Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015

Bill home page  


Download WordDownload Word


Download PDFDownload PDF

 

 

 

2013-2014-2015

 

 

THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA

 

 

SENATE

 

 

TELECOMMUNICATIONS (INTERCEPTION AND ACCESS) AMENDMENT (DATA RETENTION) BILL 2015









REVISED EXPLANATORY MEMORANDUM

 

 

 

(Circulated by authority of the

Attorney-General, Senator the Honourable George Brandis QC)

           

 

 

THE MEMORANDUM TAKES ACCOUNT OF AMENDMENTS MADE BY THE HOUSE OF REPRESENTATIVES TO THE BILL AS INTRODUCED AND SUPERSEDES THE REPLACEMENT EXPLANATORY MEMORANDUM PRESENTED TO THE HOUSE OF REPRESENTATIVES ON 19 MARCH 2015.                                    

 

TELECOMMUNICATIONS (INTERCEPTION AND ACCESS) AMENDMENT

(DATA RETENTION) BILL 2015

General Outline

1.                   The last fifteen years have seen significant advancements in communications technology and changes to industry structure, practices and consumer behaviour. While the tools available to national security and law enforcement agencies in the Telecommunications (Interception and Access) Act 1979 (the TIA Act) have been extremely successful in investigating, prosecuting and preventing serious criminal offences (including murder, sexual assault, kidnapping, drug trafficking, money laundering and fraud) and activities that threaten national security, the value of these tools is being undermined by the level of change in the telecommunications environment.

2.                   Serious and organised criminals and persons seeking to harm Australia’s national security, routinely use telecommunications service providers and communications technology to plan and to carry out their activities. Some activities, including child pornography, are predominantly executed through communications devices such as phones and computers. The TIA Act provides a framework for national security and law enforcement agencies to access the information held by communications providers that agencies need to investigate criminal offences and other activities that threaten safety and security.

3.                   A critical tool available under the TIA Act is access to telecommunications data. Telecommunications data is information about a communication, such as the phone numbers of the people who called each other, how long they talked to each other, the email address from which a message was sent and the time the message was sent. Data is often the first source of lead information for further investigations, helping to eliminate potential suspects and to support applications for more privacy intrusive investigative tools including search warrants and interception warrants.

4.                   The global nature of the telecommunications industry and market and the development and growth of new technologies have created a rapid increase in new telecommunications services, changed business practices (including subscription rather than transaction based billing) and encouraged the adoption of new corporate models. All of these factors are diminishing traditional business requirements for retaining telecommunications data.

5.                   Currently, the TIA Act does not specify any types of data the telecommunications industry should retain for law enforcement and national security purposes or how long that information should be held. In lieu of any standardisation, individual carriers retain information based on business, taxation, billing and marketing requirements. This means there are significant variations across the telecommunications industry in the types of data available to law enforcement and national security agencies and the period of time that information is available. Agencies have publicly identified the lack of availability of data as a key and growing impediment to the ability to investigate and to prosecute serious offences.

6.                   On 24 June 2013 the Parliamentary Joint Committee on Intelligence and Security handed down its report entitled Report of the Inquiry into Potential Reforms of Australia’s National Security Legislation (the 2013 PJCIS Report).  As part of that Inquiry the Committee considered whether a mandatory data retention scheme should be introduced. In the 2013 PJCIS  Report the PJCIS noted a diversity of views amongst Committee members and made several recommendations about what a mandatory data scheme should include if implemented. The Committee also made a number of recommendations about other aspects of the TIA Act.

7.                   The Bill gives effect to several of the PJCIS’ recommendations including:

·          the data retention obligation only applies to telecommunications data (not content) and internet browsing is explicitly excluded (Recommendation 42)

·          service providers are required to protect the confidentiality of retained data by encrypting the information and protecting it from authorised interference or access (Recommendation 42)

·          mandatory data retention will be reviewed by the PJCIS by three years after its commencement (Recommendation 42)

·          the Commonwealth Ombudsman will oversight the mandatory data retention scheme and more broadly the exercise of law enforcement agencies’ exercise of powers under Chapters 3 and 4 of the TIA Act (Recommendations 4 and 42), and

·          confining agencies’ use of, and access to, telecommunications data through refined access arrangements, including a ministerial declaration scheme based on demonstrated investigative or operational need (Recommendation 5).

8.                   This Bill amends the TIA Act to standardise the types of telecommunications data that service providers must retain under the TIA Act and the period of time for which that information must be held.

9.                   While telecommunications data is less privacy intrusive than content, law enforcement and national security agencies can only access data where a case can be made that this information is reasonably necessary to an investigation. This Bill further strengthens privacy protections in the TIA Act in relation to data by limiting the types of enforcement agencies that can access telecommunications data.

10.               Currently any authority or body that enforces a criminal law, a law imposing a pecuniary penalty or a law that protects the public revenue is an ‘enforcement agency’ under the TIA Act and can seek telecommunications data where that access complies with the requirements set out in Chapter 4 of the TIA Act. In 2012-13 data was accessed by around 80 Commonwealth, State and Territory agencies with law enforcement or revenue protection functions.

11.               The Bill limits the range of agencies who are a ‘criminal law enforcement agency’ for the purposes of the TIA Act and provides that any declaration to include any agency ceases to have effect 40 sitting days after entering into force.  These amendments ensure that only authorities and bodies with a demonstrated need to have telecommunications information can authorise the disclosure of this material. These amendments are consistent with Recommendation 5 of the 2013 PJCIS Report that the number of agencies able to access telecommunications data be reduced.

12.               The Bill further enhances privacy protections by introducing an independent oversight mechanism for access to data by law enforcement agencies. Under these provisions the Commonwealth Ombudsman will, for the first time, have the power to inspect the records of enforcement agencies to ensure that agencies are complying with their obligations under the TIA Act. The Inspector-General of Intelligence and Security (IGIS) currently oversights and, will continue to oversight, access to telecommunications data by the Australian Security Intelligence Organisation (ASIO).

13.               The Bill also amends Chapter 3 of the TIA Act to limit the availability of stored communications warrants in Part 3-3 of the TIA Act to a ‘criminal law-enforcement agency’. Currently, any authority or body that is an ‘enforcement agency’ can apply for a stored communications warrant under Part 3-3. The Bill limits this power to interception agencies and other law enforcement agencies with a demonstrated need for such information. A restricted definition recognises that text messages and emails stored on a phone or other communications device are more akin to content than data and should be subject to greater privacy protection than telecommunications data.

14.               The Bill was referred to the PJCIS for inquiry on 21 November 2014. The PJCIS tabled its Advisory Report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (the 2015 PJCIS Report) on 27 February 2015.

15.               The PJCIS concluded that implementation of a mandatory data retention regime is necessary to maintain the capability of national security and law enforcement agencies and recommended that the Bill be passed (recommendation 39). The PJCIS also recommended that the Bill be amended to strengthen the privacy safeguards and oversight mechanisms contained in the data retention scheme.

16.               On 3 March 2015, the Government announced that it would accept all of the Committee’s recommendations and, on 19 March 2015, the House of Representatives agreed to amendments to the Bill and to the Intelligence Services Act 2001, the Telecommunications Act 1997 , the Privacy Act 1988 and the Australian Security Intelligence Organisation Act 1979 to give effect to the 2015 PJCIS Report.

17.               The House of Representatives also agreed to amendments to implement the ‘journalist information warrant’. The journalist information warrants regime prohibits agencies from making authorisations to access journalists’ or their employers’ data for the purpose of identifying a confidential source unless a journalist information warrant is in force. The journalist information warrants regime recognises the public interest in protecting journalists’ sources while ensuring agencies have the investigative tools necessary to protect the community.

FINANCIAL IMPACT

18.               The Bill will have financial impacts on service providers who will be required to meet the new minimum data retention obligations. Independent costings work was undertaken with a sample of affected service providers that cover the vast majority of services offered in Australia were consulted on the development of the policy and in assessing the regulatory impacts of the Bill.



STATEMENT OF COMPATIBILITY WITH HUMAN RIGHTS

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015

19.               This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 .

Overview of the Bill

20.               The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 (Bill) amends the Telecommunications (Interception and Access) Act 1979 (the TIA Act) and the Telecommunications Act 1997 (the Telecommunications Act) to introduce a statutory obligation for telecommunications service providers to retain, for two years, particular types of telecommunications data.

21.               The Bill amends the TIA Act to specify the types of information or documents that service providers must retain (the data set) to comply with their data retention obligations. Telecommunications data, including subscriber information, is currently kept by service providers for billing, quality assurance and other business purposes. However, the evolution of business models associated with Internet Protocol (IP) convergence has led to less telecommunications data being created by and/or held on service provider systems. Consequently, there is an associated decrease in the availability of certain types of information that would assist law enforcement and intelligence agencies with their investigations.

22.               The purpose of the Bill is to require service providers to retain a strictly defined subset of telecommunications data produced in the course of providing telecommunications services. This ensures the availability of a specified range of basic telecommunications data for law enforcement and national security purposes. Telecommunications data is central to virtually every counter-terrorism, organised crime, counter-espionage and cyber-security investigation, as well as almost every serious criminal investigation, such as murder, rape and kidnapping. Telecommunications data is increasingly important to Australia’s law enforcement and national security agencies, allowing agencies to determine how and with whom a person has been communicating. Access to telecommunications data also infringes less on personal privacy compared to other covert investigative methods as it does not include the content or substance of the communication.

23.               Access to telecommunications data has proven to be a critical tool for security and law enforcement agencies, providing both intelligence and evidence when identifying and prosecuting offenders. Telecommunications data provides agencies with an irrefutable method of tracing all telecommunications from end-to-end. It can also be used to demonstrate an association between two or more people, prove that two or more people communicated at a particular time (such as before the commission of an alleged offence), or exclude a person from further inquiry. The attrition of data will have a deleterious impact on law enforcement agencies' intelligence and evidence gathering capabilities. In June 2013 the Parliamentary Joint Committee on Intelligence and Security (PJCIS) concluded that telecommunications industry changes are resulting in ‘an actual degradation of the investigative capabilities of the national security agencies, which is likely to accelerate in future’. A European investigation provides an example of the difference data retention can make—in a major Europol child exploitation investigation UK investigators, with the advantage of retained data, identified 240 out of 371 suspects in their jurisdiction (almost 65%) securing 121 convictions; Germany on the other hand, without data retention, identified less than 2% (7 out of 377 suspects) and convicted none.

24.               Access to historical data and analysis of inter-linkages with other data sources is vital to both reactive investigations into serious crime and the development of proactive intelligence on organised criminal activity and matters affecting national security. In 2012 the Queensland Crime and Misconduct Commission (now the Crime and Corruption Commission) stated that more than one-fifth of all of their investigations were being undermined by telecommunications data not being kept. In 2014 the Australian Federal Police (AFP) revealed that it could not identify more than one-third of all suspects in a current, major child exploitation investigation, because the necessary telecommunications data is not available.

25.               The data retention measures contained in the Bill ensure the retention of the basic telecommunications data that is essential to support Australian law enforcement and security agencies in the performance of their functions.

26.               The Bill also amends the TIA Act to bolster the privacy protections associated with the access to, and use of, telecommunications data. It achieves this by limiting the agencies which may authorise access to telecommunications data, and by providing that agencies’ access to, and use of, telecommunications data is subject to comprehensive oversight by the Commonwealth Ombudsman.

27.               Notably, the measures contained in the Bill do not increase or otherwise modify the powers of Australian agencies in relation to access to the content of communications.

28.               The Bill incorporates amendments made following the consideration of the Parliamentary Joint Committee on Intelligence and Security’s Advisory Report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (the 2015 PJCIS Report).  The amendments increase Parliamentary oversight of the mandatory data retention scheme and strengthen safeguards, oversight and accountability mechanisms relating to access to telecommunications data more broadly. 

29.               In response to a recommendation in the 2015 PJCIS Report, the Bill amends  the Intelligence Services Act 2001 (the ISA) to give the PJCIS the ability to inquire into operational matters relating to the use of telecommunications data by the Australian Security Intelligence Organisation (ASIO) and the Australian Federal Police (the AFP) in relation to the AFP’s counter-terrorism functions.

30.               Amendments to the Telecommunications Act 1997 (the Telecommunications Act), the Privacy Act 1988 (the Privacy Act) and the Australian Security Intelligence Organisation Act 1979 included in the Bill give effect to recommendations in the 2015 PJCIS Report.

31.               The Bill also introduces a journalist information warrant regime.  Under this regime agencies are prohibited from authorising disclosure of a journalists’ or their employers’ telecommunications data for the purposes of identifying a source of the journalist without a warrant.

Parliamentary Joint Committee on Intelligence and Security recommendations on data retention - 2013 and 2015 Reports

32.               The 2013 PJCIS Report noted that there was a diversity of views within the Committee as to whether there should be a mandatory data retention regime.  The PJCIS observed that the issue of whether there should be a mandatory data retention regime was ultimately a decision for Government. However, if the Government was persuaded that a mandatory data retention regime should proceed, the PJCIS provided guidance on the particulars of a data retention regime, including that:

·          any mandatory data retention regime should apply only to ‘metadata’ and exclude content

·          the controls on access to communications data remain the same as under the current regime

·          internet browsing data should be explicitly excluded

·          the data should be stored securely by making encryption mandatory

·          save for existing provisions enabling agencies to retain data for a longer period of time, data retained under a new regime should be for no more than two years, and

·          an independent audit function be established within an appropriate agency to ensure that communications content is not stored by telecommunications service providers and oversight of agencies’ access to telecommunications data by the Ombudsmen and the Inspector-General of Intelligence and Security (recommendation 42).

33.               The data retention scheme set out in the Bill is consistent with the majority of the PJCIS’s recommendations in relation to a mandatory data retention obligation.

34.               The data retention scheme recognises that the ability to lawfully access telecommunications data held by telecommunications service providers is a vital tool for agencies. Criminals and persons engaged in activities prejudicial to security use the full range of modern telecommunications services to communicate, and to coordinate and manage their activities. The availability of encrypted services is also impacting on the utility of access to telecommunications content, making telecommunications data an increasingly valuable investigative tool.

35.               The utility of access to telecommunications data is clearly demonstrated in its ability to provide critical evidence and intelligence in terrorist and other criminal prosecutions. There is a risk that if the Government does not imminently address the issue of data attenuation there will be a serious deterioration of this important investigative capability, and the effectiveness of national security and law enforcement agencies across the nation to prevent or detect serious crime and safeguard national security will be seriously impacted. In addition to being broadly consistent with the PCJIS’s views on parameters for a data retention regime, the scheme is reasonable and proportionate to the law enforcement and national security aims to be supported by limiting the retention obligations to categories of data critically required by law enforcement and intelligence agencies to investigate and solve crime and to protect national security. The scheme is also bolstered by refinements to data access arrangements and a new oversight regime, providing important safeguards, further contributing towards providing a reasonable and proportional response to the challenges of declining availability of telecommunications data for law enforcement and security purposes.

36.               The PJCIS concluded in its 2015 Report on the Bill that implementation of a mandatory data retention regime is necessary to maintain the capability of national security and law enforcement agencies and recommended that the Bill be passed (recommendation 39).  The PJCIS also recommended that the Bill be amended to strengthen the privacy safeguards and oversight mechanisms contained in the data retention scheme. 

37.               The Government accepted all of the Committee’s recommendations on 3 March 2015.  Following amendments to the Bill by the House of Representatives, the Bill provides for increased Parliamentary oversight of the mandatory data retention scheme and strengthened safeguards, oversight and accountability mechanisms that engage and promote human rights.

Overview of Schedules

38.               Schedule 1 requires providers of telecommunications services to retain telecommunications data associated with a communication specified in subsection 187AA for a period of two years (section 187C).  Section 187AA lists the information and documents that service providers must retain in order to comply with their data retention obligations, providing certainty and clarity to service providers and telecommunications users about the information retained under the scheme.

39.               The data set is supported by a declaration making power in subsection 187AA(2) so that the data set can be amended where necessary to rapidly respond to advances in telecommunications technology or the use of telecommunications services.  Declarations are subject to Parliamentary disallowance and expire 40 sitting days of either House of Parliament after the declaration comes into force.  The Attorney-General must refer any proposed legislative amendments to the data set to the PJCIS and give the PJCIS at least 15 sitting days of a House of Parliament to review the amendment and to issue a report.  These requirements support flexibility to address developments requiring amendment to the data set as well as providing for rigorous scrutiny of any amendments to the data set. 

40.               Subsection 187A(4) puts beyond doubt that service providers cannot be required to keep information about the content or substance of a communication, nor an address to which a communication was sent on the internet from a telecommunications device, or from which a communication was sent on the internet by a telecommunications device, using an internet access service or obtained only as a result of providing the service. This limitation means that service providers cannot be required to keep information about subscribers’ web browsing history.

41.               Paragraph 187A(4)(c) clarifies that service providers are only required to retain telecommunications data to the extent that such information is, in fact, available to a particular service provider.  Providers are not required to retain information about communications passing ‘over the top’ of the underlying service they provide, which are being carried by means of another service, operated by another provider. 

42.               Schedule 1 also permits service providers to seek approval of data retention implementation plans, providing industry with the ability to seek endorsement of a strategy to achieve compliance with the data retention obligation over 18 months from the commencement of the obligation. The implementation period allows industry to achieve compliance over an extended period.

43.               The Schedule also permits service providers to seek an exemption from data retention obligations. The exemption framework complements and sits alongside the implementation plan framework, providing further flexibility to ensure data retention obligations may be qualified to the extent appropriate having regard to national security and law enforcement considerations and the objects of the Telecommunications Act 1997 .

44.               Under the exemption framework, the Communications Access Coordinator (the CAC) as defined under section 6R of the TIA Act, may exempt service providers from being required to, or vary their obligations to:

·          retain telecommunications data at all,

·          retain specified telecommunications data in respect of one or more types of telecommunications services,

·          retain specified telecommunications data for the full retention period

·          protect the confidentiality of retained data through encryption and prevention of unauthorised interference or access

45.               Section 187B exempts certain service providers from data retention obligations unless the CAC has declared that a service operated by a particular service provider must comply with the data retention scheme.  Before making a declaration, the CAC must consider the objects of the Privacy Act and, if there is any uncertainty or a need for clarification, consult with the Australian Privacy Commissioner.  The CAC must consider any submissions made by the Privacy Commissioner as a result of such consultation. Further, the CAC must as soon as practicable give written notice of any declaration made under subsection 187B(2) to the Minister, and in turn, the Minister must give written notice to the PJCIS as soon as practicable.  These measures enhance existing privacy protections by requiring the CAC to consider applicable privacy considerations and ensures that the Privacy Commissioner is consulted where necessary as part of the CAC’s deliberations. 

46.               Section 187LA provides that the Privacy Act applies in relation to a service provider to the extent that the activities of the service provider relate to retained data.  This means that the Privacy Act and the Australian Privacy Principles (APPs) apply to the data retention activities of all service providers, including operators that would otherwise be exempt from the Privacy Act.  Section 187LA provides that information or documents kept under the data retention regime are ‘personal information’ for the purposes of the Privacy Act.  As a result, individuals are able to request access to their personal retained data in accordance with APP 12.  Consistent with the APPs, service providers are able to charge an individual for providing access to this information. 

47.               Section 187BA supplements existing information security obligations under the Privacy Act and the Telecommunications Consumer Protection Code by requiring service providers to protect and to encrypt retained telecommunications data. 

48.               Schedule 1 facilitates the enforcement of the data retention scheme by making the data retention obligation and compliance with any implementation plan subject to civil penalty provisions under the Telecommunications Act 1997 .

49.               Currently, section 180F of the TIA Act requires authorised officers to ‘have regard to’ the impact on an individual’s privacy before authorising a service provider to disclose telecommunications data. 

50.               The Bill increases this obligation to require authorising officers to be ‘satisfied on reasonable grounds’ that a proposed disclosure or use of telecommunications data is justifiable and proportionate to the interference with the privacy of any person or persons that may result from the disclosure or use of the data.  Authorising officers are also required to consider a number of additional factors before making an authorisation including, the gravity of the conduct being investigated, the reason why the disclosure is proposed to be authorised and the likely relevance and usefulness of the information to the investigation. 

51.               Schedule 2 limits the range of agencies that are able to access telecommunications data and stored communications.

52.               The Bill amends the TIA Act to provide that only criminal law-enforcement agencies are able to access stored communications (and to require the preservation of stored communications). Criminal law-enforcement agencies are defined to mean:

·          interception agencies (Commonwealth, State and Territory police and anti-corruption agencies) that are able to obtain warrants to intercept communications under the TIA Act;

·          the Australian Customs and Border Protection Service (Customs), the Australian Securities and Investments Commission and the Australian Competition and Consumer Commission; and

·          authorities or bodies declared by the Minister to be a criminal law-enforcement agency.

53.               Subsection 110A(3B) requires that the Minister must not make a declaration unless satisfied on reasonable grounds that the functions of the authority or body include investigating serious contraventions.  In considering whether to make a declaration the Minister must consider several specified factors including whether the authority or body is required to comply with the APPs or is required to comply with a binding scheme that protects personal information or has agreed in writing to comply with a scheme providing such protection of personal information if a declaration is made.

54.               The measures contained in Schedule 2 similarly reduce the range of agencies that are able to access telecommunications data to ‘enforcement agencies’, being:

·          criminal law-enforcement agencies; and

·          authorities or bodies that have been declared by the Minister as enforcement agencies, where the agencies satisfy certain criteria that support a clear and genuine need to access telecommunications data for their investigations.

55.               Subsection 176A(3A) requires that the Minister must not make a declaration unless satisfied on reasonable grounds that the functions of the authority or body include enforcing the criminal law or administering a law that either imposes a pecuniary penalty or relates to the protection of the public revenue.

56.               In considering whether to make a declaration, the Minister must consider several specified factors including whether the authority or body is required to comply with the APPs or is required to comply with a binding scheme that protects personal information or has agreed in writing to comply with a scheme providing such protection of personal information if a declaration is made.

57.               The characteristics of a binding scheme in relation to the protection of personal information must include a mechanism for monitoring the authority’s or body’s compliance with the scheme and enable individuals to seek recourse if their personal information is mishandled. 

58.               Any Ministerial declarations made in relation to criminal law enforcement and enforcement agencies cease to have effect 40 sitting days after a declaration comes into force.  Any permanent amendment to the list of criminal law-enforcement agencies or enforcement agencies must be introduced through amendments to the TIA Act and referred to the PJCIS for review providing at least 15 sitting days of a House of Parliament to review the amendment and to issue a report.  These requirements support flexibility to support additional agencies in the performance of their functions that meet the threshold requirements while providing for rigorous scrutiny of any expansion to the scope of criminal law enforcement agencies.

59.               The limitations on who may access stored communications and telecommunications data are complemented by enhanced oversight through a comprehensive Commonwealth Ombudsman oversight model (Schedule 3).

60.               Schedule 3 specifies record-keeping, reporting, oversight and accountability requirements relating to agencies’ use of, and access to, telecommunications data. Specifically, the Bill:

·          extends the Commonwealth Ombudsman’s remit to facilitate independent oversight of agency compliance with powers exercised under Chapter 3 (stored communications) and Chapter 4 (access to telecommunications data) of the TIA Act, and

·          prescribes detailed reporting obligations in relation to access to stored communications and telecommunications data to assess agency compliance with the statutory scheme.

61.               Schedule 3 provides support for the Ombudsman oversight role by criminalising circumstances where a person fails to comply with a request to attend before an inspecting officer, to give information or to answer questions from the Ombudsman in relation to compliance by the agency with the provisions relating to access to telecommunications data, and, in relation to a criminal law enforcement agency, in relation to access to stored communications. The Bill also creates a mirror offence to support the Ombudsman in oversight of the interception of communications. The penalty for these offences is 6 months imprisonment.



 

Human rights implications

62.               The Bill engages the following human rights:

·          protection against arbitrary or unlawful interference with privacy contained in Article 17 of the International Covenant on Civil and Political Rights (ICCPR)

·          the right to a fair hearing, the right to minimum guarantees in criminal proceedings and the presumption of innocence contained in Article 14 of the ICCPR

·          the right to freedom of expression contained in Article 19 of the ICCPR

·          the right to life and the right to security of the person contained in Articles 6 and 9 of the ICCPR (respectively), and

·          the right to an effective remedy contained in Article 2(3) of the ICCPR

Right to protection against arbitrary or unlawful interferences with privacy—Article 17 of the ICCPR

63.               The Bill engages the right to protection against arbitrary and unlawful interferences with privacy in Article 17 of the ICCPR. Article 17 of the ICCPR provides that no one shall be subjected to arbitrary or unlawful interference with their privacy, family, home or correspondence.

64.               The use of the term ‘arbitrary’ means that any interference with privacy must be in accordance with the provisions, aims and objectives of the ICCPR and should be reasonable in the particular circumstances. The United Nations Human Rights Committee has interpreted ‘reasonableness’ to imply that any limitation must be proportionate and necessary in the circumstances.

65.               The right to privacy under Article 17 can be permissibly limited in order to achieve a legitimate objective and where the limitations are lawful and not arbitrary. In order for an interference with the right to privacy to be permissible, the interference must be authorised by law, be for a reason consistent with the ICCPR and be reasonable in the particular circumstances. The United Nations Human Rights Committee has interpreted the requirement of ‘reasonableness’ to imply that any interference with privacy must be proportionate to a legitimate end and be necessary in the circumstances of any given case.

66.               In this case, the legitimate end is the protection of national security, public safety, addressing crime, and protecting the rights and freedoms of individuals by requiring the retention of a basic set of communications data required to support relevant investigations.

67.               The Bill permissibly limits an individual’s privacy in correspondence (telecommunications) in a way which is reasonable and proportionate by circumscribing the types of telecommunications data that are to be retained by service providers to the essential categories of data required to advance criminal and security investigations, permitting access to telecommunications data only in circumstances specified in the TIA Act and reducing the range of agencies who can access data under those provisions.

68.               To the extent that the right to privacy is impinged, the interference corresponds to a ‘pressing social need’, that is, the need for law enforcement agencies to effectively investigate and prosecute crime. The limitation is proportionate because the measures are precisely directed to the legitimate aim being pursued. Rather than requiring retention of a broad range of telecommunications data, the Bill expressly limits the data to be retained to certain types, and moreover excludes data representing a greater level of intrusion.

69.               The provisions of the Bill engage the right to privacy in the following manner:

70.               Schedule 1 : The introduction of a regime whereby service providers must retain a specifically defined set of telecommunications data for a two year period engages the right to privacy. The regime requires that service providers retain and store data which is personal information for the purposes of the Privacy Act 1998 (the Privacy Act).   

71.               The Bill also includes a mechanism for the Communications Access Coordinator (the CAC) to exempt a service provider from some or all of the mandatory data retention requirements, with or without conditions or qualifications, either entirely, in respect of a specified kind of service or in relation to the retention period.

72.               Schedules 2 and 3 : Reduce the number and range of agencies that may access telecommunications data and extend the remit of the Ombudsman to oversight law enforcement agencies compliance with the framework for access to, and use of telecommunications data under Chapter 4 of the TIA Act. Schedules 2 and 3 also extend and enhance the Ombudsman’s oversight of law enforcement agencies’ access to, and use of, stored communications.  These amendments promote protection from unlawful and arbitrary interference with privacy by ensuring that access to data only occurs in confined circumstances as dictated by operational need and that the ability to become an agency who may access telecommunications data is closely circumscribed and subject to parliamentary scrutiny. Protection from unlawful and arbitrary interference is likewise promoted by the conferral of an oversight role on the Ombudsman. The prospect of review and accountability provides a strong and positive incentive for strict compliance, thereby supporting privacy protection and obviating against unlawful or arbitrary interference with this right.

Schedule 1—Data retention obligations and mandatory dataset

73.               Schedule 1 amends the TIA Act to create a requirement for service providers to retain and to secure for two years telecommunications data prescribed by section 187AA.  The framework allows service providers to seek exemptions for the requirement from the Communications Access Co-ordinator, supporting providers in respect of telecommunications services that may be of lesser relevance to law and security purposes. The ability to grant exemptions provides a further mechanism to minimise privacy intrusion through the retention of telecommunications data having regard to the interests of law enforcement and national security.

74.               The legislative requirement for providers to store the telecommunications data in relation to its services engages the right to protection against arbitrary and unlawful interference with privacy.  Specification of the types of data that may be retained minimises the privacy impacts associated with the storage of telecommunications data, ensuring that only narrow categories of telecommunications data necessary for the investigation of serious criminal offences and national security threats are retained. In summary, privacy and other rights-based implications are minimised because:

(1) the prescribed information or documents that must be retained is confined in ambit so that only non-content data available to a particular service provider which is critical to initiating or furthering law enforcement investigations is required to be kept;

(2) the data retention regime is supported by new Parliamentary and Commonwealth Ombudsman oversight of agencies’ access to and use of telecommunication data, coupled with obligations under the Privacy Act in relation to privacy protections and accountability standards for service providers in relation to customers’ personal information, consistent with contemporary community expectations; and

(3) the scheme will be reviewed within three years of the conclusion of the implementation phase of the obligation, providing an opportunity for further Parliamentary scrutiny of the proportionality and effectiveness of the response and impact on privacy.

Security and destruction of retained data

75.               The Bill contains a range of safeguards to ensure that the rights of individuals, in particular the privacy rights of individual telecommunications users, are protected. The right to privacy is permissibly limited and the limitation is reasonable, necessary and proportionate to a legitimate aim.

76.               Telecommunications service providers currently retain, store and destroy a wide range of telecommunications data for their own purposes and to comply with other legislative obligations. Accordingly, many service providers already have arrangements for the storage and protection of this information consistent with their existing data protection obligations under the Privacy Act or state/territory equivalent legislation. Importantly, the Bill provides that the Australian Privacy Principles (APPs) in the Privacy Act apply to data retained under the data retention regime.  The Privacy Commissioner can, therefore, oversight service providers’ collection and use of data required to be retained under the data retention regime. 

77.               The Bill includes a requirement that service providers protect retained data through encryption and preventing unauthorised access and interference.  This obligation supplements existing requirements under the Privacy Act and Telecommunications Consumer Protection Code, adding an additional layer of privacy and security protection for customer data, supporting the confidentiality of that information.

78.               These requirements will be supplemented by the proposed Telecommunications Sector Security Reforms (TSSR) [1] which will require service providers to do their best to prevent unauthorised access to and unauthorised interference with retained telecommunications data.

79.               The privacy implications associated with the increased volume of data which may be generated by the mandatory dataset arrangements are mitigated by the existing statutory obligations on service providers to ensure the quality and/or correctness of any personal information (APP 10) and to keep personal information secure (APP 11) as well as in relation to the destruction of personal information. Telecommunications service providers currently retain information of the type which is being contemplated under the data retention scheme for their own functions and purposes, including billing customers.

80.               Service providers are also subject to the data protection obligations contained in Part 13 of the Telecommunications Act. Under section 309 of the Telecommunications Act, the Information Commissioner oversees compliance by telecommunications providers with Part 13 of that Act. This includes monitoring the record-keeping of service providers and ensuring that the grounds for disclosures under Part 13 are recorded by service providers and authorised by the Telecommunications Act and the TIA Act.

The specified dataset

81.               Section 187AA sets out the types of information and documents that service providers are required to retain in accordance with the mandatory data retention obligation.  

82.               Item 1, Table in section 187AA—subscriber of the relevant service and accounts, services, telecommunications devices and other relevant services relating to the relevant service: Information regarding the subscriber of a relevant service is information that is critical for linking the identity of a person to the use of a relevant service. Information about accounts, telecommunications devices and other relevant services relating to the relevant service likewise provide basic and essential information about the subscription to and use of a relevant service.

83.               The information covered by Item 1of the Table, is essential for any investigation involving communications made from a service, as it enables investigating authorities to establish the details of who is involved in making a communication. This type of information is already broadly retained by service providers as part of general customer records for up to 7 years.

84.               The retention of this data category is reasonable, proportionate and necessary in fulfilment of the legitimate aim of ensuring law enforcement and intelligence agencies have the investigative tools to safeguard national security and prevent or detect serious and organised crime. In the absence of the retention of this type of information, it may be exceedingly difficult or impossible to determine who has made a communication of interest. Subscriber information provides the critical link between communications and the subscriber to the service. Without this basic information, agencies may be unable to commence an investigation, as it can otherwise be impossible to link a suspect communication to a particular subscriber, thereby providing no avenues to further investigations. This is particularly the case in relation to crime types making extensive use of telecommunications in their perpetration, for example the distribution of child pornography. It is notable that subscriber data, as the predominant data category which would be generated through the collection of customer information, raises relatively fewer privacy implications than traffic and location data comparators.

85.               Item 2, Table in section 187AA—the source of a communication: This category covers the identifier or combination of identifiers which are used by the service provider to describe the account, service and/or device from which a successful or attempted communication is sent. An example of such an identifier is a telephone number. The source of a communication is critical for the purpose of the investigation, detection and prosecution of serious crime and security threats, providing clear identification of the origin of communications relevant to investigations.

86.               Item 3, Table in section 187AA —the destination of a communication: This category covers identifiers of an account to which a communication is sent. An example of such an identifier is the telephone number dialled when making a telephone call. The retention of telecommunications data regarding the destination of a communication (such as telephone numbers and email addresses) is necessary in order to connect a communication of interest to the particular telecommunications service being used to send or receive this communication. This information can then assist with determining the subscribers who sent or received relevant communications. If providers of telecommunications services did not retain this telecommunications information, there is a real risk that agencies would not be able to determine with whom a person has been communicating, providing important information on linkages and connections of investigative significance and which are critical to advance inquiries into criminality and security threats.

87.               Under paragraph 187A(4)(b), the retention obligation is explicitly expressed to exclude the retention of destination web address identifiers, such as destination internet Protocol (IP) addresses or uniform resource locators (URLs). This exception is intended to ensure that providers of internet access services are not required to engage in session logging, which may otherwise fall within the scope of the destination of a communication.

88.               Item 4, Table in section 187AA—the date, time and duration of a communication: This category covers the time at which it occurred and its duration. Using this information, agencies can link the time of a communication with events associated with the communication. This information is also critical to linking a communication to a particular subscriber, as the source of a communication can change over time, requiring the time of the communication in order to identify its sender.

89.               The retention of this data category is reasonable, proportionate and necessary as it constitutes information that can help inculpate or exculpate an individual associated with a communication, and is also valuable in tracing the steps of a missing person who has been using a communications service before or during the time they are missing. An agency’s ability to investigate these matters will be significantly limited if providers of telecommunications services do not retain this information. The data covered by this item is also critical because communications may now travel over multiple networks and service providers. As such, time-calibrated information about a communication needs to be sufficiently precise to enable agencies to develop an accurate picture of a particular communication.

90.               Item 5, Table in section 187AA—the type of communication: This category covers the type of service used, including the type of access network or service or application service. Data which identifies the type of communication is necessary for understanding what telecommunications service has been used to send the communication.

91.               Item 6, Table in section187AA—the location of equipment or a line used in connection with a communication: This category covers information which identifies the location of equipment or a line used in connection with a communication.

92.               Information on the location of telecommunications equipment can be of significant utility to law enforcement and national security investigations. Location information is often retained in records which form a part of a customer’s billing.

93.               The potential privacy impacts associated with the retention of information which determines the location of equipment has been minimised in the Bill. The Bill provides that two or more communications that together constitute a single communications session, such as an internet access session, are taken to constitute a single communications session. This limitation ensures that communications that may technically be achieved by a series of smaller communications, such as a download, are treated as a single communication, and through that ensuring that location information is limited to that overarching communication rather than its constituent components. Further, the Bill expressly provides that the obligation to keep location information is limited to location information used by the service provider to provide the relevant service. Accordingly, the obligation is limited to that required by the networks to effect a communication, but cannot extend to other location based information that a provider may hold.

94.               Location-based data is valuable for identifying the location of a device at the time of a communication, providing evidence linking the presence of a device to an event, or alternatively providing indications that may exclude a person from further inquiry. This data may also be instructive in determining the location of a person who is reporting an emergency, or help with precursor steps towards identifying the locality of a missing person who has used a telecommunications device. Without this information being retained by service providers, agencies’ abilities to investigate crimes, emergencies and missing person matters are substantially limited.

95.               While service providers typically generate a wide range telecommunications data in the course of providing telecommunications services, the Bill further circumscribes the data retention obligation by excluding information that the service provider is required to delete pursuant to a Determination made under section 99 of the Telecommunications Act. This ensures that the limitation on the privacy of users of telecommunications services is proportionate to the legitimate outcome sought, that being the ability for Australian law enforcement and national security agencies to have the necessary telecommunications data to effectively carry out their investigations, and does not operate to require retention of a specific category of subscriber identification information required to be destroyed under specific existing protections.

96.               Importantly, access to all telecommunications data (whether or not captured by the terms of the data set) is limited to specific purposes. Enforcement agencies may only issue authorisations enabling access to data where it is ‘reasonably necessary’ for a legitimate investigation and must consider the privacy impact of accessing telecommunications data. ‘Reasonably necessary’ is not a low threshold. It will not be ‘reasonably necessary’ to access data if it is merely helpful or expedient.

97.               The Bill further increases the threshold requirement in section 180F for authorisations to disclose telecommunications data to require that the authorising officer be ‘satisfied on reasonable grounds’ that a particular disclosure or use of telecommunications data being proposed is proportionate to the intrusion into privacy (as opposed to “having regard to whether any interference with privacy is justifiable”). The Bill requires the authorising officer to have regard to a number of specified factors, including the gravity of the conduct being investigated, the reason why the disclosure is proposed to be authorised and the likely relevance and usefulness of the information to the investigation.  This amendment bolsters privacy safeguards by ensuring agencies weigh the proportionality of the intrusion into privacy against the value of the evidence and the assistance to be provided to the investigation.

98.               In relation to the Australian Security Intelligence Organisation (ASIO), ASIO is subject to strict privacy and proportionality obligations under the Attorney-General’s Guidelines, made under paragraph 8(1)(a) of the Australian Security Intelligence Organisation Act 1979 , which relevantly requires that:

·          any means used for obtaining information must be proportionate to the gravity of the threat posed and the probability of its occurrence,

·          inquiries and investigations into individuals and groups should be undertaken using as little intrusion into individual privacy as is possible, consistent with the performance of ASIO's functions, and

·          wherever possible, the least intrusive techniques of information collection should be used before more intrusive techniques.

99.               Notably, the limited telecommunications data the subject of the data retention obligation is information about a communication—not the content or substance of a communication, such as the body and subject line of an email or what you search for online. Agencies will continue to require a warrant to access the content of a communication.

EU Data Retention Directive [2]

100.           In the 2014 judgment of the Court of Justice of the European Union (CJEU) ( Digital Rights Ireland Ltd and Ors (C-293/12) and Kärntner Landesregierung and Ors (C-594/12), 8 April 2014) the CJEU observed that legislation on the retention of telecommunications data ‘must lay down clear and precise rules governing the scope and application’ of the measures in question, ‘imposing minimum safeguards so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against risk of abuse and against any unlawful access and use of that data ’ ( at paragraphs 65-69).

101.           The CJEU accepted that the objective of the EU Data Retention Directive, namely to contribute to the fight against terrorism and serious crime and to maintain public security, was a legitimate justification for interfering with the right to privacy. However, the CJEU considered that the extent of interference as set out in the Directive was disproportionate to those ends.

102.           The CJEU considered that the conditions under which data could be retained should have been more closely defined in the Directive, and identified a range of conditions and safeguards which were not included in the Directive and which it considered should have been for human rights compatibility. In particular, the CJEU found that the Directive was not human rights compatible because it did not contain:

a.        any restrictions on the types of data retained—the Directive covered all persons, all means of electronic communications and all traffic data (paragraph 57)

b.       any conditions limiting the categories of data that is retained—for example limitations by geographical location, or by link to serious crime (paragraph 59)

c.        any objective criteria on access to data and its subsequent use, simply referring to ‘serious crime’ and did not restrict access to the purpose of preventing/detecting serious crime (paragraph 60)

d.       any requirement of prior review by a court or independent administrative body to determine the necessity of the request for the purposes of preventing or detecting serious crime (paragraph 62)

e.        any different retention periods for different types of traffic data, or any requirement that the retention period be based on objective criteria (paragraph 57), and

f.         sufficient safeguards for the protection of data, having regard to the quantity of data retained, the sensitive nature of the data, and the risk of unlawful access to the data (paragraph 66).

103.           In relation to the scheme in the Bill, the types of information that may be prescribed for retention are consistent with those identified in the Directive, but the scheme provides clear and specific restrictions on the nature of the data to be retained ( criteria (a) ). The dataset does not apply indiscriminately to all details of electronic communications to the extent that it does not require retention of all traffic data in its various permutations. In addition, the obligation is explicitly expressed to exclude web-browsing history and to limit location information to that held by a carrier in connection with the provision of the service.

104.           In relation to criteria (c) , Schedules 2 and 3 introduce provisions to reduce the number of agencies who may access telecommunications data and implement new and comprehensive oversight of access to, and usage of, this data.  This is achieved by: amendments to the definition of ‘enforcement agency’ in section 5 of the TIA Act to confine its ambit; replacing the existing general descriptors of the types of agencies who may access telecommunications data with a confined list, combined with a ministerial declaration scheme to ensure that any additions to the range of agencies is rigorously assessed against their functions, need for access to data, privacy protections and oversight arrangements and is time limited; and providing independent oversight for agency access to telecommunications data through Parliamentary scrutiny and by extending the statutory remit of the Commonwealth Ombudsman to enable the Ombudsman to oversight agency use of, and access to, telecommunication data.

105.           These new measures to address the risk of unlawful access to telecommunications data are also supported by the application of existing privacy protection frameworks. In relation to criteria (d) the reduction in the number of agencies capable of accessing data, the introduction of a time-limited ministerial declaration scheme and Parliamentary oversight ensure scrutiny of any extension to the agencies that may access telecommunications data. In relation to criteria (e) , the measure caps the mandatory retention period of retention at two years. The retention period is based on objective factors associated with the descriptive nature and confined classification of the data types which form the dataset. The retention period reflects international experience that, while the majority of requests for access to telecommunications data are for data that is less than 6 months old, certain types of investigations are characterised by a requirement to access to data up to 2 years old. These include complex investigations such as terrorism, financial crimes and organised criminal activity, serious sexual assaults, premeditated offences and transnational investigations. Against the particular context of the critical importance of telecommunications data in very serious crime types and security threats, the two year retention period provides a proportionate response to that environment.

106.           In relation to criteria (f), the Bill requires service providers to protect the confidentiality of information retained pursuant to the data retention obligation by encrypting the data and protecting it from unauthorised interference or access.  The CAC may exempt a provider from this obligation or vary the effect of the obligation in limited circumstances.

CAC exemption regime

107.           Division 3, Part 5-1A of the TIA Act provides a mechanism for the CAC to grant an exemption to a service provider from some or all of the mandatory data retention obligations. The scheme operates in a similar way to the existing exemption regime for interception capability under section 192 of the TIA Act.

108.           Under the data retention exemption scheme, a service provider may apply to the CAC for an exemption and the CAC is required to make a decision on the application within a specified period. The exemption may also stipulate expiration dates or circumstances whereby the service provider must reapply for an exemption.

109.           The CAC exemption facility indirectly strengthens the right to privacy of individual customers in that it provides a method of reducing data retention obligations, for example, in circumstances where the volume of data to be retained is disproportionate to the interests of law enforcement and national security.

Review of data retention scheme

110.           A further important public accountability and transparency measure contained in the Bill is section 187N which provides for a review of the data retention regime commencing two years after the end of the implementation phase. This responds to the recommendation in the 2013 PJCIS Report that ‘the effectiveness of the regime be reviewed by the PJCIS three years after its commencement,’ and the recommendation in the 2015 PJCIS Report that the review commence two years after the conclusion of the implementation period and conclude within three years of the end of the period.  The data retention scheme will not be fully functional until at least two years after its commencement as industry begins to collect and retain the required data in accordance with the implementation arrangements. In addition, investigations and prosecutions span many years, and they provide the most effective barometer through which the data retention scheme is best empirically assessed.

Two year retention period

111.           Section 187C provides that the data retention period for all classes of data subject to the scheme is two years.

112.           Law enforcement and national security agencies advise that a data retention period of two years is appropriate to support critical investigative capabilities. The two year period draws on international experience in relation to the use and value of telecommunications data and achieves a balance between supporting the operational requirements of agencies and minimising privacy impacts associated with the retention of data. The experience under the former EU Data Retention Directive was that, while frequently data accessed by agencies was less than six months old, there was a higher requirement for data up to two years old for national security and complex criminal offences.

113.           Data retention beyond the statutory retention period continues to be governed by industry business needs, other legislated requirements (such as those relating to tax records), privacy protection obligations under Part 13 of the Telecommunications Act or the Privacy Act. The Bill does not prevent a provider from keeping records for these purposes.

114.           The PJCIS recommended in its 2015 Report that the two-year retention period contained in the Bill be maintained (recommendation 9).  The Committee considered that a reduced period “would risk undermining the efficacy of the scheme as a whole.” [3]

Schedule 2—Agency use of preservation notices, access to stored communications and access to telecommunications data

115.           Access to telecommunications data is regulated by Chapter 4 of the TIA Act, which permits an ‘enforcement agency’ to authorise a carrier to disclose telecommunications data where it is reasonably necessary for the enforcement of the criminal law, a law imposing a pecuniary penalty, or the protection of the public revenue. Lawful access to the telecommunications data is subject to existing safeguards contained in the TIA Act. The TIA Act establishes a process of authorisation for access to telecommunications data that requires senior management officers of agencies to authorise access to this data before it is disclosed to the agency. The authorisation process requires the authorised officer to consider the need for access to this information on a case-by-case basis in accordance with a prescriptive legal framework. There are separate provisions enabling access by ASIO for purposes relevant to security.

116.           Currently, under the TIA Act, an enforcement agency is broadly defined as all agencies empowered to intercept telecommunications content as well as bodies whose functions include administering a law imposing a pecuniary penalty or administering a law relating to the protection of the public revenue. The range of agencies that are enforcement agencies and which are capable of authorising the disclosure of telecommunications data is broad and includes Commonwealth, State, Territory and local government agencies as well as non-government or quasi-government bodies that carry out relevant functions.

117.           The Bill amends the definition of ‘enforcement agency’ to clearly circumscribe the agencies who may access telecommunications data, ensuring that access is limited to those agencies who have a clear and scrutinised need for access to telecommunications data in the performance of their functions and are subject to appropriate privacy and oversight arrangements.

118.           Schedule 2 of the Bill engages the right to privacy under Article 17 of the ICCPR on the basis that the telecommunications data retained pursuant to subsection 187A(1) is accessible by agencies in accordance with the existing lawful access provisions. The Bill does not lower the statutory threshold under which agencies are able to access telecommunications data. Rather, it continues to be the case that telecommunications data is only accessible through existing processes for lawfully accessing telecommunications data.  Moreover, the Bill amends the Act to require that the authorised officer be satisfied that any interference with the privacy of a person is justifiable and proportionate, having regard to the seriousness of the matter under investigation.

119.           In order to reinforce the privacy protections associated with a user’s telecommunications data contained within the TIA Act, Schedule 2 of the Bill introduces limitations upon the type of agencies that are permitted to authorise the disclosure of telecommunications data for an agency’s investigations. The Bill also places new limitations on the range of agencies that can access stored communications such as emails and SMSs, by further confining the scope of agencies that can apply for stored communications warrants and issue preservation notices under Chapter 3 of the TIA Act.

120.           The refinements to the definition of enforcement agency, coupled with the ministerial declaration models which would govern access, ensure that data access arrangements are rigorously scrutinised. Consistent with the nature of the powers that are reposed in enforcement agencies under Chapter 4 and their impact on privacy, the definition of an enforcement agency appropriately circumscribes the access regime and introduces explicit ministerial and parliamentary scrutiny.

121.           The Minister may make a time-limited declaration having the effect of including an agency as a criminal law enforcement or enforcement agency.  The Minister must be satisfied that the authority or body undertakes investigative or public protection responsibilities which would necessitate access to stored communications and telecommunications data respectively. The factors the Minister must consider when determining whether to declare an authority or body to be a criminal law-enforcement agency or an enforcement agency include:

·          whether the authority or body is required to comply with the Australian Privacy Principles (the APPs) or complies with a binding scheme that provides comparable protection to the APPs or has agreed in writing to comply with such a scheme if a declaration is made,

·          whether the Minister considers that the declaration would be in the public interest.

122.           The public interest criteria ensures that the Minister gives consideration to matters of community expectation, which would include, but not be limited to, the proper administration of government; public health and safety; national security; and the prevention and detection of crime and fraud.

123.           The ministerial declaration scheme reinforces the right to privacy in that it ensures that enforcement agency access to telecommunication data is strictly circumscribed and expansion of such access is subject to ministerial scrutiny. This provides a critical safeguard and restricts such access to agencies which have satisfied the Minister that they have a genuine and demonstrated need for access to telecommunications data. The Minister may, of his or her own motion, revoke a declaration if he or she is no longer satisfied that the circumstances continue to justify access to telecommunications data. The Minister can also impose conditions on access, which provides a further ability to restrict and confine access to telecommunications data in a manner consistent with and proportionate to the needs of the agency to be declared in all the circumstances.

124.           The Bill amends Chapter 3 of the TIA Act to confine and limit those agencies that are able to apply for stored communications warrants and issue preservation notices. While the TIA Act currently provides that enforcement agencies are able to apply for these stored communications warrants and issue preservation notices, the Bill repeals these provisions and amends the TIA Act to provide that only criminal law-enforcement agencies are able to utilise these investigative powers.

125.           Criminal law-enforcement agencies are defined in the Bill to include Australian police forces and anti-corruption agencies that currently have the ability to apply for warrants for the interception of telecommunications, the Australian Customs and Border Protection Service, the Australian Securities and Investments Commission and the Australian Competition and Consumer Commission.

126.           The Bill provides that the Minister may declare additional agencies to be a criminal law-enforcement agency for a limited period subject to consideration of specified criteria prescribed in the Bill. Longer term expansion of the class requires legislative amendment.  As a corollary of the higher level of intrusion into privacy occasioned by access to stored communications and prospective telecommunications data, a higher threshold for an agency to be declared as a criminal law-enforcement agency applies in comparison to the criteria applicable for enforcement agency status. Like the declarations for enforcement agencies, the Minister must consider whether that access to stored communications information is reasonably likely to assist the authority or body in performing their investigative functions.

127.           The Bill does not lower the threshold of access to stored communications in Chapter 3, but substantially reduces the number of agencies who may seek to access stored communications by redefining the concept of a criminal law enforcement agency in the TIA Act. 

128.           Collectively, the amendments in relation to the range of agencies that may access stored telecommunications or telecommunications data contribute to ensuring that access is reasonable, necessary and proportionate. The existing frameworks in relation to access to, use and disclosure of this lawfully accessed information in the TIA Act, as further enhanced by the Bill, continue to ensure that any abrogation on the privacy right in Article 17 is limited to the legitimate purposes articulated in the TIA Act.

Schedule 3—Oversight and accountability provisions

129.           Schedule 3 extends the remit of the Ombudsman to enable the Ombudsman to comprehensively assess agency compliance with all of an enforcement agency’s (or a criminal law-enforcement agency’s) obligations under Chapters 3 and 4 of the TIA Act, including use and access to telecommunications data. Oversight of this category of data would also extend to auditing the use and access to data retained as a result of the data retention obligation.

130.           There is currently no independent oversight for the use of, and access to, telecommunications data. Neither the TIA Act nor the predecessor arrangements in the Telecommunications Act included an independent oversight arrangement in relation to telecommunications data. The Bill facilitates Ombudsman oversight of access to and use of telecommunications data.

131.           The oversight arrangements draw on the model contained in Part 6 of the Surveillance Devices Act 2004 (Cth) (the SD Act) and aspects of the oversight role performed by the Commonwealth Ombudsman under Part IAB of the Crimes Act 1914  (Cth) (the Crimes Act). The oversight model extends beyond agency record keeping and record destruction obligations and provides a higher level of guidance in terms of the precise obligations imposed on law enforcement agencies. The model therefore supports compliance by agencies due to the higher level of precision in compliance obligations, greater consistency in reporting methodology by agencies and higher acuity in statistical output to measure compliance for annual reporting and other audit-related purposes.

132.           Schedule 3 vests the Ombudsman with an over-arching role in assessing agency compliance across powers exercised under both Chapters 3 (stored communications) and 4 (telecommunications data) of the TIA Act. Currently under the TIA Act, the Commonwealth Ombudsman’s audit functions in relation to stored communications are limited to compliance with an agency’s record keeping and record destruction obligations. The Bill expands the Ombudsman’s oversight role in a manner consistent with that for oversight of access to telecommunications data.

133.           Currently, the emphasis of the Ombudsman’s oversight role under Chapters 3 of the TIA Act is on determining agency compliance with record keeping and destruction provisions. The enhanced oversight function under Chapter 4A of the Bill enables assessment of an enforcement agency’s overall compliance with the powers exercisable under Chapters 3 and 4 of the TIA. The provisions relating to the powers, scope and reporting obligations of the oversight role enable the Ombudsman to provide a level of public accountability as to how agencies have applied their powers under Chapters 3 and 4.

134.           The oversight model promotes Convention rights, by virtue of the following key features:

·          holistic oversight of enforcement agency use of and access to telecommunications data (beyond agency record keeping and record destruction obligations) to ascertaining agencies’ compliance in exercising their powers under Chapter 3 and Chapter 4 of the TIA Act (excluding ASIO, which is the subject of separate independent oversight)

·          a higher level of specificity and transparency in terms of the precise reporting obligations imposed on law enforcement agencies

·          consistency in inspection methodology by virtue of a non-fragmentary model involving oversight of all agencies that apply the powers under Chapters 3 and 4, and

·          clearly defined reporting obligations that engender:

o    a higher level of compliance by agencies due to a greater level of precision in compliance obligations, and

o    greater acuity in statistical output to measure compliance for annual reporting and cross-agency compliance.

135.           The Bill promotes the right to privacy by confirming the Ombudsman’s ability to audit an agency’s use of its powers to access stored communications and telecommunications data under the TIA Act. This helps ensure that an agency’s access to the telecommunications information of interest to an investigation, and the interaction with the privacy right in Article 17 in that regard, is a reasonable, necessary and proportionate limitation on that right to privacy.

136.           These measures are consistent in-principle with the 2013 PJCIS Reports recommendation that the Attorney-General’s Department undertake a review of the oversight arrangements to consider the appropriate organisation or agency to ensure effective accountability under the TIA Act.

137.           The Ombudsman oversight of the telecommunications data regime recognises that access to telecommunications data by enforcement agencies potentially impacts on the privacy of persons whose data is being accessed. It is responsive to privacy and other rights-based issues raised by the implementation of the data retention regime and the ability for enforcement agencies to access telecommunications data. A comprehensive oversight regime for telecommunications data assists in ensuring that use, access to or disclosure of telecommunications data by enforcement agencies, including retained data, for purposes set out in Chapter 4 of the TIA Act, is subject to independent compliance assessment. It also serves to provide an important level of public accountability and scrutiny of agency practices by virtue of the Ombudsman public reporting regime being implemented in Chapter 4A.

138.           In summary, the measures in Schedules 1, 2 and 3 outlined above, promote the right to privacy by enhancing privacy protections through, for example, Parliamentary scrutiny, directly linking Privacy Act protections and appropriate oversight by the Privacy Commissioner.

Right to a fair hearing

139.           The Bill engages Article 14 of the ICCPR, which guarantees a person be afforded a fair hearing in relation to any suit at law and in the determination of any criminal charge against them, the right to a fair trial in the following respects:

·          the imposition of civil penalty provisions in relation to a failure to comply with subsections 187A(1) and 187D(a) (subsection 187M),

·          the imposition of criminal offence provisions contained in subsections 87(6), 182A and 186C(3),

·          the privilege against self-incrimination engaged by subsection 186D(1) and (2), and

·          limitation of the circumstances in which a service provider can disclose data retained under Part 5-1A of the TIA Act in relation to or as a part of civil litigation (subsections 280(1B) and 281 of the Telecommunications Act).

Section 187M

140.           Section 187M provides that civil penalties may apply where a service provider fails to keep or cause to be kept information or documents as required by the data retention obligation or where a service provider fails to comply with an approved data retention implementation plan in respect of a communication carried by means of that service.

141.           The effect of this provision is that contraventions of statutory obligations in relation to the data retention regime are dealt with under the enforcement mechanisms specified under the Telecommunications Act. Enforcement options available under the Telecommunications Act include remedial directions, formal warnings, pecuniary penalties and infringement notices.

142.           The United Nations Human Rights Committee has stated that the notion of criminal charges may ‘also extend to acts that are criminal in nature with sanctions that, regardless of their qualification in domestic law, must be regarded as penal because of their purpose, character or severity’ (see General Comment No. 32, para 15; Communication No. 1015/2001, Perterer v Austria , at para 9.2). As such, a penalty or other sanction, notwithstanding its nomenclature, may be ‘criminal’ for the purposes of the ICCPR even if it is described as a civil penalty under Australian domestic law. It is therefore necessary to consider the substance as well as the form of the civil penalties provided for by the Bill.

143.           The civil penalty in subsection 187M is not, in substance, a criminal penalty provision. Rather, the provision forms part of a regulatory regime which provides for a graduated series of sanctions under the Telecommunications Act, including infringement notices and pecuniary penalties. It is aimed at an objective which is protective or regulatory (the critical objective being to ensure provider compliance with the obligations imposed by the Bill) as opposed to being punitive or reparatory in nature.

144.           The civil penalty provision is designed to ensure a proportionate regulatory response to redress systemic compliance issues as opposed to acts of moral culpability. Further, no term of imprisonment is provided (typical of a criminal penalty provision) and the maximum penalty is comparatively lower than would be imposed under counterpart criminal penalty provisions. Although it may be regarded as large, it is not excessive in that it applies to regulated enforcement agencies and is reasonable and proportionate having regard to the legitimate community interest in enforcing the obligation to retain selected telecommunications data to support its availability to law enforcement and security agencies.

145.           As the penalty provisions which apply in relation to subsection 187A(1) and paragraph 187D(a) are properly characterised as civil penalty provisions, the criminal process guarantees in Article 14 and 15 do not apply. However, the equality of arms principles in Article 14(1) is enlivened because this principle applies equally to civil proceedings. ‘Equality of arms’ requires that each party be afforded a reasonable opportunity to present its case under the conditions that do not place it at a substantial disadvantage vis-à-vis another party ( Brandstetter v. Austria , Application No: 11170/84; 12876/87; 13468/87, Strasbourg judgment 28 August 1991 §§41-69)). ‘Equality of arms’ essentially denotes equal procedural ability to state the case. The right of equal access to a court, embodied in Article 14(1), is engaged, but not limited by section 187M. This is because the imposition of a civil penalty in these circumstances does not derogate from, or abridge, existing procedural rights of parties to litigation and would not result in actual disadvantage or other unfairness to the defendant. That is, the provision would not impact upon opportunities to adduce or challenge evidence or present arguments on the matters at issue ( H. v Belgium , Application No: 8950/80, Strasbourg judgment 30 November 1987 §§49-55). Further, the provision in no way impedes parties to a relevant proceeding being given the opportunity to contest all the arguments and evidence adduced.

Criminal penalty provisions—subsection 186C(3), section 182A and subsection 87(6)

146.           Subsection 186C(3) makes it a criminal offence to refuse to attend before an inspecting officer, to give information or to answer questions where requested by an inspecting officer of the Ombudsman for the purposes of inspections conducted under Chapter 4A. The maximum penalty for this offence is 6 months imprisonment.

147.           Subsection 87(6) similarly makes it a criminal offence for a person to fail to comply with a request to attend to provide information, to give information or to answer questions from the Ombudsman under section 87 where the Ombudsman has reason to believe that an officer of an agency is able to give information relevant to an inspection under Chapter 2, Part 2-7 of the TIA Act. The maximum penalty for this offence is 6 months imprisonment.

148.           Both offence provisions mirror existing provisions in the SD Act (section 56) and Inspector-General of Intelligence and Security Act 1986 (section 18).

149.           Criminal penalty provisions of this nature engage the criminal process rights under Article 14 of the ICCPR. This Article sets out specific guarantees that apply to proceedings involving the determination of ‘criminal charge’, and to persons who have been convicted of a ‘criminal offence’.

150.           The offence provisions are reasonable and proportionate and do not impermissibly limit the criminal process guarantees under the ICCPR. To the extent they engage Article 14, they are unlikely to raise any issues of incompatibility with Article 14(2) of the ICCPR as they involve low penalties and relate to matters that are readily accessible and peculiarly within the defendant’s knowledge. It is reasonable to expect law enforcement officers who access regulated powers to comply with conditions associated with inspection and auditing of the exercise of those powers and to respond to relevant requests for information. [4]

151.           The offence provisions moreover apply only to people who opt-in to the regulatory regime—people are not compelled to become law enforcement officials, and officials are not compelled to work in investigations and use the powers and therefore potentially be exposed to penalties of this nature. The enforcement agency officers to whom the offences would apply are best placed to make out a valid defence. [5] The facts pertaining to any alleged infringement are readily provable by a law enforcement officer as a matter peculiarly within their own knowledge or to which they have ready access. [6] That is, they are capable of effective rebuttal by an officer of the agency that would be subject to the offence provisions. [7]

152.           It is notable that the offence provisions would apply only to officials of law enforcement agencies. Such officials hold positions of great public trust and exercise covert powers under the TIA Act. Public confidence in the justice system requires that officials are held to a higher standard of conduct, particularly because there are fewer avenues to identify misconduct in relation to powers exercised covertly.

153.            Section 182A makes it an offence for a person to use or disclose information about whether a journalist information warrant, has been, or is being requested or applied for, the making of such warrant, the existence or non-existence of such a warrant and the revocation of such a warrant. The maximum penalty for this offence is 2 years imprisonment.  Section 182A is consistent with equivalent offence provisions already in place in relation to other warrants, including telecommunications interception warrants and stored communications warrants.  These provisions create a “need-to-know” within an agency to protect the privacy of the person who is the subject of a TIA Act warrant.

Subsections 186D(1) and (2)

154.           Article 14(3)(g) of the ICCPR protects the right to be free from self-incrimination by providing that a person may not be compelled to testify against him or herself or to confess guilt. The right to be free from self-incrimination may be subject to permissible limitations, provided that the limitations are for a legitimate objective, and are reasonable, necessary and proportionate to that objective.

155.           International jurisprudence suggests that the abrogation of the privilege against self-incrimination is more likely to be permissible where protections relating to the use of the information are included, such as a ‘use immunity’, which prohibits use of the information against the person in subsequent proceedings; or a ‘derivative use immunity’, which additionally prevents other information obtained as a result of the giving of self-incriminating information being used as evidence against the person.

156.           Subsection 186D(1) abrogates the privilege against self-incrimination as it provides that a person is not excused from giving information under Chapter 4A by reason that compliance would be incriminating. However, provision is made in subsection 186D(2) for use and derivative use immunities that restrict any direct or indirect use of that information in any subsequent criminal or civil proceedings, except by way of a prosecution for an offence against sections 133, 181A, 181B or 182, or against Part 7.4 or 7.7 of the Criminal Code.

Subsection 186D(1)

157.           Subsection 186D(1) provides that a person is not excused from giving information, answering a question or giving access to a document (disclosing information), as required under Chapter 4A (oversight by the Commonwealth Ombudsman) of the TIA Act, despite other matters which may otherwise bar the giving of that information. These matters are listed at paragraphs 186D(1)(a) to (c) and are that disclosure of the information would be:

a.        a contravention of a law

b.       contrary to the public interest, or

c.        might tend to incriminate the person or make the person liable to a penalty.

Privilege against self-incrimination or self-exposure to a civil penalty

158.           Paragraph 186D(1)(c) abrogates the privilege against self-incrimination or self-exposure to a civil penalty (referred to hereafter together as ‘self-incrimination’) in relation to the disclosure of information required under Chapter 4A. Subsection 186D(2) provides however that the disclosed information cannot be used as evidence against the person who disclosed that information, whether directly or indirectly (a ‘use immunity’ and ‘derivative use’ immunity). The use and derivative use immunities do not apply to prosecutions for offences against sections 133, 181A, 181B and 182 of the TIA Act or Part 7.4 or 7.7 of the Criminal Code.

159.           Section 133 of the TIA Act creates an offence of unlawful dealing in accessed stored communications under Chapter 3, Part 3-4, Division 1 of the TIA Act. Sections 181A, 181 and 182 create offences for unlawful dealing in telecommunications data authorisation information or unlawful secondary disclosure of accessed telecommunications data under Chapter 4, Part 4-1, Division 6 of the TIA Act. Parts 7.4 (false or misleading statements) and Part 7.7 (forgery and related offences) of the Criminal Code create offences relating to hindering, obstructing, intimidating or resisting a public official in the performance of their functions.

160.           The abrogation of the privilege in relation to the specified offences is reasonable and proportionate in the circumstances for the following reasons:

·          there are no other appropriate avenues for collecting this information, which is peculiarly within a person’s knowledge and not contained elsewhere in written documentation form (for example, the motive of a person in acting in a particular way); or

·          the public benefit derived from the abrogation of the privilege decisively outweighs the harm to individual rights. The harm to individual rights is minimised by the provision of a use and derivative use immunity. The limitation of the immunity to exclude listed offences corresponds with the likely focus of an Ombudsman investigation under Chapter 4A, and it would frustrate the purpose of Ombudsman oversight if it were not possible for prosecutorial authorities to adduce as evidence material compulsorily obtained by the Ombudsman.

161.           Further, the regime contained in Chapter 4A strengthens oversight and accountability of agency access to stored communications and telecommunications data. The offences and their abrogation of relevant privileges provide support for an effective oversight regime.

162.           The disclosure of information to the Ombudsman, and the ability to prosecute a person involved in wrongdoing under the TIA Act, forms a core part of the inspection and oversight functions of the Ombudsman. This function would be significantly impaired if persons were excused from providing self-incriminating information, or if that information could not be used as evidence in TIA Act proceedings.

Other laws do not prevent the disclosure of information for the purposes of an inspection

163.           Subsections 186D(3) and (4) provide that the unlawful disclosure provisions in sections 133, 181A, 181B or 182 of the TIA Act or in any other law do not prevent the disclosure of information to an inspecting officer of the Ombudsman for the purposes of an inspection under the oversight provisions contained in Chapter 4A.

164.           The purpose of provisions such as those in sections 133, 181A, 181B or 182 of the TIA Act is to protect the privacy of impact on persons whose information was accessed under the TIA Act. Given the purpose of the oversight regime in ensuring that agencies access this privacy sensitive information in a lawful manner, it is appropriate that the requirement to disclose information to the Ombudsman under section 186D overrides other laws that would otherwise prevent the disclosure of that information.

Retained data and civil litigation -subsections 280(1B) and 281(2) & (3) of the Telecommunications Act

165.           Article 14(1) of the ICCPR provides that all persons shall be equal before the courts and tribunals and that, in the determination of an individual’s rights and obligations in a suit at law, everyone shall be entitled to a fair and public hearing by a competent, independent and impartial tribunal established by law.  This includes respect for the principle of ‘equality of arms’, which requires that all parties to a proceeding must have a reasonable opportunity of presenting their case under conditions that do not disadvantage them as against other parties to the proceedings.

166.           Subsections 280(1B) and 281(2) and (3) strictly limit the circumstances in which a service provider may disclose data that has been retained for the purpose of Part 5-1A in relation to or as part of civil litigation.  This measure engages the right to a fair hearing, specifically the principle of equality of arms because it has the potential to affect procedural fairness in terms of the general conduct of the proceedings and the nature and quantum of evidence capable of being adduced by the parties and available for the court’s deliberative processes.

167.           Specifically, subsections 280(1B) and 281(2) and (3) amend sections 280 and 281 of the Telecommunications Act to limit the disclosure of information or documents kept by a service provider solely for the purpose of complying with Part 5-1A of the TIA Act, and that is used by the service provider only for that purpose, a limited range of public interest purposes (which include using or disclosing data in connection with an emergency warning, a call to an emergency services number, a threat to life situation, or the preservation of human life at sea), or a purpose incidental to those purposes.  These items give effect to recommendation 23 of the 2015 PJCIS Report.  The Committee received evidence of concerns about a possible increase in the frequency and volume of telecommunications data accessed by civil litigants as a result of the implementation of the data retention scheme and the public interest in confining disclosure of and access to, telecommunications data, to protect the broader privacy interests of the community.

168.           Subsections 280(1B) and 281(2) and (3) engage Article 14(1) to the extent that prohibiting litigants from accessing telecommunications data as an evidentiary source in civil proceedings could potentially reduce the ability of parties to litigation to access a probative source of information relevant to their claim or response. This has the propensity to affect their legitimate rights and interests in the conduct of civil litigation and constitute an additional ex ante barrier to mounting or defending a claim.

169.           However, subsections 280(1B) and 281(2) and (3) do not offend the equality of arms principle as telecommunications data is not be available as an evidentiary source for either party. As such, neither litigant is at a procedural disadvantage in terms of access to evidence or resources to formulate their case. Precluding parties’ access to a new source of information does not purport to, nor effectively regulate, the rules of evidence in courts and tribunals or impact the way in which other sources of evidence are collected or presented by either party.  The amendments seek to ensure that access to data that is currently available to claimants and respondents is not reduced or limited, as the prohibition is limited to data held solely for the purposes of compliance with the new data retention obligation and related purposes.

170.           Subsections 280(1B) and 281(2) and (3) also contain a regulation making power permitting the Minister administering the Telecommunications Act to prescribe exceptions to this prohibition. This enables exceptions to be formulated with the benefit of, and informed by, detailed empirical information about the use and application of telecommunications data in civil proceedings and enables any anticipated practical impediments to the conduct of litigation to be appropriately addressed. The prohibition on the disclosure of retained data in connection with civil proceedings does not operate in relation to disclosures prior to the data retention scheme being implemented, ensuring the Government has sufficient time to identify and put in place appropriate exceptions.

171.           In summary, none of the fundamental tenets of the right to a fair hearing, including the equality of arms principle are removed, compromised or reduced by the measure. Although the right to a fair hearing is potentially engaged by this measure, it is not limited, in that it would not undermine or compromise the overall procedural efficacy of civil proceedings.  The ability of an applicant or plaintiff to present their case or to challenge the case against them is not compromised as the restriction on access to telecommunications data applies equally to both parties.   As a result, this measure does not prevent one party accessing their opponent’s submissions, nor does it compromise procedural equality or generally restrict access to admissible evidence relied on by the other party or adduced in the proceedings.

The way in which retention of data promotes the right to a fair hearing

172.           More broadly, the right to a fair hearing is promoted by the data retention measures in the Bill on the basis that telecommunications data is equally capable of providing exculpatory evidence as evidence implicating a person in criminality. Accordingly, the potential future lack of availability of key telecommunications data in the absence of this measure may prejudice the right to a fair hearing guaranteed by Article 14 of the ICCPR. Given its forensic value, telecommunication data has important evidentiary value in criminal proceedings. The courts have an increasing expectation that such material is equally available to both the prosecution and defence.

Right to freedom of expression—Article 19 of the ICCPR

173.           Article 19 of the ICCPR provides that all persons shall have the right to freedom of expression. This right includes the freedom to seek, receive and impart information and ideas of all kinds, through any media of a person’s choice. It has been interpreted as encompassing every form of subjective ideas and opinions capable of transmission to others, and should not be construed as being confined to means of political, cultural or artistic expression. [8] The means of communication listed in Article 19(2) are not exhaustive and the right to freedom of expression has been interpreted as including means of communication such as the contents of phone conversations. [9] Article 19(3) provides that the right to freedom of expression may be subject to restrictions for specified purposes provided in the right, including the protection of national security or public order ( ordre public , which includes prevention of disorder and crime) where such restrictions are provided by law (that is, set down in formal legislation or an equivalent unwritten norm of common law) and are necessary for attaining one of these purposes.

174.           The requirement of necessity implies that any restriction must be proportional in severity and intensity to the purpose sought to be achieved. Limitations on freedom of expression on the grounds of ordre public include limitations for the purpose of preventing crime. In order for the laws to be considered a necessary restriction on freedom of expression on the grounds of ordre public , the restriction must be clearly defined.

175.           The Bill engages the right to freedom of expression in Article 19 to the extent that requiring providers of telecommunications services to retain telecommunications data about the communications of its subscribers or users as part of a mandatory dataset may indirectly limit the right to freedom of expression, as some persons may be more reluctant to use telecommunications services to seek, receive and impart information if they know that data about their communications is stored and may be subject to lawful access.

176.           The data retention regime aims to prevent criminal activity by ensuring that law enforcement and intelligence agencies have access to a limited range of vital telecommunications data, central to virtually every organised crime, counter-espionage, cyber-security and counter-terrorism investigation. It is also used in almost every serious criminal investigation, such as murder, rape and kidnapping. The provisions in the Bill therefore fall within the scope of a specified purpose for which the freedom of expression may be limited.

177.           To the extent that the measures in the Bill have the effect of limiting the right to freedom of expression, the limitation is designed for the legitimate objective of protecting public order. The Bill limits the extent to which the right to freedom of expression is abrogated by ensuring that only the minimum necessary types and amounts of telecommunications data are retained, and by limiting the range of agencies that may access telecommunications data.

178.           The additional safeguards on the access to and use of telecommunications data under the Bill (through limiting the number of enforcement agencies able to access data, making eligibility of access subject to ministerial declaration and the comprehensive Ombudsman oversight of data access and usage in Chapter 4A) together with existing safeguards under the TIA Act (including that agencies may only request data where it is reasonably necessary for a legitimate investigation) provides assurance that specified data is only retained and used for law enforcement and investigative purposes, meaning that any indirect limitation on the right to freedom of expression in Article 19 is appropriately minimised.

Journalist information warrant regime

179.           As outlined above, Article 17 of the ICCPR provides that everyone has the right to freedom from unlawful or arbitrary interferences with their privacy (the right to privacy). Article 19(2) of the ICCPR provides that everyone has the right to freedom of expression, including the freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art or through any other media.  A journalist’s right to protect confidential information derives from the right to freedom of expression and is a fundamental tenet of an open and unimpeded press. Without such protection, sources may be deterred from assisting the press in informing the public on matters of public interest. As a result, the ability of the press to provide accurate and reliable information may be adversely affected.

180.           The Bill promotes the right to freedom of expression and the right to privacy in that it provides a higher threshold for the authorisation of disclosures of telecommunications data for the purposes of identifying a journalist’s source.

181.           Specifically, Division 4C creates a scheme that requires ASIO and enforcement agencies to obtain a warrant prior to authorising the disclosure of telecommunications data to identify a journalist’s source. The effect of the Division is to prohibit enforcement agencies from making historic or prospective data authorisations for access to a journalist’s or their employer’s data for the purpose of identifying a confidential source unless a journalist information warrant is in force that authorises the making of such authorisations.

182.           Agencies are required to obtain a journalist information warrant relating to an investigation into a particular journalist from an independent issuing authority, or, in the case of ASIO, the Minister, as a condition precedent to the agency being permitted to authorise the disclosure of telecommunications data by carriers for that investigation. Notably, the warrant scheme has the same protections, safeguards and oversights that apply to agencies when they obtain telecommunications interception warrants.  The features of the scheme include creating new issuing authorities for the journalist information warrants; use and disclosure offences and exceptions for agencies that obtain data relating to journalists and their sources; allowing Public Interest Advocates, at both the Commonwealth and State and Territory levels, to make submissions to warrant issuing authorities; statistical reporting by enforcement agencies in the public TIA Act Annual Report and by ASIO in its classified Annual Report; and retention of information about the use of these warrants by agencies so that the PJCIS may have access to that information in its long term review of the data retention scheme.

183.           The Bill promotes the right of journalists to seek and to impart information by introducing specific safeguards to protect the confidentiality of journalists’ sources. These protections include a high threshold for access through ex ante judicial review of a warrant for data authorisation requests ensuring that data access for the purposes of identifying a source receives specific and dedicated independent attention. This measure ensures that such access is only permitted in circumstances where the public interest in the issue of the warrant outweighs the public interest in maintaining the confidentiality of the source.  As a corollary, the item also promotes the corresponding right of the public to receive information disseminated by a journalist in such circumstances, augmenting the ability of the press to provide information on matters of public interest. This item further promotes the right to freedom from arbitrary and unlawful interferences with privacy of the source and the journalist, by providing for stronger protections that apply where an agency is seeking to access telecommunications data relating to the journalist or their employer for the purpose of identifying the source.

184.           Independent oversight, through the creation of a warrant scheme approved by a judicial officer or AAT member minimises the potential for deterring sources from actively assisting the press to inform the public on matters of public interest and ensures that the media is not adversely affected by the measure. The existence of robust oversight of authorisation requests militates against access to source information occurring in a way which is unduly privacy intrusive. Further, consistent and routine scrutiny of authorisations by independent issuing authorities further assists in building public trust about how law enforcement and intelligence agencies are using or seeking to use coercive powers. Journalists, by extension, have a greater level of assurance that the confidentiality of their sources will be preserved save where the public interest in identification outweighs the interest in confidentiality.

185.           The additional protection afforded to these data authorisations complements journalists’ limited privilege to not be compelled to identify their sources where they have given an undertaking of confidentiality and is responsive to media concerns centring on press freedom and the protection of journalists’ sources. The Court of Justice of the European Union (CJEU), in assessing the former EU Data Retention Directive, observed that ‘[the Directive] does not provide for any exception, with the result that it applies even to persons whose communications are subject, according to rules of national law, to the obligation of professional secrecy.’ ( Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and others (Irish Human Rights Commission intervening); In re Kärntner Landesregierung and others (Joined Cases C-293/12 and C-594/12 ); [2014] WLR (D) 164). The amendments add a further warrant threshold, providing a significant additional and unique protection in relation to the identification of confidential journalist sources.

186.           Further, the statutory criteria to which issuing authorities must have regard in considering a journalist information warrant application, including whether the interest in the disclosure of data outweighs the interest in confidentiality of the source, with particular regard to the impacts on individual privacy, the gravity of the conduct in relation to which the warrant is sought and the potential investigative utility of the information, ensures that privacy and public interest considerations are always taken into account before a journalist information warrant is granted. Issuing authorities, based on their particular experience and qualifications, are well placed to weigh source confidentiality against the operational outcomes sought to be achieved by disclosure.

Right to life and security of the person—Articles 6 and 9 of the ICCPR

187.           The right to security of the person in Article 9 of the ICCPR requires States to provide reasonable and appropriate measures, within the scope of those available to public authorities, to protect a person’s physical security.

188.           The right to life also imposes a positive obligation to protect life in Article 6 of the ICCPR. In addition to protecting individuals from unwarranted actions by the State, it is necessary for the State to protect individuals from unwarranted actions by private persons. The Human Rights Committee has confirmed that protection of the right to life ‘requires that States adopt positive measures’ [10] and the positive obligation to protect life in the context of law enforcement is likely to extend beyond putting in place an effective criminal justice system. [11] Specifically, European jurisprudence has established that the obligation to protect life also requires the police and other protective authorities to take, in certain well-defined circumstances, preventative operational measures to protect an individual whose life is at risk from the acts of a third party. [12] The statutory obligation which the Bill places on service providers to retain a limited subset of telecommunication data which has been determined to be integral for law enforcement and security purposes buttresses the right to life in Article 6 of the ICCPR. If such data is not retained, and law enforcement investigations are resultantly compromised, the ability of police to protect the physical security of potential victims of a crime is critically undermined.

189.           Access to telecommunications data at the inception of investigations enables agencies to narrow down the field of initial suspects and to identify linkages, networks and patterns of criminality. It is also the least privacy intrusive methodology to remove alleged suspects from inquiries, and to identify criminal networks. Access to this data is a key building block for investigations, facilitating discovery of and providing context to identities, location and point in time and, potentially, to prevent the commission of further crime. The ability of law enforcement officers to harness investigative mechanisms facilitated by data access, assists in promoting the welfare and safety of potential and actual victims of serious crimes as well as safeguarding the general public who may otherwise be susceptible to security incidents and criminal acts, resulting in the arbitrary deprivation of life.

Right to an effective remedy - Article 2(3) of the ICCPR

190.           Article 2(3) of the ICCPR protects the right to an effective remedy for any violation of rights or freedoms recognised by the ICCPR, including the right to have such a remedy determined by competent judicial, administrative or legislative authorities or by any other competent authority provided for by the legal system of the State.

191.           Section 187KA allows the CAC to refer disputes over applications for exemptions from and variations to data retention obligations to the Australian Communications Media Authority (the ACMA).

192.           Section 187KA engages and promotes the right to an effective remedy as it provides service providers with an additional remedial avenue for the resolution of disputes by the ACMA in relation to exemptions or variation decisions made by the CAC.

193.           The Bill also confers on the ACMA a role to arbitrate disputes in relation to data implementation plans between the CAC and service providers and allows a service provider to apply to the ACMA for a review of CAC decisions about exemptions or variations of retention obligations applicable to their services.

194.           Providing administrative review of CAC decisions, in addition to judicial review [13] , advances an applicant’s right to an effective remedy.

Summary

195.           Any interference with Convention rights occasioned by this Bill is in pursuit of a legitimate aim—the ability of law enforcement and intelligence agencies to obtain telecommunications data in order to safeguard national security, prevent and detect crime and protect members of the public. Access to this telecommunications data is essential for law enforcement and security agencies to effectively investigate a range of criminal offences and threats to national security. In the absence of these measures, there is a risk that agencies will not receive vital information relevant to these investigations. This would limit agencies’ abilities to fulfil their obligations into preventing, detecting and prosecuting offences under Australian law and safeguarding Australia’s national security. Telecommunications data is not the only source of information available to law enforcement and national security agencies, however it is a critical investigative tool that agencies use in order to identify and prosecute criminals, and protect Australians. 

196.           It is notable that telecommunications data also plays an important role in protecting the privacy of innocent parties who come within the scope of an agency’s investigation, by allowing an agency to rule them out from suspicion at an early stage and without having to resort to more privacy-intrusive investigative methods.  For example, call charge records can show that a potential person of interest has had no contact with other members of a criminal syndicate.

197.           Telecommunications data is also frequently used to refine and direct the use of more intrusive investigative methods, such as telecommunications interception, avoiding unnecessary invasion of privacy. The ability of law enforcement and national security agencies to use telecommunications data at the early stages of an investigation also displaces the need for agencies to employ more privacy and rights intrusive alternative investigative methods to build a picture of a suspect and their network of criminal associates.

198.           Under existing provisions under the TIA Act, law enforcement and national security agencies can only access telecommunications data in limited circumstances.  Authorising officers must be satisfied on a case-by-case basis that the disclosure of the information is reasonably necessary, and must be satisfied that the interference with privacy is justified and proportionate having regard to the seriousness of the matter under investigation and the likely utility of the information sought. 

199.           Any purported interference with Convention rights resulting from this Bill are in pursuit of a legitimate aim, namely the ability of law enforcement and intelligence agencies to access telecommunications data in order to safeguard national security and to prevent, detect, investigate and prosecute crime. The reasonableness of the measures and their proportionality is supported by the specificity of the provisions, being appropriately targeted for that legitimate purpose.

200.           The additional oversight by the Ombudsman contained in Schedule 3 to the Bill and the limitations on the range of agencies who may access telecommunications data (which reduce the number and range of agencies able to access this information, and subject the nature of their investigative activities and need for data to greater scrutiny) are important safeguards that go towards the reasonableness and proportionality of the legislation as a whole.

Conclusion

201.           The Bill is compatible with human rights because it promotes a number of human rights. To the extent that it may also limit human rights, those limitations are reasonable, necessary and proportionate.



 

NOTES ON CLAUSES

Clause 1—Short title

202.           This clause provides that when the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 is enacted, it is to be cited as the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (the Act).

Clause 2—Commencement

203.           Clause 2(1) sets out when various provisions of the Act are to commence, as described in the table.

204.           Item 1 in the table provides that sections 1 to 3, which concern the formal aspects of the Act, as well as anything not elsewhere covered by the table, commence on the day the Act receives the Royal Assent.

205.           Item 2 in the table provides that Schedule 1, Items 1 to 7, which amend the Telecommunications (Interception and Access) Act 1979 (the TIA Act) to introduce a mandatory data retention scheme for telecommunications service providers, commence the day after the end of the period of 6 months beginning on the day this Act receives the Royal Assent. The reason for the delay in commencement of these Items is to ensure that, prior to commencement, service providers can put in place implementation arrangements to comply with the data retention regime. The delay also ensures that all appropriate instruments required under the Act are in effect.

206.           Item 3 in the table provides that Schedule 1, Items 8 to 11 commence on the day the Act receives the Royal Assent. Items 8 to 11 in Schedule 1 are application provisions that allow service providers to keep documents and to make applications contained in Part 5-1A of the Act before that Part commences. These provisions enable implementation plans and exemptions to be in place upon the commencement of the main amendments, and allow service providers to begin complying with their data retention obligations.

207.           Item 4 in the table provides that Schedules 2 and 3 commence the day after the end of the period of 6 months beginning on the day this Act receives the Royal Assent. The reason for the delay in commencement of these schedules is to enable agencies and oversight bodies to put in place implementation and necessary transition arrangements prior to commencement of the Act.

208.           Clause 2(2) allows the date the Act receives the Royal Assent to be inserted into the Act on publication. This provision allows specification of the start and end dates for the implementation periods included in Schedules 1 (Items 1 to 7) and Schedules 2 and 3 of the Act.

Clause 3—Schedules

209.           Clause 3 provides that each Act specified in a Schedule to this Act amended or repealed as set out in the applicable items in the Schedule. Any other item in a Schedule to this Act has effect according to its terms. This is a technical provision to give operational effect to the amendments contained in the Schedules.

Schedule 1—Data retention

Part 1—Main amendments

Overview of measures

210.           Part 1 of Schedule 1 inserts Part 5-1A into Chapter 5 of the Telecommunications (Interception and Access) Act 1979 (the TIA Act). Chapter 5 deals with the interaction between agencies and carriers.

211.           This Schedule requires service providers to retain and secure listed telecommunications data.

212.           The amendments provide for:

a.        the obligation to keep and secure information and documents (Division 1)

b.       data retention implementation plans (Division 2)

c.        exemptions from the data retention requirements (Division 3)

d.       the confidentiality of data retention implementation plans and exemptions (Division 4)

e.        the Commonwealth to make a grant of financial assistance to service providers (Division 4)

f.         pecuniary penalties and infringement notices (Division 4)

g.       the Privacy Act to apply in relation to a service provider to the extent the extent of their data retention activities

h.       a review of the operation of the data retention scheme by the Parliamentary Joint Committee on Intelligence and Security (the PJCIS) to commence no more than two years after the end of the implementation phase (Division 4), and

i.         annual reporting on the operation of the data retention scheme (Division 4).

213.           The data retention obligation requires service providers to keep a minimum subset of telecommunications data (also known as metadata) that is critical to law enforcement and national security investigations, and specifies the minimum period for which it must be kept. The retention obligation creates a consistent obligation for record-keeping across the telecommunications industry. The minimum obligation imposed by this legislation is consistent with the types of data and subscriber information currently held by service providers for billing, quality assurance and other business purposes. Some service providers may initially need to modify their systems to ensure they meet this minimum standard.

214.           The requirements on service providers to keep data, as provided for by the Division 1 of Part 5-1A, ensure the availability of a set of critical data for law enforcement and national security purposes.

215.           Division 2 of Part 5-1A allows service providers to develop and submit implementation plans to the Communications Access Co-ordinator (the CAC) for approval. These plans will set out how the provider will achieve compliance with their data retention and security obligations over a period of up to 18 months.

216.           The implementation plan process is intended to:

·          allow service providers to develop and implement cost-effective solutions to their data retention obligations by, for example, aligning the implementation of such solutions with a provider’s internal business planning and investment cycles,

·          ensure that service providers achieve substantial compliance with their data retention obligations early in the implementation phase by encouraging interim data retention solutions, such as by increasing the storage for existing databases to allow for a longer retention period, albeit for a period that is less than 2 years, or by implementing full data retention capability for one or more (but not all) services covered by the plan, or for one or more (but not all) kinds of data prescribed in the regulations,

·          facilitate engagement between industry and Government on the above issues, and

·          provide regulatory certainty for both industry and agencies during the implementation phase.

217.           Once approved by the CAC, a service provider is required to comply with the implementation plan, for a period of up to 18 months, instead of the data retention and security obligations under sections 187A and 187C. Additionally, once approved, a plan is only be able to be varied with the consent of both the CAC and the service provider.

218.           Division 3 of Part 5-1A provides that the CAC may grant exemptions to service providers for any or all of the obligations. The CAC is required to consider both the interests of law enforcement and national security agencies, and the objects of the Telecommunications Act 1997   when deciding whether to grant an exemption. This allows exemptions to be granted where, for example, telecommunications data relating to the relevant service is likely to be of little or no relevance to law enforcement or national security investigations, or where the cost of complying, either in full or in part, with data retention and security obligations in relation to the relevant service would be disproportionately high.

219.           Division 4 of Part 5-1A provides that the CAC must treat applications for implementation plans and exemptions as confidential, as must any person to whom the CAC discloses such applications. Division 4 also provides that the contravention of data retention obligations under Part 5-1A attracts civil penalties. Further, Division 4 allows the Commonwealth to make a grant of financial assistance to service providers and provides that the Privacy Act applies in relation to a service provider to the extent the extent of their data retention activities.  Division 4 also requires the Parliamentary Joint Committee on Intelligence and Security (the PJCIS) to review the operation of the data retention regime within three years of the mandatory data retention scheme being fully implemented and requires the Minister to report annually on the operation of the data retention regime.



 

Telecommunications (Interception and Access) Act 1979

Item 1—Part 5-1A

220.           Item 1 inserts Part 5-1A after Part 5-1 of the TIA Act. The provisions inserted by this Part contain the requirements for the retention and security of prescribed telecommunications data by telecommunications service providers.

Division 1 of Part 5-1A—Obligation to keep information and documents

Section 187A—Service providers must keep certain information and documents

221.           This section provides that service providers must keep and secure certain information and documents.

Subsection 187A(1)—Information and documents to be kept

222.           Telecommunications data is not defined in the TIA Act. This approach is consistent with the technology-neutral approach of the Privacy Act, and Part 13 of the Telecommunications Act. [14] The term is described, however, through the provisions of Divisions 3, 4 and 4A of Chapter 4 of the TIA Act, which contain the powers of agencies to make authorisations for the disclosure of information or documents protected under Part 13 of the Telecommunications Act, and section 172 of the Act, which provides that Divisions 3, 4 and 4A do not permit the disclosure of information that is the contents or substance of a communication, or a document to the extent that it contains such information. As such, telecommunications data can be considered to be information about a communication, but not its content or substance.

223.           Data retention obligations do not apply to all telecommunications data.

224.           The purpose of the data retention obligation is to create a consistent minimum retention obligation across the telecommunications industry in relation to a limited range of telecommunications data that is critical to law enforcement and national security investigations. Data retention and security obligations apply to specified information, or documents containing such information, relating to a service operated by the service provider for the period specified under section 187C. The limited subset of telecommunications data to which the obligations apply is specified by section 187AA. Subsection 187A(3) describes the services to which data retention obligations apply.

225.           The detailed, technologically-neutral table in subsection 187AA(1) is designed to ensure that the legislative framework gives service providers sufficient technical detail about their data retention obligations while remaining flexible enough to adapt to future changes in communication technology.

Subsection 187A(3)—Application of Part 5-1A to certain services

226.           Subsection 187A(3) sets out the services to which the data retention obligations under Part 5-1A of the Act apply. Data retention obligations only apply to services that satisfy paragraphs 187A(3)(a), (b) and (c).

227.           Paragraph 187A(3)(a) provides that the Part applies to a service if it is a service for carrying communications, or that enable communications to be carried, by guided or unguided electromagnetic energy or both. Section 5 of the TIA Act defines the term ‘carry’ for the purposes of the TIA Act. The term is defined in the same manner as in the Telecommunications Act, but should be interpreted in light of the objective of the TIA Act to allow for lawful access to communications in relation to law enforcement and national security investigations. The concept of ‘enabling’ a communication to be carried is intended to put beyond doubt that data retention obligations apply to relevant services that operate ‘over the top’ of, or in conjunction with, other services that carry communications.

228.           Paragraph 187A(3)(b) provides that the Part applies to a service if it is:

a.        operated by a carrier (within the meaning of the TIA Act);

b.       operated by an internet service provider (within the meaning of Schedule 5 of the Broadcasting Services Act 1992 ).; or

c.        of a kind declared by the Minister.

229.           A service is ‘operated by’ a carrier or an internet service provider even if:

a.         the service itself would not require a carrier licence, or the service is not a ‘carriage service’ (within the meaning of the Telecommunications Act); for example, if a licenced carrier operates an email service, that service is still operated by the carrier notwithstanding that to provide an email service does not require a licence; or

b.       in the case of an internet service provider, the service itself is not an ‘internet access service’ (within the meaning of Schedule 5 of the Broadcasting Services Act 1992 ); for example if an internet service provider operates a VoIP service, that service is still operated by the internet service provider notwithstanding that a VoIP service is not itself an internet access service.

230.           Paragraph 187A(3)(c) provides that Part 5-1A applies to a service if the person operating the service owns or operates, in Australia, infrastructure that facilitates, or relates to, the provision of any of its services, of a kind referred to in paragraph (a). Item 5 of the Bill defines infrastructure as any line or equipment used to facilitate telecommunications across a telecommunications network.  The intention of paragraph 187A(3)(c) is that the data retention obligation applies to a service if the person operating the service owns or operates infrastructure in Australia relating to any of its services, irrespective of whether the person owns or operates infrastructure in Australia relating to the particular service in question.

231.           Data retention obligations do not, however, apply to a broadcasting service (within the meaning of the Broadcasting Services Act 1992 ). The definition of a ‘telecommunications service’ in section 5 of the TIA Act currently excludes a service for carrying communications solely by means of radiocommunication. This exclusion is appropriate for the purposes of prohibiting and regulating the lawful interception of telecommunications, where it is appropriate to consider the end-to-end passage of a communication across a telecommunications system (as defined in section 5 of the TIA Act). Data retention obligations, by comparison, expressly relate to such parts of a telecommunications service or system as are operated by a given service provider and which may, therefore, involve a service for carrying communication solely by means of radiocommunication. As such, subsection 187A(3) does not incorporate the radiocommunications exception, but excludes broadcasting services.

Subsection 187A(3A)-(3C)— Declaration of additional classes of service providers

232.           The telecommunications industry is highly innovative and increasingly converged. Sophisticated criminals and persons engaged in activities prejudicial to security are frequently early adopters of communications technologies that they perceive will assist them to evade lawful investigations. As such, a declaration is required to ensure the data retention regime is able to remain up-to-date with rapidly changes to communications technologies, business practices, and law enforcement and national security threat environments.

233.           Subsection 187A(3A) provides the Minister with a power to declare a service to be within the data retention scheme.

234.           Subsection 187A(3B) provides that a declaration under subsection 187A(3A) ceases to be in force after 40 sitting days of either House of Parliament after the declaration comes into force.  However, such a declaration may be expressed to enter into force either when it is made or at some later date.  The time to expiry of the declaration only commences once the declaration comes into force.

235.           Subsection 187A(3C) provides that, where a Bill is introduced into the Parliament to amend the classes of service providers to which data retention obligations apply (i.e., where a Bill is introduced that would permanently list an additional class of service provider on the face of the TIA Act), the Bill must be referred to the PJCIS for inquiry.  Subsection 187A(3C) requires the PJCIS to be given a minimum of 15 sitting days of a House of the Parliament for review and report on the bill. These subsections give effect to recommendation 14 of the 2015 PJCIS Report.

Subsection 187A(4)— Information not required to be kept

236.           Paragraph 187A(4)(a) provides that service providers are not required to keep information or documents that are the contents or substance of a communication, such as the words spoken during a phone call, or an email subject line. This paragraph gives effect to the relevant part of recommendation 42 of the 2013 PJCIS Report   that any mandatory data retention regime should apply only to telecommunications data and exclude content. The paragraph explicitly states that the obligation to keep information does not require a carrier to retain content.

237.           Paragraph 187A(4)(a) does not preclude carriers from retaining the content or substance of a communication for other lawful purposes, such as their lawful business purposes. For example, a service provider that provides an email service may keep the content of emails on a server as a necessary part of providing that service.

238.           Section 172 of the TIA Act currently prohibits ASIO or enforcement agencies from authorising the disclosure of the substance or content of a communication under a data authorisation made under Chapter 4 of the TIA Act. Agencies may only access the substance or content of a communication under a warrant, or in limited other circumstances, such as in a life-threatening emergency.

239.           Paragraph 187A(4)(b) provides that service providers are not required to retain information or documents that state an address to which a communication was sent on the internet from a telecommunications device using an internet access service provided by the service provider, and that was obtained by the carrier only as a result of providing a service for internet access.

240.           This provision gives effect to the relevant part of recommendation 42 of the 2013 PJCIS Report, that internet browsing data should be explicitly excluded from the scope of any mandatory data retention regime. This provision goes further than the 2013 PJCIS Report recommended by ensuring that service providers are not required to keep records of the uniform resource locators (URLs), internet protocol (IP) addresses, port numbers and other internet identifiers with which a person has communicated via an internet access service provided by the service provider. The provision is required because a URL is in some cases telecommunications data rather than content.

241.           Paragraph 187A(4)(b) only applies, however, to internet address identifiers obtained by a carrier solely as the result of providing an internet access service. If the service provider obtains a destination internet address identifier as the result of providing another service, the provider is required to keep a record of that identifier. For example, an email service provider is required to keep records of the destination internet address identifiers associated with the use of an email service, such as the email and IP address, and port number to which an email was sent. Similarly, if a service provider that provides an internet access service to a subscriber also provides a Voice over the Internet Protocol (VoIP) service to that subscriber, the service provider is required to keep records of any destination internet address identifiers associated with the use of that VoIP service. This could include the internet protocol (IP) address to which a VoIP call was sent. In this example, however, the service provider is not required to keep records of any other destination internet address identifiers associated with web browsing.

242.           Paragraph 187A(4)(b) operates to exclude information of a certain character from retention obligations—being information an internet access service provider has about destinations on the internet that the provider only has because it provides that service. While internet access services are used to both send and receive information, received information is still of the above character and excluded by the paragraph. However, this paragraph does not exclude any provider from retaining information about the identifiers it assigns, on a permanent or transient basis, to an account, device or relevant service, such as network address translation (NAT) information. Such information can be required to be retained by Item 1(d) or Item 2, or both, of the table in 187AA.

243.           Paragraph 187A(4)(c) provides that a service provider is not required to keep, or cause to be kept information to the extent that it relates to a communication that is being carried by means of another service that is of a kind referred to in paragraph 187A(3)(a) and that is operated by another person using the relevant service operated by the service provider. Furthermore, a service provider is not required to keep, or cause to be kept a document to the extent that it contains such information. This item seeks to ensure that service providers are only required to retain telecommunications data to the extent that such information is available to that service provider.

244.           The note at the end of paragraph 187A(4)(c) puts beyond doubt that service providers are not required to keep information or documents about communications that are carried or enabled by means of services that they themselves do not provide that pass ‘over the top’ of the underlying service they provide. This item implements recommendation 6 of the 2015 PJCIS Report.

245.           Paragraph 187A(4)(d) provides that the requirements to keep data under section 187A do not apply to information that a service provider is required to delete because of a determination made under section 99 of the Telecommunications Act. An example of such a determination is the Telecommunications (Service Provider—Identity Checks for Pre-paid Public Mobile Carriage Services) Determination 2013 .

246.           Paragraph 187A(4)(e) provides that a service provider is not required to keep information about the location of a telecommunications device that is not information used by the service provider in relation to the relevant service to which the device is connected. This could include, for example, a record of which cell tower, base station or other network access point a device was connected to. This provision ensures that service providers are not required to generate and keep location records that are more detailed than or different to the location records used in relation to the relevant service.

Subsection 187A(5) —Attempted and untariffed communications

247.           Paragraph 187A(5)(a) prescribes the circumstances in which an attempt to send a communication is taken to be the sending of a communication, which would trigger data retention obligations under subsection 187A(1). These circumstances include, for example, where:

a.        a phone number is dialled, but the phone rings and is unanswered or rings out (subparagraph 187A(5)(a)(i))

b.       an email server attempts to send a new email to an email client, but the client email server does not exist or is not working (subparagraph 187A(5)(a)(ii)), or

c.        a mobile phone number is dialled, but the destination mobile phone is switched off and so is not recorded on the network’s Visitor Location Register; as such, the network does not attempt to connect the phone call and instead informs the caller that the phone is switched off or unavailable (subparagraph 187A(5)(a)(iii)).

248.           Paragraph 187A(5)(b) clarifies that untariffed communications, such as 1800 phone calls, communications sent using ‘unlimited’ phone or internet plans, or free internet or application services, are communications for data retention purposes, and thus may be the subject of data retention obligations.

Subsection 187A(6)—Service providers must create information or a document if not already created by the operation of the relevant service

249.           Subsection 187A(6) clarifies that if the information or documents that service providers are required to keep under subsection 187A(1) are not created by the operation of the relevant service, or if they are only created in a transient fashion, then the service provider is required to use other means to create this information or document.

250.           Mandatory data retention is the creation of a consistent minimum standard across the telecommunications industry for what data is to be collected and how long it is to be retained. Subsection 187A(6) ensures that all service providers must meet this minimum standard, whether or not that data is currently being collected or retained by the relevant service provider.

Section 187AA—Information to be kept

251.           This section lists the information or documents that service providers must retain and secure in order to comply with obligations. The effect is to prescribe the data set in primary legislation, implementing recommendation 2 of the 2015 PJCIS Report.

252.           The table below sets out explanatory material relating to each of the categories of information or documents that service providers must retain for the purposes of this section along with a description of the information that may be included within each kind of information, and an accompanying explanation. This table is not exhaustive of the information that may be included within each kind of information listed in subsection 187AA(1).

Information or documents to be kept

Item

Topic

Column 1

Description of information

Column 2

Explanation

1

The subscriber of, and accounts, services, telecommunications devices and other relevant services relating to, the relevant service

The following:

(a) any information that is one or both of the following:

i) any name or address information;

ii) any other information for identification purposes;

relating to the relevant service, being information used by the service provider for the purposes of identifying the subscriber of the relevant service;

(b) any i nformation relating to any contract, agreement or arrangement relating to the relevant account, service or device;

(c) any information that is one or both of the following:

(i) billing or payment information;

(ii) contact information;

relating to the relevant service, being information used by the service provider in relation to the relevant service;

(d) any identifiers relating to the relevant service or any related account, service or device, being information used by the service provider in relation to the relevant service or any related account, service or device;

(e) the status of the relevant service or any related account, service or device

This category includes customer identifying details, such as name and address. It also includes contact details, such as phone number and email address. This information allows agencies to confirm a subscriber’s identity or link a service or account to a subscriber.

This category also includes details about services attached to account, such as the unique identifying number attached to a mobile phone, or the IP address (or addresses) allocated to an internet access account or service.

This category further includes billing and payment information.

Information about the status of a service can include when an account has been enabled or suspended, a relevant service has been enabled or suspended or is currently roaming, or a telecommunications device has been stolen.

The phrases ‘any information’ and ‘any identifiers’ should be read to mean the information that the provider obtains or generates that meets the description which follows that phrase. If the provider has no information that meets the description, including because that kind of information does not pertain to the service in question, no information needs to be retained. For instance, if a provider offers a free service and therefore has no billing information, no billing information needs to be retained by that provider with respect to that service the provider will need to retain subscriber and transactional data with respect to that service, but no billing information needs to be retained.

Service providers are not required to collect and retain passwords, PINs, secret questions or token codes, which are used for authentication purposes.

2

The source of a communication

Identifiers of a related account, service or device from which a communication has been sent or attempted to be sent by means of the relevant service.

Identifiers for the source of a communication may include, but are not limited to:

·          the phone number, IMSI, IMEI from which a call or SMS was made

·          identifying details (such as username, address, number) of the account, service or device from which a text, voice, or multi-media communication was made (examples include email, Voice over IP (VoIP), instant message or video communication)

·          the IP address and port number allocated to the subscriber or device connected to the internet at the time of the communication, or

·          any other service or device identifier known to the provider that uniquely identifies the source of the communication.

In all instances, the identifiers retained to identify the source of the communication are the ones relevant to, or used in, the operation of the particular service in question.

 

3

The destination of a communication

Identifiers of the account, telecommunications device or relevant service to which the communication:

a) has been sent; or

b) has been forwarded, routed or transferred, or attempted to be forwarded, routed or transferred.

Paragraph 187A(4)(b) puts beyond doubt that service providers are not required to keep information about subscribers’ web browsing history.

The destination of a communication is the recipient. Identifiers for the destination of a communication may include, but are not limited to:

·                      the phone number that received a call or SMS

·                      identifying details (such as username, address or number) of the account, service or device which receives a text, voice or multi-media communication (examples include email, VoIP, instant message or video communication)

·                      the IP address allocated to a subscriber or device connected to the internet at the time of receipt of the communication, or

·                      any other service or device identifier known to the provider that uniquely identifies the destination of the communication.

For internet access services, the Bill explicitly excludes anything that is web-browsing history or could amount to web-browsing history, such as a URL or IP address to which a subscriber has browsed.

In all instances, the identifiers retained to identify the destination of the communications are the ones relevant to, or used in, the operation of the particular service in question. If the ultimate destination of a communication is not feasibly available to the provider of the service, the provider must retain only the last destination knowable to the provider.

4

The date, time and duration of a communication, or of its connection to a relevant service

The date and time (including the time zone) of the following relating to the communication (with sufficient accuracy to identify the communication):

a)        the start of the communication

b)        the end of the communication

c)        the connection to the relevant service, and

d)        the disconnection from the relevant service.

For phone calls this is simply the time a call started and ended.

For internet sessions this is when a device or account connects to a data network and ends when it disconnected - those events may be a few hours to several days, weeks, or longer apart, depending on the design and operation of the service in question.

 

5

The type of a communication and relevant service used in connection with a communication

The following:

a) the type of communication;

Examples: Voice, SMS, email, chat, forum, social media.

b) the type of the relevant service;

Examples: ADSL, Wi-Fi, VoIP, cable, GPRS, VoLTE, LTE.

c) the features of the relevant service that were, or would have been, used by or enable for the communication.

Examples: call waiting, call forwarding, data volume usage.

The type of communication means the form of the communication (for example voice call vs. internet usage).

 

The type of the relevant service (5(b)) provides more technical detail about the service. For example, for a mobile messaging service, whether it is an SMS or MMS.

Data volume usage, applicable to internet access services, refers to the amount of data uploaded and downloaded by the subscriber. This information can be measured for each session, or in a way applicable to the operation and billing of the service in question, such as per day or per month.

Note: This item will only apply to the service provider operating the relevant service: see paragraph 187A(4)(c).

 

 

6

the location of equipment or a line used in connection with a communication

The following in relation to the equipment or line used to send or receive the communication:

a) the location of the equipment or line at the start of the communication;

b) the location of the equipment or line at the end of the communication.

Examples:  Cell towers, Wi-Fi hotspots.

Location records are limited to the location of a device at the start and end of a communication, such as a phone call or Short Message Service (SMS) message.

For services provided to a fixed location, such as an ADSL service, this requirement can be met with the retention of the subscriber’s address.

Paragraph 187A(4)(e) of the Bill provides that location records are limited to information that is used by a service provider in relation to the relevant service. This would include information such as which cell tower, Wi-Fi hotspot or base station a device was connected to at the start and end of communication.

Service providers are not required to keep continuous, real-time or precise location records, such as the continuous GPS location of a device. These limitations seek to ensure that the locations records to be kept by service providers do not allow continuous monitoring or tracking of devices.  

253.           Subsections 187AA(2)-(5) implement Recommendation 3 of the 2015 PJCIS Report. 

254.           Subsection 187AA(2) permits the Minister to amend the dataset on a temporary basis by issuing a declaration.  Subsection 187AA(2) is subject to subsections 187AA(3)-(4), which set out when such a declaration is in force and the Minister’s powers in relation to the declarations. This is designed to cover a situation in which future technologies or changing telecommunications practices require amendments to the data set to ensure the data retention scheme continues to meet its underlying purpose.

255.           Paragraph 187AA(3)(a) provides that the declaration comes into force either when it is made or on a later day specified in the declaration. Paragraph 187AA(3)(b) provides that the declaration ceases to be in force after 40 sitting days of either House of Parliament after the declaration comes into force.  The time to expiry of the declaration only commences once the declaration comes into force (which may be later than when it is made).

256.           Subsection 187AA(4) requires that when a bill is introduced into either House of Parliament to permanently amend the data set, or any of the limitations on the data set.  In those circumstances, the Minister must refer the amendment to the PJCIS and give the PJCIS at least 15 sitting days of a House of Parliament to conduct its review and issue its report.

257.           Subsection 187AA(5) provides that, in relation to the telecommunications data required to be retained in items 2, 3, 4 and 6 in the dataset in subsection 187AA(1), two or more communications that together constitute a single communications session are taken to be a single communication. 

258.           Subsection 187AA(5) ensures that providers are not required to record the source, destination, time, date and duration of a communication or the location of a device throughout a communications session. For example, a smartphone connected to a mobile data network may have multiple applications running in the background, each of which may routinely communicate with remote servers, such as to seek and obtain updates. As such, the smartphone may send and receive a near-continuous stream of communications. However, these communications may together constitute a single communications session. Absent this provision, providers could, for example, be required to record the location of the device on a near-continuous basis. The effect of the provision is that providers of mobile internet access services are only required to record prescribed location information for the overall communication rather than its constituent components. 

259.           Whether a series of communications constitutes a single communications session is a question of technical fact and depends on the objective operation of the provider’s network or service. This question should not be determined from the user’s perspective, as the provider subject to data retention obligations is generally unable to assess a user’s intentions in this regard, and in many cases, users are unlikely to be aware of when their device is communicating, such as when applications installed on a smartphone or computer automatically seek and receive updates.

Section 187B—Certain service providers not covered by this Part

260.           Section 187B excludes certain service providers from being required to comply with data retention obligations under subsection 187A(1) of the TIA Act. The purpose of section 187B is to ensure that entities such as governments, universities and corporations are not required to retain telecommunications data in relation to their own internal networks (provided these services are not offered to the general public), and that providers of communications services in a single place, such as free Wi-Fi access in cafes and restaurants are not required to retain telecommunications data in relation to those services. However, the CAC can declare that data from such services must nevertheless be retained.

261.           Subparagraph 187B(1)(a)(i) provides that data retention obligations do not apply if the service is provided only to a person’s ‘immediate circle’ within the meaning given by section 23 of the Telecommunications Act. This definition includes (amongst other things) persons in corporate networks, government networks and tertiary institutions. Such networks are excluded from data retention obligations if the carriage services (as defined in the Telecommunications Act) associated with them are not available to the general public.

262.           Subparagraph 187B(1)(a)(ii) provides that data retention obligations do not apply if the service is provided only to places that are all in the same area, as defined in section 36 of the Telecommunications Act. Section 36 of the Telecommunications Act describes a range of circumstances in which places are considered to be all in the same area. Generally speaking, the concept of ‘same area’ includes (amongst other things) places such as university campuses, cafes or restaurants.

263.           Paragraph 187B(1)(b) qualifies the exemptions in paragraph 187B(1)(a) by providing that the CAC can make a declaration under subsection 187A(2) that data must nevertheless be retained in relation to the relevant services.

264.           Subsection 187B(2) provides that the CAC can declare that the provider of an ‘immediate circle’ or ‘same area’ service (as defined in subsection 187B(1)) is nevertheless required to retain telecommunications data in relation to the relevant services according to the requirements of subsection 187A(1).

265.           Subsection 187B(2A) enables the Communications Access Co-ordinator (the CAC) to consult the Privacy Commissioner before making a declaration that data retention obligations apply to an otherwise exempt relevant service. This item implements recommendation 13 of the 2015 PJCIS Report by enabling the CAC to consult with the Privacy Commissioner.

266.           The paragraphs implement recommendation 13 of the 2015 PJCIS Report by requiring the CAC to consider the objects of the Privacy Act when considering whether to make a declaration under subsection 187B(2) that the data retention obligation applies to an otherwise exempt relevant service.

267.           Subsection 187B(3) provides that in making a declaration under subsection 187B(2), the CAC must have regard to the interests of law enforcement and national security, the objects of the Telecommunications Act and the objects of the Privacy Act 1988 (the Privacy Act) and any submissions made by the Privacy Commissioner as a result of consultations under subsection 187B(2A) when considering whether to make a declaration. The main (but not the only) objects of the Telecommunications Act are set out in section 3(1) of that Act and are to provide a regulatory framework that promotes:

a.        the long-term interests of end-users of carriage services or of services provided by means of carriage services

b.       the efficiency and international competitiveness of the Australian telecommunications industry, and

c.        the availability of accessible and affordable carriage services that enhance the welfare of Australians.

268.           Subsection 187B(4) provides that the CAC’s declaration must be in writing.

269.           Subsection 187B(5) provides that a declaration made by the CAC under this section is not a legislative instrument. Subsection 187B(5) is included to assist readers, as a declaration made by the CAC under this section is not a legislative instrument within the meaning of section 5 of the Legislative Instruments Act 2003 .

270.           Subsections 187B(6) and (7) require the CAC to give written notice of a declaration to the Minister (under subsection (6)) who must in turn give the written notice to the PJCIS (under subsection (7)) as soon as practicable. These subsections implement recommendation 13 of the 2015 PJCIS Report.

Section 187BA—Ensuring the confidentiality of information

271.           Section 187BA gives effect to recommendation 37 of the 2015 PJCIS Report by supplementing the obligations of service providers under Australian Privacy Principle (APP) 11.1 to ‘take such steps as are reasonable in the circumstances to protect the information from misuse, interference and loss; and from unauthorised access, modification or disclosure.’ Section 187LA provides that the Privacy Act applies to all service providers to the extent that the service provider’s activities relate to retained data.  Further, section 187LA provides that information and documents kept by a service provider in complying with Part 5-1A are personal information within the meaning of the Privacy Act, and so must be protected in accordance with APP 11.1. This item also supplements the obligations of carriage service providers under clause 4.6.3 of the Telecommunications Consumer Protection Code (C628:2012) to ‘have robust procedures to keep its Customers’ Personal Information in its possession secure and restrict access to personnel who are authorised by the Supplier.’

272.           This section requires service providers to protect the confidentiality of information or documents kept in accordance with section 187A. Service providers are required to protect these records in two ways: by encrypting the information, and by protecting the information from unauthorised interference or unauthorised access.

273.           This section does not prescribe a particular type of encryption; the decision about how to implement the encryption required by this item will be a matter for the service provider to determine, in light of all the circumstances including, in particular, the technical configuration of the system or systems used to keep information required to be retained under section 187A, and whether a particular method or set of methods of encryption will be adequate to protect the confidentiality of that information.

274.           Where a service provider encrypts retained data, the service provider must retain the technical capability to decrypt and disclose relevant retained data in a useable form in accordance with a lawful request or requirement under the TIA Act or Telecommunications Act. 

275.           Under Division 2 of Part 5-1A, a service provider may seek approval of a data retention implementation plan that replaces the service provider’s obligations under section 187BA while the plan is in force. Additionally, under Division 3 of Part 5-1A a service provider may apply for and receive an exemption from or variation to the service provider’s obligations under section 187BA. An example of a situation in which such an exemption or variation might be appropriate would be where the cost of encrypting a legacy system that was not designed to be encrypted would be unduly onerous and the service provider has identified alternative information security measures that could be implemented. However, an exemption would not normally be appropriate where fulfilling the data protection obligations would be merely inconvenient.

Section 187C—Period for keeping information and documents

276.           Section 187C sets out the required period for service providers to retain specified telecommunications data.  A retention requirement of two years is necessary having regard to the requirements of national security and law enforcement agencies to have telecommunications data available for investigations. It is also consistent with privacy expectations and the privacy of users of the Australian telecommunications system. The experience under the former European data retention scheme was that, while frequently data accessed by agencies was less than six months old, for national security and serious criminal offences, data up to two years old would often be required for the most complex investigations into crimes and threats to national security that can have the most damaging effect.

277.           However, the retention period in section 187C is subject to an exemptions regime in Division 3 of Part 5-1A. In particular, paragraph 187K(1)(c) allows the CAC to reduce the required retention period. In addition, data retention implementation plans that a service provider may provide under Division 2 of Part 5-1A of the TIA Act may also be relevant to the period for which a service provider must retain relevant data.  It is possible for a data retention implementation plan to specify a retention period for a service offered by a service provider of less than two years in relation to services under the plan while the plan is in force.

278.           Paragraph 187C(1)(a) sets out the required period for retention of subscriber telecommunications data.  Subscriber telecommunications data is the documents or information of the kind described in paragraph (a) or (b) in column 2 of item 1 of the table in subsection 187AA(1).  For basic subscriber data, a service provider must retain the data from when it was created until two years after the closure of the relevant account.  Records relating to the use of an account, such as call-charge records, are significantly less useful if they cannot be associated with a real-world subscriber.  Subscriber records are typically generated when an account or service is opened, and may not be updated for many years.  The purpose of this provision is to ensure that subscriber records associated with an account are available throughout the life of the account, and for as long as records relating to communications sent using that account are retained.  This is intended to ensure that the necessary information is available to establish a connection between a particular communication and the subscriber. 

279.           This provision is subject to subsection 187C(2), which permits the Governor-General to prescribe in regulations that the retention period for certain information of a kind described in paragraph (a) or (b) in column 2 of item 1 of the table in subsection 187AA(1), is the period starting when it came into existence and ending two years after the information came into existence.

280.           Paragraph 187C(1)(b) sets out the retention period for all types of data that is required to be retained, other than subscriber data. In general terms, this applies to telecommunications traffic data. Specifically, it means the information or documents referred to in subsection 187AA(1) other than paragraph (c) or (b) in column 2 of item 1. As the provision provides, the required retention period for this data is from when that data came into existence until two years after it came into existence.

281.           Subsection 187C(3) provides that a service provider is not prevented by the provisions of section 187C from keeping telecommunications data for longer periods that those set down in section 187C. This means, for example, that service providers are not prevented by section 187C from retaining telecommunications data for longer than two years for their own lawful business purposes. Likewise, the scheme does not intend to regulate the de-identification and destruction of data once the retention period has expired. However, other laws/regulations may mandate how providers handle the retained data once the retention period has expired.

282.           For instance, the Australian Privacy Principles (APPs), as set out in Schedule 1 of the Privacy Act 1988 (the Privacy Act), still applies to service providers covered by the Privacy Act and their dealings with the telecommunications data that is personal information and that is required to be retained under the Part 5-1A of the TIA Act. For instance, APP 11.2 requires entities to take reasonable steps to destroy personal information or to ensure that the information is de-identified where the entity no longer needs the information for a reason set out in the APPs. Where the required retention period for telecommunications data under the Part 5-1A of the TIA Act expires, entities may be required to destroy or de-identify such information if it constitutes personal information.

283.           However, as APP 11.2(d) provides, an entity is only required to destroy or de-identify personal information where ‘the entity is not required by or under an Australian law… to retain the information’. The data retention requirements set out in Part 5-1A of the TIA Act constitute such a law requiring retention of the relevant information during the specified period.

Division 2 of Part 5-1A—Data Retention Implementation Plans

284.           Division 2 of Part 5-1A of the TIA Act supports the development of data retention implementation plans. Data retention implementation plans are intended to be plans that allow the telecommunications industry to design a pathway to full compliance with their telecommunications data retention and security obligations within 18 months of the commencement of those obligations, while also allowing for interim measures that result in improved data retention practices.

285.           Data retention implementation plans complement the availability of exemptions under Division 3 of Part 5-1A. For example, a service provider is able to seek an exemption for some of its services under Division 3 while at the same time submit an implementation plan for some or all of its other services under Division 2.

Section 187D—Effect of data retention implementation plans

286.           Section 187D sets out the effect of data retention implementation plans. While a plan is in force in relation to a relevant service offered by the service provider, the service provider must comply with the plan in relation to that service in lieu of the obligations that would otherwise apply under sections 187A, 187BA and 187C.

Section 187E—Applying for approval of data retention implementation plans

287.           Section 187E sets out the process for service providers to apply for approval of data retention implementation plans. Submission of implementation plans by service providers is voluntary.  However, in the absence of an implementation plan, service providers are required to comply with the data retention and security obligations immediately on their commencement.

288.           Subsection 187E(1) provides that a service provider can apply to the CAC for approval of an implementation plan in relation to one or more services that it offers. The application provisions contained in Part 3 permits applications to be lodged, considered and approved from the date of Royal Assent. A service provider is not obliged to submit an implementation plan for all of its services.

289.           Subsection 187E(2) sets out the matters a service provider’s implementation plan must include.  The purpose of subsection 187E(2) is to ensure that a service provider’s implementation plan gives sufficient information for the CAC and any other person considering the plan to make an informed decision on the plan.

290.           Paragraph 187E(2)(a) provides that a service provider’s implementation plan is required, in relation to each relevant service, to include an explanation of the current relevant data retention and information security practices of the service provider. In particular, paragraph 187E(2)(a) requires that the plan explain what practices the service provider has in relation to the information or documents it would otherwise have had to retain under section 187A, had the implementation plan not been in force. This ensures that the CAC has sufficient knowledge of existing practices to ascertain the changes to its practices the service provider will have to undertake to meet its obligations.

291.           Paragraph 187E(2)(b) requires that an implementation plan include details of the interim arrangements, if any, that a service provider proposes to implement prior to achieving full compliance. Examples of interim arrangements that a service provider could propose include collection on only part of the data set normally required to be kept under subsection 187A(1) or retention of such data for less than two years. A service provider can propose more than one interim arrangement over the life of the implementation plan for any particular relevant service.

292.           Paragraph 187E(2)(c) specifies that a service provider’s implementation plan is required, in relation to each relevant service, to specify when the service provider will comply with its data retention obligations under section 187A; including the required time period for retaining relevant information or documents under section 187C and the security requirements in section 187BA. However, as stated in paragraph 187E(2)(c), a service provider will not be required to provide this information in its plan to the extent that it has obtained relevant exemptions from its data retention obligations from the CAC under Division 3 of Part 5-1A of the TIA Act.

293.           Subsection 187E(3) clarifies that a service provider is not able to nominate a date in its implementation plan for compliance with its data retention obligations that is later than the relevant date provided in section 187H regarding when implementation plans are in force. Under subparagraph 187H(b)(i), for telecommunications services that the service provider was already operating when Part 5-1A of the TIA Act commenced, the relevant date is 18 months after commencement of Part 5-1A. Under subparagraph 187H(b)(ii), for telecommunications services that the service provider was not already operating when Part 5-1A of the TIA Act commenced, the relevant data is 18 months after the time when the service provider started operating the service.

294.           Subsection 187E(4) provides that a service provider’s plan must also specify:

·          any relevant services of the service provider not covered in the implementation plan; and

·          the contact details of relevant employees of service providers in relation to the implementation plan.

295.           The purpose of paragraph 187E(4)(a) is to ensure that the implementation plan makes it clear whether relevant services of the service provider are not to be incorporated in the plan. This will provide the CAC, and any other person considering the plan, with information to make an informed decision on the plan.

296.           Paragraph 187E(4)(b) also ensures that the relevant employees of the service provider can be contacted directly in relation to the plan. Service providers should provide names, direct phone numbers and email addresses of staff that have worked on or are responsible for the implementation plan. This provision is designed to avoid, for example, a situation where the CAC or other relevant persons would have to contact the service provider’s general public contact number to discuss the implementation plan.

Section 187F—Approval of data retention implementation plans

297.           Section 187F sets out the process for the CAC to consider and approve data retention implementation plans.

298.           Subsection 187F(1) provides that, if a service provider submits a plan to the CAC, the CAC must either approve the plan and notify the service provider, or give the plan back to the service provider for specified amendments. The CAC may not refuse to take the plan or decline to consider the plan.

299.           Subsection 187F(2) sets out a list of factors the CAC must take into account in deciding whether or not to approve a plan submitted by a service provider. These factors are:

·          187F(2)(a)—The desirability of the service provider achieving substantial compliance with its data retention and security obligations as soon as is practicable (which would take into account any interim arrangements proposed by the service provider, as well as the time by which the provider proposes that each service covered by the plan will be fully compliant).

·          187F(2)(b)—Whether the proposed implementation plan would reduce the regulatory burden on the service provider made by data retention obligations in Part 5-1A.

·          187F(2)(c)—If the service provider is not complying with its data retention or security obligations in relation to one or more of its services—the reasons why the service provider is not complying.

·          187F(2)(d)—The interests of law enforcement and national security.

·          187F(2)(e)—The objects of the Telecommunications Act. The main (but not the only) objects of the Telecommunications Act, as set out in section 3 of that A ct, are:

·          the long-term interests of end-users of carriage services or of services provided by means of carriage services

·          the efficiency and international competitiveness of the Australian telecommunications industry, and

·          the availability of accessible and affordable carriage services that enhance the welfare of Australians.

·          187F(2)(f)—Any other matter the CAC considers relevant.

300.           Subsection 187F(3) provides that, if the CAC does not make a decision and communicate that decision within 60 days, it is deemed that the CAC has made and notified the service provider of the decision the service provider asked for. The effect of this provision is to ensure that the service provider is required to comply with the implementation plan in lieu of the obligations that otherwise apply under sections 187A. This provision does not require the CAC to make a decision within 60 days, rather the provision is intended to ensure that service providers have certainty about their obligations (and are not required to act in an manner that would pre-empt the CAC’s decision) in situations where the CAC takes more than 60 days to either approve or to request an amendment to the plan.

301.           Subsection 187F(4) qualifies subsection 187F(3). Subsection 187F(4) provides that a deemed decision under subsection 187F(3) is in force only until the CAC makes and communicates to the service provider the CAC’s actual decision on the application.

302.           The CAC’s decision is not reviewable under the Administrative Decisions (Judicial Review) Act 1977 (the ADJR Act) as decisions under the TIA Act are not decisions to which the ADJR Act applies (see paragraph (d) of Schedule 1 to the ADJR Act). The exclusion of these decisions from the ADJR Act does not prevent decisions made under the TIA Act from being judicially reviewable under paragraph 75(v) of the Constitution and s 39B of the Judiciary Act 1901 (Cth).

Section 187G—Consultation with agencies and the ACMA

303.           Section 187G sets out the consultation process that the CAC must undertake in relation to data retention implementation plan applications that it receives.

304.           References to the ‘original plan’ in section 187G mean references to the data retention plan originally submitted by the service provider under section 187E of the Act, rather than to any amended version of the plan created (or proposed to be created) under the processes set out in section 187G.

305.           Subsection 187G(1) provides that, once the CAC receives an implementation plan application, the CAC must give a copy of the plan to the enforcement agencies and security authorities that are likely to be interested in the plan for comment, and may give a copy to the Australian Communications and Media Authority (the ACMA).

306.           Subsection 187G(2) governs requests for amendment of a service provider’s original plan, providing that if an enforcement agency or security authority makes a request for amendment of the plan, the CAC must consider whether the request is reasonable. If the CAC considers the request is reasonable, the CAC must give the service provider a copy of the request, and may also provide the service provider with a copy of the comment, or a summary of the comment. The CAC must then request the service provider to respond to the CAC within 30 days after receiving the comment or summary.

307.           Subsection 187G(2) is intended to ensure that interested enforcement agencies and security authorities have the opportunity to comment on and request amendments to a service provider’s proposed implementation plan, and to require the CAC to provide those requests to the service provider, if he or she considers such requests to be reasonable. Subsection 187G(2) does not require the CAC to provide a service provider with a copy or summary of the comment accompanying a request as, in some cases, it will not be appropriate to do so, including where the comment relates to sensitive law enforcement or national security matters.

308.           Subsection 187G(3) provides that a service provider must respond to a request for amendment of its plan that it received under subsection 187G(2). The service provider must either:

·          accept the request for amendment by giving the CAC an appropriately amended plan within the 30 day period set out in subsection 187G(2), or

·          indicate that it does not accept the request for amendment and provide its reasons to the CAC.

309.           In the event that a service provider does not comply with the requirement to respond (either adequately or at all) to the CAC in relation to the request for amendment within the 30 day period, subsection 187G(3) should be interpreted to mean that the service provider is taken not to have accepted the request for amendment. As the deeming provision under subsection 187F(3) ceases to apply once the CAC notifies a service provider of a request to amend a plan, a failure by a service provider to respond to a request for amendment within the required period may result in the service provider being subject to data retention obligations under sections 187A and 187C.

310.           Subsections 187G(4) and (5) provide for the role of the ACMA in relation to proposed amendment of a service provider’s implementation plan. The purpose of subsections 187G(4) and (5) is to require the CAC to refer disputes over proposed implementation plan amendments to the ACMA for determination by the ACMA.

311.           Data retention implementation plans are highly technical documents. The ACMA is the industry regulator for the telecommunications industry, and has substantial expertise relating to the technical and commercial operation of the industry. As such, the ACMA is the appropriate body to review any dispute over a request to amend a data retention implementation plan.

312.           Subsection 187G(4) applies in the event the service provider does not accept a request for amendment of its plan. If so, the CAC must refer the request for amendment to the ACMA along with the service provider’s response (if one was given) and request the ACMA to make a determination on the dispute. Under subsection 187G(5) the ACMA is then be required to determine in writing either that no amendment of the plan is necessary or that that original plan should be amended. The ACMA is only be able to determine that the original plan should be amended if the ACMA considers the amendment request to be reasonable and the service provider’s response to the request for amendment to not be reasonable. In the event that the service provider does not respond (or did not respond adequately) under subsection 187G(3), prima facie that could be considered not to be a reasonable response. The ACMA must then give a copy of its determination to the service provider.

313.           Subsection 187G(6) sets out what the CAC must do in relation to implementation plans amended by the service provider in accordance with a determination by the ACMA and given to the CAC. While no particular timeframe is specified in the subsection for a service provider to provide an amended plan to the CAC, the service provider should provide the amended plan within a reasonable period of time. (A guide for a reasonable period of time would be 30 days). The CAC must then either approve the amended plan or refuse to approve the plan. In either case, the CAC must notify the service provider accordingly.

314.           While no specific factors are set down in section 187G, in making decisions under section 187G, the CAC and the ACMA should generally take into account the list of factors in subsection 187F(2).

315.           Subsection 187G(7) provides that a determination by the ACMA under subsection 187G(5) is not a legislative instrument. Subsection 187G(7) is included to assist readers, as a determination made by the ACMA under section 187G(5) is not a legislative instrument within the meaning of section 5 of the Legislative Instruments Act 2003 .

Section 187H—When data retention implementation plans are in force

316.           Section 187H sets out when data retention implementation plans are in force.

317.           Paragraph 187H(1)(a) provides that a data retention implementation plan for a telecommunications service operated by a service provider commences when the CAC notifies the service provider of the CAC’s approval of the plan (which can be either the service provider’s original plan or an amended plan).

318.           Paragraph 187H(1)(b) also sets out that an implementation plan ceases to be in force in relation to a service operated, in the following circumstances:

  1. For telecommunications services that the service provider was already operating when Part 5-1A of the TIA Act commenced, the plan ceases to be in force 18 months after commencement of Part 5-1A of the TIA Act.
  2. For telecommunications services that the service provider was not already operating when Part 5-1A of the TIA Act commenced, the plan ceases to be in force 18 months after when the service provider started operating the service.

319.           Subsection 187H(2) defines the term ‘implementation phase’ for the purposes of Part 1 of Schedule 1 of the TIA Act as being the period of 18 months starting on the commencement of Part 5-1A.

Section 187J—Amending data retention implementation plans

320.           Section 187J sets out when a data retention implementation plan can be amended. The purpose of this provision is to ensure that, once approved, a data retention implementation plan may only be varied with the consent of both the service provider and the CAC. This limitation is intended to provide regulatory certainty for service providers, and to ensure that law enforcement and national security interests are considered in relation to any variation.

321.           Subsection 187J(2) provides that the rules for the CAC to approve implementation plans under section 187F and section 187H also apply to applications for amendments of plans by a service provider under paragraph 187J(1)(a), as if the amendment application had been an application in relation to an original plan under section 187E. This means that the CAC is required to assess proposed amendments of implementation plans under section 187J in the same way as the CAC would assess applications in relation to original plan applications made under section 187E.

322.           Paragraph 187J(3)(a) provides that an amendment to a data retention implementation plan comes into force when the CAC notifies the service provider of the approval of an amendment, or when the service provider agrees to an amendment requested by the CAC. Paragraph 187J(3)(b) provides that an amendment to a data retention plan cannot reduce or extend the period for which the implementation plan is in force (although an amended plan could specify that full compliance will be achieved prior to the end of period for which the plan is in force).

Division 3 of Part 5-1A—Exemptions

Section 187K—The Communications Access Co-ordinator may grant exemptions or variations

323.           Section 187K provides that the CAC may exempt a service provider from the mandatory data retention and information security obligations imposed on the service provider under Part 5-1A of the TIA Act, or vary the obligations that the service provider is subject to. The CAC may grant this exemption or variation on his or her own volition or on application by a service provider.

324.           This exemption and variation scheme is intended to permit exemptions or variations to be granted in a range of circumstances, including where imposing data retention obligations for a particular relevant service would be of limited utility for law enforcement and national security purposes.

325.           The scheme provided by this section is modelled on existing sections 192 and 193 of the TIA Act, which provide that the CAC or the ACMA may grant exemptions in relation to the interception capability obligations of service providers.

326.           Subsection 187K(1) provides that the CAC may make a determination in relation to a specified service provider that:

·          removes or varies any or all of the mandatory data retention or information security obligations

·          removes or varies any or all of the mandatory data retention or information security obligations imposed on the service provider under Part 5-1A for a particular kind of relevant service, or

·          reduces the data retention period or the extent of the information security obligations, either generally or in relation to data that relates to a particular kind of relevant service.

327.           A variation must not, however, impose obligations that would exceed the obligations to which a service provider would otherwise be subject to under sections 187A, 187BA and 187C.

328.           The decision of the CAC may be expressed broadly. In making a determination, the CAC may specify service providers in any way, for example by reference to a class of service providers, and is not required to refer specifically to individual service providers. For example, the CAC may specify that any service provider that provides Internet Protocol television (IPTV) services is not required to retain any data in relation to its IPTV service. Similarly, an exemption or variation may be expressed to apply to a class of obligations.

329.           Subsection 187K(1) ensures that determinations can be properly nuanced by vesting the CAC with the ability to elaborate, either to particular service providers or generally, how the data retention obligations introduced by Part 5-1A should apply to particular technologies. For example, a determination could exempt the retention of specific information relating to satellite or mobile internet services. Those services create different types of data, therefore it is appropriate to have a method of providing greater certainty to service providers about how high-level obligations apply to diverse technologies.

330.           The data retention obligations under Part 5-1A may cover services that are of limited or no relevance to law enforcement or national security. These could include services relating to IPTV, content on demand, the leasing of dark fibre and machine-to-machine communications. Subsection 187K(1) recognises that, in certain instances, a service provider may not achieve complete technical compliance in relation to a particular service or some aspect of that service, or that the non-compliance has limited implications for law enforcement or national security agencies.

331.           The decision of the CAC to grant an exemption or variation is not reviewable under the Administrative Decisions (Judicial Review) Act 1977 (the ADJR Act) as decisions under the TIA Act are not decisions to which the ADJR Act applies (see paragraph (d) of Schedule 1 to the ADJR Act). The exclusion of these decisions from the ADJR Act does not prevent decisions made under the TIA Act from being judicially reviewable under paragraph 75(v) of the Constitution and section 39B of the Judiciary Act 1901 (Cth).

332.           Subsection 187K(2) provides that the CAC’s decision must be in writing.

333.           Subsection 187K(3) provides that the CAC’s decision may be unconditional, or subject to such conditions as specified in the decision. Such conditions may include limits on the time for which the exemption or variation applies, limits on the numbers of customers or the geographic scope of a particular type of service, or requirements for ongoing consultations with agencies.

334.           Subsection 187K(4) provides that a decision made by the CAC under subsection 187K(1) is not a legislative instrument. Subsection 187K(4) has been included to assist readers, as the instrument is not a legislative instrument within the meaning of section 5 of the Legislative Instruments Act 2003.

335.           Paragraph 187K(5)(a) provides that where a service provider applies in writing for a particular decision, the CAC must give a copy of the application to affected enforcement agencies or security agencies and may give a copy to the ACMA. Where the requested exemption has an impact on the investigative capabilities or regulatory functions of an agency, it is appropriate that the CAC consults with that agency.

336.           Paragraph 187K(5)(b) provides that if the CAC does not respond to a service provider’s application within 60 days, the decision requested by the service provider is deemed to have been granted to that service provider. This provision is intended to ensure that the CAC resolves applications in a timely manner and provides certainty for service providers as to their legal obligations under the TIA Act at any given time.

337.           Subsection 187K(6) provides that the deemed decision under paragraph 187K(5)(b) has effect only until the CAC makes and communicates to the service provider a decision on the application. This ensures that the deemed exemption is only temporary.

338.           Subsection 187K(7) requires that, in granting an exemption or variation, the CAC must take into account the interests of law enforcement and national security, which can include the relevance to law enforcement or national security of the services for which an exemption or variation is being sought.

339.           The CAC must also take into account the objects of the Telecommunications Act 1997 , [15] the main object of which is to provide a regulatory framework that promotes:

·          the long-term interests of users of telecommunications services,

·          the efficiency and international competitiveness of the Australian telecommunications industry, and

·          the availability of accessible and affordable carriage services that enhance the welfare of Australians.

340.           The CAC must also take into account the service provider’s history of compliance with Part 5-1A of the TIA Act, the service provider’s costs, or anticipated costs, of complying with data retention obligations under Part 5-1A, and any alternative data retention or information security arrangements that the service provider has identified. Such alternative data retention and security arrangements could be formalised as part of an exemption or variation granted by the CAC. Service providers are in a unique position to draw to the CAC’s attention specific cost implications, and to suggest alternative compliance arrangements in support of any exemption application.

341.           Subsection 187K(8) enables the CAC to take into account any other relevant matter when deciding whether or not to grant an exemption or variation, which might include relevant technological or industry factors such as:

·          the size, market share and national security and law enforcement risk profile of the service provider

·          the degree to which an exemption would effectively mitigate costs and minimise impacts on the service provider’s cash flow, and

·          the pre-existing business plans of the service provider.

342.           Pursuant to section 33(3) of the Acts Interpretation Act 1901 , the power to make or grant an instrument of administrative character, such as an exemption or variation under subsection 187K, is to be taken as including a power to repeal, rescind, revoke, amend or vary any such instrument. This power is to be exercised in the same manner and subject to the same conditions (if any) that applied to the making or granting of the instrument.

343.           The CAC may seek to exercise the power to repeal or revoke an exemption or variation in a range of circumstances, including where an exemption (that has been granted on the expectation that it will remain confidential) becomes known publicly, to a class of persons, or to a specific individual in circumstances where that disclosure would have a detrimental impact on the interests of law enforcement and national security.

Section 187KA- Review of exemption or variation decisions by the ACMA

344.           Section 187KA implements recommendation 15 of the 2015 PJCIS Report.

345.           The ACMA has the ability to determine disputes in relation to applications for data retention implementation plans (including applications for amendment). This item provides the ACMA with the additional role to determine disputes when a service provider has applied to the CAC for an exemption or variation from the data retention obligations. As such, section 187KA ensures a consistent approach to disputes between the CAC and service providers regarding the application of data retention obligations.

Division 4 of Part 5-1A—Miscellaneous

Section 187KB—Capital contribution

346.           Section 187KB supports the implementation of recommendation 16 of the 2015 PJCIS Report on the Bill.

347.           This section provides legislative authority for the Commonwealth to grant financial assistance to service providers to assist them to comply with obligations imposed by the data retention scheme. The terms and conditions of the financial assistance are to be set out in agreements entered into with service providers on behalf of the Commonwealth. The financial assistance is to be provided out of money appropriated by the Parliament.

Section 187L—Confidentiality of applications for exemptions etc

348.           Subsection 187L(1) places an obligation on the CAC to treat a service provider’s application for a data retention implementation plan or an exemption from the data retention obligations as confidential, and must not disclose the service provider’s application, without the written permission of the service provider. This prohibition does not apply to disclosure to the ACMA, an enforcement agency or a security authority. It is appropriate that the CAC is able to consult with affected agencies and the ACMA about such applications.

349.           Subsection 187L(1A) requires the ACMA to keep confidential any application by a service provider for a review that it receives under subsection 187KA(1). The ACMA is unable to disclose the service provider’s application without the written permission of the service provider.

350.           However, this confidentiality requirement does not prevent the ACMA providing the application to the CAC and relevant enforcement agencies and security authorities, as subsection 187KA(3) requires the ACMA to provide those agencies or authorities with a copy of the application.  This ensures that those agencies and authorities are appropriately consulted.

351.           A service provider’s application for a review includes details about specific business processes, such as technical network infrastructure specifications which may be commercially sensitive. The obligation on the ACMA, as well as any agencies or authorities that the application was disclosed to, to treat such applications as confidential reflects the sensitivity of the information contained in such applications, from both a commercial and security perspective.

352.           Subsection 187L(2) provides that, where a copy of an application is disclosed to the ACMA, an enforcement agency or a security authority, that body must treat the copy as confidential, and may not disclose it to any other person or body without the written permission of the carrier. This subsection is modelled on section 202 of the TIA Act.

353.           Subsection 187L(2) introduces new confidentiality requirements in subsection by requiring the ACMA, the CAC and any enforcement agency or security authority to keep confidential any copy it receives of a service provider’s application for:

·          approval of a data retention implementation plan

·          exemption from or variation of data retention obligations, and

·          review of a CAC decision in relation to exemption or variation of data retention obligations.

354.           This item ensures that the CAC and any enforcement agencies or security authorities keep confidential copies of exemption review applications they receive from the ACMA under section 187KA(3).

355.           This item also refers to paragraph 187G(1)(a) to ensure that the ACMA is required to keep confidential copies of data retention implementation plan applications it receives from the CAC under subsection 187G(1).   (The ACMA receives such copies under subsection 187G(1), rather than paragraph 187G(1)(a)).  Enforcement agencies and security authorities continue to be required to keep copies of such applications they receive under subsection 187G(1) confidential.

356.           A service provider’s application for an exemption includes details about specific business processes, such as technical network infrastructure specifications which would be commercial-in-confidence. The obligation on the CAC, as well as any agencies that the application was disclosed to, to treat such applications as confidential reflects the sensitivity of the information contained in such applications, from both a commercial and national security perspective.

357.           Section 187L does not require service providers to keep applications, approved implementation plans or exemptions confidential. However, revealing the existence of the fact that a service provider is not subject to data retention obligations under section 187A and 187C in relation to a particular relevant service may give rise to new or increased law enforcement and national security risks that may, in all of the circumstances, justify the CAC revoking an exemption.

Section 187LA—Application of the Privacy Act 1988

358.           Section 187LA implements recommendations 24 and 35 of the 2015 PJCIS Report.

359.           Subsection 187LA(1) provides that the Privacy Act applies in relation to a service provider to the extent that the activities of the service provider relate to retained data. The effect of this provision is that the Privacy Act and the Australian Privacy Principles (APPs) applies to all service providers as though they were ‘organisations’, including service providers that would otherwise be exempt from the Privacy Act under the ‘small business operator’, ‘registered political party’, ‘agency’, ‘State or Territory authority’ or ‘prescribed instrumentality of a State or Territory’ exemptions contained in section 6C of the Privacy Act. However, this provision applies only to the extent that the activities of the service provider relate to retained data (including, for example, the collection, storage, use, disclosure, including cross-border disclosure, individual access, de-identification and destruction of retained data).

360.           Subsection 187LA(2) provides that information or documents kept under Part 5-1A are taken to be ‘personal information’, within the meaning of the Privacy Act, relating to an individual if the information relates to the individual, or to a communication to which the individual is or was a party. Under the standard definition of personal information, what constitutes personal information will vary, depending on whether an individual can be identified or is reasonably identifiable in the particular circumstances. As a result, not all information held by service providers may fall within the standard definition of personal information. This item expands the definition of personal information, ensuring that all retained data kept by service providers in accordance with Part 5-1A is personal information within the meaning of the Privacy Act.

361.           As a result of section 187LA, individuals can request access to their personal retained data in accordance with APP 12, removing uncertainty about whether particular types of retained data are personal information. This right of access continues to be subject to the Privacy Act and APPs. In particular, service providers can charge an individual for giving access, in accordance with APP 12.8.  Where an individual requests access to information about communications to which they were a party, that information will generally also be the personal information of at least one other individual (being the other party to the communication).

362.           Regarding cost recovery in civil litigation proceedings, service providers are already able to apply for reimbursement once they have been served with a subpoena to produce evidence. In civil litigation proceedings, cost recovery is subject to the relevant court rules and procedures, as for example section 15A.10, of the Federal Circuit Court Rules 2001. Service providers are also required to comply with the information security obligations contained in APP 11.1 in relation to all retained data, and are required to de-identify or destroy retained data at the expiry of the retention period, unless one of the circumstances in paragraphs (b), (c) or (d) of APP 11.2 applies.

Section 187M—Pecuniary penalties and infringement notices

363.           Section 187M provides that the data retention obligations set out in subsection 187A(1) and the obligations under data retention implementation plans under paragraph 187D(a) are civil penalty provisions for the purposes of the Telecommunications Act. This provision makes clear that the telecommunications data retention regime and data retention implementation plans are enforceable under the applicable enforcement mechanisms set out in the Telecommunications Act.

364.           The Telecommunications Act already requires compliance with carrier licence conditions (for carriers) or service provider rules (for carriage service providers), which require, amongst other things, compliance with Chapter 5 of the TIA Act.

365.           Enforcement options available in the Telecommunications Act for non-compliance with the data retention regime or a data retention implementation plan would include remedial directions, formal warnings and pecuniary penalties.

366.           Infringement notices are notices issued to carriers/carriage service providers (C/CSPs) by the ACMA in relation to contravention of civil penalty provisions of the Telecommunications Act (which can include for these purposes the TIA Act). The notices are designed as a more efficient means of dealing with certain penalty provisions as an alternative to instituting court proceedings for the recovery of a pecuniary penalty.

367.           Subsection 572E(1) of the Telecommunications Act provides that the ACMA can issue an infringement notice if a C/CSP has contravened a civil penalty provision. Section 187M defines the data retention obligations in subsection 187A(1) and the data retention implementation obligations in paragraph 187D(a) as civil penalty provisions. This means the ACMA can issue infringement notices in relation to contraventions of these provisions.

368.           Subsections 572E(6) to (9) of the Telecommunications Act refer to a process for declaring contraventions of certain carrier licence conditions and service provider rules under the Telecommunications Act before the ACMA can issue infringement notices in relation to those matters. It is not be necessary for the ACMA to declare contraventions of subsection 187A(1) or paragraph 187D(a) of the TIA Act to be listed infringement notice provisions before the ACMA can issue infringement notices in relation to these matters. This is because section 187M of the TIA Act declares these provisions to be civil penalty provisions in their own right.

Section 187N—Review of operation of Part

369.           Section 187N ensures that, after the data retention regime has been in operation for a sufficient period of time, a Parliamentary review will be conducted to ensure the regime is operating appropriately and effectively.

370.           Section 187N provides that the PJCIS must complete its review of the operation of Part 5-1A of the TIA Act by the third anniversary of the end of the implementation phase for data retention obligations. Subsection 187N(2) requires the PJCIS to give the Minister a written report of the review. This requirement is not intended to prevent the Chair of the PJCIS from tabling that report in Parliament.

371.           Section 187N gives effect to the relevant part of recommendation 43 of the 2013 PJCIS Report, as modified by the 2015 PJCIS Report, that the effectiveness of any mandatory data retention regime be reviewed by the PJCIS three years after its commencement.

372.           Subsection 187N(1A) requires the PJCIS to start its review of the data retention regime on or before the second anniversary of the end of the implementation phase and conclude that review on or before the third anniversary of the end of the implementation period.  The PJCIS recommended that the commencement date for the review be reduced from three years to two.  In 2015, the PJCIS also recommended that its report on the review be presented to Parliament no later than three years after the end of the implementation period. 

373.           Subsection 187N(1A) implements recommendation 30 of the 2015 PJCIS Report, specifying that the review must start on or before the second anniversary of the end of the implementation phase and finish on or before the third anniversary of the end of the implementation phase.

374.           The requirement under subsection 187N(2) for the Committee to provide the Minister with a copy of the report is not intended to preclude the Chair of the Committee from tabling that report in Parliament.

375.           Subsections 187N(3), (4) and (5) require the head of an agency to keep, until the PJCIS review of the data retention scheme is completed, a copy of all authorisations made under Chapter 4 of the TIA Act, a copy of all journalist information warrants (and authorisations made under those warrants) made under Chapter 4 of the TIA Act, as well as information reported each year to the Minister relating to the agency’s access to historic telecommunications data. This ensures that the PJCIS review of the data retention scheme in section 187N will have access to comprehensive information held by agencies on their access to telecommunications data.

376.           These subsections implement recommendation 31 of the 2015 PJCIS Report that agencies be required to collect and retain information necessary to inform the Committee’s review of the data retention scheme.

Section 187P—Annual reports

377.           Section 186 of the TIA Act lists the information enforcement agencies must provide to the Minister about data authorisations. This information is included in the Annual Report about the use of powers under the TIA Act prepared under Part 2-8 of the TIA Act and tabled by the Minister in each House of the Parliament.

378.           Subsection 187P(1) provides that the Minister must prepare a written report on the operation of Part 5-1A (regarding data retention obligations) for each financial year. Subsection 187P(1A) implements recommendation 33 of the 2015 PJCIS Report by requiring that the Annual Report prepared under subsection 187P(1) contain information on the costs incurred by service providers in complying with their obligations, and the use of data retention implementation plans.

379.           Subsection 187P(2) requires that the report be included in the Annual Report under subsection 186(2) of the TIA Act which enables the Minister to include any information in the Annual Report that the Minister considers appropriate.

380.           Subsection 187P(3) requires that the report under subsection 187P(1) must not be made in a manner that would be likely to identify a person.

381.           Section 187P implements the relevant part of Recommendation 43 of the 2013 PJCIS Report that if data retention is implemented, there should be an annual report to Parliament on the operation of the scheme. The requirement to report on the regime is consistent with the general reporting and accountability obligations already contained in the TIA Act.



 

Part 2—Other Amendments

Australian Security Intelligence Organisation Act 1979

Items 1A, 1B, 1C and 1D —Section 4 and subsection 94

382.           These items amend the Australian Security Intelligence Organisation Act 1979 (ASIO Act) to implement the Government’s response to recommendation 33 of the 2015 PJCIS Report, insofar as it applies to ASIO, that annual reports on the data retention scheme will cover certain matters. These relate to: the number and types of purposes of authorisations to access retained data; lengths of time for which relevant documents covered by the authorisations were held; and the number of authorisations that related to subscriber data and communications traffic data respectively.

383.           These items amend the reporting requirements in subsection 94(2A) of the ASIO Act, to ensure that these matters are included in ASIO’s annual reports, in relation to ASIO’s telecommunications data access. Subsection 94(2A) is amended to include the number of journalist information warrants issued during the reporting period and the number of authorisations made under those journalist information warrants. Annual reports including this information are subject to Minister’s discretion under subsection 94(5) to make deletions from the report to be tabled in Parliament, in accordance with subsection 94(4), in order to avoid prejudice to security, defence, international affairs or the privacy of individuals.  The Inspector-General of Intelligence and Security (IGIS) can request classified annual reports in accordance with the Inspector-General of Intelligence and Security Act 1986 (the IGIS Act).

Intelligence Services Act 2001

384.           These items amend the Intelligence Services Act 2001 (the ISA), principally to implement the Government’s response to recommendation 34 of the 2015 PJCIS Report.  The PJCIS recommended it be conferred a new statutory function in section 29 of the ISA, enabling it to conduct inquiries into the purpose and manner of access of retained data by ASIO and the AFP, arising from relevant annual reports made on the data retention scheme. 

385.           Consistent with this division of responsibilities, items 1E-1G confer upon the PJCIS a new function to conduct a review of the overall effectiveness of the operation of the data retention scheme, in relation to the activities of ASIO and the AFP (in relation to AFP investigations under Part 5.3 of the Criminal Code 1995), where those activities are the subject of the relevant annual reporting requirements applying to ASIO and the AFP under the ASIO Act and TIA Act respectively.  The PJCIS can also inquire into operational matters concerning the relevant data access activities of ASIO (covered in their annual report) and the AFP (covered in the TIA Act annual report) to the extent that such operations are relevant to the Committee’s overall assessment of the effectiveness of the data retention scheme in Part 5-1A of the TIA Act.

Item 1E—Section 3

386.           Item 1E inserts definitions of terms in section 3 of the ISA (‘retained data activity’, and ‘service provider’) which are used in the provisions of section 29 conferring the PJCIS’s new function.

 



 

Item 1F After paragraph 29(1)(bb)

387.           Item 1F inserts paragraphs 29(1)(bc), (bd) and (be).  Paragraph 29(1)(bc) makes explicit that it is a statutory function of the PJCIS to conduct its review of the data retention scheme under s 187N of the TIA Act, following completion of the implementation phase.  Paragraphs 29(1)(bd) and (be) provide, respectively, for the PJCIS’s new inquiry function of the data retention activities of ASIO and the AFP (in relation to investigations under Part 5.3 of the Criminal Code), in response to recommendation 34 of the 2015 PJCIS Report.  The scope of the new inquiry function in paragraph 29(1)(be) in relation to the activities of the AFP (pertaining to Part 5.3 of the Criminal Code) is consistent with the PJCIS’s existing functions in relation to the AFP under subsection 29(1) of the ISA. 

388.           Subsection 29(3) of the ISA reflects that it is not a function of the PJCIS to examine operational matters (or matters beyond those pertaining to intelligence and security). That existing provision reflects a principle that operational oversight of Australia’s intelligence, security and law enforcement agencies is conducted principally by independent statutory bodies - including the IGIS and the Ombudsman - which report to the relevant responsible Minister.

 

Item 1G At the end of section 29

389.           Item 1G sets out the parameters for the PJCIS’s performance of the new function, by inserting subsections 29(4) and 29(5).  Subsection 29(4) provides that the PJCIS can examine matters relating to particular operations of ASIO and the AFP with respect to retained data activities covered in the ASIO annual report and the TIA Act annual report respectively.  This is a limited exemption from the prohibitions on inquiring into operational matters in paragraphs 29(3)(c) and 29(3)(k).

390.           Paragraph 29(5)(a) provides that the PJCIS’s examination of particular operational matters under subsection 29(4) is to be performed for the sole purpose of assessing and making recommendations about the overall operation and effectiveness of the data retention scheme.  (Paragraph 29(5)(c) also makes explicit that the new function cannot be performed for any other purpose than that set out in paragraph (a) of the subsection).  These provisions are necessary to preserve the focus of the PJCIS on non-operational matters, and to avoid overlap or duplication with the operational oversight of the IGIS and Ombudsman, while also enabling the PJCIS to access operational information for the purpose of performing its new function.

391.           Paragraph 29(5)(b) further qualifies that the new inquiry function is limited to the activities of ASIO and the AFP (in relation to Part 5.3 of the Criminal Code), and does not permit reviewing the activities of ‘service providers’ (as defined in section 3 by reference to that term in the TIA Act).  This reflects the intention of the PJCIS in recommendation 34 to facilitate Parliamentary oversight of the purpose and manner of access to retained data by ASIO and the AFP.

392.           All of the PJCIS’s statutory functions will continue to be governed by the procedural arrangements in Schedule 1 to the ISA.  These include the protections for operationally sensitive information (and other information which, if released, would or might prejudice national security or foreign relations) as set out in Parts 1 and 2 of Schedule 1. The Government further intends to work with the PJCIS to develop practical arrangements for the conduct of its new inquiry function.  It is anticipated that these working arrangements may address such matters as: the timing of inquiries; strategies for avoiding overlap with extant oversight activities of the IGIS and Ombudsman; and arrangements for requesting, providing and protecting operational and other sensitive information.

Privacy Act 1988

Item 1H Subsection 6(1) (at the end of the definition of personal information )

393.           Item 1H amends the Privacy Act to insert a note at the end of the definition of ‘personal information’ contained in subsection 6(1) to draw attention to the extension by the TIA of the meaning of personal information to cover information kept under the data retention scheme.

Item 1J Subsection 6C(1) (note)

394.           Item 1J repeals and replaces the existing explanatory note to the definition of ‘organisation’ in subsection 6C(1) of the Privacy Act.  This note clarifies that under section 187LA  service providers are treated as organisations for the purposes of the Privacy Act in relation to the retention of data under Part 5-1A of the TIA Act.  Service providers are therefore an ‘APP entity’ under the Privacy Act and must comply with the APPs in relation to their activities under Part 5-1A of the TIA Act.

Telecommunications Act 1997

Item 2—Section 7 (at the end of the definition of civil penalty provision)

395.           This item amends section 7 of the Telecommunications Act to clarify that a provision of the TIA Act that is declared to be a civil penalty provision is a civil penalty provision for the purposes of the TIA Act. Section 187M of the TIA Act provides that the data retention obligations set out in subsection 187A(1) and data retention implementation plan obligations in paragraph 187D(a) are civil penalty provisions.

Item 3—Subsection 105(5A)

396.           This item amends section 105 of the Telecommunications Act, which sets out the matters on which the ACMA must monitor and report in its annual reports. This clause repeals and substitutes subsection 105(5A) of the Telecommunications Act to provide that the ACMA must monitor and report each financial year to the Minister on:

·          The operation of Part 14 of the Telecommunications Act (which governs the assistance that carriers, carriage service providers and carriage service intermediaries must provide in relation to national security and law enforcement matters) and the costs of compliance with Part 14, and

·          The costs of compliance with data retention capability obligations set out in Part 5-1A of the TIA Act.

397.           Paragraph 105(5A)(a) of the Telecommunications Act is only intended to re-enact the repealed subsection 105(5A) of the Telecommunications Act and no change in meaning is intended. However, paragraph 105(5A)(a) deletes an obsolete reference from subsection 105(5A) of the Telecommunications Act to Part 15 of that Act, which was repealed by the Telecommunications (Interception and Access) Amendment Act 2007 .

398.           Paragraph 105(5A)(b) of the Telecommunications Act requires the ACMA to monitor and report on the costs of data retention. The purpose of paragraph 105(5A)(b) is to provide public accountability about the costs to the telecommunications industry of implementing data retention obligations by providing that the ACMA must monitor and report on these matters.

Item 3A After subsection 280(1A)

399.           Currently, subsection 280(1) of the Telecommunications Act provides that the prohibitions on the disclosure of certain communications-related information and documents under Division 2 of Part 13 of that Act do not apply, other than where the disclosure is in connection with the operation of an enforcement agency within the meaning of the TIA Act, where the disclosure is required or authorised by or under law. Item 39 inserts item 3A into Part 2 of Schedule 1 of the Bill that inserts subsections 280(1B) and (1C) into the Telecommunications Act.

400.           The effect of subsection 280(1B) is that paragraph 280(1)(b) does not apply in circumstances where all of the criteria specified in paragraphs 280(1B)(a) to (c) are satisfied. Paragraph 280(1B)(a) is satisfied where the disclosure is required or authorised because of a subpoena, a notice of disclosure, or an order of a court in connection with a civil proceeding.

401.           Telecommunications data that is retained by service providers for their ordinary business purposes or for other regulatory purposes is currently accessed in the course of many civil proceedings.  The purpose of paragraph 280(1B)(b) is to ensure that the prohibition applies only to telecommunications data that is collected and retained only for the purpose of complying with Part 5-1A, and that is used by the service provider only for that purpose, a limited range of defined public interest purposes, or for purposes incidental to any of those purposes.

402.           An example of a purpose incidental to the purpose listed in subparagraph 280(1B)(c)(i) (complying with Part 5-1A of the TIA Act) would be to develop, test or maintain the systems used to retain data under Part 5-1A. An example of a purpose incidental to the purposes listed in subparagraphs 280(1B)(c)(ii), (iii) or (iv) (complying with a warrant issued or authorisation made under the TIA Act, or with a request or requirement provided for by sections 284 to 288 of the Telecommunications Act, or a request to provide a person with access to their personal information under the Privacy Act) would be using or disclosing information or documents for the purpose of seeking legal advice in relation to the warrant, authorisation, request or requirement.

403.           This provision thereby ensures that telecommunications data that is collected, retained or used for a service provider’s ordinary business purposes or other purposes unrelated to the data retention obligation, continues to be available for such proceedings.

404.           Paragraph 280(1C)(a) provides that the prohibition contained in subsection 280(1B) does not apply in circumstances of a kind prescribed by the regulations. As noted above, telecommunications data is currently accessed by parties to many civil proceedings, including proceedings relating to international child abduction, family violence, and personal injury or economic harm as a result of negligence or professional malpractice. As the requirement for access depends substantially on the facts and circumstances of each individual civil proceeding, any limit on the availability of such information would have the potential to prejudice the legitimate rights and interests of claimants or respondents in such proceedings. Therefore, a regulation-making power is required to enable the creation of regulations to prescribe further circumstances for where the prohibition in paragraph 280(1B) would not apply.

405.           Paragraph 280(1C)(b) provides that the prohibition contained in subsection 280(1B) does not apply in relation to disclosures to enforcement agencies. A number of enforcement agencies currently obtain access to telecommunications data in the course of civil proceedings such as actions for the proceeds of crime, or in relation to control orders made under Division 104 of the Criminal Code.

406.           Paragraph 280(1C)(c) provides that the prohibition contained in subsection 280(1B) does not commence until the end of the implementation phase for Part 5-1A of the TIA Act. This provision ensures that the prohibition does not commence until the data retention scheme is implemented.

Item 3B Section 281

407.           This item corrects a drafting error by inserting “(1)” before the “Division 2” in section 281 of the Telecommunications Act 1997.

Item 3C At the end of section 281

408.           Currently, section 281 of the Telecommunications Act provides that the prohibitions on the disclosure of certain communications-related information and documents under Division 2 of Part 13 of that Act do not apply in relation to a disclosure made by a person of information or a document if the person makes the disclosure as a witness summoned to give evidence or to produce documents. 

409.           Item 3B inserts item 3C to Part 2 of Schedule 1 of the Bill that inserts subsections 281(2) and (3) to the Telecommunications Act. The purpose of these subsections is substantially similar to the purpose of subsections 280(1B) and (1C) of the Telecommunications Act, being to prohibit the disclosure by a witness in civil proceedings of information or documents that have been kept by a service provider solely for the purpose of complying with Part 5-1A of the TIA Act, and that are not used by the service provider only for that purpose, a limited range of defined public interest purposes, a purpose prescribed by the regulations, or for purpose incidental to the abovementioned purposes.

410.           Subsection 281(3) contains exceptions to this prohibition, which are similar to those in subsection 280(1C). In particular, paragraph 281(3)(a) contains a regulation-making power, which has the same purpose as the regulation-making power that would be established by paragraph 280(1C)(a).

Item 4—Subsection 314(8)

411.           Section 314 of the Telecommunications Act concerns the terms and conditions on which carriers, carriage service providers and carriage service intermediaries must provide reasonably necessary assistance in relation to national security and law enforcement matters.

412.           Subsection 314(8) of the Telecommunications Act clarifies that certain obligations set out in the TIA Act are not included within the provisions of section 314 of the Telecommunications Act.  This item amends subsection 314(8) of the Telecommunications Act to provide that section 314 of the Telecommunications Act does not apply in relation to data retention capability obligations set out in Part 5-1A of the TIA Act.

Telecommunications (Interception and Access) Act 1979

Item 5—Subsection 5(1)

 

Definition of ‘Defence Minister’

413.           This item inserts a definition of ‘Defence Minister’ into subsection 5(1) of the TIA Act. The ‘Defence Minister’ has the meaning given in the Intelligence Services Act 2001.

 

Definition of ‘Foreign Affairs Minister’

414.           This item inserts a definition of ‘Foreign Affairs Minister’ into subsection 5(1) of the TIA Act. The ‘Foreign Affairs Minister’ has the meaning given in the Intelligence Services Act 2001.

 

Definition of ‘IGIS official’

415.           This item inserts a definition of the term ‘IGIS official’ into subsection 5(1) of the TIA Act. An ‘IGIS official’ has the meaning given in section 4 of the Australian Security Intelligence Organisation Act 1979.

 

Definition of ‘implementation phase’

416.           This item also inserts a definition of ‘implementation phase’ by stating it has the meaning given in subsection 187H(2), which states the implementation phase is the period of 18 months starting on the commencement of the data retention obligations.

 

Definition of ‘infrastructure’

417.           This item inserts a definition for the term infrastructure into subsection 5(1) of the TIA Act. It defines infrastructure, as it is used in paragraph 187A(3)(c), to mean any line or equipment used to facilitate communications across a telecommunications network.

418.           The term infrastructure is used as part of the three limb test in paragraphs 187A(3)(a), (b) and (c) which defines a relevant service. ‘Equipment’ is defined in section 5 of the Act, which states equipment means any apparatus or equipment used, or intended for use, in or in connection with a telecommunications network, and includes a telecommunications device but does not include a line. Section 5 of the Act, defines ‘line’ by reference to the definition in the Telecommunications Act. Section 7 of the Telecommunications Act states a line is a wire, cable, optical fibre, tube, conduit, waveguide or other physical medium used, or for use, as a continuous artificial guide for or in connection with carrying communications by means of guided electromagnetic energy.

419.           Servers used to operate an ‘over the top’ service such as VoIP would fall within the definition of infrastructure. However, ‘infrastructure’ is not intended to include business premises. For example the headquarters of a company, taken in isolation, would not satisfy the definition of ‘infrastructure.’

420.           Importantly, a piece of equipment or line meeting the definition of infrastructure does not automatically satisfy paragraph 187(3)(c). For instance, a computer used by an employee in a company’s headquarters or marketing office is not directly involved in the provision of a relevant service and therefore does not satisfy paragraph 187(3)(c).

421.           This item implements recommendation 11 of the 2015 PJCIS Report by defining the term ‘infrastructure’ in greater detail for the purposes of paragraph 187A(3)(c).

Definition of ‘journalist information warrant’

422.           This item inserts a definition for the term ‘journalist information warrant’ into subsection 5(1) of the TIA Act. A ‘journalist information warrant’ means a warrant issued under Division 4C of Part 4-1.

 

Definition of ‘Part 4-1 issuing authority’

423.           This item inserts a definition for the term ‘Part 4-1 issuing authority’ into subsection 5(1) of the TIA Act. A ‘Part 4-1 issuing authority’ is defined as a person whose appointment is in force under section 6DC.

 

Definition of ‘Public Interest Advocate’

424.           This item inserts a definition for the term ‘Public Interest Advocate’ into subsection 5(1) of the TIA Act. A ‘Public Interest Advocate’ is defined as a person declared to be a Public Interest Advocate under subsection 180X(1).

 

Definition of ‘related account, service or device’

425.           This item also inserts a definition of ‘related account, service or device’ in relation to a service to which Part 5-1A applies. This definition is used in section 187AA.

 

Definition of ‘retained data’

426.           This item also inserts a definition for ‘retained data’ which defines it as information, or documents, that a service provider is, or has been, required to keep under Part 5-1A of the TIA Act.   

 

Definition of ‘service provider’

427.           This item also inserts a definition of ‘service provider’ by stating it has the meaning given in subsection 187A(1), which provides that it is a person who operates a service to which Part 5-1A applies.   

 

Definition of ‘source’

428.           This item inserts a definition of ‘source’ into subsection 5(1) of the TIA Act to support the journalist information warrant provisions. This definition is expressed not to apply to item 2 of the table in subsection 187AA(1), where source takes on its natural meaning in the context of a telecommunication.

Item 6—At the end of subsection 6R(3)

429.           This item amends subsection 6R(3) of the TIA Act to provide that an act done by the CAC is done on behalf of all enforcement agencies, in addition to being done on behalf of interception agencies.

430.           The purpose of this provision is to support the decisions of the CAC in relation to exemptions from the mandatory data retention regime made in relation to enforcement agencies that are not also interception agencies.

 

Item 6A —After section 6DB

431.           Section 6DC provides that the Minister responsible for the administration of the TIA Act can, by writing, appoint a judge of the federal court, including a judge of the Federal Court of Australia, Family Court of Australia or the Federal Circuit Court, or a magistrate (where those persons have consented in writing to be appointed as an issuing authority) to be an issuing authority for the purposes of issuing a journalist information warrant.

432.           The section also allows the Minister to appoint a person who holds an appointment to the Administrative Appeals Tribunal as Deputy President, full-time senior member, part-time senior member or member (including a part-time or full-time member), who is enrolled, and has been enrolled for at least 5 years, as a legal practitioner of a federal court or of the Supreme Court of a State or Territory for the same purpose.

 

Items 6B, 6C and 6D —Section 64

433.           Item 6B replaces and substitutes the heading of section 64 of the TIA Act with ‘Dealing in connection with Organisation’s or Inspector-General’s functions’.

434.           The introduction of specific provisions to the TIA Act permitting a person to deal in information in connection with the performance by the IGIS of his or her functions follows the introduction of similarly specific provisions into the ASIO Act by the National Security Legislation Amendment Act (No. 1) 2014 . In that context, this item seeks to place beyond doubt that a person may deal in the information described in subsection 64(1), and that an IGIS official and another specified person may deal in the information described in subsection 64(2), in connection with the performance by the IGIS of his or her functions.

 

Items 6E and 6F —Section 176

435.           These items amend section 176 of the TIA Act which relates to prospective data authorisations made by ASIO. Specifically, item 6E replaces the current paragraph 176(5)(b) with two new subparagraphs. Subparagraph 176(5)(b)(i) states that authorisations under section 176 of the TIA Act end as specified in the authorisation which can be no later than the end of the period of 90 days beginning on the day the authorisation is made. Subparagraph 176(5)(b)(ii) provides that if the authorisation is made under a journalist information warrant then the end of the authorisation can be no later than the end of the period specified in section 180N, being the end of the period for which the warrant is in force.

436.           In addition, item 6F replaces current subsection 176(6) in relation to the revocation of an authorisation where the eligible person is satisfied the disclosure is no longer required with an expanded revocation provision requiring revocation of authorisations made under a journalist information warrant where that warrant was revoked, or the Director-General is satisfied the grounds on which the warrant was issued have ceased to exist.

 

Items 6G and 6H —Section 180

437.           These items amend section 180 of the TIA Act which relates to prospective data authorisations made by criminal law-enforcement agencies. Specifically, item 6G replaces the current paragraph 180(6)(b) with two new subparagraphs. Subparagraph 180(6)(b)(i) states that authorisations under section 180 of the TIA Act end as specified in the authorisation which can be no later than the end of the period of 45 days beginning on the day the authorisation is made. Subparagraph 180(6)(b)(ii) provides that if the authorisation is made under a journalist information warrant then the end of the authorisation can be no later than the end of the period specified in subsection 180U(3), being the end of period for which the warrant is in force.

438.           In addition, item 6H replaces the current subsection 180(7) in relation to the revocation of an authorisation where the authorised officer is satisfied the disclosure is no longer required, with an expanded revocation provision requiring revocation of authorisations made under a journalist information warrant where that warrant was revoked.

 

Items 6J and 6K —Section 180F

439.           Item 6J amends section 180F of the Act by omitting the requirement that an officer authorising the disclosure of data ‘have regard to whether any interference with the privacy of any person or persons that may result from the disclosure or use is justifiable’ and inserting a requirement that they ‘be satisfied on reasonable grounds that any interference with the privacy of any person or persons that may result from the disclosure or use is justifiable and proportionate’.

440.           This item implements recommendation 25 of the 2015 PJCIS Report by requiring the authorised officer making an authorisation under Division 4 or 4A of Part 4-1 of the TIA Act to be satisfied on reasonable grounds that any interference with the privacy of any person or persons that may result from the disclosure or use is justifiable and proportionate.

441.           Item 6K inserts subparagraph 180F(aa) requiring that the authorised officer must have regard to the gravity of any conduct in relation to which the authorisation is sought, including the seriousness of any criminal offence, the seriousness of any pecuniary penalty, the seriousness of any protection of the public revenue and whether the authorisation is sought for the purposes of finding a missing person when determining whether to disclose or authorise the use of communications.

 



 

Item 6L —After Division 4B of Part 4-1

 

Division 4C Journalist information warrants

442.           Chapter 4 of the TIA Act regulates how national security and law enforcement agencies may access telecommunications data. Item 6A inserts Division 4C after Part 4-1 of the TIA Act. The provisions to be inserted by this Part establish a journalist information warrant scheme. This scheme requires ASIO and enforcement agencies to obtain a warrant prior to authorising disclosure of telecommunications data to identify a journalist’s source.   The effect of Division 4C is to prohibit ASIO and enforcement agencies from making data authorisations for access to a journalist’s or their employer’s data for the purpose of identifying a confidential source unless a journalist information warrant is in force.

443.           The concept of a ‘journalist’ is intended to replicate the current approach in Division 119 of the Criminal Code , as amended by the Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014 . Subsection 119.2(3)(f) of the Criminal Code provides that where a person is working in a professional capacity as a journalist, or is assisting another person working in a professional capacity as a journalist, they are exempted from the general prohibition from entering or remaining in, a declared area. Similarly, an individual is a journalist under Division 4C if they are working as a journalist in a professional capacity. Indicators that a person is acting in a professional capacity include regular employment, adherence to enforceable ethical standards and membership of a professional body. 

444.           Subdivision 4C-A establishes that national security and law enforcement agencies are required to obtain journalist information warrants. Subdivision 4C-B establishes the procedures for issuing a journalist information warrant to the Organisation. Subdivision 4C-C establishes the procedures for issuing journalist information warrants to enforcement agencies.

 

Subdivision A—The requirement for journalist information warrants

 

Section 180G—The Organisation

445.           Section 180G provides that an eligible person within ASIO must not authorise the disclosure of information or documents under Division 3 relating to a particular person without a journalist information warrant. An ‘eligible person’ is defined under subsections 175(2) and 176(2) of the TIA Act. Section 180G applies if that eligible person knows or reasonably believes that particular person is working in a professional capacity as a journalist or is the employer of a journalist and the purpose of making the authorisation is to identify another person the eligible person reasonably believes to be a source.

 

Section 180H—Enforcement agencies

446.           Subsection 180H(1) provides that an authorised officer of an enforcement agency must not authorise the disclosure of information or documents under section 178, 178A, 179 or 180 relating to a particular person without a journalist information warrant. An ‘authorised officer’ is defined in subsection 5(1) of the TIA Act.  

447.           Subsection 180H(2) provides that an authorised officer of the Australian Federal Police must not authorise the disclosure of information or documents under Division 4A (in connection with the enforcement of the criminal law of a foreign country) relating to a journalist for the purpose of identifying a source.  A journalist information warrant is not available for this purpose.

 

Subdivision B—Issuing journalist information warrants to the Organisation

 

Section 180J—Requesting a journalist information warrant

448.           Section 180J provides that the Director-General of Security may request that the Minister issue a journalist information warrant in relation to a particular person. This request must specify the facts and other grounds on which the Director-General considers it necessary to issue the warrant.

 

Section 180K—Further information

449.           Section 180K provides that the Minister may require the Director-General of Security to provide the Minister, within a specified period, further information in connection with a request under subdivision B. If the Director-General breaches a requirement under subsection 180K(1) the Minister may refuse to consider the request or refuse to take any further action in relation to that request.

 

Section 180L—Issuing a journalist information warrant

450.           Section 180L provides that after considering a request for a journalist information warrant, the Minister must either issue a warrant that authorises the Organisation to make data authorisations in relation to a person who is working in a professional capacity as a journalist or refuse to issue a journalist information warrant.

451.           The Minister must not issue a journalist information warrant unless the Minister is satisfied that the public interest in issuing the warrant outweighs the public interest in protecting the confidentiality of the identity of the source, having regard to specified factors.  These include the anticipated privacy interference, the gravity of the matter for which the warrant is sought, the assistance the information to be sought would provide, whether other reasonable methods, if any, that would be effective to obtain the information have been used, any submissions by a Public Interest Advocate on that application and any other relevant matter.

452.           Subsection 180L(3) provides that a warrant issued under the section may specify conditions or restrictions relating to making authorisations under the authority of the warrant.

 

Section 180M—Issuing a journalist information warrant in an emergency

453.           Subsection 180M establishes the procedure for the Director-General of Security to issue journalist information warrants in an emergency.  Subsection 180M(1) provides that the Director-General may only issue an emergency journalist information warrant if authorised to do so by a Minister listed in subsection 180M(4) or if those Ministers listed in subsection 180M(4) are unavailable. The Director-General may issue a journalist information warrant if a request under section 180J has been made for the issue of such a warrant in relation to the particular person and the Director-General is satisfied that, security will be, or is likely to be, seriously prejudiced if the Organisation does not obtain access to the relevant information or documents before the journalist information warrant is issued and made available to the Minister. The emergency warrant may be issued if, to the knowledge of the Director-General, the Minister has not made a decision under section 180L and the Minister has not refused to issue the relevant journalist information warrant.

454.           Subsection 180M(2) provides that the Director-General may not issue a journalist information warrant unless he or she is satisfied as to the matters set out in subsection 180L(2)(a) and (b).

455.           Subsection 180M(3) enables a Minister listed in subsection 180M(4) to orally authorise the Director-General to issue a journalist information warrant if they are satisfied of the matters listed in paragraphs 180L(2)(a) and (b).

456.           Subsection 180M(4) provides that where the Director-General is satisfied the Minister is unavailable, an oral authorisation may be provided by the Prime Minister, Defence Minister and the Foreign Affairs Minister.

457.           Subsection 180M(5) provides that an emergency authorisation may specify conditions or restrictions relating to issuing the journalist information warrant.

458.           Subsection 180M(6) requires the Director-General to ensure a written record of the authorisation provided under subsection 180M(3) is made as soon as practicable, but no later than 48 hours, after the authorisation is given.

459.           Subsection 180M(7) provides that a journalist information warrant must specify the period for which it remains in force, and this period must not exceed 48 hours. Subsection 180M(3) does not prevent the Minister from revoking the emergency warrant.

460.           Subsection 180M(8) provides that the Director-General must provide the Minister with a copy of the warrant and a statement of the grounds on which the warrant was issued, and either a copy or the record made under subsection 180M(6) or, where a journalist information warrant was issued under subparagraph 180M(1)(e)(ii), a summary of the facts of the case justifying the issuing of the warrant..

461.           Subsection 180M(9) provides that the Director-General must give a copy of the journalist information warrant to the Inspector-General of Intelligence and Security within 3 business days of issuing such a warrant. Subsection 180M(10) is intended to ensure subsection 180M(5) has effect despite subsection 185D(1).

 

Section 180N—Duration of a journalist information warrant

462.           Section 180N provides that a journalist information warrant issued under this Subdivision must specify the period for which it is to remain in force. The specified period must not exceed 6 months.

 

Section 180P—Discontinuance of authorisations before expiry of a journalist information warrant

463.           Section 180P provides that the Director-General of Security must take the necessary steps to discontinue the making of authorisations under a journalist information warrant where the Director-General is satisfied that the grounds on which the warrant was issued no longer exist.  The Director-General must also advise the Minister, who under section 180L is the issuing authority for the Organisation in relation to journalist information warrants. 

464.           These requirements ensure that authorisations do not continue to be made where the grounds that supported the issue of the warrant no longer apply. 

 

Subdivision C—Issuing journalist information warrants to enforcement agencies

 

Section 180Q—Enforcement agency may apply for a journalist information warrant

465.           Section 180Q limits the persons in an enforcement agency who can apply for a journalist information warrant. 

466.           Paragraph 180Q(2)(a) provides that in the case of enforcement agencies that are also interception agencies authority to apply for a journalist information warrant is limited to the persons that can apply for an interception warrant under subsection 39(2) of the TIA Act. 

467.           Paragraph 180Q(2)(b) sets out that where an enforcement agency is not an interception agency, applications must be made by the chief officer of the agency or an officer of the agency in a management level position that has been nominated by the chief officer of the agency to make applications on the agency’s behalf.  This limitation ensures that the need to apply for a journalist information warrant is considered at an appropriately senior level in an agency.

468.           Subsection 180Q(3) gives the chief officers of enforcement agencies the power to nominate, in writing, management level offices or positions in their agency, the occupants of which can apply on behalf of their agency for a journalist information warrant.

469.           Subsection 180Q(4) clarifies that nominations made by chief officers under subsection 180Q(3) are not legislative instruments.

470.           Subsection 180Q(5) specifies that applications for a journalist information warrant on behalf of an enforcement agency may be made in writing or any other form. 

 

Section 180R—Further information

471.           Subsection 180R(1) provides that the issuing authority may require the applicant to provide further information in connection with an application for a journalist information warrant.

472.           Subsection 180R(2) sets out what happens if the enforcement agency does not provide the information the issuing authority requires under subsection 180R(1).  In these circumstances, the issuing authority can refuse to consider the application or to take any action (or any further action) in relation to the application.

473.           The purpose of section 180R is to ensure that an issuing authority can require an enforcement agency to make available to the issuing agency all relevant and necessary information when considering an application for a journalist information warrant.  Section 180R also makes it clear the issuing authority is not required to consider or act on such an application if that information is not provided.

 

Section 180S—Oaths and affirmations

474.           Subsection 180S(1) provides that information given by enforcement agencies to the issuing authority in connection with an application for a journalist information warrant must be given on oath or affirmation.

475.           Subsection 180S(2) provides that the issuing authority can administer the oath or affirmation, or can authorise another person.  The oath or affirmation may be administered in person, by telephone, video call, video link or audio link.

476.           The purpose of section 180S is to ensure that information that the enforcement agency gives to the issuing authority in support of an application for a journalist information warrant complies with the requirements of evidence law for witnesses to take an oath or affirmation before giving evidence.

 

Section 180T—Issuing a journalist information warrant

477.           Section 180T provides that after considering an application for a journalist information warrant under section 180T, an issuing authority must either issue a warrant that authorises the requesting agency to make data authorisations in relation to a person who is working in a professional capacity as a journalist or refuse to issue a journalist information warrant.

478.           The factors that an issuing authority must consider in making a decision are set out in Subsection 180T(2).

479.           An issuing authority can only issue a journalist information warrant if he or she is satisfied that the warrant is reasonably necessary to:

·          enforce the criminal law; or

·          locate a person reported as missing to the Australian Federal Police or a State Police Force; or

·          enforce a law that imposes a pecuniary penalty or protects the public revenue; or

·          investigate serious offences or an offence against a Commonwealth, State or Territory law punishable by at least a 3 year imprisonment term.

480.           The issuing authority must also be satisfied that the public interest in issuing the warrant outweighs the public interest in protecting the confidentiality of the identity of the source, having regard to specified factors.  These include the anticipated privacy interference, the gravity of the matter for which the warrant is sought, the assistance the information to be sought would provide, whether other reasonable methods, if any, that would be effective to obtain the information have been used, any submissions by a Public Interest Advocate on that application and any other relevant matter.

 



 

Section 180U—Form and content of a journalist information warrant

481.           Section 180U requires journalist information warrants issued under the Subdivision to be made in accordance with a form to be prescribed.

482.           Journalist information warrants must be signed by the issuing authority that issues the warrant and be in the prescribed form.  Warrants may list any conditions or restrictions that apply to authorisations made under the warrant and must specify the period for which the warrant is in force.  Under subsection 180U(3) and section 180V, journalist information warrants can be in force for up to 90 days, commencing the day the warrant is issued. 

483.           Subsection 180U(4) provides that warrants cannot be extended beyond the period they are in force.  This ensures that any ongoing operational need to investigate the subject of a journalist information warrant is considered afresh by an issuing authority under the criteria set out in section 180U.  Subsection 180U(5) clarifies that while a journalist information warrant cannot be extended, a further warrant can be issued under the TIA Act in relation to a person previously the subject of a warrant under the Act.

 

Section 180V—Entry into force of a journalist information warrant

484.           Section 180V provides that a journalist information warrant comes into force when it is issued.

 

Section 180W—Revocation of a journalist information warrant by chief officer

485.           Section 180W outlines the revocation of a journalist information warrant. Paragraph 180W(1)(a) states that the chief officer may revoke such a warrant at any time. Paragraph 180W(1)(b) provides that the chief officer of an enforcement agency must revoke such a warrant if satisfied that the grounds on which the warrant were issued to the agency have ceased to exist.

 

Subdivision D—Miscellaneous

 

Section 180X—Public interest advocates

486.           Section 180X creates the new role of Public Interest Advocates. The Public Interest Advocate role considers and evaluates journalist information warrant applications made by the Organisation and law enforcement agencies pursuant to sections 180L and 180T respectively. The Public Interest Advocate can make independent submissions to the Minister in the case of the journalist information warrants made by the Organisation, and to the issuing authority in the case of the law enforcement agencies, on the proposed undertaking in relation to each application (including conditions or restrictions).

487.           Subsection 180X(1) provides that the Prime Minister must declare one or more persons to be a Public Interest Advocate. Subsection 180X(3) enables regulations to be made relating to the role of the Public Interest Advocate to support the discharge of its independent role.  Subsection 180X(4) clarifies that a declaration of an Advocate is not a legislative instrument.

 

Items 6M, 6N, 6P, 6Q, 6R, 6S, 6T and 6U —Sections 181A, 181B and 182

488.           These items amend the Bill to insert paragraphs into the use and disclosure provisions contained in Part 4-1 Division 6 of the TIA Act. These are consequential amendments relating to the implementation of recommendations 27 and 34 of the 2015 PJCIS Report.

489.           These items ensure that ASIO, enforcement agencies, IGIS, the Commonwealth Ombudsman, the Minister and the PJCIS are able to use and disclose authorisations made under Chapter 4 of the TIA Act and associated information for the purposes of the oversight and reporting functions recommended by the PJCIS in its report.

490.           The introduction of specific provisions to the TIA Act permitting persons to deal in information for the purpose of the IGIS exercising powers, or performing functions or duties, under the IGIS Act follows the introduction of similarly specific provisions into the ASIO Act by the National Security Legislation Amendment Act (No. 1) 2014 . In that context, these items seek to place beyond doubt that a person use or disclose the information described in sections 181A, 181B and 182 for the purpose of the IGIS exercising powers, or performing functions or duties, under the IGIS Act.

 

Item 6V —At the end of Division 6 of Part 4-1

491.           This item inserts sections 182A and 182B in the TIA Act, and relates to the introduction of journalist information warrants.

492.           Section 182A creates an offence where a person discloses or uses a journalist information warrant or information about such a warrant. Commission of the offence attracts a penalty of two years imprisonment.

493.           Section 182B outlines the circumstances in which disclosures and use are permitted. An enforcement agency may use or disclose such a warrant or information about such a warrant to a third party for the specified purposes set out in the section. Such purposes include enabling the making of submissions under section 180X by a Public Interest Advocate, enabling a person to comply with their notification obligations under section 185D or 185DE in relation to journalist information warrants, enabling ASIO to perform its functions, or to enforce the criminal law, the enforcement of a law imposing a pecuniary penalty, or the protection of the public revenue. In addition, a disclosure to and by an IGIS official (in connection with the exercising of the powers, or performing functions or duties of the IGIS) is permitted.

494.           The note following section 182B indicates that where a person is charged in relation to a contravention of section 182A, the defendant bears an evidential burden to demonstrate that the disclosure or use was lawful.

 

Item 6W —A t the end of section 185

495.           Subsection 185(3) ensures that section 185 of the TIA Act does not limit the operation of subsection 187N(3), which relates to the keeping of information for the PJCIS review into the data retention scheme.

 



 

Item 6X—After section 185C

496.           Sections 185D and 185E in the TIA Act implement the Government’s responses to recommendations 27 and 34 of the 2015 PJCIS Report. Consequential on the introduction of journalist information warrants, the provisions require agencies’ to provide a copy of journalist information warrants to the Minister, IGIS and Ombudsman.

497.           Section 185D requires the Director-General of Security and the Commissioner of the Australian Federal Police to provide copies of journalist information warrants to the IGIS or the Ombudsman (if applicable) as soon as practicable after they are made. The Commissioner of the Australian Federal Police is required to give the Minister a copy of the warrant as soon as practicable and the Minister must then notify the PJCIS that such a warrant has been issued.

498.           Furthermore, section requires the Director-General of Security and the chief officers of enforcement agencies to provide the IGIS or Ombudsman (as applicable) with copies of authorisations made under those warrants as soon as practicable after the expiry of the warrant. 

499.           Subsections 185D(1), (2), (5) and (6) ensures that the relevant independent oversight bodies (the IGIS and Ombudsman) are provided with copies of journalist information warrants and authorisations made under those warrants.  The IGIS and Ombudsman can then undertake relevant oversight activities in relation to the warrants and subsequent authorisations under their governing legislation - the IGIS Act, and in the case of the Ombudsman, the TIA Act. 

500.           Subsections 185D(3) and 185D(7) impose obligations on the Minister in relation to reports provided by the IGIS or Ombudsman concerning journalist information warrants and authorisations made as a result.  In the event that the IGIS or the Ombudsman exercise their oversight functions in relation to relevant warrants and authorisations, and report to the responsible Minister in accordance with their governing legislation, the Minister is then required to provide copies of those oversight reports to the PJCIS as soon as practicable after receiving them from the IGIS or the Ombudsman. 

501.           The PJCIS can then request the IGIS or the Ombudsman to brief it on the relevant oversight report.

502.           Section 185E implements recommendation 34 of the 2015 PJCIS report.  It imposes corresponding obligations to those in section 185D on the Minister, after receiving oversight reports from the IGIS or the Ombudsman in relation to the purpose and manner of access to data by ASIO or the AFP generally. 

503.           The Minister must provide any oversight reports to the PJCIS as soon as practicable after receiving them from the IGIS or Ombudsman, and the PJCIS may request the IGIS or Ombudsman to brief it on the relevant oversight report.

504.           These amendments ensure that the PJCIS has visibility of the outcomes of independent oversight of authorisations undertaken by the IGIS and Ombudsman, under those bodies’ governing legislation.  Importantly, the amendments also preserve the independent discretion of these oversight offices in setting their oversight priorities and performing their statutory functions.  The amendments further maintain the established lines of reporting as between the IGIS and the Ombudsman and the relevant responsible Minister. 

505.           The ability of the PJCIS to request briefing on the outcomes of oversight in relation to the retained data activities of ASIO and the AFP (under Part 5.3 of the Criminal Code ) is consistent with its existing ability to seek briefings from relevant entities, including the IGIS, under section 30 of the ISA.

 

Items 6Y and 6Z —E nd of subsection 186(1)

506.           Items 6Y and 6Z amend section 186 of the TIA Act, which relates to the information required of agencies in reporting to the Minister. That information is included in the TIA Act Annual Report which is tabled in Parliament each year.

507.           The report includes information about agency’s use of powers under the TIA Act including information about interception warrants, warrants for access to stored communications and authorisations for access to telecommunications data. Items 6Y and 6Z expand the list of required information in accordance with recommendation 33 of the 2015 PJCIS Report, and require the number of journalist information warrants issued during the reporting period and the number of authorisations made under those journalist information warrants.

508.           Subsection 186(1E) provides the Minister with a declaration-making power to declare additional kinds of information that must be provided under section 186(1).

 



 

Part 3—Application Provisions

Item 7—Existing information and documents

509.           Subitem (1) provides that the requirements on service providers to keep data contained in Schedule 1 apply in relation to information and documents already being kept by service providers immediately before the commencement of this item, where the service provider had not already kept the information or documents for longer than the retention period specified by section 187C.

510.           This ensures that any existing information and documents that have been in existence for less than two years will be retained by service providers, and will remain available for law enforcement and national security purposes.

511.           These obligations may be modified under a data retention implementation plan or an exemption approved under Part 5-1A.

512.           Subitem (2) is intended to provide clarification that the requirement in subitem (1) to retain existing information and documents does not require a service provider to create any information or document that was not already created by the operation of a carriage service before the commencement of this item.

513.           The data retention requirements contained in Part 5-1A as inserted by Item 1 of Schedule 1 do not have retrospective application.

Item 8—Reducing the period for keeping information or documents

514.           This item commences on Royal Assent and requires that service providers must not reduce the length of time for which they retain information or documents that are subject to data retention obligations under Part 5-1A in the period between Royal Assent and the commencement of Part 5-1A.

515.           The purpose of this item is to prevent any further degradation of industry retention practices prior to the commencement of Part 5-1A.

516.           This item interacts with the implementation planning and exemption frameworks. An implementation plan approved under section 187F, or an exemption granted under section 187K, may modify the period for which a service provider is, after the commencement of Part 5-1A,  required to keep or cause to be kept information or documents under Part 5-1A. As such, where a service provider has an implementation plan approved or is granted an exemption prior to the commencement of Part 5-1A, the provider is permitted to keep the information or documents covered by that plan or exemption for the period specified in that plan or exemption, even if that period is shorter than the period for which the service provider kept that information or those documents at Royal Assent.

517.           This item is taken to be a civil penalty provision for the purposes of the Telecommunications Act.

Item 9—Applications made before commencement of Part 5-1A

518.           Subitem 9(1) provides that at any time after this legislation receives the Royal Assent a service provider may apply to the Communications Access Co-ordinator (the CAC) for either or both of the following:

a.        (i) approval of a data retention implementation plan

(ii) an amendment of a data retention implementation plan, and

b.       a decision to exempt the service provider from any or all of the obligations under subsection 187K(1) or 187KA(2).

519.           This enables service providers to seek approval of plans and to facilitate a decision by the CAC on the request before the commencement of the data retention obligations. At any time after this legislation receives the Royal Assent, a service provider may apply to the ACMA for review of a decision by the CAC on an application by the service provider to exempt the service provider from some or all of its data retention obligations.  However, the service provider is not able to apply to the ACMA unless and until the CAC has made such a decision. This implements recommendation 15 of the 2015 PJCIS Report in relation to the period after Royal Assent of the legislation, but prior to commencement of the legislation.

520.           Subitem 9(2) provides that paragraph (1)(a) of this item (application for the approval of a data retention implementation plan after the Royal Assent) does not apply unless the application would, if it had been made after the commencement of Part 5-1A, have complied with the requirements for applying for the approval of data retention implementation plans under section 187E.

521.           The effect of this subitem is to require that applications by a service provider made prior to the commencement of the main data retention amendments for the approval of a data retention implementation plan must still comply with the requirements for such an application under section 187E.

Item 10—Decisions made before commencement of Part 5-1A

522.           Subitem 10(1) provides that the power of the CAC to make decisions under sections 187F (approval of data retention implementation plans), 187G (consultation with interception agencies and the ACMA), 187J (amending data retention implementation plans), 187K (exemptions) and 187KA (the ACMA powers to review CAC decisions) is taken, for the purposes of section 4 of the Acts Interpretation Act 1901 (AIA), to be a power to make an instrument of an administrative character.

523.           Section 4 of the AIA allows for the exercise of powers of an administrative character conferred by an Act before the commencement of that Act.

524.           The ability of the CAC to make these decisions before the commencement of Part 5-1A (as inserted by Item 1 of Schedule 1 of this legislation) ensures that the data retention scheme will be fully effective upon the commencement of the main amendments.

525.           Subitem 10(2) is a transitional application provision. It provides that subsection 187F(3) applies, in relation to applications for the approval of data retention implementation plans made before the commencement of Part 5-1A, as if references in that subsection to 60 days were references to the number of days provided for in subitem (4) of this item.

526.           Subsection 187F(3) provides that a service provider’s application to the CAC for the approval of a data retention implementation plan is deemed to have been granted if the CAC does not make a decision within 60 days.

527.           Subitem 10(3) is a transitional application provision. It provides that paragraph 187K(5)(b) applies, in relation to applications for exemptions made before the commencement of Part 5-1A, as if references in that subsection to 60 days were references to the number of days provided for in subitem (4).

528.           Subsection 187K(5) provides that a service provider’s application to the CAC for an exemption from the data retention obligations under section 187A is deemed to have been granted if the CAC does not make a decision within 60 days.

529.           Subitem 10(4) provides that for the purposes of subitems 10(2) and (3), the number of days is the period between the day the application was made and the day immediately before Part 5-1A commences; and 60 days, whichever is greater.

530.           Subitems 10(2) and (3) have the effect of providing the CAC with at least 60 days to consider applications before an approval is deemed.  This time period ensures that the CAC has sufficient time to properly consider any applications received prior to the commencement of Part 5-1A.

Item 11—Keeping information or documents before commencement of Part 5-1A

531.           This item provides that a service provider may keep or cause to be kept the information or documents the service provider is required to keep or cause to be kept under the data retention obligations contained in Part 5-1A as inserted by Item 1 of Schedule 1, before the commencement of those data retention obligations.

532.           Australian Privacy Principles 3.2 and 11.2 prohibit entities from collecting and retaining data that is not reasonably necessary for its functions or activities in the absence of a legislative obligation (which do not exist until the data retention obligations commence) to do so.

533.           However, it may be more commercially efficient for a carrier to commence retaining data at some point prior to the commencement of the data retention obligations. For example, if a carrier designs and builds a new data retention system, it may wish to shut down its existing system and transition to the new system prior to the commencement date to save on capital and operating costs.

534.           This provision ensures that service providers are not in breach of their obligations under the Privacy Act 1988 should they retain relevant data before the commencement of the data retention requirements.

Item 12—First reporting period after commencement of Part 5-1A

535.           This item provides that, in the first annual reporting period following the commencement of the Bill, ASIO and enforcement agencies are only required to comply with annual reporting requirements introduced by the Bill on a prospective basis. That is, agencies are not required to report on matters that occurred before commencement of the legislative requirements.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Schedule 2— Restricting access to stored communications and telecommunications data

Overview of measures

536.           This Schedule amends the Telecommunications (Interception and Access) Act 1979 (the TIA Act) to limit the types of agencies that can apply for stored communications warrants under Part 3-3 of Chapter 3 of the TIA Act and the types of authorities and bodies that can authorise the disclosure of telecommunications data under Division 4, Part 4-1 of Chapter 4 of the TIA Act.

537.           These amendments recognise the widespread community acceptance and use of stored communications (including text messages and emails) and the greater privacy sensitivity of these communications, which reveal content and the substance of a person’s discussions with others, compared to telecommunications data. Currently, authorities and bodies that are an ‘enforcement agency’ can apply to an independent issuing authority (appointed under section 6DB of the TIA Act) for a stored communications warrant to investigate a ‘serious contravention’ of the law. While this requirement limits the availability of stored communications warrants to enforcement agencies that investigate offences with at least a three year imprisonment penalty or a fine of at least 900 penalty units, this Schedule further reduces the availability of stored communications warrants by limiting access to stored communications to agencies that are criminal law-enforcement agencies.

538.           Currently, access to telecommunications data is regulated by Chapter 4 of the TIA Act, which permits enforcement agencies to authorise telecommunications carriers to disclose telecommunications data where that information is reasonably necessary for the enforcement of the criminal law, a law imposing a pecuniary penalty, or the protection of the public revenue. An ‘enforcement agency’ is broadly defined to include all interception agencies as well as a body whose functions include administering a law imposing a pecuniary penalty or administering a law relating to the protection of the public revenue. In practice, the range of agencies that are enforcement agencies and who can authorise the disclosure of telecommunications data is broad and includes local government councils and Commonwealth and State Departments and Agencies. In 2012-13, approximately 80 enforcement agencies made historic data authorisations. [16]

539.           Schedule 2 amends the existing definition of ‘enforcement agency’ to limit access to telecommunications data to criminal law-enforcement agencies and authorities or bodies that have been declared by the Minister to be an ‘enforcement agency’. These amendments are consistent with recommendation 5 of the 2013 PJCIS Report that the number of agencies able to access telecommunications data be reduced.

540.           These amendments are also consistent with Australia’s international legal obligations under the Convention on Cybercrime. Article 14(2) of the Cybercrime Convention [17] requires parties to ensure that telecommunications data (and other evidence in electronic form, other than the content of communications and prospective or future telecommunications data) is available for the investigation of any criminal offence. [18] Schedule 2 complies with this obligation by ensuring that telecommunications data is available to agencies with a demonstrated need to access data.

541.           The data access arrangements contained in Schedule 2 are subject to new oversight and accountability requirements detailed in Schedule 3 of the Bill. Together, the Schedules introduce a new data access framework that better protects privacy while ensuring that data is available to investigate criminal offences and other activities that threaten community safety and security.

542.           Part 1 of this Schedule contains the main amendments to Chapters 3 and 4. These provisions restrict access to stored communications to criminal law enforcement agencies, and amend the definition of ‘criminal law enforcement agency’ and ‘enforcement agency’.

543.           Part 2 of this Schedule contains other amendments that are consequential to the amendments contained in Part 1.

544.           Part 3 of this Schedule prescribes the application of the amendments contained in Schedule 2  on their commencement.

Part 1—Main Amendments

Telecommunications (Interception and Access) Act 1979

Item 1—Subparagraphs 107J(1)(a)(i) and (ii)

545.           Subparagraph 107J(1)(a)(i) of the TIA Act enables any enforcement agency to issue a historic domestic preservation notice to a carrier to preserve specified stored communications held by a carrier on the day the notice is received. Subparagraph 107J(1)(a)(ii) allows enforcement agencies that are also interception agencies to issue ongoing preservation notices. Ongoing notices require carriers to keep relevant stored communications held by the carrier for up to 30 days from receipt of the notice. The term ‘interception agency’ is defined in section 5 of the TIA Act and is limited to agencies such as the Australian Federal Police and State Police Forces eligible to apply under Part 2-5 of the TIA Act for an interception warrant.

546.           Item 1 removes the references to an ‘enforcement agency’ in subsection 107(J)(1) of the TIA Act and substitute the new definition of a ‘criminal law-enforcement agency’ in section 110A of the Act. Amending the definition strengthens privacy protections in relation to stored communications by limiting the availability of historic domestic preservation notices to those agencies who can apply for stored communications warrants under the TIA Act as amended by this Schedule. Ongoing domestic preservation notices continue to be limited to interception agencies.

Item 2—Subsection 110(1)

547.           Subsection 110(1) of the TIA Act provides that an enforcement agency may apply to an issuing authority for a stored communications warrant in respect of a person.

548.           Item 2 removes the reference to an ‘enforcement agency’ in subsection 110(1) of the Act and substitute the new definition of a ‘criminal law-enforcement agency’ in section 110A of the Act.

549.           Amending the definition reduces the number of agencies that can apply for stored communications warrants from all enforcement agencies that investigate serious contraventions to those authorities and bodies that are recognised under section 110A of the Act as being criminal law-enforcement agencies.

Item 3—After section 110

Section 110A meaning of criminal law-enforcement agency

550.           Currently, criminal law-enforcement agencies can issue historic domestic preservation notices, and access stored communications and prospective telecommunications data. Agencies that fall within the broader definition of ‘enforcement agency’ are also able to issue historic domestic preservation notices and apply for stored communications warrants.

551.           Item 3inserts a definition of ‘criminal law-enforcement agency’ after section 110 of the TIA Act. The definition removes the ability of enforcement agencies that are not also criminal law-enforcement agencies to issue historic domestic preservation notices under subsection 107J(1) and to apply for stored communications warrants under section 110 of the Act. These amendments recognise that while governments at all levels have charged a range of authorities and bodies with responsibility for investigating or enforcing offences punishable by significant prison terms (at least a three year term) access to stored communications should be limited to agencies with a demonstrated investigative need and practices to safeguard the use and disclosure of information obtained under a stored communications warrant.

Subsection 110A(1) - meaning of criminal law-enforcement agency

552.           Subsection 110A(1) provides that the following agencies, authorities and bodies are ‘criminal law-enforcement agencies’:

(a)     the Australian Federal Police

(b)    a Police Force of a State

(c)     the Australian Commission for Law Enforcement Integrity

(d)    the Australian Crime Commission

(e)     the Australian Customs and Border Protection Service

(ea) the Australian Securities and Investments Commission

(eb) the Australian Competition and Consumer Commission

(f)      the Crime Commission

(g)    the Independent Commission Against Corruption

(h)    the Police Integrity Commission

(i)      the Independent Broad-based Anti-corruption Commission

(j)      the Crime and Corruption Commission of Queensland

(k)    the Corruption and Crime Commission

(l)      the Independent Commissioner Against Corruption, and

(m)  subject to subsection (7), an authority or body for which a declaration under subsection (3) is in force.

553.           Section 110A includes all the interception agencies listed in the current definition of criminal law-enforcement agency in section 5(1) of the TIA Act. The Australian Customs and Border Protection Service is included as it is prescribed by the Telecommunications (Interception and Access) Regulations 1987 to be a criminal               law-enforcement agency for the purposes of paragraph (k) of the definition of ‘enforcement agency’ in subsection 5(1) of the TIA Act.

554.           Paragraph 110A(1)(m) allows the Minister to declare authorities or bodies to be criminal law-enforcement agencies to accommodate the creation of any new agencies or any changes in agency functions over time.

555.           The inclusion of ASIC and ACCC as ‘criminal law-enforcement agencies’ implements recommendation 20 of the 2015 PJCIS Report.

Subsections 110A(2) to (6) - Declaration of an authority or body as a criminal law-enforcement agency

556.           Subsections 110A(2) to (9) allow the Minister to declare authorities or bodies to be ‘criminal law-enforcement agencies’ for the purposes of paragraph 110A(1)(m). This power replaces paragraph (k) in the definition of enforcement agency in section 5(1) of the TIA Act that allows the Governor-General to make regulations prescribing an agency to be an enforcement agency. Agencies that are prescribed under paragraph (k) are also criminal law-enforcement agencies for the purposes of the TIA Act.

557.           Under subsection 110A(2), the head of an authority or body is able to ask the Minister to declare the authority or body to be a criminal law-enforcement agency.

558.           Under paragraph 110A(3)(a) the Minister may declare an authority or body to be a criminal law-enforcement agency. Paragraph 110A(3)(b) also enables the Minister to declare certain persons specified in the declaration to be ‘officers’ of the criminal law-enforcement agency. Under the TIA Act, officers, as defined in subsection 5(1) of the Act, have various roles and responsibilities. For example, under section 110 of the TIA Act, applications for stored communications warrants can be made on an agency’s behalf by officers holding a management position in that agency. Enabling persons to be declared as officers of a particular criminal law enforcement agency facilitates the effective operation of the TIA Act in relation to that agency.

559.           Subsection 110A(3A) clarifies that the Minister may declare an authority or body to be a criminal law-enforcement agency under subsection 110A(3), even if the head of that authority or body has not made a request in accordance with subsection 110A(2).

560.           Subsection 110A(3B) provides that the Minister may not declare an authority or body to be a criminal law-enforcement agency unless the Minister is satisfied on reasonable grounds that the authority or body has functions that include investigating serious contraventions.  The term ‘serious contravention’ is defined in section 5E of the TIA Act.

561.           Subsection 110A(3B) implements recommendation 17 of the 2015 PJCIS Report. Subsection 110A(3B) is intended to ensure that only agencies that investigate serious contraventions can be declared criminal law-enforcement agencies and thereby be able to use the more intrusive powers of obtaining stored communications warrants or making an authorisation for the disclosure of prospective telecommunications data.

562.           Before making a declaration, the Minister must consider the factors listed in paragraphs (b)-(f) of subsection 110A(4). The current regulation making power in relation to paragraph (k) of the definition of enforcement agency does not prescribe any factors that must be considered in making a decision whether or not to prescribe an agency. Subsection 110A(4) ensures that authorities and bodies provide consistent and detailed information about their functions and privacy practices necessary to make an informed decision about an agency’s need to access stored communications and the appropriateness of that agency having such information.

563.           Under paragraph 110A(4)(c), in considering whether to make a declaration, the Minister must have regard to whether the authority or body:

·          is required to comply with the Australian Privacy Principles

·          is required to comply with a binding scheme that provides protection of personal information that meets the requirements of subsection (4A), or

·          has agreed in writing to comply with a scheme providing such protection of personal information, in relation to personal information disclosed to it under Chapter 3 or 4, if the declaration is made.

564.           Subsection 110A(4A) operates in conjunction with subparagraphs 110A(4)(c)(ii) and (iii) by stating that the protection of personal information provided by the scheme must:

·          be comparable to the protection provided by the Australian Privacy Principles, and

·          include a mechanism for monitoring the authority’s or body’s compliance with the scheme, and

·          include a mechanism that enables an individual to seek recourse if his or her personal information is mishandled.

565.           These amendments require the Minister to be satisfied, in considering whether to make a declaration of an ‘criminal law-enforcement agency’, that the authority or body is required to comply with a binding scheme with the listed privacy-protection mechanisms. These particular amendments implement recommendation 18 of the 2015 PJCIS Report.

566.           Subsection 110A(5) allow the Minister is able to consult with any persons or bodies the Minister considers should be consulted with before making a declaration under subsection 110A(4). The Minister can consult with the Privacy Commissioner and the Commonwealth Ombudsman but is not limited to consulting with those bodies.

567.           Subsection 110A(6), when read with subsection 110A(7), means that authorities and bodies may only be granted the status of a criminal law-enforcement agency or enforcement agency for certain powers available under Chapter 3 or Chapter 4 of the TIA Act. Authorities may investigate a range of offences only some of which are serious contraventions (under section 5E of the TIA Act serious contraventions are limited to offences punishable by a period, or a maximum period, of at least three years’ imprisonment or an equivalent fine or pecuniary penalty). In these circumstances the interaction of these two subsections means the Minister could limit an authority’s status as a criminal law enforcement agency to the offences with a three year or more imprisonment term.

568.           Decisions about declarations are not subject to review under the Administrative Decisions Judicial Review Act 1977 (the ADJR Act) as decisions under the TIA Act are not decisions to which the ADJR Act applies (see paragraph (d) of Schedule 1 to the ADJR Act). The exclusion of these decisions from the ADJR Act does not prevent decisions made under the TIA Act from being judicially reviewed under paragraph 75(v) of the Constitution. Declarations under subsection 110A(3) are also subject to parliamentary review as they are legislative instruments under the Legislative Instruments Act 2003 and can be disallowed under Part 5 of that Act.

569.           Subsection 110A(8) enables the Minster to revoke a declaration made under subsection (3) if the Minister is no longer satisfied that the circumstances justify the declaration remaining in force. This provision addresses a shortfall in the current Act whereby agencies that meet the definition of a criminal law-enforcement agency retain that status even if their functions change. Subsection 110A(8) ensures that only agencies with a demonstrated need for stored communications are able to obtain this information.

570.           Under subsection 110A(9) the revocation of a declaration does not affect the validity of:

(a)       a domestic preservation notice given by the authority or body

(b)       a stored communications warrant issued to the authority or body that was in force immediately before the revocation took effect, or

(c)       an authorisation made by an authorised officer of the authority or body under Division 4 of Part 4-1.

571.           This allows authorities and bodies to rely on notices and authorisations already issued or warrants already obtained for the duration of their independent validity period and protect carriers who act on a notice, authorisation or a stored communications warrant before becoming aware of the revocation.

572.           Subsections 110A(10) and 110A(11) respond to recommendation 17 of the 2015 PJCIS Report.

573.           Paragraph 110A(10)(a) provides that a declaration comes into force either when it is made or on a later day specified in the declaration. Paragraph 110A(10)(b) provides that the declaration ceases to be in force after 40 sitting days of either House of Parliament after the declaration comes into force.  The time to expiry of the declaration only commences once the declaration comes into force (which may be later than when it is made).

574.           Subsection 110A(11) provides that when a Bill is introduced into either House of Parliament to amend the list of criminal law-enforcement agencies in the TIA Act, the  Minister must refer the amending Bill to the PJCIS  and give the PJCIS at least 15 sitting days of a House of Parliament to conduct its review and issue its report.



 

Item 4—Before section 177

Section 176A meaning of enforcement agency

575.           Item 4 inserts section 176A before section 177 of the TIA Act.

576.           Section 176A replaces the current definition of ‘enforcement agency’ in subsection 5(1) of the TIA Act with a definition that limits the authorities and bodies that can access telecommunications data to criminal law-enforcement agencies and authorities and bodies declared under section 176A to be an enforcement agency.

577.           Currently the definition of ‘enforcement agency’ in section 5(1) of the TIA Act provides that the following agencies are enforcement agencies:

(a)     the Australian Federal Police

(b)    a Police Force of a State

(c)     the Australian Commission for Law Enforcement Integrity

(d)    the Australian Crime Commission

(e)     the Crime Commission

(f)      the Independent Commission Against Corruption

(g)    the Police Integrity Commission

(h)    the Independent Broad-based Anti-corruption Commission

(i)      the Crime and Misconduct Commission

(j)      the Corruption and Crime Commission

(ja) the Independent Commissioner Against Corruption

(k)    an authority established by or under a law of the Commonwealth, a State or a Territory that is prescribed by the regulations for the purposes of this paragraph

(l)      a body or organisation responsible to the Ministerial Council for Police and Emergency Management - Police

(m) the CrimTrac Agency

(n)    any body whose functions include:

                             (i)             administering a law imposing a pecuniary penalty; or

                           (ii)             administering a law relating to the protection of the public revenue.

578.           The reference to ‘criminal law-enforcement agency’ in paragraph 176A(a) replaces the agencies listed at paragraphs (a) to (k) in the current definition.

579.           Current paragraph (l) of the definition of ‘enforcement agency’ is an open-ended description and is omitted from paragraph 176A. Deleting this reference ensures that only agencies specifically listed in the section, or declared to be enforcement agencies following consideration of the factors listed in paragraph 176A(4), can access telecommunications data.

580.           Current paragraph (m), which refers to the CrimTrac Agency, is also deleted from the definition. CrimTrac develops and maintains national police information sharing services between Australian law enforcement agencies, particularly by delivering national database systems such as the National Child Sex Offender Register, the National Automated Fingerprint Identification System and the National Criminal Investigation DNA Database. CrimTrac does not however, enforce laws by investigating and prosecuting specific instances of wrongdoing (whether in a primary or supporting role).

581.           Current paragraph (n) is also removed from the definition. Paragraph (n) is broad and increases the possibility that authorities and bodies that do not have a compelling current need to access telecommunications data may be able to authorise the disclosure of this information. The definition as unamended by this Bill encompasses a wide range of Commonwealth, State, Territory and local government agencies as well as bodies such as the Royal Society for the Prevention of Cruelty to Animals that have law enforcement roles under State legislation. Many of these bodies are responsible for investigating serious activities and behaviours. For example, under Queensland’s Animal Care and Protection Act 2001, the offence of animal cruelty has a maximum penalty of 2,000 penalty units or 3 years imprisonment.

582.           While the existing arrangements limit who within an authority or body can access telecommunications data and for what purposes, the scope of current paragraph (n) means that telecommunications data could potentially be available to a large number of agencies as the TIA Act does not have a clear mechanism for determining which authorities and bodies fall within the definition of an ‘enforcement agency’. Section 176A addresses this issue by introducing a power at subsection 176A(3) for the Minister to declare a specific authority or body to be an enforcement agency for the purposes of the TIA Act.

Subsections 176A(2) to (7) - Declaration of an authority or body as an enforcement agency

583.           Subsections 176A(2) to (7) sets out the process to be used by the Minister in considering whether to declare an authority or body to be an enforcement agency.

584.           Under subsection 176A(2) the head of an authority or body is able to request that the Minister declare the authority or body to be an enforcement agency.

585.           Under paragraph 110A(3)(a) the Minister may declare an authority or body to be a criminal law-enforcement agency. Paragraph 176A(3)(b) also enables the Minister to declare certain persons specified in the declaration to be ‘officers’ of the enforcement agency. Under the TIA Act, officers, as defined in subsection 5(1) of the Act, have various roles and responsibilities. For example, under section 185C of the TIA Act, evidentiary certificates relating to acts by enforcement agencies may be issued by a certifying officer of that agency. Enabling persons to be declared as officers of a particular enforcement agency facilitates the effective operation of the TIA Act in relation to that agency.

586.           Subsection 176A(3A) clarifies that the Minister may declare an authority or body to be an enforcement agency under subsection 176A(3), even if the head of that authority or body has not made a request in accordance with subsection 176A(2).

587.           Subsection 176A(3B) provides that the Minister may not declare an authority or body to be an enforcement agency unless the Minister is satisfied on reasonable grounds that the authority or body has functions that include or more of:

(a)     enforcement of the criminal law

(b)    administering a law imposing a pecuniary penalty, or

(c)     administering a law relating to the protection of the public revenue.

588.           Subsection 176A(3B) implements the relevant part of recommendation 21 of the 2015 PJCIS Report. Subsection 176A(3B) is intended to ensure that only agencies that have the functions referred to above can be declared enforcement agencies and thereby be able to access historic telecommunications data.

589.           The meaning of ‘enforcement of the criminal law’, for the purposes of paragraph 176A(3B)(c), include the process of investigating crime and prosecuting criminals. It also includes precursory and secondary intelligence gathering activities which support the investigating and prosecution of suspected offences. The term ‘criminal law’ includes any Commonwealth, State or Territory law that makes particular behaviour an offence punishable by fine or imprisonment.

590.           The reference to ‘pecuniary penalties’ in paragraph 176A(3B)(a) relates to penalties for breaches of Commonwealth, State and Territory laws that are not prosecuted criminally or that impose a penalty which serves as an administrative alternative to prosecution (often referred to as civil or administrative penalty provisions). Pecuniary penalties for the purposes of this provision are not intended to encompass small-scale administrative fines.

591.           The concept of ‘public revenue’ in paragraph 176A(3B)(b) includes State and Territory revenue in addition to Commonwealth revenue. Lawful obligations charged on a regular basis such as taxes, levies, rates and royalties are also included but occasional charges, such as fines, are not. ‘Protecting the public revenue’ also includes the activities of agencies and bodies undertaken to ensure that those lawful obligations are met; for example routine collection, audits, investigatory and debt recovery actions.

592.           The term ‘revenue’ is not intended to be limited to incoming monies from taxation but could also extend to ‘monies which belong to the Crown, or monies to which the Crown has a right, or monies which are due to the Crown’. [19] The term ‘protection of public revenue’ is intended to extend to protecting the revenue from which compensation or similar payments are paid, including circumstances where it is sought to ensure that wrongful payments are not made out of that revenue. The term does not include activities aimed at identifying and eliminating inefficient but lawful spending of public monies. The concept of ‘administering’ a law in subparagraphs 176A(4)(a)(ii) and (iii) also includes bodies whose functions include investigating possible breaches of relevant laws as this work plays an important role in carrying legislation into effect (including by ensuring that the obligations imposed by the legislation are carried out).

593.           Before making a declaration, the Minister must consider the factors listed in paragraphs (b)-(f) of subsection 176A(4). Subsection 176A(4) ensures that authorities and bodies provide consistent and detailed information about their functions and privacy practices necessary to make an informed decision about an authority’s or body’s need to access telecommunications data and the appropriateness of that authority or body having such information.

594.           Under paragraph 176A(4)(c), in considering whether to make a declaration, the Minister must have regard to whether the authority or body:

(i)           is required to comply with the Australian Privacy Principles

(ii)         is required to comply with a binding scheme that provides protection of personal information that meets the requirements of subsection (4A), and

(iii)       has agreed in writing to comply with a scheme providing such protection of personal information, in relation to personal information disclosed to it under Chapter 3 or 4, if the declaration is made.

595.           Subsection 176A(4A) operates in conjunction with subparagraphs 176A(4)(c)(ii) and (iii) by stating that the protection of personal information provided by the scheme must:

(a)       be comparable to the protection provided by the Australian Privacy Principles, and

(b)       include a mechanism for monitoring the authority’s or body’s compliance with the scheme, and

(c)       include a mechanism that enables an individual to seek recourse if his or her personal information is mishandled.

596.           The effect of these amendments is to require the Minister to be satisfied, in considering whether to make a declaration of an ‘enforcement agency’, that the authority or body is required to comply with a binding scheme with the listed privacy-protection mechanisms. These particular amendments implement recommendation 22 of the 2015 PJCIS Report.

597.           Subsection 176A(5) means that the Minster can consult with any persons or bodies the Minister considers should be consulted before making a declaration under subsection 176A(4). The Minister can consult with the Privacy Commissioner and the Ombudsman but is not limited to consulting with those bodies.

598.           Subsection 176A(6), when read with subsection 176A(7), means that an authority or body may only be granted the status of an enforcement agency for certain powers available under Chapter 4 of the TIA Act. For instance, an authority’s functions may include administering legislation that imposes pecuniary penalties of a minor degree as well as offences with significant penalties and terms of imprisonment. In these circumstances the interaction of these two subsections means the Minister could limit an authority’s ability to access telecommunications data to the offence with more significant penalties.

599.           Decisions about declarations are not subject to review under the Administrative Decisions Judicial Review Act 1977 (the ADJR Act) as decisions under the TIA Act are not decisions to which the ADJR Act applies (see paragraph (d) of Schedule 1 to the ADJR Act). The exclusion of these decisions from the ADJR Act does not prevent decisions made under the TIA Act from being judicially reviewed under paragraph 75(v) of the Constitution. Declarations under subsection 176A(3) are also subject to parliamentary review as they are legislative instruments under the Legislative Instruments Act 2003 and can be disallowed under Part 5 of that Act.

600.           Subsection 176A(8) enables the Minister to revoke a declaration made under subsection (3) if the Minister is no longer satisfied that the circumstances justify the declaration remaining in force. Subsection 176A(8) ensures that only agencies with a demonstrated need for telecommunications data are able to authorise service providers to disclose this information.

601.           Under subsection 176A(9) revocation of a declaration does not affect the validity of an authorisation made by the authorised officer of an authority or body immediately before the revocation took effect. This provision allows authorities and bodies to rely on authorisations already issued and protects carriers who act on an authorisation before revocation.

602.           Subsections 176A(10) and 176A(11) respond to recommendation 21 of the 2015 PJCIS report.

603.           Paragraph 176A(10)(a) provides that the declaration enters into force either when it is made or on a later day specified in the declaration. Paragraph 176A(10)(b) provides that the declaration ceases to be in force after 40 sitting days of either House of Parliament after the declaration comes into force.  The time to expiry of the declaration only commences once the declaration comes into force (which may be later than when it is made).

604.           Subsection 176A(11) provides that when a Bill is introduced into either House of Parliament to amend the list of enforcement agencies in the TIA Act the Minister must refer the amending Bill to the PJCIS and give the PJCIS at least 15 sitting days of a House of Parliament to conduct its review and issue its report.



 

Part 2—Other Amendments

Telecommunications (Interception and Access) Act 1979

Item 5—Subsection 5(1) (definition of Crime and Misconduct Commission )

605.           Subsection 5(1) of the TIA Act defines the term Crime and Misconduct Commission as meaning the Crime and Misconduct Commission of Queensland. On 1 July 2014, the Crime and Misconduct Commission became the Crime and Corruption Commission under the Crime and Misconduct and Other Legislation Amendment Act 2014 (Qld) .

606.           Item 5 amends the definition of Crime and Misconduct Commission in subsection 5(1) of the TIA Act to recognise the Commission’s change of name.

Item 6—Subsection 5(1) (definition of criminal law-enforcement agency )

607.           Item 6 repeals the definition of ‘criminal law-enforcement agency’ in subsection 5(1) of the TIA Act and replaces it with the definition of ‘criminal law-enforcement agency’ in section 110A.

608.           Item 6 is consequential to Item 3 of Part 1 of Schedule 2, which inserts a definition of ‘criminal law-enforcement agency’ in section 110A into the TIA Act.

Item 7—Subsection 5(1) (definition of enforcement agency )

609.           Item 7 repeals the definition of ‘enforcement agency’ in subsection 5(1) of the TIA Act and replaces it with the definition of ‘enforcement agency’ in section 176A.

610.           Item 7 is consequential to Item 4 of Part 1 of Schedule 2, which inserts a definition of ‘enforcement agency’ in section 176A into the TIA Act.

Item 8—Subsection 5(1) (at the end of the definition of officer )

611.           Item 8 adds paragraphs (n) and (o) to the end of the definition of ‘officer’ in subsection 5(1) of the TIA Act. The definition of ‘officer’ specifies the class of persons who may be taken to be officers of certain agencies, eligible Commonwealth authorities or eligible authorities of a State.

612.           Paragraph (n) provides that for a criminal law enforcement agency for which a declaration under subsection 110A(3) is in force, an officer is a person specified, or of a kind specified, in the declaration to be an officer of the criminal law enforcement agency for the purposes of the TIA Act. This item is consequential to Item 3 of Part 1 of Schedule 2, which inserts a definition of ‘criminal law-enforcement agency’ in section 110A into the TIA Act.

613.           Paragraph (o)   provides that for an enforcement agency for which a declaration under subsection 176A(3) is in force, an officer is a person specified, or of a kind specified, in the declaration to be an officer of the enforcement agency for the purposes of the TIA Act. This is consequential upon Item 4 of Part 1 of Schedule 2, which inserts a definition of ‘enforcement agency’ in section 176A into the TIA Act.

614.           Under Chapter 4 of the TIA Act, only authorised officers of an enforcement agency can request telecommunications data from a carrier. Officers must consider the privacy impacts of the disclosure or use of telecommunications information before making an authorisation and must also be satisfied that the disclosure is reasonably necessary for the enforcement of a relevant law. Section 183 of the TIA Act requires that authorisations must be in a prescribed form and comply with any requirements made by the CAC, a statutory position within the Attorney-General’s Department currently filled by the First Assistant Secretary, National Security Law and Policy Division. These requirements are set out in the Telecommunications (Interception and Access) (Authorisations, Notifications and Revocations) Determination 2012 .

Items 9 and 10—Section 107G

615.           Section 107G of the TIA Act is an outline to Part 3-1A of the TIA Act which is about preserving stored communications. Item 9 removes references to ‘an enforcement agency or the Organisation’ in section 107G and substitute references to ‘a criminal law-enforcement agency, or the Organisation’. Item 10 removes references to ‘an interception agency or the Organisation’ in section 107G and substitute references to a ‘criminal law-enforcement agency that is an interception agency, or the Organisation’.

616.           Items 9 and 10 are consequential to Item 3 of Part 1 of Schedule 2, which inserts a new definition of ‘criminal law-enforcement agency’ in section 110A into the TIA Act.

Item 11—Subsection 107J(1) (heading)

617.           Section 107J of the TIA Act contains the heading ‘Notices given by enforcement agencies or interception agencies’.

618.           Item 11 repeals this heading and substitute the heading ‘Notices given by criminal law-enforcement agencies.’

619.           Item 11 is consequential to Item 2 of Part 1 of Schedule 2 which deletes the reference to ‘an enforcement agency’ in subsection 110(1) of the TIA Act.

Item 12—Paragraphs 107L(2)(a), 107M(1)(a), (2)(a) and (3)(a)

620.           Sections 107L and 107M provide arrangements for revoking domestic preservation notices and who may give or revoke domestic preservation notices. Item 12 repeals all references in those provisions to the term ‘enforcement agency’ and substitute references to ‘a criminal law-enforcement agency’.

621.           Item 12 is consequential upon Item 2 of Part 1 of this Schedule which deletes the reference to ‘an enforcement agency’ in subsection 110(1).

Item 13—Part 3-3 (heading)

622.           Part 3-3 is headed ‘Access by enforcement agencies to stored communications’.

623.           Item 13 deletes this heading and substitutes ‘Part 3-3—Access by criminal law-enforcement agencies to stored communications. Item 13 is consequential to Item 2 of Part 1 of Schedule 2 which deletes the reference to ‘an enforcement agency’ and substitute ‘a criminal law-enforcement agency’ in subsection 110(1) of the TIA Act.

Item 14—Section 110 (heading)

624.           Section 110 of the TIA Act is headed ‘110 Enforcement agencies may apply for stored communication warrants’. Item 14 repeals this heading and substitutes the heading ‘110 Criminal law-enforcement agencies may apply for stored communications warrants’. Item 14 is consequential to Item 2 of Part 1 of Schedule 2 which deletes the reference to ‘an enforcement agency’ and substitute ‘a criminal law-enforcement agency’ in subsection 110(1) of the TIA Act.

Items 15-33, 35-36, 38-39, 41-47—omit references to ‘enforcement agency’ and ‘an enforcement agency’ and substitute references to ‘criminal law-enforcement agency’ and ‘a criminal law-enforcement agency’

625.           These items delete references to ‘enforcement agency’ and ‘an enforcement agency’s’ as they appear in Chapter 3 of the TIA Act and substitutes them with references to ‘criminal law-enforcement agency’ and ‘a criminal law-enforcement agency’s’.

626.           These items are consequential to the amendments made by Item 2 of Part 1 of Schedule 2, which deletes the reference to ‘an enforcement agency’ and substitutes ‘a criminal law-enforcement agency’ in subsection 110(1) of the TIA Act.

Item 34—Section 130 (heading)

627.           Section 130 of the TIA Act is headed ‘Evidentiary certificates relating to actions by criminal law-enforcement agencies’. Item 34 repeals this heading and substitute the heading ‘130 Evidentiary certificates relating to actions by criminal law-enforcement agencies’.

628.           Item 34 is consequential to Item 2 of Part 1 of Schedule 2 which deletes the reference to ‘an enforcement agency’ and substitutes ‘a criminal law-enforcement agency’ in subsection 110(1) of the TIA Act.

Item 37—Subsection 135(1) (heading)

629.           Subsection 135(1) of the TIA Act is headed ‘Communicating information to the appropriate enforcement agency’. Item 37 repeals this heading and substitutes the heading ‘Communicating information to the appropriate criminal law-enforcement agency’.

630.           This amendment is consequential to Item 2 of Part 1 of Schedule 2 which deletes the reference to ‘an enforcement agency’ and substitutes ‘a criminal law-enforcement agency’ in subsection 110(1) of the TIA Act.

Item 40—Section 138 (heading)

631.           Section 138 of the TIA Act is headed ‘Employee of carrier may communicate information to the enforcement agency’. Item 40 repeals this heading and substitutes the heading ‘138 Employee of carrier may communicated information to the criminal law-enforcement agency’.

632.           Item 37 is consequential to Item 2 of Part 1 of Schedule 2 which deletes the references to ‘an enforcement agency’ and substitutes ‘a criminal law-enforcement agency’ in subsection 110(1) of the TIA Act.

Part 3—Application Provisions

Item 48—Existing domestic preservation notices

633.           Item 48 is a transitional provision that provides that existing domestic preservation notices continue to be in force after the commencement of Schedule 2, even if the authority or body that gave the notice is not able to give a notice under the TIA Act as amended, because it is not a criminal law-enforcement agency. This provision allows agencies to rely on notices already issued and ensures that carriers do not unlawfully access stored communications.

Item 49—Existing stored communications warrants

634.           Item 49 is a transitional provision that provides that existing stored communications warrants continue to be in force after the commencement of Schedule 2, even if the authority or body that obtained the warrant is not able to obtain the warrant under the TIA Act as amended, because it is not a criminal law enforcement agency. This provision allows agencies to rely on warrants already issued and ensures that carriers do not unlawfully access stored communications.

Item 50—Existing authorisations

635.           Item 50 is an application provision that provides that existing authorisations continue to be in force after the commencement of Schedule 2, even if the authority or body that made the authorisations is not able to make authorisations under the TIA Act as amended, because it is no longer an enforcement agency.

636.           This provision allows agencies to rely on authorisations already issued and ensures that carriers do not unlawfully disclose information or documents the disclosure of which would otherwise be prohibited under section 276, 277 or 278 of the Telecommunications Act 1997 .

Item 51—Evidentiary certificates

637.           Item 51 is an application provision which ensures that evidentiary certificates do not become invalid upon the commencement of this Act. Evidentiary certificates are received as evidence of facts in prosecutions and civil penalty court proceedings and the amendments contained in this item ensures that court proceedings are not adversely impacted by a change in an authority or body’s status when this Act commences.

638.           Subitem (1) provides that an evidentiary certificate issued by an authority or body under section 107U or 130 of the TIA Act continues to be in force even if on the commencement of Schedule 2 the authority or body ceases to be a criminal law-enforcement agency.

639.           Subitem (2) provides that an evidentiary certificate issued by an authority or body under section 185C of the TIA Act continued to be in force even if on the commencement of Schedule 2 the authority or body ceases to be an enforcement agency.

640.           Subitem (3) provides that an authority or body that ceases to be a criminal law-enforcement agency upon the commencement of Schedule 2 is able to issue evidentiary certificates under section 107U or 130 of the TIA Act with respect to anything done before the commencement of Schedule 2.

641.           Subitem (4) provides that an authority or body that ceases to be an enforcement agency upon the commencement of Schedule 2 is able to issue evidentiary certificates under section 107U or 130 of the TIA Act with respect to anything done before the commencement of Schedule 2.

 

 

 



 

Schedule 3—Oversight by the Commonwealth Ombudsman

Overview of measures

642.           Schedule 3 implements the relevant part of recommendation 42 of the 2013 PJCIS Report that data retention legislation should include oversight of agencies’ access to telecommunications data by the Ombudsman and the IGIS.

643.           Schedule 3 amends the TIA Act by inserting obligations to keep records in relation to the access of stored communications (Chapter 3 of the TIA Act) and telecommunications data (Chapter 4 of the TIA Act).  The Bill inserts Chapter 4A to implement a comprehensive record-keeping, inspection and oversight regime in relation to:

·          the issue of preservation notices by criminal law-enforcement agencies

·          the access to, and dealing with, stored communications by criminal law-enforcement agencies, and

·          the access to, and dealing with, telecommunications data by criminal law-enforcement agencies and enforcement agencies.

644.           The record-keeping regime requires all Commonwealth, State and Territory enforcement agencies to keep prescribed information and documents necessary to demonstrate that they have exercised their powers under Chapters 3 and 4 in accordance with their statutory obligations under the TIA Act. The specificity of the oversight provisions is intended to provide sufficient clarity to enable agencies to be properly versed as to what the Ombudsman would require to be kept and made available at inspections.

645.           The inspection and oversight regime requires the Ombudsman to inspect and oversight the records of Commonwealth, State and Territory agencies in order to assess compliance against the exercise of their powers under Chapters 3 and 4 of the TIA Act.

646.           Currently, the TIA Act does not provide for independent oversight for the use of, and access to, telecommunications data by enforcement agencies. Under the TIA Act, the Ombudsman has limited audit functions to assess the compliance by agencies with record keeping and record destruction obligations in relation to the issue of preservation notices and access to stored communications. While carrying out such an audit, other compliance issues may come to the Ombudsman’s attention, but these would not expressly fall within the Ombudsman’s existing inspection remit under the TIA Act. While the Ombudsman is empowered to report on these additional compliance issues (by virtue of the existing ‘incidental or conducive to the performance’ of functions provision in section 152), the extent of the Ombudsman’s power is not clearly delineated.

647.           The IGIS currently inspects and reports on access to telecommunications data by ASIO, under the Inspector-General of Intelligence and Security Act 1986 .

648.           The oversight regime is similar to the existing Ombudsman oversight model contained in Part 6 of the Surveillance Devices Act 2004 (SD Act), and enables comprehensive assessment of agency compliance with all of an enforcement agency’s (or a criminal law-enforcement agency’s) obligations under Chapters 3 and 4 of the TIA Act, including access to and use of telecommunications data, which can be accessed on a historical basis (sections 178, 178A, 179) and on a prospective (or near-real time) basis (section 180). Oversight of this category of data by extension, captures the set of telecommunications data that service providers are required to retain under subsection 187A of the Act.

649.           The provisions relating to the powers, scope and reporting obligations of the oversight role are intended to enable the Ombudsman to provide public assurance and to enhance levels of transparency and public accountability. These provisions also align with other oversight roles performed by the Ombudsman, such as those performed under the SD Act and the Controlled Operations provisions in Part IAB of the Crimes Act 1914.

650.           Part 1 of this Schedule contains the main amendments to Chapters 3 and 4, as well as minor and consequential amendments to Chapters 1 and 2. These main amendments introduce new record-keeping obligations for criminal law-enforcement agencies and enforcement agencies, and establish a comprehensive oversight regime administered by the Ombudsman for such agencies accessing stored communications and telecommunications data.

651.           Part 2 of this Schedule provides for how the amendments contained in Schedule 3 apply upon their commencement.

Part 1—Amendments

Telecommunications (Interception and Access) Act 1979

Item 1—Subsection 5C(1)

652.           Item 1 amends section 5C of the TIA Act, which defines when information or a question is relevant to an inspection by the Ombudsman. The clause deletes the reference to ‘Part 3-5’ in subsection 5C(1) of the TIA Act and substitutes a reference to Chapter 4A of the TIA Act.

653.           This is a technical amendment to ensure that the definition of when information or a question is relevant to an Ombudsman inspection refers to the provisions of the Act which pertain to Ombudsman oversight, contained in Chapter 4A.

Item 2—At the end of section 87

654.           Section 87 of the TIA Act sets out the powers the Ombudsman has to obtain relevant information, in documentary or oral form, in relation to an Ombudsman inspection of the use of interception powers by Commonwealth agencies in circumstances where the Ombudsman has reason to believe that an officer of an agency is able to give information relevant to an inspection under Part 2-7 and relating to that agency’s records.

655.           This item inserts subsection 87(6) into the TIA Act that makes refusal to attend, give information or to answer questions in relation to an inspection, a criminal offence. The penalty for an offence against subsection 87(6) is six months imprisonment.

656.           Subsection 87(6) mirrors subsection 186C(3) (applicable to stored communications and telecommunications data) in terms of the form of the offence and the applicable penalty. It is also broadly consistent with similar provisions under the Surveillance Devices Act 2004 (section 56) and the Inspector-General of Intelligence and Security Act 1986 (section 18). The offence provision is only enlivened in relation to officials of law enforcement agencies. Such officials hold positions of public trust and exercise intrusive and covert powers under the TIA Act. Public confidence in the justice system requires that officials are held to a higher standard of conduct, particularly because there are fewer avenues to identify misconduct or systemic non-compliance in the telecommunications interception environment due to its covert nature.

Item 3—Section 134

657.           This item amends section 134 of the TIA Act, which sets out when a person may deal in preservation notice information or stored communications warrant information.

658.           The amendment provides that a person may deal in such information for the purposes of Chapter 4A of the TIA Act (Oversight by the Commonwealth Ombudsman). The purpose of this provision is to clarify that dealing with preservation notice information and stored communications information is permitted if it is for the purposes of an Ombudsman inspection under Chapter 4A of the TIA Act.

Item 4—Part 3-5 (heading)

659.           This item repeals the heading to Part 3-5 (‘Keeping and inspection of preservation notices and access records’) and substitutes a new heading (‘Keeping and inspection of records’). The new heading is a technical amendment to reflect the amendments to Part 3-5 in the Bill. While the current Part 3-5 of the Act contains both record keeping obligations on agencies and an inspection regime by the Ombudsman, the amended Part 3-5 of the Act is limited to placing inspection obligations on criminal-law enforcement agencies (although section 158A of the TIA Act will remain). The change in the heading to Part 3-5 reflects this extended remit.

Item 5—Section 151 of Division 1 of Part 3-5: Obligation to keep records

660.           This item repeals Divisions 1 and 2 of Part 3-5 and substitutes a new Division 1 of Part 3-5.

661.           Division 1 of Part 3-5 currently describes the records that enforcement agencies must keep in relation to their use of preservation notices and the use of powers to access stored communications.

662.           Division 2 of Part 3-5 currently sets out a regime for inspection of record keeping by enforcement agencies relating to preservation notices and access to stored communications.

663.           Repealing Divisions 1 and 2 and substituting new Division 1 is necessary so that auditing of stored communications can be undertaken in a manner consistent with the approach to the oversight of other powers exercisable under Chapter 4 of the TIA Act.

664.           Section 151 comprehensively sets out the information or documents that a criminal law-enforcement agency must retain to enable the Ombudsman to inspect the agency’s records to determine the extent of its compliance with Chapter 3 of the TIA Act. Chapter 3 of the Act relates to issuing preservation notices and access to and dealing with stored communications.

665.           The purpose of section 151 is to ensure that agencies retain the records that the Ombudsman requires in order to carry out his or her inspection functions under  Chapter 4A of the TIA Act.

666.           An agency meets the requirements of section 151 by retaining either the original or a copy of the relevant document.

667.           Subsection 151(2) provides that the Minister may, by legislative instrument, prescribe the kinds of documents and other materials that the chief officer of a criminal law-enforcement agency must cause to be kept in the agency’s records. The requirement for additional records to evidence compliance is prospective. Any prescription of documents by legislative instrument will enable the record keeping list for the purpose of compliance assessment to expand over time if it is deemed additional record keeping requirements are required to enable the Ombudsman to determine agencies’ compliance.

668.           Subsection 151(3) specifies how long agencies must retain records for compliance inspection purposes. This provision requires agencies to retain the records referred to in subsection 151(1) and any documents or other materials prescribed under subsection 151(2) for a maximum of 3 years from when the document or record came into existence (subparagraph 151(3)(b)(i)) or until the Ombudsman gives a report to the Minister under section 186J about records, including that particular record (subparagraph 151(3)(b)(ii)), whichever happens earlier. Requiring agencies to keep records until the Ombudsman has made findings on and made reports in relation to, those records, meets the Ombudsman’s requirements for when they no longer require the records for inspection purposes. The maximum retention period of three years is consistent with the period currently contained in section 185 of the TIA Act for the retention of data authorisations made under Divisions 4 and 4A of Part 4-1. The approach also avoids imposition of arbitrary and discordant retention timeframes on agencies across record types.

Item 6—Section 186A: Obligation to keep records

669.           Section 186A sets out the information or documents that an enforcement agency must retain to ensure that the Ombudsman is able to inspect the agency’s records to determine the extent of the agency’s compliance with Chapter 4 of the TIA Act. Chapter 4 of the Act relates to enforcement agencies’ access to and dealing with telecommunications data.

670.           An agency meets the requirements of section 186A by retaining either the original or a copy of the relevant document.

671.           Subsection 186A(2) allows the Minister to prescribe the kinds of documents and other materials that a criminal law-enforcement agency must keep in addition to those specified under subsection 186A(1). A declaration will be a legislative instrument for the purposes of the Legislative Instruments Act 2003 . Subsection 186A(2) operates in conjunction with paragraph 186A(1)(j) of the TIA Act, which requires criminal law-enforcement agencies to retain such records.

672.           The purpose of subsection 186A(2) and related paragraph 186A(1)(j) is to require new classes of documentation to be kept in future as the new inspection regime develops. It also accommodates the addition of new types of documents to be retained if the powers and functions of relevant agencies and the Ombudsman change.

673.           Subsection 186A(3) specifies how long agencies must retain records for compliance inspection purposes. This provision requires agencies to retain the records referred to in paragraphs 186A(1)(a)-(i) and other materials prescribed under subsection 186A(2) for a maximum of 3 years from when the document or record came into existence (paragraph 186A(3)(b)(i)) or when the Ombudsman gives a report to the Minister under section 186J about records that include that particular record (paragraph 186A(3)(b)(ii)), whichever happens earlier.

674.           Requiring agencies to keep records until the Ombudsman has made findings on and made reports in relation to those records, would meets the Ombudsman’s requirements for when they no longer require the records for inspection purposes. The maximum of three years is consistent with the period currently contained in section 185 of the TIA Act for the retention of data authorisations made under Divisions 4 and 4A of Part 4-1. However, the retention period referred to in subsection 186A(3) does not affect the operation of the retention period section 185, which does still apply.

Item 7—Chapter 4A: Oversight by the Commonwealth Ombudsman

675.           Item 7 inserts Chapter 4A before Chapter 5 of the TIA Act.  Chapter 4A sets out a new oversight regime for the Commonwealth Ombudsman.

Section 186B—Inspection of records

676.           Section 186B establishes an inspection regime to enable the Ombudsman to inspect the records kept by enforcement agencies associated with the use of and access to, telecommunications data and stored communications. Sections 151 and 186A facilitate this inspection regime by requiring agencies to keep such records. The role of the Ombudsman is to determine whether an agency is compliant with its obligations relating to the issue of preservation notices and access to stored communications under Chapter 3 and access to telecommunications data under Chapter 4 of the TIA Act.

677.           Subsection 186B(1) is not intended to require the Ombudsman, nor to give the Ombudsman the power to, inspect, review or report on whether an issuing authority ought to have issued a stored communications warrant under section 116 of the TIA Act.

678.           Paragraph 186B(1)(a) requires the Ombudsman to inspect the records of enforcement agencies to determine the extent of their compliance with the exercise of statutory powers associated with telecommunications data access set out in Chapter 4 of the TIA Act.

679.           Access to telecommunications data by enforcement agencies has the potential to impact on the privacy of persons whose data is being accessed. The comprehensive oversight regime for telecommunications data assists in ensuring that access to and the use and disclosure of, telecommunications data by enforcement agencies, including retained data, under Chapter 4 of the TIA Act, is subject to independent compliance assessment. It also serves to provide an important level of public accountability and scrutiny of agency practices by virtue of the Ombudsman public reporting regime implemented in Chapter 4A.

680.           Paragraph 186B(1)(b) requires the Ombudsman to inspect the records of criminal law-enforcement agencies to determine the extent of their compliance with the requirements set out in Chapter 3 of the TIA Act in relation to the issue of preservation notices and the access to and dealing with stored communications. It also requires the Ombudsman to inspect records of an enforcement agency to determine the extent of compliance with Chapter 4 by the agency and its officers.

681.           Tailored oversight provisions in relation to the use by agencies of preservation notices and their access to and dealing with stored communications are important inclusions in the Bill because:

·          the use of preservation notices by criminal law-enforcement agencies potentially impacts on individual privacy, in that agencies can use such notices to ensure that carriers and carriage service providers preserve the private stored communications of persons where the agency intends to later apply for an interception or stored communications warrant to access those communications in connection with the investigation of a serious contravention, and

·          the access to and dealing with stored communications by criminal law-enforcement agencies also potentially impacts on individual privacy. As such, it is important that access to, and dealing with, such communications occurs only as permitted under the TIA Act.

682.           The purpose of an Ombudsman oversight regime in relation to preservation notices and stored communications is to ensure, from a public accountability perspective, that criminal law-enforcement agencies only use such powers strictly in accordance with the statutory requirements under Chapter 3 of the TIA Act. The oversight regime is also intended to reassure the public that agencies are exercising these covert and intrusive powers in accordance with the law.

683.           Subsection 186B(2) provides that the Ombudsman, for the purpose of an investigation under subsection 186B(2), can enter premises occupied by an agency at any reasonable time after notifying the chief officer of the agency. The Ombudsman is then entitled to full and unimpeded access at all reasonable times to all records of the agency that are relevant to the Ombudsman’s inspection. The Ombudsman is entitled to make copies of, and take extracts from, the agency’s records where relevant to the investigation. The provision also gives the Ombudsman the power to require a member of staff of the agency to provide any information relevant to the inspection that is in their possession or to which the staff member has access.

684.           Subsection 186B(2) ensures that the Ombudsman has sufficient powers to carry out the Ombudsman’s inspection functions under Chapter 4A in relation to agencies.

685.           Under subsection 186B(2), the Ombudsman is not restricted in the frequency with which the Ombudsman may inspect the records of an agency. For example, the Ombudsman could choose inspection cycles of twelve months, six months, three months or some other period to inspect the records of any particular agency. This flexibility is intended to cater for the significant differences in the size, structure, functions, and internal systems and procedures of the various criminal law-enforcement agencies, the variable nature and flow of investigations and to ensure the new inspection regime is sufficiently responsive to differing contingencies encountered during an inspection. Depending on the circumstances, this may necessitate other adaptive approaches, including, for example, staged or rolling inspection programs, a quarter-sized inspection four times a year, or inspecting different field offices at different times if that was more convenient for the agency from an operational perspective or logistically more feasible. The current stored communications inspection regime under the TIA Act and the regime under the SD Act do not cap the number of inspections, and section 186B is consistent with those existing statutory frameworks.

686.           Subsection 186B(3) requires the Ombudsman to give the chief officer of an enforcement agency reasonable notice of an inspection under subsection 186B(2).

687.           Subsection 186B(4) requires the chief officer of an agency to ensure that his or her staff provide the Ombudsman with any assistance that the Ombudsman reasonably requires to enable the Ombudsman to perform his or her functions under section 186B. The purpose of subsection 186B(4) is to ensure that agency staff provide reasonable cooperation to the Ombudsman in relation to the Ombudsman carrying out his or her statutory inspection functions.

688.           Subsection 186B(5) provides that subsection 186B(1) does not require the Ombudsman to inspect all of the information or documents which could conceivably come under the auspices of paragraphs 186B(1)(a) and (b). As subsection 186B(1) provides that the Ombudsman ‘must’ inspect the records of an agency to determine the extent of compliance by the agency with Chapter 3 or Chapter 4 of the TIA Act, subsection 186B(5) serves as an avoidance of doubt clause to qualify the directive obligation set out in section 186B(1).

689.           The purpose of this subsection is to make it clear that the Ombudsman can use any appropriate inspection methodology (for example, sampling as indicative of compliance across a particular record field, or focusing the majority of the Ombudsman’s attention on areas considered to be higher risk). The subsection is also intended to clarify that the Ombudsman has the discretion to inspect records the Ombudsman considers to be appropriate in fulfilling his or her inspection functions under Chapter 4A, and is not required to inspect every record held by an agency.

690.           In addition, subsection 186B(5) is not intended to impact upon, or result in a diminution of, the Ombudsman’s inspection function under subsection 186B(1).

691.           Subsection 186B(6) provides that the Ombudsman may choose to refrain from inspecting records of an agency that concern the obtaining or the execution of a stored communications warrant or telecommunications data authorisation while an ongoing operation is being conducted in relation to that warrant or authorisation.

692.           The purpose of subsection 186B(6) is to ensure that inspections do not interfere with the progress of a current operation. This provision is intended to avoid inspections occurring at an intermediate juncture when operations being conducted under a stored communications warrant or an authorisation under Division 3, 4 or 4A of Part 4-1 of the TIA Act are actively being progressed. Inspecting records at these times could potentially hamper the conduct of proceedings or impede the progress of investigations. Further, the inspection results may be improperly calibrated because they would measure compliance before critical events have occurred in respect of the issuing, or execution of a warrant or may occur during the course of obtaining an emergency or tracking device authorisation.

Section 186C—Power to obtain relevant information

693.           Section 186C empowers the Ombudsman to require an officer of an enforcement agency to provide information to the Ombudsman in writing, signed by the officer, at a specified place and within a specified period of time where the Ombudsman has reason to believe that the officer is able to give the information required.

694.           Section 186C ensures that the Ombudsman has sufficient power to carry out the Ombudsman’s inspection functions under Chapter 4A and can acquire supplementary information where necessary to effectively conduct an investigation, including by requiring officers of an agency to attend and answer relevant questions.

695.           Under paragraph 186C(1)(a), if the Ombudsman knows the officer’s identity, the Ombudsman must write to the officer in order to require the officer to provide the written information and/or attend to answer questions.

696.           Paragraph 186C(1)(b) applies when the Ombudsman does not know the identity of the relevant officer in an agency. In these circumstances, the provision authorises the Ombudsman to write to the chief officer of an enforcement agency to require them, or a person nominated by the chief officer, to answer questions relevant to the inspection before a specified inspecting officer, at a specified place and within a specified period, or at a particular time on a particular day, which is reasonable having regard to the circumstances.

697.           Subsection 186C(2) provides that the Ombudsman must specify a place and time for an officer to attend as required under subsection 186C(1). The place and time nominated must be reasonable in the circumstances.

698.           Subsection 186C(3) establishes an offence where a person refuses to attend before a person, give information or answer questions when required to do so under section 186C. The maximum penalty for the offence is imprisonment for six months.

699.           The purpose of an offence provision under subsection 186C(3) is to ensure that agency officers do not hinder the Ombudsman inspection functions under Chapter 4A of the TIA Act by unreasonably refusing to attend, give information or answer questions as required. It is also broadly consistent with similar provisions under the Surveillance Devices Act 2004 (section 56) and the Inspector-General of Intelligence and Security Act 1986 (section 18). The offence provision is only enlivened in relation to officials of law enforcement agencies. Such officials hold positions of public trust and exercise intrusive and covert powers under the TIA Act. Accordingly, public confidence in the justice system requires that officials are held to a higher standard of conduct, particularly because there are fewer avenues to identify misconduct or systemic non-compliance in the telecommunications interception environment due to its covert nature.

Section 186D—Ombudsman to be given information and access despite other laws

700.           Section 186D provides that a person is to be given information and access to documents despite other laws, including the laws of any State or Territory. The purpose of this provision is to ensure that the Ombudsman is able to obtain all the information and documents required to carry out the Ombudsman’s inspection functions under the TIA Act, and that agency officers are not prevented by other laws from providing necessary information or assistance.

701.           Subsection 186D(1) provides that a person is not excused from giving information, answering a question or giving access to a document (disclosing information), as required under Chapter 4A (oversight by the Commonwealth Ombudsman) of the TIA Act, despite other matters which may otherwise bar the giving of that information.

702.           These matters are listed at paragraphs 186D(1)(a) to (c) and are that disclosure of the information would be: a contravention of a law (including the law of any State or Territory); contrary to the public interest, or might tend to incriminate the person or make the person liable to a penalty.

703.           Paragraph 186D(1)(c) abrogates the privileges against self-incrimination or self-exposure to a civil or administrative penalty (hereinafter referred to together as ‘self-incrimination’) in relation to the disclosure of information required under Chapter 4A.

704.           However, subsection 186D(2) provides that the disclosed information cannot be used as evidence against the person who disclosed that information, whether directly or indirectly (a ‘use immunity’ and ‘derivative use’ immunity). The use and derivative use immunity does not apply to prosecutions for offences against sections 133, 181A, 181B and 182 of the TIA Act or Part 7.4 or 7.7 of the Criminal Code.

705.           Section 133 of the TIA Act creates an offence of unlawful dealing in accessed stored communications under Chapter 3, Part 3-4, Division 1 of the TIA Act. Sections 181A, 181 and 182 create offences for unlawful dealing in telecommunications data authorisation information or unlawful secondary disclosure of accessed telecommunications data under Chapter 4, Part 4-1, Division 6 of the TIA Act. Parts 7.4 (false or misleading statements) and Part 7.7 (forgery and related offences) of the Criminal Code create offences relating to hindering, obstructing, intimidating or resisting a public official in the performance of their functions.

706.           The use and derivative use immunity does not prevent the admission of disclosed information as evidence against a person other than the person who disclosed the information.

707.           The immunity is an important human right. However, the public interest in abrogating the privilege outweighs the interest in maintaining the privilege. First, the powers to access stored communications and telecommunications data are intrusive and covert powers, the unlawful use or disclosure of which could potentially result in significant harm to individuals, including a significant intrusion on their privacy. There is, therefore, a strong public interest in the Ombudsman, being the relevant oversight body for these powers, to be able to compel an officer of an enforcement agency to reveal information that might indicate that stored communications or telecommunications data have been unlawfully used or disclosed, even if doing so would show that the person had committed an offence, or might be liable to a penalty.

708.           Second, the integrity of the stored communications and telecommunications data regimes, and public confidence therein, are important in their own right. The powers afforded to agencies under these regimes are key investigative tools for a range of serious criminal offences, the investigation of which are manifestly in the public interest. Officers exercising these powers are afforded a high degree of public trust, given their intrusive and covert nature. A serious breach of the integrity of the regime, and/or a loss of confidence therein (including a loss of confidence based on a perception of a lack of integrity,) would create a serious risk that these powers would be fettered or removed, to the detriment of agencies’ investigative capabilities. It is, therefore, important that the Ombudsman have the power to compel an officer of an enforcement agency to reveal information that might indicate that stored communications or telecommunications data have been unlawfully used or disclosed, and to be seen to have such a power, even if doing so would show that the person had committed an offence, or might be liable to a penalty.

709.           Third, the abrogation of the privilege occurs within the context of a regulatory regime, and applies only to people who are voluntarily subject to that regime, being in all cases people who have chosen to be officers of enforcement agencies and, in most cases, officers who have chosen to be involved in, or in relation to the exercise of these powers under Chapters 3 and 4 of the TIA Act.

710.           The harm to individual rights is minimised by the provision of a use and derivative use immunity. The immunity is however limited, and does not apply to proceedings for specific offences, prosecutions and civil penalties under the TIA Act and certain Criminal Code offences.

711.           The regime contained in Chapter 4A strengthens oversight and accountability of agency access to stored communications and telecommunications data. The benefit to the public of an effective oversight regime is high, given the privacy sensitive nature of this information. The disclosure of information to the Commonwealth Ombudsman, and the ability to prosecute a person involved in wrongdoing under the TIA Act, forms a core part of the inspection and oversight functions of the Ombudsman. This function would be significantly impaired if persons were excused from providing self-incriminating information, or if that information could not be used as evidence in TIA Act proceedings.

712.           Other laws do not prevent the disclosure of information for the purposes of an inspection. Subsections 186D (3) and (4) provide that the unlawful disclosure provisions in sections 133, 181A, 181B or 182 of the TIA Act or in any other law do not prevent the disclosure of information to an inspecting officer of the Commonwealth Ombudsman for the purposes of an inspection under the oversight provisions contained in Chapter 4A.

713.           The purpose of provisions such as those in sections 133, 181A, 181B or 182 of the TIA Act is to protect the privacy of impact on persons whose information was accessed under the TIA Act. Given the purpose of the oversight regime in ensuring that agencies access this privacy sensitive information in a lawful manner, it is appropriate that the requirement to disclose information to the Ombudsman under section 186D overrides any other laws that prevent the disclosure of that information. Subsection 186D(3) provides that nothing in sections 133, 181A, 181B or 182 of the TIA Act or any other law prevents an officer of an enforcement agency from providing information to an inspecting officer in any form or from providing access to records of the enforcement agency for the purposes of an inspection under Chapter 4A.

714.           Subsection 186D(4) provides that nothing in sections 133, 181A, 181B, 182 of the TIA Act or any other law, prevents an officer of an enforcement agency from making a record of information, or causing such a record to be made for the purposes of giving the information to a person as permitted by subsection 186D(3).

Section 186E—Application of Ombudsman Act

715.           Section 186E sets out the interaction of the Ombudsman Act 1976 (Cth) (the Ombudsman Act) with the new Ombudsman oversight regime in Chapter 4A of the TIA Act. This provision ensures that the specific powers and duties of the Ombudsman in Chapter 4A interact correctly and appropriately with the general powers and duties of the Ombudsman in the Ombudsman Act.

716.           Subsection 186E(1) provides that section 11A of the Ombudsman Act, regarding the power of the Federal Court of Australia to determine matters concerning the Ombudsman’s powers, does not apply to the exercise of a power or function by the Ombudsman under Chapter 4A.

717.           Subsection 186E(2) provides that section 19 of the Ombudsman Act, regarding annual reporting to Parliament, does not apply to any act or omission of an Ombudsman inspecting officer under Chapter 4A.

718.           Subsection 186E(3) provides that, subject to section 186D (which provides that the Ombudsman is to be given information and access despite other laws), sections 35(2), (3), (4) and (8) of the Ombudsman Act (regarding the preservation of confidentiality of inspecting officers) apply for the purposes of Chapter 4A.

Section 186F—Exchange of information between Ombudsman and State inspecting authorities

719.           Section 186F allows the Ombudsman to develop more effective and consistent inspection arrangements with State and Territory inspection authorities, including State or Territory Ombudsmen. Section 186F ensures that the Ombudsman and State and Territory inspecting authorities (including State and Territory Ombudsmen) can exchange information with each other that is relevant to their inspection functions.

720.           Subsection 186F(1) enables the Ombudsman to give information that relates to an authority of a State or Territory, which was obtained by the Ombudsman under the TIA Act, to the inspecting authority in relation to the agency in the relevant State or Territory.

721.           Subsection 186F(2) qualifies subsection 186F(1) by providing that the information can only be passed where the Ombudsman believes the information is necessary for the inspecting authority to perform its functions in relation to the State or Territory agency.

722.           Subsection 186F(3) also provides that the Ombudsman can receive from an inspecting authority information relevant to the performance of the Ombudsman’s functions under the TIA Act.

Section 186G—Delegation by Ombudsman

723.           Section 186G provides for the Ombudsman’s powers of delegation. This provision ensures that members of the staff of the Ombudsman’s office can perform the functions of the Ombudsman as required. It is envisaged that the functions of the Ombudsman will be carried out by members of the Ombudsman’s staff under a Carltona type delegation. Carltona delegates would act in the name of the person making the delegation—the Ombudsman. The delegation provisions would not preclude the Ombudsman from making an ordinary statutory delegation of powers.

724.           Subsection 186G(1) provides that the Ombudsman may delegate the Ombudsman’s powers under Chapter 4A to an Australian Public Service (APS) employee responsible to the Ombudsman (which may include, for example, an employee of another APS agency seconded to the Ombudsman’s office) or an employee of a State or Territory oversight body that has similar oversight functions to the Commonwealth Ombudsman.

725.           Subsection 186G(1) also provides that the Ombudsman does not have the power to delegate the power to report to the Minister as set out in section 186J. In addition, the Ombudsman’s power to delegate does not include the power of delegation set out in subsection 186G(1).

726.           A delegation by the Ombudsman under subsection 186G(1) does not prevent the exercise of that power by the Ombudsman.

727.           Subsection 186G(2) provides that a delegate must produce, upon the request of any person affected by an exercise of power under a delegation under s186G(1), the instrument to the person (or a copy of the instrument). The delegate can satisfy this requirement by producing an electronic copy of the delegation.

Section 186H—Ombudsman not to be sued

728.           Section 186H confers immunity from suit to the Ombudsman, an inspecting officer or a person acting under an inspecting officer’s authority, for an act or omission made in good faith in the performance of the Ombudsman’s inspection functions under Chapter 4A.

729.           Section 186H ensures that the Ombudsman and the Ombudsman’s staff are able to perform their inspection functions under Chapter 4A without being impeded by the possibility of legal action. However, this immunity only applies if the inspection functions are being carried out in good faith.

Section 186J—Reports

730.           Section 186J implements a new public reporting regime in relation to the Ombudsman’s oversight functions set out under section 186B. The Ombudsman is required to report on the results of its oversight functions relating to compliance by agencies generally with the requirements of Chapters 3 and 4 of the TIA Act relating to issue of preservation notices, access to stored communications and access to telecommunications data.

731.           One of the purposes of section 186J is to ensure that the Ombudsman is able to make public the results of its inspections under Chapter 4A. Public reporting by the Ombudsman is a key element in providing public accountability and transparency in relation to the use by agencies of their powers under Chapters 3 and 4 of the TIA Act. It is also designed to reassure the public that agencies are using their powers under Chapters 3 and 4 of the TIA Act lawfully and appropriately.

732.           Subsection 186J(1) provides that the Ombudsman must provide a written report to the Minister containing the results of the inspections undertaken under section 186B of the TIA Act.

733.           Subsection 186J(2) provides that the Ombudsman must give the Minister the report as soon as practicable by the end of each financial year. This gives the Ombudsman’s inspectors some further latitude given the wide ranging compliance assessments that need to be conducted across a range of agencies against all powers potentially exercisable under Chapters 3 and 4. An extended timeframe may be required, particularly with the introduction of the mandatory data retention regime, which may collaterally impact upon the time needed to conduct, and the complexity of, compliance assessment.

734.           Subsection 186J(3) provides that a copy of the Ombudsman’s report is to be tabled by the Minister before each House of Parliament within 15 sitting days of that House after the Minister has received the report.

735.           Subsection 186J(4) provides that the Ombudsman can report to the Minister at any time and also that the Minister may require the Ombudsman to do so. The purpose of this provision is to clarify that the Ombudsman is not restricted to providing reports to the Minister only at twelve monthly intervals. For example, the Ombudsman could choose to report more frequently in relation to a particular agency. This is consistent with the provisions in section 186B which provide that the Ombudsman may inspect the records of an agency at any time.

736.           Subsection 186J(4) also clarifies that the Minister can require the Ombudsman to report to the Minister on an inspection by the Ombudsman under Chapter 4A.

737.           Subsection 186J(5) provides that the Ombudsman can include in an inspection report any suspected contravention of the TIA Act by an officer of an enforcement agency the Ombudsman has inspected. This provision ensures that the Ombudsman has a general power to report on purported contraventions of the TIA Act that the Ombudsman discovers in relation to its inspections under Chapter 4A of the Act.

738.           A suspected contravention reported by the Ombudsman does not, as a matter of course, give rise to, or imply legal liability. In complying with this section, the Ombudsman is bound by the obligations imposed by sections 133, 181B and 182 of the TIA Act. Section 133 of the TIA Act creates an offence of unlawful dealing in accessed stored communications under Chapter 3, Part 3-4, Division 1 of the TIA Act. Sections 181B and 182 create offences for unlawful dealing in telecommunications data authorisation information or unlawful secondary disclosure of accessed telecommunications data under Chapter 4, Part 4-1, Division 6 of the TIA Act.

739.           Subsection 186J(6) requires the Ombudsman to give a copy of a report to the chief officer of the relevant enforcement agency which is the subject of the report.

740.           Subsection 186J(7) provides that an Ombudsman’s report must not contain information that could endanger a person’s safety, prejudice an investigation or prosecution, or compromise an enforcement agency’s lawful activities or methods. The purpose of this provision is to ensure that the report does not contain security sensitive information or information which reveals law enforcement capability that should not be made public.

Part 2—Application provisions

741.           Part 2 of Schedule 3 contains application provisions in relation to Ombudsman inspections, Ombudsman reports and the obligation by agencies to retain records for the purposes of Ombudsman inspections.

Item 8—Existing inspections by the Ombudsman

742.           Item 8 is an application provision. It provides that Ombudsman inspections in existence before the commencement of Schedule 3, but not yet completed, are treated as Ombudsman inspections conducted as if they were being conducted under the regime in Chapter 4A of the TIA Act. The provision also provides that anything done under the inspection before the commencement of Chapter 4A is deemed to have been done under Chapter 4A.

743.           This provision ensures that existing Ombudsman inspections still in progress prior to the commencement of the new inspection regime in Chapter 4A remain valid.

Item 9—Reports

744.           Item 9 is an application provision. It applies to Ombudsman inspections under the current section 152 of the TIA Act that had been completed prior to the commencement of the new inspection regime, but which the Ombudsman had not yet reported on under current section 153 of the TIA Act. The provision applies the reporting provisions in section 186J to these circumstances.

745.           This item ensures that the Ombudsman can still report on material for which it had completed an inspection under the current section 152, but had not yet been able to provide a report under current section 153 of the TIA Act.

Item 10—Obligation to keep records

746.           Item 10 is an application provision. It provides that the new record keeping provisions in relation to Ombudsman inspections in sections 151 and 186A do not apply to anything done before commencement of the new inspection regime in Chapter 4A of the TIA Act. This provision clarifies that agencies are not required to comply with the more detailed record keeping obligations in sections 151 and 186A of the TIA Act in relation to their use of powers under Chapters 3 and 4 of the TIA Act prior to the commencement of the new Ombudsman inspection regime.

747.           The item also provides that the record keeping provisions in the current 150A of the TIA Act (relating to preservation notices) and section 151 of the TIA Act (relating to stored communications access) continue to apply to anything done prior to the commencement of the new inspection regime. This ensures that enforcement agencies (as that term applied under the TIA Act prior to the commencement of this legislation) must comply with the record keeping provisions in current sections 150A and 151 of the TIA Act in relation to their use of powers in Chapter 3 of the TIA Act prior to the commencement of the new Ombudsman inspection regime.

 




[1] The Privacy Act sets out the circumstances in which a carrier or carriage service provider (C/CSP) may use or disclose personal information, and sets out detailed requirements that must be met before a C/CSP may disclose personal information outside Australia. The proposed Telecommunications Sector Security Reform, as recommended by the Parliamentary Joint Committee on Intelligence and Security, will involve introducing a new obligation on C/CSPs to do their best to prevent unauthorised access and unauthorised interference to telecommunications networks and facilities, including where a C/CSP outsources functions.

 

[2] Judicial consideration of Directive 2006/24/EC of the European Parliament and of the Council on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC [2006]

O J L 105/54.

[3] Paragraph 4.121 at 146.

[4] R v Wholesale Travel Group Inc [1991] 3 SCR 154.

[5] Attorney-General’s Reference (No 4 of 2002) [2005] 1 AC 264; see also R v DPP; ex parte Kebilene [2000]

[6] R v Johnstone [2003] UKHL 28

[7] Pham Hoang v France (1993) 16 EHRR 53.

[8] Ballantyne, Davidson, McIntyre v. Canada , Human Rights Committee Communications Nos. 357/1989 snf 385/1989 at 11.3.

[9] J.R.T and the W.G Party v Canada , Human Rights Committee Communication No 104/1981, 8.

[10] Human Rights Committee , General Comment No 6 (1982), para 5

[11] Osman v United Kingdom (1998) 29 EHRR 245, para 115.

[12] Osman v United Kingdom (1998) 29 EHRR 245; see also Kontrová v Slovakia [2007] ECHR 7510/04 (31 May 2007) . See also Smith v Chief Constable of Sussex Police [2008] EWCA Civ 39 (5 February 2008).

[13] Judicial review remains available for decisions made under the TIA Act pursuant to paragraph 75(v) of the Constitution and s 39B of the Judiciary Act 1901 (Cth))

[14] Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice , Report No 108 (2008) 73.33.

[15] See section 3 of the Telecommunications Act 1997 .

[16] Australian Government Attorney-General’s Department (2013), Telecommunications (Interception and Access) Act 1979 Annual Report 2012-13 , 47-51.

[17] Opened for signature 23 November 2001, ETS 185 (entered into force 1 July 2004).

[18] See also Council of Europe, Explanatory Report to the Convention on Cybercrime, paragraph 141.

[19] Stephens v Abrahams (1902) 27 VLR 753 at 767; see also Lush v Coles (1967) 2 All ER 585 at 588.