By Julian Lincoln, Anna Jaffe, Siobhan Lane, Elliott Mann and Emily La
The Australian Federal Parliament’s final sitting fortnight for the year has been exceptionally busy for technology regulation. Amongst the flurry accompanying the introduction of the news media bargaining code and the final Data Availability and Transparency Bill into Parliament, two other key developments arose. The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 (the Surveillance Bill) was introduced and swiftly referred to committee, and the Comprehensive Review of the Legal Framework of the National Intelligence Community (Richardson Report) was also published. Both of these developments are significant for tech industry, and are summarised below.
Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020
The Surveillance Bill was introduced into Parliament on 3 December 2020 and has since been referred to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) for inquiry and report. If passed, the Surveillance Bill will introduce new law enforcement powers (i.e. the ability to issue three new types of warrants) to enhance the ability of the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) to collect intelligence, conduct investigations, disrupt and prosecute ‘the most serious of crimes’. Submissions to the PJCIS on the Surveillance Bill are open until 12 February.
The Surveillance Bill enables the AFP and ACIC to issue three new types of warrants as follows:
- data disruption warrants: a covert power to access computers in order to “disrupt” or alter data to frustrate the commission of offences;
- network activity warrants: powers to access devices or networks in order to determine the scope of offences and identities of those committing the offences (i.e. where criminal activity is occurring but its scope is unclear) over the life of the warrant; and
- account takeover warrants: powers to take over online accounts (and prevent continued access) to gather evidence about offences without the account owner’s consent.
Unlike the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (the AA Act), the Surveillance Bill requires judicial oversight for the issuance of warrants. If an AFP or ACIC officer has reasonable grounds to suspect that the relevant offences are being, or are likely to be committed, they must apply to an eligible judge, nominated AAT member or magistrate (as applicable) for any of these warrants. In general, to grant the warrant the issuer must be satisfied that there are reasonable grounds for the officer’s suspicions, and the requested conduct is justified. This is consistent with the existing framework for surveillance device warrants and computer access warrants under the Surveillance Devices Act 2004 (Cth).
The Surveillance Bill includes reporting mechanisms to the Commonwealth Ombudsman and Inspector-General of Intelligence and Security (IGIS) for the purposes of increasing accountability, however the scope and nature of these new powers have already raised concerns. These include:
- Serious offences: When unveiling the legislation, the federal government noted that these powers are intended to target crimes such as child abuse and terrorism. However, the relevant offences covered by the Surveillance Bill are those that carry a maximum penalty of imprisonment for at least three years, which fall under the AFP’s jurisdiction. These extend beyond the types of crimes noted by the government to crimes including theft, fraud, tax evasion, illegal gambling, forgery and privacy. This threshold is not consistent with the definition of serious offences under the Telecommunications (Interception and Access) Act 1979 (Cth) (the TIA Act), but is consistent with the current threshold in the AA Act. That 3 year threshold under the AA Act has been the subject of significant criticism and a recommendation from the Independent National Security Legislation Monitor (INSLM) that this threshold be abandoned in favour of the higher threshold in the TIA Act.
- Emergency authorisations: Although the warrants process is the focus of the Surveillance Bill, a separate process for ‘emergency authorisations’ by an ‘appropriate authorising officer’ to grant data disruption powers is also included. This allows agencies to bypass the warrant process in serious and urgent circumstances, based on an ‘imminent risk of serious violence or substantial damage to property’.
- Circumventing encryption: The additional and more extensive powers in the Surveillance Bill, which could overlap with and go further than those in the AA Act, also suggest that the Surveillance Bill may be used as a way to bypass the AA Act. The AA Act has undergone and is continuing to undergo extensive review and assessment by both the INSLM and PJCIS, and it is not clear that the lessons learned and concerns raised through those reviews will be or have been addressed in the Surveillance Bill.
- Legitimate oversight: The government has noted that there will be necessary safeguards in place, including oversight mechanisms and controls to ensure the new warrants are used in a ‘targeted and proportionate manner to minimise the potential impact on legitimate users of online platforms’. It remains to be seen whether the IGIS and Commonwealth Ombudsman are in a position to do so, having regard to their funding and the number of similar schemes that they are required to oversee.
On 4 December, the Commonwealth Government also published the Richardson Report, and its response. The Richardson Report reviewed the entire legal framework underpinning intelligence in Australia, and was critical of how the TIA Act in particular has developed over time (including its failure to recognise progressive changes in technology), its undue complexity, and lack of inbuilt transparency and oversight.
Ultimately, the key recommendations of the Richardson Report were as follows:
- The repeal and replacement of the TIA Act, the Surveillance Devices Act 2004 (Cth), and the parts of the Australian Security Intelligence Organisation Act 1979 (Cth) which pertain to electronic surveillance. The reformed Act should be simplified, drafted to account for technology changes, and expanded to more agencies that are able to engage in electronic surveillance (e.g. AUSTRAC, corrective services authorities, and the Australian Border Force).
- The new Act should not amalgamate multiple warrants for multiple surveillance methods into a single warrant.
- As one of its more controversial recommendations, that warrants to exercise intrusive intelligence powers should be authorised by the Minister alone and not overseen by a judge. This recommendation has already given rise to significant concerns from stakeholders including the Law Council of Australia, especially noting the existing public dissatisfaction with the lack of judicial oversight under the AA Act.
These are just two developments that sit in a complex web of overlapping regulations which already include the AA Act, the critical infrastructure reforms, and existing electronic surveillance laws. The recommended repeal and reform of electronic surveillance legislation will take time (likely over five years), and will involve significant industry consultation. As such, even if the Surveillance Bill passes Parliament in its current form it is likely that this will be further captured and refined as part of these reform processes. This would be cause for significant concern amongst industry participants, and reinforces the need to engage consistently with the Government consultation process in the coming years to ensure that the electronic surveillance legislation in Australia is appropriate, internally consistent and coherent, and adapted to the risks that it seeks to address.
To ensure that industry concerns are heard, interested parties should consider actively engaging with the PJCIS’s current review of the Surveillance Bill and preparing a submission by 12 February, as well as preparing for the forthcoming reform process. Please reach out to our experts listed below if you would like any further information or assistance engaging in this processes.