Written by Sean Field.
TLDR
The Department of Home Affairs has released a Discussion Paper outlining proposed reforms to Australia’s electronic surveillance framework, kicking off a consultation process which on current projected timing will see the release of exposure drafts of new legislation later this year and the passage of legislation into law in 2023.
The paper outlines some proposals for regulatory change which have the potential for significant impact on the telecommunications industry such as moving to “technology neutral” definitions of key concepts and potentially extending the reach of the regime to a number of adjacent industry sectors, including operators of online platforms.
Digital service providers that may consider themselves to fall outside the scope of the current electronic surveillance framework should track the progress of the reforms closely and participate in stakeholder engagement activities available over the next twelve months or so, to maximise opportunities to shape the reforms in so far as they may impact on their businesses.
Submissions on the Discussion Paper may be made up until 5pm AEST Friday 11 February 2022. KWM would be happy to assist in the preparation of submissions.
Alert
Scattered across in excess of 1,000 pages of legislation and catering for thirty-five different types of warrants, Australia’s legal and regulatory framework relating to government electronic surveillance powers is, beyond argument, in need of reform and rationalisation.
This most recent paper picks up and builds upon many of the themes of the Richardson Review and is an important step in implementing into legislation the findings of that earlier review.
It also forms the latest chapter in a series of significant reforms over the past few years, including:
- the industry assistance regime under Part 15 of the Telecommunications Act 1997 (Cth);
- the metadata retention regime;
- the mandatory privacy breach scheme; and
- a raft of changes around critical infrastructure, including most recently, the cyber security incident notification and government assistance requirements under the Security of Critical Infrastructure Act 2018 (Cth).
The key driver for the reforms canvassed in this most recent Discussion Paper remains the government’s fear of “going dark” – that is to say, the inability of law enforcement and national security agencies to access communications which are encrypted or conducted in a form or by industry sectors not contemplated by or dealt with, either adequately or at all, in existing legislation.
The proposed reforms seek to respond to the evolution of communications services and the businesses that provide them. Communications have not been the exclusive preserve of traditional telcos for some time, meaning that, for law enforcement purposes, governments need increasingly to expand their investigative powers into new areas to capture new forms of communications and associated service providers, or else risk further erosion of their ability to detect and respond to unlawful behaviour.
We’ve already seen that expansion begin in the industry assistance regime established under Part 15 of the Telecommunications Act 1997 (Cth), which is not limited to traditional telcos and applies to a wide range of digital and “over the top” messaging services. Building on that theme, the discussion paper heralds a significant extension of the regime to entities that have traditionally had limited or no exposure to obligations relating to electronic surveillance, including entities that offer a messaging service as part of their products and services.
The discussion paper refers to a number of “guiding principles”, including, most relevantly for industry, the idea that future surveillance legislation will be “technology neutral”. This will involve, among other things, revisiting core concepts such as the definition of what constitutes a “communication” and distinguishing between “content” and “non content” information.
The review considers that the current definition of “communication” in the Telecommunications (Interception and Access) Act 1979 (Cth) (the TIA Act) is in essence based on an assumption that “conversations and messages between people were the main type of information passing over the telecommunications network”. But now, the paper considers, the concept of “communication” needs to cover new kinds of information and interactions – for example:
- “machine-to-machine signals between servers and models that enable the network to route communications to their intended destination”;
- interactions between a person and machine – such as IMs between a human and a chat bot; and
- interactions/signalling between IoT devices, such as data generated by connected or autonomous vehicles, or smart home security systems.
The paper suggests that the concept of a “communication” should be expanded in a way “that reflects the range of information and data transmitted electronically” and is expressed in a way that is “as technology-neutral as possible so that it can apply to future information and communications technologies”.
Such an approach is not without its potential risks from a compliance perspective. While the current rules may be complex, their boundaries are reasonably well understood by industry. Industry needs this clarity so that, among other things, it can design its systems and processes with compliance in mind. For example, recording customer communications is permissible if it is done with the customer’s knowledge. If clear principles such as these are to be changed, the implications need to be well thought through and understood by government and industry alike.
The discussion paper recognises that revising the concept of covered “communications” in this way necessarily involves pushing government powers into new industry sectors. The paper specifically calls out data centre operators, equipment manufacturers and providers of internet-based messaging applications.
Conclusion
It can be seen from the brief comments above that the proposed reforms have the potential to expand the scope of industry obligations into new types of “communication” as well as pushing them into new industry sectors.
Industry sectors that may previously have had little or no exposure should prepare themselves for compliance potentially as early as 2023. This will be no trivial matter, as existing telco providers will be able to attest, given the significant cost burden of complying with past reforms in this area, such as the metadata retention regime introduced in 2015. There may be open questions as to whether the investigative value of extending existing surveillance frameworks to certain types of communications will outweigh the compliance costs and potential privacy concerns.