Australia's 'decryption' laws have been passed; however, further debate and amendments are expected.
A parliamentary committee has begun a review of the laws as passed in December 2018, and is now receiving public submissions on new matters arising from the law.
Following parliamentary and public debate, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 was passed on the last sitting day of Parliament for 2018, introducing the first laws of this kind globally. Despite its reservations, the opposition Labor Party ultimately agreed to the passage of the Bill, subject to assurances that further amendments would be agreed when Parliament resumes in February 2019.
Our earlier article, Decrypting the decryption Bill, sets out the history of the law.
The Act as passed included amendments to reflect the recommendations of the Parliamentary Joint Committee on Intelligence and Security, which had been requested to accelerate its examination of the laws by the Home Affairs Minister, to enable the law to be passed ahead of the festive season.
The key provisions in the Act are fundamentally the same as the previous versions that were published for debate and introduced into Parliament. The breadth of organisations (designated communications providers) that could be subject to a voluntary or mandatory notice, including those overseas, has not changed. Nor has the nature of the Technical Access Request (TAR), Technical Access Notices (TAN) or Technical Capability Notice (TCN).
However, there has been some attempt to introduce stricter oversight and address industry concerns about the potential for Australia's IT security arrangements to become weaker and more vulnerable to malicious attack. Of note, the Act now establishes:
- stricter circumstances in which a request or notice may be issued:
- voluntary and mandatory notices can only be issued if the relevant agency is seeking to safeguard national security or enforce serious criminal offences in Australia (punishable by at least three years imprisonment) and serious foreign offences; or
- TARs may also be issued in circumstances where the agency is seeking to protect Australia's foreign relations and economic well-being
- more oversight and approvals by requiring:
- notification to the Inspector-General of Intelligence and Security, which has independent oversight of security agencies (or the Commonwealth Ombudsman for interception agencies) within seven days of a notice being issued;
- prior approval of the Minister to issue a TCN (or the AFP Commissioner if the TCN is requested by an interception agency)
- more consultation between the issuer of a notice and a provider:
- before issuing a TAN (this was already the case for TCNs);
- as part of the consultation process about a proposal to issue a TCN, providers now have the ability to request the Attorney-General to appoint two people to assess whether the TCN should be given. The assessors are required to consult with both parties before forming a view about whether the TCN should be issued
- obligations on the agency to notify providers at the time of issuing:
- a TAR about the fact that compliance is voluntary; and
- a TAN about the provider's rights, including to make a complaint
- additional considerations when deciding whether a notice is 'reasonable and proportionate', including:
- whether the requirements of a notice are the least intrusive form of industry assistance to people whose activities are not of interest to an agency; and
- whether the requirements are necessary
- statutory limitations on the operation of a notice (which can be extended).
While the Act is specifically expressed not to impact parliamentary privilege, no provisions were included to protect journalists' confidential sources (a concern referred to in our earlier article).
Further amendments are expected to be introduced when the Parliament resumes in February. The Parliamentary Joint Committee on Intelligence and Security is also undertaking a further review of the laws, as passed in December 2018. The Committee is receiving submissions and is due to report by 3 April 2019. The Committee's review is in addition to other statutory reviews that are scheduled, including a review of the laws 18 months on.
The submissions that the Committee has received to date indicate that communications, technology and legal industry groups still have serious concerns with the laws. Submissions that have been received include support for the Labor Party's proposal to require judicial oversight of the issuing of notices, similar to the way in which a warrant is issued. Industry groups have also expressed concern about the remaining uncertainty and lack of clarity in the legislation. As an example, providers will be placed in a difficult position if required to comply with a notice in Australia that would be a breach of foreign laws, such as the European Union's General Data Protection Regulation.
However, despite continuing concerns about the impact of the new laws, it seems unlikely that these further reviews will result in substantial changes to the regime. At most, we expect that there may be some further independent oversight introduced and greater clarity around definitions of the circumstances in which notices can be issued and things that providers may be required to do.