6.1
This chapter discusses the powers provided to the Australian Security Intelligence Organisation (ASIO) by Schedule 5 of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act) in relation to voluntary and compulsory assistance requests and the Director-General of Security’s statutory powers to confer immunity from civil liability for actions undertaken at the request of ASIO.
Overview of Schedule 5 powers
6.2
Prior to the introduction of the powers under Schedule 5 of the TOLA Act, ASIO did not have the power to compel assistance from a person in relation to accessing a computer, in contrast to the existing powers given to the Australian Federal Police (AFP) and Australian Border Force (ABF) to compel assistance in appropriate circumstances.
6.3
Powers akin to those available to the AFP and the ABF were conferred by a new s34AAA of the Australian Security Intelligence Organisation Act 1979 (ASIO Act), inserted by amendments in the TOLA Act to allow for a voluntary and compulsory assistance framework.
6.4
At the request of the Director-General of Security, the Attorney-General may issue a compulsory assistance order compelling a person to assist in accessing data held on a computer or storage device. The INSLM said that compulsory assistance orders must have a tangible connection to an existing warrant:
The computer or data storage device the subject of an order must have a prescribed connection to a warrant. For instance, the computer or storage device must be the subject of a warrant, or on warrant premises, or be removed or seized under warrant, or found in the course of a search of a person authorised by warrant. The effect of this is that s 34AAA is only available in respect of a computer or device that is already lawfully available to ASIO.
6.5
Additional requirements apply when the computer or device is not on the premises to which the underlying authorising warrant relates, as outlined by the Department of Home Affairs:
Subsection 34AAA(3) provides additional conditions or safeguards which require the compulsory assistance order to have regard for the fact that the premises in which the relevant computer or data storage device is located is not the premises that is specified in the warrant in force.
In such circumstances, the order must: specify the period within which the person must provide the information or assistance; and specify the place at which the person must provide the information or assistance; and specify the conditions (if any) determined by the Attorney-General as the conditions to which the requirement on the person to provide the information or assistance is subject.
6.6
Mr Mike Burgess, Director-General, ASIO said that compulsory assistance orders would be used to require an individual to share information to gain access to a device and associated material:
… it's the issue where they've got a device that they have a password or PIN code to and we would require them to share that with us so we could get access to the device and the material on the device.
6.7
Prior to issuing the order, the INSLM indicated that there are a number of matters that must be satisfied:
The Attorney-General may make an order under s 34AAA where satisfied of various things, including the purpose and importance of obtaining the data; that the person the subject of the order has a sufficient connection with the computer or device (or, if not, that he or she is suspected of ‘being involved in activities that are prejudicial to security’); and that the person has the knowledge to comply with the order.
6.8
Penalties apply to a failure to comply with a compulsory assistance order when a person is capable of doing so – at the time of this inquiry the penalty included five years’ imprisonment or a monetary penalty of 300 units.
6.9
Under the voluntary assistance framework, the Director-General may request a person or body to engage in conduct to assist ASIO in the performance of its functions, where such conduct doesn’t involve the commission of an offence against Australian law or result in significant loss or damage to property. The voluntary assistance framework also provides for circumstances where an individual may provide information, including producing a document or making one or more copies of a document, without a specific request from the Director-General of Security.
6.10
Though the ASIO Act empowered the Attorney-General to confer on a person protection from civil or criminal liability where the person engaged in ‘special intelligence conduct’, there was no more general immunity power available to ASIO until the introduction of the TOLA Act.
6.11
For both voluntary assistance requests and unsolicited disclosure of information, undertaking actions in compliance with the requirements of the section confers immunity from civil liability. The INSLM noted that the conferral of this immunity is not absolute:
The immunity that s 21A confers on a person is not absolute. It only applies to conduct which the person engages in ‘in accordance with the request’ of the Director-General. Further, no protection against liability applies to conduct that involves an offence against Commonwealth, State or Territory law. Also, it does not apply to conduct that results in significant loss of or damage to property.
6.12
The INSLM further noted that the civil liability immunity for unsolicited disclosure of information applied to a narrower set of provisions than those available in a request made by the Director-General of Security under s 21A of the ASIO Act.
Remaining issues with Schedule 5 powers
Industry and civil society concerns
6.13
A number of concerns with the provisions in Schedule 5 were raised by the International Civil Liberties and Technology Coalition, and the Law Council of Australia (hereafter referred to as the Law Council).
6.14
The Law Council remained concerned that the Director-General of Security has the power to make a voluntary assistance request without statutory restriction, and that such a request confers immunity from civil liability – a power historically reserved for the Attorney-General of Australia.
6.15
The International Civil Liberties and Technology Coalition raised concerns about the broad drafting of provisions related to the voluntary assistance framework, which has been interpreted as providing ASIO with the ability to circumvent the technical assistance request (TAR) process in Schedule 1. This position was also supported by the Law Council.
6.16
While a number of the Law Council’s recommendations were addressed in part by amendments to the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, the Law Council indicated there were several ongoing concerns with the provisions of Schedule 5.
6.17
The Law Council suggested that the civil immunity provisions associated with the voluntary assistance requests should not cover ‘conduct that causes economic loss or physical or mental harm or injury which might otherwise constitute negligence’.
6.18
When the INSLM’s report was available, the Law Council made a number of additional recommendations in a supplementary submission to the inquiry to suggest clarification on aspects of the voluntary assistance powers under s21A of the ASIO Act:
Subsection 21A(1) request-based immunities should be:
subject to a maximum period of effect;
subject to an express statutory issuing criterion directed to assessing the reasonableness and proportionality of the request for voluntary assistance, including the impact of the civil immunity on third parties whose rights to legal remedies will be extinguished;
incapable of immunising the repeated provision of the same act of assistance (that is, a ‘standing request’ that continues indefinitely or for a prolonged period). Rather, a fresh s 21A request must be made for each act of assistance;
subject to express statutory provisions governing variation and revocation; and
subject to statutory notification requirements to the Attorney-General and IGIS, if ASIO becomes aware that the person providing voluntary assistance exceeds the limitations of the civil immunity. There should be a corresponding statutory obligation on ASIO to make all reasonable efforts to monitor the conduct of the person upon whom ASIO has conferred immunity under s 21A(1).
6.19
The International Civil Liberties and Technology Coalition said that the provision appeared to authorise ‘deprivation of liberty and/or inhumane treatment’. Similarly, the Law Council stated that the statute should clarify the interaction of the compulsory assistance orders with ASIO’s questioning warrant powers:
Further, there should be statutory clarification of the interaction of compulsory assistance orders under s 34AAA with ASIO’s questioning warrants. (That is, where a person who is attending for questioning under an ASIO questioning warrant is issued with a s 34AAA assistance notice during their attendance.)
For example, questions will arise about whether:
compulsory questioning under the questioning warrant may or must be paused for the purpose of executing the assistance order;
the time a person spends complying with the assistance order should be offset against the maximum questioning period under the questioning warrant, in recognition that the person is under coercion; and
the legal power of IGIS officials (who are in attendance to supervise compulsory questioning under the questioning warrant) attending the execution of the assistance order at the place of questioning.
Further, the Law Council suggested that consideration of such interactions should form part of the Attorney-General’s decision-making process.
6.20
The Law Council also made a number of suggestions regarding improved oversight of ASIO’s activities in this regard, which is discussed further in Chapter 7.
INSLM review and findings
6.21
The INSLM made a number of findings in relation to the voluntary assistance requests and compulsory assistance orders powers provided by Schedule 5 of the TOLA Act.
6.22
In relation to the Director-General of Security’s voluntary assistance request powers, the INSLM concluded that amendments should be made to limit the breadth of s21A(1) and clarify its scope. In the view of the INSLM, the ‘conduct’ that a person may be requested to engage in is an undefined term that may operate too broadly, and further, the provision is not necessary:
Section 21A(1) is both unnecessary and disproportionate. Given ASIO’s other powers to obtain information and assistance, I consider it is only necessary for ASIO to have power under s 21A(1) to request what equally could be volunteered under s 21A(5).
6.23
The INSLM noted that the insertion of s16A into the ASIO Act would allow the Director-General of Security to delegate powers to senior position-holders to authorise the making of voluntary assistance requests. The INSLM echoed the observation of the Law Council that allowing the Director-General of Security to confer immunity from civil liability was a significant step, and as a consequence, the INSLM recommended that the powers under s21A should be approved by the Director-General of Security or a Deputy Director-General only.
6.24
The INSLM noted that the legislation is not clear on the interaction between the voluntary assistance requests and TARs, noting that significantly more safeguards exist under the TAR process outlined in Schedule 1:
The power to issue a TAR under Part 15 of the Telecommunications Act, as introduced by Schedule 1 of TOLA, includes a number of important safeguards. So do other powers under the ASIO Act. It is necessary to make clear that s 21A does not empower the Director-General to circumvent those protections by making the request under s 21A instead.
The INSLM recommended that s21A(1) of the ASIO Act should be amended to make clear that the provisions as described do not allow the Director-General of Security to bypass the requirement to seek a TAR.
6.25
Additionally, the INSLM considered the adequacy of the civil liability provisions for voluntary assistance requests and unsolicited disclosure of information. While the provisions exempt unlawful conduct from conferral of civil immunity, the INSLM noted that conduct resulting in significant personal injury could result in the conferral of immunity, leaving the injured individual unable to seek compensation:
My chief concern is that a person who suffers injury as a result of conduct that ASIO requests not be deprived of the right to pursue compensation for interference to his or her quality of life or ability to earn a living. Only injury of some significance will sound in compensation in any case. On that basis, I consider it appropriate to limit the exclusion to conduct that causes death or serious personal injury to a person.
The INSLM recommended amendments to s21A(1)(e) and s21A(5)(e) to add that the conduct must not result in ‘death of or serious personal injury to any person’.
6.26
In relation to compulsory assistance orders, the INSLM received submissions recommending clarification of detention powers under s34AAA. During the course of the inquiry, the INSLM was satisfied that ASIO’s power would not be used as a power of detention:
I assess that there is no real risk that ASIO’s power will be construed or exercised as a power of detention, so I consider there is no need to introduce the safeguards that ordinarily apply to detention to which both the Australian Human Rights Commission and IGIS submissions refer.
However, the INSLM recommended expressly stating that the powers under s34AAA do not authorise the detention of a person where ASIO does not otherwise have a lawful basis to do so.
Government agency views
6.27
In relation to the INSLM’s recommendation to limit the Director-General’s power to confer immunity from civil liability to the types of conduct contained in the unsolicited disclosure of information provision, the Department of Home Affairs said that effective controls on the types of conduct which could have immunity from civil liability are already contained in the section, and amendments would provide a disincentive for cooperation:
The types of conduct where the conferral of civil immunity is available are effectively limited by the restrictions in paragraphs 21A(1)(d) and 21A(1)(e) to only conduct which does not amount to the commission of an offence against a law of the Commonwealth, a State or Territory, or which does not result in significant loss of, or serious damage to, property.
Implementing this recommendation could remove a potential incentive for external sources to cooperate with ASIO by closing an avenue to provide them with a limited civil immunity where their actions may otherwise give rise to an action against them.
6.28
Mr Mike Burgess, Director-General, ASIO indicated that implementing the INSLM’s recommendation to confine immunity powers to the same conduct as listed under s 21A(5) would cause operational difficulties for ASIO:
It was recommendation 19, which is that the scope of 21A(1) be limited to the scope of 21A(5). We think narrowing of those powers needs further consideration. We can use the current provisions under section 21A to provide legal protections to an entity that will provide voluntary assistance to us to physically access a facility. That is a circumstance where narrowing it would cause a problem for us, and therefore I don't agree with what the INSLM was thinking about. I'm sure he was thinking about information and access, but this is slightly different and we'd use it in a different way.
…
We believe it would stop us from doing things like asking someone for voluntary assistance to get physical access to a facility to set up an observation post, for example.
6.29
In addition, the Department of Home Affairs indicated that the INSLM’s recommendation to restrict the ability of the Director-General of Security to delegate voluntary assistance request powers may affect ASIO’s operational responsiveness in an emergency situation and further, that the ability to confer immunity through voluntary assistance as written is proportionate and appropriate:
The Director-General is responsible for issuing requests for assistance under section 21A of the ASIO Act. The Director-General represents the highest-level of authority in ASIO and is well equipped to consider the grounds of an order and considerations of reasonableness and necessity. Given the authority of the Director-General, the community can be satisfied that any request issued is proportionate and relevant for ASIO’s functions which includes maintaining national security.
6.30
In addition, the Department of Home Affairs said that the Director-General of Security’s ability to issue an evidentiary certificate under subsection 21A(8) provides the factual basis of the request and details how the conduct was likely to assist ASIO in its operations, giving further confidence on the use of the power.
6.31
The Inspector-General of Intelligence and Security (IGIS) raised a concern that there is no requirement set out in statute for the Director-General of Security to consider the reasonableness and proportionality of conduct associated with carrying out a voluntary assistance request. The IGIS noted this omission is in contrast to the proportionality requirements in the statutory authorisation criteria applying to the Attorney-General for ASIO’s special intelligence operations, which also confer immunity from civil liability on participants.
6.32
Mr Mike Burgess, Director-General, ASIO said that he agreed with the proposal in principle to require consideration of the reasonableness and proportionality, but would have to consider the drafting of any amendment and potential operational impacts.
6.33
The IGIS said that the powers under s 21A(1) were ‘not subject to equivalent statutory decision-making criteria, statutory limitations, or a statutory requirement to keep written records of reasons’.
6.34
In relation to the IGIS’ comments on keeping written records of reasons when issuing voluntary assistance requests, Mr Mike Burgess, Director-General, ASIO indicated his agreement with an amendment to require retaining written reasons and said that this practice already formed part of internal processes.
6.35
The IGIS also indicated that consideration may be given to implementing a maximum period of effect for voluntary assistance requests, and statutory requirements to govern how requests may be varied or revoked.
6.36
In relation to submitters’ concerns and the recommendation made by the INSLM to clarify that the voluntary assistance provisions are not designed to replace the TAR process in Schedule 1, the Department of Home Affairs said that an amendment to clarify the intent of the provisions may prevent ASIO from using the powers in legitimate circumstances:
This would have the effect of preventing subsection 21A(1) being used to seek assistance when the assistance would be sought from an entity which is also a designated communications provider and where the assistance is of the same kind, class or nature as those listed acts or things set out in subsection 317E(1) of the Telecommunications Act.
Adopting this recommendation may frustrate ASIO’s ability to issue similar assistance requests to multiple different entities simultaneously where some entities are designated communications providers and may be given a technical assistance request or notice, while others are not. This would confer different legal protections and place entities within different legal frameworks when they provide ASIO with the same type of assistance simultaneously.
6.37
Ms Heather Cook, Deputy Director-General, ASIO said that steps to clarify the use of voluntary assistance requests and TARs would not cause a particular problem for ASIO:
The IGIS has indicated that there is significant overlap. There is some overlap. I'm not sure if we would describe it as significant, so that indicates that there are different reasons why we would use 21A as opposed to, for instance, a technical assistance request. But, in terms of aligning those requirements, there's not a particular problem with that. But there are different reasons why we would be using them.
6.38
Mr Mike Burgess, Director-General, ASIO, in responding to general industry concerns that the powers under s34AAA of the ASIO Act could be used to compel industry assistance without using the more onerous provisions of Schedule 1, stated that clarification of the operation of s34AAA to exclude industry personnel unless they were the target of an investigation would not interfere with the intended operation of the provisions.
6.39
In relation to compulsory assistance powers under s34AAA, the IGIS echoed the concerns of other submitters that the construction of the statute could confer a power of detention. The Department of Home Affairs indicated that this was not the intention of the powers. Mr Mike Burgess, Director-General, ASIO said that amending the section to provide clarification would not be an issue for ASIO.
6.40
The IGIS noted, additionally, that there is no requirement to serve an order on the person who is subject to the order, meaning a person could technically be in breach of an order they are unaware exists. Mr Mike Burgess, Director-General, ASIO said that amending the provision to state that a compulsory assistance order was not enlivened until served on the particular person would not cause operational issues for ASIO.
6.41
Similarly, the IGIS noted there is currently no requirement to inform a person subject to the order of the place at which they must attend, the period within which they must render assistance, the information or assistance they are obligated to provide, or any other conditions the Attorney-General has imposed on the order.
6.42
Mr Mike Burgess, Director-General, ASIO said that ASIO would be open to considering amendments in this regard, noting that ASIO may not always have all information available at the time an order was made:
I think the [Inspector-General] nailed it, though, when she said we may not know at the time. But, of course, when we are in that process of wanting to execute on it, we may know further, so I'm open to consideration on this one. I can't think of anything that's materially problematic for us.
Committee comment
6.43
The Committee notes the evidence received from civil society and government agencies regarding the operation of Schedule 5 of the TOLA Act, and opportunities to clarify the intent of certain provisions to ensure that the appropriate balance is achieved, that there is appropriate flexibility to address operational requirements, and that ambiguity in the operation of the Schedule is removed.
6.44
In relation to the concerns raised by the Law Council and the INSLM regarding the potential delegation of voluntary assistance requests and unsolicited provision of information to a range of ASIO officers, the Committee agrees that providing the power to confer immunity from civil liability to the Director-General of Security is a significant step.
6.45
While the Committee acknowledges that requiring senior ASIO officers to approve voluntary assistance requests as per the recommendation by the INSLM may result in some delay, the Committee is not convinced that requiring the Director-General or a Deputy Director-General to authorise such requests would result in an unacceptable delay to ASIO’s operations. The Committee therefore recommends that the relevant provisions of the ASIO Act be amended to require the Director-General or Deputy Directors-General within ASIO to authorise powers under s21A.
6.46
The Committee recommends that s21A of the Australian Security Intelligence Organisation Act 1979 be amended to limit authorisation of activities under voluntary assistance provisions to the Director-General of Security and Deputy Directors-General of the Australian Security Intelligence Organisation.
6.47
In addition, the Committee notes the concerns raised by the Law Council and the INSLM regarding the scope of conferral of immunity from civil liability which could preclude individuals from seeking a remedy as a result of serious personal injury or serious damage to property.
6.48
Though the Department of Home Affairs suggests that the current construction of the provisions excluding unlawful conduct from eligibility for conferral of civil immunity provides sufficient legal coverage in the event of loss, the Committee is persuaded by the arguments put forward by the INSLM, noting that conduct that falls short of illegality can still result in serious personal injury or serious damage to property. Therefore, the Committee recommends that the scope of immunity from civil liability in s21A of the ASIO Act be confined to ‘conduct that does not result in serious personal injury or death to any person or significant loss of, or serious damage to, property’.
6.49
The Committee recommends that s 21A(1)(e) and s 21A(5)(e) of the Australian Security Intelligence Organisation Act 1979 be amended to confine the scope of the immunity from civil liability offered under the Act to ‘conduct that does not result in serious personal injury or death to any person or significant loss of, or serious damage to, property’.
6.50
The Committee notes that a number of concerns raised by submitters related to the broad construction of s21A. The Committee notes the evidence of the Department of Home Affairs and ASIO that the power would be used in a broad range of circumstances and considers that a certain degree of flexibility is required. The Committee has considered the INSLM’s recommendation to limit the scope of assistance that can be requested to that contained in s21A(5) for voluntary assistance requests, but, noting the evidence received from the Director-General of Security regarding the range of matters for which ASIO could request assistance, the Committee is not minded to recommend such a change at this point.
6.51
The Committee expects that ASIO will have robust internal guidance surrounding the matters for which ASIO can request voluntary assistance.
6.52
However, noting the conferral of immunity from civil liability arising from s21A, the Committee recommends that requiring the Director-General of Security to have consideration of the reasonableness and proportionality of a voluntary assistance request would bring this section closer to other powers for which civil liability immunity applies.
6.53
The Committee recommends that s21A of the Australian Security Intelligence Organisation Act 1979 be amended to require the Director-General of Security to be satisfied of the reasonableness and proportionality of the conduct of a voluntary assistance request prior to issuance.
6.54
In addition, the Committee notes the IGIS’ suggestion that ASIO be required to keep written reasons underlying a voluntary assistance request, and the evidence provided by the Director-General of Security that this is a practice already undertaken by ASIO. To ensure the alignment of statutory requirements with existing practice, the Committee recommends that s21A of the ASIO Act be amended to require the retention of reasons underpinning a voluntary assistance request.
6.55
The Committee recommends that s21A of the Australian Security Intelligence Organisation Act 1979 be amended to require the Australian Security Intelligence Organisation to retain written reasons underpinning a voluntary assistance request.
6.56
The Committee notes the concerns raised by submitters in relation to the potential power to circumvent TAR powers in issuing a voluntary assistance request or compulsory assistance order. The Committee appreciates the evidence from the Department of Home Affairs and ASIO advising that this is not the intent of the powers in Schedule 5; however, the Committee considers there is value in amending s21A and s34AAD to ensure the sections operate as intended.
6.57
The Committee recommends that s21A and s34AAD of the Australian Security Intelligence Organisation Act 1979 be amended to state that nothing in either section authorises the Director-General of Security to make a request of a person that is properly the subject of a technical assistance request as set out by s317G of the Telecommunications Act 1997.
6.58
In relation to the concerns raised by submitters that the construction of s34AAD powers under the ASIO Act may provide a detention power, the Committee notes the evidence received from the Department of Home Affairs and ASIO clarifying that detention is not the intent of the provision. The Committee also notes the INSLM’s finding regarding the intent of the power, and supports the INSLM’s conclusion on this matter.
6.59
The Committee recently concluded its inquiry into the Australian Security Intelligence Organisation Amendment Bill 2020 which proposed replacing the detention framework provided by Division 3 of the ASIO Act with a more limited apprehension framework designed to ensure attendance at questioning. The Committee’s references to ‘detention’ in this report reflect the common meaning of the term rather than the provisions proposed for repeal and replacement by the ASIO Amendment Bill 2020.
6.60
The Committee notes that there may be legitimate scenarios where a person attending questioning as part of the revisions to the ASIO Act may also be subject to an assistance order under s34AAD of the ASIO Act. However, to align with the stated intent put forward by the Department of Home Affairs, the Committee recommends that the Government make clear that the compulsory assistance order power in the ASIO Act does not authorise the detention of a person to whom the order applies where ASIO does not otherwise have any lawful basis to detain the person.
6.61
The Committee recommends that the Government make clear, for the avoidance of doubt, that the compulsory assistance order power in s34AAD of the Australian Security Intelligence Organisation Act 1979 does not authorise the detention of a person to whom the order applies where the Australian Security Intelligence Organisation does not otherwise have any lawful basis to detain the person.
6.62
The Committee notes the IGIS’ evidence that, as written, the compulsory assistance orders do not require that they be served on an individual to take effect, nor is there any requirement to inform the subject of a compulsory assistance order of a number of conditions imposed by the order. Given the penalty related to non-compliance with a compulsory assistance order, the Committee considers that s34AAD should be amended to provide for additional conditions attached to the making of such orders.
6.63
The Committee, therefore, recommends that s34AAD be amended to state that the requirement to comply with a compulsory assistance order is only enlivened once the specified individual has been provided with a written notice that outlines what they must do to ensure compliance with the order and the consequences of failing to comply.
6.64
The Committee recommends that s34AAD of the Australian Security Intelligence Organisation Act 1979 be amended to state that the requirement to comply with a compulsory assistance order is only enlivened once the specified individual has been provided with a written notice that outlines what they must do to ensure compliance with the order. This notice should also clarify the consequences of failing to comply.
6.65
In addition, the Committee recommends that a further amendment be made to s34AAD to require ASIO to advise the individual that is subject to a compulsory assistance order of the conditions that apply to the order at the time written notice is provided, or at the time the conditions are known. Such an amendment will ensure that the individual subject to a compulsory assistance order will not inadvertently breach the order.
6.66
The Committee recommends that s34AAD of the Australian Security Intelligence Organisation Act 1979 be amended to require the Australian Security Intelligence Organisation to advise the individual subject to a compulsory assistance order of the conditions associated with that order at the time the written notice is provided or at such time as the conditions are known.
6.67
The Committee notes the additional recommendations made by the INSLM and the IGIS in relation to oversight and record-keeping, and will address the recommendations in Chapter 7.