5.1
This chapter discusses:
Directions-making powers – the Bill relocates an existing directions power (proposed section 315A); and creates a new power for the Attorney-General to direct a carrier or carriage service provider (C/CSP) or intermediary to do or refrain from doing certain things in order to reduce or eliminate security risks (proposed section 315B),
Information-gathering powers – the Bill provides the Secretary of the Attorney‑General’s Department with new information-gathering powers under proposed sections 315C to 315G,
Enforcement mechanisms relating to the Bill’s directions-making and information-gathering powers, and
Information sharing and confidentiality – the Bill sets out how certain information obtained under the Bill’s notification and information‑gathering provisions may be shared and disclosed (proposed section 315H).
Directions by the Attorney-General
Attorney-General’s direction power to cease a service
5.2
The Bill relocates the Attorney-General’s existing direction-making power at subsection 581(3) of the Telecommunications Act 1997 to proposed new section 315A. This direction-making power allows the Attorney-General to direct a C/CSP to cease its services on security grounds.
5.3
The Bill does not change the operation or effect of the existing power, with the exception of:
adding a requirement that ASIO must have issued an adverse security assessment before the Attorney‑General can exercise that power, and
removing a current limitation on judicial review of a direction under the Administrative Decisions (Judicial Review) Act 1997.
5.4
Prior to issuing a direction under proposed section 315A, the Attorney‑General must consult the Prime Minister and the Minister with responsibility for administering the Telecommunications Act 1997 (the Minister for Communications and the Arts). The threshold for exercising the power is that the security risk is ‘prejudicial to security’.
5.5
The Explanatory Memorandum states that proposed section 315A is ‘intended to be used in the most extreme circumstances where the continued operation of the service would give rise to such serious consequences that the entire service needed to cease operating’.
The Attorney-General’s power to direct a C/CSP to do or refrain from doing something
5.6
Proposed section 315B will enable the Attorney-General to give a C/CSP or intermediary ‘a written direction requiring the carrier, provider or intermediary to do, or to refrain from doing, a specified act or thing within a specified period’ to eliminate or reduce risks that are prejudicial to security.
5.7
The Explanatory Memorandum notes that this new direction-making power is intended to supplement the Attorney-General’s existing power ‘where circumstances do not require the complete shut-down of the service’. In other words, section 315B is intended to ‘provide a more proportionate and graduated power of intervention and enforcement where security outcomes cannot be reached on a cooperative basis’.
5.8
The types of things the Attorney-General can direct a C/CSP to do or not do are not specified or limited in the Bill. However, any direction must specifically direct a C/CSP to take, or refrain from, an action that is ‘reasonably necessary’ to reduce or eliminate the risk of unauthorised access or interference which would otherwise result in a risk prejudicial to security.
5.9
The Explanatory Memorandum notes that there could be circumstances where the direction-making power could be used to empower a C/CSP’s Board of Executives to act where national security interests do not align with commercial interests. This could include situations where implementing security measures may increase the cost of a project and other less expensive options may be more commercially attractive. In these circumstances, a direction could be used where a company board, with fiduciary responsibilities to shareholders, may prefer a clear mandate to govern its decision-making.
5.10
The new directions power in section 315B contains a number of safeguards, including that:
similar to proposed section 315A, the Attorney-General cannot exercise the directions power without an adverse security assessment from ASIO, and
before issuing a direction, the Attorney-General must be satisfied that all reasonable steps have been taken to reach agreement and to consult the affected C/CSP in ‘good faith’.
5.11
There are also a number of factors the Attorney-General must take into account before issuing a direction:
the risk to security, as outlined in the ASIO adverse security assessment,
the potential costs to industry associated with implementing the proposed direction, and
the potential impact on competition in the telecommunications sector and potential impacts on end-users.
5.12
Proposed subsection 315B(6) provides that the adverse security assessment furnished by ASIO is to be given the greatest weight by the Attorney‑General.
5.13
The Explanatory Memorandum notes that the requirement for the Attorney‑General to have regard to a broad range of factors is intended to ensure that a direction is proportionate and does not unnecessarily impede market innovation or competition.
5.14
Prior to issuing a direction, the Attorney-General must consult the Minister with responsibility for administering the Telecommunications Act 1997 (the Minister for Communications and the Arts). The Bill also requires consultation with the affected C/CSP.
5.15
In accordance with the accountability provisions contained within Part IV of the Australian Security Intelligence Organisation Act 1979, the C/CSP may seek merits review of the ASIO adverse security assessment in the Administrative Appeals Tribunal.
Threshold for issuing directions
5.16
Industry Associations raised concerns about the threshold for the Attorney‑General to issue a direction. They suggested that, in order to ensure directions are only issued when ‘absolutely required’, the Bill should make explicit that directions can only be issued when the risk of unauthorised interference and access is specified as ‘substantial and imminent’.
5.17
The Attorney-General’s Department disagreed with this suggestion:
This proposal would undermine the purpose of the reforms, which is to encourage industry to engage early with Government to ensure any potential national security risks are appropriately mitigated before they become substantial and imminent. The Attorney-General would only issue a direction under s315B where he or she is satisfied there is a risk that would be ‘prejudicial to security’ and the direction is reasonably necessary to eliminate or reduce that risk.
Meaning of ‘prejudicial to security’
5.18
Industry Associations suggested that the meaning of ‘prejudicial to security’ used in proposed sections 315A and 315B should be defined in the Bill rather than solely in the Explanatory Memorandum. The Explanatory Memorandum states:
The term ‘prejudicial’ should be given the same meaning as ‘activities prejudicial to security’ which is defined within the Attorney-General’s Guidelines in relation to the performance by the Australian Security Intelligence Organisation of its function of obtaining, correlating, evaluating and communicating intelligence relevant to security (including politically motivated violence), to mean activities relevant to security and which can reasonably be considered capable of causing damage or harm to Australia, the Australian people, or Australian interests, or to foreign countries to which Australia has responsibilities.
5.19
In response, the Attorney-General’s Department stated:
The Department does not support amending the Bill to introduce a definition of the phrase ‘prejudicial to security’, as doing so may result in the phrase being given inconsistent meanings between different national security legislative frameworks, thereby causing unintended operational consequences.
The Bill specifies that the term ‘security’ has the same meaning as in the ASIO Act. The Department considers that the phrase ‘prejudicial to security’ is readily understood and does not require further definition. What is ‘prejudicial to security’ will be interpreted using the ordinary rules of statutory interpretation. That is, the words ‘prejudicial to’ as used in the Bill have their ‘ordinary meaning’ (as described in a dictionary). The words are not intended to have a special or restricted meaning (and thus do not require a definition) and this approach is currently reflected in the Attorney-General’s Guidelines.
The phrase ‘prejudicial to security’ is not defined in other Acts that reference it. Defining the phrase in the Bill could produce inconsistency between core national security legal frameworks.
Transparency of adverse security assessment criteria
5.20
Industry Associations also sought increased transparency and scrutiny of the adverse security assessment process. In particular, industry requested that government make available to industry the criteria used by ASIO to make an assessment.
5.21
In response, the Attorney-General’s Department noted:
There are no ‘standard criteria’ for the making of an adverse security assessment by ASIO. Each security assessment will be based on:
the individual facts and circumstances of the telecommunications service, network or facilities in question; and
the nature and degree of the assessed risk to security arising from the use of, or unauthorised interference with or access to, the service, network or facilities in light of those facts and circumstances.
It would not be appropriate to make public the criteria for an adverse security assessment in this context. More broadly, the Department would not support making public detailed information about how ASIO assesses risks to security. Making such information public may enable foreign intelligence services, and others seeking to harm Australia’s security, to plan and carry out their activities in a manner designed to go undetected by ASIO.
However, when ASIO does provide an adverse security assessment to the Attorney-General (in connection with ss 315A or 315B of the Bill) section 38A of the ASIO Act requires that the relevant carrier, carriage service provider or carriage service intermediary be given written notice of the assessment, and a copy of that assessment including an unclassified statement of grounds. Providers will be able to seek merits review of an adverse security assessment in the Administrative Appeals Tribunal. In this way, the making of the adverse security assessment and the grounds for that assessment are transparent and ASIO is accountable for them.
Committee comment
5.22
The Committee notes that the existing power for the Attorney-General to issue a direction to a carrier or carriage service provider to cease its use or supply of a carriage service has not been used to date. The Committee also notes that the Bill contains additional safeguard provisions where relatively few have existed previously, thus providing additional accountability with respect to this existing power.
5.23
Further, the Committee recognises that the inclusion of a new directions‑making power in the Bill is intended to allow for more proportionate and graduated powers of intervention than those that are currently available.
5.24
The Attorney-General can only issue a direction under proposed section 315B where he or she is satisfied there is a risk that would be ‘prejudicial to security’, and the direction is reasonably necessary to eliminate or reduce that risk. Further, the Government has stated that the enforcement mechanisms will operate as a last resort rather than to penalise actions taken in good faith.
5.25
The Committee notes the Attorney-General’s Department’s concern that any caveats on the threshold concerning the risk of unauthorised interference and access, as suggested by industry, would undermine the reforms, and that the Government expects that engagement should occur before risks become ‘substantial and imminent’. The Bill as proposed incorporates certain safeguards and protections that limit the use of the directions power. The Committee does not consider any change is required to the Bill in this respect.
5.26
The Committee acknowledges the concern raised by industry that the meaning of ‘prejudicial to security’ is currently defined in the Explanatory Memorandum and not in the Bill.
5.27
The Committee notes that the words ‘prejudicial to’ have their ‘ordinary meaning’ (as defined in a dictionary), and that the term ‘security’ is defined in proposed subsection 313(1A) by reference to the existing definition in the Australian Security Intelligence Organisation Act 1979. The Committee further recognises that the Bill contains a ‘note’ after proposed subsection 313(1A) which states:
Security, among other things, covers the protection of, and of the people of, the Commonwealth and the States and Territories from espionage, sabotage, attacks on Australia’s defence system and acts of foreign interference.
5.28
The Committee does not support further defining the term ‘prejudicial to security’ in the Bill.
5.29
With regard to whether the criteria for an adverse security assessment should be made public, there are national security considerations that must be taken into account. The risks include that such information could be used by those seeking to harm Australia’s security to act in a manner designed to avoid detection by ASIO.
5.30
Accordingly, the Committee does not support making the criteria for adverse security assessments available to industry.
5.31
The Committee notes that C/CSPs subject to a direction will be provided with the grounds for the adverse security assessment underpinning the direction and will be able to seek merits review of that assessment.
Information-gathering powers of the Attorney‑General’s Secretary
5.32
Proposed section 315C would empower the Secretary of the Attorney‑General’s Department to request information from C/CSPs and intermediaries, where that information is relevant to assessing their compliance with the security obligation to protect networks and facilities (as discussed in Chapter 3). In exercising the power, the Secretary must have the belief that the C/CSP or intermediary has information or documents that would assist the Secretary to assess compliance with the duties in proposed subsections 313(1A) and (2A).
5.33
Proposed section 315G allows the Attorney-General’s Secretary to delegate any or all of his or her information-gathering powers to the Director‑General of Security.
5.34
The Explanatory Memorandum notes that the information‑gathering power is modelled on the existing Australian Communications and Media Authority’s information‑gathering powers in Part 27 of the Telecommunications Act 1997, and that the existing protections against self‑incrimination also extend to the information‑gathering powers proposed in the Bill.
5.35
The Attorney-General’s Department submitted that the information‑gathering power is intended to
formalise and extend the existing cooperative relationship of information exchange between Government, and C/CSPs. The information-gathering powers will be most relevant where information is unable to be obtained on a cooperative basis. For example, where a C/CSP considers it is restrained from sharing information for contractual or other legal reasons.
5.36
The Attorney‑General’s Department noted that the sorts of information likely to be sought under this power would be ‘commercial in nature’. Examples include procurement plans, network or service design plans, tender documentation, contracts and other documents specifying business and service delivery models and network layouts.
5.37
Before using the information-gathering powers, proposed subsection 315C(4) requires the Secretary of the Attorney-General’s Department to have regard to the costs to industry in complying with any requirement in the notice. The Explanatory Memorandum states that the Secretary would consider the potential cost, time and effort imposed on a C/CSP or intermediary in complying with the notice.
5.38
Proposed subsection 315C(8) entitles a C/CSP or intermediary to be paid ‘reasonable compensation’ by the Commonwealth for complying with a requirement to provide documents to the Secretary.
5.39
The Australian Centre for Cyber Security at the University of New South Wales submitted that the security obligations in the Bill could require telecommunications companies to retain and analyse session metadata in order to ‘detect and resolve cyber security threats quicker and in near real‑time’, and that this could include ‘more information than what is addressed under the Metadata Creation, Retention and Disclosure Regime’. The Centre suggested that the information‑gathering powers in the Bill may empower the Attorney-General’s Secretary and the Director-General of Security to collect this information from the company. The Centre noted that the information‑gathering powers in the Bill would not, however, be subject to the same oversight arrangements as the data retention regime:
Metadata under the TSSR, which is the vast majority of session metadata and may have greater privacy implications, require no authorisation and notification process, and little independent oversight, unlike the source IP and port addresses under the Metadata Creation, Retention and Disclosure Regime.
The Commonwealth Ombudsman is not granted oversight powers over the AFP over TSSR metadata unlike with metadata collected under the Metadata Creation, Retention and Disclosure Regime. It may therefore be worthwhile to align the TSSR and the Metadata Creation, Retention and Disclosure regimes so as to avoid fragmentation in terms of data types, retention requirements, disclosure rules and oversight.
5.40
In its submission to the inquiry, the Attorney-General’s Department disagreed that the Bill would require companies to retain metadata:
Contrary to the suggestion made by the Australian Centre for Cyber Security in its submission, the Bill does not create any requirements to retain or provide access to metadata. Authorised agencies’ access to metadata under the Telecommunications (Interception and Access) Act 1979 is subject to strict controls and only available in limited circumstances.
Committee comment
5.41
The Committee notes that the information‑gathering powers in the Bill are subject to a clear threshold—that is, in order to request information from a C/CSP or intermediary the Secretary of the Attorney-General’s Department must have ‘reason to believe that the carrier, provider or intermediary has information or a document that is relevant to assessing compliance with’ the security obligations in the Bill. The Committee does not consider that any session metadata retained by a company would meet this threshold, and therefore, it would not be accessible to government in the same way as data retained under the mandatory data retention regime.
5.42
The Committee notes that the intention of the Bill is to facilitate collaboration between industry and government, and expects that the information‑gathering powers will only be used in rare instances where cooperation is not forthcoming, or in circumstances where a C/CSP or intermediary is restrained from sharing information for contractual or other legal reasons.
5.43
The Committee notes that, under existing legislation, the Commonwealth Ombudsman is empowered to investigate the Secretary of the Attorney‑General’s Department’s exercise of information-gathering powers, either in response to a complaint or on his or her own motion.
5.44
The Inspector-General of Intelligence and Security has similar investigatory powers in relation to any exercise of information-gathering powers by the Director-General of Security.
Enforcement mechanisms
5.45
The directions powers granted to the Attorney‑General and information‑gathering powers granted to the Secretary of the Attorney‑General’s Department will be enforceable by virtue of the application of existing civil remedies provided for in the Telecommunications Act 1997.
5.46
The Attorney-General’s Department noted that:
The enforcement mechanisms in the Bill are intended to operate as a last resort to address non-cooperative conduct rather than to penalise action and decisions taken in good faith.
5.47
This is consistent with the Explanatory Memorandum which notes that the ‘good faith’ provision in subsection 315B(5) is
intended to underpin the entire objective of the security framework which is to facilitate cooperative and collaborative Government and industry partnership to manage national security risks to the telecommunications sector.
5.48
With respect to enforcement action as a result of a breach of a direction, the Explanatory Memorandum notes:
A breach of a direction given by the Attorney-General under section 315B gives rise to the enforcement regime in the Telecommunications Act 1997. A direction must be complied with by a C/CSP. Non-compliance is one trigger for further action, as provided for in the Bill under Items 15-29. Neither subsection 315B(12) nor subsection 315A(5) preclude enforcement actions being taken against a C/CSP which has breached the obligations in section 313 of the Telecommunications Act (including the new obligation of this Bill) without that C/CSP having been issued with a direction.
5.49
With respect to enforcement action as a result of non-compliance with a notice to provide information or documents, the Explanatory Memorandum notes:
Non-compliance with a notice to provide information or documents would constitute a breach of the Telecommunications Act 1997 and attract the operation of the civil remedies regime in Part 30 (injunctions), Part 31 (civil penalties) and Part 31A (enforceable undertakings) of the Telecommunications Act 1997. The Bill authorises the Attorney-General to bring proceedings to enforce these remedies for non-compliance with a notice under section 315C.
Committee comment
5.50
No specific concerns were raised by inquiry participants in relation to enforcement mechanisms. As such, the Committee makes no further comments and supports their inclusion in the Bill.
Information sharing and confidentiality
5.51
Proposed section 315H authorises the further use or disclosure of information or documents obtained under certain sections of the Bill (314A, 314B, 314C, 314D, 315C and 315H) to persons other than the Secretary of the Attorney-General’s Department, or his or her delegate.
5.52
Proposed section 315H is intended to protect commercially sensitive information by ensuring:
disclosures are limited to the purpose of security (as defined by the ASIO Act), and
identifying information must not be disclosed to a person who is not a Commonwealth officer.
5.53
The Explanatory Memorandum contains information about the circumstances in which information is likely to be shared, including for providing threat information and intelligence to foreign partners in support of reciprocal information sharing arrangements.
5.54
The Explanatory Memorandum also notes that disciplinary action would be available under existing legislation in circumstances where Australian Government employees breach the provisions. For example, section 70 of the Crimes Act 1914 applies criminal sanctions to unauthorised disclosure of information by current or former Commonwealth officers.
5.55
The Australian Information Commissioner noted that proposed subsection 315H(2) restricts the disclosure of ‘identifying information’ to a person who is not a Commonwealth officer. The Information Commissioner further noted that identifying information ‘means information that identifies the C/CSP or intermediary concerned’, and suggested that, as an additional protection, this restriction on the disclosure of identifying information be extended beyond commercial information to apply to ‘personal information’ as defined in the Privacy Act 1988.
5.56
In response, the Attorney-General’s Department stated:
Extending subsection 315H(2) to ‘personal information’ is unnecessary as there are already strong protections in place for the protection of personal information.
The Attorney-General’s Department, the Department of Communications and the Arts and other government departments, are subject to the Privacy Act 1988, which sets out how personal information is handled. ASIO’s handling of personal information is governed by the ASIO Act and the Attorney-General’s Guidelines (made under the Act) and is also subject to the oversight of the Inspector-General of Intelligence and Security.
Section 315H of the Bill is intended to cover other information, such as commercially sensitive information, that would not necessarily be captured under existing personal information protections (e.g. company names).
5.57
The Explanatory Memorandum notes that the protections in the Bill for commercial information would
operate to complement the high standard for protecting information which government agencies already operate under including compliance with requirements under the Privacy Act regarding use, disclosure and destruction of personal information and secrecy obligations in the Crimes Act 1914.
Committee comment
5.58
The Committee notes that proposed section 315H authorises the use or disclosure of information obtained under the Bill, and provides measures to protect commercially sensitive information, such as requiring the removal of identifying information and placing limitations on disclosures.
5.59
The Committee acknowledges the Information Commissioner’s suggestion that, as an additional protection, the restriction on the disclosure of ‘identifying information’ in proposed section 315H be extended beyond commercial information to apply to ‘personal information’, as defined in the Privacy Act 1988.
5.60
However, the Committee notes that there are already suitable protections in place for personal information, including the Privacy Act 1988, the Australian Security Intelligence Organisation Act 1979 and the Attorney‑General’s Guidelines (made under the ASIO Act). ASIO’s handling of personal information is also subject to the oversight of the Inspector‑General of Intelligence and Security.
5.61
Nevertheless, the Committee considers that the existing protections for personal information are not readily apparent on the face of the Bill. The Committee recommends that the Bill be amended to make it clear that subsection 315H(2) is intended to complement existing requirements, including those under the Privacy Act 1988, regarding use, disclosure and destruction of personal information.
5.62
The Committee recommends that the Telecommunications and Other Legislation Amendment Bill 2016 be amended to make clear that the Bill does not affect the operation of existing legislated privacy obligations.