Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Telecommunications and Other Legislation Amendment Bill 2016



Download PDFDownload PDF

ISSN 1328-8091

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest.

BILLS DIGEST NO. 9, 2017-18 8 AUGUST 2017

Telecommunications and Other Legislation Amendment Bill 2016 Monica Biddington and Jaan Murphy Law and Bills Digest Section

Contents

The Bills Digest at a glance ................................................... 4

Purpose of the Bill ............................................................... 6

Structure of the Bill ............................................................. 6

Background ......................................................................... 6

2013 PJCIS report..................................................................... 7

2015 PJCIS report..................................................................... 8

2016 Australian Cyber Security Strategy ................................. 9

Committee consideration .................................................... 9

Parliamentary Joint Committee on Intelligence and Security .................................................................................... 9

Senate Standing Committee for the Selection of Bills ............. 9

Senate Standing Committee for the Scrutiny of Bills .............. 9

Policy position of non-government parties/independents ... 10

Opposition ............................................................................. 10

Other non-government parties and independents ............... 10

Position of major interest groups ....................................... 10

Previous consideration of TSSR and position of interest groups .................................................................................... 10

Current position of major interest groups ............................ 11

Joint submission from industry associations ....................... 12

Australian Centre for Cyber Security ..................................... 13

The Bill and the Metadata Act ............................................ 14

Financial implications ........................................................ 15

Statement of Compatibility with Human Rights .................. 15

Parliamentary Joint Committee on Human Rights ................ 15

Date introduced: 9 November 2016

House: Senate

Portfolio: Attorney-General

Commencement: 12 months after the date of Royal Assent.

Links: The links to the Bill, its Explanatory Memorandum and second reading speech can be found on the Bill’s home page, or through the Australian Parliament website.

When Bills have been passed and have received Royal Assent, they become Acts, which can be found at the Federal Register of Legislation website.

All hyperlinks in this Bills Digest are correct as at

August 2017.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 2

Key issues and provisions................................................... 15

Administrative guidelines ...................................................... 15

Over-the-top services ............................................................ 16

Security obligations ............................................................... 19

Concerns about the use of the ASIO Act definition of security ................................................................................ 21

Key definitions underpinning the security obligations ........ 21

The security obligations generally ....................................... 22

Table 1: security obligations ................................................ 23

Immunity from liability ........................................................ 24

Elements of the security obligation .................................... 24

Meaning of ‘do their best’ element of the security obligations ........................................................................... 24

Security obligations and their application ........................... 27

The definition of ‘facility’ and the security obligations ....... 27

Concerns about retrofitting ................................................. 29

Notification regime—overview ............................................. 29

Individual notifications ........................................................ 30

Annual Security Capability Plans ......................................... 32

Interaction between SCPs and individual notification regime Annual Security Capability Plans ............................. 33

Assessment of notified proposed changes ............................ 33

Criticism of notification regime ............................................. 34

Logic of the approach .......................................................... 35

Asymmetry of the notification requirements ..................... 35

Inconsistency with the direction regime ............................. 35

Length of time to finalise a decision ................................... 35

Unnecessary interference with commercial decisions of carriers and CSPs ................................................................. 36

Offshoring ............................................................................ 36

Unclear thresholds and unnecessarily broad scope of application ........................................................................... 38

Directions by the Attorney-General ...................................... 39

Current position .................................................................. 39

Power to require a carrier or CSP to cease operating a telecommunications service ................................................ 39

Power to require a carrier, CSP or intermediary to do or refrain from doing a specified act ................................... 41

Criticisms of the directions powers ....................................... 43

Potential to undermine investment decisions and reduce competition ............................................................. 44

Inappropriate weighting given to adverse security assessments......................................................................... 44

The impact of uncertain definitions and the opacity of adverse security assessments ............................................. 45

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 3

Lack on consultation requirement in shutdown power ...... 46

Information gathering and sharing powers ........................... 46

Power to obtain information or documents ....................... 47

Content of notice to produce information or documents ........................................................................... 47

Availability of compensation ............................................... 48

Abrogation of privilege against self-incrimination .............. 48

Information sharing ............................................................. 48

Criticisms of the information gathering and sharing powers ................................................................................. 51

Reporting and oversight ........................................................ 53

Concluding comments ....................................................... 53

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 4

The Bills Digest at a glance

Purpose of the Bill

• The purpose of the Bill is to create a regulatory framework for industry and government to collaboratively manage national security risks of espionage, sabotage and foreign interference to Australia’s telecommunications networks and facilities.

• The Bill will provide the Attorney-General with a new power to direct a carrier or carriage service provider (CSP) or a carriage service intermediary (intermediary) to do or not do a specified thing on security related grounds (for example, alter a procurement assessed as giving rise to security risks).

Background

• The proposed measures in the Bill form part of a package of reforms to national security legislation, identified by the former government in 2012, commonly referred to as Telecommunications Sector Security Reforms (TSSR). The TSSR is the process of developing regulatory mechanisms to ensure that industry engages with security agencies to enable the early identification and collaborative management of security risks in their infrastructure, and information held on or carried over it.

• TSSR has been an issue of sustained parliamentary and industry interest and consideration, including inquiries by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) in 2012-13 and 2014-15 and public consultations on two exposure draft Bills released by the Government in 2015.

• The overall intent and objectives of the Bill reflect and are largely consistent with recommendations of the PJCIS on TSSR related measures, and Government responses to those recommendations.

Stakeholder concerns

• Stakeholders have expressed concerns including that because the regime favours security interests over commercial or competition interests, it is an inappropriate intrusion into the commercial decision-making of telecommunications companies’ that will undermine sound investment decisions and reduce innovation in the sector.

• In addition to raising in-principle concerns about the Bill, some stakeholders have supported amendments to specific provisions of the proposed regime, generally to strengthen safeguards, place limits on administrative discretions and enhance protections for commercially sensitive information that may be required to be disclosed under the proposed framework.

• Some members of the PJCIS questioned whether the Bill contains adequate mechanisms to identify the amount of data held by Australian telecommunications companies that is stored offshore (commonly referred to as ’offshoring’) and ensure its protection.

Key elements

• The regime will have a delayed commencement (12 months), including the development of administrative guidelines website.1

• The regime established by the Bill will apply to carriers, CSPs and intermediaries to varying degrees.

• A new security obligation is imposed on carriers and CSPs to ‘do their best’ to manage risks related to unauthorised access and interference to networks and facilities they own, operate or use to ensure the availability and integrity of networks and facilities and to protect the confidentiality of information stored on and carried across them.

1. Attorney-General’s Department (AGD), Telecommunications sector security guidelines: knowing your legislative obligations to protect telecommunications networks and facilities form unauthorised access and interference: draft version, AGD, Canberra, November 2015, p. 37.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 5

• A new notification requirement is imposed on carriers and certain CSPs to notify the government of planned changes to their systems and services that are likely to make the network or facility vulnerable to unauthorised access and interference.

• The Secretary of the AGD is provided with coercive information gathering powers in relation to carriers, CSPs and intermediaries subject to the new regime to facilitate monitoring of and investigations into compliance with the new security obligations.2

Key issues for debate

• The scope of key definitions including applying all components of the definition of ‘security’ in the Australian Security Intelligence Organisation Act 1979 (the ASIO Act) to the new security obligations and notification requirements in proposed sections 313(1A) and (2A), rather than specifically limiting it to the components of the definition listed in the notes to the provisions contained in the Bill.

• The suitability and breadth of application of the new security obligations.

• The compliance burden and risk associated with the notification obligation.

• The adequacy of the threshold that must be satisfied (and matters to be considered) before the directions or shutdown power can be used by the Attorney-General requiring a carrier, CSP or intermediary to do, or refrain from doing, a specified act or thing (or ceasing to supply a carriage service).

• The application of the regime to web-based email, voice over internet protocol (VoIP) and cloud computing services.

• The adequacy of safeguards in relation to compulsory disclosure and information-sharing powers, including:

- potential limitations in the protections available for the secondary disclosure of information for the purposes of security under proposed section 315H(1)(b) and - possible ways in which protections of commercially sensitive information could be strengthened under the proposed information-sharing arrangements in proposed section 315H (both legislative and

administrative). • The adequacy of the oversight and reporting requirements in relation to the operation of the proposed scheme and

• The collection of data offshore(and more specifically, the storage of data required to be retained under the Telecommunications (Interception and Access) Act 1979 (the TIA Act).

2. For further information including a flowchart of the administration of the TSSR, see ibid., p. 37.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 6

Purpose of the Bill The purpose of the Telecommunications and Other Legislation Amendment Bill 2016 (the Bill) is to amend the Telecommunications Act 1997 (the Act), TIA Act, ASIO Act and the Administrative Decisions (Judicial Review) Act 1977 (the ADJR Act) to provide a regulatory framework for industry and government to collaboratively manage national security risks of espionage, sabotage and foreign interference to Australia’s telecommunications networks and facilities.3 It does so by:

• imposing a new security obligation on carriers and CSPs to ‘do their best’ to manage risks related to unauthorised access and interference to networks and facilities they own, operate or use to:

- ensure the availability and integrity of networks and facilities and - to protect the confidentiality of information stored on and carried across them • imposing notification requirements on carriers and certain nominated CSPs (‘NCSPs’) to notify the government of planned changes to their systems and services that are likely to make the network or facility

vulnerable to unauthorised access and interference

• providing the Secretary of the AGD with information gathering powers to facilitate monitoring of and investigations into compliance with the new security obligations

• providing the Attorney-General with two directions powers (subject to certain conditions being met) to:

- direct a carrier or CSP to do or not do a specified thing (the ‘directions power’), for example, alter a procurement assessed as giving rise to security risks or - shut down a specific service (the ‘shutdown power’) and • providing enforcement mechanisms by extending the civil remedies regime provided for in Part 30

(injunctions), Part 31 (civil penalties), and Part 31A (enforceable undertakings) of the Act to address non-compliance with the security obligations, a Ministerial direction, or notice to produce information or a document.4

Structure of the Bill This Bill has one Schedule, divided into three parts.

Part 1 contains the main amendments to the Act and TIA Act to implement the new framework, which relate to the security obligations, notification obligations and requirements, information gathering powers, the directions and shutdown powers of the Attorney-General and the enforcement mechanisms.

Part 2 contains consequential amendments to the ASIO Act and ADJR Act with respect to the issuing of security assessments for the purpose of the new regime, and the statutory judicial review of Ministerial directions.

Part 3 contains transitional and saving provisions, which deal with Ministerial directions and security assessments issued under the existing legislation, immediately before the commencement of the proposed amendments.

Background There has been parliamentary interest and consideration of issues related to security of the telecommunications sector for a number of years. The Bill reflects previous consideration of issues pertaining to the security of the telecommunications sector generally by the PJCIS, as well as more recent Government policy. In particular, the PJCIS, as constituted in the 43rd and 44th Parliaments, gave bipartisan support to the development of TSSR measures, including in-principle support for the core elements of a regulatory framework. The Government supported the PJCIS’s recommendations and now proposes to implement them in this Bill.

3. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, pp. 2, 4. 4. Ibid., pp. 4-5.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 7

2013 PJCIS report In 2013, as part of its report examining potential reforms to the Australia’s national security legislation,5 the PJCIS recommended that ‘the Government amend the Telecommunications Act 1997 to create a telecommunications security framework’ with the following features:

 a telecommunications industry-wide obligation to protect infrastructure and the information held on it or passing across it from unauthorised interference a requirement for industry to provide the Government with information to assist in the assessment of national security risks to telecommunications infrastructure and

 powers of direction and a penalty regime to encourage compliance. 6

The PJCIS also recommended that (through a Regulation Impact Statement (RIS)) the Government also consider:

 the interaction of any such proposed regime with existing legal obligations imposed upon corporations

 the compatibility of the proposed regime with existing corporate governance where a provider’s activities might be driven by decisions made outside of Australia

 consideration of an indemnity to civil action for service providers who have acted in good faith under the requirements of the proposed framework and

 the impacts of the any such proposed regime on competition in the market-place, including:

- the potential for proposed requirements to create a barrier to entry for lower cost providers

- the possible elimination of existing lower cost providers from the market, resulting in decreased market competition on pricing and

- any other relevant effects.7

The Government released a response to parts of the 2013 PJCIS report in July 2015, supporting this recommendation and indicating its intention to introduce legislation within the year, following public consultation on an exposure draft Bill. The Government further indicated its intention to refer the Bill, once introduced, and a RIS to the PJCIS for inquiry and report.8 The measures proposed by the Bill are broadly consistent with the above recommendations and the Government’s response. The Government released two exposure draft (ED) Bills for public consultation in June and November 2015.9 The second Exposure Draft made a ‘number of changes to improve the operation of the proposed legislation in response to feedback received …’10 It also issued an unclassified RIS (with some redactions of classified information) in July 2015.11 The finalised RIS is annexed to the Explanatory Memorandum to the Bill and addresses the key considerations noted above and analyses the respective net regulatory benefits of the policy options.12

5. In May 2012, the then Attorney-General Nicola Roxon, referred potential TSSR measures to the PJCIS for inquiry during the 43rd Parliament and in particular, sought the PJCIS’s views on whether a regulatory response was necessary or appropriate and, if so, the appropriate structure of the regulatory model. As part of this process, the Government issued a discussion paper See: AGD, Equipping Australia against emerging and evolving threats, AGD, Canberra, July 2012, pp. 29-39.

6. Parliamentary Joint Committee on Intelligence and Security (PJCIS), Report of the inquiry into potential reforms of Australia’s national security legislation, PJCIS, Canberra, May 2013, pp. xxviii-xxix. 7. Ibid., p. xxix.

8. Australian Government, Australian Government response to chapters 2 and 3 of the Parliamentary Joint Committee on Intelligence and Security's report of the inquiry into potential reforms of Australia's national security legislation, Australian Government, July 2015, p. 13. 9. G Brandis (Attorney-General) and M Turnbull (Minister for Communications), Consultation opens on reforms to strengthen the security of Australia's telecommunications networks, joint media release, 26 June 2015; and G Brandis (Attorney-General) and M Fifield (Minister for

Communications and the Arts), Further consultation on telecommunications sector security reform, joint media release, 27 November 2015. Non-confidential submissions on the two exposure drafts are published at AGD, ‘Telecommunications security’, AGD website. A summary of changes made to the Bill in response to stakeholder feedback on exposure drafts are published at AGD, ‘Telecommunications sector security reforms’, AGD website, n.d. 10. AGD, ‘Telecommunications security’, AGD website. 11. Office of Best Practice Regulation, Department of the Prime Minister and Cabinet (DPMC), Telecommunications sector security reforms:

regulatory impact statement, DPMC website, 6 July 2015. (The RIS also indicates that targeted consultations were held with C/CSPs in 2012, 2014 and 2015: RIS, Attachment B, p. 44.) 12. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, pp. 50-103.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 8

2015 PJCIS report In its advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (examined in Bills Digest No. 89, 2014-15) the PJCIS also recommended that ‘the Government enact the proposed telecommunications sector security reforms prior to the end of the implementation phase for the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014’.13 Following passage of the latter Bill in March 2015, the 18-month implementation phase for the data retention regime commenced on 13 October 2015 and ended on 13 April 2017.14

The PJCIS noted several potential security risks associated with the (then) proposed mandatory data retention scheme, including the potential for increased unlawful access to, or compromise of, personal information that may be required to be retained under the scheme. It considered that the timely implementation of TSSR measures was critical to the integrity of, and community confidence in, the data retention regime (particularly as the data retention regime was non-prescriptive as to where retained data must be stored, and therefore allowed its storage at offshore facilities). The PJCIS stated it was ‘strongly of the view’ that the TSSR measures it considered in its 2013 report ‘should be finalised and implemented prior to the end of the [data retention] implementation period’.15 The PJCIS also indicated its preference for any future TSSR-related legislation to be referred to it for inquiry and advisory report to the Parliament.16

The Government supported the PJCIS’s recommendation, stating that it would ‘introduce a [TSSR] scheme prior to the conclusion of the data retention implementation period’.17 The introduction of the Bill in November 2016 gives effect to that response.

That said, there is likely to be a period of time in which the data retention regime (DDR) will be fully operational in the absence of a dedicated regulatory framework for TSSR (given the commencement date specified in the Bill (12 months after royal assent) and the likely timing for the debate in Parliament and potential passage of the Bill. This delay means that the Government will arguably have a reduced capacity during the 12-month period before the TSSR scheme commences to inform itself about storage arrangements for data that is retained, and take steps to ensure its security (particularly in relation to offshore storage arrangements). The AGD explained that during the implementation period for DRR that (at that time) it did not have visibility of the nature and extent of offshoring arrangements, with Mrs Anne Sheehan (Assistant Secretary, Communications Security Branch, National Security Division of the AGD) stating:

We do not have a complete picture of every company's offshore storage of data. In conversations with some industry members, we may have some visibility, but not across the board. What this bill would introduce is a notification requirement, and one of the kinds of changes that would have to be notified is information that is being stored offshore.

18

Much may therefore depend on informal cooperation during this period. One risk is that when the TSSR scheme commences, the new notification requirements might identify data storage practices adopted in response to the DDR over the previous 12 months that are inconsistent with the new security obligations. If this risk eventuated, the early period in which the TSSR scheme is operational may need to focus on remedial actions and possibly require ‘retrofitting’ (despite the stated policy intention that the measures proposed in the Bill will not generally require carriers, CSPs or intermediaries to engage in retrofitting19). In this regard, arguably the delayed

13. PJCIS, Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, PJCIS, Canberra, 27 February 2015, recommendation 36. (While the formal language used in the recommendation—that the government should enact legislation—is a non sequitur, the Committee’s supporting justification at p. 297 makes clear its intention that the TSSR framework should be implemented before the end of the implementation phase for data retention. Hence, it appears that the PJCIS was of the view that the government should introduce a Bill in sufficient time for its passage and commencement prior to the end of the implementation phase for data retention.)

14. Telecommunications (Interception and Access) Act 1979, subsection 187H(2). 15. PJCIS, Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, op. cit., p. 297. 16. Ibid., p. 298. 17. G Brandis (Attorney-General) and M Turnbull (Minister for Communications), Government response to committee report on the

Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, joint media release, 3 March 2015. 18. A Sheehan (Assistant Secretary, Communications Security Branch, National Security Division of the AGD), Evidence to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 16 February 2017, p. 5. 19. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, pp. 23-24: ‘While the security obligation will

have immediate effect from the expiry date of the implementation period, existing networks and facilities in place at the time the security

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 9

introduction (and consequently, passage and commencement) of the legislation deprives security agencies of the maximum possible opportunity to pro-actively ensure that national security considerations are given appropriate weight in decision-making about the storage of retained data, particularly decisions about offshoring, before those decisions are made and implemented.

2016 Australian Cyber Security Strategy The Government’s Australian Cyber Security Strategy, launched in April 2016, referred to ongoing work in developing the TSSR initiatives in the course of implementing the PJCIS’s recommendations to develop a regulatory framework:

Recognising the particular importance of secure telecommunications networks, the Government is working with telecommunications companies to manage supply chain risks by providing advice on protecting their networks and the information stored and carried across them. This includes work the Government is doing on Telecommunications Sector Security Reform to establish more formal and comprehensive arrangements to better manage national security risks of espionage, sabotage and interference.

20 (emphasis added)

Committee consideration Parliamentary Joint Committee on Intelligence and Security The Bill was referred to the PJCIS for inquiry and report by April 2017. Details of the inquiry are at Review of the Telecommunications and Other Legislation Amendment Bill 2016. The Committee reported on 30 June 2017 and made 12 recommendations for the Government to consider prior to the passage of the Bill. The Committee was unanimously satisfied that the legislative framework approach proposed in the Bill is the most appropriate mechanism to ensure the security of Australia’s telecommunications infrastructure.21 The recommendations can be summarised as:

• the revision and expansion of the administrative guidelines (recommendations 1 and 4)

• the exemption of broadcasters from the obligations set out in the Bill (recommendation 2)

• ensuring effective and regular information sharing (recommendation 3)

• allowing requests for exemptions by carriers and carriage service providers for certain changes (recommendation 5)

• clarifying that the Bill does not affect the operation of privacy obligations (recommendation 6)

• expanding the annual reporting and review requirements (recommendations 7, 10 and 12)

• clarifying responsibilities of the Communications Access Co-ordinator (recommendations 8 and 9).

Senate Standing Committee for the Selection of Bills The Senate Standing Committee for the Selection of Bills recommended that the Bill not be referred to Committee.22

Senate Standing Committee for the Scrutiny of Bills The Senate Standing Committee for the Scrutiny of Bills had no comment on the Bill.23

obligation comes into effect that are non-compliant will not be subject to civil penalties for non-compliance with the security obligation to protect networks and facilities under subsections 313(1A) and (2A). C/CSPs are not expected to retrofit all systems on commencement of this security obligation. However, there may be very rare cases where a significant security vulnerability is found in an existing system that could facilitate acts of espionage, sabotage and foreign interference. In such cases, government agencies will seek to work with the provider to develop cost effective solutions to better manage the risks posed by the existing vulnerability. Subject to how serious the security risk is and how willing the C/CSP is to collaborate with government to manage the risk, the Attorney-General could issue a direction requiring mitigation measures to be implemented’. 20. Department of Prime Minister and Cabinet (DPMC), Australia's cyber security strategy: enabling innovation, growth and prosperity, DPMC,

Canberra, 21 April 2016, p. 29. 21. Parliamentary Joint Committee on Intelligence and Security (PJCIS), Advisory report on the Telecommunications and Other Legislation Amendment Bill 2016, PJCIS, Canberra, June 2017, p.25. 22. Senate Standing Committee for the Selection of Bills, Report, 10, 2016, The Senate, Canberra, 1 December 2016, p. 3.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 10

Policy position of non-government parties/independents Opposition TSSR reforms were initially an ALP proposal. In May 2012, the then Attorney-General Nicola Roxon, referred potential TSSR measures to the PJCIS for inquiry during the 43rd Parliament and in particular, sought the PJCIS’s views on whether a regulatory response was necessary or appropriate and, if so, the appropriate structure of the regulatory model. As part of this process, the then ALP Government issued a discussion paper.24

Bipartisan support for the development of TSSR measures and the core features of the regulatory model continued. For example, in the PJCIS’s 2013 Report of the Inquiry into Potential Reforms of Australia’s National Security Legislation (2013 PJCIS Report), the PJCIS unanimously recommended that a TSSR framework be created ‘whether or not Government chooses to introduce a data retention regime’ and that ‘there cannot be an effective and equitable security regime without enforcement mechanisms’.25

Likewise the PJCIS, in its Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (2015 PJCIS Report), unanimously recommended:

… the Government enact the proposed Telecommunications Sector Security Reforms prior to the end of the implementation phase for the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014. 26

In addition, ALP Senators noted in the Senate Legal and Constitutional Affairs References Committee’s 2015 Report on the Comprehensive revision of the Telecommunications (Interception and Access) Act 1979 (2015 L&CA Report) that ‘Labor will continue to press for improvements to data security through the Telecommunications Sector Security Reform (TSSR) process’.27

The Opposition does not appear to have commented publicly about its position on the specific provisions of the Bill as introduced. However, in 2015 the Opposition criticised the first exposure draft of the Bill in light of industry concerns, and called upon the Government to develop and refer a revised exposure draft to the PJCIS for inquiry before introducing a Bill to Parliament.28

Other non-government parties and independents As of the time writing, the position of independents and cross-bench parties was unknown.

However, in 2015 the Australian Greens reportedly expressed some general reservations (in the context of the first Exposure Draft of the Bill), and in particular about proposed the new directions power now contained in proposed section 315B. The Greens noted the potential for directions to be overly prescriptive, effectively telling ‘telecommunications companies how to run their networks and their data centres’.29 Despite this, the Greens do not appear to have announced a position on the current Bill.

Position of major interest groups Previous consideration of TSSR and position of interest groups As noted above, TSSR has been considered by a number of previous Parliamentary and departmental inquiries, with key issues raised by stakeholder having been considered on previous occasions. For example, the 2013 PJCIS’s Inquiry into Potential Reforms of Australia’s National Security Legislation (2013 PJCIS Inquiry) considered

23. Senate Standing Committee for the Scrutiny of Bills, Alert digest, 9, 2016, The Senate, Canberra, 23 November 2016, p. 13. 24. AGD, Equipping Australia against emerging and evolving threats, Commonwealth of Australia, Canberra, July 2012, pp. 29-39. See also: Parliamentary Joint Committee on Intelligence and Security (PJCIS), Report of the inquiry into potential reforms of Australia’s national security legislation, op. cit.

25. PJCIS, Report of the inquiry into potential reforms of Australia’s national security legislation, op. cit., pp. 82-84, recommendation 19. 26. PJCIS, Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, op. cit., recommendation 36. 27. Senate Standing Committee on Legal and Constitutional Affairs, Report on the comprehensive revision of the Telecommunications

(Interception and Access) Act 1979, The Senate, Canberra, March 2015, p. 94. 28. S Martin, ‘ALP urges fresh draft of telco security laws’, The Australian, 12 August 2015, p. 6. 29. M Clarke and C Uhlmann, ‘Telcos draw the line at latest Federal Government changes to national security laws’, ABC News, 22 July 2015.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 11

whether there was a case for regulatory intervention in relation to TSSR, and, if there was, the appropriate regulatory model. After considering industry submissions, the PJCIS did not support stakeholder suggestions for voluntary or co-regulatory models.30

More recently, a large number of interest groups made submissions to the AGD as part of the consultation process regarding the two EDs of the Bill released in June and November 2015.31 Telecommunications companies and industry associations raised similar issues, which resulted the Government making a number of amendments to the first Exposure Draft Bill.32 Briefly these included:

• narrowing the scope of the security obligation

• increasing the threshold for the exercise of the directions powers

• the inclusion of additional safeguards around the exercise of the directions powers

• the inclusion of additional safeguards to protect the confidentiality of commercially sensitive information obtained through the exercise of the information gathering power

• providing that directions issued by the Attorney-General will now be reviewable under the ADJR Act

• streamlining and clarifying the operation of the notification obligation

• increasing the implementation timeframe from six months to 12 months from Royal Assent

• narrowing the scope of the obligation to protect networks or facilities to networks or facilities owned, operated or used by a carrier or CSP.

• extending the response time imposed on the CAC in relation to notifications to 30 days and capability plans to 60 days (unless further information relating to a notification has been requested)

• increasing timeframes for affected parties to provide a submission after a written notice of direction from 14 to 28 days

• providing that companies will now be able to provide copies of documents, and also be entitled to reasonable compensation for complying with a requirement to provide a copy of a document under the information gathering powers

• providing that the Secretary of the AGD is required to have regard to the likely cost to comply with an information gathering request before issuing that request and

• expanding the confidentiality requirements to protect the confidentiality of commercially sensitive information or documents provided in individual notifications or security capability plans.33

Current position of major interest groups The issues raised by major interest groups in submissions to the Exposure Draft consultation process (to the extent they relate to provisions that are consistent between the Bill and ED) as well as those made to the PJCIS’s inquiry into the Bill are examined under the heading ‘Key issues and provisions’. However, briefly those issues included:

• the appropriateness of key definitions

• the appropriateness and breadth of application of the security obligation

• compliance with the notification obligation

30. PJCIS, Report of the inquiry into potential reforms of Australia’s national security legislation, op. cit., recommendation 19. See also: pp. 84-86: ‘Although there are currently indirect incentives for service providers to protect their customers’ information (such as public relations damage), commercial interests will not always align with the national interest. To account for those instances where advice is not acted upon and where national security is threatened, the Committee agrees that Government should create a scheme including the capacity for Government to direct service providers to take certain remediation actions. The Committee believes there cannot be an effective and equitable security regime without enforcement mechanisms … an infrastructure and information security regime should be introduced whether or not Government chooses to introduce a data retention regime’.

31. The submissions can be accessed from: AGD, ‘Telecommunications security’, AGD website, n.d. 32. AGG, ‘Telecommunications sector security reforms’, AGD website, n.d. 33. Ibid.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 12

• the threshold that must be satisfied and matters to be considered before a direction can be given by the Attorney-General and

• application of the regime to ‘over-the-top’ (OTT) services such as web-based email, voice over internet protocol (VoIP) and cloud computing services.

Joint submission from industry associations The Australian Industry Group (AiGroup), Australian Information Industry Association (AIIA), Australian Mobile Telecommunications Association (AMTA) and Communications Alliance (the Associations) made a joint submission to the PCJIS’s inquiry into the Bill.34 The Associations raised a number of concerns about the Bill, including its underlying policy.

Incorrect policy approach The Associations stated in its submission to the PCJIS’s inquiry into the Bill that the regime proposed by the Bill ‘appears to be founded on the incorrect assumption that security risks are known … before service introduction or equipment deployment occurs’ and noted that in practice, security threats ‘typically emerge, or become known, after introduction/deployment’.35

More specifically, the Associations stated that the Exposure Draft ‘fail to answer the fundamental question of what specific failings and/or weaknesses Government is seeking to address’ and that it was:

… unclear how this additional layer of regulation and cost to Industry and intrusion into the commercial decision making processes of C/CSPs and carriage service intermediaries can be justified. 36

In particular, the Associations expressed concern that the proposed regime will grant to the Government ‘wide-ranging’ powers to intervene in industry participants internal commercial decisions relating to:

• network design

• M&A activities and

• vendor selection, procurement and service supply options (including resale of global or regionally based services and the use of global or regionally based network or business resources of multinational organisations).37

The Associations also noted ‘there is no corresponding obligation on Government to justify its actions, take responsibility for any unintended outcomes’ or ‘bear the costs’ (a concern possibly partially ameliorated by proposed subsections 315B(2) and (6), 315C(4) and (8) and proposed section 315J, discussed below under ‘Key issues and provisions’).38 The Associations concluded that the proposed regime ‘runs the very serious risk that it will not be adaptable or flexible enough to tackle the risks that will emerge’ and that a traditional ‘‘command-and-control’ regulatory framework’ will not be ‘agile enough’ to respond to emerging security threats and ‘also runs the risk of unnecessarily increasing costs and investment risks of the telecommunications industry which will impact Australia’s digital capability’.39

Support for alternative policy approaches The Associations outlined what they considered to be ‘more collaborative approaches’ to dealing with security threats to telecommunications infrastructure and services used or being ‘contemplated in major international markets’ and suggested ‘the benefits of adopting a more collaborative, less prescriptive and less onerous

34. Australian Industry Group (AiGroup), Australian Information Industry Association (AIIA), Australian Mobile Telecommunications Association (AMTA) and Communications Alliance (Associations), Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 3 February 2016. The Associations also made a submission to the AGD’s consultation process regarding the Exposure Draft: Associations, Joint submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, January 2016.

35. Associations, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 3 February 2016, p. 6. 36. Ibid., p. 6. 37. Ibid., pp. 6-7. 38. Ibid., p. 7. 39. Ibid., p. 7.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 13

strategy be carefully considered and examined in Australia’ before the Bill is passed.40 The Associations provided a summary of the current regimes of the US and UK, as well as the proposed Canadian regime.

In summary, the Associations argue that industry-led (and possibly voluntary) frameworks developed either independently of (or in collaboration with) Government that reflect standards and practices from other jurisdictions is a more effective, adaptable and cost-effective policy approach than the regime proposed by the Bill.

However, in relation to the policy approaches adopted by other countries the AGD noted in its submission to the Inquiry into the Bill:

International voluntary compliance frameworks, such as those outlined in the joint submission of the Australian Industry Group, Australian Information Industry Association, Australian Mobile Telecommunications Association and Communications Alliance [The Associations], are often cyber security focused and outline voluntary procedures for sharing cyber threat information.

41

The AGD went on to note that Australia already ‘has voluntary information sharing forums in place which focus on cyber security generally’ and that the proposed TSSR ‘extends beyond general cyber security to enable the protection of Australia’s critical infrastructure from specific national security risks’ and therefore the Bill seeks to formalise ‘the existing and emerging relationships with the telecommunications industry’ with a view to enabling government ‘to identify where security risks are and enable engagement at the earliest possible time’.42

Inability of the Bill to deal with emerging technology and innovation in the sector The Associations argued that the regime proposed by the Bill would slow down industry responsiveness and ability to innovate ‘and will be more likely to stifle innovation necessary to keep pace with the increasing sophistication of cyber threats’.43 This, it was argued, would be because telecommunications sector businesses would ‘focus on minimising exposure to regulatory imposts or on compliance’ instead of on innovation ‘particularly in the context of the Internet of Things’.44

The Associations noted that ‘the Security Capability Plans that the revised draft legislation has introduced, while being very useful in many areas, would ‘not be able to overcome the problems that the proposed reforms pose for flexible and fast innovation processes’.45

The Associations concluded ‘it appears even more evident that the proposed reforms do not strike an appropriate balance between risk and opportunity’ as the regime proposed by the Bill would unable to deal with emerging technology and would stifle innovation.46

However, in response to this issue, the AGD noted that the Bill ‘proposes a balanced and risk-based approach to take into account the needs of the Australian telecommunications sector to remain competitive and innovative in the market, having regard to minimising regulatory impacts’.47

Australian Centre for Cyber Security The Australian Centre for Cyber Security (ACCS) was the only published submission to note the potential overlap between the regime proposed by the Bill and the data retention regime created by the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (the Metadata Act).

The ACCS noted that under the Bill the AGD will have the power to collect any type of information from a carrier or CSP and:

• this power is only overseen by an annual report submitted by the AGD to Parliament

40. Associations, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, February 2016, p. 5. 41. AGD, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, op. cit., p. 6. 42. Ibid.

43. Ibid., p. 10. 44. Ibid., p. 10. 45. Ibid., p. 11. 46. Ibid., p. 11. 47. Ibid., p. 7.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 14

• this power may be delegated to the Director-General of the ASIO and

• ASIO may in turn share the information gathered with the AFP and third parties.48

The ACCS noted that from a technical perspective, metadata includes IP (Internet Protocol) source and destination addresses, source and destination port addresses and protocol numbers and ‘therefore includes URLs/web browsing history’.49 The ACCS referred to this set of session metadata as ‘5-tuple’ and noted that ‘the 5-tuple falls within the pool of ‘any information’ the AGS and ASIO may collect from’ carries and CSPs under the Bill.50

The ACCS noted that ‘using metadata to detect and resolve cyber security threats quicker and in near real-time is a developing trend’ and that as a result, a carrier or CSP ‘may therefore retain more metadata, and for longer, than it usually would’ as not collecting, retaining and analysing the 5-tuple session metadata ‘from most devices connected to the Internet’ may result in a carrier or CSP not ‘doing your best and exercising competent supervision’, which is what the Bill requires.51

The Bill and the Metadata Act The ACCS noted that as the regime proposed by the Bill and the Metadata Act both address the issues related to national security, there is therefore effectively duplication of the ‘metadata creation, retention and disclosure’ obligations imposed on carriers and CSPs.

The ACCS noted that whilst the Metadata Act regime does not apply to the ‘3-tuple’ (destination IP, destination port and protocol number), the regime proposed by the Bill will. The ACCS stated that whilst 3-tuple metadata ‘is not required to be retained and is not being disclosed by the TelCo to the agencies’ under the Metadata Act, under the regime proposed by the Bill ‘the 3-tuple may potentially be required to be disclosed to the AGD and the agencies’.52

The ACCS noted that both the Metadata Act regime and that proposed by the Bill ‘essentially address the same metadata but with different procedures’ and that as a result of those differences ‘oversight, governance and ethical risks’ may arise.53 Further, the ACCS noted that whilst the Metadata Act regime oversight powers have been introduced:

There are no clear public guidelines and oversight mechanisms regarding the collection and sharing of the 5-tuple information between the AGS, ASIO, the AFP and third parties. 54

The ACCS again noted that the metadata dealt with ‘is more information than what is addressed under’ the Metadata Act and that as result of the lack of ‘clear boundaries’ regarding ‘how overlaps are to be addressed between collecting the information for the purposes of national security’ under the regime proposed by the Bill and that collected under the Metadata Act regime ‘may lead to forum-shopping by the agencies’ between the Bill’s regime and the Metadata Act regime.55

The ACCS noted that as ‘it makes little sense not to simultaneously retain destination information under a ‘situational awareness’ and ‘threat intelligence’ strategy’, compliance with the Bill’s regime may result in carriers and CSPs collecting, retaining and analysing the 5-tuple (which includes source and destination metadata) in order to identify emergent threats, incidents and attacks.56 In turn, the AGD could then require carriers and CSPs to provide that 5-tuple metadata (including the 3-tuple metadata), and in turn share it with ASIO, the AFP and

48. Australian Centre for Cyber Security (ACCS), Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 3 February 2016, p. 2. 49. Ibid., p. 3. 50. Ibid., p. 3. A 5-tuple refers to a set of five different values that comprise a Transmission Control Protocol/Internet Protocol (TCIP/IP)

connection. It includes a source IP address/port number, destination IP address/port number and the protocol in use. System and network administrators (NA) use 5-tuples to identify key requirements for creating a secure, operational and bidirectional network connection between two or more remote and local machines: Techopedia, ‘5-tuple: definition: what does 5-tuple mean?’, Techopedia website, n.d. 51. ACCS, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 3 February 2016, pp. 2-3. 52. Ibid., p. 4. 53. Ibid.

54. Ibid.

55. Ibid.

56. Ibid., p. 5.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 15

other third parties, despite the contrary intention and requirements under the Metadata Act regime in relation to the 3-tuple and that this represented ‘potentially conflicting positions between the law and policy and the two regimes’.57 The ACCS concluded:

Overall, the metadata under both regimes are just the same metadata at the end of the day. The same metadata is accessed for the same purposes: law enforcement and national security. However, the oversight mechanisms regarding access for security under the two regimes differ vastly. The purpose for this difference in treatment is not made clear. Metadata under the TSSR, which is the vast majority of session metadata and may have greater privacy implications, require no authorisation and notification process, and little independent oversight, unlike the source IP and port addresses under the Metadata Creation, Retention and Disclosure Regime.

58

The ACCS also noted that the Commonwealth Ombudsman ‘is not granted oversight powers’ over the AFP and metadata collected under the Bill’s regime (unlike with metadata collected under Metadata Act) and therefore recommended the alignment of the Bill’s regime with that of the Metadata Act ‘so as to avoid fragmentation in terms of data types, retention requirements, disclosure rules and oversight’.59

Financial implications The Explanatory Memorandum notes that cost of resourcing and administering the scheme proposed by the Bill by ASIO and AGD is estimated at $1.6m annually ‘due to increased engagement with C/CSPs and to review notifications of proposed changes to telecommunications systems and services’.60

The Explanatory Memorandum estimated the total cost to industry of the TSSR regime proposed by the Bill at approximately $220,000 per C/CSP per year and noted that such costs ‘would represent a modest additional cost to the sector which has revenue in excess of $43b a year’.61

Statement of Compatibility with Human Rights As required under Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (Cth), the Government has assessed the Bill’s compatibility with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of that Act. The Government considers that the Bill is compatible.62

Parliamentary Joint Committee on Human Rights On 22 November 2016, the Parliamentary Joint Committee on Human Rights reported that the Bill did not raise human rights concerns.63

Key issues and provisions As table item 2 of proposed section 2 provides that the TSSR will commence 12 months after the Act receives Royal Assent, the TSSR will have a delayed commencement in line with feedback from industry.

Administrative guidelines To aid the transition to the TSSR, the AGD will develop, in consultation with industry, non-binding administrative guidelines that will provide carriers and CSPs with guidance about:

• which parts of networks and facilities are particularly vulnerable to unauthorised access and interference and how they can maintain competent supervision and effective control over their networks

• what is required to meet their legislative requirements, including what is expected of carriers and CSPs to comply with the security obligation (including possible control measures and mitigations) and

• when a carrier or NCSP should notify of proposed changes (including what should and should not be notified and included or not included in a SCP).64

57. Ibid.

58. Ibid., p. 6. 59. Ibid., p. 6. 60. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 7. 61. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, pp. 79-82. See also: AGD, Submission to PJCIS,

Review of the Telecommunications and Other Legislation Amendment Bill 2016, op. cit., p. 8. 62. The Statement of Compatibility with Human Rights can be found at page 8 of the Explanatory Memorandum to the Bill. 63. Parliamentary Joint Committee on Human Rights (PJCHR), Report, 9, 2016, Canberra, 22 November 2016, p. 39.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 16

The AGD published draft administrative guidelines in November 2015.65 The PJCIS Advisory report recommended that the administrative guidelines be revised to provide ‘comprehensive information, clarity and certainty to industry in a greater range of circumstances’, prior to the conclusion of the 12 month implementation period.66

Over-the-top services The uncertainty regarding the potential application of the proposed regime to ‘over the top-services’ was an issue raised by a number of stakeholders. ‘Over the top’ (OTT) service providers are services ‘such as such as web-based email, VoIP or [a] cloud service’.67 In relation to the application of the Bill’s provisions to OTT services, the Law Council of Australia (LCA) noted that the regime proposed by the Bill ‘appears to apply to Australian based’ carriers, CSPs and intermediaries ‘that supply OTT services’ but will ‘not apply to international OTT services or internationally based’ carriers or CSPs ‘that provide OTT services’ to Australians.68 The LCA noted that ‘it is not apparent as to how the level of risk will be calculated’ when determining whether Australian based carriers and CSPs fulfilled the security obligations ‘when they supply OTT services’.69 The LCA recommended that ‘the security obligations should relate to any additional likely level of security risk with the supply of OTT services when compared with the level of risk that applies where the service is obtained directly from the OTT service’.70

The Associations argued:

… the legislation continues to only apply to a subset of the Australian telecommunications sector, i.e. C/CSPs and carriage service intermediaries, but it does not apply to overseas OTT services. … The regulatory burden of the reform falls onto a subset of the global market place for the supply of services, i.e. the burden only falls on Australian-based C/CSPs, including intermediaries as defined in the Act. Overseas service suppliers providing OTT services will not be subject to the TSSR. An Australian based C/CSP simply reselling OTT services faces substantial regulatory uncertainty and regulatory risk under the TSSR framework.

71

The Associations recommended that carriers and CPSs should only be required to ‘take action under the legislation’ if their supply of relevant services (including OTT services) ‘adds substantive security risk’.72 Further, the Associations argue that the obligations of carries and CSPs should be assessed solely on the basis of the:

• level of security risk that applies if the service is obtained directly from the service supplier

• level of security risk that applies if the service is obtained via the carrier or CSP and

• steps can be implemented by the carrier or CSP to address ‘any added security risk’.73

The Associations expressed their concern that the reforms proposed by the Bill would relegate Australian-based telecommunications businesses to ‘play minor, low-value roles in the supply of internet services’ and that the reforms would result in overseas companies dominating ‘the supply of value-adding OTT services, resulting in a negative effect on competition, the industry and the overall framework required to assist in achieving the TSSR policy objective’.74

Whilst the Bill will not apply to international OTT service providers or internationally based carriers or CSPs that provide OTT services to Australians (due to the lack of a physical presence in Australia), it will apply to Australian carriers and CSPs that provide or re-sell OTT services.

In this regard the concerns noted above should be considered within the context of the deliberately non-prescriptive approach taken to the content of the security obligations (discussed below). Importantly the

64. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, pp. 7, 23, 25, 27 and 33. 65. Attorney-General’s Department (AGD), ‘Telecommunications Sector Security Guidelines: draft version’, AGD website, November 2015. 66. PJCIS, Advisory report on the Telecommunications and Other Legislation Amendment Bill 2016, 30 June 2017, p.41, paragraph [3.49]. 67. Ibid., p. 154, paragraph [5.13]. 68. Ibid., p. 4. 69. Ibid., p. 4. 70. Ibid., p. 4. 71. Associations, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 3 February 2016, p. 15. 72. Ibid., p. 16. 73. Ibid.

74. Ibid.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 17

security obligations ‘impose a subjective element which means that what is required to comply with the obligation will differ’ according to the risk profile and the specific activities of the relevant entity.75 The Explanatory Memorandum outlines how the risks of the security obligation is aimed at can be assessed:

The following factors will contribute to whether a C/CSP is more likely to be actively targeted and therefore have an increased risk from espionage, sabotage or foreign interference:

 percentage of market share - the larger the customer base the greater the aggregated data;

 sensitivity of customer base - some customers will have more information of a sensitive nature being communicated and held on networks and facilities than others - including government and critical service providers, science and research organisations, large or significant commercial organisations, and large healthcare provider organisations (or their suppliers and business partners); and

 criticality of the network - for example, where the telecommunications network or service supports the delivery of other critical services, such as power, water, health, banking or where it provides services to critical customers. 76

Most OTT services would be considered at less risk of espionage, sabotage or foreign interference than non-OTT services or facilities of the types noted above. Further, the Explanatory Memorandum also noted:

Not all parts of networks and facilities are equally vulnerable to national security risks. … [The]areas of greater security interest are:

 network operation centres, including infrastructure used to facilitate support of the network;

 lawful interception equipment or operations;

 any part of a telecommunications network that manages or stores:

o aggregated information about customers

o aggregated authentication credentials of a significant number of customers

o administrative (privileged user) authentication credentials for the network or related systems

 any place in a telecommunications network where data belonging to a customer or end user aggregates in large volumes, being either in transit or stored data; and

 any additional area as advised in writing, in response to changes in threat, technology and business practices. 77

Therefore OTT services would be considered at less risk of intrusion and interference that the types of non-OTT services or facilities noted above.

Finally, whilst there is no legislative prescription as to what constitutes ‘best endeavours’, ‘competent supervision’ or ‘effective control’ in relation to OTT services provided by carriers or CPSs, the Explanatory Memorandum notes:

The Bill does not prescribe what technical solutions a C/CSP should use to secure networks to protect information or the integrity and availability of the network, as this will be highly dependent on factors specific to each network and business delivery model. 78

75. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 22. 76. Ibid., p. 22. 77. Ibid., p. 23. 78. Ibid., p. 24.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 18

However, it does note that carries and CSPs will be expected to ‘demonstrate effective control and competent supervision over the networks and facilities’ that they own or operate, and this would include implementing measures that address ‘vulnerabilities that can arise through equipment supply, outsourcing and offshoring arrangements’.79 Further, the Explanatory Memorandum provides guidance to the ‘competent supervision’ aspect of the security obligations, stating it means:

… the ability of a C/CSP to maintain proficient oversight of its networks and facilities and could include arrangements to maintain:

 visibility of network and facility operations;

 visibility of key data flows and locations;

 awareness of parties with access to network infrastructure; and

 the ability to detect security breaches or compromises. 80

In relation to the ‘effective control’ aspect of the security obligations, the Explanatory Memorandum states that this:

… means the ability of the C/CSP to maintain direct authority and/or contractual arrangements which ensure that networks, facilities, infrastructure and information stored or transmitted within networks, is protected from unauthorised interference. This would include authority over all parties with access to network infrastructure and data. It could include the ability to:

 direct actions to ensure the integrity of network operations and the security of information carried on them;

 terminate contracts without penalty where there has been a security breach or data breach reasonably attributable to the contracted services or equipment;

 address issues of data sovereignty;

 direct contractors to carry out mitigation or remedial actions;

 oblige contractors to monitor and report breaches to the C/CSP; and

 re-establish the integrity of data or systems where unauthorised interference or unauthorised access has occurred (for example to confirm accuracy of information or data holdings). 81

This would appear to suggest that the security obligation is an outcome-based one, and therefore provides Australian carriers and CSPs that provide or re-sell OTT services a significant degree of flexibility regarding how they meet their obligations. However, at the PJCIS’s hearing into the Bill, a number of witnesses again raised concerns about how the risk posed by OTT services would be evaluated (and therefore how carriers and CSPs could meet their security obligation) and the supposed competitive disadvantage Australian based OTT service providers would face by having to comply with the security obligation.82

79. Ibid.

80. Ibid., p. 24. 81. Ibid., pp. 24-25. 82. See for example: M Stanton (CEO, Communications Alliance), Evidence to PJICS, Inquiry into Telecommunications and Other Legislation Amendment Bill 2016, 16 February 2017, p. 10: ‘It is the case that increasing the core carriage services while they provide an underlay is only

part of the mix that consumers are looking for, be they messaging apps, be they non-carrier based email—any one of hundreds of over-the-top services that form part of the bouquet for Australian providers. There is uncertainty around what obligations you have to protect or to guard against any risk to something that is a value-add that you do not own or control’ and : C Gillespie-Jones (Director, Program Management, Communications Alliance), Evidence to PJICS, Inquiry into Telecommunications and Other Legislation Amendment Bill 2016, 16 February 2017, p. 10: ‘At the moment, I would say that unfortunately there is not too much uncertainty about it. If you are providing an over-the-top service and you are reselling it as an Australian carriage service provider, you would be bound by TSSR obligations. If, as a consumer, you were to buy the same service from a non-Australian over-the-top provider—exactly the same service just not rebranded with a

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 19

In relation to any residual concerns raised by stakeholders about the ‘uncertain’ application of the TSSR to Australian-based OTT services provided by carriers and CSPs, how risk is to be evaluated and the security obligation discharged in relation to OTT services, members of the Parliament might wish to consider requesting the Government develop targeted administrative guidance to relevant Australian carriers and CSPs that provide OTT services. This could be done, for example, by including some guidance in the Administrative Guidelines supporting the scheme, a draft copy of which is available on the AGD’s website.83

Security obligations The Government notes that because telecommunications networks and facilities of carriers, CSPs, and carriage service intermediaries (intermediaries) transfer and hold sensitive information and data they are ‘attractive targets for espionage, sabotage and foreign interference activity by state and non-state actors’.84 The national security risks that may arise from such espionage, sabotage and foreign interference include:

• compromise or degradation of telecommunications networks

• compromise of valuable data or information of a sensitive nature, such as aggregate stores of personal data or commercial or other sensitive data

• impairment of the availability or integrity of telecommunications networks or

• the potential impact on other critical infrastructure or government services (such as banking/finance, health or transport services).85

Currently section 313 of the Act requires that carriers, carriage service providers and carriage service intermediaries must ‘do their best’ to prevent networks and facilities being used to commit offences and also to provide ‘reasonable assistance’ to authorities for the purposes of enforcing criminal and pecuniary laws, protecting public revenue and safeguarding national security.

Proposed subsections 313(1A), (1B) and 313(2A) are designed to complement the existing obligations imposed by the Act by imposing a new security obligation on the telecommunications industry that the Government argues is an appropriate response to manage ‘national security risks’ on a ‘cooperative basis rather than through the formal exercise of regulatory powers’.86

In general terms the security obligation requires carriers, CSPs and some intermediaries to (for the ‘purpose of security’) ‘do their best’ to protect telecommunications networks and facilities that they own, operate or use from unauthorised interference, or unauthorised access. The term ‘security’ is defined by reference to the meaning of that term in section 4 of the Australian Security Intelligence Organisation Act 1979 (ASIO Act). The term ‘security’ is defined in the ASIO Act to mean:

(a) the protection of, and of the people of, the Commonwealth and the several States and Territories from:

(i) espionage;

(ii) sabotage;

(iii) politically motivated violence;

(iv) promotion of communal violence;

(v) attacks on Australia’s defence system; or

different Australian brand—then the obligations would not apply … One is bound by the obligations; the other one is not. That, as such, is not a desirable outcome for competition, because it does mean the Australian providers that offer these over-the-top services are disadvantaged over other non-Australian providers’. 83. Ibid., p. 108; AGD, Telecommunications sector security guidelines, Draft version, AGD, Canberra, November 2015. 84. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 2. 85. Ibid.

86. Ibid., p. 3.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 20

(vi) acts of foreign interference;

whether directed from, or committed within, Australia or not; and

(aa) the protection of Australia’s territorial and border integrity from serious threats; and

(b) the carrying out of Australia’s responsibilities to any foreign country in relation to a matter mentioned in any of the subparagraphs of paragraph (a) or the matter mentioned in paragraph (aa).

The above definition is further expanded by connected definitions contained in section 4 of the ASIO Act. For example, the acts of foreign interference is defined as meaning activities relating to Australia that are carried on by or on behalf of, are directed or subsidised by or are undertaken in active collaboration with, a foreign power, being activities:

• are clandestine or deceptive and:

- are carried on for intelligence purposes - are carried on for the purpose of affecting political or governmental processes or - are otherwise detrimental to the interests of Australia or • involve a threat to any person.

Likewise the term attacks on Australia’s defence system is defined expansively as including:

… activities that are intended to, and are likely to, obstruct, hinder or interfere with the performance by the Defence Force of its functions or with the carrying out of other activities by or for the Commonwealth for the purposes of the defence or safety of the Commonwealth. 87

The term politically motivated violence, used in paragraph (a)(ii) of the definition of security is defined as meaning:

• acts or threats of violence or unlawful harm that are intended or likely to achieve a political objective, whether in Australia or elsewhere, including acts or threats carried on for the purpose of influencing the policy or acts of a government, whether in Australia or elsewhere or

• acts which:

- involve violence or are intended or are likely to involve or lead to violence (whether by the persons who carry on those acts or by other persons) and - are directed to overthrowing or destroying, or assisting in the overthrow or destruction of, the government or the constitutional system of government of the Commonwealth or of a State or Territory

or

• acts that are terrorism offences88 or

• acts that are offences punishable under Division 119 of the Criminal Code Act 1995, the Crimes (Hostages) Act 1989 or Division 1 of Part 2, or Part 3, of the Crimes (Ships and Fixed Platforms) Act 1992 or under Division 1 or 4 of Part 2 of the Crimes (Aviation) Act 199189 or

• acts which:

- are offences punishable under the Crimes (Internationally Protected Persons) Act 1976,90or - threaten or endanger any person or class of persons specified by the Minister for the purposes of this subparagraph by notice in writing given to the Director General.

87. Australian Security Intelligence Organisation Act 1979, section 4. 88. Defined as an offence against Subdivision A of Division 72 or Part 5.3 of the Criminal Code Act 1995. 89. These deal with foreign incursions and recruitment, hostage-taking offences, various ship and fixed-platform related offence (such as seizing a ship or fixed platform, damaging a ship or fixed platform, or giving false information that will endanger a ship) and various offences related to

aircraft (for example, hijacking or endangering the safety of aircraft in flight). 90. Various offences in relation to internationally protected persons (for examples, diplomats) include murder, kidnapping and damaging official premises (for example, an embassy).

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 21

Finally, promotion of communal violence, used in paragraph (a)(iv) of the definition of security is defined as ‘activities that are directed to promoting violence between different groups of persons in the Australian community so as to endanger the peace, order or good government of the Commonwealth.’

Whilst the notes in proposed subsections 313(1A) and (2A) provides a summary of the definition of security that the Explanatory Memorandum states is intended to highlight the most important aspects of the definition as it would apply to the TSSR scheme, those notes in no way limit the broad meaning of the term ‘security’ for the purpose of the new security obligations.91

The Explanatory Memorandum does not appear to explain the need to apply all components of the definition of security in the ASIO Act noted above, rather than specifically limiting it to the matters extracted in the notes to proposed subsection 313(1A) and (2A). For example, it is not clear why there is a need to impose the security obligation for the purpose of the paragraph (b) of the definition of security (the carrying out of Australia’s responsibilities to any foreign country in relation to a matter encompassed by the definition of security). Arguably this could result in the proposed security obligations being extended to cover other countries’ security interests where Australia has responsibilities to that country (for example, under a treaty or other agreement).

Concerns about the use of the ASIO Act definition of security One interest group expressed concern about the Bill using the ASIO Act’s definition of ‘security’ in relation to the security obligation, stating it would ‘have the serious consequences’ of:

• preventing the use of network facilities or other infrastructure located offshore to supply services

• creating smaller scale, higher cost and delayed services using onshore infrastructure and

• encouraging customer migration to direct supply from offshore entities.92

However, most of the stakeholders concerns about the security obligation are related to its breadth of application. This is discussed below.

Key definitions underpinning the security obligations The security obligations are linked to existing definitions in the Act. To give context to the discussion regarding the security obligation, and concerns raised by stakeholders, these are briefly examined below.

The security obligation applies to facilities and telecommunications networks. Facility is defined in section 7 of the Act as meaning:

(a) any part of the infrastructure of a telecommunications network; or

(b) any line, equipment, apparatus, tower, mast, antenna, tunnel, duct, hole, pit, pole or other structure or thing used, or for use, in or in connection with a telecommunications network.

Telecommunications network is defined as ‘a system, or series of systems, that carries, or is capable of carrying, communications by means of guided and/or unguided electromagnetic energy.’ In turn, communications is defined as ‘any communication’ including (but not limited to):

(a) whether between persons and persons, things and things or persons and things; and

(b) whether in the form of speech, music or other sounds; and

(c) whether in the form of data; and

(d) whether in the form of text; and

(e) whether in the form of visual images (animated or otherwise); and

(f) whether in the form of signals; and

91. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 22. 92. Associations, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 3 February 2016, pp. 13- 14.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 22

(g) whether in any other form; and

(h) whether in any combination of forms.

In addition to the above, the Act regulates three types of entities that the Bill proposes to regulate: carriers, carriage service providers (CSPs), and carriage service intermediaries (intermediaries). These entities are characterised as follows:

• carriers own or operate telecommunications infrastructure or otherwise elect to be a carrier, and must hold a carrier licence

• a CSPs is any entity that supplies, or proposes to supply, a listed carriage service to the public (for example, telephone services) to the public whether or not they own the telecommunications infrastructure and

• in simple terms an intermediary is any entity that, for reward, arranges for the supply of a listed carriage service by a CSP to a third person, would be a CSP if the intermediary had supplied that carriage service, or is in a contractual relationship with the third person for the continuing supply of the carriage service. As such, intermediaries are entities such as resellers and other entities that arrange the supply of a carriage service.93

A listed carriage service is any carriage service for carrying communications by electromagnetic energy between a point in Australia and one or more other points. The definition requires a carriage service with one of the end points in Australia, whether or not the other point is in or outside of Australia. A ‘point’ includes a mobile (or potentially mobile point), regardless of whether it is on land, underground, in the atmosphere, in outer space, underwater, at sea or anywhere else.94

Importantly, carriers, CSPs and intermediaries have a degree of overlap. For example, an entity may be both a carrier and a CSP, and therefore must obtain a carrier licence and also comply with the laws that apply to carriers in addition to the laws that relevantly apply to CSPs (such as those proposed by the Bill). Further, subsection 87(5) of the Act provides that intermediaries are CSPs.95

As the above definitions are broad, they encompass a range of infrastructure and devices ‘used, or for use, in or in connection with’ a telecommunications network, and therefore the entities that own, operate or control them.

The security obligations generally Proposed subsections 313(1A), (1B) and (2A) collectively impose the security obligations on carriers, CSPs and intermediaries. Whilst the obligations vary according to type of entity, generally the security obligation requires carriers, CSPs or intermediaries to ‘for the purposes of security … do their best’ to protect certain telecommunications networks and facilities from unauthorised interference or unauthorised access to ensure:

• the confidentiality of communications and information carried or contained on the network or facilities and

• the availability and integrity of the network and facilities.96

The meaning of ‘do their best’ is discussed below under the heading ‘Elements of the security obligation’.

The table below sets out the obligations that apply to carriers and CSPs, those that apply to intermediaries and to which networks or facilities those obligations relate. Proposed subsection 313(1A) sets out the general security obligations listed above, which are owed by carriers and CSPs in relation to any telecommunications networks or facilities that they own, operate or use.

In contrast, the specific obligation imposed on carriers and CSPs by proposed subsection 313(1B) provides that the general obligation imposed on C/CSPs includes, but is not limited to, a requirement to maintain competent supervision of, and effective control over, telecommunications networks and facilities they own or operate. The obligation imposed on intermediaries by proposed subsection 313(2A) applies to telecommunications networks

93. Telecommunications Act 1997, sections 7, 16, 56 and 86. 94. Telecommunications Act 1997, sections 7 and 16. 95. Telecommunications Act 1997, subsection 87(5). 96. See also the amendment to section 311 of the Act proposed by item 5 of the Bill.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 23

and facilities that they use to supply certain services and does not depend upon ownership of, or the exercise of direct control or supervision of, a network or facility.

Table 1: security obligations

Entity Obligation Networks or facilities

it applies to

Possible consequences for breaches

Carriers and CSPs Protect

telecommunications networks and facilities from unauthorised interference or unauthorised access to ensure:

 the confidentiality of communications and information carried or contained on the network or facilities and

 the availability and integrity of the network and facilities97

Telecommunications networks and facilities they:

 own

 operate or

 use.98

 Enforcement action99

 Being issued with a Direction100

 Possible contravention of licence condition (and associated enforcement actions)101

Maintain competent supervision of and effective control over telecommunications networks and facilities102

Telecommunications networks and facilities they:

 own or

 operate.103

Intermediaries Protect

telecommunications networks and facilities from unauthorised interference or unauthorised access to ensure:

 the confidentiality of

Telecommunications networks and facilities used to supply a carriage service referred to in subsection 87(5) of the Act105 - essentially the infrastructure used by a person for the

97. Proposed subsection 313(1A). 98. Proposed subsection 313(1A). 99. Under section 570 of the Telecommunications Act the pecuniary penalties for contraventions of civil penalty provisions (which would include the security obligation) provide that the maximum amount that could be payable would be $10m for a body corporate and $50 000 for a

natural person: Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, pp. 17, 31, 34, 46, and 54. 100. Under proposed sections 315A and 315B. 101. Section 68 of the Telecommunications Act provides that a carrier or person must comply with the conditions of its carrier licence - which

includes compliance with the Telecommunications Act, TIA Act and other legislation. Schedule 1, section 1 of the Telecommunications Act also provides that a carrier must comply with the Telecommunications Act 1997, the Telecommunications (Consumer Protection and Service Standards) Act 1999 and regulations under that Act and Chapter 5 of the Telecommunications (Interception and Access) Act 1979. In turn section 570 of the Telecommunications Act sets out the pecuniary penalties for contravention of the civil penalty provisions and Part 1 of Schedule 1 of the Telecommunications Act provides that a standard conditions of a carrier licence includes compliance with the Telecommunications Act, TIA Act and other legislation. Collectively this ensures that failure to comply with the security obligation, the information gathering powers or a direction would result potentially significant civil penalties being imposed. 102. Proposed subsection 313(1B). 103. Proposed subsection 313(1B).

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 24

Entity Obligation Networks or facilities

it applies to

Possible consequences for breaches

communications and information carried or contained on the network or facilities and

 the availability and integrity of the network and facilities104

purpose of arranging the supply of a carriage service to a third person for reward.106

Source: proposed subsections 313(1A), (1B) and (2A).

Immunity from liability Currently subsection 313(5) of the Act provides that a carrier or CSP is not liable in relation to an act done or omitted in good faith in the performance of the duties imposed by section 313, or in compliance with a direction given by ACMA under section 312.

Items 10 and 11 would extend immunity from liability to an act done or omitted in good faith in the performance of the security obligations and in compliance with a direction issued under proposed subsections 315A(1) or 315B(2).

Elements of the security obligation The security obligations contain a number of elements. Most importantly these include:

• a requirement to ‘do their best’ to prevent the relevant risk and

• a requirement to maintain ‘competent supervision’ of, and ‘effective control’ over telecommunications networks and facilities they own or operate.

These are discussed below to give context to the concerns about the security obligation.

Meaning of ‘do their best’ element of the security obligations The security obligations contain a requirement that the carrier, CSP or intermediary ‘do their best’ to fulfil the relevant obligation. As noted earlier, the overarching design of the TSSR proposed by the Bill is both outcome-based and deliberately non-prescriptive (in a technical sense). The Bill’s security obligations are high-level obligations, the content of which are to be determined on a case by case basis, with the aid of administrative guidelines. The Explanatory Memorandum notes that the requirement ‘to do their best imposes a subjective element which means that what is required to comply with the obligation will differ according to the risk profile of the C/CSP’.107

The Explanatory Memorandum then notes that, as ‘the parts considered more vulnerable are likely to change over time due to changes in the way networks and services are operated and delivered’, administrative guidelines ‘will outline what is expected of C/CSPs to comply with the security obligation’.108

The Explanatory Memorandum notes that demonstrating ‘best efforts’ to:

105. Subsection 87(5) of the Telecommunications Act 1997 provides that an entity who receives a reward for arranging the supply of a listed carriage service by a carriage service provider to a third person who would be a carriage service provider if the person had supplied that carriage service and who has a commercial relationship with the third person which is governed by an agreement relating to the continuing supply of the service.

104. Proposed subsection 313(2B). 106. As noted by the Australian Communications and Media Authority (AMCA) subsection 87(5) of the Telecommunications Act 1997 is ‘intended to capture switchless resellers and/or aggregators who may not themselves be supplying a listed carriage service’: ACMA, ‘Service provider obligations’, ACMA website, 7 November 2016.

107. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 22. 108. Ibid., p. 23.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 25

… secure networks would include as a minimum, ensuring mechanisms for facilitating corporate awareness of the broad national security vulnerabilities and risks posed to telecommunications networks and embedding security considerations in to business decision-making and business delivery models. 109

The Explanatory Memorandum then notes that the security obligation will be discharged where a carrier, CSP or intermediary can demonstrate that it has ‘implemented effective security practices and measures’ to manage the relevant risks.110

When determining whether a carrier, CSP or intermediary has ‘done their best’ to discharge the security obligation a court will consider whether the actions or decisions taken (or not taken) are ‘reasonable steps’, as discussed below.

‘Reasonable steps’ aspect of the ‘do their best’ element of the security obligations

The Explanatory Memorandum notes that ‘do their best’ to fulfil the security obligation ‘will depend on what steps are reasonable in particular circumstances’.111 The Explanatory Memorandum provides an example of reasonable steps:

… an intermediary may be given access to services that may provide them with information about security vulnerabilities. They would therefore be expected to have appropriate procedural, governance and contractual arrangements to secure this type of information so that this knowledge of security vulnerabilities cannot be accessed by other parties and exploited.

112 (emphasis added)

In relation to carriers and CSPs:

… a C/CSP would need to take reasonable steps to ensure that intrusions or breaches do not occur within networks or facilities that they own, use or operate, and that the potential for malicious activity is minimised, demonstrable by the security controls in place. This will be particularly relevant where activity, left unchecked, could provide opportunity to compromise the confidentiality, availability or integrity of telecommunications infrastructure or information carried by, or across it.

113

As such, it would appear that whether a carrier, CSP or intermediary has done ‘their best’ by taking ‘reasonable steps’ to fulfil the security obligations will be determined on a case by case basis, and will be based on the information available to the entity at the time. Further, a variety of factors such as the type and degree of risk, the cost of mitigating the risk and so forth will be important in determining if the relevant obligation was effectively discharged.

Competent supervision and effective control

Proposed subsection 313(1B) provides that, as part of the security obligations, carriers and CSPs are required to maintain ‘competent supervision’ of and ‘effective control’ over telecommunications networks and facilities that they own or operate. Whilst not defined in the Bill, the Explanatory Memorandum states that the ‘competent supervision’ means the ability the of carrier or CSP ‘to maintain proficient oversight of its networks and facilities’ and may include arrangements to maintain:

• visibility of network and facility operations

• visibility of key data flows and locations

• awareness of parties with access to network infrastructure and

• the ability to detect security breaches or compromises.114

The Explanatory Memorandum outlines that ‘effective control’ means the ability of a carrier or CSP to:

109. Ibid., p. 25. 110. Ibid., p. 23. 111. Ibid., p. 26. 112. Ibid., p. 26. 113. Ibid., p. 23. 114. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 24.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 26

… maintain direct authority and/or contractual arrangements which ensure that networks, facilities, infrastructure and information stored or transmitted within networks, is protected from unauthorised interference. This would include authority over all parties with access to network infrastructure and data. 115

The Explanatory Memorandum expanded on the above, stating ‘it could include’ the ability to:

direct actions to ensure the integrity of network operations and the security of information carried on them

terminate contracts without penalty where there has been a security breach or data breach reasonably attributable to the contracted services or equipment

address issues of ‘data sovereignty’

direct contractors to carry out mitigation or remedial actions

require contractors to monitor and report breaches to the carrier or CSP, and

re-establish the integrity of data or systems where unauthorised interference or unauthorised access has occurred (for example, to confirm accuracy of information or data holdings). 116

Whether a carrier or CSP has maintained ‘competent supervision’ of and ‘effective control’ over telecommunications networks and facilities that they own or operate (and therefore if they have discharged their security obligations) will be considered on a case by case basis. Further, a variety of factors such as the terms of relevant contacts, thoroughness of arrangements regarding other parties’ access to network infrastructure will be important in determining if the relevant obligation was effectively discharged.

Practical examples

Non-binding administrative guidelines will outline to carriers and CPSs how to comply with the security obligation, and that this will be based on whether they have a low, medium or high risk profile and the parts of networks and facilities considered most vulnerable to national security risks.117

The Explanatory Memorandum then notes that ‘this advice and guidance will assist C/CSP to implement a risk managed approach to meeting the security obligation’.118 The AGD has produced draft guidelines that specifically deal with how the security obligation is to be discharged.119 Under the heading ‘What do you need to do to meet your security obligation?’ the AGD state that the security obligation ‘is not absolute and is underpinned by a 'reasonableness' test’.120

In summary, the AGD notes that to meet the security obligations a carrier or CSP:

[is] expected to adopt ‘a risk-managed approach to managing risks of espionage, sabotage and foreign interference to their networks and facilities’

[has] a risk management culture and ‘processes and structures that underpin the effective management of potential opportunities and adverse effects’ that is based on a ‘structured approach to identifying, assessing and controlling risks that emerges during a program or project life cycle’ such as AS/NZS ISO 31000:2009 Risk management - Principles and guidelines which is ‘the key standard for risk management’

focuses on risks posed by arrangements with suppliers (in particular managed service providers) and particular service delivery models (that is, outsourcing/offshoring)

115. Ibid. 116. Ibid., pp. 24-25. 117. Ibid., p. 23. 118. Ibid., 119. AGD, Telecommunications sector security guidelines, op. cit., p. 15. 120. Ibid., p. 15.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 27

demonstrates that it has processes, controls and arrangements in place to manage ‘who’ can access systems, networks and communications (that is, has competent supervision and effective control of its network)

use third-party assurance where appropriate

ensuring that authorised users have access to information, communications and telecommunications networks and facilities when required

ensure the accuracy and completeness of information and communications, as well as the protection of telecommunications networks and facilities from compromise or unauthorised modification and

implementing robust access controls to limit who has access to confidential communications and information, including information both in transit and in storage and potentially using encryption as a key method of ensuring confidentiality of information and communications. 121

Security obligations and their application The Exposure Draft applied the security obligations to carriers, intermediaries and CSPs to ‘telecommunications networks and facilities’ generally. A number of stakeholders expressed concern about the breadth of the security obligations in the Exposure Draft Bill, including their application to intermediaries:

It would not be reasonable for a duty to be imposed with regards to the supervision and control of any other infrastructure than that which the provider owns and controls - ‘their’ networks and facilities. 122

The Bill appears to have responded to those concerns. The security obligation now only applies to telecommunications networks and facilities that are ‘owned, operated or used’ by the carrier or CSP.123 In relation to intermediaries, instead of the security obligations applying to ‘telecommunications networks and facilities’ generally, it is now restricted to ‘telecommunications networks and facilities used to supply the carriage service’ offered by the intermediary.124

However, despite these changes the Associations expressed concern that the security obligation will apply to the telecommunications networks and facilities used by carriers, CSPs and intermediaries, arguing that ‘it is unclear what ‘use’ may actually entail and, maybe more importantly, what would be required of C/CSPs/intermediaries to protect networks that they are merely using’.125

The definition of ‘facility’ and the security obligations A number of interest groups expressed concern about the definition of ‘facility’ in the Act and the range of facilities to which the security obligations would therefore apply.

The Associations argue that the definition of ‘facilities’ in the Act and used in the Bill is ‘vague and open to discretionary interpretation’.126 The Associations contend that the proposed obligation to protect networks and facilities from unauthorised interference and unauthorised access and to maintain competent supervision and effective control of them is likewise ‘vague and open to discretionary interpretation’ and therefore it is:

… conceivable that the term ‘facility’ could be interpreted to encompass cloud computing and cloud storage solutions implemented by C/CSPs as any supporting equipment would appear to meet the above definition. This has the potential to significantly broaden the regulatory burden that C/CSPs face under the regime and will leave them at a competitive disadvantage compared with suppliers of equivalent services that are not C/CSPs.

127

121. Ibid., pp. 15-22. 122. Optus, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, 14 January 2016, p. 2. 123. Proposed subsection 313(1A). 124. Proposed subsection 313(2). 125. Associations, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 3 February 2017, p. 13. 126. Ibid., p. 16. 127. Ibid., p. 17.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 28

The Associations noted that ‘ex-post interpretation of undefined (and even defined) terms in the technical areas of communications create confusion at best and randomness at worst’ and should therefore be avoided.128

The LCA expressed similar concerns and noted that the definition of ‘facility’ appears ‘to capture cloud computing and cloud storage options implemented’ by carriers and CSPs and that it was unclear how carriers and CSPs ‘will be able to effectively maintain their security obligations in this context’.129 The LCA recommended that ‘the Attorney-General's Department consult with industry’ on an adequate definition of ‘facility’ for the purposes of the regime proposed by the Bill’.130

Optus noted similar concerns and in particular that the practical effect of the definition of ‘facility’ would the application of the security obligations to ‘infrastructure that would not normally be expected to be relevant’ to the security obligations such as ‘content serving platforms for streaming television or streaming content services’.131 Optus recommended that refining the definition of ‘facility’ would ‘prevent overreach’ of the security obligations.132

Foxtel also expressed similar concerns noting that as the Act’s definitions of ‘telecommunications network’, ‘communications’ and ‘carriage service’ are not limited or described in any way by reference to the supply of telephony or internet access services’ those terms could be interpreted as applying to ‘infrastructure and facilities used to supply broadcasting and content services (even where this is the sole or principal use of the infrastructure or facilities)’.133

Foxtel then noted that it remained ‘concerned that the scope of the proposed reforms is broad and unclear in relation to their application to infrastructure and facilities used to supply broadcasting and content services’.134

Foxtel argued that because broadcasting and content services do not carry sensitive corporate or government information or sensitive, confidential information about law enforcement activities, protected information or potentially disclose the location of politicians or other protected persons and they are not essential to the delivery and support of critical services, such as, power, water and health, they should be excluded from the security and notification obligations.135

Foxtel recommended that proposed subsection 313(1A) and (2A) be amended to ‘clarify that infrastructure and facilities used solely or principally for broadcasting or content services are not intended to be subject to this additional regulation’.136 Foxtel argued that such amendments would ‘provide certainty in relation to the application of the regulatory framework in future’.137 In relation to these concerns, the AGD noted that whilst the Bill ‘applies to the protection of telecommunications networks and facilities, irrespective of the type of service being provided over the networks’ it also enables exemptions from the notification requirements to be provided to carriers and CSPs ‘that offer a range of services’ including ‘in relation to broadcasting or a subscription television service’.138 The AGD further noted whilst ‘the exemption process will be refined during the implementation phase, in consultation with industry’, nonetheless:

128. Ibid., p. 17. 129. Law Council of Australia (LCA), Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, 18 January 2016, p. 4. 130. Ibid., p. 4. 131. Optus, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 1. 132. Ibid., p. 1. 133. Foxtel, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 3 February 2016, p. 2. Foxtel

made a similar point in its submission regarding the ED: Foxtel, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, 19 January 2016, p. 2. 134. Foxtel, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, op. cit., p. 2. Foxtel made a similar point in its submission regarding the ED, stating: it’s not clear whether its broadcasting and content infrastructure and facilities will also be

subject to the new protection obligations’: Foxtel, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 2. 135. Foxtel, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, op. cit., pp. 3-4; Foxtel, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 4. 136. Foxtel, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, op. cit., p. 4; Foxtel, Submission to

AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., pp. 3-4. 137. Foxtel, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, op. cit., p. 4. 138. AGD, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, submission no. 4, 3 February 2016,

p. 15.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 29

… the provider would still be required to notify of changes to other parts of their business that apply to the provision of other services, such as telephony and broadband access. 139

The PJCIS Advisory Report has recommended that the Bill clarify that in circumstances where a broadcaster is exempt from being treated as a carriage service providers under the Telecommunications Act 1997, they are also not intended to be subject to the obligations set out in the Bill.140

Concerns about retrofitting Some stakeholders raised concerns that compliance with the security obligation would require expensive retrofitting of existing facilities, systems and networks.141 For example, the Associations argued that the security obligation will apply ‘without further distinction of the age of the systems, networks and facilities (jointly systems) or whether systems are already existing and in place vs. newly installed systems.’142

The Associations indicated that ‘industry could face very high costs to rebuild existing networks’ if required to ‘retrofit or remove existing facilities’143 and therefore recommended:

• ‘the legislation itself ought to be amended to reflect the intention to not require retrofits except in rare and extremely serious circumstances’ or

• ‘the legislation should include a sunset clause on the ability to issue a direction for a network retrofit’ and limit the ability of the government to require retrofitting to ‘12 months after the expiry of the implementation period (i.e. two years after the date of Royal Assent)’ which the Association argued ‘would provide at least some element of certainty for C/CSPs as to the longevity of existing systems’.144

Despite these concerns, it would appear unlikely that carriers or CPSs will be required to conduct extensive retrofitting to comply with the security obligations. The Explanatory Memorandum notes:

C/CSPs are not expected to retrofit all systems on commencement of this security obligation. However, there may be very rare cases where a significant security vulnerability is found in an existing system that could facilitate acts of espionage, sabotage and foreign interference. In such cases, government agencies will seek to work with the provider to develop cost effective solutions to better manage the risks posed by the existing vulnerability. Subject to how serious the security risk is and how willing the C/CSP is to collaborate with government to manage the risk, the Attorney-General could issue a direction requiring mitigation measures to be implemented.

145

Notification regime—overview The CAC liaises between security and law enforcement agencies and the telecommunications industry, and is committed to supporting industry in understanding its interception capability obligations.146 Currently section 202B of the TIA Act requires carriers and NCSPs to notify the CAC within the AGD of planned changes to telecommunications systems and services which are likely to have a material adverse effect on the ability of the carrier or NCSP to meet its obligations:

• under the TIA Act (for example, retaining telecommunications data (‘metadata’) under section 187A)

139. Ibid., p. 16. 140. PJCIS, Advisory report, op.cit, p.42. 141. Associations, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, op. cit., pp. 3, 18; Macquarie Telecom, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, submission no. 2,

February 2016, p. 3. 142. Associations, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, op. cit., p. 18. 143. Ibid., p. 3. 144. Ibid., p. 18. 145. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 24. 146. AGD, ‘Interception capability plans’, AGD website, n.d.; Under section 6R of the Telecommunications (Interception and Access) Act 1979 (TIA

Act), the CAC is the Secretary of the Department (AGD) or a person specified in a legislative instrument by the Minister to be the CAC. Under the TIA Act the CAC has various powers related to authorisations, consultation with ACMA, the Information Commissioner, declaring the application of various parts of the TIA Act to carriers, and service providers, approving and amending data retention implementation plans, granting exemptions from certain the obligations imposed on service providers or carriers by the TIA Act: see for example sections 183, 187B, 187E, 187F, 187G, 187H, 187J, 187K, 187KA, 192, 196, 197 of the TIA Act.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 30

• under section 313 of the Act (that is, preventing networks and facilities being used to commit offences and also providing reasonable assistance to authorities for the purposes of enforcing criminal and pecuniary laws, protecting public revenue and safeguarding national security).

Proposed section 314A is modelled on section 202B and will require carriers and NCSPs to notify the CAC of individual proposed changes to networks and services which could have a material adverse effect on its ability to comply with the proposed security obligations. The CAC will have the power to exempt carriers and NCSPs from the notification requirement in full or part.147

Proposed section 314C will also provide carriers and NCSPs with the option of submitting an annual SCP that forecasts multiple proposed changes to their systems and services (in lieu of making multiple individual notifications) that sets out how it proposes to meet the security obligation in light of those proposed changes.

Individual notifications Proposed subsections 314A(1) and (3) provide that carriers and NCSPs are to notify the CAC in writing of its intention to implement proposed individual changes to networks and services if that change ‘is likely to have a material adverse effect’ in its ability to comply with the security obligations in proposed subsections 313(1A) and (2A).

Types of changes to be notified Proposed subsection 314A(2) provides a non-exhaustive list of the types of changes to a telecommunications system or service that must be notified by the carrier or NCSP:

• providing one or more new telecommunication services

• changing the location of notifiable equipment (including moving equipment outside Australia)

• procuring notifiable equipment (including procuring equipment that is located outside Australia)

• entering into outsourcing arrangements:

- to have all or part of the telecommunication services provided or managed for the carrier or NCSP - to have all or some information to which section 276 of the Act applies managed for the carrier or NCSP (for example, information or documents that relate to the contents or substance of a communication that has been carried by a carrier or NCSP (‘metadata’)) or

- to have all or some information to which section 276 applies (for example, metadata) accessed by persons outside Australia.148 The Explanatory Memorandum provides further guidance about the types of matters in relation to which carriers and NCSPs would be expected to notify the CAC about. In particular the Explanatory Memorandum notes that carriers and NCSPs would be expected ‘to notify the CAC when they are planning changes to these more sensitive or vulnerable parts of networks’ and that the administrative guidelines would ‘outline what is expected of C/CSPs to comply with the notification obligation’.149

When notification should occur The draft guidelines also outline that it is in the C/CSP's best interests to notify as early as possible, such as early in the stages of considering a C/NCSP finalising any business plans, contracts or negotiations and before entering into any binding undertakings.150

More specifically, the draft guidelines suggest that the obligation should be discharged:

• in relation to procurement or acquisition: before taking any steps as part of the decision-making approach (such as before issuing a request for quote, tender or otherwise approaching the market) to allow security considerations to be built into the proposal from the start and

147. Proposed subsections 314A(4)-(7). 148. Section 276 of the Telecommunications Act 1997 contains an offence for the unauthorised disclosure and use of certain information. This includes information that ‘relates to’ the contents or substance of a communication that has been carried by a C/CSP; carriage services supplied or intended to be supplied to another person; and the affairs or personal particulars (including any unlisted telephone number or

any address) of another person (and hence included metadata as it ‘relates to’ the content of communications). 149. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 28. 150. Ibid., p. 29.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 31

• in relation to offshoring plans: before any plans are finalised (and as early as possible) to allow the carrier or CSP to receive advice from ASIO and the CAC regarding the process and thereby prevent inadvertently exposing the networks to an increased risk of espionage, sabotage and foreign interference activities.151

Notification obligation only triggered where a proposed change is likely to have a ‘material adverse effect’

However, the notification obligation is only triggered where:

• a proposed change is likely to have a ‘material adverse effect’, that is ‘an actual or measurable negative impact on the ability of the C/CSP’ to comply with security obligations to protect networks from risks of unauthorised access and unauthorised interference and

• the carriers or NCSPs ‘becomes aware’ that the implementation of a proposed change is likely to have a material adverse effect on the capacity of the carriers or NCSPs to protect telecommunications networks and facilities, which recognises that ‘C/NCSPs are well-placed through their practices and processes to identify risks associated with proposed changes’.152

The draft guidelines indicate that carriers and NCSPs will be able to contact a hotline at AGD for advice as to whether a proposed change constitutes a material adverse change.153

Exemptions from the notification obligation Proposed subsections 314A(4)-(7) allow the CAC to provide (in writing) exemptions to a carrier or NCSP from the operation of proposed section 314A generally or from the requirement to provide notifications in relation types of changes specified in the notice of exemption.

The policy intent underlying the granting of exemptions from the notification obligation is to allow non-critical or low-risk parts of a carriers’ or CSPs’ business to be exempted, thus reducing the regulatory burden imposed by the notification regime.

When determining whether to grant an exemption, the CAC will seek advice from ASIO regarding security risk profile of a company which in turn would be based on factors such as:

• the percentage of market share of the entity applying for the exemption (the larger the customer base the greater the aggregated data)

• the sensitivity of the customer base (some customers will have more information of a sensitive nature being communicated and held on networks and facilities than others—including government and critical service providers, science and research organisations, large or significant commercial organisations, and large healthcare provider organisations (or their suppliers and business partners) and

• the criticality of the network (for example, where the telecommunications network or service supports the delivery of other critical services such as power, water, health, banking or where it provides services to critical customers).154

The Explanatory Memorandum notes that it is envisaged that ‘classes of providers may be exempt from the notification requirement on the same grounds, for example, exemptions may relate to a particular type of low risk service or network operator’ based on the factors such as those noted above.155 However, the draft guidelines note that ‘there is no application process’ for carriers or NCSPs wanting to be exempted from the notification obligation (in part or in full’ and instead the ‘CAC will decide if and when to grant any exemption’ based on advice received from ASIO noted above.156

The PJICS Advisory Report recommended that the Bill be amended to outline the application process for exemptions from notification requirements, noting that the Attorney-General’s Department is ‘open’ to amending the Bill to include an exemption application process.157

151. Ibid., pp. 29-30. 152. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 28. 153. AGD, ‘Telecommunications Sector Security Guidelines (Draft version)’, op. cit., p. 27. 154. Ibid. 155. Ibid. 156. AGD, Telecommunications sector security guidelines (draft version), op. cit., pp. 25-26. 157. PJIC Advisory report, op.cit. p.57.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 32

Annual Security Capability Plans Proposed section 314C allows carriers and NCSPs to submit an annual SCP to the CAC. Annual SCPs are a mechanism by which carriers and NCSPs can notify the CAC of its intention to implement one or more proposed changes to networks and services if those change ‘are likely to have a material adverse effect’ its ability to comply with the security obligations.158

Further, SCPs will provide carriers and NCPSs with ‘an opportunity to outline proposed changes within the context of the company’s approach to security management’, and thereby ‘streamline the process of assessing the security risks associated with each proposed change and ultimately provide the CAC (and ASIO) with sufficient information to assess whether proposed changes can be implemented without further engagement with government agencies’.159

Types of changes that can be included in a SCP Proposed subsection 314C(4) provides that the types of changes to a telecommunications system or service that can be notified by the carrier or NCSP to the CAC in an annual SCP includes (but is not limited to) the types of changes listed in proposed subsection 314A(2) as well as any types of changes specified by the CAC in a legislative instrument issued under proposed subsection 314C(5). The draft guidelines noted:

… security capability plans should only include changes that are likely to have a material adverse effect on the capacity of the C/NCSP to comply with their obligation to protect their networks and facilities from unauthorised access or interference under subsections 313(1A) and (2A). 160

The use of SCPs to forecast changes Whilst SCPs can be used to forecast and advise the CAC of proposed future changes, the draft guidelines note that as a matter of practicality there are limits to ‘how far in advance’ a SCP ‘should capture proposed changes’ as (when the CAC’s maximum of 60 days to consider notifications covered in a SCP is considered):

… it may not be feasible to include changes that have tight deadlines for implementation and which require CAC consideration in a shorter timeframe to avoid delaying a project. 161

The draft guidelines further note that to ‘maximise the benefit’ of submitting a SCP, it should, at a minimum ‘forecast proposed changes to systems and services for the upcoming 12 months’.162 The draft guidelines also note that carriers or NCSPs that choose to submit as SCP ‘are encouraged to notify proposed major changes such as development of a new service or network as soon as possible’ but that the SCP should:

… include sufficient detail about each proposal to enable the CAC and security agencies to adequately assess whether the proposed change is likely to give rise to national security risks. 163

Further, the major limiting factors on the length of time that a SCP can be used to forecast proposed changes include the proposed subsection 314C(8) which restricts carriers and NCSPs from submitting one SCP per year, and prevents a previously submitted SCP from being updated during that 12-month period.164

Other information that can be included in a SCP Proposed subsections 314C(6) and (7) provide that an annual SCP may also include the practices, policies and strategies adopted by the carrier or NCSP to comply with the security obligations and any measures or proposed measured to mitigate the risk of unauthorised interference or access to telecommunications networks or facilities. The draft guidelines provide the following examples of other types of information that can be included in a SCP:

158. Proposed subsection 314D(2). 159. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, pp. 31-32. 160. AGD, Telecommunications sector security guidelines, op. cit., p. 31. 161. Ibid. 162. Ibid. 163. Ibid., pp. 31-32. 164. Ibid., p. 32.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 33

• a description of the risk assessment processes used to identify and manage security risks on networks, systems and services

• arrangements and mechanisms in place for overseeing contracted managed service provider compliance with security requirements and so forth (for example standard contract terms concerning personnel, logical and physical security requirements and access restriction and how compliance with these terms is monitored and enforced) and

• any assurance processes for vetting security practices of a vendor.165

The draft guidelines also note that a CSP can ‘detail any current or proposed mitigation measures or controls to reduce the risk of unauthorised access or interference’ and this this could ‘include access controls in systems or oversight arrangements that are proposed to be built into contracts with third parties’.166 The AGD notes that the inclusion of such additional information in a SCP:

… will help expedite the assessment of the security plan by security agencies by reducing the likelihood that the CAC will need to request additional information from a C/CSP about a proposed change. 167

The Explanatory Memorandum also notes that where a carrier or NCSP includes information about its ‘security polices, practises and strategies’ in a SCP, it could help:

… streamline the process of assessing the security risks associated with each proposed change and ultimately provide the CAC (and ASIO) with sufficient information to assess whether proposed changes can be implemented without further engagement with government agencies. 168

However, the Explanatory Memorandum also notes that submission of a SCP is ‘not intended to remove the need to engage with ASIO’ either ‘where this is already occurring or where ASIO considers it necessary’ to ensure a carrier or NCSP complies with the security obligation.169

Interaction between SCPs and individual notification regime Annual Security Capability Plans Proposed subsection 314E(1) provides that where an annual SCP is submitted, the carrier or NCSP is not required to notify those proposed changes under the individual notification regime. However, proposed subsection 314E(2) does require that where a carrier or NCSP becomes aware of any modification to proposed changes notified to the CAC through an annual SCP ‘are likely to have a material adverse effect’ its ability to comply with the security obligations in proposed subsections 313(1A) and (2A) then those modifications must be individually notified under proposed section 314A.

Interaction between SCPs and exemptions from the notification regime generally Whilst proposed subsections 314A(4)-(7) allow the CAC to provide exemptions from the notification obligation, this does not apply to the SCP process as it is not mandatory, with the Explanatory Memorandum noting that any carrier or NCSP exempted from making individual notifications for planned changes to telecommunications systems and services ‘would also be expected not to submit a SCP’.170

Assessment of notified proposed changes Proposed sections 314B (individual notifications) and 314D (annual SCPs) deal with the assessment of proposed changes to a telecommunications system or service by the CAC.

If the CAC considers that further information about the proposed change is required to assess whether there is a risk of unauthorised interference with, or unauthorised access to telecommunications networks or facilities that would be prejudicial to security the CAC may, in writing, require the carrier or NCSP to provide such further

165. Ibid. 166. Ibid. 167. Ibid. 168. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 32. 169. Ibid. 170. Ibid., p. 34.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 34

specified information.171 Such a notice must be given to the carrier or NCSP within 30 days of the individual notification being provided to the CAC, or 60 days of the annual SCP being given to the CAC.172

If after considering an individual notification or annual SCP or any further information provided in response to a notice issued request further information, the CAC is satisfied that, in relation to the proposed change:

• there is a risk of unauthorised interference with, or unauthorised access to, telecommunications networks or facilities and

• that risk would be prejudicial to security (as defined by reference to the definition of that term in the ASIO Act)173

then the CAC must give a written notice to the carrier or NCSP:

• advising the carrier or NCSP provider of the relevant risk

• setting out security obligations and

• setting out the consequences for the carrier or NCSP for not complying with the security obligations.174

Proposed subsections 314B(4) and 314D(4) provide that a notice issued by the CAC of the above kind ‘may also set out the measures’ the CAC ‘considers the carrier or provider could adopt to eliminate or reduce’ the relevant risk.

Proposed section 314B does not prevent a carrier or NCSP from implementing the proposed change within the 30 day period specified for the CAC to assess the proposed change or following a notice provided to the carrier or NCSP by the CAC under proposed subsection 314B(3).175 However, when viewed in the context of the powers provided to the Attorney-General under proposed section 315B, and the (likely) advice provided by ASIO and other government agencies, arguably a carrier or CSP should comply with any measures proposed by the CAC to eliminate or reduce the relevant risk to avoid the risk of potentially breaching the security obligations or having a direction issued to it by the Attorney-General covering the same or substantially similar matters.176

If, after considering the notification or annual SCP (and any further information requested) the CAC is satisfied that the proposed change does not create a risk of unauthorised interference with or access to telecommunications networks of facilities, the CAC must provide a written notice to that effect to the carrier or NCSP.177

The CAC must issue the relevant notice to the carrier or NCSP within the following timeframes (as applicable):

• within 30 days (in the case of individual notifications) or 60 days (in the case of annual SCPs) of the individual notification or SCP being provided to the CAC or

• as soon as practicable and no later than 30 days (in the case of individual notifications) or 60 days (in the case of SCPs) after the carrier or NCSP provided further information in response to a request from the CAC.178

Importantly, the 30 or 60 day time limit for a formal response from the CAC runs from when the individual notification or annual SCP is received but that time-limit effectively ‘re-sets’ each time the CAC requests further information.179 This has attracted some criticism, discussed below.

Criticism of notification regime Both the individual notification regime and annual SCP regime have been criticised by stakeholders on a number of grounds.

171. Proposed subsections 314B(1) and 314D(1). 172. Proposed subsections 314B(2) and 314D(2). 173. Proposed paragraphs 314B(3)(a) and (b) and proposed paragraphs 314D(3)(a) and (b).See also the definition of the term ‘security’ in proposed subsections 314B(7) and 314D(7).

174. Proposed paragraphs 314B(3)(c)-(e) and 314D(3)(c)-(e). 175. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 30. 176. The reasons for this are set out at paragraphs [144]-[148] and [161]-[163] of the Explanatory Memorandum to the Bill. 177. Proposed subsections 314B(5) and 314D(5). 178. Proposed subsections 314B(6) and 314D(6). (Notices issued under proposed subsection 314D(6) may relate to one or more proposed changes

to an SCP.)

179. Proposed paragraphs 314B(6)(b) and 314D(6)(b).

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 35

Logic of the approach The Associations argued that ‘the basic logic of the approach’ underpinning the notification regime ‘continues to be fundamentally flawed’ on the basis:

… if … C/CSPs have a “duty to do their best to protect telecommunications networks and facilities from unauthorised interference, or unauthorised access”, then anything “likely to have a material adverse effect on their capacity to comply with this duty” cannot exist - irrespective of any notification and potential subsequent authorisation - without already causing a breach of the obligation “to do their best to protect”. Doing something that may adversely affect protection while not breaching the obligation cannot co-exist with the duty to do one’s best to protect, whether notified or authorised, or not.

180

The Associations argued that the principle underpinning the notification regime should be:

• carriers and CSPs ‘have a duty to do their best to protect their networks’ and

• where they ‘seek to do one or more of the following: [list of specific items], notification is required’.181

Asymmetry of the notification requirements The Associations noted that the proposed notification regime may require carriers and CSPs to ‘engage with Government early in their planning, design and procurement activities’ but that the Bill did not impose an ‘equivalent obligation on Government to proactively notify’ carriers and CSPs ‘early when it becomes aware of security threats’ to carriers and CSPs telecommunications networks or facilities.182 The Associations argued:

It appears highly inefficient that C/CSPs are obliged to proactively notify Government of proposed changes to their networks (i.e., outsourcing, offshoring, equipment procurement or change in management) and proposed risk mitigation strategies while Government is not compelled to equally notify C/CSPs of any potential or real security threats to networks and facilities. This means that C/CSPs may receive an adverse security assessment and, consequently, commit scarce resources to developing risk mitigation strategies based on incomplete or no threat information from Government. This is an inefficient process and is likely to add to compliance costs which ultimately will be borne by consumers.

183

The Associations recommended that the Bill be amended to require the Government to proactively make carriers and CSPs ‘aware of any known security threats to their networks and facilities’ through a newly established ‘single point of truth and advice facility’, such as a Threat Advisory Service.184

Inconsistency with the direction regime The Associations noted that the requirement that there be an adverse security assessment before the directions powers can be used by the Attorney-General does not apply to the notification and consultation processes that precede the issuing of a direction and argued:

This allows the Attorney-General to apply pressure onto C/CSPs without a formal basis for doing so. 185

The Associations recommended that ‘the adverse security assessment be a prerequisite for the entire process rather than just its last step’.186

Length of time to finalise a decision As noted above, the Bill provides that the CAC must respond to individual notifications in 30 days and to SCPs in 60 days. However, if the CAC seeks further information from the carrier or CSP the Bill provides for the CAC’s decision-making time period be ‘re-set’ and commence again with a further full decision-making period (30 or 60

180. Associations, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 3 February 2017, p. 12. 181. Ibid. 182. Ibid. 183. Ibid. 184. Ibid. 185. Ibid., p. 15. 186. Ibid., p. 15.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 36

days) starting from when the carrier or CSP responds to the information request. Optus was critical of this approach, stating that in response to the second Exposure Draft of the Bill:

This approach raises the prospect of extended overall decision-making periods (with providers bearing the additional commercial risk and uncertainty), well beyond the 30 or 60 day periods envisaged in the main legislative provision. It would be more appropriate for the 30 or 60 day clock to ‘stop’ for the duration of the period it takes the applicant to respond to the information request, and then for the ‘clock’ to resume, starting with the same number of elapsed days as when the information request was made.

187

The corresponding provisions in the second Exposure Draft of the Bill provided simply that the CAC must issue a notice ‘within’ 30 or 60 days (as applicable) of the carrier or NCSP providing the further information. The Bill as introduced contains the additional requirement that the CAC must respond as soon as practicable and no later than 30 or 60 days (as applicable) after the carrier or NCSP provided further information. However, it is not clear that this amendment will fully address the concern raised by Optus on the second Exposure Draft. Further, in its submission to the PJCIS on the Bill, Optus noted that the Bill is ‘silent on what occurs if these timeframes are not met by the CAC’188 and argued that ‘this places an unacceptable commercial risk on providers’ and recommended that the Bill should provide:

The Bill should outline what the outcome will be if the CAC does not respond with the required timeframe. In Optus’ view, if the CAC does not respond with a decision within the specified time limits, the notification or SCP should be deemed agreed unless formal notice is provided by the CAC of an extended assessment period with a revised notification date. Such a notice should be open to administrative review and further deadlines so it cannot be rolled over indefinitely.

189

Unnecessary interference with commercial decisions of carriers and CSPs Vodafone Hutchison Australia (Vodafone) argued that the notification regime, along with other aspects of the Bill, would ‘dramatically impact the incentives for outcomes orientated collaboration and impose significant costs and commercial risks into the telecommunications industry’.190

TPG Telecom Limited Group also expressed similar concerns and argued that the proposed notification regime is ‘unreasonably lengthy and is intrusive on the ordinary operations of the Telco’.191

Offshoring Macquarie Telecom noted that whilst it ‘very concerned at the prospect of the costs and intrusion into its commercial operations’ resulting from the regime proposed by the Bill, it ‘takes a different view in relation to the potential impact the legislation may have on the practice of offshoring infrastructure’.192 Macquarie Telecom noted:

Macquarie Telecom considers that the benefits of retaining certain types of data within Australia outweigh any additional costs of using onshore infrastructure and services… Macquarie Telecom Group contends that Australian based services and infrastructure can be efficient, innovative and cost effective. From a security and intelligence perspective, Australian based services and infrastructure can allow a high degree of collaboration and access between industry and security agencies (within an appropriate framework).

193

187. Optus, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 3. 188. Optus, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, submission no. 1, 3 February 2017, p. 7. 189. Ibid. 190. Vodafone Hutchison Australia (Vodafone), Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation

Amendment Bill 2015, n.d., pp. 3-4. 191. TPG Telecom Limited Group (TPG), Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, 18 January 2016, p. 2. 192. Macquarie Telecom, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, submission no. 2,

February 2017, p. 3. 193. Ibid., p. 4.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 37

Macquarie Telecom concluded that there is ‘significant risk in offshoring certain data and considers it important that Australia retains sovreignty [sic] over certain types of information’.194 However, overall Macquarie Telecom nonetheless expressed concern over ‘the real possibility’ that the Bill ‘could stimie [sic] its ability to innovate and respond to changes in technology and customer demand’ and ‘could lead to increased security threats as the implementation of new technology is delayed or deferred due to concerns about any approvals required from Government’.195

Despite Macquarie Telecom’s concern, the principal concern of industry stakeholders in relation to the offshoring of services or equipment appears to be that the security obligation would impose a legal obligation on carriers and CSPs to exert control over aspects of networks and facilities that they use, including those located offshore, over which they may not have legal or physical control.

It is argued that this requirement may limit the extent to which carriers and CSPs can utilise offshoring arrangements, which could reduce Australia’s international competitiveness with respect to investment and innovation in the telecommunications sector. For example, the security obligations of carriers and CSPs under the Bill might be incompatible with the laws of the foreign jurisdiction in which the network or facility is located, such as obligations to provide assistance to law enforcement or intelligence agencies of that foreign country (or potentially its allies). It is also possible that a carrier or CSP may not have ownership of the relevant infrastructure and therefore cannot take the steps considered necessary to protect the network.196

The CEO of the Communications Alliance, Mr John Stanton, also gave evidence to the PJCIS that the offshore storage of data did not, in his organisation’s opinion, present an elevated security risk compared to onshore storage:

Senator McKENZIE: … My question goes to managing risk and the increasing propensity of our Australian providers to offshore aspects of their operations and the subsequent increase in risks in that for all of us—not just you but also us. It is something that we need to manage. Also, you are obviously offshoring as a result of competitive tensions. Are there things we need to change in the bill to address that, or are you comfortable with the measures within the bill around your need to offshore certain aspects—and increasingly it seems that the trend continues— and our ability to manage the risks to the Australian public?

Mr Stanton : …I will start with the underlying premise, which is that offshoring is inherently more risky than storing data onshore. To my mind it is not so much about geography; it is about security and the robustness of the arrangements that you have got in place, whether they be in Australia or offshore. 197

However, in contrast the draft guidelines appear to indicate that the practice of offshoring necessarily raises security concerns because it creates a greater level of vulnerability to espionage and sabotage:

Offshoring raises security concerns because it enables access and control to critical parts of major Australian telecommunications networks outside of Australia, this can facilitate foreign intelligence collection (espionage) and disrupt the network itself (sabotage). Risks arise where control and supervision arrangements have the potential to allow unauthorised actions by third parties, such as theft of customer data or sabotage of the network.

198

The draft guidelines further identify some specific security vulnerabilities presented by offshoring arrangements, which appear to focus on the outsourcing or sub-contracting of some of a carriers or CSPs activities to third party providers located overseas: The draft guidelines state:

Foreign solutions often function in different legal and cultural environments which present a number of potential national security risks and vulnerabilities, further exacerbated by an operator's lack of security visibility or involvement in:

194. Ibid., p. 4. 195. Ibid., p. 4. 196. See, for example, Associations, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 3 February 2017, pp. 13-14.

197. M Stanton (CEO, Communications Alliance), Evidence to PJICS, Inquiry into Telecommunications and Other Legislation Amendment Bill 2016, 16 February 2017, p. 8. 198. AGD, Telecommunications sector security guidelines, op. cit., p. 30.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 38

• the use of cloud services and infrastructure, and where they are located

• equipment running out of a foreign country and integrated back into the main network of an operator in Australia

• staff recruitment (including staff vetting processes) where the general culture around these processes may not be on par with Australian requirements, noting that the staff may also not share a sense of corporate loyalty to the operator

• the procurement and management of third party equipment vendors

• a solution being run under a vendor's security policy, which may not align with Australian legislation, best practice and/or existing compliance requirements or with the operator's own risk profile.

C/CSPs should seek specific guidance from government agencies if they are unsure of the particular risks posed by their existing and planned supplier arrangements. 199

As such, the security of data retained offshore and the use of offshore service providers by carriers and CSPs would appear to be unresolved issues of concern to a range of stakeholders.

Unclear thresholds and unnecessarily broad scope of application Optus argued that the notification obligations imposed by proposed subsections 314A(1) and 314C(2) are ‘expressed in a way that creates a logic trap and an associated compliance risk for providers which is not satisfactory’. 200 Optus also expressed concern about how that threshold would be applied and how the decisions of carriers and CSPs would be viewed, noting that if (based on the information it has available) a carrier or CSP forms a view that change is not notifiable and proceeds on this basis:

• it runs the risk ‘that some ‘after-the-event’ investigation’ by the CAC will draw a different conclusion and

• therefore be found to have breached the notification and security obligations, even though the security assessment may have been based on information which the CAC (or a security agency) conducting such an investigation had ‘uniquely available to it and to which the provider was not privy when considering the threshold question’.201

As a result, Optus recommend that the drafting of proposed subsections 314A(1) and 314C(2) should be reviewed to take into account the above concerns.202

Foxtel also noted that the notification requirements in proposed section 314A may also apply to ‘its broadcasting and content infrastructure and facilities’.203 Foxtel therefore sought ‘clarification that networks and facilities used to supply broadcasting and content services are not intended to be subject to … the notification requirements in section 314A’.204

Foxtel argued that because broadcasting and content services do not carry sensitive corporate or government information or sensitive, confidential information about law enforcement activities, protected information or potentially disclose the location of politicians or other protected persons and they are not essential to the delivery and support of critical services, such as, power, water and health they should be excluded from the security and notification obligations. As result, Foxtel recommended that proposed section 314A be amended to

199. Ibid., p. 9. 200. Optus, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, op. cit., p. 5. 201. Ibid., p. 2. 202. Ibid. 203. Foxtel, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 2. 204. Ibid., p. 2; Foxtel, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, op. cit., pp. 3-4: ‘Foxtel

considers it should be clarified that where infrastructure and facilities are used solely or principally for the supply of broadcasting services it is not subject to the proposed reforms … Foxtel requests the Committee recommend there be further clarification … about the purpose and application of the proposed … notification requirements … to clarify that infrastructure and facilities used solely or principally for broadcasting or content services are not intended to be subject to this additional regulation’.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 39

expressly exclude networks and facilities to the extent that these are used to supply broadcasting services and content services (as defined by the Broadcasting Services Act 1992) from the notification requirements.205

Foxtel argued that such amendments would ‘provide clarity and certainty in relation to the application of the regulatory framework in future’.206 In that regard it is worth noting that the Explanatory Memorandum notes that it is envisaged that ‘classes of providers may be exempt from the notification requirement’ potentially including subscription television services (see the discussion above under the heading ‘Exemptions from the notification obligation’).207 This would appear to suggest an intention to deal with this issue via exemptions granted by the CAC, and the proposal to develop an approach to the granting of exemptions during the implementation phase.

Directions by the Attorney-General

Current position Currently subsection 581(3) of the Act provides that the Attorney-General may (after consulting the Prime Minister and Minister administering the Act208) direct a carrier or CSP to cease operating a telecommunications service where the proposed or continued operation of that service is, or would be, prejudicial to security. The Explanatory Memorandum notes that the power provided under subsection 581(3) of the Act is:

… an extreme measure and only appropriate for managing the most extreme national security risks given the potentially significant flow on consequences for the affected company’s business, their customers, and possibly the broader Australian economy. For these reasons the power has not been exercised to date. 209

Subsection 581(4) of the Act provides that a person must comply with a direction given under subsection 581(3). In turn, compliance with the Act (and hence directions issued under subsection 581(3) area standard licence condition (as per item 1 of Schedules 1 and 2 to the Act). This means that non-compliance with a direction issued under section 581 of the Act may amount to a breach of licence conditions. It may also be a civil penalty provision and attract other remedial action under section 68-69 and 101-102 of the Act. Collectively this means that such directions have a degree of regulatory force to ensure compliance. However, current subsection 581(3A) of the Act prevents the power from being expressed ‘to apply to the supply of a carriage service to a particular person, particular persons or a particular class of persons’.

The Bill repeals subsections 581(3) and (3A) of the Act in order to re-locate it within the TSSR framework in proposed Division 5 of Part 14.210 Proposed section 315A largely replicates the power in existing subsection 581(3), with some procedural changes. The Bill will also grant the Attorney-General a new and separate directions power to direct a carrier or CSP to do or refrain from doing something.

Power to require a carrier or CSP to cease operating a telecommunications service The first power (provided in proposed section 315A) is modelled on existing subsections 581(3) and (3A).211 It allows the Attorney-General to direct a carrier or CSP to cease operating a telecommunications service where the proposed or continued operation of that service is, or would be, prejudicial to security (‘shutdown power’).

Whilst it is modelled on existing subsections 581(3) and (3A), and is not intended to change the operation or effect of the power, there are some differences relating to the issuing requirements, and provisions for the statutory judicial review of decisions to issue directions.212 The first difference is that ASIO must have issued an adverse security assessment before the Attorney-General can exercise the power.213 The second difference is

205. Ibid., pp. 3-4. 206. Ibid., p. 4. 207. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 29. 208. This is the Communications Minister: Administrative Arrangements Order, 1 September 2016, p. 9. 209. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 3. 210. Schedule 1, items 27-29. 211. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 35. 212. Ibid. 213. Proposed subsection 315A(3), Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 35.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 40

that the current limitation on judicial review of a direction under the ADJR Act is removed.214 These are discussed below.

However, prior to discussing those differences it is worth noting that proposed subsection 315A(2) replicates existing subsection 581(3A) and hence will prevent the Attorney-General from issuing directions that apply to a particular person, particular persons or a particular class of persons—they must apply to a carrier or CSP generally.

When a direction to cease operating a telecommunications service is given to a carrier or CSP, a copy of the direction must be provided to the ACMA and proposed subsection 315A(5) provides a person must comply with the direction.215 In turn, compliance with the Act (and hence directions issued under proposed section 315A) area standard licence condition (as per item 1 of Schedules 1 and 2 to the Act). This means that non-compliance with a direction issued under proposed section 315A of the Act may amount to a breach of licence conditions. It may also be a civil penalty provision and attract other remedial action under section 68-69 and 101-102 of the Act. Collectively this means that such directions have a degree of regulatory force to ensure compliance.

It is also worth noting that the Explanatory Memorandum states that the directions power is:

… intended to be used in the most extreme circumstances where the continued operation of the service would give rise to such serious consequences that the entire service needed to cease operating. 216

Further, the Government also notes that in relation to the directions power provided by current subsection 581(3) of the Act (which does not contain the limitations on its exercise that proposed section 315A has) that ‘it is such an extreme measure that it has never been used’ and that it is ‘designed for use in exceptional or extreme cases only to prevent harm to Australia’s interests’.217 This would suggest that the ‘shut down’ power contained in proposed section 315A is also only designed for use in exceptional or extreme cases, only to prevent harm to Australia’s interests, and only when there has been an adverse security assessment provided by ASIO. In other words, the ‘shut down’ power proposed by the Bill will be more limited (and will have greater review and appeal rights) than the current power provided by subsection 581(3) of the Act.

Requirement for an adverse security assessment from ASIO The first difference is a new restriction on the powers is provided under proposed subsection 315A(3): a direction cannot be issued to a carrier or CSP unless an adverse security assessment in respect of the relevant carrier or CSP is given to the Attorney-General. This is a change from the current regime, where there is no requirement for an adverse security assessment prior to issuing a direction under section 581 of the Act.

Briefly, security assessments are a means by which ASIO provides advice. They only consider factors related to ‘security’ and ‘are not character checks and factors such as criminal history, dishonesty or deceit are only relevant to ASIO’s advice if they have a bearing on security considerations’.218 An adverse security assessment is where ‘ASIO recommends that a prescribed administrative action be taken … or not taken’.219 In the context of the proposed TSSR regime, a ‘prescribed administrative action’ could relate to approving SCP (and hence proposed changes) or issuing a direction to a carrier or CSP.

Adverse security assessments are subject to merits review under Division 4 of Part IV of the ASIO Act. The notification requirements under s 38A of the ASIO Act also apply.

Allowing review of directions under the ADJR Act The second difference is that decisions to issue directions made under proposed section 315A will now be subject to judicial review. Item 32 of Schedule 1 of the Bill removes the limitation currently imposed on directions issued under subsection 581(3) of the Act. The Explanatory Memorandum notes:

Currently, while judicial review of a direction to cease a service would likely be available through the High Court’s original jurisdiction, the process is more complicated and does not provide as many grounds of review. Removing

214. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 35. 215. Proposed subsections 315A(4) and (5). 216. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 35. 217. Ibid., p. 14. See also p. 58. 218. ASIO, ASIO’s security assessment function, ASIO, Canberra, September 2013, p. 1. 219. Ibid.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 41

the current exemption will enable a C/CSP to seek judicial review under the ADJR Act and therefore increase the transparency and accountability of the direction process. It will also align with the review rights provided under the new directions power in subsection 315(2) which will also provide for judicial review under the ADJR Act. 220

Power to require a carrier, CSP or intermediary to do or refrain from doing a specified act The second power, provided in proposed subsection 315B(2) allows the Attorney-General to direct a carrier, CSP or intermediary to do or refrain from doing a specified act. The relevant act must be connected to:

• the operation by a carrier or CSP of telecommunications networks or facilities or

• the supply of a carrier service by a carrier or CSP (or when supply is arranged by an intermediary).221

To exercise the power, the Attorney-General must be satisfied:

• there is, in connection with one of the above activities:

- a risk of unauthorised interference with, or unauthorised access to, telecommunications networks or facilities - the risk would be prejudicial to security (by reference to the meaning of that term in the ASIO Act) and • requiring the carrier, CSP or intermediary to do, or refrain from doing, the specified act or thing is reasonably

necessary for purposes relating to eliminating or reducing the abovementioned risk.222

‘Prejudicial to security’ means activities relevant to security, which can reasonably be considered capable of causing damage or harm to Australia, the Australian people, or Australian interests, or to foreign countries to which Australia has responsibilities.223

The Explanatory Memorandum notes that the power in proposed section 315B ‘is intended to reduce the need to rely on the existing powers under subsection 581(3) of the Act’ (and therefore also proposed section 315A). The Explanatory Memorandum also notes that it ‘is intended to be used in a cooperative way alongside engagement with industry’ but ‘it is expected this power will be used only as a last resort to achieve compliance’ or where ‘C/CSP would prefer the certainty of a formal direction’.224 Whilst proposed section 315B ‘is an intrusive power’225 it is subject to a number of thresholds and safeguards.

First, proposed subsection 315B(4) provides that a direction cannot be issued by the Attorney-General unless they have received an adverse security assessment in respect of the carrier, CSP or intermediary (for discussions regarding adverse security assessments, refer to ‘Requirement for an adverse security assessment from ASIO’ above, which is equally applicable to proposed section 315B).

Second, proposed subsection 315B(3) provides the Attorney-General must be satisfied that providing a direction is ‘reasonably necessary’ for the purposes of eliminating or reducing the risks of unauthorised interference with (or access to) telecommunications networks or facilities that would be prejudicial to security.

Third, proposed subsections 315B(5) and (8)-(10) provide that a direction cannot be issued by the Attorney-General until:

• they have consulted the Minister administering the Act (and any other persons the Minister sees fit)226

• gives to the carrier, CSP or intermediary a written notice setting out the proposed direction that includes an invitation to make written representations to the Attorney-General in relation to the proposed direction within the period specified in the notice (which must be at least 28 days after the notice is given, unless the

220. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 36. 221. Proposed paragraphs 351B(1)(a)-(c). 222. Proposed subsections 315B(1) and (3). 223. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 35; ASIO, ‘Attorney-General’s guidelines’,

n.d.; ASIO, Attorney-General's guidelines in relation to the performance by the Australian Security Intelligence Organisation of its function of obtaining, correlating, evaluating and communicating intelligence relevant to security (including politically motivated violence), n.d., (made under s 8A of the ASIO Act), para 4.1(b) at p. 3). 224. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, pp. 14-15 and p. 36. 225. Ibid., p. 15. 226. Proposed paragraph 315B(8)(a) and proposed subsection 315B(10).

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 42

Attorney-General specifies a shorter period because he or she considers it necessary to do so because of urgent circumstances)227

• has had ‘regard to any such representations made within that period’228

• they are satisfied that reasonable steps have been taken to negotiate in ‘good faith’ with the carrier, CSP or intermediary ‘to achieve an outcome of eliminating or reducing’ the relevant risk229 and

• has had regard to the matters listed in proposed subsection 315B(6) (discussed below).

Requirement to consult with other Ministers Proposed subsection 315B(8) provides that the Attorney-General must consult with the Minister administering the Act before issuing a Direction. Proposed subsection 315B(10) then provides that proposed subsection 315B(8) does not limit the persons with whom the Attorney-General may consult, prior to issuing a Direction. The Explanatory Memorandum notes that this mandatory consultation requirement and flexibility to consult with other persons is designed to ensure:

… the exercise of the power takes into account broader communications policy considerations, for example, any potential impact on the telecommunications sector, including effects for competition… This requirement imposes a high degree of scrutiny and accountability on the Attorney-General’s exercise of this power. Mandatory consultation with the Minister for Communications highlights the significance of the decision and will ensure a range of views inform the Attorney-General’s exercise of the directions power and the Attorney-General takes into account factors such as the potential impact for the affected C/CSP, end-users and the economy more broadly.

230

By way of example, the Explanatory Memorandum explains that proposed subsection 315B(1) would allow the Attorney-General to consult with other Ministers with an interest ‘such as the Minister for Foreign Affairs and Trade where there are international sensitivities’ and that this would result in directions being ‘informed by the advice of other security agencies and relevant government agencies’ through such consultations.231

However, proposed paragraph 315B(8)(b) also imposes mandatory consultation with the affected carrier or CSP. This is because the Attorney-General is required to write to the carrier or CSP and notify them of the intention to issue a Direction. However in addition, the Attorney-General must also provide a draft Direction, and provide the carrier or CSP the opportunity to make written representations about it. In practice, the Attorney-General will ‘generally provide the C/CSP with a copy of the draft direction at the time he/she provides the ASIO security assessment (as required under the ASIO Act)’.232

When the above procedures are considered, it is apparent that it is possible for:

• an adverse security assessment to be provided to the carrier or CSP and

• at some later point in time, the Attorney-General to provide the carrier or CSP with the draft Direction.

Whilst it could be argued that the material in the adverse security assessment may allow a carrier or CSP to start processes and steps to ensure compliance with its TSSR obligations related to the contents of the adverse security assessment, alternatively it could be argued that a more efficient method would be to include a statutory obligation to provide the draft direction at the same time the carrier or CSP is notified about the adverse security assessment, rather than the as part of the (presumably later) notice requirement in proposed subparagraph 315B(8)(b)(i).

Requirement to negotiate in ‘good faith’ with the carrier, CSP or intermediary In relation to the requirement to negotiate in ‘good faith’ with the carrier, CSP or intermediary ‘to achieve an outcome of eliminating or reducing’ the relevant risk imposed by proposed subsection 315B(5), the Explanatory Memorandum states:

227. Proposed subparagraphs 315B(8)(b)(i)-(ii) and proposed subsection 315B(9). 228. Proposed subparagraph 351(8)(b)(iii). 229. Proposed subsection 315B(5). 230. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 39. 231. Ibid., p. 40. 232. Ibid., p. 39.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 43

Good faith in this context is intended to impose a requirement that engagement is genuine and solutions-focussed and all reasonable options for addressing the risk are considered by both parties. This provision is intended to underpin the entire objective of the security framework which is to facilitate cooperative and collaborative government and industry partnership to manage national security risks to the telecommunications sector.

233

In addition to the good faith requirement that underpins consultations with the potentially affected carrier, CSP or intermediary, proposed subsection 315B(9) requires that (absent urgent circumstances) the consultation period must be ‘at least’ 28 days after the proposed direction is given. This means that, barring where the Attorney-General considers it necessary to shorten the consultation period due to urgent circumstances, a carrier, CSP or intermediary will generally have adequate time to consider the draft Direction and adverse security assessment, and potentially seek a merit review of the adverse security assessment (which would in effect stay ‘the process for issuing a direction’).234 Reflecting the gravity of the direction power, the Explanatory Memorandum notes:

… the Attorney-General’s power to issue directions under sections 315A or 315B cannot be delegated (unlike the Secretary of AGD’s information-gathering powers under section 315C which may be delegated to the Director-General of Security- see notes on Division 6 below). There is also no implied power to authorise an official to exercise the power to issue directions on the Attorney-General’s behalf.

235 (emphasis added)

Proposed subsection 315B(6) provides that in addition to the above, the Attorney-General must, before issuing a direction,’ have regard to the following matters:

• the adverse security assessment

• the costs, in complying with any direction, that would be likely to be incurred by the carrier, CSP or intermediary

• the potential consequences that any direction may have on competition in the telecommunications industry

• the potential consequences that any direction may have on customers of the carrier, CSP or intermediary.

The subsection also provides that ‘the Attorney-General must give the greatest weight to the matter’ mentioned in proposed paragraph 315B(6)(a): the adverse security assessment.

Proposed subsection 315B(7) provides that proposed subsection 351B(6) does not limit the matters to which the Attorney-General may have regard (that is, the mandatory considerations do not preclude the Attorney-General from having regard to other considerations at his or her discretion).

It is unclear on the face of the provisions whether any discretionary considerations taken into account— consistent with the recognition in proposed subsection 315B(7)—would also be subject to the requirement in proposed subsection 315B(1) that the Attorney-General must give the greatest weight to the adverse security assessment.

It appears that the requirement to give greatest weight to the adverse security assessment is limited to the mandatory considerations in proposed subsection 315B(6). If this interpretation is accepted, then it would theoretically be open to the Attorney-General to place a greater degree of weight on discretionary considerations as determined in the circumstances of individual cases, as compared to an adverse security assessment (and any other mandatory considerations) prescribed by proposed subsection 315B(6).

In the absence of explanation in the EM, it is unclear whether this result is intended.

Criticisms of the directions powers Both the directions powers contained in proposed sections 315A and 315B have been criticised on various grounds.

233. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 38. 234. Ibid., p. 39. 235. Ibid., p. 40.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 44

Potential to undermine investment decisions and reduce competition A number of stakeholders expressed a view that the powers contained in proposed sections 315A and 315B amounted to inappropriate interference in the commercial decisions of telecommunications companies.

For example, TPG stated that the power to ‘tell Telcos what to do about their networks and facilities’ will ‘undermine sound investment decisions made by industry’.236 Further, TPG also argued that there is a risk that that decisions about whether to issue a Direction ‘could be inappropriately influenced by the prevailing socio-political climate or the relationship (or lack of a relationship) with the Government of the day’ instead of being ‘based on the need to promote network security’ (so that vendors of equipment are motivated to compete based on their security credentials)’.237

Likewise, Vodafone argued that the use of the directions power ‘potentially limits competition especially where the pool of technology vendors for particular equipment is in low single digits, increasing the chance that this draconian approach runs afoul of anti-competition laws’.238

Inappropriate weighting given to adverse security assessments A number of stakeholders expressed concerns at the factors that the Attorney-General must consider before issuing a Direction in proposed subsection 315B(6) and the emphasis placed on the adverse security assessment.

For example, TPG noted that whilst the power to issue a Direction under proposed section 315B is limited to circumstances where the Attorney-General has received an adverse security assessment ‘this does little to limit the potential favouring of one particular manufacturer of equipment, or a particular country’s manufacturer, as against other manufacturers’.239 TPG also argued that whilst the power provided by proposed section 315B to direct a carrier, CSP or intermediary to do or refrain from doing specified acts requires the Attorney-General to have regard to the compliance costs and burdens and competition implications ‘the Attorney General is free, and is indeed required, to discount such considerations in favour its consideration of the adverse security assessment’.240 Optus likewise noted that the Attorney-General must give the greatest weight the adverse security assessment and argued:

… this decision-making “bias” be removed by deleting this sentence. If it is retained, the most likely practical outcome would be for this factor to dominate decision-making. This outcome would have the effect of undermining the point of including the factors (b), (c) and (d) in the list of decision-making factors in the first place. It is critical that this coercive power only be exercised in the full understanding of its practical impact and for these other aspects to be given suitable weight and potential to influence decisions.

241

Optus also recommended that proposed subsection 315B(6) be amended to include a new paragraph (e) which would require the Attorney-General to consider ‘whether the network or service to which the proposed direction would apply is critical national infrastructure or a critical service’.242 Optus argued that such an amendment would:

… ensure decision-making takes into account a view, not just of costs, customer impact, competition and security as currently proposed, but also the significance of the infrastructure or criticality of the service in the national context and in the context of the network and services which the providers offers to the public in Australia. The addition of this factor would also assist to align the exercise of the power to give directions with the stated policy intent of protecting critical national infrastructure.

243

Vodafone also argued that despite the obligation to negotiate in good faith before issuing a Direction, the directions powers posed a risk that agencies would ‘invoke the security assessment as a reason not to

236. TPG, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 3. 237. Ibid., p. 4. 238. Vodafone, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 3. 239. TPG, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 4. 240. Ibid. 241. Optus, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 4. 242. Ibid. 243. Ibid.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 45

collaborate with a service provider to find more reasonable and just as effective national security outcomes’ and this would in turn limit competition.244

In relation to concerns about the weighting given to adverse security assessments in proposed subsection 315B(6) the Government notes:

The harm to security is to be given the greatest weight in this balancing exercise to ensure that Australia’s security interests are properly safeguarded despite potential impacts on the C/CSP, competition and end-users. The requirement to have regard to other factors, in addition to the risk to security, will ensure that a direction is proportionate and reasonable in all of the circumstances and guard against imposing directions that would possibly address security risks but have an unnecessary crippling effect on the C/CSP’s business or impede market innovation and competition.

245

As such, it appears that the Government has (through the consultation process regarding the ED) considered the stakeholder concerns discussed above and determined that as the reforms are aimed at ensuring security, proposed subsection 35B(6) aims to ensure that a balance between security issues and non-security issues such as cost and competition is struck, without necessarily requiring equilibrium between those factors.

The impact of uncertain definitions and the opacity of adverse security assessments The LCA noted that the rule of law is predicated on the basis that laws are both readily known and available, and certain and clear. In that regard, in relation to the thresholds proposed by the Bill the LCA noted that ‘any process that may result in substantial impacts on providers and potentially the services provided to consumers must be, to the extent possible, transparent.’246

The LCA argues that because issuing of an adverse security assessment is not required to be based on conventional standards of proof such as a 'balance of probabilities' test and the specific criteria by which ASIO make their assessments are also largely unknown (beyond that it must relate to ASIO's functions and the definition of security in section 4 of the ASIO Act) the proposed provisions resulted in uncertainty:

… as to when a cyber risk or threat will be considered to be of a sufficient level of seriousness to warrant the issuing of a direction by the Attorney-General. 247

The LCA concluded that as it was also ‘unclear whether a risk or prejudice to security must be substantial, likely, imminent or of severe potential impact before an adverse security assessment is issued’ that the threshold was not sufficiently transparent and recommended:

… the exercise of the directions powers should only be permitted where there is a sufficient level of risk to security to justify the exercise of the powers. This could be achieved, for example, by amending subsection 315B(1) to require that the Attorney-General is satisfied that there is a substantial and imminent risk of unauthorised interference with, or unauthorised access to, telecommunications networks or facilities that would be prejudicial to security.

248 (emphasis added).

The LCA also noted that the definition of ‘prejudicial to security’—which forms part of the thresholds that must be satisfied before the shut down or directions power can exercised—is not defined in the Bill itself.249 The meaning of ‘prejudicial to security’ is not defined in the ASIO Act, but is instead defined in guidelines issued under section 8A of that Act as meaning activities relevant to security, which can reasonably be considered capable of causing damage or harm to Australia, the Australian people, or Australian interests, or to foreign countries to which Australia has responsibilities.250

244. Vodafone, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 3. 245. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, pp. 38-39. 246. LCA, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 3. 247. Ibid., p. 3. 248. Ibid., p. 3. 249. Ibid., p. 3. 250. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 35; ASIO, ‘Attorney-General’s guidelines’,

n.d.; ASIO, Attorney-General's Guidelines in relation to the performance by the Australian Security Intelligence Organisation of its function of obtaining, correlating, evaluating and communicating intelligence relevant to security (including politically motivated violence), n.d., (made under s 8A of the ASIO Act), para 4.1(b) at p. 3).

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 46

The LCA again reiterated that ‘the rule of law requires that the law must be both readily known and available, and certain and clear’ and that ‘this requires that key terms should be defined’.251 The LCA therefore recommended that the term 'prejudicial to security' should be defined in the legislation itself so as to ensure:

• that the definition of 'prejudicial to security' could not be redefined without ‘adequate Parliamentary scrutiny’ and

• that the Attorney-General's directions powers under proposed subsections 315A(3) and 315B(4) could only be exercised in the circumstances intended by the Explanatory Memorandum.252

Whilst legislative certainty regarding definitions is an often-sought goal, a statutory definition of ‘prejudicial to security’ may have adverse security implications because it would require the Parliament to decide the relevant criteria in the abstract, necessarily without the benefit of intelligence about threats to Australia’s security (as well as without the detailed knowledge of the security environment that the Attorney-General would possess due to his or her portfolio responsibility for ASIO). This is why the ASIO’s guidelines are non-legislative instruments, as recommended by the Hope Royal Commission in 1984, and are partially classified (as a compromise, the unclassified portions must be tabled in Parliament under section 8A of the ASIO Act).

Lack of consultation requirement in shutdown power TPG noted that in contrast to the direction power contained in proposed section 315B (which requires the Attorney-General undertakes good faith negotiations with carriers, CSPs or intermediaries before issuing a direction) the shutdown power provided by proposed section 315A could be exercised by the Attorney-General without any need to consult with the impacted carrier, CSP or intermediary.253 TPG argued that the shutdown power ‘should be subject to judicial oversight rather than just a bare power for the executive branch’.254

The Government argues that the directions power in proposed section 315B is intended to supplement the shutdown power in proposed section 315A and hence is aimed at enabling ‘other action to be taken to address a security risk where the circumstances do not require the complete shut-down of the service’.255

As such, the shutdown power provided by proposed section 315A ‘will remain the ultimate protection measure where action needs to be taken immediately to protect Australia’s security interests’ and therefore:

For these reasons, some of the additional requirements and protections included in the new directions power under section 315B, for example the Attorney-General must be satisfied all reasonable steps have been taken to reach agreement and consult the affected C/CSP in good faith, are not replicated in the existing provision. However, alternative safeguards are provided for use of the power under section 315A through the requirement to consult the Prime Minister, in addition to the Minister responsible for administering the Telecommunications Act, the Minister for Communications.

256

Whilst as noted above, TPG argues that the shutdown power should be subject to judicial oversight, decisions to issue a direction under proposed section 315A can be challenged through:

• a merits review of the adverse security assessment (which is a necessary pre-condition of giving a direction) and

• judicial review of the decision to issue a direction itself.257

Information gathering and sharing powers The Bill proposes to give the Attorney-General’s Secretary (Secretary) a number of coercive information gathering powers, as well as information sharing powers, in relation to assessing compliance with the new security obligations imposed by proposed subsections 313(1A) and 313(2A) inserted by items 8 and 9 (discussed above).

251. Ibid., p. 4. 252. Ibid., p. 4. 253. TPG, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 4. 254. Ibid. 255. Explanatory Memorandum, p. 35. 256. Ibid. 257. Explanatory Memorandum, pp. 35-26.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 47

Power to obtain information or documents Proposed section 315C provides that when the Secretary ‘has reason to believe’ that a carrier, CSP or intermediary has information or a document that is relevant to assessing compliance with the security obligations they may issue a written notice requiring them to give the Secretary:

• any information or documents (in a form specified) within a specified time-period or

• copies of documents (in a form specified) and produce them within a specified time-period.258

However, proposed subsection 315C(4) provides that before the Secretary (or the Director-General of Security in the event that the Secretary delegates his or her powers to the Director-General)259 issues such a notice, they must ‘have regard to’ the costs that would be incurred by the carrier, CSP or intermediary in complying with the notice. Proposed subsection 315C(5) provides that proposed subsection 315C(4) does not limit the matters to which the Secretary (or the Director-General as the Secretary’s delegate) may have regard at their discretion. Once issued, proposed subsection 315C(3) provides that a person must comply with such a notice.

This means that non-compliance with a Direction issued under proposed section 315CA of the Act may amount to a breach of licence conditions. It may also be a civil penalty provision and attract other remedial action under sections 68-69 and 101-102 of the Act. Collectively this means that such directions have a degree of regulatory force to ensure compliance.260

Content of notice to produce information or documents Proposed subsections 315C(6) and (7) provide that if a notice to produce information or documents is issued, it must set out a number of matters including:

• if the notice is issued to a carrier:

- the effect of proposed subsection 315C(3) (which requires a person to comply with the notice) - section 68 of the Act (a carrier or person must comply with the conditions of its carrier licence—which includes compliance with the Act, TIA Act and other legislation)261 - section 570 of the Act (which sets out the pecuniary penalties for contravention of the Act’s civil penalty

provisions) - Part 1 of Schedule 1 of the Act (which provides that a standard conditions of a carrier licence includes compliance with the Act TIA Act and other legislation)262 - Sections 137.1 and 137.2 of the Criminal Code (which are offences for providing false or misleading

information or documents) • if the notice is issued to a CSP or an intermediary:

- the effect of proposed subsection 315C(3) (which requires a person to comply with the notice) - section 101 of the Act (a service provider must comply with the service provider rules—which includes compliance with the Act, TIA Act and other legislation)263 - section 570 of the Act (which sets out the pecuniary penalties for contravention of the Act’s civil penalty

provisions) - Part 1 of Schedule 2 of the Act (which provides that a service provider rule includes compliance with the Act TIA Act and other legislation)264

258. Proposed subsections 315C(1) and (2). 259. Proposed section 315G. (The Secretary may delegate certain of his or her information-gathering powers to the Director-General of Security, by a written instrument of delegation. In exercising delegated powers, the Director-General is required under proposed subsection 315C(2) to comply with any directions the Secretary may issue.)

260. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 42: ‘Non-compliance with a notice to provide information or documents will constitute a breach of the Telecommunications Act and will attract the operation of the civil remedies regime in Part 30 (injunctions), Part 31 (civil penalties) and Part 31A (enforceable undertakings) of the Telecommunications Act. The Bill authorises the Attorney-General to bring proceedings to enforce these remedies for non-compliance with a notice issued under section 315C.’

261. Telecommunications Act 1997, Schedule 1, section 1: a carrier must comply with the Telecommunications Act 1997, the Telecommunications (Consumer Protection and Service Standards) Act 1999 and Regulations under that Act and Chapter 5 of the Telecommunications (Interception and Access) Act 1979.

262. Ibid. 263. Telecommunications Act 1997, Schedule 2, section 1: a service provide must comply with the Telecommunications Act 1997, the Telecommunications (Consumer Protection and Service Standards) Act 1999 and Regulations under that Act and Chapter 5 of the Telecommunications (Interception and Access) Act 1979.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 48

- Sections 137.1 and 137.2 of the Criminal Code (which are offences for providing false or misleading information or documents).

Availability of compensation Proposed subsection 315C(8) provides that a carrier, CSP or intermediary is entitled to be paid ‘reasonable compensation’ for complying with a requirement to provide copies of a document to the Secretary under proposed paragraph 315C(2)(c). In contrast, no compensation is available for compliance with a notice to produce information or documents issued under proposed paragraphs 315C(2)(a) and (b).

This approach is consistent with section 523 of the Act (in relation to the ACMA’s information-gathering powers). This may suggest an intention that compensation is for the costs of producing copies, rather than foregone productivity or other business costs as a result of searching for and producing documents, or providing information in compliance with a notice.

Abrogation of privilege against self-incrimination The information-gathering power in proposed section 315C (combined with the provision on self-incrimination in proposed section 315D, discussed below) will operate to override reasons for non-disclosure and compel the provision of information or documents. The compulsion element has the effect of authorising the disclosure of personal information under the Privacy Act (that is, the disclosure is authorised by law) and offers a statutory protection for breach of confidentiality provisions in contracts.

Proposed subsection 315D(1) abrogates the privilege against self-incrimination by providing that a person is not excused from giving information or providing a document (or a copy of a document) under proposed section 315C on the grounds it might tend to incriminate the person or expose them to a penalty.

However, as is relatively common with such types of coercive powers, the abrogation of the privilege against self-incrimination is accompanied by ‘use’ and ‘derivative use’ immunities.265 Proposed subsection 315D(2) provides that where such information is given or a document (or copy of a document) is provided under proposed section 315C that information, document or copy or any information, document or thing obtained as a direct or indirect consequence of giving the information, document or copy is not admissible in evidence against the individual who provided it in:

• criminal proceedings other than proceedings for an offence against sections 137.1 and 137.2 of the Criminal Code (offences for providing false or misleading information or documents) or

• civil proceedings other than proceedings under section 570 of the Act related to the recovery of a penalty for contravening proposed subsection 315(C)(3) (failing to comply with a notice to give information, provide a document or copy).

Information sharing Proposed section 315H authorises the further use or disclosure of information or documents obtained under proposed sections 314A, 314B, 314C, 314D, 315C and 315H to persons other than the Secretary or their delegate.

However, proposed subsection 315H(1) provides that any such disclosure must be either for the purpose of assessing compliance with the security obligations or for the purposes of security (within the meaning of that term in the ASIO Act). The Government notes:

In practice it is likely that information sharing may take place between relevant government agencies, such as with the Department of Communications and the Arts or the Australian Signals Directorate. For example, information or documents may be shared in cases where technical expertise or assistance is required to assess risks to security. It may also be used to inform the Attorney-General or other relevant Ministers for the purpose of exercising the

264. Ibid. 265 ‘Use’ immunity is defined as where a person is required to answer questions which would tend to incriminate or expose him or herself to a penalty, any information or evidence given that would tend to incriminate the person may not be used against him or her directly in court. In comparison, ‘derivative use’ immunity is where any information or evidence given that would tend to incriminate the person may not be used

to gather other evidence against that person: AGD, A guide to framing Commonwealth offences, infringement notices and enforcement powers, AGD, Canberra, September 2011, pp. 97, 98.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 49

Attorney-General’s power in new section 315A (previously subsection 581(3), or more broadly for the purposes of security. ‘Security’ is defined by reference to the ASIO Act. The powers would therefore also potentially authorise sharing of information or documents with state authorities and international partners, pursuant to the ASIO Act and formal information sharing arrangements with those countries.

266

In addition to the above restriction on the purposes of disclosure, proposed subsection 315(2) provides that a person must not disclose information or documents obtained under proposed sections 314A, 314B, 314C, 314D, 315C and 315H to the extent the information is ‘identifying information’ or the document (or copy) contains ‘identifying information’ to persons who are not are not Commonwealth officers (some stakeholders criticised the breadth of the definition, as discussed below).267 The term ‘identifying information’ is defined in proposed subsection 315H(4) as ‘information that identifies the carrier, carriage service provider or carriage service intermediary concerned’. Proposed subsection 315H(3) provides that, subject to the disclosures permitted under section 315H, a person who obtains information or a document under proposed sections 314A, 314B, 314C, 315C or 315H must treat that information or document as confidential.

Protection of commercially sensitive information The intent of proposed subsection 315H is to enable the disclosure of information as necessary for the purposes of security, while also protecting commercially sensitive information provided by carriers, CSPs and intermediaries. It seeks to balance interests in security and the confidentiality of commercially sensitive information primarily by requiring the Secretary, Director-General of Security or other Commonwealth officers who have access to the information or documents to remove information that identifies the carrier, CSP or intermediary before sharing them outside of the Australian Government.268 The Government notes:

In practice, information would only likely be shared outside Commonwealth Government officials for reasons of providing threat information and intelligence to foreign partners in support of reciprocal information sharing arrangements. Australia is dependent on intelligence provided under these arrangements to support preparation of its own threat advice to Australian companies. C/CSPs will not be advised when information is shared with foreign partners as this could potentially compromise national security by identifying the types of issues considered by security agencies and the nature of sharing arrangements.

Only information that does not identify the C/CSP (i.e. the threat-based information) would be shared in these circumstances and information shared in these circumstances is protected through formal arrangements such as a Memorandum of Understanding. In practice, this would involve removing the identifying details of the C/CSP such as company name and logo before the information or documents are shared … Information and documents would be shared with other security agencies and foreign intelligence partners to better protect national security. It would not be shared with a C/CSP’s competitors or with other stakeholders who may gain a commercial advantage from seeing this information. Subsection 315H(3) also imposes a confidentiality obligation on people who obtain information and documents. This would include protection of information and documents in line with Australian Government policies and procedures and only disclosing the information or documents for the purposes of section 315H or where otherwise provided for under other legislation.

269

Protection of personal information In addition to safeguards directed to the protection of commercially sensitive information, the broader legislative framework within which the Bill will operate may provide some protection to personal information that may be contained in information or a document obtained under proposed sections 314A-314D, 315C and 315H. In particular, the Explanatory Memorandum notes that Australian Government agencies subject to the

266. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 43. 267. ‘Commonwealth Officer’ is defined in proposed subsection 315H(4) as including (a) a person who is in the employment of the Commonwealth, other than a person who is engaged outside Australia to perform duties outside Australia as an employee; or (b) a person who holds or performs the duties of any office or position established by or under a law of the Commonwealth; or (c) a member of the

Australian Defence Force; or (d) the Commissioner of the Australian Federal Police, a Deputy Commissioner of the Australian Federal Police, an AFP 9 employee, a special member or a special protective service officer (all within the meaning of the Australian Federal Police Act 1979). Importantly, this includes persons employed by the Director-General of Security, on behalf of the Commonwealth, under subsection 84(1) of the Australian Security Intelligence Organisation Act 1979. 268. Ibid. 269. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, pp. 43-44.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 50

Privacy Act 1988 are required to protect, use, disclose and destroy personal information in line with the requirements of that Act. Accordingly, the Explanatory Memorandum states that information or documents proposed to be shared in accordance with the requirements of proposed section 315H would ‘therefore generally be de-identified prior to being shared to remove personal information’ except where ‘information about a particular person needs to be shared for the purposes of security’ (such as where information about an individual is directly relevant to a security threat).270 The complaints, investigation and enforcement mechanisms under the Privacy Act would be available in relation to disclosures that contravened the requirements of that Act.271

It is also worth noting that some Commonwealth agencies that are not subject to the requirements of the Privacy Act, such as intelligence agencies, are required to comply with administrative privacy rules or other administrative guidelines for the protection of personal privacy, which may offer some protections in for the use and handling of any personal information disclosed in accordance with proposed section 315H.272 Intelligence agencies’ compliance with applicable administrative rules or guidelines is subject to the independent oversight of the Inspector-General of Intelligence and Security (IGIS) under the Inspector-General of Intelligence and Security Act 1986.

Safeguards in relation to secondary disclosures made for the purposes of security Where information or a document obtained under proposed sections 314A-314D and 315C is shared with another person under proposed subsection 315H(1) for the purposes specified in proposed paragraphs 315H(1)(a) or (b), that provision appears to authorise the recipient to engage in subsequent (secondary) disclosures of that information for one or both of the purposes specified in proposed paragraphs 315H(1)(a) and (b). The Explanatory Memorandum states that proposed paragraph 315H(1)(b) would ‘potentially authorise sharing of information or documents with state authorities or international partners, pursuant to the ASIO Act and formal information sharing arrangements with those countries’ (emphasis added).273 As discussed below, however, proposed subsection 315H(1) would appear to allow secondary disclosures for the purpose of proposed paragraph 315H(1)(b) in a broader range of circumstances.

If ASIO proposes to engage in a secondary disclosure of information or documents ‘for the purposes of security’ under proposed paragraph 315H(1)(b), any such disclosure will be governed by the existing requirements contained in, or made under, the Australian Security Intelligence Organisation Act 1979 (ASIO Act) that authorise ASIO to communicate information obtained in the performance of its functions.274 Significantly, these requirements include the authorisation or approval of persons to communicate information, and a requirement for the prior Ministerial approval of authorities of other countries to which ASIO may communicate information.275 The ASIO Act contains criminal offences for the unauthorised communication of information.276ASIO’s compliance with the relevant statutory requirements, and supporting internal administrative guidelines, is also subject to the independent oversight of the IGIS.277

However, proposed subsection 315H(1) appears to allow a wider range of persons and agencies than ASIO to engage in secondary disclosures of information to other persons for the purposes specified in proposed paragraphs 315H(1)(a) and (b).

270. Ibid., p. 43, paragraph [210]. 271. For a useful summary, see: Office of the Australian Information Commissioner (OAIC), Guide to privacy regulatory action, June 2015. 272. For a useful summary of privacy rules applied to Australian Intelligence Community (AIC) agencies, see: Inspector-General of Intelligence and Security (IGIS), ‘AIC privacy protections’, IGIS website.

273. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, pp. 43-44. 274. See further: Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 44. 275. ASIO Act, subsections 18(1) and 18(3)-(4B) (authorisations in relation to the disclosure of intelligence and other information) and section 19 especially paragraph 19(1)(c) (cooperation with other entities for the purpose of ASIO performing its functions, including cooperation and

information-sharing with authorities of other countries approved by the Attorney-General). See further: Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 44, paragraph [216] which states that ‘in general, the types of foreign authorities that are approved by the Attorney-General perform broadly similar functions to ASIO, and include security and intelligence agencies, law enforcement, immigration and boarder control, and government coordination bodies’. 276. ASIO Act, subsection 18(2). See also sections 18A and 18B (offences for unauthorised dealings with records and the unauthorised making of

records of information, which apply to conduct that places information at risk of unauthorised disclosure that falls short of communication). 277. See further: Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 44.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 51

It is not clear whether there are any statutory or administrative safeguards in existence that would ensure a purported secondary disclosure of information or documents under proposed paragraph 315H(1)(b) was, in fact, rationally connected to, and necessary for, the purposes of security. It might be questioned whether every person or agency to which information is disclosed under proposed subsection 315H(1) would have the capacity to accurately assess this matter, or to assess the potential security implications of a secondary disclosure to a particular recipient or recipients.

Consideration might therefore be given to placing some further limitations on secondary disclosures of information or documents under proposed subsection 315H(1). This might be achieved in a variety of ways, such as: limiting the persons or agencies that can engage in secondary disclosures; limiting the range of persons or agencies to which secondary disclosures can be made; or making provision for administrative limitations, such as authorising the primary discloser of the information or documents to impose conditions or limitations on secondary disclosures in individual cases; or imposing requirements for the prior approval of certain proposed secondary disclosures (or proposed secondary disclosures to certain recipients).

Consequences for contravening the limitations on disclosure in proposed section 315H Although the Bill does not propose to create any specific sanctions for contravening the limitations on disclosure in proposed subsections 315H(1) and 315H(2) or the confidentiality obligation in proposed subsection 315H(3), a number of criminal and administrative sanctions may apply under existing legislation. For example, the Explanatory Memorandum notes:

[D]isciplinary action would be available under existing legislation for Australian Government employees who breach these provisions. Under the Public Service Act 1999 Australian Public Service employees must comply with all applicable Australian laws and could face disciplinary action for any breaches. Section 70 of the Crimes Act 1914 applies criminal sanctions to unauthorised disclosure of information by current or former Commonwealth officers. Many Australian state and territories have similar offences for unauthorised disclosure of information by public officials.

278

Noting that proposed section 315F allows the Attorney-General to retain documents and copies provided under proposed section 315C, the confidentiality of documents retained under the section would also be protected under existing legislative requirements that govern the use and disclosure of documents and information held for official purposes, including secrecy obligations and storage requirements under the Archives Act 1983.279

Viewed as a whole, the existing legislative obligations placed on Commonwealth officers, including criminal offences and administrative sanctions for contravention, would appear to operate with proposed subsection 315H(3) as an effective deterrent against unauthorised disclosure. However, as outlined below, some stakeholders have raised concerns about the scope of the disclosures capable of being authorised under proposed section 315H.

Criticisms of the information gathering and sharing powers

Concern about the definition of ‘identifying information’ Proposed subsection 315H(4) defines ‘identifying information’ for the purpose of information or documents obtained under proposed sections 314A, 314B, 314C, 314D and 315C as ‘information that identifies the carrier, carriage service provider or carriage service intermediary concerned’. As such, it does not apply to information that would identify individuals.

The OAIC recommended that this definition be amended to include ‘personal information’ within the meaning of that term in the Privacy Act, so that the limitation on disclosures to non-Commonwealth officers in proposed subsection 315H(2) would also apply to personal information.280

However, Australian Government agencies subject to the Privacy Act are required to protect, use, disclose and destroy personal information in line with the requirements of that Act. Noting that proposed section 315H ‘is

278. Ibid., p.45. 279. Ibid., p.42. 280. OAIC, Submission to PJCIS, Review of the Telecommunications and Other Legislation Amendment Bill 2016, 8 February 2017, pp. 2-3.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 52

intended to allow information to be shared for reasons of providing threat information and intelligence to foreign partners in support of reciprocal information sharing arrangements’, nonetheless:

Information or documents would therefore generally be de-identified prior to being shared to remove personal information, unless information about a particular person needs to be shared for the purposes of security (such as where information about an individual is directly relevant to a security threat). 281

The Government also notes that ‘the restrictions in section 315H will not override existing legislative provisions that authorise ASIO to communicate information obtained in the performance of its functions’ and:

Parliament has already set out the circumstances in which it is considered appropriate for an agency such as ASIO to be able to communicate information collected as part of the performance of its functions, including personal and other information collected under warrant. 282

If the recommendation of the OAIC to expand the definition of ‘identifying information’ in proposed subsection 315H(4) to include ‘personal information’ as defined in the Privacy Act were followed, there may be a risk the amendment would frustrate the intention that information (including personal information in some circumstances) should be shared with Australia’s foreign partners, including information in which an individual is identified where the information about that individual is directly relevant to a security threat.283 As such, implementation of the OAIC’s recommendation would require proposed subsection 315H(2) to contain an exemption for disclosures of personal information in such circumstances.

Concerns about information-gathering powers Vodafone expressed concern that the ‘sweeping’ information-gathering powers could be used to obtain information or documents from service providers ‘which could include documents that may contain commercially or personally sensitive information only some of which that may relate to matters specific to a security assessment’.284 TPG also expressed concerns about the information-gathering powers, describing them as ‘very wide’ and stated that they amounted to a power to ‘require the Telco to go on a fishing-expedition to establish compliance’ with the security obligations.285

Telstra noted that ‘there are no limits on the scope of information that may be required’ and therefore compliance with a requirement to provide information or documents ‘may be time consuming, costly and difficult’ as a carrier or CSP is essentially required to comply with ‘an open-ended request for information’ that may involve ‘many potential sources of information’.286

Concerns about information-sharing powers Despite the confidentiality obligation imposed by proposed subsection 315H(3) and the existing legislative obligations placed on Commonwealth officers and criminal offences related to the unauthorised disclosure of confidential information, Vodafone argued that the information-sharing power ‘is still too broad in the capability to demand and distribute commercially sensitive information’.287

Similarly, Telstra recommended that the definition of ‘identifying information’ in proposed subsection 315H(4) should be expanded to cover any information that could identify the carrier or CSP ‘including in combination with other reasonably accessible information.’288

Whilst acknowledging the introduction of a requirement to de-identify information acquired under proposed section 315C before disclosing it to a person other than a Commonwealth officer, Telstra argued that the process still posed:

281. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 44. 282. Ibid. 283. Ibid. 284. Vodafone, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 4. 285. TPG, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 4. 286. Telstra, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015,

22 December 2015, p. 5. 287. Vodafone, Submission to AGD, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 4. 288. Telstra, Submission to AGB, Second exposure draft of the Telecommunications and Other Legislation Amendment Bill 2015, op. cit., p. 5.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 53

… a real risk that a person with industry knowledge would be able to connect the remaining information to the relevant C/CSP. This is of particular concern when the disclosure is to a private third party who may, either now or in the future, work for Telstra's commercial competitors. 289

Telstra recommended that before disclosing any information to a person other than a Commonwealth officer that the Secretary should be required to provide the relevant carrier or CSP ‘with a copy of the information proposed to be disclosed’ and to then ‘consider in good faith’ any of the carrier’s or CSP’s comments and objections ‘including suggestions about how the information could be better de-identified’.290

The Explanatory Memorandum notes that carriers and CSPs will not be informed of proposed disclosures of information under proposed section 315H because this could ‘potentially compromise national security by identifying the types of issues considered by security agencies and the nature of sharing arrangements’.291

Reporting and oversight Proposed section 315J requires the Secretary to provide an annual report to the Attorney-General on the operation of the Bill as soon as practicable after the end of the relevant financial year. Proposed subsection 315J(3) requires the Attorney-General to cause the tabling of a copy of the report in each House of the Parliament within 15 sitting days of that House after receiving the report.

Item 3 of the Bill prevents duplication of reporting and oversight by providing that the ACMA is not required to monitor or report to the Communications Minister on the operation of the Bill’s provisions as part of its annual reporting obligations in relation to the Act. Item 3 inserts proposed paragraph 105(5B) which provides that the ACMA’s reporting obligation in paragraph 105(5A)(a) of the Act does not apply in relation to Part 14 of the Act to the extent that it has been amended by this Bill (if enacted).

The PJCIS has recommended that the Bill be amended to specify what should be included in the annual report including:

• the number of occasions the information-gathering powers have been exercised

• the number of notificaitons and security capability plans received

• regulatory performance measures, including the average response timeframes of the CAC to notifications and the proportion of responses made within the statutory timeframes

• details of the Government’s information-sharing arrangements with industry

• a summary of any feedback or complaints received from stakeholders and

• the number of occasions the directions-power have been exercised.

Concluding comments The overall objectives and approach of the Bill appear to be largely consistent with previous consideration of security of the telecommunications sector by the PJCIS and Government responses to that committee’s recommendations. Although stakeholders have expressed concerns that the regime favours security considerations over commercial or competition concerns, it appears that the Government has determined that security considerations should be given priority while seeking to ensure that completion and cost issues are considered in decision making processes.

The Bill’s reporting mechanism in proposed section 315J may enable Parliament and interested stakeholders to monitor and evaluate the operation of the proposed regime over time and assess whether an appropriate balance is struck in practice.

289. Ibid. 290. Ibid. 291. Explanatory Memorandum, Telecommunications and Other Legislation Amendment Bill 2016, p. 44.

Warning: All viewers of this digest are advised to visit the disclaimer appearing at the end of this document. The disclaimer sets out the status and purpose of the digest. Telecommunications and Other Legislation Amendment Bill 2016 54

© Commonwealth of Australia

Creative Commons

With the exception of the Commonwealth Coat of Arms, and to the extent that copyright subsists in a third party, this publication, its logo and front page design are licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Australia licence.

In essence, you are free to copy and communicate this work in its current form for all non-commercial purposes, as long as you attribute the work to the author and abide by the other licence terms. The work cannot be adapted or modified in any way. Content from this publication should be attributed in the following way: Author(s), Title of publication, Series Name and No, Publisher, Date.

To the extent that copyright subsists in third party quotes it remains with the original owner and permission may be required to reuse the material.

Inquiries regarding the licence and any use of the publication are welcome to webmanager@aph.gov.au.

Disclaimer: Bills Digests are prepared to support the work of the Australian Parliament. They are produced under time and resource constraints and aim to be available in time for debate in the Chambers. The views expressed in Bills Digests do not reflect an official position of the Australian Parliamentary Library, nor do they constitute professional legal opinion. Bills Digests reflect the relevant legislation as introduced and do not canvass subsequent amendments or developments. Other sources should be consulted to determine the official status of the Bill.

Any concerns or complaints should be directed to the Parliamentary Librarian. Parliamentary Library staff are available to discuss the contents of publications with Senators and Members and their staff. To access this service, clients may contact the author or the Library’s Central Enquiry Point for referral.

Members, Senators and Parliamentary staff can obtain further information from the Parliamentary Library on (02) 6277 2500.