Revised Explanatory Memorandum
(Circulated by authority of the Attorney-General, Senator the Honourable George Brandis QC)
Statement of Compatibility with Human Rights
Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011
Telecommunications and Other Legislation Amendment Bill 2017
29. This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.
Overview of the Bill
30. The Telecommunications and Other Legislation Amendment Bill 2017 (the Bill) will establish a risk-based framework to effectively manage national security risks to Australia's telecommunications infrastructure. The Bill will implement recommendation 19 of the June 2013 PJCIS' Report of the Inquiry into Potential Reforms of Australia's National Security Legislation.
31. Recommendation 19 of the PJCIS's 2013 report was that the government amend the Telecommunications Act to create a security framework that would provide a telecommunications industry-wide obligation to protect infrastructure and the information held on it, or passing across it, from unauthorised interference. The PJCIS also recommended the security framework include a requirement for industry to provide information to government to assist in the assessment of security risks to telecommunications infrastructure, in addition to powers of direction and a penalty regime to encourage compliance.
32. The Bill will also implement a recommendation from the PJCIS in its advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 that the government enact the proposed telecommunications sector security reforms.
33. The Bill will also implement recommendations of the PJCIS's Advisory report on the Telecommunications and Other Legislation Amendment Bill 2016, tabled in Parliament on 30 June 2017. The PJCIS advisory report aimed to strengthen the reforms by providing greater clarity and certainty for industry, encouraging information-sharing, and enhancing the transparency of the regime's operation.
34. The Bill will implement each of these recommendations through amendments to the Telecommunications Act. The amendments will impose a new security obligation on the telecommunications industry, including carriers, carriage service providers and carriage service intermediaries (C/CSPs). C/CSPs will be required under new sections 313(1A) and (2A) to do their best to protect networks and facilities they own, operate or use from unauthorised access and interference for the purposes of security. This will complement the existing scheme in subsections 313(1) and (2) of the Telecommunications Act which requires C/CSPs to do their best to prevent their networks and facilities from being used to commit offences.
35. New section 315B of the Bill will give the Attorney-General powers to direct a C/CSP to do, or refrain from doing, a specified act or thing if there is a risk to security. This is in addition to the current power of the Attorney-General to provide a direction to C/CSPs not to use or supply, or to cease using or supplying, carriage services if the use or supply is, or would be, prejudicial to security under existing section 581(3) of the Telecommunications Act (this Bill will move this power to new section 315A). The Attorney-General's directions powers under new section 315B will complement the existing power by providing a mechanism for a more proportionate and graduated response to managing security risks and promoting compliance with the security framework.
36. New section 315C of the Bill will grant the Secretary of AGD the power to obtain information and documents from C/CSPs, where that information is relevant to assessing compliance with the obligations imposed under subsections 313(1A) and (2A) of this Bill.
37. Under existing section 202B of the TIA Act, C/NCSPs have a requirement to notify the CAC of any changes to their systems or services which could have a material adverse effect on their ability to meet their obligations under section 313 of the Telecommunications Act. A new notification provision, section 314A, modelled on section 202B, will be created in Part 14 of the Telecommunications Act. The new provision will require carriers and carriage service providers nominated under the TIA Act (C/NCSPs) to notify the CAC of proposed changes to networks and services which could have a material adverse effect on the C/NCSP's ability to comply with the new security obligation in sections 313(1A) and 313(2A). The CAC will also be vested with the power to exempt C/NCSPs from compliance with the notification requirement in full or in part. It is envisaged that the CAC would grant an exemption based on a recommendation from ASIO that considered the security risk profile of a company or aspects of a company's business. C/NCSPs will also be provided with the option of submitting an annual Security Capability Plan (SCP) forecasting multiple proposed changes to their systems and services in lieu of individual notifications, and setting out matters that describe the company's security policies and practices and how it proposes to meet its new security obligation.
38. The ASIO Act will also be amended to include the directions power of the Attorney-General under section 315B within the definition of prescribed administrative action within Part IV. Currently, in respect of the existing direction power under subsection 581(3) the Attorney-General is not required to obtain advice from ASIO, but if he does and wishes to rely on such advice it must be in the form of a security assessment. Following amendment of the Telecommunications Act, the Attorney-General will be required to obtain an adverse security assessment from ASIO before he or she can exercise the existing directions power (new section 315A which replaces existing section 581(3)).
Human rights implications
39. The Bill engages the following human rights:
- the right to privacy (Article 17 of the International Covenant on Civil and Political Rights (ICCPR));
- the right to freedom of expression (Article 19 of the ICCPR);
- the right not to incriminate oneself (Article 14 of the ICCPR); and
- the right to a fair trial (Article 14 of the ICCPR).
Right to privacy - Article 17 of the ICCPR
40. Article 17 of the ICCPR provides that no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour or reputation, and that everyone has the right to the protection of the law against such interference or attacks.
41. Interferences with privacy may be permissible, provided that they are authorised by law and not arbitrary. In order for an interference with the right to privacy not to be arbitrary, the interference must be for a reason consistent with the provisions, aims and objectives of the ICCPR and be reasonable in the particular circumstances. [1] The United Nations Human Rights Committee (the HRC) has interpreted 'reasonableness' in this context to mean that 'any interference with privacy must be proportional to the end sought and be necessary in the circumstances of any given case'.
42. The following measures in the Bill engage the right to privacy under Article 17 of the ICCPR:
- obligations for C/CSPs to protect networks and facilities from unauthorised access and interference under new subsections 313(1A) and (2A) of the Telecommunications Act; and
- information gathering powers granted to the Secretary of AGD under new section 315C.
- a clarifying note following subsection 315H(1) of the Bill; and
- including a C/NCSP entering into a new or changed telecommunications metadata offshoring arrangement as an example of a kind of change to a telecommunications service or system that could trigger the notification requirement under section 314A.
Obligations of C/CSPs to protect networks and facilities
43. The new obligations for C/CSPs to protect networks and facilities from unauthorised access and interference under new subsections 313(1A) and (2A) of the Telecommunications Act will promote the right to protection against arbitrary and unlawful interferences with privacy in Article 17 of the ICCPR.
44. New subsection 313(1A) of the Telecommunications Act will require C/CSPs to do their best to protect telecommunications networks and facilities they own, operate or use from unauthorised interference or unauthorised access to ensure the confidentiality, availability and integrity of communications. New subsection 313(2A) will apply this obligation to networks and facilities used to supply carriage services by carriage service intermediaries. These measures seek to protect the increasing amounts of information, including personal information, stored electronically in telecommunications facilities and passed across networks. Information and networks are becoming increasingly vulnerable to interference and disruption by malicious actors. It is essential that legislation reflects and meets those new and advanced risks with protection of critical infrastructure and telecommunications data.
45. The Bill responds to the advances in the technologies available to state-based and non-state based actors with malicious intent toward sabotage and espionage that can expose the personal information of users. The Bill promotes the right to privacy under Article 17 by providing additional protections under law from interference with personal information through improved protection of telecommunications infrastructure to prevent unauthorised access.
46. The obligations for C/CSPs to protect networks and facilities under new sections 313(1A) and (2A) will also promote the privacy of telecommunications customers by strengthening the protection of telecommunications data retained under the data retention regime established by the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015. The new obligations will complement the data retention regime by improving the security of networks as a whole, thereby providing an additional layer of protection for retained telecommunications data. This Bill will implement recommendation 36 of the PJCIS in its advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, which was that the government enact the proposed telecommunications sector security reforms prior to the end of the implementation phase of the data retention regime to better protect telecommunications data.
Information gathering powers granted to the Attorney-General's Secretary and notification requirements
47. The right to privacy under Article 17 of the ICCPR will also be engaged by the notification requirements under sections 314A to 314D and the information gathering powers granted to the Secretary of AGD under new section 315C of the Telecommunications Act.
48. New sections 314A to 314D of the Telecommunications Act provide that C/NCSPs must notify the CAC of changes to their systems or services if they become aware that the changes are likely to have a material adverse effect on their ability to protect telecommunications networks and facilities from unauthorised access and interference.
49. New section 315C of the Telecommunications Act will provide that the Secretary of AGD may obtain from C/CSPs information and documents relevant to assessing compliance under new subsections 313(1A) and (2A). New section 315E enables the Secretary of AGD to inspect a document produced under section 315C and to make and retain copies as necessary. New section 315F empowers the Secretary of AGD to take possession of the original documents and keep them for as long as he or she deems necessary.
50. The information sought under new section 315C or provided under sections 314A to 314D will primarily be of a commercial nature and unlikely to interfere with the privacy of telecommunications customers in most cases. This information may include procurement plans, network or service design plans, tender documentation, contracts and other documents specifying business and service delivery models and network layouts. Subsection 315C(1) specifies that the information must be relevant to an assessment of the C/CSP's compliance with subsections 313(1A) or (2A). This requirement that the information must be relevant increases the likelihood that information obtained will be commercial. Information collected of a personal nature will be minimal and purely incidental to the key objective of assessing compliance. Information about end-users will be similarly incidental to the collection of commercial information under sections 314A to 314D or 315C, and in any event, these sections are not intended to target end-users.
51. To the extent that new sections 314A to 314D and 315C may result in the incidental collection of personal information, it will limit the right to privacy in Article 17. However, any collection of personal information would be lawful, would not be arbitrary and would be reasonable, necessary and proportionate to achieving a legitimate objective.
52. The requirements under new sections 314A to 314D and the power in new section 315C are necessary to ensure that the government will have the information needed to make an assessment regarding the C/CSP's compliance with its obligations. It is also necessary for the assessment of the risk to security, including the confidentiality of communications carried on, and of information contained on, telecommunications networks and the availability and integrity of telecommunications networks and facilities.
53. The power in new section 315C is reasonable and proportionate, as it is limited to the collection of information or documents that are relevant to the duties imposed on C/CSPs under new subsections 313(1A) and (2A) to do their best to protect networks and facilities from unauthorised access and interference. Subsection 315F(2) ensures that the person otherwise entitled to possession of a document that is taken is entitled to be supplied with a certified copy as soon as practicable. In addition, subsection 315F(4) provides that until a certified copy is supplied, the Secretary of AGD must permit the person (or a person authorised by the person) to inspect and make copies of the document.
54. Further, safeguards for the protection of personal information specified in the Australian Privacy Principles (APPs) under the Privacy Act will apply to information gathered under sections 314A to 314D and 315C for any incidental personal information collected by the Secretary of AGD. This includes requirements regarding the security of personal information specified under Australian Privacy Principle 11 and requirements regarding use or disclosure under Australian Privacy Principle 6.
55. Under section 315G the Secretary of AGD may delegate his or her information gathering power to the Director-General of Security, ASIO. This delegation power is necessary to facilitate more efficient implementation of the regime. The power is reasonable and proportionate as it is limited to the Director-General, who will provide the appropriate seniority and expertise necessary to exercise this function.
56. In accordance with usual administrative law practices, the delegation must be in writing and specify to whom, or to what position the power is delegated. Also in accordance with administrative law practices, the Secretary of AGD may revoke the delegation at any time. Subsection 315G(2) contains a further protection in the exercise of the information gathering power by a delegate by enabling the Secretary of AGD to specify how the delegate is to exercise the power. The delegate must comply with any directions issued by the Secretary of AGD otherwise the exercise of the power will be invalid.
57. New section 315H of the Telecommunications Act will provide that a person who obtains information or a document under sections 314A to 314D and 315C may provide that information to another person under certain circumstances. Subsection 315H(1) provides that information may be shared either for the purpose of assessing the risk of unauthorised interference with, or unauthorised access to, telecommunications networks or facilities and to assess any such risk to security or for the purposes of security. To the extent that this information may include personal information, this provision also limits the right to privacy.
58. It is necessary that the Secretary of AGD be able to consult with officials in AGD, ASIO, and other relevant government agencies such as the Department of Communications and the Arts and the Australian Signals Directorate where technical expertise or assistance is required to assess risks to security. It may also be necessary to disclose information to the Attorney-General or other relevant Ministers for the purpose of exercising the Attorney-General's directions power in new section 315A (previously subsection 581(3)), new section 315B, or more broadly for the purposes of security.
59. Information obtained under sections 314A to 314D and 315C can also be shared for the purposes of security. 'Security' is defined in the ASIO Act, and includes the protection of the Commonwealth, states, territories and the people of Australia from espionage, sabotage, politically motivated violence, promotion of communal violence, attacks on Australia's defence system, or acts of foreign interference, as well as the protection of Australia's border integrity. The ability to share the information for the purposes of security ensures that information can be shared with appropriate agencies to address identified security issues. It parallels the operation of the communication provisions contained in the ASIO Act, which authorise ASIO to communicate information it obtains for purposes relevant to security. This provision authorises the Secretary of AGD or their delegate (i.e. the Director-General of ASIO) to share this information for security purposes without first consulting or notifying the C/CSP. The fact that the information was relevant for security purposes would likely be highly sensitive and protected information in itself.
60. New section 315H also contains important protections governing how the information and documents obtained under either sections 314A to 314D and 315C (original purpose) or section 315H (secondary disclosure) are to be treated. Subsection 315H(3) provides that information and documents are to be treated as confidential. This would operate to complement the high standard for protecting information which government agencies already operate under including compliance with requirements under the Privacy Act regarding use, disclosure and destruction of personal information and secrecy obligations in the Crimes Act 1914. Importantly, subsection 315H(2) also prevents information which would identify the affected C/CSP from being disclosed to anyone who is not a Commonwealth Officer (as defined by subsection 315H(4)). This means that sensitive information about the company would be protected and only threat information relevant to protecting Australia's security interests will be shared.
61. The restrictions in section 315H will not override existing legislative provisions that authorise ASIO to communicate information obtained in the performance of its functions. Parliament has already set out the circumstances in which it is considered appropriate for an agency such as ASIO to be able to communicate information collected as part of the performance of its functions, including personal and other information collected under warrant.
Clarification of section 315H
62. The clarifying note following subsection 315H(1) of the Bill gives effect to Recommendation 6 of the PJCIS Advisory report on the Telecommunications and Other Legislation Amendment Bill 2016, tabled in Parliament on 30 June 2017. This clarifies, for the avoidance of doubt, that existing legislative privacy obligations continue to apply. The specific disclosures authorised by subsection 315H(1) are an authorisation for the purposes of the Privacy Act.
63. Australian Government agencies subject to the Privacy Act are required to protect, use, disclose and destroy personal information in accordance with that Act. The provision protects the right to privacy as it confirms the continued application of the Privacy Act to personal information obtained under the legislation.
C/NCSP notification of new or amended offshoring arrangements
64. Recommendation 11 of the PJCIS Advisory report on the Telecommunications and Other Legislation Amendment Bill 2016 proposed that the Bill be amended to ensure that a C/NCSP entering into a new or changed telecommunications metadata offshoring arrangement is an example of a kind of change to a telecommunications service or system that could trigger the notification requirement under section 314A. Paragraph 314A(2)(f) specifies that the notification requirements in section 314A apply to entry into an arrangement to have all or some information retained under subsection 187A(1) of the Telecommunications (Interception and Access) Act 1979, kept outside Australia.
65. This protects the right to privacy as it ensures greater scrutiny of arrangements for storing and securing personal data that may be retained under a provider's obligations under subsection 187A(1) of the Telecommunications (Interception and Access) Act 1979. This provision will provide greater visibility to government of telecommunications data storage arrangements, in particular, offshore storage arrangements. This provides opportunities for government to work with industry to ensure that effective security mitigation strategies are in place. In accordance with data retention laws, providers are already required to protect and encrypt this data.
PJCIS Reviews
66. Recommendation 12 of the PJCIS Advisory report on the Telecommunications and Other Legislation Amendment Bill 2016 proposed that the PJCIS undertake a review of the operation, effectiveness and implications of the reforms, within three years of the Bill receiving Royal Assent. The Bill specifies that the review must start on or before the second anniversary of the commencement of the reforms. Each of the issues above will be considered in the context of that review. The prospect of review supports ensuring accountability for compliance with applicable privacy protections.
Right to freedom of expression - Article 19 of the ICCPR
67. Article 19(2) of the ICCPR sets out the right to freedom of expression, including the right 'to seek, receive and impart information and ideas of all kinds' and extends to any medium, including written and oral communications, the media, public protest, broadcasting, artistic works and commercial advertising.
68. The following measures in the Bill engage the right to freedom of expression under Article 19 of the ICCPR:
- existing directions powers of the Attorney-General under subsection 581(3) of the Telecommunications Act (moved to new section 315A); and
- new directions powers of the Attorney-General under new section 315B of the Telecommunications Act.
69. Under existing section 581(3) the Attorney-General may direct a C/CSP not to use or supply, or to cease using or supplying, a carriage service if he or she considers it is prejudicial to security. Item 12 of the Bill will amend the Act to move that power in its current form to section 315A of the Act. This is a technical amendment which does not change the substantive nature of the provision with the exception of adding an additional safeguard to remove the current exemption from review under the ADJR Act. Furthermore, it will now also be clear on the face of the provision that a pre-requisite to the Attorney-General exercising the power to cease a service is the provision by ASIO of an adverse security assessment. These two changes will ensure consistency with the operation of the new direction power in section 315B.
70. Notwithstanding the fact that the Attorney-General's directions powers under new section 315A have not changed substantially (except to provide an additional safeguard and clarity) from the existing subsection 581(3), it is important to note that this power engages the right to freedom of expression under Article 19(2) as the ability of the Attorney-General to shut down a communications service may limit the right to freedom of expression in Article 19 of the ICCPR as it could reduce the availability of communications mechanisms to individuals.
71. Article 19(3)(b) of the ICCPR states that the exercise of the right to freedom of expression may be subject to certain restrictions if provided by law and if necessary for the protection of national security or public order. Existing subsection 581(3) of the Telecommunications Act, now moved to new section 315A, is provided by law and is necessary for the protection of national security and public order. It may only be exercised when the Attorney-General, after consultation with the Prime Minister and the Minister for Communications, considers that the proposed or continued use or supply of that carriage service would be or is prejudicial to security. 'Security' is defined for the purposes of these sections by reference to the definition of security in the ASIO Act which includes the protection of the Commonwealth, states, territories and the people of Australia from espionage, sabotage, attacks on Australia's defence system, and acts of foreign interference. 'Prejudicial to security' is intended to be interpreted in a manner consistent with the definition of the term 'activities prejudicial to security' contained in the ASIO Act. 'Prejudicial to security' is described in the Attorney-General's Guidelines in relation to the performance by the Australian Security Intelligence Organisation of its function of obtaining, correlating, evaluating and communicating intelligence relevant to security (including politically motivated violence). The term is described to mean activities that are relevant to security and which can reasonably be considered capable of causing damage or harm to Australia, the Australian people, Australian interests, or to foreign countries to which Australia has responsibilities.
72. The power of the Attorney-General to suspend supply of a carriage service is reasonable and proportionate as it has been designed for use in exceptional or extreme cases only to prevent harm to Australia's interests. In its existing form in subsection 581(3), the power to cease a service has never been used by the Attorney-General, in recognition of the potential impact on C/CSPs and end users. The Bill will amend subsection 581(3) to clarify that the power cannot be exercised unless it is on the basis of an adverse security assessment from ASIO. Subsection 581(3) is already included within the definition of prescribed administrative actions in subsection 35(1) of the ASIO Act which may be the subject of an ASIO qualified or adverse security assessment. The Bill will now effectively restrict the type of ASIO assessment that can be relied upon by the Attorney-General to suspend a carriage service to an adverse security assessment and expressly include the requirement within the provision vesting the Attorney-General with the power to cease a service (now section 315A). This will have the effect of increasing the threshold for exercising the power and make the requirement transparent on the face of the provision.
73. Further, introduction of the new power of the Attorney-General to give directions to C/CSPs in new section 315B is intended to reduce the need to rely on the existing powers under subsection 581(3) of the Telecommunications Act. This new power enables the Attorney-General to take a more proportionate response to a security risk posed by a C/CSP. Section 315B provides the Attorney-General with the option to give a written direction requiring a C/CSP to do, or refrain from doing, a specified act or thing within the period specified in the direction.
74. The power in 315B is intended to be used in a cooperative way alongside engagement with industry. While it is an intrusive power, a number of protections and safeguards have been included to ensure that it is only used where absolutely necessary (including in circumstances where the C/CSP itself requests a direction) and the threshold for its exercise is high.
75. Subsection 315B(1) provides that the Attorney must be satisfied that there is a risk of unauthorised access or unauthorised interference and that the risk is prejudicial to security. As noted above, 'prejudicial to security' is intended to be interpreted in a manner consistent with the definition of the term 'activities prejudicial to security' contained in the ASIO Act.
76. Second, the power cannot be exercised without an adverse security assessment or negotiating with the relevant C/CSP in good faith. Both sections 315A and 315B require the Attorney-General to obtain an adverse assessment prior to exercising the relevant power, which ensures that he or she is provided with specific security advice in making a decision, and that ASIO makes a recommendation that adverse action should be taken. An adverse security assessment is defined in section 35 of the ASIO Act and means a security assessment made by ASIO in respect of a person (including a company) that:
- contains any opinion or advice, or any qualification of any opinion or advice, that is or could be prejudicial to the interests of the person, and
- recommends that prescribed administrative action be taken or not taken in respect of that person (e.g. the exercise of one of the listed legislative powers in relation to the affected person), which would be prejudicial to the interests of that person.
77. Third, subsection 315B(5) clarifies that the exercise of the directions power is to be a measure of last resort where all efforts to reach agreement cooperatively have failed. The Attorney-General must not give a C/CSP a direction unless the Attorney-General is satisfied that all reasonable steps to negotiate measures to reduce or eliminate the risk have been negotiated in good faith. The requirement to act in good faith means that attempts to reach agreement must be genuine. Government agencies will need to have taken adequate steps to engage the C/CSP, listen to the C/CSP's concerns and work with the C/CSP to develop mitigation measures reasonably necessary for addressing the risk.
78. In addition, subsection 315B(5) limits the purpose for which the Attorney-General can issue a direction to be for the purpose of reducing or eliminating the risks identified in subsection 315B(1). The direction must therefore specifically direct action that seeks to reduce or eliminate the risk of unauthorised access or interference which would otherwise result in a risk to security.
79. There are also a number of safeguards included to ensure that the exercise of the power does not unnecessarily impinge the right to freedom of expression and is not exercised arbitrarily. These include:
- Listing the matters which the Attorney-General must have regard to when exercising the power. Section 315B stipulates that the Attorney-General may only issue a direction to a C/CSP if he or she has had regard to the cost and impact on the C/CSP of implementing the direction, as well as the impact on customers, the market, competition and innovation. This is an inbuilt protection for customers using telecommunications networks in that their market choices are no more restricted than is necessary.
- Imposing mandatory consultation requirements. The Attorney-General will be required to consult both the Minister for Communications and the affected C/CSP. Consultation with the Minister will further ensure that security considerations do not unnecessarily impede market innovation and business autonomy. The requirement to consult the affected C/CSP will further ensure the direct impact on the C/CSP is taken into account and the C/CSP is given a voice to explain their position on why they cannot agree to implement ASIO's security advice.
Right not to incriminate oneself - Article 14 of the ICCPR
80. Article 14 of the ICCPR provides for the right to a fair hearing and includes in 14(3)(g) the right of protection against self-incrimination. The right to be free from self-incrimination may be subject to permissible limitations provided that the limitations are for a legitimate objective, and are reasonable, necessary and proportionate to that objective.
81. New subsection 315D(1) of this Bill abrogates the privilege against self-incrimination as it provides that a person is not excused from giving information or a document under new section 315C on the ground that the information or document might tend to incriminate the person or expose the person to a penalty.
82. The information gathering powers under section 315C of this Bill are modelled on similar powers under section 521 of the Telecommunications Act. The existing powers also abrogate the privilege against self-incrimination under section 524.
83. Abrogation of the privilege in this circumstance is necessary as there are no other appropriate avenues for collecting the information needed by the regulator to assess compliance with the obligation to protect networks and facilities under subsections 313(1A) and (2A). The information-gathering powers of the Secretary of AGD under section 315C form a core part of the telecommunications security framework that will be established by this Bill and would be significantly impaired if persons were excused from providing self-incriminating information.
84. However, subsection 315D(2) will provide both a use and derivative use immunity to the individual who provides information or documents under section 315C. As such, the information and documents obtained through this mechanism will be inadmissible, as well as any evidence obtained as a direct or indirect consequence of the documents or information being provided, in any criminal proceedings against the person (except proceedings under sections 137.1 and 137.2 of the Criminal Code), or civil proceedings, with the exception of a proceeding to enforce the information gathering power itself. These are very narrow exceptions to an otherwise broad immunity. In this regard, section 315D is reasonable and proportionate for monitoring compliance with the duty in subsections 313(1A) and (2A). The common law privilege against self-incrimination only extends to natural persons, not to bodies corporate. This is well-established in common law, as outlined in the Attorney-General's Department's 2011 A Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers.
85. Subsection 315C(3) will deem it mandatory for a person to comply with the information gathering power under section 315C. Section 570 of the Telecommunications Act provides that pecuniary penalties may be issued against a person for contravention of the Act, including new subsection 315C(3). Hence, only when the proceedings at hand arise directly from the refusal or failure to provide information would that information be admissible as evidence against that person. This is a similarly narrow exception.
86. The protections in Article 14(3) of the ICCPR include minimum guarantees that are applicable in criminal proceedings. However, in some cases it is possible for a civil penalty which subjects a person to a high penalty and is intended to be punitive or deterrent in nature to constitute a 'criminal charge' for the purposes of the prohibition on the right to be free from self-incrimination under Article 14(3). The Secretary of AGD may institute a proceeding for the recovery of a pecuniary penalty relating to a contravention of subsection 315C(3) regarding compliance with a written notice given to a C/CSP to give the Secretary of AGD information or documents. The pecuniary penalties for contraventions of civil penalty provisions are specified in section 570 of the Telecommunications Act, under which the maximum amount that could be payable would be $10m for a body corporate and $50 000 for a natural person.
87. The threshold for exercising the information gathering power is relatively high. Espionage and sabotage through cyber-attacks targeting Australia's telecommunications networks and facilities have the potential to cause considerable damage to Australia's national interest. This includes damage to businesses and individuals where commercially sensitive information or personal information is accessed.
88. The Secretary of AGD must have reason to believe the C/CSP has information relevant to assessing compliance with the duty. This is to protect against general fishing expeditions, by imposing a state of mind test and a relevance test. Monitoring compliance is critical as the impact of non-compliance can have significant national security implications.
89. The penalties are also reasonable and proportionate measures to encourage compliance as they are consistent with the existing penalties for non-compliance by carriers and carriage service providers under the Telecommunications Act. The threshold of $10m applies to a breach of any carrier licence condition or service provider rule, which includes a breach of the Telecommunications Act. Enforcement action and the penalty regime will only be activated as a last resort, where national security outcomes are not able to be achieved through cooperative engagement.
Right to a fair trial - Article 14 of the ICCPR
90. The right to a fair trial is protected in Article 14 of the ICCPR and is aimed at ensuring the proper administration of justice by upholding, among other things, the right to a fair hearing. [2] The Bill engages and supports the right to a fair trial through the availability of judicial review of all decisions and merits review of ASIO security assessments, and applications for review of a decision to refuse an application for exemption from notification requirements.
91. This Bill will remove an existing exemption of the Attorney-General's directions powers under subsection 581(3) of the Telecommunications Act (new section 315A) from review under the ADJR Act.
92. The Bill does not seek to limit the principles of procedural fairness within administrative law, available as recourse to a C/CSP by virtue of the new and existing directions power of the Attorney-General. The legislation will require the Attorney-General to consult the affected C/CSP before a direction is issued, notifying it of the proposed direction and providing a minimum of 28 days (unless circumstances are urgent) to provide a written response which must be taken into account in issuing a direction.
93. Further, there are a number of other thresholds and safeguards built in to the exercise of the directions power. These are set out above in paragraphs 67 to 71. As noted in paragraph 68 the directions powers can only be exercised in circumstances where ASIO has provided an adverse security assessment. Not only does this increase the threshold for the exercise of the powers, it also attracts the accountability protections associated with a security assessment in Part IV of the ASIO Act, which provide for merits review of the assessment in the Security Appeals Division of the Administrative Appeals Tribunal (AAT).
94. Part IV also provides notification obligations which require the recipient of the assessment, in this case, the Attorney-General, to provide the affected party with a copy of the security assessment within 14 days. In accordance with section 38A of the ASIO Act, the security assessment might be redacted to remove information that would be prejudicial to the interests of security before being provided to the affected party. The security assessment must be accompanied by an unclassified statement of grounds setting out the information ASIO has relied upon and a written notice informing the affected party (the C/CSP) of its right to apply to the AAT for merits review of the security assessment.
95. Subsection 314A(5C) allows applications to be made to the AAT for review of a decision of the CAC under paragraph (5B)(b) to refuse an application. This will ensure that administrative decisions with respect to applications for exemptions from the notification requirements are correct and preferable.
Conclusion
96. The Bill is compatible with human rights because it will promote rights and, to the extent that the Bill may also limit rights, those limitations are reasonable, necessary and proportionate to the objective of ensuring telecommunication networks and facilities are appropriately protected.