Following the controversial passage of theTelecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (TOLA Act) (colloquially referred to as the 'decryption laws') in December last year, the Senate referred the operation of the TOLA Act to the Joint Committee for inquiry and report.

Key takeouts

The Parliamentary Joint Committee on Intelligence and Security (Joint Committee) has finalised its review of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (TOLA Act). 

The Joint Committee did not make any recommendations to amend the TOLA Act.

The Independent National Security Legislation Monitor is currently reviewing the TOLA Act and is due to report by 1 March 2020.

On 3 April 2019, the Joint Committee delivered its report.

The Bill introduces a package of amendments to assist law enforcement agencies to overcome the challenges of accessing encrypted communications when investigating suspected criminal activity. Our previous articles, from October 2018 and from January 2019, set out the background to this law. The Joint Committee made just three recommendations, none of which change the nature of the TOLA Act. Instead, the Joint Committee recommended that, as well as a procedural matter regarding the timing of a further report of the Joint Committee by June 2020, the Independent National Security Legislation Monitor (INSLM), the Inspector-General of Intelligence and Security and the Commonwealth Ombudsman be sufficiently resourced to ensure they can properly carry out the various functions.

Having previously referred the TOLA Act to the INSLM in February 2019 (the first of its kind), and in light of the impending election, the Joint Committee took the view that new powers introduced by the TOLA Act warrant ongoing consideration and that it is appropriate to schedule a further statutory review of the Act to commence this month.

Even though numerous submissions have previously been made at various stages prior to the passing of the TOLA Act, the Joint Committee received a further 71 submissions and seven supplementary submissions from a range of government agencies, lawyers, industry representatives from the telecommunications and technology sectors and members of the public.

It is clear from the tone of these submissions that the decryption laws remain as controversial and complex as ever, especially among those in the technology industry.

On the one hand, the submission from the Department of Home Affairs referred to the fact that Commonwealth law enforcement and national security agencies have already used their powers under the TOLA Act to issue notices, which demonstrates the need for the laws.

On the other hand, industry remains firmly opposed to the laws. The co-CEO of Atlassian, Scott Farquhar, has publicly stated that the tech companies in Australia were already losing business to overseas competitors as a direct result of these laws. Common themes among those who made submissions were that the laws should be amended to:

  1. narrow the breadth of the types of assistance that can be requested or compelled;
  2. clarify ambiguities in the critical definition of 'systemic weakness and systemic vulnerabilities';
  3. introduce a warrant-based system for Technical Assistance Notices (TANs) and Technical Capability Notices (TCNs), so that they can only be issued with judicial approval;
  4. change the definition of 'serious offences' to offences punishable by at least 7 years in jail (thereby narrowing the circumstances in which a notice can be issued), in line with the definition in the Telecommunications (Interception and Access) Act 1979 (Cth);
  5. require that, where a designated communications provider refers a TCN for assessment and report, the report is binding on the Attorney-General;
  6. provide guidance for a decision-maker who is making a 'reasonable and proportionate' determination when deciding whether or not to issue a notice. For example, whether perceived law enforcement or national security considerations should outweigh the affected individuals’ and businesses’ reasonable expectations of confidentiality and privacy of communications;
  7. remove the ability for agencies to avoid consultation with a designated communications provider by stating that the request is urgent; and
  8. include as a consideration for the decision-maker who is assessing the reasonableness of a notice, the fact that compliance with the notice would require a designated communications provider who is in Australia to breach a foreign law (for example, an Australian company that is subject to the GDPR, which also imposes significant fines for non-compliance).

The Joint Committee noted that not all of its previous recommendations had been in adopted in version of the TOLA Act that was passed in December 2018.

It remains to be seen what lies ahead for the future of the decryption laws. Opposition Leader Bill Shorten had stated in December 2018 that, while the Labor Party agreed to the passage of the TOLA Act ahead of the 'high-risk' festive period, it intended to introduce amendments to the laws. The outcome of the upcoming election may impact whether such amendments are passed. However, at this point, it seems unlikely that the notice regime will be significantly altered in the short term.