12]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, pp. 50–103.

[13]. PJCIS, Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, PJCIS, Canberra, 27 February 2015, recommendation 36. (While the formal language used in the recommendation—that the government should enact legislation—is a non sequitur, the Committee’s supporting justification at p. 297 makes clear its intention that the TSSR framework should be implemented before the end of the implementation phase for data retention. Hence, it appears that the PJCIS was of the view that the government should introduce a Bill in sufficient time for its passage and commencement prior to the end of the implementation phase for data retention.)

[14]. Telecommunications (Interception and Access) Act 1979, subsection 187H(2).

[15]. PJCIS, Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, op. cit., p. 297.

[16]. Ibid., p. 298.

[17]. G Brandis (Attorney-General) and M Turnbull (Minister for Communications), Government response to committee report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, joint media release, 3 March 2015.

[18]. A Sheehan (Assistant Secretary, Communications Security Branch, National Security Division of the AGD), Evidence to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 16 February 2017, p. 5.

[19]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, pp. 23–24: ‘While the security obligation will have immediate effect from the expiry date of the implementation period, existing networks and facilities in place at the time the security obligation comes into effect that are non-compliant will not be subject to civil penalties for non-compliance with the security obligation to protect networks and facilities under subsections 313(1A) and (2A). C/CSPs are not expected to retrofit all systems on commencement of this security obligation. However, there may be very rare cases where a significant security vulnerability is found in an existing system that could facilitate acts of espionage, sabotage and foreign interference. In such cases, government agencies will seek to work with the provider to develop cost effective solutions to better manage the risks posed by the existing vulnerability. Subject to how serious the security risk is and how willing the C/CSP is to collaborate with government to manage the risk, the Attorney-General could issue a direction requiring mitigation measures to be implemented’.

[20]. Department of Prime Minister and Cabinet (DPMC), Australia's cyber security strategy: enabling innovation, growth and prosperity, DPMC, Canberra, 21 April 2016, p. 29.

[21]. Parliamentary Joint Committee on Intelligence and Security (PJCIS), Advisory report on the Telecommunications and Other Legislation Amendment Bill 2016, PJCIS, Canberra, June 2017, p. 25.

[22]. Senate Standing Committee for the Selection of Bills, Report, 10, 2016, The Senate, Canberra, 1 December 2016, p. 3.

[23]. Senate Standing Committee for the Scrutiny of Bills, Alert digest, 9, 2016, The Senate, Canberra, 23 November 2016, p. 13.

[24]. AGD, Equipping Australia against emerging and evolving threats, Commonwealth of Australia, Canberra, July 2012, pp. 29–39. See also: Parliamentary Joint Committee on Intelligence and Security (PJCIS), Report of the inquiry into potential reforms of Australia’s national security legislation, op. cit.

[25]. PJCIS, Report of the inquiry into potential reforms of Australia’s national security legislation, op. cit., pp. 82–84, recommendation 19.

[26]. PJCIS, Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, op. cit., recommendation 36.

[27]. Senate Standing Committee on Legal and Constitutional Affairs, Report on the comprehensive revision of the Telecommunications (Interception and Access) Act 1979, The Senate, Canberra, March 2015, p. 94.

[28]. S Martin, ‘ALP urges fresh draft of telco security laws’, The Australian, 12 August 2015, p. 6.

[29]. M Clarke and C Uhlmann, ‘Telcos draw the line at latest Federal Government changes to national security laws’, ABC News, 22 July 2015.

[30]. PJCIS, Report of the inquiry into potential reforms of Australia’s national security legislation, op. cit., recommendation 19. See also: pp. 84–86: ‘Although there are currently indirect incentives for service providers to protect their customers’ information (such as public relations damage), commercial interests will not always align with the national interest. To account for those instances where advice is not acted upon and where national security is threatened, the Committee agrees that Government should create a scheme including the capacity for Government to direct service providers to take certain remediation actions. The Committee believes there cannot be an effective and equitable security regime without enforcement mechanisms ... an infrastructure and information security regime should be introduced whether or not Government chooses to introduce a data retention regime’.

[31]. The submissions can be accessed from: AGD, ‘Telecommunications security’, AGD website, n.d.

[32]. AGD, ‘Telecommunications sector security reforms’, AGD website, n.d.

[33]. Ibid.

[34]. Australian Industry Group (AiGroup), Australian Information Industry Association (AIIA), Australian Mobile Telecommunications Association (AMTA) and Communications Alliance (Associations), Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 3 February 2016. The Associations also made a submission to the AGD’s consultation process regarding the Exposure Draft: Associations, Joint submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, January 2016.

[35]. Associations, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 3 February 2016, p. 6.

[36]. Ibid., p. 6.

[37]. Ibid., pp. 6–7.

[38]. Ibid., p. 7.

[39]. Ibid., p. 7.

[40]. Associations, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, February 2016, p. 5.

[41]. AGD, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, op. cit., p. 6.

[42]. Ibid.

[43]. Ibid., p. 10.

[44]. Ibid., p. 10.

[45]. Ibid., p. 11.

[46]. Ibid., p. 11.

[47]. Ibid., p. 7.

[48]. Australian Centre for Cyber Security (ACCS), Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 3 February 2016, p. 2.

[49]. Ibid., p. 3.

[50]. Ibid., p. 3. A 5-tuple refers to a set of five different values that comprise a Transmission Control Protocol/Internet Protocol (TCP/IP) connection. It includes a source IP address/port number, destination IP address/port number and the protocol in use. System and network administrators (NA) use 5-tuples to identify key requirements for creating a secure, operational and bidirectional network connection between two or more remote and local machines: Techopedia, ‘5-tuple: definition: what does 5-tuple mean?’, Techopedia website, n.d.

[51]. ACCS, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 3 February 2016, pp. 2–3.

[52]. Ibid., p. 4.

[53]. Ibid.

[54]. Ibid.

[55]. Ibid.

[56]. Ibid., p. 5.

[57]. Ibid.

[58]. Ibid., p. 6.

[59]. Ibid., p. 6.

[60]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 7.

[61]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, pp. 79–82. See also: AGD, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, op. cit., p. 8.

[62]. The Statement of Compatibility with Human Rights can be found at page 8 of the Explanatory Memorandum to the Bill.

[63]. Parliamentary Joint Committee on Human Rights (PJCHR), Report, 9, 2016, Canberra, 22 November 2016, p. 39.

[64]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, pp. 7, 23, 25, 27 and 33.

[65]. Attorney-General’s Department (AGD), ‘Telecommunications Sector Security Guidelines: draft version’, AGD website, November 2015.

[66]. PJCIS, Advisory report on the Telecommunications and Other Legislation Amendment Bill 2016, 30 June 2017, p. 41, paragraph [3.49].

[67]. Ibid., p. 154, paragraph [5.13].

[68]. Ibid., p. 4.

[69]. Ibid., p. 4.

[70]. Ibid., p. 4.

[71]. Associations, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 3 February 2016, p. 15.

[72]. Ibid., p. 16.

[73]. Ibid.

[74]. Ibid.

[75]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 22.

[76]. Ibid., p. 22.

[77]. Ibid., p. 23.

[78]. Ibid., p. 24.

[79]. Ibid.

[80]. Ibid., p. 24.

[81]. Ibid., pp. 24–25.

[82]. See for example: M Stanton (CEO, Communications Alliance), Evidence to PJCIS, Inquiry into Telecommunications and Other Legislation Amendment Bill 2016, 16 February 2017, p. 10: ‘It is the case that increasing the core carriage services while they provide an underlay is only part of the mix that consumers are looking for, be they messaging apps, be they non-carrier based email—any one of hundreds of over-the-top services that form part of the bouquet for Australian providers. There is uncertainty around what obligations you have to protect or to guard against any risk to something that is a value-add that you do not own or control’ and: C Gillespie-Jones (Director, Program Management, Communications Alliance), Evidence to PJCIS, Inquiry into Telecommunications and Other Legislation Amendment Bill 2016, 16 February 2017, p. 10: ‘At the moment, I would say that unfortunately there is not too much uncertainty about it. If you are providing an over-the-top service and you are reselling it as an Australian carriage service provider, you would be bound by TSSR obligations. If, as a consumer, you were to buy the same service from a non-Australian over-the-top provider—exactly the same service just not rebranded with a different Australian brand—then the obligations would not apply ... One is bound by the obligations; the other one is not. That, as such, is not a desirable outcome for competition, because it does mean the Australian providers that offer these over-the-top services are disadvantaged over other non-Australian providers’.

[83]. Ibid., p. 108; AGD, Telecommunications sector security guidelines, Draft version, AGD, Canberra, November 2015.

[84]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 2.

[85]. Ibid.

[86]. Ibid., p. 3.

[87]. Australian Security Intelligence Organisation Act 1979, section 4.

[88]. Defined as an offence against Subdivision A of Division 72 or Part 5.3 of the Criminal Code Act 1995.

[89]. These deal with foreign incursions and recruitment, hostage-taking offences, various ship and fixed-platform related offences (such as seizing a ship or fixed platform, damaging a ship or fixed platform, or giving false information that will endanger a ship) and various offences related to aircraft (for example, hijacking or endangering the safety of aircraft in flight).

[90]. Various offences in relation to internationally protected persons (for example, diplomats) include murder, kidnapping and damaging official premises (for example, an embassy).

[91]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 22.

[92]. Associations, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 3 February 2016, pp. 13–14.

[93]. Telecommunications Act 1997, sections 7, 16, 56 and 86.

[94]. Telecommunications Act 1997, sections 7 and 16.

[95]. Telecommunications Act 1997, subsection 87(5).

[96]. See also the amendment to section 311 of the Act proposed by item 5 of the Bill.

[97]. Proposed subsection 313(1A).

[98]. Proposed subsection 313(1A).

[99]. Under section 570 of the Telecommunications Act the pecuniary penalties for contraventions of civil penalty provisions (which would include the security obligation) provide that the maximum amount that could be payable would be $10m for a body corporate and $50 000 for a natural person: Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, pp. 17, 31, 34, 46, and 54.

[100]. Under proposed sections 315A and 315B.

[101]. Section 68 of the Telecommunications Act provides that a carrier or person must comply with the conditions of its carrier licence, which include compliance with the Telecommunications Act, the TIA Act and other legislation. Schedule 1, section 1 of the Telecommunications Act also provides that a carrier must comply with the Telecommunications Act 1997, the Telecommunications (Consumer Protection and Service Standards) Act 1999 and regulations under that Act, and Chapter 5 of the Telecommunications (Interception and Access) Act 1979. In turn, section 570 of the Telecommunications Act sets out the pecuniary penalties for contravention of the civil penalty provisions, and Part 1 of Schedule 1 of the Telecommunications Act provides that the standard conditions of a carrier licence include compliance with the Telecommunications Act, the TIA Act and other legislation. Collectively, this ensures that failure to comply with the security obligation, the information gathering powers or a direction could result in significant civil penalties being imposed.

[102]. Proposed subsection 313(1B).

[103]. Proposed subsection 313(1B).

[104]. Proposed subsection 313(2B).

[105]. Subsection 87(5) of the Telecommunications Act 1997 provides that an entity who receives a reward for arranging the supply of a listed carriage service by a carriage service provider to a third person who would be a carriage service provider if the person had supplied that carriage service and who has a commercial relationship with the third person which is governed by an agreement relating to the continuing supply of the service.

[106]. As noted by the Australian Communications and Media Authority (ACMA), subsection 87(5) of the Telecommunications Act 1997 is ‘intended to capture switchless resellers and/or aggregators who may not themselves be supplying a listed carriage service’: ACMA, ‘Service provider obligations’, ACMA website, 7 November 2016.

[107]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 22.

[108]. Ibid., p. 23.

[109]. Ibid., p. 25.

[110]. Ibid., p. 23.

[111]. Ibid., p. 26.

[112]. Ibid., p. 26.

[113]. Ibid., p. 23.

[114]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 24.

[115]. Ibid.

[116]. Ibid., pp. 24–25.

[117]. Ibid., p. 23.

[118]. Ibid.

[119]. AGD, Telecommunications sector security guidelines, op. cit., p. 15.

[120]. Ibid., p. 15.

[121]. Ibid., pp. 15–22.

[122]. Optus, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, 14 January 2016, p. 2.

[123]. Proposed subsection 313(1A).

[124]. Proposed subsection 313(2).

[125]. Associations, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 3 February 2017, p. 13.

[126]. Ibid., p. 16.

[127]. Ibid., p. 17.

[128]. Ibid., p. 17.

[129]. Law Council of Australia (LCA), Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, 18 January 2016, p. 4.

[130]. Ibid., p. 4.

[131]. Optus, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 1.

[132]. Ibid., p. 1.

[133]. Foxtel, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 3 February 2016, p. 2. Foxtel made a similar point in its submission regarding the ED: Foxtel, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, 19 January 2016, p. 2.

[134]. Foxtel, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, op. cit., p. 2. Foxtel made a similar point in its submission regarding the ED, stating: it’s not clear whether its broadcasting and content infrastructure and facilities will also be subject to the new protection obligations’: Foxtel, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 2.

[135]. Foxtel, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, op. cit., pp. 3–4; Foxtel, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 4.

[136]. Foxtel, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, op. cit., p. 4; Foxtel, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., pp. 3–4.

[137]. Foxtel, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, op. cit., p. 4.

[138]. AGD, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, submission no. 4, 3 February 2017, p. 15.

[139]. Ibid., p. 16.

[140]. PJCIS, Advisory report, op. cit., p. 42.

[141]. Associations, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, op. cit., pp. 3, 18; Macquarie Telecom, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, submission no. 2, February 2017, p. 3.

[142]. Associations, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, op. cit., p. 18.

[143]. Ibid., p. 3.

[144]. Ibid., p. 18.

[145]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 24.

[146]. AGD, ‘Interception capability plans’, AGD website, n.d. Under section 6R of the Telecommunications (Interception and Access) Act 1979 (TIA Act), the CAC is the Secretary of the Department (AGD) or a person specified in a legislative instrument by the Minister to be the CAC. Under the TIA Act the CAC has various powers relating to authorisations; consultation with ACMA and the Information Commissioner; declaring the application of various parts of the TIA Act to carriers and service providers; approving and amending data retention implementation plans; and granting exemptions from certain of the obligations imposed on service providers or carriers by the TIA Act: see for example sections 183, 187B, 187E, 187F, 187G, 187H, 187J, 187K, 187KA, 192, 196 and 197 of the TIA Act.

[147]. Proposed subsections 314A(4)–(7).

[148]. Section 276 of the Telecommunications Act 1997 contains an offence for the unauthorised disclosure and use of certain information. This includes information that ‘relates to’ the contents or substance of a communication that has been carried by a C/CSP; carriage services supplied or intended to be supplied to another person; and the affairs or personal particulars (including any unlisted telephone number or any address) of another person (and hence includes metadata, as it ‘relates to’ the content of communications).

[149]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 28.

[150]. Ibid., p. 29.

[151]. Ibid., pp. 29–30.

[152]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 28.

[153]. AGD, Telecommunications sector security guidelines (draft version), op. cit., p. 27.

[154]. Ibid.

[155]. Ibid.

[156]. AGD, Telecommunications sector security guidelines (draft version), op. cit., pp. 25–26.

[157]. PJCIS, Advisory report, op. cit., p. 57.

[158]. Proposed subsection 314D(2).

[159]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, pp. 31–32.

[160]. AGD, Telecommunications sector security guidelines, op. cit., p. 31.

[161]. Ibid.

[162]. Ibid.

[163]. Ibid., pp. 31–32.

[164]. Ibid., p. 32.

[165]. Ibid.

[166]. Ibid.

[167]. Ibid.

[168]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 32.

[169]. Ibid.

[170]. Ibid., p. 34.

[171]. Proposed subsections 314B(1) and 314D(1).

[172]. Proposed subsections 314B(2) and 314D(2).

[173]. Proposed paragraphs 314B(3)(a) and (b) and proposed paragraphs 314D(3)(a) and (b). See also the definition of the term ‘security’ in proposed subsections 314B(7) and 314D(7).

[174]. Proposed paragraphs 314B(3)(c)–(e) and 314D(3)(c)–(e).

[175]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 30.

[176]. The reasons for this are set out at paragraphs [144]–[148] and [161]–[163] of the Explanatory Memorandum to the Bill.

[177]. Proposed subsections 314B(5) and 314D(5).

[178]. Proposed subsections 314B(6) and 314D(6). (Notices issued under proposed subsection 314D(6) may relate to one or more proposed changes to an SCP.)

[179]. Proposed paragraphs 314B(6)(b) and 314D(6)(b).

[180]. Associations, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 3 February 2017, p. 12.

[181]. Ibid.

[182]. Ibid.

[183]. Ibid.

[184]. Ibid.

[185]. Ibid., p. 15.

[186]. Ibid., p. 15.

[187]. Optus, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 3.

[188]. Optus, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, submission no. 1, 3 February 2017, p. 7.

[189]. Ibid.

[190]. Vodafone Hutchison Australia (Vodafone), Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, n.d., pp. 3–4.

[191]. TPG Telecom Limited Group (TPG), Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, 18 January 2016, p. 2.

[192]. Macquarie Telecom, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, submission no. 2, February 2017, p. 3.

[193]. Ibid., p. 4.

[194]. Ibid., p. 4.

[195]. Ibid., p. 4.

[196]. See, for example, Associations, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 3 February 2017, pp. 13–14.

[197]. M Stanton (CEO, Communications Alliance), Evidence to PJCIS, Inquiry into Telecommunications and Other Legislation Amendment Bill 2016, 16 February 2017, p. 8.

[198]. AGD, Telecommunications sector security guidelines, op. cit., p. 30.

[199]. Ibid., p. 9.

[200]. Optus, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, op. cit., p. 5.

[201]. Ibid., p. 2.

[202]. Ibid.

[203]. Foxtel, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 2.

[204]. Ibid., p. 2; Foxtel, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, op. cit., pp. 3–4: ‘Foxtel considers it should be clarified that where infrastructure and facilities are used solely or principally for the supply of broadcasting services it is not subject to the proposed reforms ... Foxtel requests the Committee recommend there be further clarification ... about the purpose and application of the proposed ... notification requirements ... to clarify that infrastructure and facilities used solely or principally for broadcasting or content services are not intended to be subject to this additional regulation’.

[205]. Ibid., pp. 3–4.

[206]. Ibid., p. 4.

[207]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 29.

[208]. This is the Communications Minister: Administrative Arrangements Order, 1 September 2016, p. 9.

[209]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 3.

[210]. Schedule 1, items 27–29.

[211]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 35.

[212]. Ibid.

[213]. Proposed subsection 315A(3); Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 35.

[214]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 35.

[215]. Proposed subsections 315A(4) and (5).

[216]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 35.

[217]. Ibid., p. 14. See also p. 58.

[218]. ASIO, ASIO’s security assessment function, ASIO, Canberra, September 2013, p. 1.

[219]. Ibid.

[220]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 36.

[221]. Proposed paragraphs 315B(1)(a)–(c).

[222]. Proposed subsections 315B(1) and (3).

[223]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 35; ASIO, ‘Attorney-General’s guidelines’, n.d.; ASIO, Attorney-General’s guidelines in relation to the performance by the Australian Security Intelligence Organisation of its function of obtaining, correlating, evaluating and communicating intelligence relevant to security (including politically motivated violence), n.d. (made under s 8A of the ASIO Act), para 4.1(b) at p. 3.

[224]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, pp. 14–15 and p. 36.

[225]. Ibid., p. 15.

[226]. Proposed paragraph 315B(8)(a) and proposed subsection 315B(10).

[227]. Proposed subparagraphs 315B(8)(b)(i)–(ii) and proposed subsection 315B(9).

[228]. Proposed subparagraph 315B(8)(b)(iii).

[229]. Proposed subsection 315B(5).

[230]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 39.

[231]. Ibid., p. 40.

[232]. Ibid., p. 39.

[233]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 38.

[234]. Ibid., p. 39.

[235]. Ibid., p. 40.

[236]. TPG, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 3.

[237]. Ibid., p. 4.

[238]. Vodafone, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 3.

[239]. TPG, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 4.

[240]. Ibid.

[241]. Optus, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 4.

[242]. Ibid.

[243]. Ibid.

[244]. Vodafone, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 3.

[245]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, pp. 38–39.

[246]. LCA, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 3.

[247]. Ibid., p. 3.

[248]. Ibid., p. 3.

[249]. Ibid., p. 3.

[250]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 35; ASIO, ‘Attorney-General’s guidelines’, n.d.; ASIO, Attorney-General’s guidelines in relation to the performance by the Australian Security Intelligence Organisation of its function of obtaining, correlating, evaluating and communicating intelligence relevant to security (including politically motivated violence), n.d. (made under s 8A of the ASIO Act), para 4.1(b) at p. 3.

[251]. Ibid., p. 4.

[252]. Ibid., p. 4.

[253]. TPG, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 4.

[254]. Ibid.

[255]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 35.

[256]. Ibid.

[257]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, pp. 35–36.

[258]. Proposed subsections 315C(1) and (2).

[259]. Proposed section 315G. (The Secretary may delegate certain of his or her information-gathering powers to the Director-General of Security, by a written instrument of delegation. In exercising delegated powers, the Director-General is required under proposed subsection 315C(2) to comply with any directions the Secretary may issue.)

[260]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 42: ‘Non-compliance with a notice to provide information or documents will constitute a breach of the Telecommunications Act and will attract the operation of the civil remedies regime in Part 30 (injunctions), Part 31 (civil penalties) and Part 31A (enforceable undertakings) of the Telecommunications Act. The Bill authorises the Attorney-General to bring proceedings to enforce these remedies for non-compliance with a notice issued under section 315C.’

[261]. Telecommunications Act 1997, Schedule 1, section 1: a carrier must comply with the Telecommunications Act 1997, the Telecommunications (Consumer Protection and Service Standards) Act 1999 and Regulations under that Act and Chapter 5 of the Telecommunications (Interception and Access) Act 1979.

[262]. Ibid.

[263]. Telecommunications Act 1997, Schedule 2, section 1: a service provider must comply with the Telecommunications Act 1997, the Telecommunications (Consumer Protection and Service Standards) Act 1999 and Regulations under that Act and Chapter 5 of the Telecommunications (Interception and Access) Act 1979.

[264]. Ibid.

[265]. ‘Use’ immunity means that, where a person is required to answer questions or give information that would tend to incriminate them or expose them to a penalty, the information or evidence they give may not be used directly against them in court. ‘Derivative use’ immunity goes further: the information or evidence given may not be used to gather other evidence against that person either: AGD, A guide to framing Commonwealth offences, infringement notices and enforcement powers, AGD, Canberra, September 2011, pp. 97–98.

[266]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 43.

[267]. ‘Commonwealth Officer’ is defined in proposed subsection 315H(4) as including (a) a person who is in the employment of the Commonwealth, other than a person who is engaged outside Australia to perform duties outside Australia as an employee; or (b) a person who holds or performs the duties of any office or position established by or under a law of the Commonwealth; or (c) a member of the Australian Defence Force; or (d) the Commissioner of the Australian Federal Police, a Deputy Commissioner of the Australian Federal Police, an AFP employee, a special member or a special protective service officer (all within the meaning of the Australian Federal Police Act 1979). Importantly, this includes persons employed by the Director-General of Security, on behalf of the Commonwealth, under subsection 84(1) of the Australian Security Intelligence Organisation Act 1979.

[268]. Ibid.

[269]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, pp. 43–44.

[270]. Ibid., p. 43, paragraph [210].

[271]. For a useful summary, see: Office of the Australian Information Commissioner (OAIC), Guide to privacy regulatory action, June 2015.

[272]. For a useful summary of privacy rules applied to Australian Intelligence Community (AIC) agencies, see: Inspector-General of Intelligence and Security (IGIS), ‘AIC privacy protections’, IGIS website.

[273]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, pp. 43–44.

[274]. See further: Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 44.

[275]. ASIO Act, subsections 18(1) and 18(3)–(4B) (authorisations in relation to the disclosure of intelligence and other information) and section 19, especially paragraph 19(1)(c) (cooperation with other entities for the purpose of ASIO performing its functions, including cooperation and information-sharing with authorities of other countries approved by the Attorney-General). See further: Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 44, paragraph [216], which states that ‘in general, the types of foreign authorities that are approved by the Attorney-General perform broadly similar functions to ASIO, and include security and intelligence agencies, law enforcement, immigration and border control, and government coordination bodies’.

[276]. ASIO Act, subsection 18(2). See also sections 18A and 18B (offences for unauthorised dealings with records and the unauthorised making of records of information, which apply to conduct that places information at risk of unauthorised disclosure that falls short of communication).

[277]. See further: Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 44.

[278]. Ibid., p. 45.

[279]. Ibid., p. 42.

[280]. OAIC, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 8 February 2017, pp. 2–3.

[281]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 44.

[282]. Ibid.

[283]. Ibid.

[284]. Vodafone, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 4.

[285]. TPG, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 4.

[286]. Telstra, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, 22 December 2015, p. 5.

[287]. Vodafone, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 4.

[288]. Telstra, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 5.

[289]. Ibid.

[290]. Ibid.

[291]. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 44.

 

For copyright reasons some linked items are only available to members of Parliament.


© Commonwealth of Australia

Creative Commons

With the exception of the Commonwealth Coat of Arms, and to the extent that copyright subsists in a third party, this publication, its logo and front page design are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Australia licence.

In essence, you are free to copy and communicate this work in its current form for all non-commercial purposes, as long as you attribute the work to the author and abide by the other licence terms. The work cannot be adapted or modified in any way. Content from this publication should be attributed in the following way: Author(s), Title of publication, Series Name and No, Publisher, Date.

To the extent that copyright subsists in third party quotes it remains with the original owner and permission may be required to reuse the material.

Inquiries regarding the licence and any use of the publication are welcome to webmanager@aph.gov.au.

Disclaimer: Bills Digests are prepared to support the work of the Australian Parliament. They are produced under time and resource constraints and aim to be available in time for debate in the Chambers. The views expressed in Bills Digests do not reflect an official position of the Australian Parliamentary Library, nor do they constitute professional legal opinion. Bills Digests reflect the relevant legislation as introduced and do not canvass subsequent amendments or developments. Other sources should be consulted to determine the official status of the Bill.

Any concerns or complaints should be directed to the Parliamentary Librarian. Parliamentary Library staff are available to discuss the contents of publications with Senators and Members and their staff. To access this service, clients may contact the author or the Library’s Central Enquiry Point for referral.