Introductory Info

Date introduced: 5 March 2020
House: House of Representatives
Portfolio: Home Affairs
Commencement: Sections 1‑3 on Royal Assent; Parts 1, 2 and 4 of Schedule 1 on the day after Royal Assent; Part 3 of Schedule 1 immediately after Parts 1 and 2 of Schedule 1 commence or on commencement of the Federal Circuit and Family Court of Australia Act 2020, whichever is later. However, Part 3 will not commence if the Federal Circuit and Family Court of Australia Act 2020 does not commence.

The Bills Digest at a glance

The Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (the Bill) will introduce a regime for Australian agencies to obtain international production orders (IPOs) that require designated communications providers overseas to intercept communications and provide access to stored communications and telecommunications data.

The IPO scheme is intended to provide a faster alternative to the formal mutual legal assistance process for obtaining access to certain information and data held by overseas providers (and for overseas authorities to access information and data held by Australian providers).

Certain agencies will be able to apply for IPOs for the purposes of investigating serious offences, carrying out the Australian Security Intelligence Organisation’s (ASIO) functions, and purposes related to control orders. IPOs will be externally authorised and only available in relation to providers in countries with which Australia has a bilateral or multilateral agreement on cross-border access to electronic information and communications data.

The Bill also includes amendments to ensure that Australian communications providers are not prevented from responding to incoming requests for access to electronic information and communications data from countries with which Australia has an agreement in place.

Key issues in relation to the Bill include:

• the lack of required parameters for international agreements and incoming orders made under them. The Bill lacks the protections included under equivalent United States legislation and the safeguards provided for under mutual assistance laws with respect to matters such as protection of human rights, including the right to life and prohibition on torture, and restrictions on accessing data about Australian persons
• whether international agreements will be subject to adequate scrutiny, including by the Parliament, before coming into effect and when they are amended
• whether it is appropriate for certain members of the Administrative Appeals Tribunal to issue orders in addition to or instead of members of the judiciary
• the lack of protections for journalists’ telecommunications data compared to domestic provisions
• the appropriateness of IPOs for purposes relating to control orders, in particular for monitoring compliance with a control order, and the fact that powers will be available for those purposes under IPOs that are not currently available within Australia
• the appropriateness of IPOs for national security purposes (particularly given the breadth of powers to access telecommunications data) and whether the safeguards for these IPOs are adequate and
• the adequacy of provisions enabling service providers to object to IPOs, both in terms of the grounds for objection and the means of considering and determining such objections.

The Bill is being considered by the Parliamentary Joint Committee on Intelligence and Security.

The Senate Standing Committee for the Scrutiny of Bills and the Parliamentary Joint Committee on Human Rights each sought additional information from the Minister on several aspects of the Bill. Having considered the Minister’s responses, both committees suggested that consideration be given to making particular amendments to the Bill.

Purpose of the Bill

The purpose of the Bill is to amend the Telecommunications (Interception and Access) Act 1979 (the TIA Act) and make consequential amendments to other Acts to introduce a framework for Australian agencies to obtain an international production order (IPO) requiring a designated communications provider (DCP) overseas to:

• intercept communications
• provide access to stored communications or
• provide access to telecommunications data.

Certain agencies will be able to apply for IPOs in relation to investigating serious offences, carrying out ASIO’s functions, and purposes relating to control orders.

IPOs will be authorised externally to the requesting agency. They will only be available in relation to providers in countries with which Australia has a bilateral or multilateral agreement on cross-border access to electronic information and communications data; that is, a designated international agreement.

The Bill will also amend the TIA Act and other Acts to ensure that Australian communications providers are not prevented from responding to incoming requests for access to electronic information and communications data from countries with which Australia has a designated international agreement.

The proposed IPO framework is intended to provide a faster alternative to the formal mutual legal assistance process for obtaining access to certain information and data held by overseas providers (and for overseas authorities to access information and data held by Australian providers).

Structure of the Bill

The Bill comprises a single Schedule of four parts:

• Part 1 contains the main amendments to the TIA Act and consequential amendments to the Australian Crime Commission Act 2002, Australian Security Intelligence Organisation Act 1979, Freedom of Information Act 1982, International Criminal Court Act 2002, Law Enforcement Integrity Commissioner Act 2006 and the Mutual Assistance in Criminal Matters Act 1987.

Item 43 will add proposed Schedule 1 to the TIA Act, comprising:

• Part 1—Introduction
• Part 2—International production orders relating to the enforcement of the criminal law
• Part 3—International production orders relating to control orders
• Part 4—International production orders relating to national security
• Part 5—Giving of international production orders
• Part 6—Revocation of international production orders
• Part 7—Objections to, and cancellation of, international production orders
• Part 8—Compliance with international production orders
• Part 9—Reporting and record-keeping requirements
• Part 10—Oversight by the Commonwealth Ombudsman
• Part 11—Disclosure of protected information
• Part 12—Evidentiary certificates
• Part 13—Incoming orders and requests and
• Part 14—Miscellaneous.

• Part 2 contains an application provision.
• Part 3 contains a technical amendment contingent on the commencement of the Federal Circuit and Family Court of Australia Act 2020.[1]
• Part 4 contains technical amendments to the TIA Act and the Surveillance Devices Act 2004.

Background

Existing framework for cross-border data access

Australia currently relies on the mutual legal assistance framework to obtain admissible evidence for criminal investigations and prosecutions.[2] While information useful to investigations may also be obtained through police-to-police and agency-to-agency assistance, the mutual assistance framework provides standardised procedures for the sharing of certain evidence between countries for the purposes of criminal matters (generally, criminal investigations and prosecutions and proceeds of crime matters).

Australia is party to several bilateral and multilateral treaties regulating mutual assistance, but may also make and consider requests in the absence of a treaty.[3] Similarly, while the Mutual Assistance in Criminal Matters Act 1987 (MACMA) specifically provides for particular types of incoming and outgoing requests including access to stored communications, data held in computers and telecommunications data, it does not prohibit other types of assistance.[4]

The International Crime Cooperation Central Authority (ICCCA), part of the Attorney-General’s Department (AGD), manages mutual assistance requests.[5] The ICCCA forwards requests for assistance, made by the Attorney-General or a delegate on behalf of an Australian law enforcement or prosecuting agency, to the central authority of the relevant country. The request is considered and, if accepted, executed by local authorities under domestic laws. The resulting information is returned to the requesting agency via the ICCCA.[6]

Incoming requests from foreign countries must be made through the ICCCA.[7] Incoming requests are considered by the Attorney-General or a delegate in accordance with the MACMA, which sets out grounds on which requests must or may be refused.[8] Among the circumstances in which an incoming request must be refused are where:

• the overseas offence is a political offence
• the overseas offence may be punished by imposition of the death penalty (except in special circumstances) or
• there are substantial grounds for believing:
  • the request was made for the purpose of ‘causing prejudice to a person on account of the person’s race, sex, sexual orientation, religion, nationality or political opinions’
  • the request has been made with a view to investigating, prosecuting or punishing a person for a political offence or
  • assisting with the request is likely to put a person in danger of being subjected to torture.[9]

Among the circumstances in which an incoming request may be refused are where:

• the provision of assistance may result in the death penalty being imposed on a person, and the Attorney-General considers that in the circumstances of the case the request should not be granted
• the person has already been acquitted or pardoned or undergone punishment for another offence constituted by the same conduct
• assisting with the request could prejudice the investigation or prosecution of a criminal matter in Australia or would, or would be likely to, prejudice the safety of any person or
• the Attorney-General considers that in the circumstances of the case the request should not be granted .[10]

If a request is accepted, it is executed by an Australian law enforcement agency under the MACMA and other applicable laws, and the resulting information is returned by ICCCA to the requesting country.[11]

Challenges associated with the current framework

The length of time it takes to process a mutual assistance request varies depending on a number of factors, and can be anywhere from several days for urgent requests to several years.[12] The average processing time for outgoing Australian requests for communications data is 10‑12 months.[13] This is comparable to other countries.[14]

Data of interest to Australian investigations is increasingly held overseas.[15] Accordingly, the volume of outgoing mutual assistance requests, including those for communications data, has increased significantly over the last ten years.[16] While this in itself is not necessarily a challenge, it means that the problem of long time frames to process these requests is affecting an increasing number of investigations and prosecutions.

The negative impacts of lengthy processing times can go beyond simply delay to include ‘charges being withdrawn, less serious charges being laid or a weaker case going before the court which does not show the full picture of criminality, and may ultimately lead to lower sentences being imposed’, as well as providing an opportunity for further offending to occur in the meantime.[17]

United States CLOUD Act

The United States Clarifying Lawful Overseas Use of Data Act (CLOUD Act) of 2018 aims to address the challenges associated with increasing volumes of data being held overseas in two ways:[18]

• it amended US law to require technology companies to provide data in response to certain US warrants, authorisations and court orders, regardless of where the data is located (and addressed related potential conflicts of law) and
• it allowed the US to enter into executive agreements with foreign countries under which authorities in each country may obtain data directly from technology companies in the other country under domestic orders as an alternative to the mutual assistance process.[19]

A key advantage claimed for the CLOUD Act framework is that it facilitates faster access for authorities to data for purposes relating to serious crime.[20]

Before an agreement made under the CLOUD Act may enter into force, the US Attorney-General (with the concurrence of the Secretary of State) must determine and certify to Congress that:

• the domestic law of the other country, and its implementation, ‘affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement’ (including, for example, adhering to applicable international human rights)
• the foreign government ‘has adopted appropriate procedures to minimize the acquisition, retention, and dissemination of information concerning United States persons subject to the agreement’
• the terms of the agreement ‘shall not create any obligation that providers be capable of decrypting data or limitation that prevents providers from decrypting data’ and
• the agreement contains specific requirements for orders made under the agreement.[21]

Among the specific requirements concerning orders are that:

• orders must:
  • be ‘for the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution of serious crime, including terrorism’
  • identify a specific person, account, address, personal device or other specific identifier as the object of the order
  • be subject to review or oversight by an independent authority prior to, or in proceedings regarding, enforcement of the order and
  • not be used to infringe freedom of speech
• the foreign government may not:
  • intentionally target a US person or person located in the US or
  • issue an order so as to provide information to the US or a third-party government and
• the foreign government must:
  • store data securely and to the maximum extent possible, comply with minimisation requirements
  • provide reciprocal rights of data access for US authorities and
  • generally not disseminate the information obtained to the US Government.[22]

US/UK agreement and proposed Australian agreement under the CLOUD Act

The first agreement under the CLOUD Act was entered into by the US and the United Kingdom in October 2019. The US/UK agreement enables orders to be made in the US to access electronic data held in the UK and vice-versa, for the purposes of ‘the prevention, detection, investigation, or prosecution of Serious Crime’, [23] where ‘Serious Crime’ means an offence punishable by a maximum term of imprisonment of at least three years.[24]

The US/UK agreement includes provisions required by the CLOUD Act, such as those relating to targeting and minimisation procedures, as well as specific provisions limiting the use of data in the US for an offence for which the death penalty is sought and in the UK where it raises freedom of speech concerns for the US.[25]

Australia and the US commenced formal negotiations for a bilateral agreement under the CLOUD Act in October 2019.[26]

UK legislation

The Crime (Overseas Production Orders) Act 2019 (UK) enables overseas production orders to be issued for the purposes of obtaining electronic data[27] for a terrorist investigation[28] or an investigation of, or proceedings in respect of, an indictable offence,[29] where a designated international co-operation arrangement is in place.[30]

A treaty related to mutual assistance in investigation and prosecution of offences may be specified as a designated international co-operation arrangement by regulations, but only after it has been tabled in Parliament before ratification in accordance with the Constitutional Reform and Governance Act 2010 (UK).[31]

Committee consideration

Parliamentary Joint Committee on Intelligence and Security

The Bill has been referred to the Parliamentary Joint Committee on Intelligence and Security for inquiry and report by 26 June 2020; however, the report had not been tabled as at the date of this Digest. Details of the inquiry are at the inquiry homepage.

Senate Standing Committee for the Scrutiny of Bills

The Senate Standing Committee for the Scrutiny of Bills (Scrutiny of Bills Committee) sought the Minister’s advice on several aspects of the Bill, in particular:

• why it is necessary and appropriate to allow IPOs to be issued by Administrative Appeals Tribunal (AAT) members
• whether the Bill could be amended to include a national public interest monitor (PIM) scheme so that PIMs may make submissions in relation to all IPO applications (only Victoria and Queensland have state-based PIMs)
• whether the Bill could be amended to require that all IPOs only be issued if the issuer is satisfied that the IPO would be likely to substantially assist with the relevant purpose (as applies to IPOs related to control orders), rather than ‘likely to assist’[32]
• whether the three month period allowed for reporting IPOs to the Commonwealth Ombudsman could be reduced, and whether the Ombudsman could be permitted to obtain information from officials on the basis of reasonable suspicion instead of reasonable belief
• why it is necessary and appropriate to permit a broad range of persons to apply for an IPO, and whether the Bill could be amended to place stricter limits on who may apply
• the rationale for including a provision stating that failure to comply with requirements relating to Ombudsman notification does not affect the validity of an IPO
• why it is necessary to allow most of the Ombudsman’s powers to be delegated to APS employees of any level, and whether consideration could be given to amendments
• why it is necessary to provide the Ombudsman and related persons with immunity from legal action
• whether the Bill could be amended to provide that all evidentiary certificates are to be taken as prima facie, not conclusive, evidence of the relevant matter
• why it is considered necessary and appropriate to:

  … allow information held in Australia to be accessed by foreign governments in circumstances where existing legislative protections for the accessing of information have been removed and no safeguards are provided on the face of the bill to ensure a designated international agreement contains sufficient safeguards regarding the circumstances in which information can be accessed

• whether the Bill could be amended to set out minimum privacy protections and safeguards that must be included in designated international agreements, require agreements to be tabled in Parliament, and provide that regulations designating agreements do not commence until after the Parliament has had an opportunity to scrutinise the international agreement.[33]

After considering the Minister’s response, the Scrutiny of Bills Committee requested that additional information be included in the Explanatory Memorandum and considered that several amendments should be made to the Bill.[34]

With respect to parliamentary oversight of international agreements, the Committee recommended the Bill:

• be amended to:
  • specify minimum protections and safeguards related to privacy that must be included in designated international agreements;
  • require that, before the Australian Government signs a designated international agreement with a foreign government:
    • the Australian Government must conduct a publicly-available assessment of the laws and the legal and democratic processes of the relevant foreign country, to ensure that there are adequate safeguards in place against undue trespass on personal rights and liberties, including but not limited to undue trespass on the right to privacy; and
    • the ministers responsible for domestic and international privacy and human rights matters must approve the proposed agreement.[35]
• be amended so that regulations designating international agreements do not come into effect until they have been approved in resolutions of each House of Parliament.

On other matters, the Committee recommended the Bill be amended to:

• provide that only judicial officers may issue IPOs, or at a minimum, limit the issue of IPOs by AAT members to a President or Deputy President of the AAT with at least five years’ experience as a legal practitioner
• require issuers for all types of IPOs to have regard to whether a proposed IPO would be the method that is likely to have the least interference with any person’s privacy
• establish a national PIM scheme so that PIMs can be involved in consideration of all proposed IPOs
• require chief officers to notify the Ombudsman of IPOs issued in relation to control orders as soon as is reasonably practicable
• permit the Ombudsman to obtain information from officials on the basis of reasonable suspicion instead of reasonable belief
• require agency heads to be satisfied that persons authorised to apply for IPOs possess the appropriate skills, training and expertise and
• restrict the delegation of the Ombudsman’s powers to specific persons or roles, or require the Ombudsman to be satisfied that delegates have expertise appropriate to the relevant function or power.[36]

Parliamentary Joint Committee on Human Rights

The Parliamentary Joint Committee on Human Rights (PJCHR) sought extensive further information from the Minister in order to fully assess the Bill’s compatibility with the right to privacy, including:

• for IPOs:
  • why the Bill does not provide for PIMs nationwide, and why PIMs have no role in applications for IPOs concerning stored communications
  • whether the interference with privacy is greater for interception than for access to stored communications and why
  • why any AAT member with five years’ experience as an enrolled legal practitioner should be eligible to be appointed as an issuing authority for IPOs, and whether that is consistent with the requirement that judicial authorities issue surveillance warrants
  • why the Bill does not require greater consideration by issuers of interference with privacy before IPOs are issued and
  • whether all of the exceptions to the prohibition on use, recording and disclosure of protected information obtained under an IPO are appropriate and
• for incoming requests:
  • what the legitimate objective is in relation to removing privacy protections so that telecommunications material may be intercepted and accessed by foreign governments and
  • what safeguards will apply before foreign governments issue requests, and what oversight mechanisms will apply before Australia enters into a designated international agreement.[37]

The PJCHR also sought further information from the Minister in order to fully assess the Bill’s compatibility with:

• the right to an effective remedy for a person whose privacy might be violated by the issue of an IPO, in particular ‘whether a person who was the subject of an IPO will be made aware of that after the investigation has been completed’ and if not, how he or she would effectively access a remedy for a violation of privacy and
• the right to life and the prohibition against torture, cruel, inhuman or degrading treatment or punishment, in particular:
  • why the bill does not provide that an international agreement will not be designated unless there is a written assurance that information provided pursuant to an IPO will not be used in connection with any proceeding by way of a prosecution for an offence against the law of the foreign country that is punishable by death;
  • what safeguards are in place to ensure that information from an IPO would not be shared overseas in circumstances that could expose a person to torture, or cruel, inhuman or degrading treatment or punishment.[38]

After considering the Minister’s response, the PJCHR considered that:

• the Bill may not adequately protect the right to privacy, and consideration should be given to amendments to:
  • establish a national scheme whereby an independent expert (such as a PIM) is involved in consideration of all IPOs concerning telecommunications interception and access to stored communications
  • remove the ability for AAT members to issue IPOs, or at least limit the issue of IPOs by AAT members to senior members only
  • require the issuer of an IPO relating to a control order to consider the gravity of the conduct being investigated and
  • require issuers of all types of IPOs to consider how much the privacy of the person would be likely to be interfered with
• it does not appear that individuals in relation to whom IPOs are made will be likely to be able to access an effective remedy for any violation of their right to privacy
• consideration should be given to amendments to reduce the risk that information may be shared with a foreign country that could expose a person to the death penalty or to cruel, inhuman or degrading treatment or punishment and
• consideration should be given to amending the Bill to require the Minister to be reasonably satisfied that an international agreement contains sufficient safeguards and independent processes to protect the right to privacy before the agreement can be designated in regulations.[39]

Policy position of non-government parties/independents

The Shadow Attorney-General reportedly expressed concern about the lack of specific protections for journalists and their sources under IPOs.[40] However, the Labor Party’s position on the Bill as a whole did not appear to have been made public as at the date of this Bills Digest.

Other non-government parties and independents did not appear to have publicly stated their positions on the Bill as at the date of this Digest.

Position of major interest groups

Some of the main concerns raised by different stakeholder groups are summarised briefly below. Further information is provided where relevant in the ‘Key issues and provisions’ section of this Digest.

Oversight bodies

Inspector-General of Intelligence and Security

The Inspector-General of Intelligence and Security (IGIS) will oversee ASIO’s use of the IPO regime.

In her submission to the PJCIS, the IGIS raised several issues on which amendments could be considered; among them:

• issues relating to thresholds for the issue of IPOs relating to national security, including the lack of a requirement to consider privacy, proportionality and human rights, and the low threshold for access to telecommunications data
• the lack of protections for journalists’ telecommunications data compared to domestic provisions
• allowing all ASIO officers to apply for IPOs and
• the lack of statutory guidance on what constitutes urgent circumstances.[41]

Commonwealth Ombudsman

The Commonwealth Ombudsman will inspect and report on records relating to IPOs held by the Australian Designated Authority (ADA) and law enforcement and anti-corruption agencies.

The Ombudsman estimated that its oversight of IPOs could result in up to 65 additional inspections per year. While stating in a submission to the PJCIS that he was broadly comfortable with the new oversight role proposed, the Ombudsman noted that his Office would require additional funding ‘to undertake the activities necessary to assure the Parliament these new powers are being used appropriately’.[42]

Civil society

Key concerns raised by civil society stakeholders in submissions to the PJCIS included whether the Bill adequately protects privacy and individual rights, whether it is appropriate for AAT members to be able to issue IPOs, and the lack of safeguards in relation to incoming requests.

Privacy and individual rights

Some civil society stakeholders considered that there will be inadequate consideration given to privacy in the issue of different types of IPOs. Unlike IPOs relating to criminal law enforcement and control orders, the issuer for IPOs relating to national security will not be required to consider how much the privacy of ‘any person or persons’ will be interfered with before issuing an IPO. The Law Council of Australia (LCA) recommended that this be a required consideration for all IPOs.[43]

For other IPOs, the issuer will only be required to consider whether action under an IPO would be the method that is likely to have the least interference with any person’s privacy if an IPO is sought for interception in relation to a control order. The Australian National University Law Reform and Social Justice Research Hub (ANU Research Hub) questioned why this test was not required for all IPOs.[44]

Several civil society stakeholders also recommended that consideration be given to establishing a national system of PIMs to represent the interests of the subjects of all proposed IPOs.[45]

Issuers of IPOs

Some civil society stakeholders considered that AAT members lack the independence required to properly fulfil the role of considering and issuing IPOs. The Australian Privacy Foundation (Privacy Foundation) stated:

The Bill seeks to enshrine authorisation by a member of the Administrative Appeals Tribunal rather than by a court. Reliance on the AAT is inappropriate and of deep concern, particularly given community perceptions that the Tribunal is being influenced through appointments that reflect political affiliation. It is symptomatic of ongoing weakening of privacy protection.[46]

The LCA recommended that IPOs relating to criminal law enforcement and control orders should only be issued by judicial officers, to provide greater substantive and perceived independence to the approval process. In the alternative, it recommended restricting the issue of IPOs by AAT members to ‘Deputy Presidential and senior members, and members of the Security Division who have been admitted as Australian lawyers for a minimum of five years’.[47]

The LCA also questioned why the issue of IPOs relating to national security will be restricted only to members of the AAT’s Security Division, and recommended that judicial officers also be able to be appointed as issuers.[48]

Incoming requests

With respect to incoming requests from countries with which Australia has an agreement, the Bill provides only that Australian organisations will be exempt from laws that would otherwise prevent their compliance with those requests. Several civil society stakeholders were concerned that this approach fails to protect against the inappropriate use of such requests and lacks important safeguards included in the mutual assistance framework (such as refusal of requests where they relate to political offences or would put the person in danger of being subjected to torture).[49]

Scrutiny of international agreements

Partly due to the lack of restrictions placed on incoming requests, the LCA and ANU Research Hub sought assurance that international agreements will be made public in full and subject to appropriate scrutiny before coming into force.[50]

Information and Communications Technology sector

Some Information and Communications Technology (ICT) sector stakeholders shared the concerns of civil society stakeholders about the adequacy of protections for privacy and individual rights,[51] and about the issue of IPOs by AAT members.[52]

Other key concerns raised by ICT sector stakeholders included the ability for Australian authorities to seek the imposition of civil penalties for failure to comply with an IPO,[53] and the limited availability of mechanisms to appeal or object to an IPO.[54]

Agencies impacted by the Bill

The Commonwealth Director of Public Prosecutions and several agencies that will be able to apply for IPOs made submissions to the inquiry in support of the Bill.[55]

Financial implications

The Explanatory Memorandum states that financial impacts will be met from existing appropriations.[56]

As noted above, the Ombudsman noted that his Office would require additional funding to provide oversight of the proposed framework.

Statement of Compatibility with Human Rights

As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bill engages the protection against arbitrary or unlawful interference with privacy, the rights to freedom of expression and to an effective remedy, and the right to life. It assesses that the Bill is compatible with those rights on the basis that any limitations are reasonable, necessary and proportionate.[57]

As noted above, the PJCHR recommended that consideration be given to several amendments to improve the human rights compatibility of the Bill.

Key issues and provisions

Proposed Schedule 1 to the TIA Act—‘International Production Orders’

Proposed Schedule 1 to the TIA Act has 14 parts, which are listed above under the heading ‘Structure of the Bill’. The provisions are discussed in order of significance rather than according to the structure of the Schedule.

Incoming orders and requests (Part 13)

The international agreements the Bill is designed to support are focused on enabling orders made in one country to be sent directly to and actioned by service providers in another, so the bulk of the Bill concerns the making of Australian orders. Proposed Part 13 of Schedule 1 to the TIA Act, which concerns incoming orders and requests from countries with which Australia has an agreement, is brief. It provides only that Australian organisations will be exempt from laws that would otherwise prevent their compliance with those orders and requests.

The prohibitions for which organisations in Australia will be exempt for the purposes of complying with an incoming order or request concern:

• telecommunications interception and dealing with intercepted information
• access to and dealing with stored communications and
• disclosure and use by certain persons of information and documents relating to:
  • the contents or substance of certain communications
  • carriage services supplied or intended to be supplied to another person or
  • the affairs or personal particulars of another person.[58]

Issue: no statutory limits on incoming requests

The Bill does not place any limits or restrictions on incoming requests. This is perhaps because unlike the mutual assistance framework, under which requests are considered by the Government, incoming requests will be made by countries directly to service providers in Australia under the relevant designated international agreement.[59] It would not be appropriate to put providers in the position of having to determine the sorts of matters that constitute grounds on which a mutual assistance request must or may be refused (such as those relating to political offences, potential human rights abuses and potential application of the death penalty).

Instead it appears that the scheme intends any restrictions to be included in the international agreements under which orders are made. However, as outlined below, the Bill does not set any parameters around limitations or restrictions that must be addressed in an international agreement.

Ability to object to incoming requests

The means by which and grounds on which Australian-based organisations may object to overseas orders will depend on the domestic legislation in the issuing country, mirroring the way that the Bill sets out how and on what grounds a DCP may object to an Australian IPO.[60]

The US CLOUD Act allows an overseas provider to file a motion in a US court to quash or modify a US warrant, authorisation or order if the provider reasonably believes:

• the customer or subscriber in relation to whom information is sought is not a US person and does not reside in the US and
• the required disclosure would create a material risk that the provider would violate the laws of a country with which the US has an executive agreement that is in force.[61]

The Crime (Overseas Production Orders) Act 2019 (UK) allows a person affected by an order (including an overseas provider) to apply to a UK judge to have the order varied or revoked, but does not specify on what grounds a revocation may be sought.[62]

It is also possible to include restrictions in the international agreements under which orders are made so that incoming orders should not be made in the first place in certain circumstances. This possibility is explored below.

Content of designated international agreements (Part 1, clause 3)

An agreement with a foreign country for cross-border data access will need to be specified in regulations before it will be a designated international agreement under which IPOs and equivalent incoming orders may be made.[63] Such regulations will be subject to disallowance in the usual way.[64] There is a limitation on when agreements relating to countries that have offences for which the death penalty may be imposed can be specified in regulations (see further under ‘Death penalty issues’ below), but that limitation applies to the designation of an agreement in regulations, not directly to the agreements themselves. Apart from that limitation, the Bill contains no specific requirements that must be met before an international agreement may be entered into or designated in regulations.

Death penalty issues

Australia has a long-standing and bipartisan position of opposing the death penalty.[65] Proposed subclauses 3(2), (4) and (5) are intended to give effect to Australia’s opposition to the death penalty in the context of cross-border sharing of communications data. However, stronger protections may be required to give full effect to that policy intent.

Proposed subclauses 3(2), (4) and (5) provide that a bilateral agreement must not be specified as a designated international agreement, and a foreign country must not be specified as a recognised party to a multilateral designated international agreement, unless:

… the Minister has received a written assurance from the government of the foreign country relating to the use or non-use, in connection with any proceeding by way of a prosecution for an offence against the law of the foreign country that is punishable by death, of Australian-sourced information obtained in accordance with such an order.[66] [emphasis added]

The Explanatory Memorandum indicates that the reason for the inclusion of use (instead of only non-use) of information is to account for circumstances where the information will be used for exculpatory purposes.[67] However, as pointed out by the PJCHR and some stakeholders, the provisions will not require the Minister to be satisfied that information will only be used in a manner consistent with the right to life and Australia’s opposition to the death penalty.[68] Amendments could be considered to bring the provisions into closer alignment with the stated policy intent.

Other instances in which Australia may wish to refuse or restrict access to data

Other than the limitation relating to the death penalty outlined above, the Bill does not contain any provisions to ensure that international agreements may only be designated and come into force if they meet certain requirements and contain particular safeguards. The PJCHR and several stakeholders raised concerns about the lack of required parameters for international agreements and incoming orders made under them.[69] For example, the PJCHR noted that nothing in the Bill would prevent Australian providers from disclosing information that could lead to a person being tortured or subjected to cruel, inhuman or degrading treatment or punishment, and the Allens Hub suggested incoming orders be restricted to those concerning serious crime.[70]

As incoming orders and requests will be made directly to Australian providers, it will be important to clearly articulate any limitations or restrictions Australia wishes to impose on orders that may be made under an international agreement. While it could be left entirely to the government of the day to ensure appropriate provisions are included in each agreement, the Parliament may wish to consider amending the Bill to legislate minimum requirements for the designation of international agreements, as the US has done. As noted in the ‘Background’ section of this Digest, the CLOUD Act requires the Attorney-General to determine and certify to Congress a range of matters before an executive agreement under the Act may come into force.[71] The grounds on which mutual assistance requests must be refused could also provide a useful starting point.[72]

Issue: scrutiny of designated international agreements

The Scrutiny of Bills Committee and several stakeholders including the IGIS and the LCA raised concerns about whether agreements must be made public, and whether they will be subject to adequate scrutiny, including by the Parliament.[73]

It appears that designated international agreements will be treaties.[74] While such requirements are not explicit in the Bill, the Government has stated that copies of international agreements will be tabled in Parliament with accompanying National Interest Analyses, and reviewed by the Joint Standing Committee on Treaties (JSCOT).[75] This process would facilitate some scrutiny of proposed agreements by Parliament, and by the public through JSCOT’s review process. However, it falls short of the US requirements for international agreements under the CLOUD Act.

As noted in the ‘Background’ section of this Digest, the CLOUD Act requires the Attorney-General to determine and certify to Congress a range of matters before an executive agreement under the Act may come into force.[76] When the Attorney-General provides notice of the determination of those matters and a copy of the agreement to Congress, he or she must provide it to the Senate Committee on the Judiciary, the Senate Committee on Foreign Relations, the House Committee on the Judiciary and the House Committee on Foreign Affairs.[77] Agencies must promptly respond to requests from the Chairman or Ranking Member of one of those committees for a summary of factors considered in determining that the foreign government meets the relevant requirements.[78] Congress may enact a joint resolution of disapproval of an agreement, in which case it does not enter into force.[79]

Changes to designated international agreements

References to an agreement between Australia and one or more foreign countries in regulations made for the purposes of Schedule 1 to the TIA Act, an application made under that Schedule, any other instrument made under that Schedule, or an international production order are references to the agreement ‘as amended and in force for Australia from time to time’.[80] The LCA expressed concern about the impact of this provision, stating that it would deprive the Parliament of:

… the opportunity to disallow potentially significant amendments to the agreement, in respect of which it may have exercised its disallowance power had those matters been included in the original version of the agreement.[81]

In contrast, the CLOUD Act provides that if an executive agreement is revised, it is treated as a new agreement and is subject to the same determination, certification and disallowance procedures (except that timeframes for committee reports and resolutions of disapproval are shortened).[82]

Issue: Administrative Appeals Tribunal members issuing IPOs

IPOs relating to investigation of a serious offence or to a control order may be issued by certain judges and magistrates.[83] The Attorney-General may also nominate or appoint certain members of the AAT to issue such IPOs.[84]

The proposed issue of IPOs by AAT members attracted criticism from the Scrutiny of Bills Committee, the PJCHR, and a range of stakeholders. Noting the significant intrusion on privacy, the committees questioned why the issue of IPOs was not restricted to judicial officers, while stakeholders questioned whether AAT members have sufficient independence to properly fulfil the role of considering and issuing IPOs.[85] For example, the LCA stated:

… the requirement for a judicial officer to authorise the issue of an IPO provides greater independence, both substantive and perceived, in the approval process for IPOs. Even while acting persona designata, a judicial officer must act consistently with the essential requirements of the judicial process. This includes the independence and impartiality of their decision making, their application of the rules of natural justice, and their ascertainment of the law and facts followed by an application of the law to the facts as determined.[86]

Similarly, BSA stated:

The circumstances relating to the issuance of any IPO could be very complex and could extend beyond the immediate merits of the application. Judicial authorities are generally considered to be best placed to weigh evidence presented from the requesting interception agency regarding the necessity of issuing the IPO including evidence as to why other less intrusive measures are unavailable or insufficient in the circumstances, along with other important considerations such as the reasonableness, proportionality, practicability, and feasibility of the proposed requirements.[87]

While domestic interception and stored communications warrants may also be issued by certain AAT members, the Scrutiny of Bills Committee did not consider that consistency with existing provisions was sufficient justification, on its own, for taking the same approach with IPOs.[88]

The LCA also questioned why the issue of national security IPOs will be restricted only to members of the AAT’s Security Division, and recommended that judicial officers also be able to be appointed as issuers.[89]

Issue: Public interest monitors (PIMs)

Consistent with the TIA Act, if an interception agency of Victoria or Queensland applies for an interception IPO, the relevant PIM may make submissions to the issuer about matters to which the issuer must have regard in deciding whether to issue an IPO, and may question the person making the application or a person required to give further information about the application in the presence of the issuer.[90] The issuer must have regard to any submissions made by the PIM in determining whether to issue an interception IPO in relation to an investigation or a control order.[91]

The Scrutiny of Bills Committee, PJCHR and several civil society and ICT sector stakeholders noted the absence of PIMs in most states and territories and suggested that the Bill could be amended to include a national PIM scheme.[92] The committees considered that such a scheme should apply for IPOs in relation to stored communications and telecommunications data as well as interception.[93] If a national scheme was to be established, it would be logical to extend it beyond IPOs to other intrusive powers, including but not limited to those under the body of the TIA Act.

Definitions (Part 1)

Proposed Part 1 includes definitions for the purposes of the proposed Schedule. A key definition relevant to all types of IPO is designated communications provider, (proposed clause 2), which will mean a:

• carrier, carriage service provider (defined more broadly than in the body of the TIA Act)
• message/call application service provider (which will capture providers of services such as Kik Messenger, WhatsApp, Viber and Skype),
• storage/back-up service provider (which will capture providers of services such as Dropbox) or
• general electronic content service provider (which will capture providers of services such as Facebook, Reddit and Youtube).[94]

Other key definitions in proposed clause 2 include those for:

• carriage service (equivalent to the body of the TIA Act)
• message/call application service
• protected information
• storage/back-up service
• stored communication (defined more broadly than in the body of the TIA Act)
• telecommunications data (not currently defined in the body of the TIA Act)
• video call and
• voice call.

Further key definitions in proposed Part 1 include:

• designated international agreement—meaning a bilateral or multilateral agreement specified in the regulations (proposed clause 3)
• message application service (proposed clause 4)
• voice call application service (proposed clause 5)
• video call application service (proposed clause 6) and
• general electronic content service (proposed clause 8).

Part 2—IPOs relating to the enforcement of the criminal law

There are three different types of IPOs relating to the enforcement of the criminal law: an IPO relating to interception, an IPO relating to stored communications and an IPO relating to telecommunications data. The offences in relation to which IPOs may be sought, the agencies able to apply, the issuer, the thresholds for issue and other requirements differ by the type of order. The agencies able to apply for IPOs are consistent with the agencies able to apply for interception and stored communications warrants and to authorise access to telecommunications data under the body of the TIA Act.

Agencies able to apply for orders

An interception agency will be able to apply for an IPO relating to interception; that is:

• Commonwealth agencies (Australian Federal Police (AFP), Australian Criminal Intelligence Commission (ACIC) and Australian Commission for Law Enforcement Integrity (ACLEI)) and
• eligible authorities of States (including the NT) in relation to which a declaration under section 34 of the TIA Act is in force.[95]

A criminal-law enforcement agency will be able to apply for an IPO relating to stored communications; that is: AFP, ACIC, ACLEI, the Department of Home Affairs (only in connection with the investigation of certain contraventions), the Australian Securities and Investments Commission, the Australian Competition and Consumer Commission, state and territory police forces, crime commissions and anti-corruption agencies, and other declared authorities.[96]

An enforcement agency will be able to apply for an IPO relating to telecommunications data; that is: subject to any limitations, criminal-law enforcement agencies and authorities and bodies for which declarations under subsection 176A(3) of the TIA Act are in force.[97]

Issuer of orders

Consistent with Part 2-5 of the TIA Act, IPOs for interception may be issued by an eligible Judge or a nominated AAT member.[98]

Consistent with Part 3-3 of the TIA Act, IPOs for access to stored communications may be issued by an issuing authority (judges and magistrates who have consented, and certain AAT members, appointed in writing by the Attorney-General).[99]

Under Division 4 of Part 4-1 of the TIA Act, authorisations for access to telecommunications data may be made by certain officers within each enforcement agency.[100] IPOs for access to telecommunications data will instead be issued by issuing authorities.[101] The reason for this appears to be that the US CLOUD Act requires incoming orders to be ‘subject to review or oversight by a court, judge, magistrate, or other independent authority’.[102]

Offences for which orders may be made

IPOs for interception may be made for the purposes of the investigation of one or more serious category 2 offences, defined as a serious offence within the meaning of section 5D of the TIA Act or an offence punishable by a maximum penalty of imprisonment for seven years or more or by life imprisonment.[103] Interception for investigations under Part 2-5 of the TIA Act is restricted to investigation of serious offences.[104] The Explanatory Memorandum does not address why IPOs for interception should be available for investigation of offences carrying a certain penalty but which do not constitute serious offences under section 5D of the TIA Act.

IPOs for access to stored communications and telecommunications data may be made for the purposes of the investigation of one or more serious category 1 offences, defined as an offence punishable by a maximum penalty of imprisonment for three years or more or by life imprisonment.[105] The three year threshold matches that which applies to stored communications warrants under Part 3-3 of the TIA Act and authorisations for access to prospective information or documents under Division 4 of Part 4-1.[106]

Part 2, Division 2—IPO relating to interception: enforcement of the criminal law

An interception agency will be able to apply for an IPO relating to interception; that is: Commonwealth agencies (AFP, ACIC and ACLEI) and eligible authorities of States (including the NT) in relation to which a declaration under section 34 of the TIA Act is in force.[107]

IPOs for interception may be made for the purposes of the investigation of one or more serious category 2 offences, defined as a serious offence within the meaning of section 5D of the TIA Act or an offence punishable by a maximum penalty of imprisonment for seven years or more or by life imprisonment.[108]

An eligible Judge or a nominated AAT member will be able to issue an IPO in respect of one or more individual carriage services or one or more individual message/call application services directing a DCP to:

• intercept communications carried/sent, made or received during a specified period
• make those communications available to the agency that requested the order and
• disclose to that agency specified telecommunications data relating to:
  • the intercepted communications and
  • the individual carriage services or individual message/call application services.[109]

The specified period must not begin before the order is given to the DCP. It may be up to 90 days if the order relates to services used by a person involved in the offence or offences being investigated, and up to 45 days if the order relates to services used by another person with whom a person involved is likely to communicate.[110] The time limits are the same as for telecommunications service warrants under the body of the TIA Act.[111]

General thresholds

For an IPO relating to one or more individual carriage services, the issuer must be satisfied that:

• there are reasonable grounds for suspecting that the DCP:
  • owns or operates a telecommunications network that is, or is likely to be, used to supply those individual carriage services or
  • supplies those individual carriage services
• there are reasonable grounds for suspecting that a particular person is using, or is likely to use, those individual carriage services
• information likely to be obtained by intercepting communications being carried by those individual carriage services would be likely to assist in connection with the investigation by the agency of one or more serious category 2 offences in which the particular person is involved, or another person is involved with whom the particular person is likely to communicate using those individual carriage services
• the application complies with the requirements in Subdivision A, Division 2, Part 2 of Schedule 1 to the TIA Act for the making of applications and
• in the case of a telephone application, because of urgent circumstances, it was necessary for the application to be made by telephone.[112]

Equivalent thresholds apply for IPOs relating to one or more individual message/call application services.[113]

The thresholds are similar to those that apply for telecommunications service warrants under Part 2-5 of the TIA Act.[114]

Safeguards

The safeguards are largely similar to those that apply for telecommunications service warrants under the body of the TIA Act.

If an interception agency of Victoria or Queensland applies for an IPO, the relevant PIM may make submissions to the issuer about matters to which the issuer must have regard in deciding whether to issue an IPO, and may question the person making the application or a person required to give further information about the application in the presence of the issuer.[115]

In deciding whether to issue an IPO, the issuer must have regard to the same matters as an issuer deciding whether to issue a telecommunications service warrant under Part 2-5 of the TIA Act. These include how much the privacy of any person or persons would be likely to be interfered with by the proposed interception, the gravity of the conduct involved in the offence or offences being investigated, how much the information sought to be obtained would be likely to assist the investigation and if relevant, submissions made by a PIM. However, unlike under Part 2-5 of the TIA Act, where the issuer must have regard only to the listed issues, the issuer must also consider such other matters (if any) as the issuer considers relevant.[116]

The issuer must not issue an IPO relating to individual carriage services used by another person with whom a particular person involved in an offence being investigated is likely to communicate unless he or she is satisfied that:

• the agency has exhausted all other practicable methods of identifying the individual carriage services used or likely to be used by the particular person or
• interception of communications carried by individual carriage services used or likely to be used by the particular person would not otherwise be possible.[117]

An equivalent restriction applies for IPOs relating to individual message/call application services.[118]

Applications, content of orders and making of further orders

Provisions concerning the making of applications are similar to those for telecommunications service warrants under Part 2-5 of the TIA Act. For example, applications must generally be made in writing and accompanied by affidavits that address certain matters, but applications may be made by telephone in urgent circumstances.[119] However, affidavits will not be required to specify the period for which it is requested an IPO be in force and why that period is considered necessary.[120] Applications must also nominate a designated international agreement.[121]

IPOs will be required to be signed by the issuer and to contain particular details, including the date of issue, the names of the interception agency, the DCP and the designated international agreement nominated in the application, applicable telecommunications identifiers, and short particulars of each serious category 2 offence in relation to which the issuer was satisfied that the proposed interception would be likely to assist an investigation.[122]

Schedule 1 will not prevent the issue of a further IPO under clause 30 directed to the same DCP in relation to the same services as an earlier IPO issued under the same provision, so long as the period specified in the further order begins after the end of the period specified in the original order.[123]

Part 2, Division 3—IPO relating to stored communications: enforcement of the criminal law

A criminal-law enforcement agency will be able to apply for an IPO relating to stored communications. A criminal-law enforcement agency is: AFP, ACIC, ACLEI, the Department of Home Affairs (only in connection with the investigation of certain contraventions), the Australian Securities and Investments Commission, the Australian Competition and Consumer Commission, state and territory police forces, crime commissions and anti-corruption agencies, and other declared authorities.[124]

IPOs for access to stored communications may be made for the purposes of the investigation of one or more serious category 1 offences, defined as an offence punishable by a maximum penalty of imprisonment for three years or more or by life imprisonment.[125]

An issuing authority[126] will be able to issue an IPO directing a DCP to:

• make a copy of certain stored communications
• make the copy available to the agency that requested the order and
• disclose to that agency specified telecommunications data relating to:
  • the stored communications and
  • the individual carriage service (for communications carried by such a service), the individual message/call application service (for messages sent or received, or recordings of voice or video calls made or received using such a service) or the end-user’s account with the service (for material uploaded for storage or back-up by a storage/back-up service or posted to a general electronic content service).[127]

General thresholds

To issue an IPO relating to stored communications, the issuing authority must be satisfied that:

• there are reasonable grounds for suspecting that the DCP holds stored communications consisting of:
  • communications made, messages sent or received, recordings of voice or video calls made or received, or material that has been uploaded to a storage/back-up service or posted to a general electronic content service by a particular person using a relevant network or service or
  • communications made by another person using a relevant network or service, for which the particular person is the intended recipient and
• information likely to be obtained by making a copy of the stored communications would be likely to assist in connection with the investigation by the agency of one or more serious category 1 offences in which the particular person is involved
• the application complies with the requirements in Subdivision A, Division 3, Part 2 of Schedule 1 to the TIA Act for the making of applications and
• in the case of a telephone application, because of urgent circumstances, it was necessary for the application to be made by telephone.[128]

The thresholds are similar to those that apply for stored communications warrants under Part 3-3 of the TIA Act.[129]

Safeguards

In deciding whether to issue an IPO, the issuing authority must have regard to the same matters as an issuer deciding whether to issue a stored communications warrant under Part 3-3 of the TIA Act. These include how much the privacy of any person or persons would be likely to be interfered with by the agency obtaining a copy of the stored communications, the gravity of the conduct involved in the offence or offences being investigated and how much the information sought to be obtained would be likely to assist the investigation. However, unlike under Part 3-3 of the TIA Act, where the issuing authority must have regard only to the listed issues, the issuing authority must also consider such other matters (if any) as the issuing authority considers relevant.[130]

Issue: no end date for IPOs for stored communications

Under Part 3-3 of the TIA Act, stored communications warrants only remain in force until first executed by a particular carrier or for five days from the date of issue, whichever occurs sooner.[131] The Bill contains no provisions limiting how long an IPO remains in force, which would seem to leave open the possibility that an IPO could be executed more than once, and potentially long after the IPO was made.

Applications, content of orders and making of further orders

Provisions concerning the making of applications are similar to those for stored communications warrants under Part 3-3 of the TIA Act. For example, applications must generally be made in writing and accompanied by affidavits that address certain matters, but applications may be made by telephone in urgent circumstances.[132] Applications must also nominate a designated international agreement.[133]

IPOs will be required to be signed by the issuing authority and to contain particular details, including the date of issue, the names of the criminal law-enforcement agency, the DCP and the designated international agreement nominated in the application, and short particulars of each serious category 1 offence in relation to which the issuing authority was satisfied that the proposed action would be likely to assist an investigation.[134]

Schedule 1 will not prevent the issue of a further IPO under clause 39 directed to the same DCP in respect of the same person as an earlier IPO issued under the same provision.[135]

Part 2, Division 4—IPO relating to telecommunications data: enforcement of the criminal law

An enforcement agency will be able to apply for an IPO for telecommunications data. An enforcement agency is: subject to any limitations, criminal-law enforcement agencies and authorities and bodies for which declarations under subsection 176A(3) of the TIA Act are in force.[136]

IPOs for access to telecommunications data may be made for the purposes of the investigation of one or more serious category 1 offences, defined as an offence punishable by a maximum penalty of imprisonment for three years or more or by life imprisonment.[137]

An issuing authority[138] will be able to issue an IPO directing a DCP to disclose to the agency that applied for the order telecommunications data:

• held by the DCP when the IPO comes into force (existing data) and/or
• that commences to be held by the CDP during a specified period (prospective data).[139]

The specified period in an IPO for prospective data must not begin before the order is given to the DCP and must not be longer than 90 days.[140]

Issue: length of specified period for prospective data

The specified period for which an IPO may require a DCP provide prospective data is twice as long as that permitted under Division 4, Part 4-1 of the TIA Act.[141] The Explanatory Memorandum does not address why this was considered necessary or appropriate. It may be that a longer period was considered appropriate because IPOs will be externally authorised, while authorisations for access to telecommunications data under Part 4-1 of the TIA Act are made by certain officers within the agencies seeking access.

General thresholds

To issue an IPO relating to telecommunications data, the issuing authority must be satisfied that:

• there are reasonable grounds for suspecting that the DCP holds, or is likely to commence to hold, telecommunications data that relates to:
  • an individual carriage service supplied by the DCP, or communications carried on such a service
  • an individual carriage service supplied using a telecommunications network owned or operated by the DCP, or communications carried on such a service
  • an individual message/call application service provided by the DCP, or messages sent or received or voice or video calls made or received using such a service
  • material that has been uploaded by an end-user for storage or back-up by a storage/back-up service provided by the DCP or
  • material that has been posted on a general electronic content service provided by the DCP and
• disclosing the telecommunications data to the enforcement agency would be likely to assist in connection with the investigation by the agency of one or more serious category 1 offences
• the application complies with the requirements in Subdivision A, Division 4, Part 2 of Schedule 1 to the TIA Act for the making of applications and
• in the case of a telephone application, because of urgent circumstances, it was necessary for the application to be made by telephone.[142]

Safeguards

In deciding whether to issue an IPO, the issuing authority must have regard to certain matters, specifically:

• how much the privacy of any person or persons would be likely to be interfered with by disclosing the telecommunications data
• the gravity of the conduct involved in the offence or offences being investigated
• how much the information sought to be obtained would be likely to assist the investigation
• to what extent other methods of investigation have been used by, or are available to, the enforcement agency and
• how much the use of other methods would be likely to:
  • assist in connection with the investigation and
  • prejudice the investigation.[143]

The issuing authority must also have regard to such other matters (if any) he or she considers relevant.[144]

These matters are modelled on those to be considered for stored communications warrants under Part 3-3 of the TIA Act instead of the obligation of authorising officers to consider privacy before authorising access to telecommunications data under Part 4-1.[145]

Issue: no special protections for journalists’ sources

Under Part 4-1 of the TIA Act, an authorising officer of an enforcement agency must not issue a telecommunications data authorisation for the purpose of identifying a journalist’s source, except under a journalist information warrant (JIW).[146] An issuing authority may only issue a JIW if he or she is satisfied that:

• the warrant is reasonably necessary for the purpose set out in the relevant provision and[147]
• the public interest in issuing the warrant outweighs the public interest in protecting the confidentiality of the identity of the source, having regard to:
  • the extent of interference with any person’s privacy
  • the gravity of the matter in relation to which the warrant is sought
  • the extent to which the information or documents would be likely to assist in relation to that matter
  • whether reasonable attempts have been made to obtain the information through other means
  • any submissions made by a Public Interest Advocate under section 180X of the TIA Act and
  • any other relevant matters.[148]

If not satisfied of the above after considering an application, the issuing authority must refuse to issue a JIW.[149]

The proposed IPO regime does not include equivalent or similar protections for journalists’ sources. This seems a significant oversight in the context of recent investigations involving journalists and subsequent inquiries into press freedoms.[150]

Applications, content of orders and making of further orders

Provisions concerning the making of applications are similar to those proposed for interception and stored communications IPOs. For example, applications must generally be made in writing and accompanied by affidavits that address certain matters, but may be made by telephone in urgent circumstances; and must nominate a designated international agreement.[151]

IPOs will be required to be signed by the issuing authority and to contain particular details, including the date of issue, the names of the enforcement agency, the DCP and the designated international agreement nominated in the application, and short particulars of each serious category 1 offence in relation to which the issuing authority was satisfied that the proposed action would be likely to assist an investigation.[152]

Schedule 1 will not prevent the issue of a further IPO under clause 48 directed to the same DCP in relation to the same investigation as an earlier IPO issued under the same provision.[153]

Part 3—IPOs relating to control orders

Issue: scheme for IPOs relating to control orders goes beyond that in the TIA Act

The TIA Act was amended in 2016 to enable agencies to obtain an interception warrant in relation to an individual subject to a control order for the purposes of:

• monitoring compliance with the order
• protecting the public from a terrorist act
• preventing the provision of support for, or the facilitation of, a terrorist act and/or
• preventing the provision of support for, or the facilitation of, the engagement in a hostile activity in a foreign country.[154]

However, agencies are not able to obtain a stored communications warrant or authorise access to telecommunications data for purposes relating to control orders.

By enabling IPOs for access to stored communications and telecommunications data to be made for purposes relating to control orders, the proposed IPO regime goes beyond what is currently permitted under the body of the TIA Act. The Explanatory Memorandum does not provide any justification for the proposed broader powers available under IPOs relating to control orders.

Issue: whether IPOs relating to control orders should be permitted

The PJCHR and LCA questioned the need for IPOs to be available for the purposes of monitoring compliance with a control order.[155] The PJCHR pointed to the fact that failure to comply with a control order is an offence that carries a maximum penalty of five years imprisonment, and appeared to imply that IPOs should instead be sought in the context of an investigation of such an offence instead of simply to monitor compliance.[156]

There is also a question of whether allowing IPOs to be issued to monitor compliance with control orders will go beyond what may be permitted by an agreement under the CLOUD Act. Before an executive agreement under the CLOUD Act can come into force, the US Attorney-General must determine and certify to Congress that orders under the agreement ‘shall be for the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution of serious crime, including terrorism’.[157]

Agencies able to apply for orders

An IPO relating to a control order may be sought by a control order IPO agency, which will mean a control order warrant agency under the body of the TIA Act.[158] This will mean that orders may be sought by the AFP, ACLEI, ACIC or an eligible authority of a state (such as a police force or anti-corruption agency) that a declaration in force under section 34 authorises to apply for control order warrants under Part 2-5 of the TIA Act.[159]

Issuer of orders

As with those relating to investigation of serious offences, IPOs for interception may be authorised by an eligible Judge or a nominated AAT member and IPOs for access to stored communications or telecommunications data may be issued by an issuing authority.[160]

Notifications to the Ombudsman

For each IPO that is issued for purposes relating to a control order, the chief officer of the agency that applied for the IPO must notify the Ombudsman that the IPO was issued and give the Ombudsman a copy of the IPO. This must be done within three months of the IPO being issued.[161]

If the chief officer of an agency contravenes the requirement to revoke an IPO because the grounds for its issue no longer exist, he or she must notify the Ombudsman of that contravention as soon as practicable.[162]

However, a failure to comply with one of the above requirements will not affect the validity of an IPO.[163]

Part 3, Division 2—IPO relating to interception: control orders

An eligible Judge or a nominated AAT member will be able to issue an IPO in respect of one or more individual carriage services or one or more individual message/call application services directing a DCP to:

• intercept communications carried/sent, made or received during a specified period
• make those communications available to the agency that requested the order and
• disclose to that agency specified telecommunications data relating to:
  • the intercepted communications and
  • the individual carriage services or individual message/call application services.[164]

The specified period must not begin before the order is given to the DCP. It may be up to 90 days if the order relates to services used by a person subject to a control order, and up to 45 days if the order relates to services used by another person with whom a person subject to a control order is likely to communicate.[165] The time limits are the same as for control order warrants for telecommunications services under the body of the TIA Act.[166]

General thresholds

For an IPO relating to one or more individual carriage services, the issuer must be satisfied that:

• there are reasonable grounds for suspecting that the DCP:
  • owns or operates a telecommunications network that is, or is likely to be, used to supply those individual carriage services or
  • supplies those individual carriage services
• there are reasonable grounds for suspecting that a particular person is using, or is likely to use, those individual carriage services
• a control order is in force in relation to:
  • the particular person or
  • another person with whom the particular person is likely to communicate using those individual carriage services
• information likely to be obtained by intercepting communications being carried by those individual carriage services would be likely to substantially assist in connection with:
  • the protection of the public from a terrorist act
  • preventing the provision of support for, or the facilitation of, a terrorist act or the engagement in a hostile activity in a foreign country or
  • determining whether the control order, or any succeeding control order, has been, or is being, complied with
• the application complies with the requirements in Subdivision A, Division 2, Part 3 of Schedule 1 to the TIA Act for the making of applications and
• in the case of a telephone application, because of urgent circumstances, it was necessary for the application to be made by telephone.[167]

Equivalent thresholds apply for IPOs relating to one or more individual message/call application services.[168]

The thresholds are similar to those that apply for control order warrants for telecommunications services under Part 2-5 of the TIA Act.[169]

Safeguards

The safeguards are largely similar to those that apply for control order warrants for telecommunications services under the body of the TIA Act.

If an interception agency of Victoria or Queensland applies for an IPO, the relevant PIM may make submissions to the issuer about matters to which the issuer must have regard in deciding whether to issue an IPO, and may question the person making the application or a person required to give further information about the application in the presence of the issuer.[170]

In deciding whether to issue an IPO, the issuer must have regard to the same matters as an issuer deciding whether to issue a control order warrant for telecommunications services under Part 2-5 of the TIA Act. These include how much the privacy of any person or persons would be likely to be interfered with by the proposed interception, how much the information sought to be obtained would be likely to assist in connection to the purpose for which the IPO is sought, the possibility that the person subject to a control order has engaged or will engage in certain conduct, and if relevant, submissions made by a PIM. However, unlike under Part 2-5 of the TIA Act, where the issuer must have regard only to the listed issues, the IPO issuer must also consider such other matters (if any) as the issuer considers relevant.[171]

The issuer must not issue an IPO relating to individual carriage services used by another person with whom a particular person subject to a control order is likely to communicate unless he or she is satisfied that:

• the agency has exhausted all other practicable methods of identifying the individual carriage services used or likely to be used by the particular person or
• interception of communications carried by individual carriage services used or likely to be used by the particular person would not otherwise be possible.[172]

An equivalent restriction applies for IPOs relating to individual message/call application services.[173]

Applications, content of orders and making of further orders

Provisions concerning the making of applications are similar to those for control order warrants for telecommunications services under Part 2-5 of the TIA Act. For example, applications must generally be made in writing and accompanied by affidavits that address certain matters, but applications may be made by telephone in urgent circumstances.[174] However, affidavits will not be required to specify the period for which it is requested an IPO be in force and why that period is considered necessary.[175] Applications must also nominate a designated international agreement.[176]

IPOs will be required to be signed by the issuer and to contain particular details, including the date of issue, the names of the control order IPO agency, the DCP and the designated international agreement nominated in the application, applicable telecommunications identifiers, and a statement to the effect that the IPO is issued on the basis of a control order made in relation to a named person.[177]

Proposed Schedule 1 will not prevent the issue of a further IPO under clause 60 directed to the same DCP in relation to the same services as an earlier IPO issued under the same provision, so long as the period specified in the further order begins after the end of the period specified in the original order.[178]

Part 3, Division 3—IPO relating to stored communications: control orders

An issuing authority will be able to issue an IPO directing a DCP to:

• make a copy of certain stored communications
• make the copy available to the agency that requested the order and
• disclose to that agency specified telecommunications data relating to:
  • the stored communications and
  • the individual carriage service (for communications carried by such a service), the individual message/call application service (for messages sent or received, recordings of voice or video calls made or received using such a service) or the end-user’s account with the service (for material uploaded for storage or back-up by a storage/back-up service or posted to a general electronic content service).[179]

General thresholds

To issue an IPO relating to stored communications, the issuing authority must be satisfied that:

• a control order is in force in relation to a particular person
• there are reasonable grounds for suspecting that the DCP holds stored communications consisting of:
  • communications made, messages sent or received, recordings of voice or video calls made or received, or material that has been uploaded to a storage/back-up service or posted to a general electronic content service by a particular person using a relevant network or service or
  • communications made by another person using a relevant network or service, for which the particular person is the intended recipient and
• information likely to be obtained by making a copy of the stored communications would be likely to substantially assist in connection with
  • the protection of the public from a terrorist act
  • preventing the provision of support for, or the facilitation of, a terrorist act or the engagement in a hostile activity in a foreign country or
  • determining whether the control order, or any succeeding control order, has been, or is being, complied with
• the application complies with the requirements in Subdivision A, Division 3, Part 3 of Schedule 1 to the TIA Act for the making of applications and
• in the case of a telephone application, because of urgent circumstances, it was necessary for the application to be made by telephone.[180]

Safeguards

In deciding whether to issue an IPO for access to stored communications, the issuing authority must have regard to most of the same matters as an issuer deciding whether to issue an IPO for interception, including how much the privacy of any person or persons would be likely to be interfered with.[181] However, unlike for an IPO for interception, the issuing authority will not be required to have regard to whether the proposed action would be the method likely to have the least interference with any person’s privacy or the possibility that the person subject to a control order has engaged or will engage in certain conduct.[182] The rationale for this discrepancy is unclear.

Applications, content of orders and making of further orders

Provisions concerning the making of applications are similar to those for stored communications warrants for investigations under Part 3-3 of the TIA Act. For example, applications must generally be made in writing and accompanied by affidavits that address certain matters, but applications may be made by telephone in urgent circumstances.[183] Applications must also nominate a designated international agreement.[184]

IPOs will be required to be signed by the issuing authority and to contain particular details, including the date of issue, the names of the control order IPO agency, the DCP and the designated international agreement nominated in the application, and a statement to the effect that the IPO is issued on the basis of a control order made in relation to a named person.[185]

Schedule 1 will not prevent the issue of a further IPO under clause 69 directed to the same DCP in respect of the same person as an earlier IPO issued under the same provision.[186]

Part 3, Division 4—IPO relating to telecommunications data: control orders

An issuing authority will be able to issue an IPO directing a DCP to disclose to the agency that applied for the order telecommunications data:

• held by the DCP when the IPO comes into force (existing data) and/or
• that commences to be held by the CDP during a specified period (prospective data).[187]

The specified period in an IPO for prospective data must not begin before the order is given to the DCP and must not be longer than 90 days.[188]

Issue: length of specified period for prospective data

The specified period for which an IPO may require a DCP provide prospective data is twice as long as that permitted under Division 4, Part 4-1 of the TIA Act for authorisations relating to investigations.[189] The Explanatory Memorandum does not address why, particularly given that access to telecommunications data is not permitted under the body of the TIA Act for purposes relating to control orders, this was considered necessary or appropriate.

General thresholds

To issue an IPO relating to telecommunications data, the issuing authority must be satisfied that:

• a control order is in force in relation to a particular person
• there are reasonable grounds for suspecting that the DCP holds, or is likely to commence to hold, telecommunications data that relates to:
  • an individual carriage service supplied by the DCP, or communications carried on such a service
  • an individual carriage service supplied using a telecommunications network owned or operated by the DCP, or communications carried on such a service
  • an individual message/call application service provided by the DCP, or messages sent or received or voice or video calls made or received using such a service
  • material that has been uploaded by an end-user for storage or back-up by a storage/back-up service provided by the DCP or
  • material that has been posted on a general electronic content service provided by the DCP and
• disclosing the telecommunications data to the agency would be likely to substantially assist in connection with
  • the protection of the public from a terrorist act
  • preventing the provision of support for, or the facilitation of, a terrorist act or the engagement in a hostile activity in a foreign country or
  • determining whether the control order, or any succeeding control order, has been, or is being, complied with
• the application complies with the requirements in Subdivision A, Division 4, Part 3 of Schedule 1 to the TIA Act for the making of applications and
• in the case of a telephone application, because of urgent circumstances, it was necessary for the application to be made by telephone.[190]

Safeguards

In deciding whether to issue an IPO for access to telecommunications data, the issuing authority must have regard to most of the same matters as an issuer deciding whether to issue an IPO for interception, including how much the privacy of any person or persons would be likely to be interfered with.[191] However, unlike for an IPO for interception, the issuing authority will not be required to have regard to whether the proposed action would be the method likely to have the least interference with any person’s privacy or the possibility that the person subject to a control order has engaged or will engage in certain conduct.[192] The rationale for this discrepancy is unclear.

Applications, content of orders and making of further orders

Provisions concerning the making of applications are similar to those proposed for interception and stored communications IPOs. For example, applications must generally be made in writing and accompanied by affidavits that address certain matters, but may be made by telephone in urgent circumstances; and must nominate a designated international agreement.[193]

IPOs will be required to be signed by the issuing authority and to contain particular details, including the date of issue, the names of the control order IPO agency, the DCP and the designated international agreement nominated in the application, and a statement to the effect that the IPO is issued on the basis of a control order made in relation to a named person.[194]

Schedule 1 will not prevent the issue of a further IPO under clause 78 directed to the same DCP in relation to the same person as an earlier IPO issued under the same provision.[195]

Part 4—IPOs relating to national security

ASIO will be the only agency permitted to apply for an IPO relating to national security.[196] The specific purposes for which IPOs may be issued differ across the types of IPO and are consistent with the body of the TIA Act. Specifically, IPOs for interception and access to stored communications may be issued to assist ASIO with carrying out its function of obtaining intelligence relating to security, while IPOs for access to telecommunications data may be issued in connection with the performance by ASIO of any of its functions.[197]

Issue: whether IPOs should be permitted for national security purposes

As the LCA noted, the Government’s justification of IPOs has focused on difficulties associated with the existing mutual assistance framework; it has not specifically addressed the shortcomings in ASIO’s existing framework that necessitate the inclusion in the Bill of IPOs relating to national security.[198] In its evidence to the PJCIS inquiry into the Bill, ASIO focused on the difficulties it faces obtaining information from offshore providers in a useable form. Its submission stated:

Australia has seen a steady shift to encrypted Internet Protocol (IP) based communications over the past decade, with the majority of these services provided by offshore companies. This shift in communications practices has naturally been mirrored by the subjects of ASIO's investigations. Companies providing encrypted IP communications services are mostly based offshore and often fall outside the legal frameworks in Australia that authorise interception of communications or disclosure of telecommunications data. Such communications are therefore not accessible to ASIO or, when collected through warranted interception via onshore providers, are encrypted and unusable.[199]

If ASIO’s need for IPOs is accepted, there is still a question of whether the IPOs relating to national security proposed in the Bill will go beyond what an agreement under the CLOUD Act may permit. Before an executive agreement under the CLOUD Act can come into force, the US Attorney-General must determine and certify to Congress that orders under the agreement ‘shall be for the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution of serious crime, including terrorism’.[200] IPOs relating to national security for interception and stored communications will be for the purposes of assisting ASIO with carrying out its function of obtaining intelligence relating to security.[201] Under the Australian Security Intelligence Organisation Act 1979 (ASIO Act), security means:

(a)   the protection of, and of the people of, the Commonwealth and the several States and Territories from:

(i)  espionage;

(ii)  sabotage;

(iii)  politically motivated violence;

(iv)  promotion of communal violence;

(v)  attacks on Australia’s defence system; or

(vi)  acts of foreign interference;

whether directed from, or committed within, Australia or not; and

(aa) the protection of Australia’s territorial and border integrity from serious threats; and

(b)   the carrying out of Australia’s responsibilities to any foreign country in relation to a matter mentioned in any of the subparagraphs of paragraph (a) or the matter mentioned in paragraph (aa).[202]

The issue is more pronounced in relation to IPOs for access to telecommunications data, which will be able to be made if disclosure of the data would be in connection with ASIO’s performance of any of its functions.[203] Those functions include furnishing security assessments and cooperating with and assisting the Australian Secret Intelligence Service, Australian Signals Directorate, Australian Geospatial-Intelligence Organisation and the Office of National Intelligence.[204]

Issuer of orders

All IPOs relating to national security will be considered and issued by nominated AAT Security Division members.[205] The functions of the Security Division of the AAT under other laws include reviewing security assessments made by ASIO, decisions about ASIO records under the Archives Act 1983 and decisions about preventative detention orders issued under the Criminal Code.[206] Under the body of the TIA Act, warrants for interception and access to stored communications are issued by the Attorney-General, and authorisations for access to telecommunications data are made internally within ASIO.[207] The reason for having IPOs issued by certain AAT members instead appears to be that the US CLOUD Act requires incoming orders to be ‘subject to review or oversight by a court, judge, magistrate, or other independent authority’.[208]

ASIO must not apply for an IPO for interception or stored communications without first obtaining the consent of the Attorney-General.[209]

Part 4, Division 2—IPO relating to interception: national security

A nominated AAT Security Division member will be able to issue an IPO in respect of one or more individual carriage services or one or more individual message/call application services directing a DCP to:

• intercept communications carried/sent, made or received during a specified period
• make those communications available to ASIO and
• disclose to ASIO specified telecommunications data relating to:
  • the intercepted communications and
  • the individual carriage services or individual message/call application services.[210]

The specified period must not begin before the order is given to the DCP. It may be up to six months if the order relates to services used by a person of security concern, and up to three months if the order relates to services used by another person with whom a person of security concern is likely to communicate.[211] The time limits are the same as for telecommunications service warrants under the body of the TIA Act.[212]

General thresholds

In order to consent to an application for an interception IPO being made, the Attorney-General must be satisfied that:

• there are reasonable grounds for suspecting that particular individual carriage services or particular individual message/call application services are being, or are likely to be:
  • used by a person engaged in, or reasonably suspected of being engaged in, or of being likely to engage in, activities prejudicial to security or
  • the means by which another person communicates (receives or sends a communication or message, or receives or makes a voice or video call) with such a person and
• information likely to be obtained by the proposed interception would be likely to assist ASIO in carrying out its function of obtaining intelligence relating to security.[213]

For an IPO relating to one or more individual carriage services, the issuer must be satisfied that:

• there are reasonable grounds for suspecting that the DCP:
• owns or operates a telecommunications network that is, or is likely to be, used to supply those individual carriage services or
• supplies those individual carriage services
• there are reasonable grounds for suspecting that those services are being or likely to be:
  • used by a person engaged in, or reasonably suspected of being engaged in, or of being likely to engage in, activities prejudicial to security or
  • the means by which another person receives or sends a communication from or to such a person or
  • used for purposes prejudicial to security
• there are reasonable grounds for suspecting that information likely to be obtained by intercepting communications being carried by those individual carriage services would be likely to assist ASIO in carrying out its function of obtaining intelligence relating to security
• the application complies with the requirements in Subdivision A, Division 2, Part 4 of Schedule 1 to the TIA Act for the making of applications and
• in the case of a telephone application, because of urgent circumstances, it was necessary for the application to be made by telephone.[214]

Equivalent thresholds apply for IPOs relating to one or more individual message/call application services.[215]

The thresholds are broadly similar to those that apply for telecommunications service warrants under Part 2-2 of the TIA Act.[216]

Safeguards

In deciding whether to issue an IPO, the issuer must have regard to:

• what extent methods of carrying out ASIO’s function of obtaining intelligence relating to security (so far as it relates to the target) that are less intrusive than interception have been used by, or are available to, ASIO
• how much the use of those methods would be likely to assist, and to prejudice, ASIO in carrying out its function of obtaining intelligence relating to security (so far as it relates to the target) and
• such other matters (if any) the issuer considers relevant.[217]

The issuer must not issue an IPO relating to individual carriage services used by another person with whom a particular person is likely to communicate unless he or she is satisfied that:

• ASIO has exhausted all other practicable methods of identifying the individual carriage services used or likely to be used by the particular person or
• interception of communications carried by individual carriage services used or likely to be used by the particular person would not otherwise be possible.[218]

An equivalent restriction applies for IPOs relating to individual message/call application services.[219]

Applications, content of orders and making of further orders

Applications must generally be made in writing and accompanied by affidavits that address certain matters, but they may be made by telephone in urgent circumstances.[220] As noted above, ASIO must not make an application without first obtaining the Attorney-General’s consent to do so.[221]

The Attorney-General’s consent must generally be given in writing, but may be given orally in urgent circumstances. If the Attorney-General consents orally, ASIO must give the Attorney-General a written report setting out particulars of the urgent circumstances and whether the application was granted, withdrawn or refused within three working days of the application’s determination. ASIO must give a copy of that report to the IGIS in the same timeframe.[222]

IPOs will be required to be signed by the issuer and to contain particular details, including the date of issue, the names of the DCP and the designated international agreement nominated in the application and applicable telecommunications identifiers.[223]

Schedule 1 will not prevent the issue of a further IPO under clause 89 directed to the same DCP in relation to the same services as an earlier IPO issued under the same provision, so long as the period specified in the further order begins after the end of the period specified in the original order.[224]

Part 4, Division 3—IPO relating to stored communications: national security

An issuer will be able to issue an IPO directing a DCP to:

• make a copy of certain stored communications
• make the copy available to ASIO and
• disclose to ASIO specified telecommunications data relating to:
  • the stored communications and
  • the individual carriage service (for communications carried by such a service), the individual message/call application service (for messages sent or received, recordings of voice or video calls made or received using such a service) or the end-user’s account with the service (for material uploaded for storage or back-up by a storage/back-up service or posted to a general electronic content service).[225]

General thresholds

In order to consent to an application for a stored communications IPO being made, the Attorney-General must be satisfied that:

• there are reasonable grounds for suspecting that a particular person is engaged in, or is likely to engage in, activities prejudicial to security and
• information likely to be obtained by making a copy of the stored communications would be likely to assist ASIO in carrying out its function of obtaining intelligence relating to security.[226]

To issue an IPO relating to stored communications, the issuer must be satisfied that:

• there are reasonable grounds for suspecting that a particular person is engaged in, or is likely to engage in, activities prejudicial to security
• there are reasonable grounds for suspecting that the DCP holds stored communications consisting of:
  • communications made, messages sent or received, recordings of voice or video calls made or received, or material that has been uploaded to a storage/back-up service or posted to a general electronic content service by the particular person using a relevant network or service or
  • communications made by another person using a relevant network or service, for which the particular person is the intended recipient and
• information likely to be obtained by making a copy of the stored communications would be likely to assist ASIO in carrying out its function of obtaining intelligence relating to security
• the application complies with the requirements in Subdivision A, Division 3, Part 4 of Schedule 1 to the TIA Act for the making of applications and
• in the case of a telephone application, because of urgent circumstances, it was necessary for the application to be made by telephone.[227]

Safeguards

In deciding whether to issue an IPO for stored communications, the issuer must have regard to equivalent matters as an issuer deciding whether to issue an IPO for interception.[228]

Applications, content of orders and making of further orders

Provisions for applications, content of orders and the making of further orders are equivalent to those that apply for IPOs for interception.[229]

Part 4, Division 4—IPO relating to telecommunications data: national security

An issuer will be able to issue an IPO directing a DCP to disclose to ASIO telecommunications data:

• held by the DCP when the IPO comes into force (existing data) and/or
• that commences to be held by the DCP during a specified period (prospective data).[230]

The specified period in an IPO for prospective data must not begin before the order is given to the DCP and must not be longer than 90 days.[231]

General thresholds

To issue an IPO for telecommunications data, the issuer must be satisfied that:

• there are reasonable grounds for suspecting that the DCP holds, or is likely to commence to hold, telecommunications data that relates to:
  • communications that a particular person has made using an individual carriage service supplied by the DCP
  • messages sent or received, or voice or video calls made or received, by a particular person using an individual message/call application service supplied by the DCP
  • material that has been uploaded by a particular person for storage or back-up by a storage/back-up service provided by the DCP
  • material that has been posted by a particular person on a general electronic content service provided by the DCP
  • an individual carriage service supplied by the DCP or supplied using a telecommunications network owned or operated by the DCP, where the service is used, or likely to be used, by a particular person or
  • an individual massage/call service provided by the DCP, where the service is used, or likely to be used, by a particular person
• disclosing the telecommunications data to ASIO would be in connection with the performance by ASIO of its functions
• the application complies with the requirements in Subdivision A, Division 4, Part 4 of Schedule 1 to the TIA Act for the making of applications and
• in the case of a telephone application, because of urgent circumstances, it was necessary for the application to be made by telephone.[232]

Safeguards

In deciding whether to issue an IPO for telecommunications data, the issuer must have regard to equivalent matters as an issuer deciding whether to issue an IPO for interception or stored communications.[233]

Issue: no special protections for journalists’ sources

Under Part 4-1 of the TIA Act, an ASIO officer must not issue telecommunications data authorisation for the purpose of identifying a source to a journalist, except under a journalist information warrant (JIW).[234] The Attorney-General may only issue a JIW if he or she is satisfied that:

• ASIO’s functions would extend to the making of authorisations under Division 3 of Part 4-1 of the TIA Act in relation to a person and
• the public interest in issuing the warrant in relation to that person outweighs the public interest in protecting the confidentiality of the identity of the source in connection with whom authorisations would be made under the authority of the warrant, having regard to:
  • the extent of interference with any person’s privacy
  • the gravity of the matter in relation to which the warrant is sought
  • the extent to which the information or documents would be likely to assist in the performance of ASIO’s functions
  • whether reasonable attempts have been made to obtain the information through other means
  • any submissions made by a Public Interest Advocate under section 180X of the TIA Act and
  • any other relevant matters.[235]

If not satisfied of the above after considering an application, the Attorney-General must refuse to issue a JIW.[236]

As is the case for IPOs for investigation of serious offences, the proposed IPO framework as it relates to national security does not include equivalent or similar protections for journalists’ sources.

Applications, content of orders and making of further orders

Provisions for applications, content of orders and the making of further orders are equivalent to those that apply for IPOs for interception and stored communications.[237]

Issue: adequacy of safeguards for IPOs relating to national security

Before issuing an IPO relating to national security, the issuer must consider:

• to what extent methods of carrying out ASIO’s function of obtaining intelligence relating to security (so far as it relates to the target) that are less intrusive have been used by, or are available to, ASIO
• how much the use of those methods would be likely to assist, and to prejudice, ASIO in carrying out its function of obtaining intelligence relating to security (so far as it relates to the target) and
• such other matters (if any) the issuer considers relevant.[238]

These matters are not required to be considered before interception or access to stored communications or telecommunications data is authorised for ASIO under the body of the TIA Act.[239] However, the IGIS and LCA pointed out that the matters that must be considered by the issuer are nonetheless only a subset of those that must be considered before issuing an IPO in relation to a criminal investigation.[240] The issuer will be required to consider for an investigation IPO, but not for an IPO relating to national security: how much the privacy of any person or persons would be likely to be interfered with, the gravity of the conduct involved, and how much the information sought to be obtained would be likely to assist the investigation.[241]

Part 9—Reporting and record-keeping requirements

Interception agencies, criminal law-enforcement agencies and enforcement agencies

Relevant agencies (interception agencies, criminal law-enforcement agencies, enforcement agencies and control order IPO agencies) will be required to report to the Minister within three months of the end of each financial year. The reports must include, for that financial year:

• for each of the six types of IPO, the number of applications made, withdrawn and refused, and how many IPOs were issued
• the number of applications made that nominated each designated international agreement
• if any IPOs were issued, the number of:
  • times that protected information obtained in accordance with an IPO was shared with other relevant agencies
  • arrests made on the basis of such information
  • prosecutions in which such information was used in evidence and
  • convictions where such information was used in evidence in the relevant prosecution
• if any IPOs were made for the purposes of offence investigations, the type or types of offences (separately for interception, stored communications and telecommunications data)
• the number of IPOs revoked by the chief officer
• the number of IPOs made for interception in relation to a person other than the person involved in the offence/s or subject to a control order (separately for investigation and control order IPOs).[242]

These reporting requirements are broadly consistent with those for equivalent powers under the body of the TIA Act. However, for interception, Part 2-8 of the TIA Act also requires separate reports on the outcomes of each telecommunications service warrant within three months of its expiry, and slightly more detailed information in annual reports.[243]

Relevant agencies will be required to keep certain records in relation to IPOs for up to three years, or less if the Ombudsman has reported to the Minister on an inspection of those records. These records include, for example, copies of applications and related affidavits, copies of IPOs, details of telephone applications, and details about the communication of protected information obtained under an IPO to a person outside the agency.[244]

ASIO

For each IPO authorising interception, ASIO will be required to give the Attorney-General a written report on the extent to which compliance with the IPO has assisted ASIO in carrying out its functions. Such reports will be required within three months of the last day on which the DCP could have done an act or thing in compliance with the order, or the IPO ceases to be in force due to a revocation or cancellation, whichever is earlier.[245] This mirrors a reporting requirement under section 17 of the TIA Act.[246]

ASIO will be required to include information about IPOs in the annual reports it gives the Minister under the ASIO Act. The information includes:

• for each type of IPO, the number of applications made, withdrawn and refused, and how many IPOs were issued
• the number of each type of IPO given by the ADA to a DCP
• the number of IPOs issued and given by the ADA that invoked each designated international agreement
• the number of IPOs for interception in relation to another person with whom a particular person is likely to communicate
• the number of IPOs cancelled by the ADA under clause 112 (under which an order must be cancelled instead of given to a DCP if the ADA is not satisfied that it complies with the agreement nominated in the application for the order)
• the number of IPOs cancelled by the ADA under clause 122 (under which the ADA has a general power to cancel orders, including in response to an objection from a DCP)
• the number of IPOs revoked by the Director-General of Security
• the number of occasions on which protected information obtained under an IPO was communicated by ASIO to a person other than an ASIO official and
• if any objections were received by the ADA in relation to IPOs issued:
  • the number of IPOs to which the objections related
  • the number and type of those orders and
  • the number of those orders that invoked each designated international agreement.[247]

ASIO will be required to keep certain records in relation to IPOs for three years. These records include, for example, copies of applications and related affidavits, copies of IPOs, details of telephone applications, details about the communication of protected information obtained under an IPO to a person outside the agency, and statements setting out details of the use (where that has occurred) of information obtained under each IPO.[248]

Australian Designated Authority

The ADA will be required to report to the Minister within three months of the end of each financial year. For each relevant agency, the reports must include, for that financial year:

• if any IPOs were issued and given by the ADA to a DCP, the number of orders and of each type of order, and the number of orders that invoked each designated international agreement
• the number of IPOs made for interception in relation to a person other than the person involved in the offence/s or subject to a control order (separately for investigation and control order IPOs)
• the number of IPOs cancelled by the ADA under clause 111 (under which an order must be cancelled instead of given to a DCP is the ADA is not satisfied that it complies with the agreement nominated in the application for the order)
• the number of IPOs cancelled by the ADA under clause 122 (under which the ADA has a general power to cancel orders, including in response to an objection from a DCP)
• the number of instruments of revocation issued and given by the ADA to a DCP
• if any objections were received by the ADA in relation to IPOs issued:
  • the number of IPOs to which the objections related
  • the number and type of those orders and
  • the number of those orders that invoked each designated international agreement.[249]

The Minister must cause a copy of each report to be given to the Attorney-General as soon as practicable after receiving it.[250]

The ADA will be required to keep certain records in relation to IPOs for three years, including copies and details of each IPO given to a DCP by the ADA, copies of and details relating to instruments of revocation and cancellation, and copies and details of each objection received by the ADA to an Australian IPO.[251] The ADA must also keep records of any objections to foreign orders it is aware of being made by a DCP carrying on activities in Australia or providing services to end users physically present in Australia.[252]

The ADA will also be required to keep a register of IPOs that includes certain information for each Australian IPO issued.[253]

Reports by the Minister

The Minister must cause to be written a report that sets out the information contained in reports made by each relevant agency and by the ADA, as soon as practicable after the end of each financial year. The Minister will be required to table copies of such reports in each House of Parliament within 15 sitting days.[254]

Reports must not be made in a manner that is likely to enable identification of a person.[255] As with reports on interception under Part 2-5 of the TIA Act, control order information may be excluded from the report for a financial year, with the information to be included in a subsequent report when it is no longer control order information.[256]

Destruction of records

Relevant agencies and ASIO will be required to destroy intercepted communications, messages, voice and video calls and copies of stored communications once satisfied that the information is not likely to be required for certain purposes (such as investigations, prosecutions and the performance of ASIO’s functions).[257] However, as noted by the IGIS and the LCA, the Bill does not include an explicit obligation for agencies to conduct regular reviews of information held to determine whether or not it is still required for the listed purposes.[258]

As noted by the IGIS and the LCA, the Bill does not include destruction requirements for telecommunications data obtained under an IPO.[259] In support of the absence of such a requirement, the Explanatory Memorandum cites the findings of a review conducted by AGD in response to a 2015 PJCIS recommendation. The review reportedly found:

• Keeping telecommunications data for extended periods of time can be beneficial to law enforcement agencies in particular circumstances.
• A destruction requirement may have little privacy benefit and could create a further burden on the telecommunications industry.
• It will be administratively challenging to destroy copies of telecommunications data given its need to be stored on numerous information management systems.[260]

However, the LCA was concerned that a review that does not appear to have been made public is being relied upon to justify a lack of destruction requirements for telecommunications data. It also questioned whether that review specifically examined ASIO’s practices in addition to law enforcement agencies.[261] The LCA and the IGIS recommended that consideration be given to whether the Bill should include destruction requirements for telecommunications data.[262]

Part 10—Oversight by the Commonwealth Ombudsman

As is the case for interception warrants, stored communications warrants and authorisations for access to telecommunications data under the body of the TIA Act, the Ombudsman will be able to inspect the records of relevant agencies to determine the extent of compliance with proposed Schedule 1 to the TIA Act. The Ombudsman will also be able to inspect the records of the ADA for the same purpose.[263]

The Ombudsman will have the power to enter premises of agencies and of the ADA (after providing notification), will have full and free access to records, and will be able to obtain relevant information.[264]

The Ombudsman will be required to report annually to the Minister on the results of its inspections as soon as practicable after the end of the financial year.[265] The Minister will be required to table copies of such reports in each House of Parliament within 15 sitting days.[266]

Part 11—Disclosure of protected information

Proposed Part 11 of Schedule 1 to the TIA Act will prohibit the use of protected information other than for a purpose outlined in that Part. Protected information will mean information:

• obtained in accordance with an IPO or
• about an application for an IPO, the issue of an IPO, the existence or non-existence of an IPO, compliance with an IPO, or the revocation or cancellation of an IPO.[267]

Prohibition on use, recording or disclosure of protected information and its admission in evidence

A person will commit an offence if:

• the person uses, records or discloses information
• the information is protected information and
• the use, recording or disclosure is not permitted by Proposed Part 11 of Schedule 1 to the TIA Act.[268]

The maximum penalty for the offence will be two years imprisonment and/or a fine of 120 penalty units (currently $26,640) for an individual and a fine of 600 penalty units (currently $133,200) for a body corporate.[269]

Subject to proposed Part 11 of Schedule 1 to the TIA, protected information must not be admitted in evidence in any proceedings in Australia.[270]

Permitted use, recording and disclosure

Proposed clause 153 lists purposes for which any protected information may be used, recorded, disclosed or admitted in evidence. The purposes include, for example:

• investigation or prosecution of a serious category 1 offence or a serious category 2 offence
• proceedings relating to bail for a serious category 1 offence or a serious category 2 offence
• investigation of or proceedings for a contravention of a civil penalty provision in Schedule 1 to the TIA Act
• the performance of ASIO’s functions or its exercise of powers
• record-keeping and reporting provisions relating to IPOs
• inspections of IPO-related records by the Ombudsman
• the performance of the IGIS’s functions or duties or its exercise of powers
• certain proceedings under certain Acts, including the Extradition Act 1988 and the MACMA
• a designated international agreement
• making a required notification to the PIM of Victoria or Queensland and
• disclosure to a foreign country, the International Criminal Court or a War Crimes Tribunal if authorised by the Attorney-General.

Proposed clauses 154 and 155 permit disclosure of protected information to the Minister and the Attorney-General for the purposes of the performance of the functions or exercise of the powers of the Minister or Attorney-General.

Proposed clause 156 permits a DCP to disclose the total number of IPOs given to the DCP during a period of at least six months.

Proposed clauses 157, 158 and 159 list additional purposes for which protected information obtained in accordance with, or that relates to, an IPO relating to interception, stored communications or telecommunications data respectively made be used, recorded, disclosed and admitted in evidence.

Permitted and prohibited use and disclosure of information obtained under interception and stored communications warrants and authorisations for access to telecommunications data are dealt with separately under the body of the TIA Act for each of those powers.[271] However, the provisions of proposed Part 11 of Schedule 1 to the TIA Act are broadly comparable.

Part 5—Giving of IPOs

Once made, IPOs must be given to the ADA by ASIO or the relevant agency. The ADA must consider whether the IPO complies with the designated international agreement nominated in the application and:

• if satisfied that the IPO complies with the agreement, give the order or a certified copy to the DCP to which it is directed as soon as practicable and
• if not satisfied that the IPO complies with the agreement, cancel the order by written instrument, return it to the agency and give the agency such advice as it considers appropriate in relation to compliance with the agreement.[272]

An IPO will come into force when given to the DCP by the ADA.[273]

Parts 6 and 7—Revocation and cancellation of IPOs

The chief officer of a relevant agency (or delegate) may revoke an IPO issued in response to an application made by the agency, and must do so if satisfied that the grounds on which the IPO was issued have ceased to exist.[274] An equivalent provision will apply to ASIO.[275]

Revocations are to be made by written instrument, which must be given to the ADA as soon as practicable. The ADA will then be required to give the instrument of revocation to the DCP to which the IPO was given as soon as practicable. Revocations will take effect when given to the DCP concerned or if the IPO had not yet been given to a DCP, when the revocation is made.[276]

Objections to and cancellation of IPOs

A DCP to which an IPO is given will be able to object to the order on the grounds that it does not comply with the designated international agreement nominated in the application. Objections are to be made by written notice to the ADA. The notice must be given to the ADA within a ‘reasonable time’ after the IPO is given to the DCP, and set out why the DCP considers that the IPO does not comply with the agreement.[277]

The ADA may cancel an IPO by written instrument. If the ADA does so, it must inform the chief officer of the relevant agency or the Director-General of Security of the cancellation as soon as practicable. If the IPO was given to a DCP before being cancelled, the ADA must also give the instrument of cancellation to the DCP as soon as practicable. Cancellations take effect when that instrument is given to the DCP or otherwise when they are made.[278]

Issue: adequacy of the objections framework

Several stakeholders raised concerns about the adequacy of the Bill’s provisions for making and considering objections and the appropriateness of the ADA as the decision maker.

The LCA, ICLT Coalition and DIGI considered that the Bill does not make adequate provision for objections to IPOs. The LCA stated:

… the Bill does not impose a requirement on the ADA to consider and determine this application, or prescribe minimum requirements for the conduct of a review of the objection, including timeframes … Further, there is no requirement for the ADA to give reasons to the DCP or relevant IPO agencies for its decision on a DCP’s objection.[279]

The ICLT Coalition and DIGI outlined similar concerns related to the lack of clarity about how objections will be dealt with.[280] They and other ICT sector stakeholders also raised concerns about the potentially narrow ground on which they may be made, with the ICLT Coalition stating:

An opportunity to challenge is only meaningful if providers are given clear procedural and substantive rights to challenge demands that are overbroad, abusive, violate the terms of an international agreement, or are otherwise unlawful.[281]

The LCA also pointed out that while the ADA has a general power to cancel an IPO, it is not explicitly required to do so if it upholds an objection from a DCP.[282]

Finally, the LCA and Mr Wilson also questioned the appropriateness of the ADA being the decision maker on objections.[283] The LCA noted that the ADA would already have considered and formed a view on the compliance of the IPO with the relevant agreement, as it must only give an IPO to a DCP if it is satisfied that it complies with that agreement. It further noted that the ADA (the Secretary or a delegate in AGD) may also advise the Attorney-General on whether to consent to an application by ASIO for an IPO.[284]

Part 8—Compliance with IPOs

If an IPO is given to a DCP to which it is directed, the IPO is in force and when it is given, the DCP meets the enforcement threshold, the DCP will be required to comply with the order to the extent to which it is capable of doing so. A civil penalty will apply for non-compliance, with a maximum penalty of 238 penalty units for an individual (currently $52,826) and 47,600 penalty units for a body corporate (currently $10,567,200).[285]

Broadly, a DCP will meet the enforcement threshold if it provides a relevant service to one or more Australians (or owns or operates a telecommunications network used to supply a carriage service to one or more Australians), unless the DCP cannot reasonably be considered to have offered or provided the service on the basis of it being available to Australians.[286]

The civil penalty will be enforceable under Part 4 of the Regulatory Powers (Standard Provisions) Act 2014, which will extend to acts, omissions, matters and things outside Australia.[287]

Issue: compulsory nature of IPOs

The Australian Industry Group and some ICT sector stakeholders questioned the appropriateness of, or objected to, the availability of civil penalties to enforce compliance with an IPO. They considered that the inclusion of penalties for non-compliance is contrary to the ‘intention and spirit’ of the US CLOUD Act, which they argued is focused on lifting so-called ‘blocking statutes’, not compelling service providers.[288]

Part 12—Evidentiary certificates

Proposed Part 12 of Schedule 1 to the TIA Act will allow particular persons to issue evidentiary certificates setting out certain facts. The use of evidentiary certificates is intended to ensure that employees of DCPs and employees and officers of agencies are not required to testify that information or material was lawfully obtained in every proceeding to which it is admitted.[289]

DCPs: compliance with IPOs

A DCP or manager of a DCP may issue a written, signed certificate setting out facts that the DCP or manager considers relevant with respect to acts or things done by the DCP to comply with an IPO. Such documents are to be received in evidence in a proceeding in Australia without further proof and in such a proceeding will be conclusive evidence of the matters stated therein.[290] This is consistent with evidentiary certificates able to be issued by carriers under the body of the TIA Act and takes account of Australian agencies’ inability to compel employees of foreign DCPs to attend court to give evidence.[291]

DCPs: voluntary provision of certain information related to IPOs

A DCP or manager of a DCP may issue a written, signed certificate setting out facts that the DCP or manager considers relevant with respect to acts or things done in order to voluntarily give an agency certain information relating to an IPO, or to explain certain matters. For example, for interception IPOs, certificates may set out such facts as the DCP or manager considers:

• relevant with respect to acts or things done to voluntarily give an agency, in connection with an IPO, information relating to:
  • the individual carriage services or individual message/call application services to which the IPO relates or
  • a person who uses, or is likely to use, those services and/or
• would assist in explaining:
  • the operation of the individual carriage services of individual message/call application services to which the IPO relates or
  • the way in which the intercepted material was made available to the agency.[292]

Similar provision is made in relation to IPOs for access to stored communications or telecommunications data.[293]

These documents are to be received in evidence in a proceeding in Australia without further proof and in such a proceeding will be prima facie evidence of the matters stated therein, so long as information obtained in accordance with the relevant IPO is admissible in those proceedings.[294]

ASIO and relevant agencies

A certifying person in ASIO or a certifying officer in a relevant agency may issue a written, signed certificate setting out facts he or she considers relevant to the receipt by ASIO or the relevant agency of information made available or disclosed in accordance with an IPO. These documents are to be received in evidence in a proceeding in Australia without further proof and in such a proceeding will be prima facie evidence of the matters stated therein. This is consistent with evidentiary certificates able to be issued by agencies under the body of the TIA Act.[295]

The ADA

The ADA may issue a written, signed certificate setting out facts that the ADA considers relevant with respect to:

• giving an IPO, instrument of revocation or instrument of cancellation to a DCP
• the receipt by the ADA of information made available under an IPO (to be passed on to the agency that sought the IPO) or
• anything done by the ADA for the purposes of ensuring that information was passed on to ASIO or the relevant agency.[296]

These documents are to be received in evidence in a proceeding in Australia without further proof and in such a proceeding will be prima facie evidence of the matters stated therein.[297]

Other key provisions

Delegation by the ADA

The ADA (the Secretary of AGD) may delegate any or all of the ADA’s functions or powers under proposed Schedule 1 to the TIA Act to an SES employee or acting SES employee in AGD or to an APS employee holding or acting in an executive level 1 or 2 position in AGD.[298] Consideration could be given to limiting the delegation of certain functions, such as determining whether to cancel an IPO, to SES employees; while allowing delegation of more routine functions, such as the giving of orders, to executive level employees.

Interaction with mutual assistance laws

The proposed scheme will operate alongside existing mutual assistance legislation. Proposed clause 183 will provide that Schedule 1 to the TIA Act is not intended to limit the operation of the Mutual Assistance in Criminal Matters Act.

Concluding comments

The Bill, in combination with relevant international agreements, has the potential to facilitate significantly faster access by law enforcement and security agencies to relevant data held overseas, thereby assisting criminal investigations and prosecutions and security investigations. However, the Bill fails to provide the safeguards that exist under domestic mutual assistance laws and the US CLOUD Act. It will also allow IPOs to be made for certain matters where equivalent powers would not currently be available within Australia, and the IPO framework lacks protections for journalists’ sources that apply in relation to equivalent domestic powers.

Parliament may wish to amend the Bill to include safeguards for international agreements and incoming orders instead of leaving those matters entirely to agreements negotiated by the Executive. It may also wish to consider amendments to strengthen parliamentary scrutiny of international agreements and changes to such agreements, and to ensure that safeguards that apply to domestic powers are replicated in the IPO framework.