Bills Digest No. 41, 2022–23

Telecommunications Legislation Amendment (Information Disclosure, National Interest and Other Measures) Bill 2022

Infrastructure, Transport, Regional Development, Communications and the Arts

Author

Jaan Murphy

Go to a section

Key points

  • The Bill will allow telecommunications companies to more easily provide assistance to law enforcement agencies and emergency service organisations in relation to:
    • preventing or lessening serious threats to a person's life or health and
    • calls to emergency service numbers.
  • The Bill will also:
    • confer civil immunities on telecommunications companies for the provision of reasonably necessary assistance to the Commonwealth, states or territories to respond during emergencies if a national emergency declaration is in force and
    • amend the existing requirements to record disclosures of certain information by telecommunications companies by increasing record keeping requirements and the level of detail of such records.
Introductory Info Date introduced: 10 November 2022
House: House of Representatives
Portfolio: Infrastructure, Transport, Regional Development, Communications and the Arts
Commencement: As set out in the body of this Bills Digest.

Purpose of the Bill

The purpose of the Telecommunications Legislation Amendment (Information Disclosure, National Interest and Other Measures) Bill 2022 (the Bill) is to amend the Telecommunications Act 1997 (the Act) and other legislation to:

  • better facilitate assistance by the telecommunications industry to law enforcement agencies and emergency service organisations by:
    • removing the ‘imminent’ threat qualifier before certain information can be provided and
    • authorising the use and disclosure of unlisted numbers (for example, mobile phone numbers) and associated addresses for the purpose of dealing with matters raised by a call to an emergency service number
  • confer civil immunities on telecommunications companies for the provision of reasonably necessary assistance to the Commonwealth, states or territories to respond during emergencies if a national emergency declaration is in force
  • amend the existing requirements to record disclosures of certain information by telecommunications companies by increasing record keeping requirements and the level of detail recorded to better enable oversight of underlying laws or warrants which required or authorised a disclosure and
  • making technical amendments to other legislation to ensure that relevant obligations and measures in that Act will commence as originally intended.[1]

Structure of the Bill

The Bill has one Schedule, divided into three parts. Part 1 contains the amendments that deal with, broadly speaking, information disclosure to:

  • law enforcement agencies
  • emergency services and
  • Commonwealth, state and territory agencies responding to emergencies when a national emergency declaration is in force.

Part 2 contains the amendments that deal with recording disclosures of certain information, including under warrants. Part 3 contains technical amendments to other legislation, which are not examined in this Digest.

Background

The Telecommunications Act 1997 (the Act) regulates telecommunications in general including the types of information that can be disclosed by telecommunications providers and carriers to law enforcement agencies and emergency service organisations, and the circumstances in which that is allowed. The Act also imposes several record-keeping requirements related to such disclosures on telecommunications carriers, providers or integrated public number database (IPND) operators.[2] A brief description of and background to the IPND is set out under the heading ‘Issues with the operation of existing section record keeping requirements’ below.

The Bill responds to several recommendations by, for instance, the Australian Law Reform Commission and State coroners, about the long-standing and well-known issue that the current drafting allows disclosure where ‘it is reasonably necessary to prevent or lessen a serious and imminent threat to the life or health of a person’ [emphasis added].[3] The need for the threat to be ‘imminent’ has hindered the disclosure of information about the location of missing persons, which can be determined by mobile phone triangulation.

Further background information on the measures is provided below under the Key issues and provisions part of the Digest.

Committee consideration

At the time of writing, the Bill had not been referred to any Committee for consideration.

Senate Standing Committee for the Scrutiny of Bills

At the time of writing the Senate Standing Committee for the Scrutiny of Bills had not considered the Bill.

Policy position of non-government parties/independents

Where able to be identified, the policy position of non-government parties and independents in relation to each measure is set out below under the Key issues and provisions part of the Digest.

Position of major interest groups

When able to be identified, the position of major interest groups is set out in relation to each measure is set out below under the Key issues and provisions part of the Digest.

Financial implications

The Explanatory Memorandum states that there are no financial impacts on the Commonwealth arising from the measures contained in the Bill.[4]

Statement of Compatibility with Human Rights

As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bill is compatible.[5]

Parliamentary Joint Committee on Human Rights

At the time of writing the Parliamentary Joint Committee on Human Rights had not considered the Bill.

Key issues and provisions

This Digest examines the measures dealing with facilitating assistance to law enforcement agencies, emergency agencies, Commonwealth, state and territory agencies during national emergencies and strengthening disclosure record keeping requirements.

Background: prohibition on disclosing certain information and existing exemptions

Part 13 of the Act provides for protection of the confidentiality of the contents of communications carried by carriers and carriage service providers; of the carriage service supplied by them, and of the affairs and personal particulars of other persons (notably, customers and end-users of carriage services). Whilst this includes personal information about individuals, relevant to the Bill it also includes information about telecommunications, including for example information about the location of a mobile handset (section 275A of the Act makes clear that information about location of a mobile phone is to be taken to be information about the affairs of a customer for these purposes).

Under the Act, it is an offence for eligible persons to disclose or use information protected by Part 13, otherwise than for the purpose of delivering carriage services or related telecommunications industry functions.[6] There are limited exceptions which permit the provision of this information to third parties, as examined below.

Facilitating assistance to law enforcement agencies

The Act facilities telecommunications carriers, providers and IPND operators providing assistance to law enforcement agencies by providing a number of exemptions to the prohibitions described above. Most relevantly to the Bill, the Act currently permits disclosure of information related to communications:

  • where it is reasonably necessary to prevent or lessen serious and imminent threats to a person's life or health (sections 287 and 300) and
  • in relation to the disclosure of information contained in an IPND, for various purposes, relevantly including the making of a call to an emergency service number.

These are examined below.

Issues with the operation of existing section 287 of the Telecommunications Act 1997

Mobile phone location data comes from a variety of sources including GPS signals and carrier mobile towers. Mobile carriers receive information about a phone’s proximity to mobile towers and by triangulation based on signal strength, an approximate location of that phone can be ascertained.[7]

Section 287 of the Act allows a telecommunications provider to disclose information or documents about another person (a primary disclosure), including the location of the person’s mobile phone. In turn, section 300 allows a person who received such information, including location of a mobile phone, to disclose that information or document to another person (a secondary disclosure) to prevent or lessen a serious and imminent threat to the life or health of another person.

Location data is often regarded as sensitive, due to its potential use in identifying an individual by drawing insights from the location of the individual, or to track an individual.[8] It is for this reason that such information is invaluable in missing person cases. For example, in 2020, the NSW Coroner noted that:

… the reality is triangulation is an incredibly useful tool for missing persons investigations. These days most people are carrying a mobile phone or some other device that can be located using triangulation.[9]

In 2008 the Australian Law Reform Commission (ALRC), in its report “For your Information; Australian Privacy Law and Practice”, summarised the issues with operation of sections 287 and 300 of the Act in the following terms:

…disclosure of information is permitted if the information or document relates to the affairs or personal particulars (including any unlisted telephone number or any address) of another person, and the first person believes on reasonable grounds that the use or disclosure is reasonably necessary to prevent or lessen a serious and imminent threat to the life or health of a person… At this point it is often too late to take meaningful preventative action.[10] [emphasis added]

The Explanatory Memorandum to the Bill reinforces this finding noting:

In a number of missing persons cases, law enforcement agencies have experienced practical challenges in ascertaining reasonable belief about the ‘imminence’ of a threat to the life or health of a person, even when the seriousness of the threat was clearly established. In both the Inquest into the death of Thomas Hunt (findings released 4 September 2020), and another recent inquest which has not been made public, the ‘imminent’ qualifier was a barrier to progressing a triangulation request that may have helped locate the individuals in question. A New South Wales Deputy State Coroner has recommended the Commonwealth urgently reform section 287 of the Act by removing the qualifier of an ‘imminent’ threat in the provision.[11] [emphasis added]

It has been noted that ‘imminent’ is viewed, and often applied in practice, as meaning that such a threat will occur within a very short period of time, generally a few hours.[12]

Previous recommendations regarding sections 287 and 300

The issues regarding the ‘imminent’ threshold for disclosure under section 287 of the Act have been examined previously. The ALRC recommended in 2008:

Sections 287 and 300 of the Telecommunications Act 1997 (Cth) should be amended to provide that a use or disclosure by a ‘person’, as defined under the Act, of information or a document is permitted if:

(a)   the information or document relates to the affairs or personal particulars (including any unlisted telephone number or any address) of another person; and

(b)   the person reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to a person’s life, health or safety.[13]

That is, the ALRC recommend the removal of the ‘imminent’ threshold. Likewise, a New South Wales Deputy State Coroner noted:

185.    Having regard to the evidence set out above, the following recommendations are both necessary and desirable, in accordance with s 82 of the Act:…

2.         That the Minister for Communications (Cth) be provided with the findings from this inquest and the evidence of Chief Inspector Gary Charlesworth, together with the findings in the Inquest into the death of Thomas James Hunt (dated 4 September 2020) regarding issues as to the interpretation and practical operation of s 287 the Telecommunications Act 1997 in relation to missing person investigations, with a view to considering urgent reform of that provision, including as to whether to:

                a.     remove the qualifier of an “imminent” threat (consistent with the Australian Law Reform Commission Report 108 (2010 [sic]), Recommendation 72–7); and

                            b.     change the requirement of ‘belief’ to ‘suspicion’.[14]

The Thomas Hunt inquest report also noted:

… the State Coordination Unit that controls applications for triangulation have concern over the use of the word “belief” in s. 287; they would like that changed to “suspicion”’.[15]

The Bill removes the ‘imminent’ threat qualifier and adds a safeguard

The Bill aims to address the ALRC and NSW Coroner recommendations.[16] It does this by removing the ‘imminent’ threat qualifier threshold before certain information can be provided by a telecommunications provider or carrier from sections 287 and 300 of the Act.[17]

The Bill does not, however, change the requirement that the person being asked to disclose the information, or the document, reasonably ‘believes’ the seriousness of the threat and the necessity of the disclosure to prevent or lessen that threat, rather than reasonably ‘suspecting’ as recommended in two NSW Coroner reports.[18]

In addition to removing the ‘imminent’ threat qualifier threshold, the Bill adds an important safeguard: the first person (that is, the entity or person being asked to disclose the information) needs to be satisfied that ‘it is unreasonable or impracticable to obtain the other person’s consent to the proposed disclosure or use’.[19] This means a person can only disclose information or documents if the following criteria are met:

  • the information or document relates to the affairs or personal particulars of another person and
  • the first person believes on reasonable grounds that the disclosure or use is reasonably necessary to prevent or lessen a serious threat to the life or health of a person and
  • the first person is satisfied that it is unreasonable or impracticable to obtain the other person’s consent to the proposed disclosure or use.

Issue: who determines if a threat is ‘serious’?

Currently, the Act requires that the person being asked to disclose the information or document, believes, on ‘reasonable grounds’, the seriousness of the threat to the health or safety of a person, and the necessity of the disclosure to prevent or lessen that threat.[20]

The Explanatory Memorandum notes:

The Parliament intends that regulated entities would largely be reliant on the representations made by law enforcement or emergency service organisations to determine whether a threat was ‘serious’. This approach is consistent with the expecting [sic] operational approach of law enforcement agencies, and recognises that law enforcement or emergency service organisations will have access to information, systems and resources that telecommunications companies will not.[21]

Whilst this is the stated intention, the Bill does not alter the legal burden. That is, it does not change the requirement that the person being asked to disclose the information or document must themselves believe, on reasonable grounds, both the seriousness of the threat and the necessity of disclosing the information or documents requested.

Issue: application to information other than mobile phone triangulation

The Explanatory Memorandum and the Minister’s second reading speech both reference the barriers that the ‘imminent’ threat qualifier places on locating missing persons using mobile phone triangulation as reasons for the proposed changes.[22] However, section 287 of the Act applies to a range of telecommunications related information and documents, not just mobile phone triangulation information. The Bill does not confine the proposed changes to mobile phone triangulation information or to missing person cases.

As such, the changes will apply to a broad range of telecommunications related information. In the past, information other than mobile phone triangulation information, including, potentially, ‘metadata’, has been provided to law enforcement agencies under section 287 of the Act (noting alternative disclosure mechanisms also now exist under the Telecommunications (Interception and Access) Act 1979 (TIA Act)).[23]

Policy position of non-government parties/independents on changes to sections 287 and 300

Media reports suggest that the Australian Greens have concerns about the Bill widening law enforcement access to personal data.[24] At the time of writing the position of other non-government parties and independents on the relevant measure could not be determined.

Position of major interest groups on changes to sections 287 and 300

The Explanatory Memorandum notes that a targeted consultation process was conducted with key stakeholders on the measures in the Bill, including the Office of the Australian Information Commissioner (Information Commissioner), state and territory law enforcement who the Explanatory Memorandum advises ‘have expressed support for the Bill’. Select industry stakeholders, including ‘the Communications Alliance, and major carriers’, were also consulted, including by being provided with a ‘pre-introduction version of the Bill’. [25]

At the time of writing the position of the industry stakeholders referred to in the Explanatory Memorandum on the measure could not be determined. The New South Wales Council for Civil Liberties expressed concerns about the measure:

The changes will allow emergency services more opportunity to apply for a warrant to request location triangulation data from phone companies to find missing people at risk…. the potential for misuse of location data, collected by everyone from telecommunications companies to Google, is enormous and people are rightly concerned this information could be misused. There must be a strong regime of protection in place, training and goverance [sic] to ensure police and other agencies properly protect private information.[26]

Issues with the operation of existing section 285 of the Telecommunications Act 1997

The IPND, which was established in 1998, is a database maintained by Telstra of all listed and unlisted telephone numbers and associated customer data—namely, the name and address of the customer, the customer’s service location, the name of the carriage service provider, and whether the telephone is to be used for government, business, charitable or private purposes.[27]

The use and disclosure of information in the IPND is subject to Part 13 of the Act. In particular, section 285 of the Act allows use or disclosure of IPND information (other than information relating to an unlisted telephone number) about the affairs or personal particulars of a person for purposes connected with:

  • provision of directory assistance services by or on behalf of a carriage service provider
  • publication and maintenance of a directory of public numbers
  • dealing with matters raised by a call to an emergency service number.

Further, Telstra’s carrier licence also limits the purposes for which IPND information can be used and disclosed, including that it can be disclosed only to a carriage service provider to enable the provider to: provide directory assistance, operator assistance or operator services, produce a public number directory, provide location dependent carriage services, or assist emergency call services and enforcement agencies.[28]

The ALRC summarised the issues with operation of section 285 of the Act in the following terms:

Section 285 currently restricts the permitted use and disclosure of IPND information for the purpose of emergency call services to listed numbers. Optus submitted that s 285 should be revised to clarify that both unlisted and listed numbers can be used and disclosed for matters raised by a call to an emergency service number. Most individuals would reasonably expect the disclosure of an unlisted number in an emergency call situation.[29] [emphasis added]

The Explanatory Memorandum to the Bill reinforces this finding noting:

the current situation is needlessly complicated. Only 5% of 72 million active phone number are listed, with mobile numbers unlisted by default, this provision can seemingly be a barrier in responding to emergencies.[30]

Previous recommendations regarding section 285

The ALRC recommended in 2008 that in the interest of the health and safety of individuals:

the Telecommunications Act should permit the disclosure of an unlisted number contained in the IPND if the disclosure is made to another person for purposes connected with dealing with the matter or matters raised by a call to an emergency service number.[31] [emphasis added]

The Bill widens disclosure of IPND information to include unlisted mobile phone information

The Bill amends the Act in a manner consistent with the ALRC recommendation.[32] It does this by authorising the use and disclosure of information and documents relating to the carriage service supplied or intended to be supplied or the personal affairs or particulars of a person (such as a person’s unlisted landline or mobile numbers and associated addresses) contained in an IPND, to emergency call persons where:

  • the use or disclosure of such information is for purposes connected with dealing with the matter or matters raised by a call to an emergency service number and
  • it is unreasonable or impracticable to obtain the person’s consent to the particular disclosure or use.[33]

Critically, due to the drafting of proposed subsection 285(1B) (at item 6 of Schedule 1 to the Bill), this will apply to information regarding mobile phones, which are by default unlisted numbers and hence currently outside the existing section 285 disclosure regime.

Policy position of non-government parties/independents

At the time of writing the position of non-government parties and independents on the relevant measure could not be determined.

Position of major interest groups

As noted above, the Explanatory Memorandum states that a targeted consultation process was conducted with key stakeholders on the measures in the Bill.[34] At the time of writing the position of the industry stakeholders referred to in the Explanatory Memorandum on the measure could not be determined.

Facilitating assistance to Commonwealth, state and territory emergency organisations

During national emergencies, telecommunications carriers and carriage service providers may be asked by the Commonwealth, states or territories to provide help as reasonably necessary in connection with preparing for, responding to or recovering from an emergency.

The Explanatory Memorandum notes that, due to a drafting error in the National Emergency Declaration Act 2020, when a national emergency declaration under that Act is in force, carriers, carriage service providers and carriage service intermediaries do not currently have civil immunity from various prohibitions on the disclosure of telecommunications information when providing help as is reasonably necessary for specific purposes in connection with preparing for, responding to, or recovering from an emergency in accordance with their duty under subsections 313(4A) or (4B) of the Act.[35]

The Bill will confer the relevant civil immunities ‘as originally intended’, which the Explanatory Memorandum notes:

… reflects the intention that such entities should not be liable to an action or other proceeding for damages for or in relation to an act done or omitted in good faith in compliance with the statutory duty.

The amendment is consistent with similar provisions relating to the ‘giving of help as is reasonably necessary’ in connection with safeguarding national security and protecting public revenue in the Act, and corrects a drafting error in the National Emergency Declaration Act 2020.[36]

Policy position of non-government parties/independents

At the time of writing the position of non-government parties and independents on the relevant measure could not be determined.

Position of major interest groups

As noted above, the Explanatory Memorandum states that a targeted consultation process was conducted with key stakeholders on the measures in the Bill.[37] At the time of writing the position of the industry stakeholders referred to in the Explanatory Memorandum on the measure could not be determined.

Commencement of proposed changes

The changes proposed by Part 1 of the Bill examined above will commence the day after the Act receives Royal Assent.[38] Item 11 provides that the changes to sections 285, 287 and 300 of the Act discussed above apply in relation to the use and disclosure of information by a person after the commencement of Part 1, regardless of when the information came to the person’s knowledge or the documents came into the person’s possession. The civil immunities will apply prospectively only; that is, in relation to an act done or omitted by a person after the commencement of Part 1.

Strengthening disclosure record keeping requirements 

Part 13 of the Act requires carriers, carriage service providers and IPND operators to create and retain records of certain disclosures of information protected by Part 13. These records must be provided to the Australian Communications and Media Authority (ACMA) at the end of each financial year, and the Information Commissioner monitors compliance with the recordkeeping requirements.[39]

Issues with the operation of existing section record keeping requirements

In its supplementary submission to the Parliamentary Joint Committee on Intelligence and Security Review of the Mandatory Data Retention Regime the Information Commissioner noted the information that these records must contain include:

  • the name of the person making the disclosure
  • the date of the disclosure
  • the grounds for the disclosure (such as the legislative provision under which the disclosure is authorised)
  • any applicable authorisation under the TIA Act
  • any other bodies involved in the request and
  • the telecommunications service used.[40]

Critically, however, the Information Commissioner observed that:

Service providers are not required to keep records of information relating to the kinds of information included in a disclosure, such as the types of telecommunications data that were disclosed. This means that the OAIC’s inspections under section s 309 of the Telecommunications Act do not allow officers to consider whether only necessary personal information is being disclosed by service providers when responding to information requests from enforcement agencies.[41] [emphasis added]

Previous recommendations regarding section 285

In 2008, the ALRC proposed that:

Telecommunications service providers should report on when they disclose information pursuant to one of the exceptions in Part 13. Each exception upon which a decision to disclose information or a document is based, however, does not need to be recorded when that decision is based on more than one of the exceptions in Part 13 of the Act.[42]

In 2020, the Information Commissioner recommended that the Act be amended to require telecommunications service providers to keep more detailed records relating to the kinds of information included in disclosures, allowing it to:

… oversee the extent to which service providers comply with such a requirement, utilising the monitoring functions conferred by s 309 of the Telecommunications Act.[43]

The Explanatory Memorandum to the Bill notes that the Bill will require more detailed records of information to be kept for authorised disclosures, consistent with the above recommendation of the Information Commissioner.[44]

The Bill changes the information that must be recorded about disclosures under Part 13

Part 2 of Schedule 1 of the Bill will, consistent with the recommendations noted above, amend the existing requirements to record disclosures of certain information by telecommunications entities. It will increase record keeping requirements to enable oversight of underlying laws or warrants which required or authorised a disclosure, consistent with the recommendations noted above. It does this by imposing the following record keeping obligations:

  • where disclosure of protected information occurs in accordance with a warrant and paragraph 280(1)(a) of the Act[45] applies to the disclosure:
    • the provision of the law under which the warrant was issued
    • the name of the person who issues the warrant and
    • the date of issuing
    will need to be recorded by the carrier, provider or IPND operator
  • where the disclosure of protected information is authorised or required under a law and paragraph 280(1)(b) of the Act[46] applies to the disclosure, the relevant provision of the law which required or authorised the disclosure will need to be recorded by the carrier, provider or number-database operator.[47]

The Bill also requires that where the information or document includes information covered by the table in subsection 187AA(1) of the TIA Act, or otherwise specified in a determination made by the Minister, the numbers of such items and a description of the content of those items, to the extent that the content relates to the information or document, must be recorded.[48] Examples of such information include:

  • any name or address information or other information for identification purposes relating to the relevant service, being information used by the service provider for the purposes of identifying the subscriber of the relevant service
  • the source or destination of a communication and
  • the location of equipment, or a line, used in connection with a communication.[49]

Policy position of non-government parties/independents

At the time of writing the position of non-government parties and independents on the relevant measure could not be determined.

Position of major interest groups

As noted above, the Explanatory Memorandum states that a targeted consultation process was conducted with key stakeholders on the measures in the Bill.[50] At the time of writing the position of the industry stakeholders referred to in the Explanatory Memorandum on the measure could not be determined.

Commencement of proposed changes

The changes proposed by Part 2 of the Bill examined above will commence 6 months after the Act receives Royal Assent.[51] In her second reading speech on the Bill, the Minister explained that the delayed commencement of this Part reflects concern expressed by telecommunication providers that ‘time would be needed to implement IT changes for the enhanced disclosure record keeping’.[52]

Item 15 provides that the changes to the rules about the recording of disclosures discussed above apply only to the disclosure of information or documents after the commencement of Part 2, but the scope of information or document captured by the new record keeping provisions covers any information or document that is in the person’s possession or knowledge at the time of the proposed disclosure.[53]

Concluding comments

The Bill responds to long-known issues regarding the disclosure of telecommunications related information to law enforcement and emergency agencies and associated record keeping and transparency measures. As such, whilst some concerns have been raised about the potential privacy impacts of the Bill if the new powers were misused, the Bill appears to be relatively uncontroversial.