3 July 2020

Executive Summary

1 The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to provide this submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (Bill).[1]

2 The OAIC is an independent Commonwealth statutory agency established to bring together the functions of oversight of privacy protection, freedom of information and information policy. Under the Privacy Act 1988 (Cth) (Privacy Act) the Australian Information Commissioner and Privacy Commissioner has a range of privacy regulatory functions and powers. The Commissioner is required to have regard to the objects of the Privacy Act in performing these functions, which include:[2]

  1. promoting the protection of the privacy of individuals
  2. implementing Australia’s international obligation in relation to privacy
  3. facilitating the free flow of information across national borders while ensuring that the privacy of individuals is respected, and
  4. promoting responsible and transparent handling of personal information while recognising that the protection of the privacy of individuals must be balanced with the interests of entities in carrying out their functions and activities.[3]

3 Initiatives which impact privacy must be reasonable, necessary, and proportionate to achieving legitimate policy aims. Proposed measures must be subject to appropriate safeguards, oversight and accountability.

4 The OAIC notes the importance of orders issued and requests made by foreign governments under Part 13 of the Bill being subject to thresholds and safeguards that ensure requests for personal information are reasonably necessary and proportionate. In the time available, the OAIC has focused on the issue of foreign governments protecting personal information received under Part 13 of the Bill. The OAIC recommends that the Bill be amended to ensure personal information that is disclosed by Australian designated service providers to foreign governments is appropriately protected.

5 The Bill should require that, in relation to foreign countries which do not have privacy protections equivalent to the Privacy Act, designated international agreements contain provisions which afford comparable privacy safeguards.

6 The OAIC also recommends that the permitted use, recording and disclosure of protected information for the purposes of an investigation under the Privacy Act (subsection 153(1)(r) of the Bill) be expanded to include preliminary inquiries and complaint resolution processes, compliance with the Notifiable Data Breaches scheme and the OAIC’s assessment functions.

The IPO regime

7 The Bill establishes a legislative framework to give effect to future ‘designated international agreements’, bilateral and multilateral agreements which will facilitate cross border access to electronic information and communications data for criminal investigations and prosecutions, law enforcement and national security purposes.[4]

8 As we understand it, the Bill does not prohibit the Australian Government from entering into designated international agreements with foreign countries that have no privacy regime, or a privacy regime less robust than Australia’s.

9 The Bill enables a ‘competent authority’ of a foreign country with which Australia has a designated international agreement to issue an order or make a request directly to an Australian designated service provider.[5] This authorises disclosures for the purposes of the Privacy Act, to the extent the disclosure is in accordance with a foreign order or request.

10 The proposed International Production Order (IPO) regime will enable the collection, use, storage and disclosure of a wide range of data including messages, voice and video calls, ‘stored communications’ and ‘telecommunications data’. This data can be requested from a range of entities including carriers, carriage service providers, message/call application service providers, storage/back-up service providers and general electronic content service providers.[6]

11 The wide range of data that could potentially be accessed under an IPO can provide a rich and detailed picture of an individual’s location, habits, associations, beliefs and preferences, with the level of detail increasing commensurately with the volume of data collected and the methods used to process it.

12 The OAIC notes the policy objectives of the Bill to streamline cross border and reciprocal access to electronic information and communications data to combat serious crime and terrorism.[7] However, initiatives which impact privacy in pursuit of these policy objectives must be reasonable, necessary and proportionate to achieving the policy aims.[8] The scope of proposed measures must be as clear and transparent as possible and subject to appropriate safeguards, oversight and accountability.

Cross border disclosure of personal information

13 Australian Privacy Principle (APP) 8.1 requires that before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information. Where an APP entity discloses personal information to an overseas recipient, the APP entity is accountable for an act or practice of the overseas recipient that would breach the APPs. This reflects a central object of the Privacy Act to facilitate the free flow of information across national borders while ensuring that the privacy of individuals is respected.[9] It also enables Australians to have confidence that their personal information is being handled to a standard that they would expect, regardless of where in the world it is disclosed.

14 Part 13 of the Bill authorises the overseas disclosure of personal information by an Australian designated service provider in response to a foreign order or request. To the extent this disclosure is in accordance with a foreign order or request and the relevant designated international agreement, for the purposes of the Privacy Act:

  1. the exception in APP 8.2(c) would apply, and
  2. designated service providers would not need to take reasonable steps to ensure that the overseas recipient does not breach the APPs, due to the disclosure being authorised by or under an Australian law.

15 The APP Guidelines provide that an agency that intends to rely on this exception could consider establishing administrative arrangements, memorandums of understanding or protocols with the overseas recipient that set out mutually agreed standards for the handling of personal information that provide privacy protections comparable to the APPs.[10] While this APP guidance is for an agency, the principles apply equally to circumstances where an Australian designated service provider[11] is required to disclose information in response to an incoming order or request under this Bill.

16 The APP Guidelines set out examples of contractual arrangements to assist an APP entity to take reasonable steps to ensure the overseas recipient does not breach the APPs, such as:

  1. provisions that specify and limit the type of personal information to be disclosed and describe the purpose of disclosure
  2. a requirement that the overseas recipient complies with the APPs in relation to the collection, use, disclosure, storage and destruction or de-identification of the disclosed personal information, with a requirement that the overseas recipient enter into similar contractual arrangements with any third party, for example a sub-contractor
  3. provisions that describe the complaint handling process for privacy complaints, and
  4. a requirement that the recipient implement a data breach response plan which includes a mechanism for notifying the APP entity where there are reasonable grounds to suspect that a data breach has occurred and sets out appropriate remedial action.[12]

17 Designated international agreements should incorporate similar arrangements to afford privacy protections for Australians’ personal information that is being disclosed by an Australian designated service provider directly to a foreign government in accordance with this Bill.

18 The OAIC recommends that the definition of designated international agreement in the Bill is amended to require that:

  1. in relation to
    1. a foreign country which does not have equivalent data protection laws to Australia, and
    2. personal information obtained by the receiving foreign government under an incoming order or request
  2. the designated international agreement must contain provisions which afford equivalent privacy protections to those in the Privacy Act in relation to:
    1. the collection, use, disclosure, storage, security and destruction or de-identification of personal information
    2. complaint handling process for privacy complaints, and
    3. requirements that the recipient implement a data breach response plan which includes a mechanism for notifying the Australian Government where there are reasonable grounds to suspect that a data breach has occurred involving the personal information of Australians which is likely to result in serious harm, and sets out appropriate remedial action.

Exceptions — disclosure of protected information

19 Subsection 153(1)(r) of the Bill includes an exception which permits protected information to be used, recorded or disclosed in evidence in an ‘investigation’ under the Privacy Act.

20 The investigative powers of the OAIC are outlined in Part V of the Privacy Act. An investigation under the Privacy Act may be preceded by a complaint from an individual under section 36 of the Privacy Act. Following receipt of a complaint, the Commissioner may then make preliminary enquiries under section 42 of the Privacy Act and attempt to conciliate the complaint prior to commencing an investigation. The Commissioner may also commence an investigation on their own initiative under subsection 40(2) of the Privacy Act.

21 The drafting of subsection 153(1)(r) refers to an ‘investigation’, rather than the range of inquiry and complaint resolution mechanisms which are often utilised prior to the commencement of a formal investigation. The current drafting may limit use, recording and disclosure of protected information to circumstances in which the OAIC is utilising its formal investigation powers only. The OAIC recommends that subsection 153(1)(r) is amended to include those inquiry and dispute resolution processes.

22 The OAIC also notes that subsection 153(1)(r) does not include permissible use of protected information in relation to other regulatory powers, including assessments under Division 4 of Part IV of the Privacy Act and oversight of eligible data breaches under Part IIIC of the Privacy Act. The OAIC recommends that subsection 153(1)(r) is also amended to permit the use, recording and disclosure of protected information for these important privacy protections.

23 The OAIC notes that the existing exceptions in the Privacy Act and the APPs in relation to enforcement bodies and the exemptions for intelligence agencies, and the exceptions in Part IIIC of the Privacy Act for enforcement related activities, would continue to apply.

Footnotes

[1] https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/IPOBill2020

[2] Section 29, Privacy Act.

[3] Section 2A, Privacy Act.

[4] Explanatory Memorandum (EM), Bill, General Outline, [7]; ‘designated international agreements’ are defined in section 3 of Schedule 1 of the Bill.

[5] Part 13, Bill.

[6] Schedule 1, clause 2, Bill.

[7] EM, General Outline [6].

[8] EM, [2].

[9] Section 2A(f), Privacy Act.

[10] APP Guidelines [8.36].

[11] An Australian designated service provider is likely to be an organisation for the purposes of section 6C of the Privacy Act.

[12] APP Guidelines [8.16].