House of Representatives

Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020

Revised Explanatory Memorandum

Circulated by authority of the Minister for Home Affairs, the Honourable Karen Andrews MP
This memorandum takes account of amendments made by the House of Representatives to the bill as introduced.

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020

1. This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Bill

2. The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 amends the Surveillance Devices Act 2004 (SD Act), the Crimes Act 1914 (Crimes Act) and associated legislation to introduce new law enforcement powers and warrants to enhance the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC)'s ability to combat cyber-enabled serious and organised crime, including online child exploitation.

3. The Bill introduces:

a data disruption warrant which enables the AFP and the ACIC to access data on one or more computers and perform disruption activities for the purpose of frustrating the commission of criminal activity
a network activity warrant to enable the AFP and the ACIC to collect intelligence on criminal networks operating online
an account takeover warrant to allow the AFP and the ACIC to take over a person's online account for the purposes of gathering evidence of criminal activity, and
minor amendments to the controlled operations regime, to ensure controlled operations can be conducted effectively in the online environment.

Schedule 1 - Data disruption

Application for a data disruption warrant

4. Data disruption warrants will be issued by an eligible Judge or nominated AAT member acting in his or her personal capacity (persona designata). This is consistent with the existing framework for surveillance device warrants and computer access warrants under the SD Act. AAT members, while not judicial officers, are independent decision makers afforded similar protections to those afforded to judges. Termination of the appointment of an AAT member is only possible if determined by the Governor-General.

Threshold for application for a data disruption warrant

5. The AFP and the ACIC will be able to apply for a data disruption warrant where there is a reasonable suspicion that relevant offences of a particular kind have been, are being, are about to be, or are likely to be, committed, and those offences involve, or are likely to involve, data held in a computer, and the disruption of data held in that computer is likely to substantially assist in frustrating the commission of those offences. Relevant offences are generally those that carry a maximum penalty of imprisonment for at least three years.

Permitted actions under a data disruption warrant

6. The AFP and the ACIC will be permitted to covertly access computers to disrupt data and while doing so, if necessary, add, copy, delete or alter that data in order to frustrate the commission of relevant offences.

Dealing in information about data disruption warrants

7. Information collected under a data disruption warrant is treated as 'protected information' under the SD Act, meaning that the Bill prohibits dealing in information collected under a data disruption warrant except in very limited circumstances such as for the purposes of the investigation of a relevant offence, the making of a decision about whether or not to bring a prosecution, or the prevention of serious harm.

Security and destruction of records relating to data disruption warrants

8. The chief officer of the AFP or the ACIC must ensure that information obtained under a data disruption warrant is kept in a secure place that is not accessible to people who are not entitled to deal with the record or report. The chief officer must also destroy records or reports as soon as practicable if no civil or criminal proceeding has been, or is likely to be, commenced and the material is not likely to be required in connection with section 45(5A) or (5B), and within 5 years if they are no longer required under the SD Act.

Schedule 2 - Network activity warrants

Application for network activity warrants

9. Network activity warrants will be issued by an eligible Judge or nominated AAT member acting in his or her personal capacity (persona designata). This is consistent with the existing framework for surveillance device warrants and computer access warrants under the SD Act. AAT members, while not judicial officers, are independent decision makers afforded similar protections to those afforded to judges. Termination of the appointment of an AAT member is only possible if determined by the Governor-General.

Threshold for application for a network activity warrant

10. The chief officer of the AFP and the ACIC will be able to apply for a network activity warrant if there is a reasonable suspicion that:

a group of individuals are using the same electronic service or are communicating by electronic communications to engage in, facilitate or communicate about the engagement in, or facilitation of, criminal activity constituting the commission of one or more relevant offences, and
access to data held in computers will substantially assist in the collection of intelligence about those networks of individuals in respect of a matter that is relevant to the prevention, detection or frustration of one or more kinds of relevant offences.

Permitted actions under a network activity warrant

11. Network activity warrants will permit accessing data held in a computer that is used by a criminal network of individuals in order to collect intelligence related to that group, as well as actions necessary to conceal the access.

Dealing in information about network activity warrants

12. The Bill prohibits dealing in information collected under a network activity warrant except in very limited circumstances. Information can only be used for intelligence purposes, and cannot be used in evidence in a criminal proceeding.

Security and destruction of records relating to network activity warrants

13. The chief officer of the AFP or the ACIC must ensure that information obtained under a network activity warrant is kept in a secure place that is not accessible to people who are not entitled to deal with the record or report. The chief officer must also destroy records or reports as soon as practicable if no civil or criminal proceeding has been or is likely to be commenced and the material is not likely to be required in connection with section 45(5A) or (5B), and within 5 years if the material is no longer required to be kept under the SD Act.

Schedule 3 - Account takeover warrants

Application for an account takeover warrant

14. Account takeover warrants will be issued under the Crimes Act by a magistrate, to a law enforcement officer of the AFP or the ACIC. Magistrates currently issue section 3E warrants (search warrants), and this issuing authority has been replicated for consistency with other law enforcement powers in the Crimes Act, due to the fact that account takeover warrants will often be applied for at the same time as other warrants in the Crimes Act.

Threshold for application for an account takeover warrant

15. A law enforcement officer may apply for an account takeover warrant on the reasonable suspicion that:

one or more relevant offences have been, are being, are about to be, or are likely to be committed
an investigation into those offences is being, will be or is likely to be conducted, and
taking control of an online account is necessary in the course of that investigation for the purposes of enabling evidence to be obtained.

Permitted actions under an account takeover warrant

16. Account takeover warrants permit the taking control of an account through the modification of data. Taking control of an account means taking steps that result in the person having exclusive access to the account.

Dealing in information about account takeover warrants

17. Dealing in information about account takeover warrants is prohibited, and is an offence, except in certain limited circumstances, such as using the information for the purposes of the investigation, in connection with the AFP or the ACIC's functions, and preventing serious harm.

Security and destruction of records relating to account takeover warrants

18. The chief officer of the AFP or the ACIC must ensure that information obtained under an account takeover warrant is kept in a secure place that is not accessible to people who are not entitled to deal with the record or report. The chief officer must also destroy records or reports as soon as practicable if no civil or criminal proceeding has been or is likely to be commenced and the material is not likely to be required, and within 5 years.

Human rights implications

19. The Bill engages the following human rights under the International Covenant on Civil and Political Rights (ICCPR):

protection against arbitrary or unlawful interference with privacy contained in Article 17 of the ICCPR
the right to freedom of expression contained in Article 19 of the ICCPR
the right to life contained in Article 6 of the ICCPR
the right to effective remedy contained in Article 2(3) of the ICCPR, and
the right to a fair hearing in Article 14(1) of the ICCPR.

Protection against arbitrary or unlawful interference with privacy contained in Article 17 of the ICCPR

20. The Bill engages the protection against arbitrary or unlawful interference with privacy contained in Article 17 of the ICCPR. Article 17 provides that no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation, and that everyone has the right to the protection of the law against such interference or attacks.

21. The protection against arbitrary or unlawful interference with privacy under Article 17 can be permissibly limited where the limitations are lawful and not arbitrary. The term 'unlawful' in Article 17 of the ICCPR means that no interference can take place except as authorised under domestic law. The term 'arbitrary' in Article 17(1) of the ICCPR means that any interference with privacy must be in accordance with the provisions, aims and objectives of the ICCPR and should be reasonable in the particular circumstances. The United Nations Human Rights Committee has interpreted reasonableness to mean that any limitation must be proportionate and necessary in the circumstances to achieve a legitimate objective.

22. The purpose of the Bill is to protect national security, ensure public safety, and to address online crime and particularly the challenges posed by the dark web and anonymising technologies. The Bill aims to protect the rights and freedoms of individuals by providing law enforcement agencies with the tools they need to keep the Australian community safe.

23. To that end, the Bill does place limitations on the right to privacy. Those limitations, however, are not arbitrary or unlawful. They are carefully framed and considered in order to ensure public safety and a balanced approach to the intrusion on private individuals' data with the maximum safeguards.

Mandatory considerations of issuing authorities upon issuing warrants

24. There are mandatory considerations to which the issuing authority must have regard. In determining whether to issue an account takeover warrant, the issuing authority must have regard to the extent to which the privacy of any person is likely to be affected. In determining whether to issue a network activity warrant or a data disruption warrant, the issuing authority must consider whether the warrants are justified and proportionate, or reasonably necessary and proportionate respectively, having regard to the offences that those warrants are targeting. Both these warrants, as well as account takeover warrants, can only be applied for on the basis of a link to serious offending. They target activity of the most serious nature, including terrorism, child exploitation, drug trafficking and firearms trafficking.

25. Central amongst other considerations that issuing authorities must take into account is consideration of the existence of any alternative means of realising the intention of the warrant. In the case of a data disruption warrant, the issuing authority must consider alternative means of frustrating the criminal activity. In the case of network activity warrants and account takeover warrants the issuing authority must consider the existence of any alternative or less intrusive means of obtaining the information sought. These provisions are particularly important for ensuring that avenues of investigation, information collection and disruption that are less intrusive on individual privacy are considered. Where there are narrower activities that involve a more targeted approach, for example, this should be taken into account by the issuing authority.

26. The issuing authorities must also have regard to the extent to which the execution of the warrant is likely to impact on third parties, which includes considerations of privacy (to the extent known). This will ensure that the issuing authority weighs the anticipated value of the execution of the warrant against the intrusiveness of the activities proposed to be authorised by the warrant. This will assist the issuing authority to assess proportionality by ensuring that they balance the utility of the warrant against the scale, scope and intrusiveness of the activities proposed to be authorised by that warrant.

Limited interference with data and property

27. There are certain actions that are specifically prohibited on the face of the legislation for each of the three warrants. These provide further protections against unlawful and arbitrary interference with privacy. These warrants do not authorise the doing of any thing that is likely to materially interfere with, interrupt or obstruct a communication in transit or the lawful use by another person of a computer, unless doing those things is necessary for carrying out the purpose of the warrant. These warrants also explicitly prohibit the doing of any thing that is likely to cause any other material loss or damage to other persons lawfully using a computer unless that loss or damage is reasonably necessary and proportionate having regard to the offences covered by the warrant. There are also statutory conditions stating that neither a data disruption warrant nor an account takeover warrant can result in loss or damage to data unless reasonably necessary and proportionate or justified and proportionate, respectively.

28. These are strong safeguards to ensure that activities carried out under these warrants are justified and proportionate for the purposes of the warrant and are not exercised or issued arbitrarily.

Protections on information collected under warrants

29. Information collected under these warrants will have strict protections placed on it. Data disruption warrant information will have the same strong protections as placed on information collected under existing warrants in the SD Act, such as computer access warrants. Data disruption warrant information is 'protected information' under the SD Act. Similarly, the Bill inserts a definition of 'protected information' into the Crimes Act in respect of account takeover warrants, in order that the information gathered by virtue of conducting an account takeover is governed by the same prohibitions and exceptions as most information under the SD Act, including data disruption warrant information.

30. A person commits an offence if the person uses, records, communicates or publishes protected information except in very limited circumstances. Those circumstances include allowing the use, recording, communication and publication of information, or admittance in evidence where necessary for the investigation of a relevant offence, a relevant proceeding, or the making of a decision as to whether or not to bring a prosecution for a relevant offence.

31. Protected information can only be used, recorded, communicated or published in similarly limited circumstances, such as where that information has been disclosed in proceedings in open court, or where it is necessary to help prevent or reduce the risk of serious violence or damage to property. Information can also be shared with the Australian Security Intelligence Organisation (ASIO) or any agency within the meaning of the Intelligence Services Act 2001 (IS Act), if the information relates to the functions of those agencies. Protected information can be shared with a foreign country, the International Criminal Court or a War Crimes Tribunal if relevant to an international assistance authorisation. There are similar allowances for information to be shared under the Mutual Assistance in Criminal Matters Act 1987 and the International Criminal Court Act 2002.

32. The Bill has a different approach to information collected under a network activity warrant. That information is for intelligence purposes, and cannot be used in evidence in a criminal proceeding. There are very limited exceptions to this prohibition, and those exceptions have been made in order either to further investigations into criminal conduct made under other warrants (which will themselves contain protections on information gathered) or to promote the right to a fair trial and facilitate adequate oversight mechanisms. Protected network activity warrant information can be admitted into evidence, for example, for the purpose of making an application for a warrant, for the purpose of an IGIS official exercising powers or performing duties, or for the purposes of an investigation into whether the prohibition on dealing with information has been breached.

Security and destruction of records

33. Each of the three warrant frameworks in the Bill contains measures governing security requirements and record keeping for the information gathered. The chief officer of the AFP or the ACIC must ensure that information obtained under these warrants is kept in a secure place that is not accessible to people who are not entitled to deal with the record or report. The chief officer must also destroy records or reports as soon as practicable if no civil or criminal proceeding has been or is likely to be commenced and the material is not likely to be required, and within 5 years.

34. Requiring the security and destruction of records ensures that private data of individuals subject to a data disruption warrant is not handled by those without a legitimate need for access, and is not kept in perpetuity where there is not a legitimate reason for doing so.

Parliamentary review and sunset

35. The Bill will introduce a legislative basis for the Independent National Security Legislation Monitor (INSLM) and the Parliamentary Joint Committee on Intelligence and Security (PJCIS) to review the operation, effectiveness and implications of the Bill as it relates to network activity warrants, data disruption warrants and account takeover warrants. As the powers are new and impact privacy, independent review will ensure that the safeguards in the framework are appropriate and the Bill achieves its legitimate objective of public safety in the least rights restrictive way possible.

36. The Bill also provides that the framework for the AFP and the ACIC to obtain warrants will only have effect for five years following commencement. This means that the Parliament will be required to reconsider the powers before this time, and be satisfied that they remain reasonable, necessary and proportionate to achieving the legitimate objective of public safety.

Summary

37. The provisions that engage Article 17 of the ICCPR do so in a balanced and carefully considered way so as to protect individual privacy whilst enhancing the AFP and the ACIC's capacity to respond to serious online criminal activity. While the Bill does limit the right to privacy, those limitations are not arbitrary or unlawful. They are accompanied by a range of safeguards, stringent thresholds, proportionality tests, and clear specifications regarding the actions permitted under each warrant. At the same time, the Bill balances privacy with public safety and security. To the extent that there is a limitation on the protection against interference with privacy, statutory safeguards ensure any limitation is reasonable, necessary and proportionate.

Protection of the right to freedom of expression contained in Article 19 of the ICCPR

38. Article 19(2) of the ICCPR provides that everyone shall have the right to freedom of expression, including the right 'to seek, receive and impart information and ideas of all kinds and regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice'.

39. Furthermore, Article 19(3) of the ICCPR provides that the exercise of the rights provided for in Article 19(2) carries with it special duties and responsibilities. It may therefore be subject to certain restrictions, but these shall only be such as are provided by law and are necessary for the protection of national security or public order, or of public health or morals.

40. As the Bill contains measures which are aimed at combatting the use of the dark web and anonymising technologies, as well as any obfuscating of identities and illegal activities online, the Bill may indirectly have the effect of discouraging the use of such technologies for legitimate purposes. It is plausible that a person concerned about access to private data by government agencies may minimise his or her use of anonymising technologies or other online services.

41. However, this Bill will not permit the AFP or the ACIC to access an individual's data or device unless under warrant. The measures in this Bill advance a legitimate objective of protecting Australia's national security and public order by allowing the AFP and the ACIC to respond to the modern communications and cyber environment, and effectively access data to disrupt serious criminal activity and collect intelligence which will inform investigations which may ultimately lead to prosecutions.

42. To the extent that a person refrains from or minimises their legitimate use of anonymising technologies or online services in response to these powers, the additional restrictions on the purposes that the powers may be issued for and the limited things that may be required under these powers complement the protections of a warrant or authorisation and ensure any limitation on the freedom of expression is necessary, reasonable, and proportionate. Any limitation on the right to freedom of expression is consistent with the ICCPR as Article 19(3) allows for limitations for the protection of national security or of public order.

Issuing warrants in respect of a journalist

43. The Bill requires the issuing authority to have regard to an additional matter before issuing each of the warrants in circumstances where the warrant relates to a journalist, or a journalist's employer, and each of the offences sought to be frustrated or investigated under the warrant is an offence against a secrecy provision.

44. In these circumstances, the issuing authority is required to consider whether the public interest in issuing the warrant outweighs the public interest in protecting the confidentiality of the identity of the journalist's source, as well as the public interest in facilitating the exchange of information between journalists and members of the public so as to facilitate reporting of matters in the public interest.

45. It is important that the AFP and the ACIC are able to investigate the unauthorised disclosure of information that, if disclosed, is inherently harmful or would otherwise cause harm to Australia's interests. However, this provision recognises that such investigations should only be conducted while also protecting freedom of expression through consideration for the importance in maintaining the confidentiality of journalists' sources, and reporting on matters in the public interest.

The right to life contained in Article 6 of the ICCPR

46. The right to life in Article 6 of the ICCPR places a positive obligation on states to protect individuals from unwarranted actions by private persons. The obligation to protect life requires the state to take preventative operational measures to protect individuals whose safety may be compromised in particular circumstances, such as by a terrorist act. This includes enhancing the capabilities of law enforcement agencies to respond to a heightened terrorist threat.

47. The Bill promotes the right to life by providing additional tools to manage the risk posed by cyber-enabled serious and organised crime. The Bill is intended to target serious and organised offenders who utilise anonymising technologies to facilitate online criminal activity, including terrorism, child exploitation, and drugs and firearms trafficking.

48. The Bill enhances the capabilities of the AFP and the ACIC to respond to a heightened online threat environment. The Bill extends the ability for the AFP and the ACIC to detect, monitor, identify and disrupt serious online criminal activity.

The right to effective remedy contained in Article 2(3) of the ICCPR

49. Article 2(3) of the ICCPR protects the right to an effective remedy for any violation of rights and freedoms recognised by the ICCPR, including the right to have such a remedy determined by competent judicial, administrative or legislative authorities or by any other competent authority provided for by the legal system of the State.

50. The Bill does not provide for merits review of decision making. Decisions of a law enforcement nature have been identified by the Administrative Review Council as being unsuitable for merits review.

51. Australian courts will also have jurisdiction for judicial review of a decision of an issuing authority in the original jurisdiction of the High Court of Australia and in the Federal Court of Australia by operation of subsection 39B(1) of the Judiciary Act 1903, or under the Administrative Decisions (Judicial Review) Act 1977 (the ADJR Act). These judicial review mechanisms will ensure that an affected person or a provider has an avenue to challenge decisions made under these provisions.

52. Consistent with other powers in the Crimes Act and the SD Act, the Commonwealth Ombudsman will have oversight of the use of account takeover warrants and data disruption warrants by the ACIC and the AFP.

53. The Bill provides for IGIS oversight of the AFP's and the ACIC's activities in relation to network activity warrants. These amendments will enable the Inspector-General to review the activities of the AFP and the ACIC in relation to network activity warrants for legality, propriety and consistency with human rights. The Inspector-General may carry out his or her oversight functions through a combination of inspections, inquiries and investigations into complaints.

The right to a fair trial in Article 14(1) of the ICCPR

54. Article 14(1) of the ICCPR provides that all individuals are equal before a court or tribunal and that all individuals are entitled to a fair and public hearing that allows for a reasonable opportunity for individuals to present their case before a fair, impartial, and competent court.

55. New subsection 47A(7) and section 47B introduced into the SD Act by the Bill provide that in a proceeding (including a proceeding before a court, tribunal or Royal Commission), a person may object to the disclosure of information on the ground that the information, if disclosed, could reasonably be expected to reveal details of data disruption technologies or methods; and the person conducting or presiding over the proceeding may order that the information is not disclosed in the proceeding. These new subsections engage the right to a fair trial in Article 14(1) of the ICCPR.

56. The impact that new subsection 47A(7) and section 47B of the SD Act have on an individual's right to a fair trial is mitigated through the requirement that the person conducting or presiding over the proceeding must take into account whether disclosure of the information is necessary for the fair trial of the defendant or is in the public interest (subsection 47B(3)). Therefore the protections on data disruption technologies or methods being disclosed in hearings are reasonable, necessary and proportionate for protecting national security and safeguarding operational capabilities and sensitivities.

Conclusion

57. This Bill is compatible with human rights and promotes a number of human rights. To the extent that the Bill limits a human right, those limitations are reasonable, necessary and proportionate.

