Privacy and data security

Net neutrality

What is your jurisdiction’s regulatory stance on net neutrality?

In Australia, there is no mandated net neutrality rule. As a result, the only protections of an equal playing field over the Internet are those contained in the general laws on anti-competitive conduct. The introduction of net neutrality laws was a recommendation of the former Labor government in its Convergence Review, but it is not currently being pursued by the coalition (conservative) government that took office in 2013. Importantly, though, the Australian domestic telecommunications market differs from the US and European markets in a number of respects that bear on this issue. For example, in Australia there is significantly less vertical integration than in the United States. Further, Australian internet plans are priced principally by reference to the amount of data downloaded (a ‘user pays’ model), as well as by speed. Additionally, as the Australian network is open to use by competitors, customers are able to choose from a wide range of broadband providers (and indeed different technology mixes) and can easily switch between providers and plans.

Encryption

Are there regulations or restrictions on encryption of communications?

Generally, encryption can be used freely within Australia. The Cybercrime Act 2001 contains provisions that allow law enforcement agencies to compel disclosure of encrypted data. The restrictions on encryption of communications are largely contained in Schedule 13E of the Customs (Prohibited Exports) Regulations and Section 112 of the Customs Act 1901. Cryptographic software is included on the Defence and Strategic Goods List (DSGL), and the Defence Trade Controls Act 2012 (DTCA) prohibits the ‘supply’ of DSGL technology outside Australia without a permit. Exceptions are detailed in the DSGL Cryptography Note and include, for example, material in the public domain and software or hardware in which the cryptographic function cannot be easily changed. Further exceptions exist for technology that is considered ‘basic scientific research’, software that is for personal use, and specific financial products and applications.

A number of laws such as the Privacy Act 1988 require reasonable steps to be taken to protect the security of personal information or other data. In some circumstances, this could be interpreted as requiring particular types of communication to be encrypted.

Data retention

Are telecoms operators bound by any rules or requirements on the retention of consumer communications data? If so, for how long must data be retained?

The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 requires telecommunications providers in Australia to collect and store specific types of telecommunications data (‘metadata’) about their customers’ communications for a minimum of two years from the date when the data was generated. The data must be encrypted and protected from unauthorised interference or access. Pursuant to the retention scheme, ‘metadata’ is defined as information about a communication, not the content or substance of that communication. Specific subscriber data must also be retained for two years after the closure of an account.

Government interception/retention

What rules and procedures govern the authorities’ interception of communications and access to consumer communications data?

Pursuant to Chapter 2 of the Telecommunications (Interception and Access) Act 1979 (TIAA), the Australian Security Intelligence Organisation (ASIO) and certain domestic law enforcement agencies (including the Australian Federal Police and the Australian Crime Commission) may authorise the disclosure of telecommunications data by a carrier or carriage service provider. The information commissioner must be consulted about requirements relating to the form of those authorisations. Except in the case of an emergency, the authorities are able to access such communications only for the purposes of their investigations and only once a warrant has been obtained pursuant to the requirements set out in the TIAA. In the case of ASIO, a warrant may be issued where the person is reasonably suspected of engaging in activities prejudicial to security and the interception will, or is likely to, assist with obtaining intelligence relevant to that investigation. In the case of law enforcement agencies, interception warrants may be issued where the investigation concerns a ‘serious’ offence. Requests for access to metadata are subject to review by the commonwealth ombudsman or, in the case of ASIO, by the inspector-general of intelligence and security.

Data security obligations

What are telecoms operators’ general data security obligations to consumers?

The general data security obligations to consumers are contained in Principle 11 (Security of personal information) of the Australian Privacy Principles (APPs). Principle 11 requires that organisations take reasonable steps, including active measures, to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification and disclosure. Similarly, where an organisation no longer requires the personal information for a purpose permitted by the APPs, the entity must take reasonable steps to destroy the information or ensure that it is de-identified, save where the information is part of a Commonwealth record or its retention is required by law (or by a court or tribunal).

In addition to the above security obligations, the Australian Privacy Principles and Part XIII of the Telecommunications Act 1997 impose restrictions on the use and disclosure of personal information and telecommunications customer information respectively.

Most recently, specific telecommunications sector security reforms have also been introduced by the Telecommunications and Other Legislation Amendment Act 2017 (TSSR), which aims to establish a security framework within the telecommunications industry to ensure the protection of telecommunications networks and to promote engagement between industry and government in identifying and mitigating risks of unauthorised interference or access. The two primary obligations introduced by the TSSR are:

  • a security obligation – carriers and carriage service providers (CSPs) must do their best to protect telecommunications networks and facilities from unauthorised interference or unauthorised access for the purposes of security; and
  • a notification obligation – if a carrier or nominated CSP proposes to implement a change to a telecommunications service or telecommunications system that is likely to have a material adverse effect on its capacity to comply with the security obligation, the carrier or nominated CSP must notify the communications access coordinator.
