25 July 2019

Introduction

  1. The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to provide comments to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (the Act).

  2. The OAIC has previously provided comments on:
    • the exposure draft of the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (the Bill) to the Department of Home Affairs[1]
    • the first reading version of the Bill to the PJCIS[2], and
    • the PJCIS Inquiry into the Act.[3]
  3. The amendments introduced and passed on 6 December 2018 addressed some of the issues raised by the OAIC in our previous submissions by:
    • extending the decision-making criteria of reasonableness, proportionality, practicability and technical feasibility to technical assistance requests (TARs), including that privacy impacts be considered when assessing whether a TAR is reasonable and proportionate[4]
    • providing an option for a designated communications provider (provider) to request an assessment of whether a proposed technical capability notice (TCN) should be given[5]
    • extending the prohibition on systemic weaknesses and systemic vulnerabilities to apply to TARs, in addition to technical assistance notices (TANs) and TCNs[6]
    • providing for review by the Independent National Security Legislation Monitor.[7]
  4. However, as noted in our most recent submission to the PJCIS concerning the Act (dated 26 February 2019), we consider that privacy impacts remain that require further mitigation.

  5. In that submission we recommended:
    • further clarifying the terms ‘systemic weakness’ and ‘systemic vulnerability’, and their interaction with s 317ZG
    • including mechanisms for judicial oversight over TANs and TCNs
    • if our recommendation regarding judicial oversight is not accepted, then decisions to issue a TAN or TCN should be subject to judicial review under the Administrative Decisions (Judicial Review) Act 1997 (ADJR Act)
    • making technical assessments mandatory rather than at the request of a provider and extending the regime to apply to TARs and TANs, in addition to TCNs
    • making technical assessments a necessary part of an application to a judge for issuing or varying a TAN or TCN.
  6. The PJCIS published the report from the review of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 on 3 April 2019. The recommendations made in the report have not addressed the OAIC’s concerns and we wish to reiterate our recommendations for your consideration. We have set these out below under the relevant terms of reference for this Inquiry.

Threshold, scope and proportionality of powers provided for by the Act

Clarifying ‘systemic weakness’ and ‘systemic vulnerability’

  1. Section 317ZG of the Act limits a TAR, TAN or TCN from requesting or requiring a provider to implement or build a ‘systemic weakness’ or ‘systemic vulnerability’ into a form of electronic protection, or from rectifying such a weakness or vulnerability.[8]

  2. The OAIC had previously recommended that these terms be defined in the legislation. Clearly defining the terms would provide clarity as to the intended scope of the limitation, which in turn would assist in determining whether the privacy impacts of a notice were reasonable, necessary and proportionate in the circumstances.

  3. The Act includes definitions for these terms.[9] However, the summary of evidence of stakeholder concerns set out at Appendix A of the PJCIS report[10] indicates that uncertainty about the meaning of ‘systemic weakness’ and ‘systemic vulnerability’ remains.

  4. We acknowledge that these terms are complex and that the Act will apply in a wide range of circumstances. However, given the important protections that the OAIC understands s 317ZG is intended to provide, and the subsequent risks to the security of personal information if the meaning of these terms is not sufficiently clear, we recommend that further consideration be given to the way these terms are defined in the legislation and how they interact with s 317ZG.

Recommendation 1 The OAIC recommends that further consideration be given to the way ‘systemic weakness’ and ‘systemic vulnerability’ are defined in the legislation and how these terms interact with section 317ZG.

Reporting obligations and oversight measures

Judicial oversight

  1. The OAIC notes that many stakeholders have continued to express concern that judicial authorisation is not required before issuing a TAR, TAN or TCN, as set out at Appendix A of the PJCIS report.[11]

  2. Law enforcement initiatives that impact on privacy require a commensurate increase in oversight, accountability and transparency, to strike an appropriate balance between any privacy intrusions and law enforcement and national security objectives. In order to build trust and confidence in the framework, and as previously submitted, we recommend that the Act be amended to introduce independent judicial oversight before a TAN or TCN is issued or varied. An application to a judge to issue or vary a TAN or TCN should be accompanied by a mandatory technical assessment.

  3. We also note that decisions under this Act are not subject to judicial review under the ADJR Act. If the above recommendation regarding judicial oversight of TANs and TCNs is not adopted, and contrary to our submission the current approval process is retained, then we recommend allowing judicial review under the ADJR Act. This would provide judicial review avenues under both the ADJR Act and the original jurisdiction of the High Court or the Federal Court of Australia.[12]

Recommendation 2 The OAIC recommends that the Act be amended to introduce independent judicial oversight before a TAN or TCN is issued or varied.

Recommendation 3 The OAIC recommends that, if the current approval process is retained, decisions to issue a TAN or TCN should be subject to judicial review under the ADJR Act.

Authorisation processes and decision-making criteria

TCN assessments

  1. Under s 317WA, a provider may request an assessment of whether a TCN should be given. If so requested, the Attorney-General must appoint two assessors, one of whom has technical knowledge and the other of whom has previously served as a judge.[13] The assessors must consider a range of factors including reasonableness, proportionality, practicability, technical feasibility and whether the TCN is the least intrusive measure that would be effective in achieving the legitimate objective of the proposed TCN. The assessors must give the greatest weight to whether the proposed TCN would contravene the limitation on systemic weaknesses and vulnerabilities in s 317ZG.[14] The Attorney-General must have regard to the report that the assessors produce when deciding whether to proceed to give the TCN,[15] but is not obliged to refrain from issuing a TCN even if the assessors determine that it should not be given.

  2. Currently, the assessment provision in s 317WA is limited to TCNs and is invoked at the request of a provider.

  3. However, as previously submitted, we recommend extending the assessment mechanism to enhance its effectiveness as an appropriate safeguard. In particular, we recommend:
    • extending s 317WA to apply to TARs and TANs, in addition to TCNs, reflecting that the prohibition on systemic weaknesses and systemic vulnerabilities in s 317ZG applies to TARs, TANs and TCNs
    • making the assessment mandatory, rather than at the request of a provider
    • making technical assessments a necessary part of an application to a judge for issuing or varying a TAN or TCN.

Recommendation 4 The OAIC recommends extending the assessment mechanism to enhance its effectiveness as an appropriate safeguard.

  1. The OAIC is available to provide further information or assistance to the Committee as required.

Angelene Falk

Australian Information Commissioner
Privacy Commissioner

Footnotes

[1] Submission to Department of Home Affairs dated 13 September 2018.

[2] Submission to the PJCIS dated 15 October 2018.

[3] Submission to the PJCIS dated 26 February 2019.

[4] Section 317JC.

[5] Section 317WA.

[6] Section 317ZG.

[7] Independent National Security Legislation Monitor Act 2010 (Cth), s 6(1D).

[8] Section 317ZG(1).

[9] Section 317B. See also ss 317ZG(4A)–(5).

[10] Parliamentary Joint Committee on Intelligence and Security, Review of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (3 April 2019).

[11] Parliamentary Joint Committee on Intelligence and Security, Review of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (3 April 2019).

[12] By operation of s 39B(1) of the Judiciary Act 1903.

[13] Section 317WA(1)–(5).

[14] Section 317WA(7).

[15] Section 317WA(11).