On 30 June 2017, the Australian Parliamentary Joint Committee on Intelligence and Security (PJCIS) released its report on the Telecommunications and Other Legislation Amendment Bill 2016 (TSSR Bill). The PJCIS recommended that the TSSR Bill, which will implement the telecommunications sector security reforms announced by the Government in mid-2015, should be passed, albeit with amendments. The amendments and other additional steps recommended by the PJCIS in its June 2017 report are intended to address industry concerns that the proposed legislation is vague, would be difficult to interpret and costly to comply with. Given the PJCIS has supported the TSSR Bill it seems likely that it will be passed in 2017, noting it will be subject to a 12 month implementation period.
The PJCIS first recommended legislation to strengthen the protection of Australia’s telecommunications networks from national security risks in its Report of the Inquiry into Potential Reforms of Australia’s National Security Legislation in mid-2013.
An earlier version of the TSSR Bill was released for public consultation in June 2015. In their joint media release announcing the commencement of consultation, the Australian Attorney-General and the Prime Minister (in his then role as Australian Minister for Communications), noted that the intention of the proposed legislation was to provide a security framework to strengthen Australia’s ability to manage national security risks to telecommunications networks, given Australia’s increasing economic and social dependence on those networks. The consultation draft of the bill reflected the approach recommended by the PJCIS and provided for:
- Telecommunications carriers, as well as carriage service providers and intermediaries, to be obliged to:
- protect their networks from unauthorised access and interference; and
- notify the Government of changes to networks and management systems that could adversely affect their ability to protect their networks.
- Direction and information gathering powers to be granted to the Secretary of the Attorney-General’s Department.
The obligations imposed on the sector were to be in addition to other legislative protections, including under the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act), which requires regulated entities to notify planned changes to services or systems that are likely to have an adverse effect on a relevant entity’s ability to secure its systems and under the Telecommunications Act 1997 (Cth), which provides a power to the Attorney-General to direct a relevant telecommunications company to cease operating its service where operation of the service is or would be prejudicial to security.
Although supportive of the goal of strengthening protection against national security threats, industry stakeholders objected to the 2015 consultation draft of the bill. These concerns centred on the broad scope of the provisions of the bill and the difficulties of interpreting vaguely worded provisions in the bill. The bill was also seen as very prescriptive, with telecommunications companies being required to comply with directions relating to security risks, without general rights of consultation or rights of appeal. Of course, the potential costs of compliance were also seen as a concern.
Introduction of the TSSR Bill
The TSSR Bill was introduced into the Australian Senate on 9 November 2016. The Bill had been amended from the earlier draft to reflect concerns raised in the consultations that occurred in 2015 and early 2016. For example:
- Some clarification was made regarding the scope of the obligation to protect telecommunications networks. This would only apply to risks of unauthorised access and interference for the purposes of security.
- The powers to issue directions would be vested only in the Attorney-General, not the Secretary of the Attorney-General’s Department.
- Restrictions would be imposed around the power to issue directions. For example, the Attorney-General would only be permitted to issue directions where the Australian Security Intelligence Organisation (ASIO) has issued an adverse security assessment and if consultation with the impacted company and the Minister for Communications had occurred (amongst other conditions). In addition, decisions to issue a direction would be reviewable under the Administrative Decisions (Judicial Review) Act 1977 (Cth).
On being introduced, the TSSR Bill was promptly referred to the PJCIS. That referral provided an opportunity for stakeholders to raise remaining concerns with the terms of the TSSR Bill.
Recommendations of Parliamentary Committee on the TSSR Bill
The PJCIS released its report on the TSSR Bill on 30 June 2017, a delay from the proposed release date of April 2017. The PJCIS recommended that TSSR Bill should be passed, subject to a number of amendments being made and other actions being taken.
The amendments to the TSSR Bill supported by the PJCIS include, amongst other things:
- Inserting provisions requiring a three year review by the PJCIS of the operation of the legislation, including consideration of the security of critical and sensitive data, the adequacy of information sharing arrangements between the Government and industry and how well the administrative guidelines (discussed further below) operate to provide clarity to industry.
- Reflecting a concern regarding the security of data held offshore as required by the new data retention provisions of Part 5-1A of the TIA Act, including a requirement for notification of any new or amended arrangements for holding that data offshore.
The PJCIS also placed great emphasis on the proposed administrative guidelines for the TSSR Bill, which will be issued by the Government to assist regulated entities in determining what is required to comply with the security and notification obligations in the TSSR Bill. The PJCIS recommendations regarding the guidelines included:
- The guidelines should provide greater detail and certainty for industry, including by providing clarification of an entity’s obligations, for example, where it uses telecommunications infrastructure but does not own or operate it, where any of its infrastructure is located outside Australia or where it provides over-the-top services or cloud computing and storage services.
- The guidelines should provide greater detail regarding the changes to telecommunications services or systems that will, or will not, be required to be notified to the Government’s new Communications Access Co-ordinator.
The PJCIS also recommended greater sharing of information by the Government with industry, including regarding security threats, though this would occur outside the legislation and the administrative guidelines.
What happens now?
The Prime Minister had hoped that the TSSR Bill would be passed in the recently completed 2017 Winter Parliamentary sittings, but this did not occur. Given the recommendation from the PCJIS, which has bipartisan support, that the TSSR Bill should be passed it would seem likely that it will be passed, potentially with the amendments recommended by the PJCIS, in Parliamentary sittings to be held later in 2017. Once the legislation commences, there will then be a 12 month implementation period to comply with the new requirements. Unfortunately there will remain uncertainty for industry as the administrative guidelines will be further amended during this implementation period.