3.1
This Chapter discusses the proposed powers provided in the Telecommunications Legislation Amendment (International Production Orders) Bill (‘the Bill’) for designated agencies to seek an international production order for interception of data, stored communications and telecommunications data.
Definitional terms
3.2
While the Bill provides key terms that broadly reflect domestic provisions, there are some variances in the definitions contained in the proposed Schedule 1 to the Telecommunications (Interception and Access) Act 1979 (TIA Act).
3.3
Though the TIA Act contains a definition of communications providers, the Bill suggests a more expansive definition. The Department of Home Affairs said that this is because the communications landscape has evolved significantly:
As noted above, the communications landscape and the types of communications service providers have evolved significantly in recent decades. Accordingly, and in recognition of the kinds of international services likely to hold electronic data relevant to Australian criminal matters (such as over-the-top application services like Facebook, Instagram, Skype and Discord), the IPO framework reflects communications technologies in a broad sense. This differs from the current domestic warrant and authorisation regimes for interception, stored communications and telecommunications data access, which are more limited in definition or scope.
3.4
As set out by the Department of Home Affairs, this change would allow an international production order to be directed to the following types of communications services providers:
Carriers and carriage service providers (e.g. internet service providers and telephone carriers)
Message, voice and video call application service providers (e.g. Facebook Messenger, Skype, WhatsApp)
Storage backup providers (e.g. cloud storage providers)
General electronic content providers (e.g. chat forums, social media platforms and other website providers).
3.5
The definitions of intercept and telecommunications data broadly replicate those contained in Chapter 2 and Chapter 4 of the current TIA Act, however, while the TIA Act defines stored communication as:
…a communication that:
is not passing over a telecommunications system; and
is held on equipment that is operated by, and is in the possession of, a carrier; and
cannot be accessed on that equipment, by a person who is not a party to the communication, without the assistance of an employee of the carrier.
the definition of stored communications has been broadened to include ‘material that is uploaded for storage/back-up or posted’.
3.6
Mr Thomas McBride said that the expansion of the definition of stored communications to include uploaded material captures information that would not be available under domestic provisions, and notes that the process of uploading information is often automatic and completed without the users’ express consent.
3.7
The Explanatory Memorandum says that this expanded definition is designed to provide a clear distinction between the definition of interception and the definition for access to stored communications.
3.8
The current TIA Act contains a definition of serious offence in section 5D to include offences that incur a maximum term of 7 years or life in most cases.
3.9
Section 5E of the TIA Act includes an offence punishable by a maximum term of imprisonment of at least 3 years, offences carrying certain pecuniary penalties, or a serious offence as defined above.
3.10
These definitions are largely replicated in the Bill to provide a serious category 1 offence and a serious category 2 offence.
Seeking an International Production Order
3.11
The Bill proposes three different types of international production orders that can be sought for three purposes. The types of production orders include interception of data, access to stored communications, and access to telecommunications data. Such an order may be sought for the following purposes:
the investigation of an offence of a serious nature; or
the monitoring of a person subject to a control order, so as to protect the public from terrorist acts, prevent support for terrorist acts and hostile acts overseas and detect breaches of the control order; or
the carrying out by the Australian Security Intelligence Organisation (ASIO) of its functions.
3.12
The process for seeking an international production order varies depending on the type of production order and the purpose for which it is sought. The differences in each of these processes is set out below.
Enforcement of the criminal law
3.13
The Bill proposes to allow law enforcement agencies to seek an international production order to assist in the investigation or prosecution of serious crimes.
Interception of data
3.14
The ability to request interception of data is covered under current domestic provisions but is not a power available under the mutual legal assistance process.
3.15
An ‘interception agency’ may make an application to an eligible judge or nominated AAT member. As set out by the Bill, an interception agency includes the:
Australian Federal Police
Australian Commission for Law Enforcement Integrity
Australian Criminal Intelligence Commission
Law Enforcement Conduct Commission
State-based Integrity and Corruption bodies.
3.16
Other than in urgent circumstances, an application must be in writing and conform to the form and requirements set out by the Bill. A written application must contain an affidavit to set out the facts and grounds on which the application is based. An application may also take the form of a telephone application in urgent circumstances. A definition of urgent circumstances is not provided in the Bill, and the Inspector-General of Intelligence and Security said:
The Bill does not set out what may constitute an urgent circumstance, and the Explanatory Memorandum does not provide guidance on this matter. The Committee may wish to consider whether the types of circumstances that would amount to ‘urgent circumstances’ should be set out in legislation—perhaps adopting the approach taken in the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, where a specific harm threshold was inserted for urgent requests or notices. That Act provides that technical assistance requests and technical assistance notices must not be issued orally unless:
a.
an imminent risk of serious harm to a person or substantial damage to property exists; and
b.
the request or notice is necessary for the purpose of dealing with that risk; and
c.
it is not practicable in the circumstances to give the request or notice in writing.
A similar statutory definition of ‘urgent circumstances’ could have several benefits: it would clearly articulate the Parliament’s expectations about when ‘urgent circumstances’ are considered to arise, provide legislative guidance to nominated members of the Security Division of the AAT when considering IPO applications, and promote consistent decision-making within ASIO when applying for IPOs.
3.17
In response, the Department of Home Affairs said that a statutory definition may limit the operational effectiveness of the telephone application provisions:
… the Department notes that as currently drafted it relies on its ordinary meaning and is intended to cover circumstances which because of their urgency, mean that it is not possible to make an application in writing in the normal way following normal processes.
While this power is unlikely to be used often, it is important that the legislation does not seek to anticipate every potential scenario where it may be needed because of ‘urgent circumstances’. To do so may limit the operational utility of the regime.
3.18
NSW Police outlined the internal processes associated with the domestic regime, for interception and stored communications requests, prior to being presented to the issuing authority:
Requests for assistance drafted by applicants are reviewed and scrutinised by a specialist ‘Assessment Committee’ at the Telecommunications Interception Branch. This committee is comprised of specialist officers led by a Superintendent of Police, who to date, has been a qualified lawyer. The committee assesses the application for compliance with the Act, ensuring reasonable grounds for suspicion that a requisite ‘serious offence’ for interception or ‘serious contravention’ for stored communications, has been committed or is likely to be committed and the person for whose service the matter applies can be adequately connected to use of that service.
If the application is approved, the proposed deponent drafts an affidavit, which is quality reviewed by a Detective Inspector of Police. The reviewing officer completes a ‘checklist’ and acknowledges they have reviewed relevant aspects of the application for accuracy and compliance with legislative and organisational requirements.
The affidavit is then forwarded to the NSWPF Covert Applications Unit, a specialist unit comprised of Legal Consultants and Solicitors, who review the affidavit for legal compliance, assess its appropriateness to be submitted to an issuing authority, and work with the applicant to ensure all legal considerations are adequately addressed. In circumstances were the Covert Applications Unit determines an individual’s privacy is unjustifiably breached, or alternate, less intrusive means have not been exhausted, the investigator is informed and requested to address any of these concerns.
Once an affidavit has been settled by a legal consultant at the Covert Applications Unit, it is reviewed by a supervisor or senior legal officer at the Covert Applications Unit. The senior legal officer again ensures compliance with each clause within the legislation and must sign off on the application for it to proceed to the issuing authority.
3.19
Noting the intrusive nature of the interception powers, the Bill allows Public Interest Monitors in Queensland and Victoria to make submissions and question certain persons in the process of making submissions, in accordance with the statutory requirements of those jurisdictions. The authorising authority in the state where the application is made must give weight to these submissions in deciding whether to grant the order.
3.20
Other matters that the eligible Judge or nominated AAT member must have regard to includes:
interference with the privacy of an individual;
the gravity of the conduct constituting a serious category 2 offence.
the ability of the information sought to assist in a law enforcement investigation; and
the extent to which other methods of investigation have been exhausted, and the likely assistance or prejudice such methods would cause.
3.21
Where the eligible Judge or nominated AAT member is satisfied, on the basis of the information given, they may issue the IPO on the basis that the application requirements have been complied with, that there are reasonable grounds to suspect that the application relates to an appropriate designated communications provider, and that the information being sought would be likely to assist in connection with the investigation of a serious category 2 offence for the enforcement of criminal law.
3.22
An order may require a carriage provider to intercept communications or an individual message/call application service to intercept messages sent or received, voice calls made or received, use of the service within a specified period and to make relevant material as disclosures as required under the Bill. An order may not be made for a period in excess of 90 days.
3.23
The Bill allows for interception of a communications service of a person who is not a person involved in an investigation of a relevant offence, referred to as a B-Party. When considering a B-Party application, the eligible issuing authority must give consideration to matters of privacy, the availability and use of other means to achieve objectives, and the impact of the use of other means on the objectives of the investigation.
3.24
Finally, the Bill sets out the contents of an IPO, and provides that an eligible Judge or AAT member may make further IPOs in respect of a service to a provider, but only where the period specified in the new order commences after the end of the period in the original order.
Stored communications
3.25
Law enforcement agencies have the ability to access stored communications under existing domestic provisions and under the mutual legal assistance process discussed in Chapter 2.
3.26
The Bill allows a criminal law enforcement agency to make an application for an IPO to an eligible magistrate, judge or member of the AAT (‘issuing authority’). In the case of a written application, it must include an affidavit that sets out the facts and other grounds on which the application is based. Where a criminal law enforcement agency considers that the circumstances are urgent enough to warrant a telephone application, the circumstances contributing to the urgency must be provided to the issuing authority.
3.27
An issuing authority must have regard to the:
interference with the privacy of an individual;
the gravity of the conduct constituting a serious category 1 offence;
the ability of the information sought to assist in a law enforcement investigation;
the extent to which other methods of investigation have been exhausted, and the likely assistance or prejudice such methods would cause; and
any other relevant matters.
3.28
Where the issuing authority is satisfied on reasonable grounds that conditions related to the stored communications are met, they may issue an IPO requiring a designated communications provider to copy and disclose relevant communications to the criminal law enforcement agency. An order may require that the stored communications are made available to a law enforcement agency in a specified way.
Telecommunications data
3.29
Similar to stored communications data, law enforcement agencies have the ability to access telecommunications data under existing domestic provisions and under the mutual legal assistance process.
3.30
In contrast to existing domestic provisions, which allow internal staff members to approve an application to access telecommunications data, an application to access telecommunications data through an IPO must be made to an eligible magistrate, judge or member of the AAT. An application may be written or by telephone in urgent circumstances. In the case of a telephone application, the issuing authority must be satisfied that the matter was urgent.
3.31
The issuing authority must have regard to the following matters:
interference with the privacy of an individual;
the gravity of the conduct constituting a serious category 1 offence.
the ability of the information sought to assist in a law enforcement investigation;
the extent to which other methods of investigation have been exhausted, and the likely assistance or prejudice such methods would cause; and
any other relevant matters.
3.32
Where the issuing authority is satisfied of these matters an IPO may be issued for a period commencing not before the time the order is provided to a designated communications provider, and for no longer than a period of 90 days. The issuing authority may also direct that the information is disclosed to the enforcement agency through the Australian Designated Authority.
Monitoring of a person subject to a control order
3.33
In March 2018, the Committee tabled its report on the control order regime in Australia. A control order may impose obligations, prohibitions and restrictions on the subject of a control order, on the balance of probabilities that such an order is reasonably necessary. For a person over the age of 18, an order may remain in place for a period of 12 months, but for a person between the ages of 14 and 18 a control order may remain in place for no more than 3 months.
3.34
Under the current provisions of the TIA Act, a warrant may be sought to obtain evidence of compliance or non-compliance with a control order. The Bill seeks to allow relevant authorities to apply for information to support the monitoring of control orders to designated communications providers where that information is held overseas.
3.35
In relation to control orders, the Law Council of Australia said that it is opposed to the inclusion of monitoring a person who is subject to a control order as a circumstance where it would be appropriate to seek an IPO:
Part 3 of proposed Schedule 1 to the TIA Act will enable law enforcement agencies to obtain an IPO for the purpose of monitoring a person who is subject to a control order issued under Division 105 of the Criminal Code Act 1995 (Cth). This implements an equivalent international power to the domestic control order monitoring warrants presently available under the TIA Act.
The Law Council maintains its longstanding view that the control order scheme is neither necessary nor appropriate and, as such, should be repealed. Accordingly, the Law Council’s preference is that control order monitoring warrants are not retained in the domestic regime, or enacted in the IPO regime. Rather, the Law Council considers that IPOs should be limited to the investigation of serious offences, and potentially to security intelligence collection but only if adequate information is provided to justify the extension of the scheme to this activity.
3.36
The Department of Home Affairs indicated that the increasing use of online communications platforms means that data that would assist law enforcement to monitor compliance with an order is increasingly located outside of Australia and ‘outside of Australian agencies’ reach’ and the Department said the ability to seek evidence will bolster Australia’s ability to respond to terrorism threats.
In 2020, the AFP applied for and was granted control orders against convicted terrorist offenders upon release from prison after completing their head sentence. These orders have controls that limit their ability to use social media and communication based platforms. The use of social media platforms by a person on a Control Order constitutes a criminal offence that is punishable by a term of imprisonment. Timely access to evidence of these breaches through an IPO would be critical to the AFP’s ability to respond rapidly, prosecute and enforce the breaches of control orders and ultimately assist in preventing an unacceptable escalation of risk to the Australian community. As such, IPOs for the purpose of monitoring and enforcing Control Orders would be an appropriate and proportionate law enforcement capability in the current threat environment.
It is well understood that terrorist threats can evolve rapidly, and the time between attack planning and execution can be very short. While the AFP can conduct monitoring warrants under section 3ZZOA of the Crimes Act 1914 (Cth) and obtain Telecommunication Intercept and Surveillance Device warrants in relation to control order subjects, these have limitations.
For example, if a control order subject was using an associate’s device to access a social media account to contact prohibited associates.
The ability to obtain an IPO in such circumstances would allow the AFP to access critical information stored offshore that may otherwise be unobtainable, at least in time to prevent possible imminent threat.
3.37
The Committee commenced its latest statutory review of control order powers provided to the Australian Federal Police (AFP) under Division 104 of the Criminal Code Act 1995 on 18 June 2020, and therefore while this report does not make comment on the effectiveness or appropriateness of these provisions, the Committee will have the opportunity to provide commentary as part of that inquiry in due course.
3.38
The Bill allows a control order IPO agency to make an application for an IPO in support of monitoring compliance with a control order. The definition is drawn from the current provisions of the Telecommunications (Interception and Access) Act 1979, which provides that a control order warrant agency includes a Commonwealth agency or an eligible authority of a State that a declaration in force under the TIA Act authorises to apply for a control order warrant.
Interception of data
3.39
A ‘control order IPO agency’ may make an application to an eligible judge or nominated AAT member either in writing – accompanied by a written affidavit – or by telephone in urgent circumstances. A control order IPO agency includes:
Australian Federal Police;
Australian Commission for Law Enforcement Integrity;
Australian Criminal Intelligence Commission; and
Designated state authority declared under section 34 of the Telecommunications (Interception and Access) Act 1979.
3.40
As above, the Bill allows Public Interest Monitors in Queensland and Victoria to make submissions and question certain persons in the process of making submissions. The authorising authority in those states where the application is made must give weight to these submissions in deciding whether to grant the order.
3.41
In addition, an eligible judge or nominated AAT member must have consideration of the following matters:
interference with the privacy of an individual;
the ability of the information sought to assist in the protection of the public from a terrorist acts, the ability to prevent support for terrorist activities, or the ability to determine the success of the operation of the control order;
the extent to which other methods that do not involve interception have been exhausted, and the likely assistance or prejudice such methods would cause; and
whether the interception of activities would constitute the least interference with a person’s privacy;
the likelihood that a person has engaged in activities that would contravene a control order; and
any other relevant matters.
3.42
The inclusion of additional considerations for eligible judges and AAT members in issuing an IPO for monitoring compliance with a control order acknowledges that an IPO can be issued for a purpose that does not involve the investigation or prosecution of a serious offence:
For IPOs relating to control orders, the decision maker must consider whether intercepting communications would be the method that is likely to have the least interference with any person’s privacy. This additional requirement was inserted into the Bill (and forms part of the current domestic control order warrant regime) on the basis that additional protection is considered appropriate noting the IPO can be issued for purposes in connection with the monitoring of a person subject to a control order rather than in connection with an investigation into a specific serious offence.
3.43
When the eligible judge or AAT member is satisfied on reasonable grounds of the conditions pertaining to the issue of an international production order, an order may be issued for no longer than 45 days if the order is sought in relation to a party that is not subject to a control order, or for 90 days when the application relates to the subject of a control order.
3.44
When considering a B-Party application, the eligible judge or AAT member is restricted from issuing an order unless they are satisfied that the control order IPO agency has exhausted all other practicable methods of identifying the carriage service and that the interception of communications would not otherwise be possible.
Stored communications
3.45
A control order IPO agency may make an application for access to stored communications to an eligible magistrate, judge or member of the AAT (‘issuing authority’). An application may be written – accompanied by an affidavit – or by telephone where a control order IPO agency considers that the circumstances are urgent enough to warrant a telephone application.
3.46
An issuing authority must have regard to the:
interference with the privacy of an individual;
the ability of the information sought to assist in the protection of the public from a terrorist acts, the ability to prevent support for terrorist activities, or the ability to determine the success of the operation of the control order;
the extent to which other methods that do not involve interception have been used by or are available to the control order IPO agency, and the likely assistance or prejudice such methods would cause; and
any other relevant matters.
3.47
Where the issuing authority is satisfied on reasonable grounds that conditions related to the stored communications are met, they may issue an IPO requiring a designated communications provider to copy and disclose relevant communications to the control order IPO agency. An order may require that the stored communications are made available to a control order IPO agency in a specified way.
Telecommunications data
3.48
A control order IPO agency may make an application to access telecommunications data to an eligible magistrate, judge or member of the AAT. An application may be written – accompanied by an affidavit – or by telephone in urgent circumstances. In the case of a telephone application, the issuing authority must be satisfied that the matter was urgent.
3.49
An issuing authority must consider the following matters prior to deciding whether to issue an IPO for telecommunications data:
interference with the privacy of an individual;
the ability of the information sought to assist in connection with the protection of the public from a terrorist acts, the ability to prevent support for terrorist activities, or the ability to determine the success of the operation of the control order;
the extent to which other methods that do not involve interception have been used by or are available to the control order IPO agency, and the likely assistance or prejudice such methods would cause; and
any other relevant matters.
3.50
Where the issuing authority is satisfied of these matters an IPO may be issued for a period commencing not before the time the order is provided to a designated communications provider, and for no longer than a period of 90 days. The issuing authority may also direct that the information is disclosed to the enforcement agency through the Australian Designated Authority.
The Administrative Appeals Tribunal as an issuing authority
3.51
The Bill allows the Attorney-General to, by writing, nominate the Deputy President, senior member, or member of the Administrative Appeals Tribunal (AAT) to issue international production orders where the conditions of the relevant clause are met.
3.52
The application of such powers to members of the AAT is currently provided for under the domestic provisions of the Telecommunications (Interception and Access) Act 1979.
3.53
When performing these functions, a judge, magistrate or member of the AAT is acting in their personal capacity (persona designata). The Attorney-General’s Department describes persona designata functions:
A judge, magistrate or AAT member exercises a function in their personal capacity as a way to ensure accountability in the course of a sensitive investigation or law enforcement procedure. Requiring an executive action to be approved by a decision-maker who is independent of government and outside of the investigation process can provide an important safeguard and promote public confidence that law enforcement agencies are operating with appropriate oversight.
…
Persona designata functions may only be conferred on a judge where the function is not incompatible with their role as a judicial officer. The independence of judicial officers from executive government is guaranteed by Chapter III of the Australian Constitution. The conferral of powers on federal judicial officers in their personal capacity must reflect the independence of these officers, and meet the ‘incompatibility principle’. This principle ensures that the functions do not undermine the judiciary’s institutional integrity and its independence from the executive and legislative arms of government.
3.54
Further, the Attorney-General’s Department said that the consent component to the appointment of judges, magistrates and eligible AAT members enshrines the principle of persona designata, and allows for independent operation of powers:
The Bill provides that judges of federal courts (excluding the High Court) may consent to being nominated as an eligible judge or issuing authority by the Attorney-General. The Attorney-General may then, by written declaration, confer on the judge a power to issue an IPO.
Importantly, the consent process ensures that the functions conferred under Schedule 1 of the Bill are powers conferred on judges in their personal capacity, and not powers to be exercised by the court to which they are appointed. This arrangement, in which consent may be withdrawn at any time, also ensures that judges are not compelled to exercise the power to issue an IPO. This process is similarly replicated for magistrates.
Similarly, as a matter of practice, AAT members provide written consents prior to being authorised to perform persona designata functions, and will do so for functions under the Bill. These are important features of a properly conferred persona designata power, enshrining the authoriser’s independence and autonomy to decide whether or not to exercise powers vested.
3.55
The Law Council said that while acting persona designata, a judicial officer must act consistently with the essential requirements of the judicial process:
… Even while acting persona designata, a judicial officer must act consistently with the essential requirements of the judicial process. This includes the independence and impartiality of their decision making, their application of the rules of natural justice, and their ascertainment of the law and facts followed by an application of the law to the facts as determined.
3.56
The Attorney-General’s Department said that even though the AAT does not have its independence enshrined by the Australian Constitution, it has sufficient independence to appropriately authorise IPO applications:
While an AAT member is not independent of government in the same way as a judge (although some members of the AAT are also judges), the AAT is similarly seen to require a high degree of independence from government in its decision-making. AAT members are afforded similar protections to judges. For example, termination of the appointment of an AAT member is only possible if determined by the Governor-General following prayer for the termination by both Houses of Parliament on specific grounds and, in exercising persona designata functions, AAT members have the same protection and immunity as a Justice of the High Court of Australia. As such, similar principles which apply to judges also guide provisions relating to AAT members.
3.57
As outlined in Chapter 2, the Independent National Security Legislation Monitor (INSLM) has proposed that an investigatory powers division be established within the AAT with certain controls to provide an additional degree of certainty in the independence of the authorisation process. The INSLM suggests that such a division not exercise their powers as persona designata.
3.58
The INSLM suggested that an investigatory powers division should be equipped with technical and legal advisors that the division can draw upon in considering IPO applications.
3.59
In order to make an executive agreement with a foreign party, the US CLOUD Act requires oversight by a court, judge, magistrate or other independent authority as a pre-condition to an agreement. Some submitters suggested that the AAT may not be sufficiently independent and suggested that the judiciary should be given responsibility for authorising IPOs.
3.60
The Committee notes that the Australian Government has received advice from US House Judiciary Committee indicating concerns with authorisation processes. The Department of Home Affairs responded that these concerns have been taken into account when developing the IPO framework:
The proposed differences between the pre-existing persons who can authorise warrants and authorisations, and the IPO framework, acknowledges the requirement to adopt a model that best accommodates different legal systems working alongside each other. This generally requires the identification and utilisation of similar decision-makers in approving investigatory powers (such as judicial authorities). Relevantly, the US CLOUD Act requires authorisation of orders by persons characterised as a ‘… court, judge, magistrate, or other independent authority’. The IPO framework facilitates this requirement.
Committee comment
3.61
The Committee notes that the evolving nature of telecommunications services requires definitional updates that will enable the efforts of enforcement agencies to investigate and prosecute serious crimes and prevent terrorist acts. The Committee notes the concerns of submitters in relation to definitional amendments, but considers that these concerns can be appropriately managed through the application process.
3.62
The Committee considers that, overall, the provisions related to the application process for IPOs related to the enforcement of the criminal law and monitoring control orders give appropriate weight to the privacy of individuals and the necessary intrusion on privacy in certain circumstances to protect Australians from serious crime and terrorism.
3.63
However, the Committee considers that, in order to provide certainty to law enforcement dealing with IPO requests in urgent circumstances, the Bill should provide a definition of urgent circumstances that accords with the definition contained within the Telecommunications (Interception and Access) Act 1979.
3.64
The Committee recommends that proposed Clause 2 of Schedule 1 to the Telecommunications (Interception and Access) Act 1979 be amended to include a definition of ‘urgent circumstances’ which provides that in circumstances where:
there is an imminent risk of serious harm to a person or substantial damage to property exists or, in the case of a national security IPO application, there is an imminent risk of loss of significant intelligence; and
the production order is necessary for the purpose of dealing with that risk; and
it is not practicable in the circumstances to submit an application in writing;
such circumstances would constitute ‘urgent circumstances’ for the purposes of making an oral or telephone application.
3.65
The Committee considers that such a definition could apply to a broad range of scenarios that would necessitate the use of a telephone application.
3.66
The amount of information of assistance to an investigation that can be obtained through telecommunications data is not insignificant, and the Committee supports the mechanisms in place to ensure that applications for telecommunications data are appropriate and proportionate.
3.67
As discussed in Chapter 2, the Committee notes the INSLM recommended the establishment of an investigatory powers division with the Administrative Appeals Tribunal which would operate as an independent body and have access to technical and legal expertise in considering IPO applications. The Committee refers the Australian Government to the recommendation as a concept to consider as consideration on the IPO framework progresses.
3.68
The Committee notes the evidence from the Attorney-General’s Department that the persona designata function ascribed to members of the AAT provides broad protection to make judgments independently. The Committee supports the qualification requirements set out in clause 16 of the Bill.
3.69
The Committee also notes the range of bodies authorised by the provisions of the Bill to make applications for international production orders. As set out in its Review of the Mandatory Data Retention Regime, the Committee considers that those accessing information under the relevant provisions of the Bill should meet certain standards in order to access telecommunications data. The Committee therefore recommends that the Bill be amended to incorporate an appropriate standard for access.
3.70
The Committee recommends that proposed Clauses 22(3), 33(3)(a), 52(3)(a) and 63(3)(a) of Schedule 1 to the Telecommunications (Interception and Access) Act 1979 be amended in a manner that is consistent with Recommendation 11 of the of the Committee’s Review of the Mandatory Data Retention Regime. That is, these provisions should be amended so that:
only officers or officials who are designated as authorised officers by the head of an enforcement agency may apply for IPOs;
only officers or officials who hold a supervisory role in the functional command chain should normally be capable of being designated as ‘authorised officers’ (although other individuals who hold specific appointments – rather than entire classes of officers or officials – may also be capable of being designated as ‘authorised officers’)
in order to authorise an individual to be an authorised officer, the head of an enforcement agency must be satisfied that it is necessary for an individual to be an ‘authorised officer’ in order for the individual to carry out his or her normal duties;
prior to the head of an enforcement agency authorising an individual to be an ‘authorised officer’:
the relevant senior officer or official must complete a compulsory training program in relation to proposed new Schedule 1 to the Telecommunications (Interception and Access) Act 1979; and
the head of the enforcement agency must be satisfied that the senior officer or official has the requisite experience, knowledge and skills to exercise the powers under proposed Schedule 1 to the Telecommunications (Interception and Access) Act 1979.
For the purposes of upholding Australia’s national security
3.71
The Bill provides new powers for the ASIO – referred to as the Organisation in the Bill – to obtain assistance from designated communications providers for the purposes of upholding Australia’s national security, in addition to the powers of cooperation provided under section 19 of the Australian Security Intelligence Organisation Act 1979.
3.72
Mr Peter Vickery, Deputy Director-General, Enterprise Service Delivery, ASIO said that the Bill will provide the Organisation with the tools it needs to address the ongoing threat of terrorism in Australia:
ASIO welcomes this bill as an important piece of legislation that will assist ASIO in conducting its critical work in protecting Australia from threats to our security. Threats to Australia and Australians from both terrorism and espionage are at unacceptable levels. The terrorist threat remains at 'probable'—that is, we have credible intelligence that individuals and groups have the capability and intent to conduct terrorism onshore. Right now, terrorists are plotting to harm Australians. ASIO have said on a number of occasions that the level of threat we face from espionage and interference activities is unprecedented. Right now, there are more foreign intelligence officers and their proxies operating in Australia than at the height of the Cold War—many with the capability, the intent and the determination to cause significant harm to Australia's national security.
ASIO support the international production orders bill, as it will assist us to protect Australia from violent, clandestine and deceptive efforts to harm Australians and undermine our sovereignty. ASIO activities in confronting these threats are conducted in an environment where almost all electronic communications of investigative value are encrypted.
Authorised, warranted investigations into terrorist or espionage threats to Australia are increasingly hindered through encryption. ASIO have been engaged with the Department of Home Affairs in the formation of the bill as part of the ongoing collaborative work around a potential agreement with the United States to share information under the auspices of the CLOUD Act. The successful negotiation of an agreement between our two countries under the CLOUD Act will enable more timely access to security-relevant data and content held by US communications providers that is critical to ASIO's investigations but currently inaccessible. This would provide the least intrusive method to access such information, which is currently difficult to access via traditional methods of interception due to encryption.
3.73
The Department of Home Affairs said that access to the IPO scheme provides a legislative pathway to ensure information can be provided to assist in the detection, prevention and investigation of serious crimes, including terrorism:
ASIO’s inclusion in the IPO regime provides a clear legislative pathway to ensure that ASIO is able to benefit from future international agreements for obtaining data directly from foreign communications providers. Many of the national security investigations undertaken by ASIO relate to the detection, prevention and investigation of serious crimes, including terrorism.
The Bill is not intended to replace existing foreign cooperation mechanisms but to complement current processes to ensure our agencies have every avenue available to them to protect public safety and combat serious crime. Existing mechanisms do not enable ASIO to compel production of data from foreign providers.
Interception of data and stored communications
3.74
To make an application for interception of data and stored communications, the Director-General of Security may designate ASIO employees or classes of employees to make an application on ASIO’s behalf.
3.75
The Inspector-General of Intelligence and Security said that this clause does not correspond with current provisions of the Telecommunications (Interception and Access) Act 1979 that require the Director-General of Security to authorise warrants:
The Bill proposes to provide the Director-General of Security, a Deputy Director-General of Security or an ASIO employee (in relation to whom a specific authorisation is in force) with the right to make an application for an international production order. There is no requirement in the Bill for the ASIO employee, or class of ASIO employees, be of a particular level of seniority or to possess particular qualifications. Nor does the Bill limit the scope of, or otherwise describe, the ASIO employees that could be authorised to apply for an IPO.
More generally, these provisions are a substantial departure from ASIO’s existing domestic telecommunications warrant regime. In particular, ASIO’s existing warrant framework provides that only the Director-General may apply for a warrant to intercept telecommunications or to access stored communications. This restriction reflects the significant intrusion into a person’s privacy (and that of third parties with whom they communicate) that results from interception and access. Similarly, the Director-General’s power to apply for warrants under the ASIO Act cannot be delegated.
3.76
Mr Vickery noted that any material provided to the Attorney-General’s office is provided to the Director-General:
From the outset, the underlying philosophy of the organisation in relation to all of the bill is that, where we can and where we should, we have existing protocols and policies and procedures that will continue to apply. So, in relation to IPOs, the underlying philosophy of anything that goes to the Attorney-General, like our current warrant regime, will have to go via the DGs office. There's certainly not an intention from anyone within the organisation—and I know from the director-general—that it will be a carte blanche ability for anyone in the organisation to apply for an IPO. That is certainly not the way that the organisation will operate. So our existing protocols and procedures in terms of authorisation levels or access to information will continue to apply.
3.77
ASIO said that it is developing internal policy requirements to allow the Director-General to personally review applications for IPOs related to interception and stored communications:
ASIO is developing an internal policy requirement for the Director-General to personally review and approve each application for an IPO for interception or stored communications before it is provided to the Attorney-General, and ahead of consideration by the Administrative Appeals Tribunal (AAT).
While maintaining his oversight of IPO requests, the Director-General may not necessarily be the ASIO representative signing the IPO request.
The IPO legislation enables the AAT to require the person who signed the IPO request to appear before them to provide further information. It is not efficient, viable or indeed necessary for the Director-General to personally provide this information on each and every occasion as required by the AAT. As such, ASIO will look to develop a system to accommodate this situation while maintaining appropriate Director-General oversight.
3.78
ASIO must apply to the Attorney-General of Australia for approval to submit an application for an IPO. The Attorney-General is prevented from consenting to the making of an application unless satisfied that there are reasonable grounds for suspecting that the services are being, or are likely to be, used for purposes prejudicial to Australia’s security, or that the information would be likely to assist ASIO in carrying out its functions.
3.79
The Attorney-General’s Department said that this threshold is consistent with current domestic provisions:
This threshold is consistent with the thresholds in sections 9 and 109 of the TIA Act for the Attorney-General to issue domestic warrants for interception and access to stored communications to ASIO.
3.80
The Bill requires that a request to the Attorney-General seeking consent should be made in writing, unless urgent circumstances necessitate seeking agreement orally. Any such request must be followed up with a written report to the Attorney-General and the Inspector-General of Intelligence and Security detailing the particulars of the urgent circumstances.
3.81
The Inspector-General of Intelligence and Security said that the Bill does not require ASIO to provide the circumstances justifying making an urgent application to the Attorney-General, and suggest amending the Bill to provide for this:
An amendment to provide that the Attorney-General is also advised orally of the particulars of the urgent circumstances which necessitate a telephone application would ensure that the Attorney-General is apprised of the ‘full picture’ in the same manner and timeframe as the nominated AAT member. The report, proposed in subclauses 83(10) and 92(9), could then formalise the oral advice provided to the Attorney-General, as well as advise the Attorney whether the application was granted, withdrawn or refused.
3.82
Following the Attorney-General’s consent, an application may be made to a nominated member of the Security Division within the AAT. The Law Council of Australia said that judicial officers should have the ability to be appointed to consider national security-related IPO applications:
… the power to appoint judicial officers as issuing authorities for ASIO’s national security IPOs would provide the strongest possible assurance to the Australian community, and Australia’s current and prospective international partners, of the rigour and independence of the issuing process for those IPOs. This is likely to further enhance public trust and confidence in ASIO’s exercise of these powers, notwithstanding that the necessarily covert nature of its activities means that specific information about its activities cannot be disclosed publicly.
3.83
Mr Vickery said that due to the requirement to store and handle classified material, the Security Division of the AAT is appropriately placed to consider IPO applications made by ASIO:
I think our view in relation to that is that we are comfortable with the security division of the AAT being the right place. I say that because that particular division has extensive experience in dealing with the organisation and the matters that we are involved in—for instance, in relation to security assessments and so on—so they're well versed in the way that we operate and what we can and cannot do. I would also note that the staff in that particular division have appropriate security clearances, they are well versed in the storage and handling of classified material, which is what we would be dealing with, and so we are very comfortable that that meets our requirements in terms of somebody to deal with to progress an application.
3.84
The nominated AAT Security Division member must have regard to the extent to which other methods that do not involve interception have been used by ASIO, and the likely assistance or prejudice such methods would cause, as well as any other matters the nominated AAT Security Division member considers relevant.
3.85
The Inspector-General of Intelligence and Security said that unlike law enforcement applications, the nominated AAT Security Division member is not required to consider privacy and proportionality in ASIO IPO applications:
In particular, the nominated member is not required to have regard to the privacy of any person or the gravity of the conduct being investigated, or the level of assistance that would be likely be provided to ASIO in carrying out its functions. The Explanatory Memorandum does not give reasons for this distinction. IPOs issued to ASIO could potentially be very broad in scope, extending beyond individuals reasonably suspected of being engaged in acts prejudicial to security, to services used for ‘purposes prejudicial to security’.
IGIS would expect ASIO to consider privacy and proportionality matters in its applications. The Attorney-General’s Guidelines, issued to ASIO under section 8A of the ASIO Act (discussed further below at page 10), require that any means used for obtaining information must be proportionate to the gravity of the threat posed and the probability of its occurrence; and require ASIO to undertake its investigations using as little intrusion into individual privacy as is possible, consistent with the performance of its functions.
3.86
The Inspector-General of Intelligence and Security further noted that ‘the Attorney-General’s Guidelines do not extend to decisions made by members of the Security Division of the AAT’. The Department of Home Affairs outlined that the matters that must be considered reflect ASIO’s anticipatory role:
The criteria that must be considered by a nominated AAT Security Division member before issuing a national security international production order under Part 4 of the Bill recognises ASIO’s role as being anticipatory and protective in nature.
…
The decision-maker is also able to take into consideration any other matters they consider relevant, which may include further privacy or human rights considerations.
These additional criteria ensure that the nominated AAT Security Division member assesses the potential privacy impacts, and that the proposed interference with privacy is proportionate to the national security purpose.
3.87
Further, the Department of Home Affairs said that any requirement for nominated members of the Security Division of the AAT to consider privacy and proportionality would be duplicative, as ASIO makes these considerations prior to seeking the Attorney-General’s agreement:
The Guidelines ensure that privacy, proportionality and human rights are considered in issuing ASIO warrants under the TIA Act, and the Guidelines will also apply to national security international production orders.
The guidelines provide that information to be obtained by ASIO is to be done in a lawful, timely and efficient way and in accordance with the following:
any means used for obtaining information must be proportionate to the gravity of the threat posed and the probability of its occurrence
inquiries and investigations into individuals and groups should be undertaken using as little intrusion into individual privacy as is possible, consistent with the performance of ASIO’s functions, and
wherever possible, the least intrusive techniques of information collection should be used before more intrusive techniques.
These considerations ensure that ASIO conducts a thorough assessment of the potential privacy impacts before seeking to use covert powers such as those under an international production order, and that the use of those powers, including the necessary interference with a person’s privacy, are proportionate to the relevant conduct. Noting these requirements it is unnecessary and duplicative to replicate them in the Bill.
3.88
The Law Council of Australia said that administrative obligations do not provide appropriate safeguards for the use of intrusive powers, and that consistency between IPO provisions would be appropriate:
… the Law Council considers that an administratively binding obligation about the manner in which an intrusive collection power is to be exercised is a considerably weaker safeguard than a statutory pre-condition to the availability of that power. The consequences for contravening an administrative obligation are purely administrative in character (for example, internal disciplinary action or receiving a Ministerial reprimand). Such contravention does not obviate the legal basis for the collection activity. In this regard, the Bill perpetuates, in the IPO regime, a significant and unjustified imbalance between the statutory prerequisites under the TIA Act for the authorisation of domestic law enforcement powers, and ASIO’s intelligence collection powers. The Law Council does not support the continuation of that approach, and recommends that national security, law enforcement and control order IPOs are subject to consistent statutory issuing criteria, in relation to assessing the privacy impacts of the proposed activity on all persons who may be affected by the exercise of the relevant intrusive collection powers.
The Law Council acknowledges that it would be possible for an issuing authority in relation to ASIO’s national security IPOs to exercise their discretion to consider privacy impacts on third parties in making an issuing decision on an individual IPO application. This matter could be considered under the issuing criterion enabling the consideration of ‘other matters (if any) as the nominated AAT Security Division member considers relevant’. However, the Law Council considers that the explicit statutory prescription of third-party privacy impacts as an issuing criterion would ensure that this matter is given a consistent degree of consideration and weight in the determination of all IPO applications.
3.89
Where the member of the Security Division of the AAT is satisfied of the relevant matters, they may issue the IPO, and can incorporate conditions such as the format of the data and that the information be provided to the Australian Designated Authority. For interception of data, this may be for a period of up to three months or up to six months where certain conditions are met.
3.90
For applications related to B-Party interception, the nominated AAT Security Division member must have regard to whether other less intrusive methods of obtaining the information are available and have been used.
Telecommunications data
3.91
Under domestic laws, applications to access telecommunications data by ASIO are approved by the Director-General of Security, Deputy Director-General of Security or an ASIO employee or ASIO affiliate approved by the Director-General of Security. Under the Bill, such applications would be approved by a nominated member of the Security Division of the AAT and would not have to be approved by the Attorney-General.
3.92
The Department of Home Affairs said that this threshold has been put in place to accord with the requirements of making an executive agreement under the US CLOUD Act:
… all international production orders sought by ASIO must be independently authorised by an Administrative Appeals Tribunal (AAT) Security Division member. This differs from the domestic framework in the TIA Act, under which ASIO warrants for interception or stored communications are authorised by the Attorney-General, ASIO journalist information warrants for telecommunications data are authorised by the Attorney-General, and authorisations for telecommunications data can be internally authorised.
There is a clear policy reasoning for the different authorisation mechanism adopted for ASIO in the Bill, which reflects the unique requirements of the United States CLOUD Act. It is imperative that the framework of international production orders is well-placed to work alongside many different foreign legal systems. For example, the United States CLOUD Act requires that foreign orders under CLOUD Act agreements must be subject to review or oversight by an authority characterised as a “court, judge, magistrate, or other independent authority”.
3.93
An application for telecommunications data should be in writing, and be accompanied by an affidavit, unless urgent circumstances provide that it would be appropriate to make a telephone application.
3.94
In order to issue an IPO for telecommunications data to ASIO, the nominated member of the Security Division of the AAT must be satisfied of several matters, including that the request is made in connection with ASIO’s functions. An application need not satisfy the nominated member that the subject of the request is involved in a serious offence.
3.95
The IGIS said that the nature of telecommunications data and the information it can provide has evolved since the existing domestic provisions were introduced in 2007, and that the authorisation threshold was ‘low’:
While this is consistent with Chapter 4 of the TIA Act (the equivalent domestic authorisation scheme),
IGIS notes that this domestic authorisation scheme is currently the subject of the Committee’s Review of the mandatory data retention regime. In a submission to that review, IGIS noted that the threshold for ASIO to access telecommunications data is ‘low’. This threshold was introduced more than twelve years ago (in 2007, the same year the iPhone was introduced) when the volume and nature of communications data held by carriers and carriage service providers was quite different. IGIS notes that the informative value and relative privacy intrusion of telecommunications data (including a person’s location history, and the details of the persons they contact) to both intelligence agencies and the public, has increased significantly with technological advances. IGIS notes that other countries with similar regimes have set a higher threshold for data access than the Bill. For example, the United States’ CLOUD Act limits any disclosure of communications or data to matters involving serious criminal offences and terrorism matters (which are indictable offences in Australian law).
3.96
Where satisfied of the relevant matters, the nominated member of the AAT may issue an IPO that can require data to be disclosed in a certain format, or to the Australian Designated Authority. An IPO cannot be granted for a period of longer than 90 days.
Committee comment
3.97
The Committee notes the evidence from ASIO regarding the current and ongoing threats of terrorism in Australia, and supports the need for ASIO to have the tools available to address this threat.
3.98
However, given the necessarily classified nature of ASIO’s role in investigating these threats, the Committee considers that there should be robust safeguards built into the international production orders framework to ensure that the public is assured that intrusions into individual privacy are considered with the necessary degree of proportionality.
3.99
The Committee considers that the Director-General of Security’s ability to authorise employees of the Organisation to make applications for interception of data or to access stored communications on its behalf should be restricted to senior position holders of the Organisation as defined in the Australian Security Intelligence Organisation Act 1979.
3.100
The Committee recommends that proposed Clause 2 of Schedule 1 to the Telecommunications (Interception and Access) Act 1979 amended to insert a definition of senior position holder that is consistent with the provisions of the Australian Security Intelligence Organisation Act 1979
3.101
The Committee recommends that proposed Clauses 83 (3)–(4) and 92(3)–(4) of Schedule 1 to the Telecommunications (Interception and Access) Act 1979 be amended so that the Director-General of Security may only delegate powers to a senior position holder
3.102
In recognition of the current authorisation thresholds for ASIO to access telecommunications data, the Committee does not propose to require a senior positon-holder to approve applications. However, the Committee notes the evidence received from the Inspector-General of Intelligence and Security that the nature of material that can be obtained through access to telecommunications data has evolved since the measures were first introduced.
3.103
The Committee therefore considers that applications by ASIO for telecommunications data should only be delegated to staff members at the Executive Level 2 (or equivalent) or above.
3.104
The Committee recommends that proposed Clauses 101(3)–(4) of Schedule 1 to the Telecommunications (Interception and Access) Act 1979 be amended to provide that the Director-General of Security can only authorise Australian Security Intelligence Organisation employees, or classes of Australian Security Intelligence Organisation employees, at the Executive Level 2 (or equivalent) and above to make applications on the Australian Security Intelligence Organisation’s behalf.
3.105
The Committee supports the requirement for ASIO to inform the nominated member of the Security Division of the AAT of the particulars of the urgent circumstances requiring a telephone application, and include the matters that would have been required to be set out in the written application or affidavit in support of the application.
3.106
The Committee notes the evidence from the Inspector-General of Intelligence and Security that ASIO is not required to inform the Attorney-General of the same particulars when seeking oral agreement to make an application.
3.107
The Committee therefore recommends that, in order to provide assurance that the Attorney-General is provided with all relevant information, that the relevant clauses be updated to include the requirement to provide the Attorney-General with the same information as a telephone application to the AAT.
3.108
The Committee recommends that proposed Clause 83(9) and 92(8) of Schedule 1 to the Telecommunications (Interception and Access) Act 1979 be amended to require the Australian Security Intelligence Organisation to provide the Attorney-General with:
the particulars of the urgent circumstances because of which the person making the request considers it necessary to obtain oral agreement
the matters that ASIO would have been required to set out in a written application to the Attorney-General.
3.109
The Committee supports the requirement for such an agreement to be followed up with a written report to the Attorney-General and the Inspector-General of Intelligence and Security within three days of the oral application.