Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024
4.1 This chapter outlines the key measures of the Security of Critical Infrastructure and Other Legislation Amendment (Enhanced Response and Prevention) Bill 2024 (ERP Bill).
4.2 The ERP Bill contains a number of amendments, primarily to the Security of Critical Infrastructure Act 2018 (SOCI Act), but also to the Telecommunications Act 1997 (Telecommunications Act), the Telecommunications (Interception and Access) Act 1979 (TIA Act) and the Australian Security Intelligence Organisation Act 1979 (ASIO Act).
4.3 The proposed amendments contained in the ERP Bill are intended to implement Shield 4 of the 2023–2030 Australian Cyber Security Strategy. Shield 4 relates to the protection of critical infrastructure and aims to place Australia in a position where the ‘array of critical infrastructure we rely on every day must be able to better prevent, respond, and be resilient to cyber attacks’ by 2030.
4.4 To achieve the 2030 vision, the Australian Government said it would:
- clarify the scope of critical infrastructure regulation
- strengthen cyber security obligations and compliance for critical infrastructure
- uplift cyber security of the Commonwealth Government
- pressure-test our critical infrastructure to identify vulnerabilities.
4.5 The ERP Bill contains six schedules:
- Schedule 1 would amend the definition of a ‘critical infrastructure asset’ in the SOCI Act to include data storage systems that store or process ‘business critical data’.
- Schedule 2 would revise Part 3A of the SOCI Act—which currently authorises the Minister to make certain directions in response to serious cyber security incidents—to broaden its application from cyber security incidents to all serious incidents, with the exception of intervention orders which would continue to only be available in relation to cyber security incidents.
- Schedule 3 would amend the definition of protected information in the SOCI Act and clarify the existing disclosure and information sharing provisions.
- Schedule 4 would introduce a new power for the Secretary of the Department of Home Affairs, or the relevant Commonwealth regulator, to order a relevant entity to vary its critical infrastructure risk management program—which Part 2A of the SOCI Act requires all critical infrastructure assets to have in place—where a ‘serious deficiency’ is identified.
- Schedule 5 would integrate the Telecommunications Sector Security Reforms into the SOCI Act and remove duplicative provisions from the Telecommunications Act.
- Schedule 6 would amend Part 6A of the SOCI Act to simplify the reporting requirements relating to changes in interest holders of systems of national significance.
Schedule 1: Definition of ‘critical infrastructure asset’ to include ‘data storage systems’
4.6 Division 2 of Part 1 of the SOCI Act sets out the definitions of terms used throughout the Act. Currently, section 9 of the SOCI Act provides that an asset is a ‘critical infrastructure asset’ if it is contained within a class of assets outlined within paragraphs 9(1)(a) to 9(1)(f). An asset may also be declared by the Minister under section 51 or prescribed by the rules to be a critical infrastructure asset. Subsection 9(2) also allows for any of the assets listed in subsection 9(1) to be prescribed by the rules as not being critical infrastructure assets.
4.7 Schedule 1 to the ERP Bill would amend the definition of ‘critical infrastructure asset’ by adding proposed subsection 9(7): ‘data storage systems’. Under the proposed amendment, certain data storage systems that store or process ‘business critical data’ used in connection with the asset would be considered as part of the critical infrastructure asset. If an asset is a critical infrastructure asset within the meaning of section 9 of the SOCI Act, a data storage system is determined to be a part of that critical infrastructure asset where:
- the responsible entity for the critical infrastructure asset owns or operates the data storage system;
- the data storage system is used, or is to be used, in connection with the critical infrastructure asset;
- business critical data is stored, or is processed in or by, the data storage system (whether or not other information is also stored, or is processed in or by, the data storage system);
- for a hazard where there is material risk that the occurrence of the hazard could have an impact on the data storage system, there is also a material risk that the occurrence of the hazard could have a relevant impact on the critical infrastructure asset.
4.8 Business critical data, which is already a defined term within the SOCI Act, means:
- personal information (within the meaning of the Privacy Act 1988) that relates to at least 20,000 individuals; or
- information relating to any research and development in relation to a critical infrastructure asset; or
- information relating to any systems needed to operate a critical infrastructure asset; or
- information needed to operate a critical infrastructure asset; or
- information relating to risk management and business continuity (however described) in relation to a critical infrastructure asset.
4.9 According to the Explanatory Memorandum to the ERP Bill, the purpose of the inclusion of the criteria for data storage systems in proposed subsection 9(7) is to make it clear that not all non-operational systems that hold business critical data should be captured, but rather only those where vulnerabilities could have a relevant impact on critical infrastructure. ‘Relevant impact’ is already defined in section 8G of the SOCI Act—essentially covering the direct or indirect impact of an incident on the availability, integrity or reliability of an asset; or the confidentiality of information about or held by it.
4.10 The Explanatory Memorandum provides two examples of data storage systems that would meet the criteria in subsection 9(7) of the SOCI Act:
- data storage systems that hold business critical data where there is inadequate network segregation between information and operational technology systems
- data storage systems that hold operational data such as network blueprints, encryption keys, algorithms, operational system code, and tactics, techniques and procedures.
4.11 The effect of this proposed amendment would be that the obligations imposed on a responsible entity under existing Part 2 (register of critical infrastructure assets) of the SOCI Act, as well as the critical infrastructure risk management program under Part 2A and the notification obligations under Part 2B, would extend to any qualifying data storage system associated with that critical infrastructure asset.
4.12 The amendments in Schedule 1 would also clarify that the responsible entity for the main critical infrastructure asset is the responsible entity for data storage systems that they own or operate. If the responsible entity outsources the data storage system to a third party, then that third party becomes responsible for the data storage system.
4.13 According to the Explanatory Memorandum, the amendments would ‘strengthen the protection of data storage systems and business critical data’. The Department of Home Affairs justified the expansion of the definition in the following terms:
The SOCI Act currently imposes positive security obligations on data storage and processing assets, where this is the primary function of the critical infrastructure asset. However, these obligations do not extend to the adequate protection of secondary systems related to other classes of critical infrastructure assets that hold ‘business critical data’.
Schedule 2: Amendments to Part 3A of the SOCI Act
4.14 Part 3A of the SOCI Act sets up a regime for the Australian Government to respond to serious cyber security incidents. If a cyber security incident has had, is having or is likely to have a ‘relevant impact’ on a critical infrastructure asset, the Minister may, in order to respond to the incident, authorise the Secretary of the Department of Home Affairs to issue one or more of the below directions to a relevant entity for the asset:
- an information-gathering direction which requires the relevant entity to give information to the Secretary
- an action direction which requires the relevant entity to do, or refrain from doing, a specified act or thing
- an intervention request which requires that the Australian Signals Directorate (ASD), as the ‘authorised agency’, do one or more specified acts or things.
4.15 Under the current Part 3A these actions are only available in response to a ‘serious cyber security incident’. However, under the proposed amendments in Schedule 2 to the ERP Bill, the regime would be broadened to apply to all serious incidents, not just serious cyber security incidents. ‘Serious incident’ is not defined in the SOCI Act and the Explanatory Memorandum advises that it is intended to take on its ordinary meaning. Schedule 2 would therefore amend Part 3A of the SOCI Act to allow the Secretary of the Department of Home Affairs to gather information or direct an entity to do or refrain from doing something, when authorised by the Minister, in response to an ‘all-hazards’ incident.
4.16 However, the power for the Minister to authorise the Secretary to request ASD to intervene would continue to be limited to serious cyber security incidents. The ERP Bill achieves this by adding proposed paragraph 35AB(10)(aa), which would introduce an additional requirement that the Minister must be satisfied the incident is a ‘cyber security incident’ before authorising intervention requests to be made. The intervention power is therefore not proposed to be expanded and would continue to only be available in response to a cyber security incident, as is the current law.
4.17 Schedule 2 makes another amendment within Part 3A relating to entities being directed to provide personal information. Proposed new subsection 35AB(9A) states that a direction referred to in paragraphs (2)(c) or (d) (relating to ‘action directions’) may require a specified entity to disclose specified personal information (within the meaning of the Privacy Act 1988) held by the entity to another specified entity for a specified purpose. Subsection 35AB(9B) would provide that the Minister could not give a Ministerial authorisation to this effect unless the Minister had obtained the agreement of the Minister administering the Privacy Act 1988.
4.18 Schedule 2 also makes a variety of consequential amendments to the SOCI Act to reflect the broadening of the response regime’s application from cyber security incidents to all serious incidents.
Schedule 3: Use and disclosure of information
4.19 Part 4 of the SOCI Act governs the gathering and use of information. Under the current law, the Secretary may require a reporting entity for, or an operator of, a critical infrastructure asset to provide certain information or documents. ‘Protected information’, which is defined in section 5 of the SOCI Act, currently includes, amongst other things, any information obtained by a person in the course of exercising powers, or performing duties or functions, under the SOCI Act.
4.20 The making of a record, or the use or disclosure, of protected information is authorised in particular circumstances, but is otherwise an offence. The privilege against self-incrimination does not apply in relation to a requirement to provide information or documents under Part 4 of the SOCI Act.
4.21 The current protected information provisions under the SOCI Act were designed to apply similar information sharing restrictions on private entities operating critical infrastructure to those imposed on public service employees. However, according to the Explanatory Memorandum, feedback from within government and industry has been that
the SOCI Act may, in some instances, unnecessarily limit the ability of Government, responsible entities and their employees to use or disclose information in the course of ordinary business, or mitigate relevant risk effectively. These limitations have the effect of hobbling the response to high risk or time sensitive events.
4.22 Schedule 3 to the ERP Bill would introduce a new section 5A, which would replace the current definition of ‘protected information’ and define it as a subset of ‘relevant information’.
4.23 ‘Relevant information’ would include any document or information that is obtained or generated by a person in the course of exercising powers, or performing duties or functions, under the SOCI Act; or any information obtained, generated or adopted by an entity for the purposes of complying with the SOCI Act. Proposed paragraphs 5A(3)(c)–(p) effectively replicate the existing non-exhaustive list (in current subsections 5(b)–(bl) in the SOCI Act’s definition of ‘protected information’) of the type of documents or information that would meet the more general definition of relevant information in paragraphs 5A(3)(a) and (b), and add an explicit reference to documents relating to a Ministerial direction under subsection 32(2) of the SOCI Act.
4.24 Proposed subsection 5A(1) would create a new definition of ‘protected information’ that applies a harm-based approach, being ‘relevant information’
- the disclosure of which would or could reasonably be expected to prejudice national security or the defence of Australia; or
- the disclosure of which would or could reasonably be expected to prejudice the social or economic stability of Australia or its people; or
- that contains, or is, confidential commercial information; or
- the disclosure of which would or could reasonably be expected to prejudice the availability, integrity, reliability or security of a critical infrastructure asset.
4.25 Schedule 3 to the ERP Bill also clarifies disclosure provisions throughout Part 4 of the SOCI Act ‘to enable more effective and timely sharing of information under the SOCI Act’. This includes amendments to:
- clarify that relevant entities may make a record of, use or disclose protected information where the purpose relates to the continued operation of an asset or to mitigate risks to that asset;
- introduce a definition for ‘authorised [Australian Public Service] APS employee’ and provisions which enable the Secretary to authorise APS employees to make a disclosure of protected information in the course of their duties – for example, by emailing documents to the entity;
- introduce a definition for ‘confidential commercial information’ which is included within the definition of protected information and reassures the owners and operators of critical infrastructure that government agencies will treat commercially sensitive information in the same manner as security sensitive information; and
- allow the Secretary to authorise disclosure of protected information to a Commonwealth, State and Territory Minister, agency head, or member of their staff, where the Minister or agency is responsible for emergency management, law enforcement or the regulation/oversight of the critical infrastructure sector to which the protected information relates.
4.26 An ‘authorised APS employee’ would be defined as ‘an APS employee in the Department in respect of whom an authorisation under section 44A is in force’. ‘Confidential commercial information’ would be defined as
- information relating to trade secrets;
- other information that has a commercial value that would be, or could reasonably be expected to be, destroyed or diminished if the information were communicated.
Schedule 4: New direction power to request variation of critical infrastructure risk management program
4.27 Part 2A of the SOCI Act requires responsible entities for critical infrastructure assets to have, and comply with, a critical infrastructure risk management program (CIRMP).
4.28 Schedule 4 to the ERP Bill would amend Part 2A to introduce a new power (proposed section 30AI) authorising a ‘relevant official’ to order the variation of a responsible entity’s CIRMP where one or more ‘serious deficiency’ is identified. This amendment purports to address a gap in the powers currently available to regulators to enforce critical infrastructure risk management obligations.
4.29 A ‘serious deficiency’ would be defined as a deficiency that poses a risk to national security, the defence of Australia, or the social or economic stability of Australia or its people.
4.30 A ‘relevant official’ would be defined as the Secretary of the Department of Home Affairs or, if there is one, the ‘relevant Commonwealth regulator’ that has functions relating to the security of the asset. ‘Relevant Commonwealth regulator’ is already a defined term in section 5 of the SOCI Act and must be specified in the rules made by the Minister under section 61 of the SOCI Act.
4.31 Under the proposed amendments, before giving a direction to the responsible entity, the relevant official must first provide a written notice stating that the relevant official is considering giving a direction, specifying the serious deficiencies identified, and inviting the responsible entity to provide a written submission to the relevant official within 14 days of receiving the notice. The relevant official must have regard to any written submission received in response to the notice and any action that is taken or proposed to be taken by the responsible entity in response to the notice.
4.32 Proposed subsection 30AI(4) specifies the mandatory requirements for the contents of a direction given under subsection 30AI(1). According to the Explanatory Memorandum, ‘to ensure that this power is exercised in a proportionate and carefully scoped manner’, any direction under this proposed section must:
- specify the serious deficiencies
- require the responsible entity to vary the entity’s critical infrastructure risk management program to address those deficiencies
- specify the period within which the responsible entity must vary that program, which must be a period of at least 14 days starting on the day on which the direction is given.
4.33 The responsible entity must comply with a direction made under subsection 30AI(1) and include the content of and response to the direction in its annual report submitted to the relevant Commonwealth regulator or Secretary under section 30AG of the SOCI Act.
4.34 The Secretary of the Department of Home Affairs must also include in their periodic report to the Minister the number of directions given to entities under proposed section 30AI during the financial year, along with the other mandatory reporting requirements already set out in section 60 of the SOCI Act.
4.35 According to the Explanatory Memorandum:
The ability for the regulator to issue such a direction will help ensure that CIRMP obligations achieve the intent of embedding preparation, prevention, and mitigation activities into the business-as-usual operations of critical infrastructure assets.
4.36 The Explanatory Memorandum adds that the proposed directions power should only be used as a last resort:
This new subsection enshrines in legislation the collaborative approach that regulators must use in considering whether to issue directions under section 30AI. That is, regulators should seek to work with responsible entities to address risk, and the directions power should only be used where consultation has not yielded the required outcome.
Schedule 5: Security regulation for critical telecommunications assets
4.37 Schedule 5 to the ERP Bill would introduce a new Part 2D into the SOCI Act, providing for ‘enhanced security regulation for critical telecommunications assets’.
4.38 The amendments transfer into the SOCI Act elements of the Telecommunications Sector Security Reforms (TSSR), currently contained in Part 14 of the Telecommunications Act, which would largely be repealed by the ERP Bill.
4.39 In its 2022 statutory review of Part 14 of the Telecommunications Act, the Committee noted the ‘significant crossovers’ between the TSSR regime and the SOCI Act, and various calls for ‘repeal of the TSSR or deactivation of duplicated obligations’. The Committee ultimately recommended that a working group be established and consulted to:
reach an agreed position regarding any duplicated security obligations that may be activated under an amended Security of Critical Infrastructure Act 2018 before they are activated. If agreed, and once activated, the duplicated obligations or other mechanisms in Part 14 of the Telecommunications Act 1997 should be repealed, or deactivated by relevant mechanisms, so as to avoid regulatory duplication on telecommunications entities.
4.40 According to the Explanatory Memorandum, Schedule 5 ‘uplifts, enhances and clarifies’ the TSSR’s current security and related obligations into the SOCI Act. This includes by expanding the TSSR’s current focus on espionage and sabotage to include ‘all hazards’ under the SOCI Act.
4.41 The ‘security obligation’ currently contained in section 313(1A) of the Telecommunications Act requires carriers and carriage service providers to ‘do their best’ to protect their telecommunications networks and facilities from unauthorised interference or unauthorised access. The ERP Bill would replace this obligation with new section 30EB of the SOCI Act, which would require the responsible entity for a critical telecommunications asset to protect the asset, ‘so far as it is reasonably practicable to do so’, for the purposes of
- security; and
- the protection of the asset from any hazard where there is a material risk that the occurrence of the hazard could have a relevant impact on the asset.
4.42 The specific critical telecommunications assets that are within the scope of the new obligation in section 30EB are proposed to be prescribed by rules. The proposed obligation includes a civil penalty of 1,500 penalty units for non-compliance.
4.43 Proposed section 30EC of the SOCI Act would require a responsible entity for a critical telecommunications asset prescribed by the rules to notify the Secretary of certain changes, or proposed changes, to its telecommunications services or systems (as set out in proposed section 30EE) that are ‘likely to have a material adverse effect’ on their capacity to meet their obligation to protect the asset. Proposed section 30ED would require the Secretary to assess the notified changes and advise the entity that either:
- there is a ‘risk to the asset that would be prejudicial to security’, and require action to eliminate or reduce that risk; or
- there is no such risk associated with the change.
These notification and assessment requirements are similar to existing requirements in sections 314A and 314B of the Telecommunications Act, which would be repealed.
4.44 Proposed section 30EF of the SOCI Act would largely replicate existing section 315A of the Telecommunications Act, which enables the Minister for Home Affairs to issue a direction requiring a carrier or carriage service provider ‘not to use or supply, or to cease using or supplying’ a particular service that the Minister considers to be ‘prejudicial to security’. An adverse security assessment by the Australian Security Intelligence Organisation (ASIO) is a precondition for such a direction to be issued. Proposed section 30EF incorporates a civil penalty of 2,000 penalty units for non-compliance. It also provides that an entity is not liable to an action or other proceeding for damages for actions taken in good faith in compliance with such a direction.
4.45 Other TSSR components that would be repealed from the existing Telecommunications Act—including other direction-making powers of the Minister for Home Affairs, the Secretary of the Department of Home Affairs’ information gathering powers, and requirements in relation to security capability plans—are not replicated in proposed Part 2D of the SOCI Act. However, the existing SOCI Act’s direction-making and information-gathering powers and requirements in relation to risk management programs are loosely equivalent to these provisions.
4.46 Schedule 5 proposes to require reporting of the number of notifications made to the Secretary under proposed section 30EC, and the number of directions issued by the Minister under proposed section 30EF, in the existing SOCI Act annual report.
4.47 Reflecting the removal of TSSR-related sections from Part 14 of the Telecommunications Act, Schedule 5 to the ERP Bill also incorporates consequential amendments to other parts of the Telecommunications Act, the TIA Act and the ASIO Act.
4.48 In relation to the ASIO Act, the ERP Bill would amend section 38A to remove the reference to sections 315A and 315B of the Telecommunications Act and insert proposed new section 30EF of the SOCI Act. Section 38A of the ASIO Act provides that where an adverse or qualified security assessment relates to a direction under the Telecommunications Act or the SOCI Act, the Minister must give to the assessed person a notice in writing, with a copy of the assessment attached, within 14 days of receiving the assessment. The Minister must exclude from the assessment any matter the disclosure of which would be prejudicial to the interests of security. This is distinct from other adverse or qualified security assessments made by ASIO, for which notice may additionally be withheld from a person if the Minister certifies that it is ‘essential to the security of the nation’.
Schedule 6: Notification of declaration of systems of national significance
4.49 Under existing Part 6A of the SOCI Act, the Minister for Home Affairs may privately declare a critical infrastructure asset to be a system of national significance (SoNS).
4.50 Paragraph 52B(3)(a) of the SOCI Act requires that, following the declaration of an asset as a SoNS, the Minister must notify each reporting entity for the asset within 30 days of making the declaration. A ‘reporting entity’ for an asset is currently defined as either:
- the responsible entity for the asset, or
- a direct interest holder in relation to the asset.
4.51 Currently, section 52D of the SOCI Act requires notification to the Secretary of a change to reporting entities for a SoNS. Subsection 52D(4) also requires the Secretary of the Department of Home Affairs to notify additional reporting entities of the declaration of a SoNS under subsection 52B(1).
4.52 Schedule 6 to the ERP Bill would amend sections 52B and 52D to remove the requirement for direct interest holders to notify the Secretary if they cease to be a reporting entity, or become aware of another reporting entity for the asset; and for the Minister to notify each direct interest holder of the declaration of a SoNS. Direct interest holders would still be required to report on changes through the Register of Critical Infrastructure Assets obligation in Part 2 of the SOCI Act, as is presently required.
4.53 Item 4 of Schedule 6 to the ERP Bill would remove the requirement for the Minister to notify direct interest holders of a declaration of an asset as a SoNS by replacing ‘reporting entity for the asset’ in paragraph 52B(3)(a) with ‘responsible entity for the asset’. The Minister would therefore no longer be required to notify each reporting entity for the asset but instead only be required to notify the responsible entity for the asset within 30 days of declaring the asset to be a SoNS.
4.54 Item 5 of Schedule 6 to the ERP Bill would repeal section 52D and replace it with a new section 52D that only requires the responsible entity to notify the Secretary if that entity ceases to be a responsible entity for the asset, within 30 days of that cessation. This would remove the existing requirement to advise the Secretary of changes to direct interest holders for assets declared as SoNS.
4.55 Proposed section 52D would continue to carry a civil penalty of 150 penalty units if the responsible entity fails to comply with the notification requirement. The effect of these amendments to section 52D of the SOCI Act would be to remove the requirement for the Secretary to be advised of all instances where direct interest holders change for an asset declared as a SoNS.