The Australian Government will soon release an exposure draft for the proposed reforms of Australia’s electronic surveillance regime. The proposed reforms are intended to harmonise existing laws to provide a unified governance framework, cater for technological changes and expand the range of government agencies which may exercise electronic surveillance powers.
The electronic surveillance powers of government agencies are spread across four separate acts (Acts), which are subject to inconsistent thresholds and requirements. Some of the current laws, which were drafted based on technological assumptions and definitions dating back to the 1970s, are struggling to keep up with rapid technological advancements. The Government released a discussion paper in December 2021 highlighting these items, and is expected to issue an exposure draft of the proposed electronic surveillance legislation for public comment in late 2022.
Below, we discuss the key changes proposed in the discussion paper and industry responses which may shape the upcoming legislation.
Key proposed changes
The proposed amendments aim to provide greater certainty to organisations and individuals who are subject to electronic surveillance about when and how surveillance may occur, and what information may be accessed through it, and include:
- Limiting the circumstances where agencies may exercise electronic surveillance powers, such that:
- issuing authorities of warrants for electronic surveillance must consider whether the use of electronic surveillance powers is necessary and proportionate (ie the intrusion on privacy does not outweigh the benefits gained by the use of the powers); and
- agencies can only exercise the powers to the extent necessary to perform their functions.
- Providing greater certainty on the mechanisms and thresholds for lawful access to information, for example:
- providing a definition of ‘content and substance’ of a communication. Broadly speaking, ‘content’ information is the substance or meaning of a communication (e.g. words spoken in a call) whereas ‘non-content’ information is information about a communication (e.g. the time of the call). A warrant is only required prior to an agency’s access to ‘content’ information. However, the Acts do not currently clearly differentiate between ‘content’ information” and ‘non-content’ information (e.g. whether the URL of a website would be considered ‘content’ information or ‘non-content’ information, or both, given that it may reveal both the address of a communication and the content a person could view on a website); and
- removing the distinction between ‘live’ communications (e.g. a phone call currently occurring) and ‘stored’ communications (e.g. an email held on a server). Currently, separate warrants are required to access the same communications content, depending on whether the content is intercepted while passing over the telecommunications network or accessed at a later date as a stored communication.
- Broadening the definition of ‘communication’ which can be intercepted or accessed to include:
- communications stored on a person’s device or personal network (e.g. draft emails and messages which have not been sent);
- a person’s activities on the internet;
- interactions between a person and a machine (e.g. through the use of a chat-bot or other automated system); and
- interactions between machines (e.g. communication between ‘Internet of Things’ devices, or data generated by connected or autonomous vehicles).
- Expanding the range of agencies which may exercise electronic surveillance powers, for example:
- the Australian Taxation Office may access telecommuncations data to protect public revenue from serious financial crimes; and
- the Australian Transaction Reports and Analysis Centre may access telecommunications data to prevent money laundering and terrorist financing.
Key comments from industrial actors
A number of key industry players have responded to the discussion paper. Generally, these responses have provided that:
- a centralised independent body should be established to authorise and review the use of all electronic surveillance warrants;
- ‘content’ and ‘non-content’ information should be clearly defined, particularly whether URL or web-browsing information should be categorised as ‘content’ information;
- an outcomes-based warrant system should be adopted (i.e. warrants to be granted for specific outcomes such as access to an individual’s email account, rather than the types of surveillance methods), but this should still require agencies to disclose the method of electronic surveillance used and justify the privacy impact of this method; and
- immunity from civil and criminal liability should be provided to communications providers where they act in good faith in responding to a warrant.
What comes next?
The exposure draft of the legislation will be released in late 2022, and feedback from industry will then be collected to finalise the bill within 2023. We will provide a further update once the draft legislation is released.
In the interim, organisations should prepare to update their internal policies and procedures on the level of disclosure and cooperation they will provide to agencies.