Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 [2018] AUSStaCSBSD 229 (17 October 2018)

	Home \| Databases \| WorldLII \| Search \| Feedback Australian Senate Standing Committee for the Scrutiny of Bills - Scrutiny Digests

Purpose	This bill seeks to amend various Acts in relation to telecommunications, computer access warrants and search warrants to: • introduce new provisions that will allow law enforcement and security agencies to secure assistance from key providers in the communications supply chain both within and outside Australia; and • increase agencies' ability to use a range of measures, including: - a new authority for Commonwealth, State and Territory law enforcement agencies to obtain computer access warrants; - expanding the ability of law enforcement agencies to collect evidence from electronic devices; - a new authority for the Australian Border Force to request a search warrant in respect of a person for the purposes of seizing a computer or data storage device; and - providing immunities from civil liability for cooperating with ASIO
Portfolio	Home Affairs
Introduced	House of Representatives on 20 September 2018

Broad discretionary powers
Significant matters in delegated legislation
Privacy (Schedule 1)^[23]

1.36 Schedule 1 of the bill seeks to amend the Telecommunications Act 1997 (Telecommunications Act) to establish a legislative framework under which a 'designated communications provider' (provider) may be requested or required to undertake a range of actions in order to assist law enforcement, intelligence and security agencies. The explanatory memorandum explains that this framework is intended 'to better deal with the challenges posed by ubiquitous encryption'.^[24] Proposed section 317C sets out a broad range of circumstances in which a person is considered to be a provider for the purposes of the proposed framework, and also sets out the 'eligible activities' of the person in each case.^[25] The explanatory memorandum states that the definition of 'designated communications provider' is intended to include the 'full range of participants in the global communications supply chain', has been written in 'technologically neutral language to allow for new types of entities and technologies to fall within its scope as the communications industry evolves', and includes both individuals and bodies corporate.^[26]

1.37 The proposed framework includes three means by which providers may be requested or required to do certain acts or things: a technical assistance request, a technical assistance notice, or a technical capability notice. Such requests and notices may only be issued to a provider, and may only relate to the eligible activities of the provider.^[27] The acts or things the provider is requested or required to do must be directed either towards giving help to the relevant agency, or towards ensuring a provider is capable of giving help to the relevant agency, in the performance of a function or exercise of a power, insofar as the power or function relates to a relevant objective.

1.38 A technical assistance request may be issued by the respective Director-General of the Australian Security Intelligence Organisation (ASIO), the Australian Secret Intelligence Service (ASIS), or the Australian Signals Directorate (ASD), or the chief officer of an interception agency.^[28] Compliance by a provider with a technical assistance request is voluntary.^[29]

1.39 A technical assistance notice may be issued by the Director-General of ASIO or the chief officer of an interception agency, while a technical capability notice may be issued by the Attorney-General at the request of the Director-General of ASIO or the chief officer of an interception agency.^[30] Compliance with both types of notice is compulsory, and a failure to comply, to the extent that a provider is capable of complying, would be subject to a significant civil penalty of up to 47,619 penalty units (approximately $10 million) for a body corporate and 238 penalty units (approximately $50,000) for an individual.^[31]

1.40 The explanatory memorandum states that the increasing use of encryption 'has significantly degraded law enforcement and intelligence agencies' ability to access communications and collect intelligence, conduct investigations into organised crime, terrorism, smuggling, sexual exploitation of children and other crimes, and detect intrusions into Australian computer networks.'^[32] As such, the explanatory memorandum states that Schedule 1 of the bill introduces 'a new, graduated approach to industry assistance', as the communications industry is in a unique position to assist in dealing with the challenges posed by encryption.^[33] However, the committee considers that a number of aspects of the proposed framework raise scrutiny concerns with respect to whether the proposed powers to issue requests and notices are appropriately limited.

Acts or things that may be specified in a request or notice

1.41 Proposed subsection 317E(1) contains a definition of 'listed acts or things' which a provider may be requested or required to do under the proposed framework. This includes:

1.42 The bill provides that the acts or things specified in a technical assistance request or a technical assistance notice may include, but are not limited to, these listed acts or things.^[35] It also provides that the specified acts or things must be in connection with the eligible activities of the provider and be by way giving help to, or be directed at a provider being capable of giving help to, the relevant agency in relation to the performance of a function or the exercise of a power insofar as it relates to a relevant objective.^[36]

1.43 The explanatory memorandum does not provide a justification as to why it is necessary to allow a technical assistance request or a technical assistance notice to specify acts or things beyond those acts or things listed in proposed section 317E. The explanatory memorandum does state that, although acts or things beyond those specified under proposed section 317E may be specified in the request or notice, these additional acts or things must be 'of the same kind, class or nature as those listed.'^[37] However, the bill does not appear to limit the additional acts or things that may be specified under a request or notice in the manner set out in the explanatory memorandum.

1.44 With respect to technical capability notices, proposed section 317T provides that a provider can be given a written notice that requires the provider to do one or more specified acts or things that must be for one of the following two purposes:

1.45 In relation to proposed subsection 317T(5), the committee's view is that significant matters, such as the acts or things a provider may be required to do under a technical capability notice (particularly where compliance with such a notice is subject to a civil penalty of up to $10 million), should be included in primary legislation unless a sound justification for the use of delegated legislation is provided.

1.46 In this instance, the explanatory memorandum notes that proposed subsection 317T(5) would allow the minister to list further areas with respect to which capabilities under a notice may be built, in addition to those listed acts or things in proposed section 317E. It further states that this is necessary due to the dynamic nature of the communications industry and the need to ensure that law enforcement and security agencies retain the ability to address crime and national security threats notwithstanding advances in technology.^[42]

1.47 The bill requires the minister to have regard to a number of matters when making a determination under proposed subsection 317T(5): the interests of law enforcement, the interests of national security, the objects of the Act, the likely impact of the determination on providers, and any other matters the minister considers relevant.^[43] The explanatory memorandum states that it is expected that the minister will consult with industry before tabling an instrument.^[44] However, the bill does not contain any specific consultation obligations in relation to such a legislative instrument.

1.48 Where the Parliament delegates its legislative power in relation to significant matters, such as the acts or things a provider may be required to do under a technical capability notice, the committee considers that it is appropriate that specific consultation obligations (beyond those in section 17 of the Legislation Act 2003) are included in the bill and that compliance with these obligations is a condition of the validity of the legislative instrument. In this regard, the committee notes that section 17 of the Legislation Act 2003 sets out the consultation to be undertaken before making a legislative instrument. However, section 17 does not strictly require that consultation be undertaken before an instrument is made. Rather, it requires that a rule-maker is satisfied that any consultation, that he or she thinks is appropriate, is undertaken. In the event that a rule maker does not think consultation is appropriate, there is no requirement that consultation be undertaken. In addition, the Legislation Act 2003 provides that consultation may not be undertaken if a rule-maker considers it to be unnecessary or inappropriate; and the fact that consultation does not occur cannot affect the validity or enforceability of an instrument.^[45]

1.49 The committee is concerned that the 'acts or things' that may be specified under technical assistance requests, technical assistance notices and technical capability notices, may not be effectively limited by the bill and that the proposed framework thereby gives decision makers a broad discretion in relation to the acts or things that may be specified. In addition, the committee is concerned that what constitutes giving 'listed help' under a technical capability notice can be expanded by way of delegated legislation. The committee notes that a legislative instrument, made by the executive, is not subject to the full range of parliamentary scrutiny inherent in bringing proposed changes in the form of an amending bill.

Relevant objectives in relation to which a provider may be requested or required to do an act or thing

1.50 As noted above, the bill requires that the acts or things specified in a request or notice must be by way of giving help to, or ensuring a provider is capable of giving help to, the relevant agency in the performance of a function or exercise of a power in relation to a relevant objective. In the case of a technical assistance notice or a technical capability notice, these objectives are:

1.51 The relevant objectives for a technical assistance request similarly include enforcing the criminal law and laws imposing pecuniary penalties, or assisting the enforcement of the criminal laws in force in a foreign country, but also include: the interests of Australia's national security, the interests of Australia's foreign relations or the interests of Australia's national economic well-being.^[47]

1.52 The explanatory memorandum states that 'criminal law' includes any Commonwealth, state or territory law that makes a particular behaviour an offence punishable by a fine or imprisonment, and that 'enforcing the criminal law' includes the process of investigating a crime and prosecuting suspects, as well as 'precursory and secondary intelligence gathering activities that support the investigation and prosecution of suspected offences.^[48] The explanatory memorandum also states that 'pecuniary penalties' includes penalties for breaches of Commonwealth, state or territory law that are not prosecuted criminally or that impose a penalty as an administrative alternative to prosecution, but is not intended to include small-scale administrative fines.^[49] The explanatory memorandum further states that including 'assisting in the enforcement of criminal laws in force in a foreign country' as an objective is intended to ensure Australia can meet its international obligations under the Council of Europe Convention on Cybercrime or the Mutual Assistance in Criminal Matters Act 1987.^[50]

1.53 The explanatory memorandum states that the additional objectives specified in relation to technical assistance requests (that is, the interests of Australia's national security, the interests of Australia's foreign relations or the interests of Australia's national economic well-being) reflect the functions of Australia's intelligence and security agencies, and that it is intended to support voluntary technical assistance requests made by intelligence and security agencies (but not voluntary technical assistance requests made by other interception agencies).^[51]

1.54 The committee notes that the objectives relating to the enforcement of the criminal law and laws imposing pecuniary penalties, and assisting the enforcement of foreign criminal laws, may allow a large number of agencies to use the proposed framework to request or require providers to do certain acts or things when investigating or prosecuting even very minor offences or breaches of the law subject to a pecuniary penalty. It therefore appears that the proposed framework is not limited to investigating only serious offences relating to organised crime, terrorism, smuggling, and sexual exploitation of children, as identified in the explanatory memorandum.^[52] The committee further notes that this already broad range of objectives is further expanded in the case of voluntary technical assistance requests to matters that are not related to enforcing the law or national security but to the interests of Australia's foreign relations or national economic well-being. The explanatory memorandum provides no guidance as to the range of activities these latter objectives might encompass.^[53]

Decision-making criteria

1.55 The bill provides that the decision maker authorised to give a technical assistance notice or a technical capability notice must not give such a notice unless he or she is satisfied that the requirements that would be imposed by the notice are reasonable and proportionate, and that compliance with the notice is practicable and technically feasible.^[54] In considering whether the requirements imposed by a notice are reasonable and proportionate, the bill also requires the decision maker to have regard to:

1.56 The explanatory memorandum states that these decision-making criteria are 'designed to ensure that providers cannot be required to comply with excessively burdensome or impossible assistance measures'.^[56] However, the committee notes that, while the decision maker would be required to consider these matters in determining whether the requirements imposed by a notice are reasonable and proportionate, 'satisfaction' for the purposes of the test is a 'subjective state of mind of the administrative decision maker',^[57] and not an objective test.

1.57 The explanatory memorandum states that, in deciding whether compliance with the requirements imposed by a notice are practicable and technically feasible, the decision maker must consider the systems utilised by the relevant provider and the provider's expertise, and would need to consider material information given to the agency by the provider.^[58] The explanatory memorandum also states that it is expected that 'the agency would be engaged in a dialogue with the provider prior to issuing a notice' and the decision maker may also 'make inquiries with other persons who have relevant experience and technical knowledge.'^[59]

1.58 However, the committee notes that while proposed section 317W requires the Attorney-General to conduct a consultation process prior to issuing a technical capability notice, the bill does not require a similar process be conducted in relation to technical assistance notices. The explanatory memorandum states that, because a technical capability notice would require a provider to 'build something that goes beyond current business requirements', the decision-making thresholds, particularly those of proportionality and reasonableness, will be raised.^[60] However, no information is given as to why similar consultation obligations have not been included in relation to technical assistance notices. While noting that technical assistance notices are intended to be limited to requiring forms of assistance that a provider is already capable of providing, it is not clear to the committee why it would not be appropriate to include in the bill a consultation requirement similar to that set out for technical capability notices, given the difficulty for decision makers in assessing the full consequences of requiring a provider to do certain acts or things in such a highly complex and technical environment.

Privacy

1.59 Proposed subsection 317ZH(1) provides that a technical assistance notice or technical capability notice has no effect to the extent to which it would require a provider to do an act or thing for which a warrant or authorisation under specified laws is required. These laws include the Telecommunications (Interception and Access) Act 1979 (TIA Act), the Surveillance Devices Act 2004 (SD Act), the Crimes Act 1914 (Crimes Act), the Australian Security Intelligence Organisation Act 1979 (ASIO Act), the Intelligence Services Act 2001 (IS Act), or any other law of the Commonwealth, State or Territory. Proposed subsection 317ZH(3) also provides that a technical assistance notice or technical capability notice has no effect to the extent that it would require a designated communications provider to either use a surveillance device or access data held in a computer within the meaning of the SD Act, if a law of a State or Territory requires a warrant or authorisation for that use or access. The explanatory memorandum states that these provisions are intended to ensure that neither type of notice can be used as an alternative to gaining a warrant or authorisation under Commonwealth, State or Territory law.^[61]

1.60 While the proposed framework does not itself appear to provide a means of accessing the content of private information and communications, it is nevertheless intended to facilitate and enhance the ability of agencies to utilise information gained under warrant or authorisation regimes that raise significant scrutiny concerns in their own right. The committee has previously discussed the potential for inappropriately framed warrant regimes to trespass on personal rights and liberties, including in relation to the warrant and authorisation regimes set out in the Acts listed in paragraph 1.5 [62] above.⁶² Relevantly, the committee has expressed concern about warrant regimes that: do not adequately guard against the seizure of material unrelated to an investigation; do not adequately protect third parties; authorise covert access to material and thereby deny individuals the opportunity to protect privileged information or to challenge the grounds on which access has been granted; and are not subject to adequate judicia[63]oversight.⁶³ A range of similar issues are raised below with regard to provisions in the bill that propose to modify or establish computer access warrants (see discussion at paragraphs 1.88 to 1.121). The committee’s scrutiny concerns in relation to the breadth of the proposed framework outlined above are heightened, given its intended use in conjunction with such warrant regimes.

Exclusion of judicial review (Schedule 1)^[68]

1.63 Where a provision excludes the operation of the ADJR Act, the committee expects that the explanatory memorandum should provide a justification for the exclusion. In this instance, the explanatory memorandum states that decisions made under proposed Part 15 of the Telecommunications Act will 'deal with highly sensitive information relevant to agency capabilities or ongoing investigations and will involve matters of high policy importance, like national security, where judgments are best made by the executive arm of government'.^[69] The explanatory memorandum also explains that judicial review will be available in the High Court under the Commonwealth Constitution, and in the Federal Court by operation of section 39B(1) of the Judiciary Act 1903 (Judiciary Act).^[70]

1.64 However, the committee notes that the ADJR Act is beneficial legislation that overcomes a number of technical and remedial complications that arise in an application for judicial review under alternative jurisdictional bases (principally, section 39B of the Judiciary Act). The ADJR Act also provides for the right to reasons in some circumstances. From a scrutiny perspective, the committee considers that the proliferation of exclusions from the ADJR Act should be avoided. The committee also notes that the justification provided in the explanatory memorandum for excluding judicial review under the ADJR Act is more commonly a justification for excluding merits review,^[71] and does not appear to adequately explain the need to exclude judicial review under the ADJR Act. The committee notes that it is possible to exclude classes of decisions from the requirement that reasons be provided under section 13 of the ADJR Act if this is considered necessary to protect sensitive information from disclosure.

1.65 The committee also notes that, although compulsory notices under the framework may be issued in relation to national security objectives, they may also be issued in relation to objectives relating to the enforcement of the criminal law (including foreign offences) and laws imposing pecuniary penalties. Therefore it does not appear that decisions made under proposed Part 15 would always involve matters relevant to national security.

1.66 The committee requests the minister's detailed explanation of why it is considered appropriate to exclude judicial review under the Administrative Decisions (Judicial Review) Act 1977 in relation to decisions made under proposed Part 15 (industry assistance) (noting that it is already possible to prevent the disclosure of sensitive information by excluding classes of decisions from the requirement to provide reasons under the ADJR Act).

Immunity from liability (Schedule 1)^[72]

1.67 Proposed paragraphs 317G(1)(c) and (d), and proposed section 317ZJ, state that a provider (or an officer, employee or agent of the provider) that does an act or thing in accordance/compliance with, or in good faith purportedly in accordance/ compliance with, a technical assistance request, technical assistance notice or technical capability notice is not subject to any civil liability for, or in relation to, the act or thing.^[73]

1.68 These provisions seek to remove any common law right to bring an action to enforce legal rights if a provider has acted in compliance or purported compliance with a request or notice, unless it can be demonstrated that lack of good faith is shown. The committee notes that in the context of judicial review, bad faith is said to imply a lack of an honest or genuine attempt to undertake the task and that it will involve a personal attack on the honesty of the decision-maker. As such the courts have taken the position that bad faith can only be shown in very limited circumstances.

1.69 The committee expects that if a bill seeks to provide immunity from civil liability, particularly where such immunity could affect individual rights, this should be soundly justified. In this instance, the explanatory memorandum provides no explanation of the need to provide immunity from civil liability in relation to technical assistance notices and technical capability notices. In relation to technical assistance requests, the explanatory memorandum merely states, by way of an example, that the immunity would protect a provider that is asked to give details of the development of a new service or technology from liability for any breach of intellectual property rights.^[74]

1.70 The committee's scrutiny concerns in relation to these provisions are heightened because, as discussed above at paragraphs 1.41 to 1.49, the acts or things that a provider may be requested or required to do under the framework is not exhaustively set out in the bill. The full range of acts or things in relation to which a provider may be granted immunity from civil liability therefore remains unclear.

1.71 The committee requests the minister's advice as to why it is considered necessary and appropriate to provide immunity from civil liability to designated communications providers with respect to any act or thing done in accordance or compliance with a technical assistance request, technical assistance notice or a technical capability notice (noting that the acts or things that may be specified under a request or notice are not exhaustively set out in the bill).

Reversal of evidential burden of proof (Schedule 1)^[75]

1.72 Proposed subsection 317ZF(1) seeks to make it an offence for specified persons to reveal technical assistance notice information, technical capability notice information or technical assistance request information, or information obtained in accordance with a request or notice, where the person obtained the information in connection with their function under proposed Part 15 of the Telecommunications Act. Proposed subsections 317ZF(3), (5) to (11) and (13) provide exceptions (offence-specific defences) to this offence, stating that the offence does not apply if the disclosure was made in specified circumstances. The offence carries a maximum penalty of imprisonment for five years.

1.73 Subsection 13.3(3) of the Criminal Code Act 1995 provides that a defendant who wishes to rely on any exception, exemption, excuse, qualification or justification bears an evidential burden in relation to that matter.

1.74 At common law, it is ordinarily the duty of the prosecution to prove all elements of an offence. This is an important aspect of the right to be presumed innocent until proven guilty. Provisions that reverse the burden of proof and require a defendant to disprove, or raise evidence to disprove, one or more elements of an offence, interferes with this common law right.

1.75 While in this instance the defendant bears an evidential burden (requiring the defendant to raise evidence about the matter), rather than a legal burden (requiring the defendant to positively prove the matter), the committee expects any such reversal of the evidential burden of proof to be justified. The reversals of the evidential burden of proof in proposed subsections 317ZF(3), (5) to (11) and (13) have not been addressed in the explanatory materials.

1.76 As the explanatory materials do not address this issue, the committee requests the minister's advice as to why it is proposed to use offence-specific defences (which reverse the evidential burden of proof) in this instance. The committee's consideration of the appropriateness of a provision which reverses the burden of proof is assisted if it explicitly addresses relevant principles as set out in the Guide to Framing Commonwealth Offences.^[76]

Broad discretionary powers (Schedule 1)^[77]

1.77 Proposed section 317ZK sets out the bases on which a provider would be required to comply with a technical assistance notice or a technical capability notice. Proposed subsection 317ZK(3) provides that a provider must comply with a requirement on the basis that the provider neither profits from, nor bears the reasonable costs of, complying with a requirement unless the provider and a costs negotiator otherwise agree.

1.78 Proposed paragraphs 317ZK(1)(c) to (e) provide that proposed section 317ZK does not apply where the relevant decision maker^[78] is satisfied that it would be contrary to the public interest for this section to apply to a requirement under the notice. Proposed subsection 317ZK(2) provides that, in deciding whether it would be contrary to the public interest for the section to apply to a requirement, the relevant decision maker must have regard to:

1.79 The explanatory memorandum states that in some circumstances 'it will not be appropriate to compensate a provider subject to a notice; for example, where it has been issued to remediate a risk to law enforcement or security interests that has been recklessly or wilfully caused by a provider'.^[79] The committee notes that proposed subsection 317ZK(15) also provides that proposed section 317ZK has no effect to the extent to which its operation would result in an acquisition of property otherwise than on just terms.^[80]

1.80 While noting that the bill specifies a number of matters to which the relevant decision maker must have regard when making this decision, the committee considers that the bill would nevertheless grant decision makers a broad discretion not to apply the general rule that the provider need only comply with a notice on a no profit, no loss basis. The committee also notes the example provided in the explanatory memorandum of when it may not be appropriate to compensate a provider subject to a notice, but considers that it may be more appropriate to specify such circumstances in the bill rather than leaving it to the discretion of the relevant decision makers.

1.81 The committee's scrutiny concerns in relation to this broad discretionary power are heightened by a number of factors. First, it does not appear that decisions under proposed Part 15 would be subject to any form of merits review or to judicial review under the ADJR Act (see discussion above at paragraphs 1.62 to 1.66). Providers would therefore have limited means of seeking review of a decision that it would not be in the public interest to compensate them for complying with a requirement under a notice. Second, it is not clear to the committee that a provider can reasonably be expected to know whether particular actions would cause a risk to law enforcement or security interests, given that law enforcement and security agencies often operate covertly. While the example cited in the explanatory memorandum states that it would be appropriate to not compensate a provider where they acted 'recklessly or wilfully' to cause a risk law enforcement or security interests, the bill does not limit the discretion granted to decision makers in this way.

Broad delegation of administrative power (Schedule 2)^[81]

1.83 Currently, section 24 of the ASIO Act provides that the Director-General of ASIO, or a senior position holder, may approve 'a person' or a class of persons as people authorised to exercise powers under certain warrants or powers to conceal access. As such, this allows for a broad delegation of administrative power to a relatively large class of persons, with no specificity as to their qualifications or attributes (and no requirement that the person be employed by ASIO). Items 2 and 3 of Schedule 2 seek to add new powers enabling ASIO to conceal activities undertaken under certain warrants to the list of powers that may be delegated in this way.

1.84 The committee has consistently drawn attention to legislation that allows the delegation of administrative powers to a relatively large class of persons, with little or no specificity as to their qualifications or attributes. Generally, the committee prefers to see a limit set either on the scope of powers that might be delegated, or on the categories of people to whom those powers might be delegated. The committee's preference is that delegates be confined to the holders of nominated offices or to members of the Senior Executive Service. Where broad delegations are provided for, the committee considers that an explanation of why these are considered necessary should be included in the explanatory memorandum.

1.85 In this instance, the explanatory memorandum states that these items provide:

1.86 However, given there is no limit on who may be appointed to exercise these coercive powers, it does not appear to the committee that this provides any sort of legislative safeguard. The explanatory memorandum provides no information as to why it is considered necessary to be able to delegate these powers to 'any person' or any class of persons.

1.87 The committee requests the minister's advice as to why it is considered necessary to allow for the delegation of ASIO's authority in relation to the concealment of activities undertaken under certain warrants to 'any person' or class of persons, and the appropriateness of amending the bill to provide some legislative guidance as to the categories of people to whom those powers might be delegated.

Coercive powers
Privacy (Schedules 2 to 5)^[83]

1.88 ASIO currently has the power to obtain covert computer access warrants, which enable it to use technology to collect information directly from 'computers', either remotely or physically. The definition of 'computer' is intended to include mobile phones, laptops, tablets and smart watches, and any system that uses computers or computing technology as their functional basis.^[84] A computer access warrant can be issued by the Attorney-General under section 25A of the ASIO Act; however, if ASIO seeks to intercept material for the purposes of executing the computer access warrant, it must currently obtain a telecommunications interception warrant under the TIA Act.

1.89 Schedule 2 seeks to amend the ASIO Act and the TIA Act to allow ASIO to intercept communications for the purpose of executing a computer access warrant, removing the need to obtain a second warrant for that purpose. It also seeks to amend the ASIO Act to allow ASIO to temporarily remove a computer from premises and to take steps to conceal access to a computer after the warrant has expired.

1.90 Schedule 2 also seeks to amend the SD Act to provide computer access warrants for Commonwealth, State and Territory law enforcement agencies to covertly access computers to: investigate a relevant federal offence^[85] or foreign offence under a mutual assistance authorisation;^[86] assist in the location and safe recovery of a child;^[87] assist in the investigation of an offence suspected of being committed by a staff member of an agency that is the target of an integrity operation;^[88] or where a control order is in force against a person. Proposed section 27E provides that, in addition to authorising the doing of specified things in relation to a target computer, a computer access warrant may also authorise entering specified premises (or other premises to gain access to the specified premises), removing a computer, adding, copying or deleting certain data and intercepting certain communications. The warrant must also authorise the use of force against persons and things necessary and reasonable to do the things specified in the warrant, and authorises anything reasonably necessary to be done to conceal the fact that any thing has been done in relation to a computer.

1.91 In addition, Schedules 3 and 4 seek to empower law enforcement agencies and the Australian Border Force (ABF) to access private communications and other information on a device using a range of methods. Currently, when executing a warrant under the Crimes Act and the Customs Act 1901 (Customs Act), an executing officer must be physically located at the search premises to access data held on computers at the premises. The amendments in Schedules 3 and 4 would enable law enforcement agencies and the ABF to remotely access 'account-based data', and to compel any person to assist them to access certain devices (Schedule 5 would also enable ASIO to compel a person to assist in accessing data on devices subject to an ASIO warrant). Schedule 4 would also enable a judicial officer to issue a warrant authorising an ordinary search or frisk search of a person for a computer or data storage device (for example, a smart phone) held in their possession.^[89]

1.92 The committee considers that the authorisation of coercive search powers has the potential to unduly trespass on personal rights and liberties. Indeed, the need to properly scrutinise entry, search and seizure powers was the basis on which the Senate in 1978 moved towards establishing this committee.^[90] As such, the committee considers it essential that legislation enabling coercive search powers be tightly controlled, with sufficient safeguards to protect individual rights and liberties.

Authorisation of coercive powers

1.93 As noted above, Schedule 2 proposes to allow Commonwealth, State and Territory law enforcement agencies to apply for covert computer access warrants under the SD Act. Proposed subsection 27A(7)^[91] provides that an application for such a warrant may be made to an eligible judge or to a nominated member of the Administrative Appeals Tribunal (AAT). Section 13 of the SD Act provides that a nominated AAT member can include any member of the AAT, including full time and part-time senior members and general members. Part-time senior members and general members can only be nominated if they have been enrolled as a legal practitioner for at least five years. The committee has had a long-standing preference that the power to issue search warrants should only be conferred on judicial officers. In light of the extensive personal information that could be covertly accessed from an individual's computer or device, the committee would expect a detailed justification be given as to the appropriateness of conferring such powers on AAT members, particularly part-time senior members and general members. In this instance, the explanatory memorandum provides no such justification.

Interception of communications

1.94 Schedule 2 seeks to make amendments to the ASIO Act^[92] and the SD Act^[93] to permit ASIO or law enforcement agencies to intercept communications if it is for the purposes of doing anything specified in a computer access warrant. In addition, items 120 to 131 of Schedule 2 seek to make amendments to the TIA Act to enable information intercepted by ASIO or law enforcement agencies under a computer access warrant to be used in limited circumstances.

1.95 The committee notes that there are restrictions proposed on the use of material intercepted during the execution of a computer access warrant. The proposed amendments to the TIA Act provide that such information can only be communicated, used, recorded or given as evidence if:

1.96 However, despite the limitation on the use that may be made of any intercepted communications, the committee considers that the interception of communications over a telecommunications system has the potential to unduly trespass on personal rights and liberties, particularly the right to privacy, and as such, the committee would expect the explanatory materials to soundly justify this power.

1.97 In relation to the new computer access warrants under the SD Act, the explanatory materials do not specifically justify the need to intercept communications. Rather, the explanatory memorandum notes that the use, recording and communication of such information is restricted as where agencies want to gain intercept material for its own purpose they must obtain an interception warrant under the TIA Act.^[95] In relation to the exceptions to the general prohibition on dealing in computer access information, the explanatory memorandum also notes that these exceptions would allow intercepted information to be used or communicated for a purpose reasonably incidental to the purposes of carrying out a computer access warrant and if the information relates to the involvement of a person in activities that generally exist in life threatening or emergency situations.^[96]

1.98 In relation to ASIO's powers, the statement of compatibility explains that it is currently 'almost always necessary for ASIO to undertake limited interception for the purposes of executing a computer access warrant', and as such, ASIO currently has to obtain a second warrant if it intercepts material when executing that warrant:

1.99 However, the committee notes that the threshold for ASIO to obtain a computer access warrant is significantly lower than the threshold required to obtain an interception warrant under the TIA Act. Under section 25A of the ASIO Act, the Attorney-General may issue a computer access warrant:

1.100 In contrast, when seeking an interception warrant under section 9 of the TIA Act, the Attorney-General must be satisfied that:

1.101 As such, removing the need for ASIO to gain a separate interception warrant lowers the threshold for obtaining access (albeit limited) to intercepted information. While the committee notes that the statement of compatibility states that the current arrangements cause operational inefficiency, it has not generally considered a desire for administrative convenience to be a sufficient basis for trespassing on personal rights and liberties. The committee notes that it would be possible for the legislation to provide for a single warrant process but at a higher threshold for the grant of the warrant. The committee also reiterates its preference for the power to issue search warrants to be conferred on judicial officers, whereas in the case of computer access warrants issued under the ASIO Act, the power is conferred on a member of the executive.

Use of coercive powers without a warrant

1.102 Schedule 2 to the bill sets out a range of circumstances in which coercive action can be taken without a warrant, namely in emergency circumstances and in order to conceal access to a computer.

1.103 Item 50 seeks to amend section 28 of the SD Act to allow law enforcement officers to apply to an appropriate authorising officer for an emergency authorisation for access to data held in a target computer if the officer reasonably suspects that there is an imminent risk of serious violence to a person or substantial damage to property, access to the data is immediately necessary to deal with the risk, the circumstances are serious and urgent, and it is not practicable to apply for a computer access warrant. 'Appropriate authorising officer' is defined in section 6A of the SD Act, and includes the head or deputy head of the agency, but also certain executive level officers. Item 52 would also allow for emergency authorisations in relation to a child recovery order, while item 54 would enable emergency authorisations to be made where it is considered immediately necessary to prevent the loss of evidence related to certain investigations.

1.104 Within 48 hours after an emergency authorisation is given, the appropriate authorising officer must apply to a judge or nominated AAT member for approval of the giving of the emergency authorisation.^[98] However, if the judge or AAT member refuses to approve the emergency authorisation, in making an order as to how information obtained under an invalid authorisation is to be dealt with, proposed subsection 35A(6) provides that the manner of dealing with the information must not involve the destruction of that information.

1.105 As a computer access warrant can involve significant coercive powers (for example, the ability to covertly access data held on particular computers, enter premises and use force), the committee is particularly concerned that such powers only be authorised under a warrant issued by a judicial officer. Allowing a law enforcement agency to authorise its own actions under an emergency authorisation has the potential to unduly trespass on the right to privacy, and as such the committee would expect the explanatory materials to provide a detailed justification for such provisions. In this instance, the statement of compatibility provides no such justification, and the explanatory memorandum merely restates the provision. Further, no information is provided as to when it may be impractical to apply to a judge or nominated AAT member (noting that proposed section 27B^[99] would allow an application for a warrant to be made by telephone, fax, email or any other means of communication). In relation to the use of information obtained under an emergency authorisation, the explanatory memorandum states that the judge or member 'may not order that such information be destroyed because such information, while improperly obtained, may still be required for a permitted purpose, such as an investigation'.^[100] It is not clear to the committee what the justification is for retaining information coercively and covertly obtained by a law enforcement officer in circumstances that have not been approved by a judge or AAT member.

1.106 The committee notes that Schedule 2 of the bill also proposes to give ASIO^[101] and law enforcement agencies^[102] the power to act to conceal their activities after a warrant has ceased to be in force. These provisions authorise the agencies to do anything reasonably necessary to conceal the fact that anything has been done under a warrant, enter premises, remove anything to conceal things, add, copy, delete or alter data and intercept communications, at any time while the warrant is in force or within 28 days after it ceases to be in force. In addition, the bill provides that if concealment activities have not been done within 28 days after the warrant ceases to be in force, those things can be done at the earliest time after that 28 day period in which it is reasonably practicable.^[103] In effect, this allows coercive action to be taken which has not been authorised under an existing warrant. The statement of compatibility explains why the concealment powers are necessary in relation to ASIO:

1.107 The explanatory memorandum similarly states in relation to law enforcement agencies:

1.108 However, while the committee acknowledges there may be difficulties in knowing when the process of concealment may be complete, there are scrutiny concerns in allowing agencies to exercise coercive powers after a warrant has ceased to be in force. The committee notes that it would be possible to have a separate statutory process for applying for a new warrant to allow the agency to carry out concealment activities, which would remove concerns about not being able to meet the statutory threshold for obtaining a new computer access warrant, but would ensure coercive powers are undertaken under an existing warrant.

Innocent third parties

1.109 The committee also has concerns that the coercive powers in the bill may adversely affect third parties who are not suspected of wrongdoing.

Entry onto third party premises

1.110 In particular, proposed paragraph 27E(2)(b) of the SD Act provides that a computer access warrant may authorise entering 'any premises' for the purposes of gaining entry to, or exiting, the specified premises. The explanatory memorandum explains that this may allow for entry into third party premises where there is no other way to gain access to the subject premises or where, for operational reasons, adjacent premises may be the best means of entry, or in emergency or unforeseen circumstances.^[106] The committee notes there is nothing in the legislation that would require persons entering third party premises under these provisions to first seek the consent of the occupiers, or even announce their entry.

Access to third party computers and communications in transit

1.111 In addition, proposed paragraph 27E(2)(e) of the SD Act provides that a computer access warrant may authorise using any other computer or a communication in transit to access relevant data and, if necessary to achieve that purpose, to add, copy, delete or alter data in the other computer or communication in transit. These things can be done if, having regard to other methods to effectively obtain access, it is considered reasonable to do so. The explanatory memorandum states that this 'ensures that law enforcement agencies can effectively use a third party computer or a communication in transit'. It goes on to state:

1.112 However, the committee notes that proposed paragraph 27E(2)(e) does not specifically require the judge or nominated AAT member to consider the privacy implications for third parties of accessing third party computers or communications in transit.^[108] In particular, the committee notes that the provision would enable the addition, copying, deletion or alteration of a third party's data if necessary to access the target data. Proposed section 27E(5) provides that this does not authorise the addition, deletion or alteration of data or doing of any thing that would materially interfere with, interrupt or obstruct the lawful use of other persons of a computer, unless it is necessary to do anything specified in the warrant (i.e. if necessary for concealment),^[109] or which would otherwise cause material loss or damage to other persons lawfully using a computer. However, the committee notes that this restriction would not prevent 'copying' of a third party's data, and would allow for the destruction of their data if necessary to carry out the warrant.

1.113 The committee also notes that there are similar provisions in Schedules 3^[110] and 4^[111] relating to law enforcement agencies and the ABF remotely accessing computers under the Crimes Act and Customs Act. In addition, a number of other provisions in Schedule 3^[112] authorise relevant law enforcement officers to use a computer found in the course of a search or use a telecommunications facility or other electronic equipment for the purpose of obtaining 'account-based data' in relation to 'a person who uses or has used' the computer found in the course of the search. The explanatory materials do not explain why it is necessary to be able to obtain the account-based data of any person who has ever used the target computer. In addition, 'account-based data' is broadly defined, and would appear to include the data of third parties who have links with an individual who is the subject of a search warrant. The explanatory memorandum states:

1.114 The explanatory materials do not provide any justification for the expansion of these coercive search powers to include potentially substantial amounts of personal data of persons who are not the subject of the warrant.

Compelling third parties to provide information

1.115 Schedules 2 to 5^[114] also introduce or amend existing provisions that make it an offence for a person not to comply with an assistance order. An assistance order can be made to a judge or AAT member (or in the case of ASIO, to the Attorney-General), and it can provide that any specified person is required to provide any information or assistance that is reasonable or necessary to allow the relevant officer to access, copy or convert data held in any target computer or relevant device. Such orders can be made if there are reasonable grounds for suspecting that access to data held in the computer is necessary for the relevant investigation.^[115] Such orders can be made in relation to the person who is suspected of the relevant activity, but can also be made against the following persons, so long as they have relevant knowledge of the target computer or device or related computer network or measures used to protect data in that computer of device:

1.116 A person who is capable of complying with the order but omits to do so would be subject to penalties of up to five to ten years imprisonment (see the committee's comments regarding the significance of these penalties at paragraphs 1.134 to 1.140 below). These provisions could result in a person not suspected of any wrongdoing being compelled to provide information which could lead to access to their own personal information held on a computer or device. The explanatory materials provide limited justification for impacting on the privacy of third parties in this way. In relation to amendments in Schedules 3 and 4, the statement of compatibility states that the ability to compel assistance is critical to Australia's national security 'and ensures that law enforcement have the tools necessary to be able [116]protect Australians',¹¹⁶ as it will provide access to information 'which may otherwise be inaccess[117]e or unintelligible'.¹¹⁷ The statement of compatibility further states that the requirement for a judicial officer to authorise the warrants provides[118] important safeguard.¹¹⁸ In relation to Schedule 5, the statement of compatibility notes that the types of assistance that ASIO may seek under these amendments include 'compelling a target or a target's associate to provide the password, pin code, sequence or fingerprint neces[119]y to unlock a phone'.¹¹⁹ The committee reiterates that it would expect the explanatory materials to provide greater justification when introducing coercive powers that could substantially impact on innocent third parties.

Control orders

1.117 The proposed new computer access warrants under the SD Act would enable a law enforcement officer to apply for a warrant if a control order is in force in relation to a person and the officer suspects on reasonable grounds that access to data held in a computer would substantially assist in, among other things, determining whether the control order has been, or is being, complied with.^[120] The committee has previously raised scrutiny concerns about control orders, noting that the control order regime constitutes what is generally acknowledged to be a substantial departure from the traditional approach to restraining and detaining persons on the basis of a criminal conviction. In contrast, control orders provide for restraint on personal liberty without there being any criminal conviction (or without even a charge being laid) on the basis of a court being satisfied on the balance of probabilities that the threshold requirements for the issue of the orders have been satisfied. Protections of individual liberty built into ordinary criminal processes are necessarily compromised by control orders (at least, as a matter of degree). As such, given the committee's scrutiny concerns with control orders more broadly, enabling a computer access warrant to be issued where it may assist in determining whether the control order itself has been complied with, raises scrutiny concerns.

1.118 The committee also notes that a computer access warrant can be granted in relation to control orders simply if it would substantially assist a law enforcement officer to 'determine' if the control order has been complied with. This is in contrast to the requirements for warrants issued to investigate a relevant offence, which require the officer to suspect that access to the data is 'necessary' to enable evidence to be obtained of the commission of a relevant offence or the identity or location of offenders (not simply to determine if the offence has been committed). The committee notes that it is an offence to contravene a control order, punishable by imprisonment of up to five years,^[121] and as such, an investigation in relation to whether a person has committed the offence of contravening a control order could be investigated under a computer access warrant for offence investigations more broadly. As such, it is unclear to the committee why it is necessary to separately, and on a lower threshold, enable a law enforcement officer to obtain a warrant to determine if a control order is being complied with.

1.119 In addition, the committee notes that item 119 of the bill would allow information obtained under a computer access warrant issued because an interim control order was in force to continue to be used even where the control order is subsequently declared void. Proposed section 65B of the SD Act^[122] provides that such information could continue to be used, communicated or published if the person reasonably believes doing so is necessary to prevent or reduce the risk of a terrorist act or serious harm to a person or serious damage to property, but also for a purpose related to a preventative detention order (PDO). The committee is particularly concerned that such information may be used for purposes relating to PDOs. PDOs are administrative orders made, in the first instance, by a senior Australian Federal Police member, which authorise an individual to be detained without charge, and without a necessary intention to charge the subject with any offence. The committee considers PDOs raise scrutiny concerns as they permit a person's detention by the executive without charge or arrest.

1.120 The committee notes that the use of information obtained in circumstances where a court has declared a control order to be void and of no effect, may have serious implication for personal rights and liberties. As such, the committee would expect a comprehensive justification for allowing the use of such material after the order has been declared void. In this instance, the explanatory memorandum merely restates part of the effect of the amendment (without noting the use for the purposes of a PDO),^[123] and does not justify why such information should continue to be able to be used after a control order has been declared void.

Presumption of innocence: certificate constitutes prima facie evidence (Schedules 2 and 5)^[136]

1.122 Subsection 34AA(1) of the ASIO Act currently provides that the Director-General or Deputy Director-General of ASIO may issue a written certificate, setting out such facts as he or she considers relevant with respect to acts or things done by, or on behalf of, ASIO, in connection with a relevant warrant or in accordance with a relevant authorising provision.^[137] Subsection 34AA(4) provides that, 'in a proceeding', a certificate issued under subsection (1) is prima facie evidence of the matters it certifies (meaning that a defendant or respondent in any proceeding would need to raise evidence to rebut the matters set out in the certificate). Items 17 and 18 of Schedule 2 to the bill seek to amend subsection 34AA(5) of the ASIO Act to add new subsections^[138] to the definition of 'relevant authorising provision', the effect of which would be to empower the Director-General or Deputy Director-General to issue evidentiary certificates in relation to acts or things done in order to conceal the fact that any thing has been done under a computer access warrant.

1.123 In addition, currently subsection 62(1) of the SDA provides that an appropriate authorising officer for a law enforcement officer may issue a written certificate setting out any facts he or she considers relevant with respect to things done by the law enforcement officer in connection with particular matters.^[139] Subsection 62(2) provides that a certificate issued under subsection 62(1) is admissible in evidence in any proceedings as prima facie evidence of the matters it certifies. Item 112 of Schedule 2 to the bill seeks to amend this provision to add a new paragraph 62(1)(c), the effect of which would be to enable an evidentiary certificate to be issued in connection with information obtained from access to data under a computer access warrant or an emergency access authorisation.

1.124 Finally, item 2 of Schedule 5 seeks to insert a new section 21A into the ASIO Act, which provides that in certain circumstances a person or body is not subject to any civil liability for, or in relation to, conduct that involves providing assistance to ASIO. Proposed subsection 21A(1)(b) relevantly provides that, in order for the immunity conferred by proposed subsection 21A(1) to apply, the Director-General must be satisfied that the relevant conduct is likely to assist ASIO in the performance of its functions. Proposed subsection 21A(8) provides that the Director-General may give a certificate in writing, certifying one or more facts relevant to the question of whether the Director-General was satisfied on reasonable grounds that particular conduct was likely to assist ASIO, and proposed subsection 21A(9) provides that, in any proceedings that involve determining whether the immunity applies, a certificate given under proposed subsection 21A(8) is prima facie evidence of the facts it certifies.

1.125 The committee notes that where an evidentiary certificate is issued, this allows evidence to be admitted into court which would need to be rebutted by the other party to the proceeding. While a person still retains a right to rebut or dispute those facts, that person assumes the burden of adducing evidence to do so. The issue of evidentiary certificates therefore effectively reverses the evidential burden of proof, and may, if used in criminal proceedings, interfere with the common-law right to be presumed innocent until proven guilty. In this instance, the committee is concerned that the provisions outlined above could place a significant and potentially insurmountable burden on persons seeking to challenge the validity of actions taken by law enforcement agencies under warrants, as well as things done to conceal those actions. For example, if a certificate was issued under section 31AA(1) of the ASIO Act in relation to things done to conceal covert access undertaken by ASIO, a person wishing to challenge the lawfulness of the matters in the certificate would be required to raise evidence to rebut these matters, however, as they relate to covert access and concealment of that access, raising such evidence may be extremely difficult.

1.126 The committee also notes that evidentiary certificates issued under subsection 34AA(1) of the ASIO Act and subsection 62(1) of the SD Act would be taken as prima facie evidence in any proceeding. However, the nature of the proceedings in which such certificates are intended to be used remains unclear to the committee, and the explanatory memorandum provides no information in this regard. The committee is concerned that the use of such certificates could trespass on individuals' rights, particularly if it related to circumstances where a certificate is taken as evidence of matters relevant to a person's culpability for an offence.

1.127 Noting the burden that the issue of an evidentiary certificate may place on a person wishing to challenge the validity of actions taken by law enforcement agencies and officials, and the potential to trespass on individuals' rights, the committee would expect a detailed justification for the powers to issue evidentiary certificates identified above (including the expansion of those powers) to be included in the explanatory materials.

1.128 In relation to items 17 and 18 of Schedule 2, and proposed subsection 21A(8) of Schedule 5, the explanatory memorandum provides no such justification. It merely restates the operation and effect of the relevant provisions.^[140] In relation to item 112 of Schedule 2, the explanatory memorandum states:

1.129 However, the committee does not generally consider streamlining court processes to be sufficient justification for conferring powers to issue evidentiary certificates in relation to things done in connection with information obtained under a warrant. Moreover, the explanatory memorandum does not explain how evidentiary certificates protect 'sensitive capabilities' or what these are.

1.130 Additionally, the committee notes that the Guide to Framing Commonwealth Offences states, in relation to criminal proceedings, that evidentiary certificates:

1.131 The Guide further provides that evidentiary certificates 'may be appropriate in limited circumstances where they cover technical matters sufficiently removed from the main facts at issue'.^[143]

1.132 In this instance, it is not clear that the matters in evidentiary certificates issued under the provisions identified above would be sufficiently removed from the main facts at issue in relevant proceedings.

1.133 As the explanatory materials do not address, or do not adequately address, these issues, the committee requests the minister's detailed advice as to:

Significant penalties (Schedules 2 to 5)^[144]

1.134 As outlined above at paragraphs 1.115 to 1.116, Schedules 2-5 introduce or amend existing provisions that make it an offence for a person not to comply with an assistance order. An assistance order can provide that any specified person is required to provide any information or assistance that is reasonable or necessary to allow the relevant officer to access, copy or convert data held in any target computer or relevant device. In relation to the new offence of a failure to comply with an assistance order made under the SD Act, the penalty is proposed to be set at 10 years imprisonment or 600[145]nalty units, or both.¹⁴⁵ Under section 3LA of the Crimes Act a failure to comply with an assistance order is currently subject to a maximum penalty of 2 years imprisonment while under section 201A of the Customs Act a person would be subject to a maximum of 6 months imprisonment. The amendments in Schedules 3 and 4 seek to amend these maximum penalties to five years or 300 penalty units, or where the offence being investigated is a serious offence or serious terrorism offence, to 10 years imprisonment or 60[146]enalty units or both.¹⁴⁶ Finally, the new offence in Schedule 5, of failing to comply with an assistance order to assist ASIO, would be subject to a maximum of five years imprisonment or 300[147]nalty units, or both.¹⁴⁷

1.135 The committee's expectation is that the rationale for the imposition of significant penalties, especially if those penalties involve imprisonment, will be fully outlined in the explanatory memorandum. In particular, penalties should be justified by reference to similar offences in Commonwealth legislation. This not only promotes consistency, but guards against the risk that liberty of the person is unduly limited through the application of disproportionate penalties. These provisions impose the possibility of significant custodial penalties (respectively five years and 10 years imprisonment). In this instance, the statement of compatibility states in relation to the increase in penalties under the Crimes Act and Customs Act that the current penalty 'is of insufficient gravity to incentivise compliance with the assistance obligation'.^[148] The explanatory memorandum also states:

1.136 The explanatory memorandum explains that the proposed penalty under the SD Act 'is consistent with the amended penalty in Schedule 3',^[150] while the penalty set in Schedule 5 has not been justified in the explanatory materials.

1.137 In effect, the justification for the substantial increase in penalties appears to have two elements to it. In relation to third parties who are not the subject of an investigation the justification appears to be that the higher penalty will provide a greater incentive to comply with the order. However, it is not clear to the committee that a person would be more likely to comply with an assistance order if subject to a significantly higher penalty, given the potential for imprisonment that currently exists. The second element of the justification appears to be that a person who is suspected of having committed an offence would be more likely to comply with an assistance order if the penalty were higher, as otherwise they would weigh up the possibility of conviction for the offence (which would be possible based on the information they provided under the assistance order) compared to conviction for the failure to assist. However, it does not appear that the bill or the existing provisions in the amended Acts specifically override the common law privilege against self-incrimination. As such, it is the committee's understanding that a person who may be suspected of an offence could refuse to comply with the assistance order and at any trial for the offence could claim the common law privilege against self-incrimination. As such, it would appear to the committee that increasing the penalty for failing to comply with the assistance order would not necessarily have any effect on a suspect's decision as to whether to provide the required assistance.

1.138 The committee also notes, as set out above, that its usual expectation in relation to the setting of a penalty in legislation is that those penalties would be justified by reference to similar offences in Commonwealth legislation. No such comparable offences and penalties have been set out in the explanatory materials.

1.139 The committee therefore seeks the minister's detailed justification for setting a penalty of five to 10 years imprisonment for a failure to comply with an assistance order, by reference to comparable Commonwealth offences.

1.140 The committee also seeks the minister's advice as to whether it is intended that the offence of a failure to comply with an assistance order would abrogate the common law privilege against self-incrimination (and if not, why the explanatory memorandum suggests the higher penalty is to incentivise a suspect to comply with the order).

Immunity from liability (Schedule 2 and 5)^[151]

1.141 Section 313 of the Telecommunications Act currently imposes an obligation on carriers and service providers to give agencies 'such help is reasonably necessary' to enforce the criminal law and safeguard national security. Subsections 313(5) and (6) of that Act confer an immunity from liability on carriers and carriage service providers, and their officers, employees and agents, in relation to acts done or omitted to be done in good faith in connection with the provision of help. Item 119A of Schedule 2 to the bill seeks to amend this provision to insert a new paragraph (caa), which would provide that 'giving help' includes giving effect to authorisations under section 31A of the TIA Act to develop and test certain interception capabilities.^[152]

1.142 The amendment proposed by item 119A would thereby extend the immunity conferred by subsections 313(5) and (6) to actions taken to give effect to authorisations (to develop and test interception capabilities) given under section 31A (including as amended). This removes any common law right to bring an action to enforce legal rights in relation to such actions unless it can be demonstrated that lack of good faith is shown. The committee notes that in the context of judicial review, bad faith is said to imply a lack of an honest or genuine attempt to undertake the task and that it will involve personal attack on the honesty of the decision-maker. As such the courts have taken the position that bad faith can only be shown in very limited circumstances.

1.143 Item 2 of Schedule 5 to the bill also seeks to insert a new section 21A into the ASIO Act, relating to the provision of voluntary assistance to the Director-General. Proposed subsections 21A(1) and (5) provide that, in certain circumstances, a person or body is not subject to any civil liability for, or in relation to, conduct that involves:

1.144 Proposed subsections 21A(1) and (5) would therefore remove any common law right to bring an action to enforce legal rights, with no requirement that actions are taken in good faith. The committee is concerned that these immunities may capture a broad range of conduct which would otherwise be actionable under the common law. For example, it appears that the immunity conferred by proposed subsection 21A(5) could extend to giving defamatory information to ASIO, so long as the person giving that information reasonably believes that the information would assist with the performance of ASIO's functions.

1.145 The committee expects that if a bill seeks to confer immunity from civil liability, particularly when such an immunity could affect individual rights, this should be soundly justified in the explanatory materials. In this instance, the explanatory memorandum provides no justification for the conferrals of immunity outlined above, merely restating the operation and effect of the relevant provisions.^[155]

1.146 The committee requests the minister's advice as to why it is considered necessary and appropriate to confer immunity from civil liability in item 119A of Schedule 2 and item 2 of Schedule 5, such that affected persons would no longer have a right to bring an action to enforce their legal rights.

[23] Schedule 1, item 7, various proposed sections. The committee draws senators’ attention to these provisions pursuant to Senate Standing Order 24(1)(a)(i) and (ii).

[28] Schedule 1, item 7, proposed subsection 317G(1). Proposed section 317B defines 'interception agency' to include: the Australian Federal Police, the Australian Commission for Law Enforcement Integrity, the Australian Crime Commission, the police force of a state or the Norther Territory, the Independent Commission Against Corruption of New South Wales, the New South Wales Crime Commission, the Law Enforcement Conduct Commission of New South Wales, the Independent Broad-based Anti-corruption Commission of Victoria, the Crime and Corruption Commission of Queensland, the Independent Commission Against Corruption (SA) and the Corruption and Crime Commission (WA). Proposed section 317ZM defines 'chief officer' with respect to each interception agency.

[31] Schedule 1, item 7, proposed section 317ZB. Proposed section 317ZA deals separately with a failure by a carrier or a carriage service provider to comply with a requirement under either type of notice and relies on pecuniary penalty provisions set at a similar level under Part 31 of the Telecommunications Act 1997.

[34] Proposed subsection 317E(2) provides that an act or thing done to conceal the fact that a thing has been done covertly does not include making a false or misleading statement, or engaging in dishonest conduct.

[36] Schedule 1, item 7, proposed paragraphs 317G(6)(a) and (b) and 317L(3)(a) and (b).

[39] Proposed paragraph 317E(1)(a), which relates to removing one or more forms of electronic protection that are or were applied by, or on behalf of, the provider, is excluded from the list of acts or things that may be specified under a technical capability notice.

[62] Senate Standing Committee for the Scrutiny of Bills, Entry, Search and Seizure Provisions in Commonwealth Legislation, 4 December 2006, pp. 308-316.

[63] Senate Standing Committee for the Scrutiny of Bills, Entry, Search and Seizure Provisions in Commonwealth Legislation, 4 December 2006, pp. 308-316.

[66] Schedule 1, item 7, proposed subsections 317G(5) and 317T(3), and proposed paragraph 317L(2)(c).

[68] Schedule 1, item 1. The committee draws senators’ attention to this provision pursuant to Senate Standing Order 24(1)(a)(iii).

[71] In this regard, the committee notes that decisions of a 'high political content' may justify excluding merits review. See Administrative Review Council, What decisions should be subject to merit review? (1999), [4.22]-[4.30].

[72] Schedule 1, item 7, proposed paragraph 317G(1)(c), and proposed section 317ZJ. The committee draws senators’ attention to these provisions pursuant to Senate Standing Order 24(1)(a)(i).

[73] Note, Schedule 1, item 7, proposed subsections 317ZJ(2) and (4), contain an additional limitation that the immunity for acting in good faith in purported compliance with the notice only applies where the act or thing done is in connection with any or all of the eligible activities of the provider.

[75] Schedule 1, item 7, proposed subsections 317ZF(3), (5) to (11) and (13). The committee draws senators’ attention to these provisions pursuant to Senate Standing Order 24(1)(a)(i).

[76] Attorney-General's Department, A Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers, September 2011, pp. 50-52.

[77] Schedule 1, item 7, proposed subsection 317ZK(1). The committee draws senators’ attention to this provision pursuant to Senate Standing Order 24(1)(a)(ii).

[78] The Director-General of ASIO or chief officer of an interception agency in the case of a technical assistance notice, and the Attorney-General in the case of a technical capability notice.

[81] Schedule 2, items 2 and 3. The committee draws senators’ attention to these provisions pursuant to Senate Standing Order 24(1)(a)(ii).

[83] Schedules 2 to 5. The committee draws senators’ attention to these provisions pursuant to Senate Standing Order 24(1)(a)(i).

[84] Such as security systems, internet protocol cameras and digital video recorders. See explanatory memorandum, pp. 88, 131, and 137.

[85] 'Relevant offence' is defined in section 6 of the Surveillance Devices Act 2004 as including an offence against the law of the Commonwealth that is punishable by a maximum term of imprisonment of three years or more or life.

[88] Which relates to an offence that is suspected of being committed by a staff member of a target agency.

[90] Senate Standing Committee on the Scrutiny of Bills, Twelfth Report of 2006: Entry, Search and Seizure Provisions in Commonwealth Legislation, 4 December 2006, p. 317.

[91] See Schedule 2, item 49. See also Schedule 2, item 145, which would enable a judge or nominated AAT member to grant a computer access warrant in relation to an international assistance authorisation.

[103] Schedule 2, item 7, proposed paragraph 25A(8)(k); item 8, proposed paragraph 27A(3C)(k); item 12, proposed paragraph 27E(6)(k); and item 49, proposed paragraph 27E(7)(k).

[108] The committee notes that proposed paragraph 27C(2)(c) provides that, in determining whether to issue a computer access warrant, the judge or AAT member must have regard to the extent to which the privacy of any person is likely to be affected. However, this is limited to deciding whether to issue the warrant in the first instance, and not to the type of things that are authorised by the warrant.

[110] Schedule 3, item 3, proposed paragraphs 3F(2A)(c) and 3F(2B)(c) and subsection 3F(2C); item 6A, proposed paragraphs 3K(5)(c) and 3K(6)(c).

[111] Schedule 4, item 4A, proposed paragraph 199(4)(c) and subsection 199(4B); item 5, proposed paragraph 199B(2)(c) and subsection 199B(3).

[112] Schedule 3, item 3, proposed subparagraph 3F(2B)(a)(v) and item 6A, proposed subparagraph 3K(6)(a)(v).

[114] Schedule 2, item 114, proposed section 64A; Schedule 3, item 9; Schedule 4, item 18; Schedule 5, item 3, proposed section 34AAA.

[115] Or to assist in the location and safe recovery of a child; or to assist the conduct of an integrity operation; or to substantially assist in relation to control order matters; or to prevent the loss of evidence: see Schedule 2, item 114, proposed section 64A. Or where there are reasonable grounds to suspect evidential material is held in the computer or storage device: see Schedule 3, item 9, existing paragraph 3LA(2)(a) of the Crimes Act 1914 and Schedule 4, item 18, existing paragraph 201A(2)(a) of the Customs Act 1901. Or the Attorney-General is satisfied on reasonable grounds access is for the purpose of obtaining certain foreign intelligence: see Schedule 5, item 3, proposed paragraphs 34AAA(2)(a) and (b).

[130] Schedule 2, item 49, proposed paragraph 27E(2)(e). Schedule 3, item 3, proposed paragraphs 3F(2A)(c) and 3F(2B)(c); item 6A, proposed paragraphs 3K(5)(c) and 3K(6)(c). Schedule 4, item 4A, proposed paragraph 199(4)(c); item 5, proposed paragraph 199B(2)(c).

[131] Schedule 2, item 49, proposed subsection 27E(5). Schedule 3, item 3, proposed subsection 3F(2C); item 6A, proposed subsection 3K(7). Schedule 4, item 4A, proposed subsection 199(4B); item 5, proposed subsection 199B(3).

[132] Schedule 3,item 3, proposed paragraph 3F(2B)(v) and item 6A, proposed subparagraph (6)(a)(v).

[136] Schedule 2, items 17, 18 and 119A; and Schedule 5, item 2, proposed section 21A. The committee draws senators’ attention to these provisions pursuant to Senate Standing Order 24(1)(a)(i).

[137] 'Relevant authorising provision' and 'relevant warrant' are defined in proposed subsection 34AA(5).

[139] For example, things done by a law enforcement officer in connection with the execution of a warrant, in accordance with an emergency authorisation, or in accordance with a tracking device authorisation.

[142] Attorney-General's Department, Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers, September 2011, p. 54.

[143] Attorney-General's Department, Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers, September 2011, p. 55.

[144] Schedule 2, item 114, proposed subsection 64A(8); Schedule 3, item 9; Schedule 4, item 18; and Schedule 5, item 3, proposed subsection34AAA(4). The committee draws senators’ attention to these provisions pursuant to Senate Standing Order 24(1)(a)(i).

[151] Schedule 2, item 119A and Schedule 5, item 2. The committee draws senators’ attention to these provisions pursuant to Senate Standing Order 24(1)(a)(i).

[152]

Section 31A

of the Telecommunications (Interception and Access) Act 1979 currently provides that the Attorney-General may authorise the interception of certain communications by employees of authorised security authorities. Schedule 2, item 123B of the bill seeks to amend

section 31A

to enable the Attorney-General to authorise security authorities to work with carriers to test interception technologies.

[153] Schedule 5, item 2, proposed subsection 21A(1). The relevant circumstances are that the Director-General is satisfied on reasonable grounds that the conduct is likely to assist ASIO in the performance of its functions; the person engages in the conduct in accordance with the Director-General's request; and the conduct does not involve the commission of an offence or significant loss or damage to property.

[154] Schedule 5, item 2, proposed subsection 21A(5). The relevant circumstances are that the person reasonably believes that the conduct is likely to assist ASIO in the performance of its functions; the conduct does not result in the commission of an offence or in significant loss of or serious damage to property; and the conduct is not covered by subsection 21A(1).

Australian Senate Standing Committee for the Scrutiny of Bills - Scrutiny Digests