This chapter discusses the role of the Australian Designated Authority and other oversight bodies in relation to the provisions of the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (‘the Bill’).
The role of the Australian Designated Authority
Once a request for an international production order (IPO) has been received by an enforcement agency, a control order agency, or the Australian Security Intelligence Organisation (ASIO), it must be provided to the Australian Designated Authority (ADA). As the Attorney-General’s Department administers the provisions of the mutual legal assistance process – see Chapter 2 – the Secretary of the Attorney-General’s Department is suggested as the appropriate authority.
The Law Council of Australia said that the role of ADA would be more appropriately fulfilled by an independent statutory office holder:
The Law Council is concerned that locating the ADA within the Attorney-General’s Department is incompatible with the degree of independence, both substantive and perceived, that is necessary to perform its important functions.
As mentioned in the Law Council’s earlier comments about the adequacy of review arrangements concerning issuing decisions for IPOs, the Law Council is concerned that the Secretary’s dual responsibilities – as adviser to the Attorney-General in the issuing process for IPOs, and as the ostensibly independent ADA – may give rise to at least a perceived conflict of interest or lack of independence.
To avoid the potential for an actual or perceived conflict of interest and ensure public confidence in the independence of the ADA, the Law Council suggests that the role of the ADA would be better performed by an independent entity. Consideration should be given to creating the position of the ADA as an independent statutory office-holder appointed by the Attorney-General, or alternatively conferring the functions on the head of an existing agency that is demonstrably at arm’s length from the process for the issuing of IPOs.
The Department of Home Affairs said that establishing the ADA as an independent statutory office holder would ‘complicate existing approaches that work well in current international legal cooperation processes.’
Following receipt, the ADA will assess whether an IPO complies with the provisions of the relevant designated international agreement (DIA). Where it determines that an IPO complies with a DIA, the ADA is required to provide the IPO to the designated communications provider as soon as practicable.
Where the ADA determines that an IPO does not comply, it has broad authority to cancel the IPO and return the document to the relevant agency, along with any details it deems necessary about why it has determined that the IPO is incompatible with the conditions of the DIA. A cancellation may be made on the basis of the ADA’s own assessment, or following the lodgement of a complaint by a provider. The Attorney-General’s Department outlined the proposed process:
Key functions of the ADA, as set out in Part 5, will be to review IPOs for compliance with the relevant DIA and, if satisfied that the IPO is compliant, give the IPO to the DCP in the foreign country (subclause 111(1)(c)). The ADA will liaise with the agency that obtained the IPO to obtain further information if necessary to determine the IPO’s compliance with the DIA (subclauses 111(7) and 112(7)). If not satisfied that the IPO is compliant with the relevant DIA, the ADA must cancel the IPO and give the relevant agency such advice regarding compliance as may be required (clause 111(1)(d)). Under Part 7, the ADA also has a role in managing and considering objections from DCPs where the DCP has reason to believe that an IPO directed to it does not comply with the relevant DIA.
The ADA has a broad discretion to cancel an IPO, including before or after it has been provided to the DCP (clause 122). In practice, the ADA may decide to cancel an IPO for a range of reasons including, for example, because the ADA receives new information that indicates the IPO does not in fact comply with the DIA, or the ADA considers it in the public interest to do so following dispute resolution with the DCP or the government of a foreign country pursuant to Part 7 or the terms of the DIA.
The Law Council of Australia said that the powers granted to cancel an IPO under the Bill are not sufficiently prescriptive:
The power conferred on the ADA in Clause 122 of proposed Schedule 1 to the TIA Act to cancel an IPO after it has been given to a DCP is discretionary rather than mandatory. Subclause 122(1) simply provides that the ADA may cancel an IPO, without specifying the minimum matters to which it must have regard in exercising that discretion or the process it must follow to make a decision. Clause 122 does not impose a requirement on the ADA to cancel an IPO if it upholds a DCP’s objection made under Clause 121 and determines that the IPO does not comply with the underlying DIA. This appears to raise the legal possibility that the ADA may form a view that its previous assessment made under Subclause 111(1)(b) or 112(1)(b) that the IPO complied with the underlying DIA was incorrect, but may nonetheless decline to exercise its discretionary power to cancel the IPO after giving it to the DCP and considering the DCP’s objection.
In response the Department of Home Affairs said that the discretionary power provides flexibility in dealing with IPOs:
Clause 122 of the Bill stipulates the Australian Designated Authority may cancel an international production order. The construction gives adequate flexibility for agreed review and dispute resolution processes to operate by virtue of designated international agreements. For example, a designated international agreement may allow a designated communications provider to raise an objection to the requesting party’s authorities on particular grounds and set out a process for that to occur.
Administrative guidance will also set out the procedures and process that the Australian Designated Authority will go through when it receives an objection from a designated communications provider.
If an order is found to be incompatible with the agreement after an objection has been raised by a designated communications provider (in circumstances there was an original assessment that it was compliant), the Australian Designated Authority would be under an obligation under the designated international agreement to ensure that the order is not progressed.
The Law Council of Australia suggested that the Bill should be amended to require the ADA to cancel an IPO when it determines the conditions are not consistent with an IPO application. The Department of Home Affairs said that this would constrain the ability to remedy issues before seeking cancellation:
Adopting this recommendation would limit Australia’s flexibility – under the proposed model the ultimate outcome if there is non-compliance with the international agreement is the international production order would be cancelled. However, the construction adopted in the Bill provides an ability to remedy issues before this is to occur.
The ADA is intended to be the first point of contact for designated communications providers who object to provisions of an IPO. Several submitters identified concerns with the lack of judicial review for decision-making. In its submission to the inquiry, Google said that consideration should be given to appeals options in the Bill:
We respectfully suggest that the appeal options contained within the Bill could be strengthened. Deferring to existing appeal mechanisms is not satisfactory given the lack of appropriate merit based appeal processes in other relevant legislation such as the Telecommunications and Other Legislation (Assistance and Access) Act 2019. The reliance on existing law as the primary source for appeal procedures is especially problematic in light of the enforcement provision discussed above. In particular, overseas providers may be subject to other third-country laws, conflicts with which are not and cannot be lifted through the international agreement, yet no option would exist to raise such an impediment to compliance. This would create exactly the type of conflict of laws scenario that the CLOUD Act is designed to prevent.
However, the Department of Home Affairs said in its supplementary submission that Australian courts would retain jurisdiction for judicial review of a decision to issue an IPO through the original jurisdiction of the High Court of Australia and the Federal Court of Australia:
The Bill provides for independent authorisation of international production orders. In addition, Australian courts will retain jurisdiction for judicial review of a decision to issue an IPO, through the original jurisdiction of the High Court of Australia and in the Federal Court of Australia by operation of subsection 39B(1) of the Judiciary Act 1903. This ensures that an affected person or a provider has an avenue to challenge decision-making.
The Australian Designated Authority will perform the role of ensuring that international production orders comply with the terms of the designated international agreements. The Australian Designated Authority will be the key facilitator and single point of contact for Australian agencies and foreign providers with experience, expertise and a broad view across international crime cooperation matters. The Bill contains a specific mechanism for designated communications providers to raise objections with the Australian Designated Authority, and it is anticipated the international agreements themselves will also contain processes for objections and resolution of disputes between governments and between providers and governments. Decisions of the Australian Designated Authority will also be subject to judicial review.
Outside of the ADA’s ability to cancel an IPO, enforcement agencies, control order agencies and ASIO have the ability to revoke IPOs in a variety of circumstances, including revocation of an IPO where the grounds on which the order was issued have ceased to exist.
Similar to the approval powers discussed in Chapter 3, the revocation provisions allow for the Director-General of Security to delegate revocation powers to any ASIO employee.
As noted in Chapter 3, an issuing authority has the power to subject an IPO to conditions requiring information to be supplied directly to the enforcement agency, control order agency, or ASIO. The issuing authority can also require the information to be supplied through the ADA. Google suggested that designated communications providers should be required to provide all information to the ADA:
Designated communications providers are instructed under Schedule 1 Part 6 of the Bill to provide any requested communications and data to the requesting agency or the Australian Designated Authority, depending on the directions of the IPO. Respectfully, our experience is that a better approach would be that all communications to and from an Australian law enforcement agency be channelled through the Designated Authority and that this Authority acts as a coordinator across multiple agencies. Putting in place a coordinating body will guard against the risk of duplication and will act as a single point of contact for training, education and access to designated communications providers.
Compliance with IPO requests
In order to comply with an IPO request, a designated communications provider must provide information within the requested timeframe. Where the conditions of an IPO are not complied with, a civil penalty may apply.
Ms Lucie Krahulcova of the International Civil Liberties and Technology Coalition said that the civil penalties for non-compliance encroach on the sovereign jurisdiction of a foreign country:
This is I think less about penalty than an attempt to exert jurisdiction over data that is held in a different country. Although, how far can one country reach into the other where the provider is located to demand the data? To date, that has been only through government-to-government requests under the mutual legal assistance treaty process. The CLOUD Act structure is designed to create a more streamlined process, recognising that in the MLAT process the rights protected are cumbersome, so it's a question of how far one country can reach into the others. I think it's a jurisdictional question separate from how you can condition the rights of companies that try to do business within your borders.
In order for the compliance framework to take effect, there has to be a material link to Australia. The Bill provides that a designated communications provider must supply a service to one or more Australians; must own or operate a telecommunications network that is used to supply a carriage service; or must provide an electronic content service on which one or more Australians have posted material.
In addition, for the compliance framework to apply, a two-part test must be satisfied. The Explanatory Memorandum sets out the requirements of the test:
This provision sets out a two-part test for the compliance framework to apply. Firstly, the ‘minimum contacts’ test that requires there be a minimum of one or more Australians using the service, who are ordinarily resident in Australia. The second part sets out when a designated communications provider does not meet the threshold, on an exception basis. The second part is a ‘reasonableness’ test that goes to whether the designated communications provider could not reasonably be considered to have offered or provided the service to Australians at the time the order was given. The intention is to permit legal process to be served on a wide array of providers, but to exclude from the compliance framework local services that restrict their services to particular local identifiers for access, or passive services that have no intention that Australians use their services.
Where the designated communications provider meets the elements of the threshold, the Bill provides for a civil penalty provision that allows the Communications Access Co-ordinator, as an independent officer within the Department of Home Affairs, to apply for an order – that is enforceable by Part 4 of the Regulatory Powers (Standard Provision) Act 2014 – to the Federal Court or the Federal Circuit Court.
Evidentiary certificates to demonstrate compliance with IPO requests
The Bill provides for enforcement agencies, control order agencies, ASIO, the ADA, and designated communications providers to make evidentiary certificates to detail their compliance with the requirements of an IPO.
A designated communications provider may set out an evidentiary certificate in lieu of an affidavit detailing acts or things done by a provider to comply with an IPO:
Part 12 of the Bill includes provisions for the issuing of evidentiary certificates that set out facts in respect of acts or things done by DCPs in compliance with IPOs. For example, subclauses 161(1) and (2) provide that where an IPO is directed to a DCP such DCPs may issue certificates setting out relevant facts ‘with respect to acts or things done to comply with the [IPO]’. Subclause 161(3) goes on to provide that in proceedings in Australia, such certificates are to be received in evidence without further proof and will be deemed conclusive evidence of the matters stated within.
An evidentiary certificate negates the requirement for a designated communications provider to travel to Australia to provide evidence, and also replicates domestic provisions:
Current practices within the TIA Act for domestic interception, access to stored communications and telecommunications data allow for evidentiary certificates. The use of evidentiary certificates for IPOs is of significant utility as requiring the appearance of employees of foreign designated communications providers to court proceedings held in Australia will be complex and, at times, impractical. This also recognises the novel fact that whilst it will be easier to obtain information by virtue of the new order framework, Australian prosecutorial and law enforcement bodies will not be able to compel foreign provider employees to attend court to give evidence.
The Law Council of Australia questioned the appropriateness of conclusive evidentiary certificates for this purpose:
The Law Council acknowledges that existing provisions of the TIA Act, such as subsection 18(2), make provision for telecommunications carriers to issue conclusive evidentiary certificates in relation to acts or things done to give effect to a domestic interception or stored communications warrant. However, the Law Council considers that this provision is not suitable for reproduction in the IPO regime, which covers a considerably broader range of electronic communications technologies than telecommunications (including technologies that may not yet exist). This means that there is likely to be extensive variation in the specific acts or things that DCPs may undertake to give effect to an IPO, and therefore greater scope for a party to legal proceedings to seek to challenge the evidence of a DCP about the specific acts or things they did to give effect to the IPO, including on the basis that they exceeded what was necessary to give effect to that IPO (for example, by contravening any applicable conditions or limitations). There is also an open question as to whether subsection 18(2) itself remains appropriate in contemporary circumstances.
The Attorney-General’s Department said that the content of conclusive evidentiary certificates should be limited to matters not generally in contestation:
The content of conclusive evidentiary certificates should be limited to procedural, formal, technical and non-controversial matters, so that the certificates:
cover matters sufficiently removed from the main facts in issue
would not prevent the admissibility of the content of communications produced under IPOs from being challenged
would not prevent the legality of the issuance of IPOs from being challenged.
Clause 161 is consistent with the approach in subsection 18(2) of the TIA Act, which was upheld by the New South Wales Court of Criminal Appeal in R v Cheikho. Subsection 18(2) allows certificates to conclusively set out such facts relevant to ‘acts or things done by, or in relation to, employees of the carrier in order to enable a warrant to be executed’. As the matters in clause 161 are non-controversial and well removed from the ultimate facts in a case, it is acceptable for clause 161 certificates to be received as conclusive evidence.
The Department of Home Affairs said that the inclusion of conclusive evidentiary certificates does not prevent the judge from exercising discretion in deciding whether to adduce the evidence:
Subclause 161(3) of the Bill is consistent with the approach taken for provider evidentiary certificates in the TIA Act. These provisions specify that certificates are conclusive evidence of the matters stated in the certificate where they cover technical matters that are sufficiently removed from the main facts at issue. This will ensure that Australian courts have complete information before them to assist in the administration of justice.
This provision recognises the difficulties associated with having staff from communications providers attend court to give witness testimony on technical or formal matters undertaken by the provider to comply with an order. These difficulties are expected to be greater under the international production order framework as designated communications providers will be based overseas and would need to travel internationally to attend court in Australia. In addition, it is expected that large global communications providers may receive a high number of international production orders.
This provision does not prevent a defendant from challenging the admissibility of illegally or improperly obtained evidence during proceedings. The presiding judge retains discretion over whether to admit evidence.
Information related to other matters contained in the Bill may be provided in a prima facie evidentiary certificate:
By contrast, evidentiary certificates issued under clauses 162 to 166 will be considered prima facie evidence of their respective matters. These certificates relate to: voluntary provision of associated information (subclause 30(2)(j)), interception (subclause 163(4)(b)), stored communications (subclause 164(4)(b)), telecommunications data (subclause 165(4)(b)), and the ADA (subclause 166(5)(b)).
Prima facie evidentiary certificates may be challenged by contradictory evidence against the facts, which is in line with the ordinary rules of evidence. The Law Council of Australia said that all evidentiary certificates should be prima facie:
In the absence of a compelling justification for the use of conclusive evidentiary certificates, the Law Council recommends that all evidentiary certificates under Part 12 of proposed Schedule 1 to the TIA Act should be of a prima facie nature.
Oversight by the Commonwealth Ombudsman and the Inspector-General of Intelligence and Security
The Commonwealth Ombudsman will have oversight responsibility of the actions of the ADA, law enforcement agencies and control order agencies with access to the IPO regime. In line with its traditional oversight role, the Inspector-General of Intelligence and Security (IGIS) will retain oversight responsibility of ASIO in relation to the IPO regime.
The functions and powers of the Commonwealth Ombudsman in overseeing the regime are set out in Part 10 of the Bill. The Commonwealth Ombudsman notes that the provisions of the Bill fit with its existing oversight role, and outlines the impact of the Bill on inspection requirements:
The Bill would provide my Office with responsibility for inspecting and reporting on law enforcement and integrity bodies' use of international production orders (IPOs) to intercept telecommunications provided by organisations overseas, or gain access to stored communications and telecommunications data held by these organisations. While my Office currently inspects those bodies' use of the above powers within Australia, the Bill would create three new, parallel regimes which would impose an additional set of requirements to access data and content held overseas.
The Commonwealth Ombudsman said that overseeing compliance with the IPO regime would be resource intensive, despite efforts to ameliorate this:
My Office would be able to leverage its existing knowledge and expertise from inspecting use of domestic access regimes to develop and implement approaches for inspecting the use of IPOs. Further, we would look to minimise costs by scheduling multiple inspections with a single agency wherever possible.
However, the Bill proposes requirements that my Office inspect and report about the use of IPOs separate from the inspection reporting requirements for the domestic regime. For this reason, my staff would likely need to inspect both a full sample of IPOs and a full sample of domestic authorisations for each type of access and for each agency.
Under the Bill, six Commonwealth agencies and 15 State and Territory agencies could gain access to data and information held overseas under each of the three IPO regimes. The Office would also have the function of inspecting the records of the Australian Designated Authority. This could result in up to 65 additional inspections each year.
The Commonwealth Ombudsman said that the primary means of inspection is through the examination of records:
The primary means through which the Ombudsman will carry out oversight of the IPO scheme is through the inspection of records. To support the Ombudsman’s inspection role, the Bill provides the Ombudsman with a range of powers, including powers to:
enter the premises of a relevant agency or the ADA at any reasonable time
obtain full and free access to all records of the relevant agency or the ADA which are relevant to the inspection, and the ability to make copies of relevant documents
require staff members of a relevant agency or the ADA to provide the Ombudsman with any information in their possession (or which the member has access to) that the Ombudsman considers necessary and relevant for the inspection
require staff of a relevant agency and the ADA to provide the Ombudsman any assistance the Ombudsman requires to perform the inspection function
require specific staff members of a relevant agency and the ADA to provide information and answer questions relevant to an inspection, with the failure to provide such information or answer such questions subject to a penalty of up to six months’ imprisonment.
The Commonwealth Ombudsman had raised resourcing requirements with Government:
While I am broadly comfortable with the oversight role the Bill provides my Office, if the Bill is passed without appropriate funding, my Office will not be able to undertake the activities necessary to assure the Parliament these new powers are being used appropriately. I note that my Office is engaged in conversations with the Government, with funding proposed to be determined in an upcoming budget process.
The Bill provides a positive notification requirement for relevant agency heads to notify the Commonwealth Ombudsman of matters relating to the issue and revocation of IPOs. The Australian National University Law Reform and Social Justice Research Hub suggested that the timeframe for reporting the issue of an IPO should be one month:
We are also concerned about the timeframe provided to agencies to notify the Ombudsman and provide a copy of the IPO order. Given the general concern regarding the timeliness of the orders (indeed the delay in the present international information access scheme is the primary justification for the Bill), a similar degree of haste in reporting the orders to ensure compliance should be expected.
Law enforcement and integrity agencies are comfortable with the positive notification and broader oversight requirements:
ACLEI is also comforted by the clear guidance and safeguards the Bill provides in terms of accessing and handling this information. The requirements on Agency heads to notify the Ombudsman of the issue of an order, and to produce a copy of that order, enable clear oversight of the use of the proposed provisions.
Every three months, ASIO is required to provide a report to the Attorney-General regarding its use of interception orders under the IPO regime. The IGIS said that this reporting requirement should be extended to IPOs issued for access to stored communications and telecommunications data, and should require reporting on additional matters:
The Bill provides that the Director-General must give a written report to the Attorney-General in respect of each IPO issued for intercepted communications within three months of its expiry, revocation or cancellation. However, IGIS notes that the Bill currently provides that a report to the Attorney-General is not required for IPOs for access to stored communications or IPOs for telecommunications data. The Explanatory Memorandum does not give any reasons for this difference. To close this lacuna and to ensure consistency and accountability, IGIS suggests that written reports, within three months of expiry, should be provided to the Attorney-General for all IPOs, or at least those IPOs where the Attorney-General’s consent is required prior to issue.
Further, while clause 129(a) requires ASIO to provide a report to outline how the information collected under an IPO for interception has assisted the Organisation in carrying out its functions, IGIS suggests that these reports should be required by statute to include more comprehensive reporting requirements, such as an explanation of what information or data was obtained (including any information or data relating to persons other than the subject of the IPO), how ASIO has used the information or data (including whether such information or data was shared with other agencies) and whether the data is still being retained (and, if so, why).
Additionally, ASIO is required to provide notice to the IGIS on matters relating to revocation of IPOs; however, the Bill is silent on notifying the IGIS when an order is sought. The IGIS suggested that a recommendation to this effect should be incorporated:
As a result [of implementing notice recommendations of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018], that Act requires ASIO to notify IGIS within seven days of issuing an industry assistance request or notice, regardless of the urgency of the assistance sought.
There are no equivalent notification requirements in the IPO Bill for ASIO to notify the IGIS, and the Committee may wish to consider an amendment to the Bill to provide for a statutory notification obligation. Noting that the frequency of ASIO’s use of IPOs may be difficult to quantify for some time, it may be sufficient for there to be a statutory obligation to notify IGIS within three months, with the option of other notification periods being agreed to by the Inspector-General and the Director-General. This could allow for bulk or batch-style reporting on a periodic basis, if necessitated by the quantity of orders issued.
The IGIS is granted broad oversight of ASIO by virtue of its enabling legislation and by the provisions of the Bill:
IGIS will have oversight of ASIO’s use of the IPO framework. This oversight will be supported by existing provisions in the Inspector-General of Intelligence and Security Act 1986 (IGIS Act), which confers broad oversight powers on the IGIS in relation to ASIO activities. In addition, the Bill includes a number of mechanisms designed to ensure that IGIS has access to relevant information to facilitate effective ASIO oversight, including notably:
The Bill imposes obligations on ASIO to share certain information with IGIS and keep records of ASIO’s use of the IPO framework (clauses 83(11), 92(10), 135 and 136).
The Bill also provides an exemption to the information protection requirements in Part 11 to allow protected information to be disclosed to an IGIS official for the purposes of the performance of a duty, power or function under the IGIS Act (clause 153). In addition to allowing ASIO employees to disclose IPO-related information to IGIS, this exemption also supports IGIS’ visibility of ASIO’s IPOs as they progress through the assessment phase undertaken by AGD (as the ADA) by permitting AGD employees to share relevant information with IGIS.
However, the IGIS raised concerns about the wording of the legislation in its potential to constrain its oversight ability. The IGIS notes that the secrecy provisions as worded could limit the extent of cooperation between the Attorney-General’s Department as ADA and the IGIS:
As noted by the Attorney-General’s Department in its submission, the exception will permit both ASIO and Attorney-General’s Department employees to share relevant information with IGIS, including for the purpose of IGIS’s inspections, inquiries or in response to complaints about ASIO’s activities under the IPO framework.
However, IGIS notes two limitations in the scope of this exception as drafted:
The exception at clause 153(1)(p) only extends to an IGIS official’s functions, duties and powers under the IGIS Act. IGIS officials also have functions and duties under other pieces of legislation, including the ASIO Act, the Freedom of Information Act 1982 and the Public Interest Disclosure Act 2013. Unnecessarily limiting the exception to functions and duties under the IGIS Act could limit our ability to respond appropriately to matters arising under each of those Acts in connection with ASIO’s activities under the IPO regime. This limitation would be resolved if the exception was amended to enable disclosure for the purpose of ‘an IGIS official exercising a power, or performing a function or duty, as an IGIS official’.
The exception at clause 153(1)(p) only extends to information being used, recorded or disclosed (for example, by the Attorney-General’s Department) in support of IGIS’s functions. Given that IGIS and the Attorney-General’s Department will have oversight roles for different parts of the process for ASIO IPOs, IGIS may need to work closely with the Department to ensure that the respective roles are effective. This may, at times, require IGIS to share information with the Department in support of its functions. Under the secrecy offence at section 34 of the IGIS Act, however, it is an offence for an IGIS official to divulge to any person information acquired under the IGIS Act by reason of the person being an IGIS official, except in the performance of his or her functions or duties or in the exercise of his or her powers under the IGIS Act (or other named Acts). A broadly drafted amendment to the IGIS Act, providing explicit authority for IGIS officials to share information with the Attorney-General’s Department for the purpose of its role as Australian Designated Authority, would achieve the necessary level of certainty for IGIS and the Attorney-General’s Department to cooperate in this manner.
The IGIS suggested that the construction of the relevant clauses of the Bill may unintentionally constrain the sharing of information by the ADA in relation to its functions under the Australian Security Intelligence Organisation Act 1979, the Freedom of Information Act 1982, and the Public Interest Disclosure Act 2013. In addition, the provisions of the secrecy offences in the Inspector-General of Intelligence and Security Act 1986 may prevent the ADA from sharing information with the IGIS.
While the Bill allows the Commonwealth Ombudsman to access the mandatory register of IPOs maintained by the ADA, the IGIS is not provided with access to the register. The IGIS noted that it does not have oversight of the ADA; however, it indicated that access to the register would assist with oversight of ASIO’s compliance with the requirements of the regime.
The Law Council of Australia suggested that the ability of the IGIS to give protected information to the Commonwealth Ombudsman and the ADA should be expanded to enable more efficient oversight:
The Bill should amend the IGIS Act to enable IGIS officials to give protected IPO information to the Ombudsman and ADA, in relation to the oversight of ASIO’s national security IPOs. The purposes of the permitted disclosures should be to:
respond to a request for assistance from the Ombudsman in relation to the Ombudsman’s oversight of the ADA’s administration of ASIO’s national security IPOs; and
discuss with the ADA matters relating to ASIO’s national security IPOs that are relevant to the functions of both IGIS and the ADA, including the compliance of those IPOs with the underlying DIAs.
Reporting and record-keeping requirements
The Department of Home Affairs said that there are several components of the Bill that are designed to allow for reporting to occur:
Comprehensive oversight and reporting is a key objective of the IPO framework. This has been developed to reflect Australian community expectations of appropriate oversight around the interception of communications, and access to stored communications and telecommunications data under the TIA Act. Core aspects of the oversight and reporting under the IPO framework include:
Comprehensive oversight regime by the Commonwealth Ombudsman of law enforcement agencies’ use of the IPO framework, and the Australian Attorney-General’s Department insofar as it relates to its duties as the Australian Designated Authority (see below).
The Minister, upon receipt of annual inspection reports conducted by the Commonwealth Ombudsman, must cause a copy to be tabled in Parliament.
Comprehensive oversight regime by the Inspector-General of Intelligence and Security of ASIO’s use of the IPO framework (under its existing powers).
Reporting on ASIO’s use of the IPO framework as part of ASIO annual reporting requirements under the Australian Security Intelligence Organisation Act 1979.
Reporting on inspections provided as part of the regular Inspector-General of Intelligence and Security reporting.
Furthermore, agencies will only be able to keep sensitive personal communications where there is a legitimate reason to do so; otherwise, agencies will be required to immediately destroy all records obtained using an IPO.
The ADA and law enforcement agencies are required to provide information regarding the use of the IPO regime to their Minister each year which will be tabled in Parliament. However, information relating to ASIO’s operation will be contained in its classified annual report, and information relating to control orders will be excluded from reporting requirements if it could identify a person subject to a control order.
The Explanatory Memorandum outlines the reasons that control order information may be excluded from reporting requirements:
Clause 132 broadly aligns with reporting requirements that are applied to control order information in Australia’s current regime. It is intended to recognise that control orders have been sought and made only rarely, with the effect that it is uncommon for there to be more than a limited number of control orders in force at any given time. If the Minister were required to contemporaneously report publicly on control orders, and only a limited number of persons are subject to control orders at that time, annual reporting may effectively reveal that a particular person who is subject to a control order is or is not also subject to covert surveillance.
The Law Council of Australia said that, historically, ASIO has been excluded from reporting requirements for similar reasons, and considered that a similar test could apply to ASIO’s reporting requirements:
… the Law Council notes that the Bill proposes to apply a more nuanced test to the exclusion of ‘control order information’ from law enforcement agencies’ unclassified annual reports on control order IPOs. The definition of ‘control order information’ means that the Minister is specifically required to consider whether aggregated statistical information would enable a reasonable person to conclude that an IPO is likely to be in force, or not in force, in relation to a particular person, or a particular electronic communication service by a particular person. It is unclear why a similar test could not be applied to ASIO’s national security IPOs (and, by extension, reporting requirements for its domestic warrants and authorisations).
The IGIS invited the PJCIS to consider requiring ASIO to report publicly on its use of the IPO regime, noting that the Bill’s current approach contrasts with international approaches and with the reporting requirements of domestic law enforcement agencies:
The Bill amends the ASIO Act to require that ASIO include a range of statistics on its use of the IPO regime in its annual report. Although unclassified portions of ASIO’s annual report are required to be tabled in the Parliament, the Minister, on the Director-General of Security’s advice, may make such deletions as he or she considers necessary in order to avoid prejudice to security, the defence of the Commonwealth, the conduct of the Commonwealth’s international affairs, or the privacy of individuals. Statistics on ASIO’s use of warrants and other powers are generally excluded from the public version of the report.
This approach contrasts with provisions for law enforcement agencies, for which the Bill includes a specific provision requiring statistics on each agency’s use of the IPO regime to be included in a public annual report that is tabled in the Parliament and a scheme for reconsideration of a decision that it is necessary to exclude some information. If it was considered necessary to allow the exclusion of certain information from ASIO’s public reporting, the proposed scheme for reconsideration of such decisions for law enforcement could be extended to ASIO’s reporting requirements.
The absence of public statistical reporting for ASIO contrasts with international approaches; for example, in the United Kingdom, where a wide range of statistics on the use of investigatory powers, including by intelligence agencies, is reported in the annual report of the Investigatory Powers Commissioner’s Office.
In response to this suggestion, the Department of Home Affairs said that such an amendment would conflict with the requirements of the current domestic regime and could provide insight on the use of the framework to persons of interest in ASIO investigations:
The inclusion of statistics in an unclassified annual report would highlight specifically how much ASIO utilises the international production order framework. This may permit inferences to be drawn as to how ASIO utilises the proposed international production order framework, and may assist persons of interest to change their behaviour due to public reporting on the use of investigatory powers.
As outlined in Chapter 2, the agreement between the United States and the United Kingdom contains a requirement that the issuing country shall provide a report of the requests it has made each year to the receiving country.
In addition, the Bill requires the Commonwealth Ombudsman to provide a report to the Minister at the end of each financial year detailing inspection outcomes:
The Ombudsman is required to provide a written report to the Minister for Home Affairs as soon as practicable after the end of each financial year about the inspection of records of relevant agencies and the ADA. The report must then be tabled by the Minister in each House of Parliament. The Ombudsman also has the ability to provide a report to the Minister at any time about the outcomes of an inspection, and must do so if requested by the Minister. The Ombudsman may also include any information in the report regarding contraventions of the IPO scheme by a relevant agency or the ADA (clause 150).
The IGIS is also required to report publicly each year on the outcome of its inspections:
Under the IGIS Act, the IGIS is required to report on its inquiries and has the discretion to do so in relation to inspections (see Part II, Division 4 of the IGIS Act). These arrangements will apply to IGIS’ oversight of ASIO’s use of the IPO framework. AGD considers that these oversight arrangements are appropriate and will keep them under review after the framework is implemented.
Notice to the subject of an IPO
Several submitters to the inquiry raised the issue of providing notice to a subject that their data has been accessed, even where such notice is delayed to prevent destruction of evidence or prejudice to an investigation. The International Civil Liberties and Technology Coalition said that the Bill does not provide certainty for designated communications providers to notify an individual that their data is being accessed:
In general, users have a universal right to notice. The International Production Orders Bill does not provide any requirement, or even mechanism, for government officials to notify data subjects of requests. We would note that unlike the U.K.’s Investigatory Powers Act, the International Production Orders Bill does not explicitly prohibit providers from providing notice to their customers.
The Synod of Victoria and Tasmania, Uniting Church in Australia said that notifying the subject of an investigation that their data is being accessed carries a risk of destruction of evidence:
The Synod is concerned by the views of the International Civil Liberties and Technology Coalition that suspected offenders of severe crimes should be tipped off they are under investigation. The Coalition provides no consideration of the dangers this poses to victims, witnesses or the likelihood that an offender will be able to destroy evidence as a result. Often offenders will use multiple platforms and communication devices. Law enforcement agents may seek an IPO on over one platform. Even if data on this platform were to be protected from destruction, after being tipped off, the offender might be able to destroy evidence on other platforms. The Coalition makes only a passing reference in their submission to delaying tipping off a suspected offender "where necessary to protect an on-going investigation." However, they do not refer to any concerns for victims or witnesses.
The Sheriff’s office in Brevard County in Florida reported they had to force entry into a house to stop an alleged child sex offender from continuing to run CDs through a shredder after they were tipped off by an ICT technology corporation that they were under investigation.
As an example, there is a very real danger that paedophiles will seek to intimidate victims and destroy evidence if tipped off that an IPO has been issued. Paedophiles often operate in large online networks that assist each other. Thus, the Committee should strongly avoid recommending any measures that would allow a suspected paedophile they are under investigation. Any process that would tip off a suspected paedophile may enable them to alert others in their network and possibly seek assistance from others in the network to cover up their activities.
Ms Lucie Krahulcova, International Civil Liberties and Technology Coalition said that notice should occur to allow the subject of an order to advocate for their interests:
In practice we have to look at what happens here and the sort of interests that are at play— whether it's a law enforcement agency or an intelligence agency almost directly submitting an IPO, for instance for telecommunications data. The discretion doesn't have to be exercised. They can go direct. There's no intervention on behalf of the individual. There should be an interactive notification for individuals. But I think you have to look at the weighing mechanism, when a warrant like that is presented, of who is representing the individual. Often this ends up being companies just because they have the legal team and they are bound by consumer legislation in different jurisdictions to respect individuals' rights. As I flagged, my concern is that this sort of mechanism that the individual has over the company has been removed. I think that's a huge area of concern. I was part of the EU negotiations on very similar mechanisms for several years when I worked in Brussels. From my perspective, companies being in a position to reject requests is not a perfect system, but it is often the last frontier for individuals' rights, because there isn't a human rights body or an independent reviewer who is part of that mechanism. Again, I recognise that there are public interest monitors who would be engaged in several states as a part of that process. However, that sort of neutral or independent reviewer should be part of every evaluation that happens, because there is such a power discrepancy between an agency going directly or an agency with the Attorney-General's signing-off going directly to the company, where the company is not liable to the user. It presents a really tragic power paradigm.
Record-keeping requirements and retention of data
The Bill requires an agency to destroy records of intercepted and stored communications data when they are no longer required for a legitimate purpose, with an exception for telecommunications data mirroring domestic legislation.
The Law Council of Australia said that information obtained through interception or access to stored communications must be deleted where it is determined that its retention is no longer required:
Clause 140 of proposed Schedule 1 to the TIA Act imposes obligations on agency heads to cause the deletion of information in their agencies’ possession that is obtained under an outgoing IPO which authorises access to electronic communications content (via interception or access to stored communications). The obligation applies if the relevant agency head becomes satisfied that retention is not likely to be required for the performance by their agency of a permitted purpose in Part 11, clauses 153 and 158 of which provide wide coverage of their functions. This includes, for ASIO, the performance of any of its statutory functions. The Explanatory Memorandum suggests that Clause 140 ‘will ensure that records of sensitive, personal communications are not kept by agencies where no longer needed’.
The Law Council of Australia and the IGIS raised concerns that the Bill does not adequately provide for a requirement to review materials obtained through the IPO regime to ensure that their retention is consistent with a legitimate purpose.
The Law Council of Australia recommended that a statutory requirement for review be incorporated into the Bill:
The Law Council is concerned that Clause 140 does not provide the strong guarantee described in the Explanatory Memorandum. In particular, the provision falls short of imposing a positive obligation on agency heads to periodically review their holdings of that content and assess whether it remains relevant. The absence of a positive obligation, combined with the breadth of permitted purposes in Part 11, creates a risk that agencies will potentially hold, for prolonged periods of time, large volumes of highly sensitive personal data (namely, the content of communications) that is no longer relevant to their functions.
The Law Council recommends that Clause 140 of proposed Schedule 1 to the TIA Act is amended to require agencies to undertake periodic reviews of the information they have obtained under the IPO regime, to assess whether it is likely to remain relevant to a permitted purpose under Part 11, and therefore whether the obligation to destroy irrelevant information is enlivened.
The Law Council said that the evidence does not support the exclusion of telecommunications data from the requirement for review:
… the Law Council considers that the justification given for excluding telecommunications data from the deletion obligations in proposed Clause 140 requires further analysis. In the absence of compelling evidence to substantiate a claim that it would be impractical to impose a prospective requirement on law enforcement agencies and ASIO in relation to the review and deletion of irrelevant telecommunications data obtained under an IPO, the Law Council considers that Clause 140 should be amended to cover that data.
In relation to the requirement to retain records, the IGIS suggested that amending the requirements to retain records would assist the IGIS in its oversight function:
The record retention requirements for ASIO’s domestic telecommunications warrants are regulated by a 2016 determination of the National Archives under the Archives Act 1983. The determination specifies that records related to warrants for security intelligence collection may be destroyed from ten to 150 years after last action or must be retained indefinitely (depending on the class of record). IGIS notes that ASIO’s recordkeeping in respect of its current warrant framework is of a high standard, and anticipates that similar standards would be maintained in respect of the IPO regime.
Nonetheless, IGIS considers that oversight is greatly assisted by clear legislative requirements for the retention of information. The Bill’s requirement that ASIO retain certain records for three years could be enhanced by adding an additional requirement to provide that certain records must be kept for three years, or for as long as any of the data obtained under an IPO is retained, whichever is the longer. This would ensure that there is a clear accountability record for data received under an IPO that is subsequently retained.
However, IGIS also notes that not all documents that must be prepared under the Bill are required by clauses 135 and 136 to be kept. For example, the documentation provided to the Attorney-General seeking consent to an application for an IPO, and a record of whether the Attorney-General consented to that application or refused consent, is not required to be retained.
IGIS considers that legislating a specific list of records that are required to be kept carries a risk that not all records associated with the administration of the IPO regime would be captured. The Committee may therefore consider it preferable that the Bill contain a general record retention obligation that requires ASIO to keep all relevant records for IGIS inspection. IGIS notes that the inspection regime undertaken by IGIS for ‘legality and propriety’ looks to a much wider range of information than the specific regime prescribed for inspections by the Ombudsman.
Review of the overall IPO regime
The Bill does not presently provide a statutory review mechanism for the Independent National Security Legislation Monitor (INSLM) or the Parliamentary Joint Committee on Intelligence and Security (PJCIS).
The Law Council recommended that the INSLM’s enabling legislation be reviewed to incorporate a statutory review provision:
The Bill does not propose to amend the Independent National Security Legislation Monitor Act 2010 (Cth) to confer oversight functions on the INSLM with respect to the IPO scheme, either as part of the INSLM’s annual reporting functions, or a one-off statutory review, as is the case for other recent amendments including the TOLA Act.
The Law Council considers that this omission is anomalous with the established legislative practice in relation to significant pieces of security legislation, in which the INSLM Act is amended to provide that a function of the INSLM is to conduct a review of the amendments after they have been operational for a specified period of time.
The omission of an ongoing annual reporting function may also lead to an anomalous outcome that the INSLM’s existing jurisdiction could cover parts of the IPO legislation, in relation to its use by the Australian Federal Police to investigate the security offences in Chapter 5 of the Criminal Code. However, it would not appear to cover ASIO’s use of national security IPOs in respect of security matters that are comprised of the same or similar facts as police investigations of security offences.
Given the ability for the IPO scheme to be used in connection with major counter-terrorism and national security investigations, the Law Council considers that there would be benefit in having the INSLM consider the ongoing necessity, proportionality, appropriate use and adequacy of safeguards in relation to the IPO regime as a whole.
The Law Council of Australia said that the PJCIS’s existing oversight functions may not provide for scrutiny of the regime in its entirety:
Specifically, it would appear that the PJCIS’s existing functions in section 29 of the Intelligence Services Act would cover: ASIO’s use of national security IPOs; the AFP’s use of law enforcement IPOs in relation to the investigation of terrorism offences in Part 5.3 of the Criminal Code and the AFP’s use of control order IPOs. However, the PJCIS would not appear to have jurisdiction in relation to the AFP’s use of law enforcement IPOs to investigate other security offences in other parts of Chapter 5 of the Criminal Code, such as foreign incursions, incitement of violence, espionage and foreign interference, and harming Australians.
The Law Council recommends that the Bill should be amended to ensure consistency of the PJCIS’s scrutiny functions, by amending section 29 of the Intelligence Services Act to confer the following additional functions on the PJCIS in relation to the IPO scheme:
A function with respect to the use by the AFP of the scheme in relation to all matters within Chapter 5 of the Criminal Code, thereby covering the use of IPOs for the investigation of all offences against the security of the Commonwealth;
A function with respect to reviewing relevant parts of ASIO’s classified annual reports providing information on its use of the IPO scheme (equivalent to its existing functions to review those parts of ASIO’s reports which provide statistical information on certain of its retained data activities under the TIA Act); and
A statutory review of the operation of the IPO scheme after a period of operation (for example, in the range of 12 to 18 months).
The Law Council also considers it would be desirable for the Committee to have the power to require briefings from the ADA on request, via an amendment to section 30 of the Intelligence Services Act.
The Department of Home Affairs said that any statutory review undertaken by the INSLM or the PJCIS should occur ‘a significant period after the operationalisation of the first designated international agreement.’
In relation to the oversight responsibilities of the PJCIS, the Department of Home Affairs said that the IPO regime would be subject to extensive oversight arrangements:
Agencies’ use of the international production order framework and the Australian Designated Authority will be subject to comprehensive operational oversight by the Commonwealth Ombudsman and IGIS.
The Department notes that the Committee has existing functions under section 29 of the Intelligence Services Act 2001 to review the administration and expenditure of ASIO and matters relating to ASIO that have been referred to the Committee, and to monitor and review legislation referred to it.
Currently the Australian Designated Authority is not required to provide briefings on request to the PJCIS. Pursuant to section 30 of the Intelligence Services Act 2001, it would be open for the PJCIS to request briefings from the Commissioner of the AFP or Director-General of Security on the AFP and ASIO’s use of the international production order framework to support their functions in relation to the Australian Intelligence community.
The Committee notes the role of the ADA is designed to reflect the current authorisation processes associated with the mutual legal assistance regime, and agrees that the Attorney-General’s Department has the relevant subject matter knowledge to manage the process.
The Committee notes the concerns of submitters in relation to potential for civil penalties to apply to instances of non-compliance with the conditions of an international production order. The Committee expects that the Department of Home Affairs will exercise this power judiciously and as a tool of last resort.
In addition, the Committee notes the views of submitters in relation to the use of evidentiary certificates. Noting that adducing the evidence of compliance with an international production order can be challenged by the defendant in the event of prosecution, and noting that the elements of a conclusive evidentiary certificate should be confined to non-controversial matters, the Committee is not persuaded by the Law Council of Australia that there is no place for a conclusive evidentiary certificate in the international production orders process.
The Committee notes with concern the evidence provided by the Commonwealth Ombudsman regarding resource matters. As articulated in Chapter 1, the Committee considers that robust oversight arrangements are essential when considering intrusive powers, and that resourcing limitations can have a significant impact on this important assurance role. The Committee therefore recommends that the Government should ensure the Commonwealth Ombudsman has sufficient resources to oversee the powers provided by the Bill.
The Committee recommends that the Australian Government ensure that the Commonwealth Ombudsman has sufficient resources to enable effective oversight of the proposed powers granted by the Telecommunications Legislation Amendment (International Production Orders) Bill 2020.
Though the Inspector-General of Intelligence and Security has not identified resourcing concerns as a result of its oversight of the international production orders regime, the Committee considers that the Australian Government should continue to ensure that the resourcing levels of the Office of the Inspector-General of Intelligence and Security are appropriate.
The Committee recommends that the Australian Government continue to ensure that the Inspector-General of Intelligence and Security is given appropriate resources to enable effective oversight of the proposed powers granted by the Telecommunications Legislation Amendment (International Production Orders) Bill 2020.
The Committee considers that the Commonwealth Ombudsman and the Inspector-General of Intelligence and Security should have unambiguous access to the information required to oversee access to the regime.
The Committee therefore supports the recommendations proposed by the IGIS and the Law Council of Australia to allow full and unimpeded cooperation between the ADA, the Commonwealth Ombudsman and the IGIS.
The Committee recommends that the proposed Schedule 1, Division 4 be amended to include an express provision for the Inspector-General of Intelligence and Security, or an official of the Inspector-General of Intelligence and Security, to access the register of international production orders in connection with its oversight responsibilities.
The Committee recommends that proposed Schedule 1, Clause 153 be amended to allow international production order information to be used, recorded or disclosed for the purposes of an official of the Inspector-General of Intelligence and Security exercising their duty as an official.
The Committee recommends that the Inspector-General of Intelligence and Security Act 1986 be amended to allow for officials of the Inspector-General of Intelligence and Security to share information relating to the international production orders regime with members of the Office of the Commonwealth Ombudsman and members of the Attorney-General’s Department where sharing such information is connected to the roles and duties of the member of the organisation.
The Committee was not convinced that aggregated public reporting from ASIO, with the ability to withhold information should it have the potential to identify a party involved in an international production order, would prejudice an ASIO investigation.
The Committee therefore considers it would be appropriate to recommend that ASIO provide public statistics on the use of the regime where the data would not inadvertently identify the subject of an investigation.
The Committee recommends that:
the Australian Security Intelligence Organisation Act 1979 be amended to provide that a report made under proposed subsection 94(2BBA) should form part of the Australian Security Intelligence Organisation’s unclassified annual report; and
the proposed subsection provide that the recommended statistics would not be provided where the Director-General of Security considers that providing such statistics would prejudice Australia’s national security, or prejudice a national security investigation.
The Committee notes the conditions of the agreement between the United Kingdom and the United States requiring data to be provided regarding incoming IPOs. The Committee expects that such information will be captured in the designated international agreement and does not propose any additional recommendations in relation to the material.
The Committee notes the views of submitters in relation to notice provisions. The Committee considers there are significant risks in allowing notice to be given to the subject of an investigation, especially noting the propensity of parties to work in groups.
However, the Committee acknowledges the evidence from the International Civil Liberties and Technology Coalition that designated communications providers are not always best placed to contest an international production order application from the position of an individual. The Committee considers that the Independent National Security Legislation Monitor’s recommendation – as discussed in Chapter 2 and Chapter 3 – regarding the establishment of an investigatory powers division within the Administrative Appeals Tribunal could be an appropriate mechanism to address these concerns.
The Committee notes the evidence provided by the IGIS relating to document retention. As stated above, the Committee supports the IGIS’s ability to have access to relevant records it needs to complete its oversight role.
Therefore the Committee supports amendments to require ASIO to retain production orders information for the length of time the order is in place, and to require ASIO to retain extrinsic material to a request that would assist the IGIS in overseeing ASIO’s compliance with the regime.
The Committee recommends that proposed Schedule 1, Clauses 135 and 136 be amended to require the Australian Security Intelligence Organisation to:
retain a copy of a particular document for three years, or for as long as any of the data obtained under an international production order is retained, whichever is the longer; and
retain all relevant materials supporting an application for an international production order for this period.
As discussed in Chapter 2, the Bill is designed to operate as a framework to allow designated international agreements to prescribe relevant details in line with the laws of like-minded countries that Australia is seeking an agreement with. As a consequence, the Committee considers that it is necessary to provide for a statutory review to evaluate the effectiveness of the regime once a designated international agreement is in place.
The Committee acknowledges the advice of the Department of Home Affairs, and considers that such a statutory review would need to commence after a designated international agreement had time to operate, and therefore recommends that a statutory review be commenced on the earlier of 3 years after the date of the first designated international agreement coming into effect or 5 years following the commencement of the provisions of the Bill.
The Committee recommends that the Bill be amended to require the Parliamentary Joint Committee on Intelligence and Security to commence a review on the effectiveness and continuing need for an international production orders regime on the earlier of the date that is:
three years after the date on which the first designated international agreement comes into force; or
five years after the commencement of the proposed Schedule 1 of the Telecommunications (Interception and Access) Act 1979.
The Committee acknowledges that the Bill will provide significant assistance to agencies to investigate and prosecute serious crimes, monitor compliance with control orders, and maintain Australia’s national security. The Committee supports the passage of the Bill following implementation of these recommendations.
The Committee recommends that, following implementation of the recommendations in this report, the Bill be passed by Parliament.
Senator James Paterson