On 9 July 2020 the Independent National Security Legislation Monitor (INSLM) issued a report recommending amendments to the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (the Act). This report was produced in part in connection with, and will inform, the Parliamentary Joint Committee on Intelligence and Security’s (PJCIS) review of the Act, which is due at the end of September.
The Act has been controversial for a number of reasons, including not only its content but also its swift enactment (and minimal consultation). The main focus of concerns raised by industry, and consequently a key part of the INSLM’s report, is the broad powers granted under Schedule 1 of the Act to law enforcement and intelligence agencies to request or compel that entities referred to as designated communications providers (DCPs) do certain ‘acts or things’ in order to enable those agencies to access communications, including encrypted communications. The term ‘DCP’ is intentionally broad, and effectively includes all persons in the communications supply chain.
The Act has been strongly criticised for the breadth of its application, as well as (critically) the actual and perceived weaknesses of many of its current safeguards. In particular:
- Systemic weaknesses and systemic vulnerabilities: A common concern with legislation that seeks to counter the issue of encryption leading to law enforcement access to communications ‘going dark’ relates to the potential consequences of introducing weaknesses or vulnerabilities into a DCP’s products or services through the DCP’s provision of industry assistance (including by building undisclosed ‘back doors’ into products). The Act sought to counter these concerns by prohibiting the introduction of a ‘systemic weakness’ or ‘systemic vulnerability’ into a form of electronic protection. However, both the definitions of these concepts and the way in which the prohibition applies were heavily criticised for their ambiguity and inadequacy.
- Independent authorisation and oversight: The industry assistance notices and requests under the Act are not currently subject to independent judicial authorisation, with very limited availability for judicial review in respect of any subsequent disputes or objections as to their application.
It is clear from the INSLM’s report why the review of the Act was the ‘most complex’ undertaken by the INSLM in his term. In its consideration of the Act, the INSLM’s report engages with many of the issues inherent in regulating for the digital age. It ultimately seeks to apply two fundamental principles to its consideration of the Act:
- first, that ‘just as we do not accept lawlessness in the physical world, we should not accept lawlessness in the virtual world’; and
- second, a companion principle of ‘trust but verify’ — that the trust of the public depends on verification through ‘clear law, fair procedures, rights compliance and transparency’ — perhaps even more so in the virtual world.
Having regard to these principles and the concerns raised by stakeholders, the INSLM made a number of recommendations with respect to the operation and amendment of the Act. Critically, these included (among others):
- clarifying the problematic definitions in the Act, including by seeking to introduce greater specificity in areas of overlap and ambiguity (a proposal that goes towards, but does not adopt in full, suggestions made in many industry submissions); and
- in a move foreshadowed in many of the INSLM’s statements during and after the public hearings held as part of his review, seeking to introduce a new ‘double-lock’ mechanism for the issuance of industry assistance notices and a related new oversight regime.
This new oversight mechanism, based on aspects of the equivalent model in the UK, would be achieved through the establishment of an Investigatory Powers Division (IPD) of the Administrative Appeals Tribunal. The IPD would be made up of a new statutory office of the Investigatory Powers Commissioner (IPC), eminent lawyers and technical experts, and would be tasked with the powers of approval of industry assistance notices. The IPC would also be granted other oversight powers and responsibilities in respect of the Act.
Many of the INSLM’s findings and recommendations will not come as a surprise to those who have been following the Act’s path to date. However, this is far from the end of the road for the Act in its current form, with the PJCIS still yet to comprehensively weigh in.