Key points
- The Bill will allow telecommunications companies to more easily provide assistance to law enforcement agencies and emergency service organisations in relation to:
- preventing or lessening serious threats to a person's life or health and
- calls to emergency service numbers.
- The Bill will also:
- confer civil immunities on telecommunications companies for the provision of reasonably necessary assistance to the Commonwealth, states or territories to respond during emergencies if a national emergency declaration is in force and
- amend the existing requirements to record disclosures of certain information by telecommunications companies by increasing record keeping requirements and the level of detail of such records.
Introductory Info
Date introduced: 10 November 2022
House: House of Representatives
Portfolio: Infrastructure, Transport, Regional Development, Communications and the Arts
Commencement: As set out in the body of this Bills Digest.
Purpose of
the Bill
The purpose of the Telecommunications
Legislation Amendment (Information Disclosure, National Interest and Other
Measures) Bill 2022 (the Bill) is to amend the Telecommunications
Act 1997 (the Act) and other legislation to:
- better
facilitate assistance by the telecommunications industry to law enforcement
agencies and emergency service organisations by:
- removing
the ‘imminent’ threat qualifier before certain information can be provided and
- authorising
the use and disclosure of unlisted numbers (for example, mobile phone numbers)
and associated addresses for the purpose of dealing with matters raised by a
call to an emergency service number
- confer
civil immunities on telecommunications companies for the provision of reasonably
necessary assistance to the Commonwealth, states or territories to respond
during emergencies if a national emergency declaration is in force
- amend
the existing requirements to record disclosures of certain information by
telecommunications companies by increasing record keeping requirements and the
level of detail recorded to better enable oversight of underlying laws or warrants
which required or authorised a disclosure and
- making
technical amendments to other legislation to ensure that relevant obligations
and measures in that Act will commence as originally intended.[1]
Structure
of the Bill
The Bill has one Schedule, divided into three parts. Part
1 contains the amendments that deal with, broadly speaking, information
disclosure to:
- law
enforcement agencies
- emergency
services and
- Commonwealth,
state and territory agencies responding to emergencies when a national
emergency declaration is in force.
Part 2 contains the amendments that deal with
recording disclosures of certain information, including under warrants. Part
3 contains technical amendments to other legislation, which are not examined
in this Digest.
Background
The Telecommunications
Act 1997 (the Act) regulates telecommunications in general including the
types of information that can be disclosed by telecommunications providers and
carriers to law enforcement agencies and emergency service organisations, and the
circumstances in which that is allowed. The Act also imposes several record-keeping
requirements related to such disclosures on telecommunications carriers,
providers or integrated public number database (IPND) operators.[2]
A brief description of and background to the IPND is set out under the heading
‘Issues with the operation of existing section record keeping requirements’
below.
The Bill responds to several recommendations by, for
instance, the Australian Law Reform Commission and State coroners, about the
long-standing and well-known issue that the current drafting allows disclosure
where ‘it is reasonably necessary to prevent or lessen a serious and imminent threat to the life or health of a person’ [emphasis
added].[3]
The need for the threat to be ‘imminent’ has hindered the disclosure of information
about the location of missing persons, which can be determined by mobile phone
triangulation.
Further background information on the measures is provided
below under the Key issues and provisions part of the Digest.
Committee
consideration
At the time of writing, the Bill had not been referred to
any Committee for consideration.
Senate
Standing Committee for the Scrutiny of Bills
At the time of writing the Senate Standing Committee for
the Scrutiny of Bills had not considered the Bill.
Policy
position of non-government parties/independents
Where able to be identified, the policy position of
non-government parties and independents in relation to each measure is set out
below under the Key issues and provisions part of the Digest.
Position of
major interest groups
When able to be identified, the position of major interest
groups is set out in relation to each measure is set out below under the Key issues and provisions part of the Digest.
Financial
implications
The Explanatory Memorandum states that there are no
financial impacts on the Commonwealth arising from the measures contained in
the Bill.[4]
Statement of Compatibility with Human Rights
As required under Part 3 of the Human Rights
(Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the
Bill’s compatibility with the human rights and freedoms recognised or declared
in the international instruments listed in section 3 of that Act. The
Government considers that the Bill is compatible.[5]
Parliamentary
Joint Committee on Human Rights
At the time of writing the Parliamentary Joint Committee
on Human Rights had not considered the Bill.
Key issues and provisions
This Digest examines the measures dealing with
facilitating assistance to law enforcement agencies, emergency agencies, Commonwealth,
state and territory agencies during national emergencies and strengthening disclosure
record keeping requirements.
Background:
prohibition on disclosing certain information and existing exemptions
Part 13 of the Act provides for protection of the confidentiality
of the contents of communications carried by carriers and carriage service
providers; of the carriage service supplied by them, and of the affairs and
personal particulars of other persons (notably, customers and end-users of
carriage services). Whilst this includes personal information about
individuals, relevant to the Bill it also includes information about
telecommunications, including for example information about the location of a
mobile handset (section 275A of the Act makes clear that information about
location of a mobile phone is to be taken to be information about the affairs
of a customer for these purposes).
Under the Act, it is an offence for eligible persons to
disclose or use information protected by Part 13, otherwise than for the
purpose of delivering carriage services or related telecommunications industry
functions.[6]
There are limited exceptions which permit the provision of this information to
third parties, as examined below.
Facilitating
assistance to law enforcement agencies
The Act facilities telecommunications carriers, providers
and IPND operators providing assistance to law enforcement agencies by
providing a number of exemptions to the prohibitions described above. Most
relevantly to the Bill, the Act currently permits disclosure of information
related to communications:
- where
it is reasonably necessary to prevent or lessen serious and imminent threats
to a person's life or health (sections 287 and 300) and
- in
relation to the disclosure of information contained in an IPND, for various
purposes, relevantly including the making of a call to an emergency service
number.
These are examined below.
Issues with the operation of existing section 287 of the Telecommunications Act 1997
Mobile phone location data comes from a variety of sources
including GPS signals and carrier mobile towers. Mobile carriers receive
information about a phone’s proximity to mobile towers and by triangulation
based on signal strength, an approximate location of that phone can be
ascertained.[7]
Section 287 of the Act allows a telecommunications
provider to disclose information or documents about another person (a primary
disclosure), including the location of the person’s mobile phone. In turn,
section 300 allows a person who received such information, including location of
a mobile phone, to disclose that information or document to another person (a
secondary disclosure) to prevent or lessen a serious and imminent threat
to the life or health of another person.
Location data is often regarded as sensitive, due to its potential
use in identifying an individual by drawing insights from the location of the
individual, or to track an individual.[8]
It is for this reason that such information is invaluable in missing person
cases. For example, in 2020, the NSW Coroner noted that:
… the reality is triangulation is an incredibly useful tool
for missing persons investigations. These days most people are carrying a
mobile phone or some other device that can be located using triangulation.[9]
In 2008 the Australian Law Reform Commission (ALRC), in
its report “For your Information; Australian Privacy Law and Practice”, summarised
the issues with operation of sections 287 and 300 of the Act in the
following terms:
…disclosure of information is permitted if the information or
document relates to the affairs or personal particulars (including any unlisted
telephone number or any address) of another person, and the first person
believes on reasonable grounds that the use or disclosure is reasonably
necessary to prevent or lessen a serious and imminent threat to the life
or health of a person… At this point it is often too late to take meaningful
preventative action.[10]
[emphasis added]
The Explanatory Memorandum to the Bill reinforces this
finding noting:
In a number of missing persons cases, law enforcement
agencies have experienced practical challenges in ascertaining reasonable
belief about the ‘imminence’ of a threat to the life or health of a person,
even when the seriousness of the threat was clearly established. In both the Inquest
into the death of Thomas Hunt (findings released 4 September 2020), and
another recent inquest which has not been made public, the ‘imminent’
qualifier was a barrier to progressing a triangulation request that may have
helped locate the individuals in question. A New South Wales Deputy State
Coroner has recommended the Commonwealth urgently reform section 287 of the Act
by removing the qualifier of an ‘imminent’ threat in the provision.[11]
[emphasis added]
It has been noted that ‘imminent’ is viewed, and often applied
in practice, as meaning that such a threat will occur within a very short
period of time, generally a few hours.[12]
Previous
recommendations regarding sections 287 and 300
The issues regarding the ‘imminent’ threshold for
disclosure under section 287 of the Act have been examined previously. The ALRC
recommended in 2008:
Sections 287
and 300 of the Telecommunications Act 1997 (Cth) should be amended to
provide that a use or disclosure by a ‘person’, as defined under the Act, of
information or a document is permitted if:
(a) the
information or document relates to the affairs or personal particulars
(including any unlisted telephone number or any address) of another person; and
(b) the person
reasonably believes that the use or disclosure is necessary to lessen or
prevent a serious threat to a person’s life, health or safety.[13]
That is, the ALRC recommend the removal of the ‘imminent’
threshold. Likewise, a New South Wales Deputy State Coroner noted:
185. Having
regard to the evidence set out above, the following recommendations are both
necessary and desirable, in accordance with s 82 of the Act:…
2. That the
Minister for Communications (Cth) be provided with the findings from this
inquest and the evidence of Chief Inspector Gary Charlesworth, together with
the findings in the Inquest into the death of Thomas James Hunt (dated 4
September 2020) regarding issues as to the interpretation and practical
operation of s 287 the Telecommunications Act 1997 in relation to
missing person investigations, with a view to considering urgent reform of
that provision, including as to whether to:
a. remove
the qualifier of an “imminent” threat (consistent with the Australian Law
Reform Commission Report 108 (2010 [sic]), Recommendation 72–7); and
b.
change the requirement of ‘belief’ to ‘suspicion’.[14]
The Thomas Hunt inquest report also noted:
… the State Coordination Unit that controls applications for
triangulation have concern over the use of the word “belief” in s. 287; they
would like that changed to “suspicion”’.[15]
The Bill
removes the ‘imminent’ threat qualifier and adds a safeguard
The Bill aims to address the ALRC and NSW Coroner recommendations.[16]
It does this by removing the ‘imminent’ threat qualifier threshold before certain
information can be provided by a telecommunications provider or carrier from
sections 287 and 300 of the Act.[17]
The Bill does not, however, change the requirement that
the person being asked to disclose the information, or the document, reasonably
‘believes’ the seriousness of the threat and the necessity of the disclosure to
prevent or lessen that threat, rather than reasonably ‘suspecting’ as
recommended in two NSW Coroner reports.[18]
In addition to removing the ‘imminent’ threat qualifier
threshold, the Bill adds an important safeguard: the first person (that is, the
entity or person being asked to disclose the information) needs to be satisfied
that ‘it is unreasonable or impracticable to obtain the other person’s consent
to the proposed disclosure or use’.[19]
This means a person can only disclose information or documents if the following
criteria are met:
- the
information or document relates to the affairs or personal particulars of
another person and
- the
first person believes on reasonable grounds that the disclosure or use is
reasonably necessary to prevent or lessen a serious threat to the life or
health of a person and
- the
first person is satisfied that it is unreasonable or impracticable to obtain
the other person’s consent to the proposed disclosure or use.
Issue: who
determines if a threat is ‘serious’?
Currently, the Act requires that the person being asked to
disclose the information or document, believes, on ‘reasonable grounds’, the
seriousness of the threat to the health or safety of a person, and the
necessity of the disclosure to prevent or lessen that threat.[20]
The Explanatory Memorandum notes:
The Parliament intends that regulated entities would largely
be reliant on the representations made by law enforcement or emergency service
organisations to determine whether a threat was ‘serious’. This approach is
consistent with the expecting [sic] operational approach of law enforcement
agencies, and recognises that law enforcement or emergency service
organisations will have access to information, systems and resources that
telecommunications companies will not.[21]
Whilst this is the stated intention, the Bill does not
alter the legal burden. That is, it does not change the requirement that the
person being asked to disclose the information or document must themselves
believe, on reasonable grounds, both the seriousness of the threat and the
necessity of disclosing the information or documents requested.
Issue:
application to information other than mobile phone triangulation
The Explanatory Memorandum and the Minister’s second reading
speech both reference the barriers that the ‘imminent’ threat qualifier places
on locating missing persons using mobile phone triangulation as reasons for the
proposed changes.[22]
However, section 287 of the Act applies to a range of telecommunications
related information and documents, not just mobile phone triangulation
information. The Bill does not confine the proposed changes to mobile phone
triangulation information or to missing person cases.
As such, the changes will apply to a broad range of
telecommunications related information. In the past, information other than
mobile phone triangulation information, including, potentially, ‘metadata’, has
been provided to law enforcement agencies under section 287 of the Act (noting
alternative disclosure mechanisms also now exist under the Telecommunications
(Interception and Access) Act 1979 (TIA Act)).[23]
Policy
position of non-government parties/independents on changes to sections 287 and
300
Media reports suggest that the Australian Greens have
concerns about the Bill widening
law enforcement access to personal data.[24]
At the time of writing the position of other non-government parties and
independents on the relevant measure could not be determined.
Position of
major interest groups on changes to sections 287 and 300
The Explanatory Memorandum notes that a targeted consultation
process was conducted with key stakeholders on the measures in the Bill,
including the Office of the Australian Information Commissioner (Information
Commissioner), state and territory law enforcement who the Explanatory
Memorandum advises ‘have expressed support for the Bill’. Select industry
stakeholders, including ‘the Communications Alliance, and major carriers’, were
also consulted, including by being provided with a ‘pre-introduction version of
the Bill’. [25]
At the time of writing the position of the industry
stakeholders referred to in the Explanatory Memorandum on the measure could not
be determined. The New South Wales Council for Civil Liberties expressed concerns about
the measure:
The changes will allow emergency services more opportunity to
apply for a warrant to request location triangulation data from phone companies
to find missing people at risk…. the potential for misuse of location data, collected
by everyone from telecommunications companies to Google, is enormous and people
are rightly concerned this information could be misused. There must be a strong
regime of protection in place, training and goverance [sic] to ensure police
and other agencies properly protect private information.[26]
Issues with the operation of existing section 285 of the Telecommunications Act 1997
The IPND,
which was established in 1998, is a database maintained by Telstra of all
listed and unlisted telephone numbers and associated customer data—namely, the
name and address of the customer, the customer’s service location, the name of
the carriage service provider, and whether the telephone is to be used for
government, business, charitable or private purposes.[27]
The use and disclosure of information in the IPND is
subject to Part 13 of the Act. In particular, section 285 of the Act allows use
or disclosure of IPND information (other than information relating to an unlisted
telephone number) about the affairs or personal particulars of a person for
purposes connected with:
- provision
of directory assistance services by or on behalf of a carriage service provider
- publication
and maintenance of a directory of public numbers
- dealing
with matters raised by a call to an emergency service number.
Further, Telstra’s carrier licence
also limits the purposes for which IPND information can be used and disclosed,
including that it can be disclosed only to a carriage service provider to
enable the provider to: provide directory assistance, operator assistance or
operator services, produce a public number directory, provide location
dependent carriage services, or assist emergency call services and enforcement
agencies.[28]
The ALRC summarised
the issues with operation of section 285 of the Act in the following terms:
Section 285 currently restricts the permitted use and
disclosure of IPND information for the purpose of emergency call services to
listed numbers. Optus submitted that s 285 should be revised to clarify that both
unlisted and listed numbers can be used and disclosed for matters raised by
a call to an emergency service number. Most individuals would reasonably expect
the disclosure of an unlisted number in an emergency call situation.[29]
[emphasis added]
The Explanatory Memorandum to the Bill reinforces this
finding noting:
the current situation is needlessly complicated. Only 5% of
72 million active phone number are listed, with mobile numbers unlisted by default,
this provision can seemingly be a barrier in responding to emergencies.[30]
Previous
recommendations regarding section 285
The ALRC recommended
in 2008 that in the interest of the health and safety of individuals:
the Telecommunications Act should permit the
disclosure of an unlisted number contained in the IPND if the disclosure is
made to another person for purposes connected with dealing with the matter or
matters raised by a call to an emergency service number.[31]
[emphasis added]
The Bill widens
disclosure of IPND information to include unlisted mobile phone information
The Bill amends the Act in a manner consistent with the
ALRC recommendation.[32]
It does this by authorising the use and disclosure of information and documents
relating to the carriage service supplied or intended to be supplied or the
personal affairs or particulars of a person (such as a person’s unlisted
landline or mobile numbers and associated addresses) contained in an IPND, to
emergency call persons where:
- the
use or disclosure of such information is for purposes connected with dealing
with the matter or matters raised by a call to an emergency service number and
- it
is unreasonable or impracticable to obtain the person’s consent to the
particular disclosure or use.[33]
Critically, due to the drafting of proposed subsection
285(1B) (at item 6 of Schedule 1 to the Bill), this will
apply to information regarding mobile phones, which are by default unlisted
numbers and hence currently outside the existing section 285 disclosure regime.
Policy
position of non-government parties/independents
At the time of writing the position of non-government
parties and independents on the relevant measure could not be determined.
Position of
major interest groups
As noted above, the Explanatory Memorandum states that a
targeted consultation process was conducted with key stakeholders on the
measures in the Bill.[34]
At the time of writing the position of the industry stakeholders referred to in
the Explanatory Memorandum on the measure could not be determined.
Facilitating
assistance to Commonwealth, state and territory emergency organisations
During national emergencies, telecommunications carriers
and carriage service providers may be asked by the Commonwealth, states or territories
to provide help as reasonably necessary in connection with preparing for,
responding to or recovering from an emergency.
The Explanatory Memorandum notes that, due to a drafting
error in the National
Emergency Declaration Act 2020, when a national emergency
declaration under that Act is in force, carriers, carriage service providers
and carriage service intermediaries do not currently have civil immunity from
various prohibitions on the disclosure of telecommunications information when providing
help as is reasonably necessary for specific purposes in connection with preparing
for, responding to, or recovering from an emergency in accordance with their duty
under subsections 313(4A) or (4B) of the Act.[35]
The Bill will confer the relevant civil immunities ‘as
originally intended’, which the Explanatory Memorandum notes:
… reflects the intention that such entities should not be
liable to an action or other proceeding for damages for or in relation to an
act done or omitted in good faith in compliance with the statutory duty.
The amendment is consistent with similar provisions relating
to the ‘giving of help as is reasonably necessary’ in connection with
safeguarding national security and protecting public revenue in the Act, and
corrects a drafting error in the National Emergency Declaration Act 2020.[36]
Policy
position of non-government parties/independents
At the time of writing the position of non-government
parties and independents on the relevant measure could not be determined.
Position of
major interest groups
As noted above, the Explanatory Memorandum states that a targeted
consultation process was conducted with key stakeholders on the measures in the
Bill.[37]
At the time of writing the position of the industry stakeholders referred to in
the Explanatory Memorandum on the measure could not be determined.
Commencement
of proposed changes
The changes proposed by Part 1 of the Bill examined
above will commence the day after the Act receives Royal Assent.[38]
Item 11 provides that the changes to sections 285, 287 and 300 of the
Act discussed above apply in relation to the use and disclosure of information
by a person after the commencement of Part 1, regardless of when the
information came to the person’s knowledge or the documents came into the
person’s possession. The civil immunities will apply prospectively only; that
is, in relation to an act done or omitted by a person after the commencement of
Part 1.
Strengthening
disclosure record keeping requirements
Part 13 of the Act requires carriers, carriage service
providers and IPND operators to create and retain records of certain
disclosures of information protected by Part 13. These records must be provided
to the Australian Communications and Media Authority (ACMA) at the end of each
financial year, and the Information Commissioner monitors compliance with the
recordkeeping requirements.[39]
Issues with the operation of existing section record
keeping requirements
In its supplementary
submission to the Parliamentary Joint Committee on Intelligence and
Security Review
of the Mandatory Data Retention Regime the Information Commissioner
noted the information that these records must contain include:
- the
name of the person making the disclosure
- the
date of the disclosure
- the
grounds for the disclosure (such as the legislative provision under which the
disclosure is authorised)
- any
applicable authorisation under the TIA Act
- any
other bodies involved in the request and
- the
telecommunications service used.[40]
Critically, however, the Information Commissioner observed
that:
Service providers are not required to keep records of
information relating to the kinds of information included in a disclosure, such
as the types of telecommunications data that were disclosed. This means
that the OAIC’s inspections under section s 309 of the Telecommunications Act
do not allow officers to consider whether only necessary personal information
is being disclosed by service providers when responding to information requests
from enforcement agencies.[41]
[emphasis added]
Previous
recommendations regarding section 285
In 2008, the ALRC proposed that:
Telecommunications service providers should report on when
they disclose information pursuant to one of the exceptions in Part 13. Each
exception upon which a decision to disclose information or a document is based,
however, does not need to be recorded when that decision is based on more than
one of the exceptions in Part 13 of the Act.[42]
In 2020, the Information Commissioner recommended that the
Act be amended to require telecommunications service providers to keep more
detailed records relating to the kinds of information included in disclosures,
allowing it to:
… oversee the extent to which service providers comply with
such a requirement, utilising the monitoring functions conferred by s 309 of
the Telecommunications Act.[43]
The Explanatory Memorandum to the Bill notes that the Bill
will require more detailed records of information to be kept for authorised
disclosures, consistent with the above recommendation of the Information
Commissioner.[44]
The Bill changes
the information that must be recorded about disclosures under Part 13
Part 2 of Schedule 1 of the Bill will, consistent
with the recommendations noted above, amend the existing requirements to record
disclosures of certain information by telecommunications entities. It will increase
record keeping requirements to enable oversight of underlying laws or warrants
which required or authorised a disclosure, consistent with the recommendations
noted above. It does this by imposing the following record keeping obligations:
- where
disclosure of protected information occurs in accordance with a warrant and
paragraph 280(1)(a) of the Act[45]
applies to the disclosure:
- the
provision of the law under which the warrant was issued
- the
name of the person who issues the warrant and
- the
date of issuing
will need to be recorded by the
carrier, provider or IPND operator
- where
the disclosure of protected information is authorised or required under a law
and paragraph 280(1)(b) of the Act[46]
applies to the disclosure, the relevant provision of the law which required or
authorised the disclosure will need to be recorded by the carrier, provider or
number-database operator.[47]
The Bill also requires that where the information or
document includes information covered by the table in subsection 187AA(1) of
the TIA Act, or otherwise specified in a determination made by the
Minister, the numbers of such items and a description of the content of those
items, to the extent that the content relates to the information or document,
must be recorded.[48]
Examples of such information include:
- any
name or address information or other information for identification purposes
relating to the relevant service, being information used by the service
provider for the purposes of identifying the subscriber of the relevant service
- the
source or destination of a communication and
- the
location of equipment, or a line, used in connection with a communication.[49]
Policy
position of non-government parties/independents
At the time of writing the position of non-government
parties and independents on the relevant measure could not be determined.
Position of
major interest groups
As noted above, the Explanatory Memorandum states that a
targeted consultation process was conducted with key stakeholders on the
measures in the Bill.[50]
At the time of writing the position of the industry stakeholders referred to in
the Explanatory Memorandum on the measure could not be determined.
Commencement
of proposed changes
The changes proposed by Part 2 of the Bill examined
above will commence 6 months after the Act receives Royal Assent.[51]
In her second reading speech on the Bill, the Minister explained that the
delayed commencement of this Part reflects concern expressed by
telecommunication providers that ‘time would be needed to implement IT changes
for the enhanced disclosure record keeping’.[52]
Item 15 provides that the changes to the rules
about the recording of disclosures discussed above apply only to the disclosure
of information or documents after the commencement of Part 2, but the
scope of information or document captured by the new record keeping provisions
covers any information or document that is in the person’s possession or
knowledge at the time of the proposed disclosure.[53]
Concluding comments
The Bill responds to long-known issues regarding the
disclosure of telecommunications related information to law enforcement and
emergency agencies and associated record keeping and transparency measures. As
such, whilst some concerns have been raised about the potential privacy impacts
of the Bill if the new powers were misused, the Bill appears to be relatively
uncontroversial.