Revised Explanatory Memorandum
(Circulated by authority of the Attorney-General, Senator the Honourable George Brandis QC)
Notes on Clauses
Clause 1 - Short title
97. Clause 1 provides for the short title of the Act to be the Telecommunications and Other Legislation Amendment Act 2016.
Clause 2 - Commencement
98. Clause 2 sets out when the various parts of the Act will commence as described in the table.
99. Item 1 in the table provides that sections 1 to 3, which concern the formal aspects of the Act, will commence (i.e. come into effect) on the day the Act receives Royal Assent.
100. Item 2 in the table provides that Schedule 1, which amends the Telecommunications Act 1997 (Telecommunications Act), the Telecommunications (Interception and Access) Act 1979 (TIA Act), the Administrative Decisions (Judicial Review) Act 1977 (ADJR Act) and the Australian Security Intelligence Organisation Act 1979 (ASIO Act) will commence 12 months after the date of Royal Assent.
Clause 3 - Schedules
101. Clause 3 provides that each Act specified in a Schedule to this Act is amended or repealed as set out in the Schedule. Any other item in a Schedule to this Act has effect according to its terms. This is a technical provision to give operational effect to the amendments contained in a Schedule.
SCHEDULE 1 - AMENDMENTS
PART 1 - MAIN AMENDMENTS
Overview of measures
102. Part 1 of Schedule 1 will insert new provisions into Part 14 of the Telecommunications Act which concerns national interest matters. In particular:
- a new security obligation will be added to the existing law enforcement obligation in section 313 of the Telecommunications Act to require carriers, carriage service providers and carriage service intermediaries (C/CSPs) to protect networks and facilities they own, operate or use from unauthorised access and interference;
- a notification requirement, modelled on section 202B of the TIA Act, will be created in Part 14 which will oblige carriers and nominated carriage service providers to notify of proposed changes to systems and services which are likely to have a material adverse effect on the carriers and nominated carriage service providers' (C/NCSPs) ability to comply with the new security obligation in sections 313(1A) and 313(2A) (in other words, to protect networks and facilities from unauthorised access and interference). Provision is also made for a C/NCSP to be exempted, in full or in part, from the notification requirement based on ASIO's assessment of the risk profile of the C/NCSP or aspects of the C/NCSP's business. C/NCSPs will also be provided with the option of submitting a Security Capability Plan (SCP) forecasting multiple proposed changes to their systems and services in lieu of individual notifications, and setting out matters that describe the company's security policies and practices and how it proposes to meet its new security obligation. It would provide a greater degree of certainty for the company that it is meeting the government's national security expectations (although it would not amount to approval of policies or immunity from any obligations);
- the Secretary of AGD will be vested with an information gathering power to facilitate compliance monitoring and investigations of the new security obligation;
- the Attorney-General will be provided an additional directions power to direct a C/CSP to do or not do a specified thing (for example, alter a procurement that has been assessed as giving rise to security risks);
- additional safeguards will be added to the Attorney-General's existing directions power in subsection 581(3) and the provision will be relocated within the Act to place the national security related provisions within the same part of the Act; and
- the existing civil remedies regime provided for in Part 30 (injunctions), Part 31 (civil penalties), and Part 31A (enforceable undertakings) will be made available for taking enforcement action to address non-compliance with the security obligation, a direction, or a notice to produce information or a document. The Attorney-General would be authorised to commence proceedings to seek these remedies.
103. The TIA Act will be amended so that the notification requirement in section 202B of that Act will not be invoked by the new obligations in subsections 313(1A) and 313(2A) of the Telecommunications Act.
104. The ASIO Act will be amended so that the exercise of the new directions power in section 315B will be included in the list of prescribed administrative actions in subsection 35(1) of the ASIO Act. This will enable ASIO to provide security assessments in respect of the exercise of the new directions power to the Attorney-General. The definition of prescribed administrative action in the ASIO Act will also be amended to reflect the repeal of subsection 581(3) to relocate it in new section 315A.
Item 1 - Section 5
105. Section 5 provides a simplified outline of the Telecommunications Act. Item 1 amends Section 5 by including a reference to the new security obligations to protect networks from unauthorised interference or unauthorised access in the simplified outline for the Act.
Item 2 - Section 7
106. Item 2 inserts new definitions for the following eight terms into section 7 for the purpose of the new security scheme: adverse security assessment, Attorney-General's Department, Attorney-General's Secretary, Director-General of Security, nominated carriage service provider, notifiable equipment, telecommunications service and telecommunications system. The definitions are self-explanatory. An adverse security assessment is defined in section 35 of the ASIO Act and means a security assessment made by ASIO in respect of a person (including a company) that contains:
- any opinion or advice, or any qualification of any opinion or advice, that is or could be prejudicial to the interests of the person, and
- a recommendation that prescribed administrative action be taken or not taken in respect of that person, being a recommendation the implementation of which would be prejudicial to the interests of the person.
Item 3 - After subsection 105(5A)
107. Item 3 provides that the telecommunications regulator (the Australian Communications and Media Authority (ACMA)) is not required to monitor or report each financial year to the Minister on the operation of the provisions in this Bill (instead the Secretary of AGD will report annually on the operation of the provisions). It does so by providing that paragraph 105(5A)(a) does not apply in relation to Part 14 of the Act to the extent that it has been amended by this Bill and by inserting new section 315J.
Item 4 - Before section 311
108. Item 4 inserts the heading 'Division 1-Simplified Outline' into 'Part 14 - National interest matters' of the Telecommunications Act to apply consistent drafting conventions.
Items 5 and 6 - Section 311 and at the end of section 311
109. Section 311 outlines the key provisions in Part 14 of the Act. Items 5 and 6 amend section 311 to also include a reference to the new security obligations, as well as the directions powers of the Attorney-General and the information-gathering powers of the Secretary of AGD.
Item 7 - Before section 312
110. Item 7 inserts the heading 'Division 2-Obligations of ACMA and carriers and carriage service providers' to apply consistent drafting conventions.
Item 8 - After subsection 313(1)
111. Item 8 inserts a new subsection (subsection 313(1A)) into section 313 to establish a new obligation for C/CSPs to protect telecommunications networks and facilities they own, operate or use from unauthorised interference or access for the purposes of security. Section 313 already imposes obligations on C/CSPs to: (1) do their best to prevent networks and facilities being used to commit offences; and (2) to provide reasonable assistance to authorities for the purposes of enforcing criminal and pecuniary laws, protecting public revenue and safeguarding national security.
112. The new security obligation will also apply universally to all C/CSPs to require all network operators and service providers to actively manage security risks to telecommunications services and infrastructure. The obligation to do their best to protect networks and facilities from unauthorised access and interference is limited to protecting Australia's national security interests. In other words, the inclusion of the words 'for the purposes of security' in subsection 313(1A) clarifies that the purpose of the obligation is to protect the integrity and availability of networks and facilities and the confidentiality of information stored and carried across them from threats such as espionage, sabotage, and foreign interference. The first note under section 313(1A) clarifies that the terms 'unauthorised access' and 'unauthorised interference' are to be read within the meaning of 'security' as defined in the ASIO Act with particular reference to security threats of espionage, sabotage and interference. This in no way limits the scope of the meaning of 'security' as defined in the ASIO Act; rather it highlights the security threats of most relevance. The second note under section 313(1A) clarifies that in circumstances where a broadcaster is exempt from being treated as a carriage service provider under section 93 of the Telecommunications Act, they are also not intended to be subject to the obligations within the Bill.
113. The obligation is framed in terms of the C/CSP doing 'its best' to protect networks from unauthorised interference or unauthorised access. This is consistent with the existing obligations in section 313 and avoids imposing an absolute obligation. In other words, compliance with the obligation requires C/CSPs to take all reasonable steps to prevent unauthorised access and interference for the purpose of protecting the confidentiality of information and the availability and integrity of networks. In this way, the provision acknowledges that it may not be possible to prevent all unauthorised access and interference.
114. It encourages a risk based approach to managing risks of espionage, sabotage and foreign interference rather than imposing absolute liability. For example, the cost of implementing controls should be balanced against the harm to security interests if the risk is not adequately managed. Security threats and risks are ever evolving, as are the capabilities of those who wish to gain access to sensitive parts of telecommunications systems and undertake activities contrary to our national interest or law. Despite best efforts, it may not be possible to prevent every instance of unauthorised access and interference. As such, evidence of unauthorised access to, or interference with, a network would not necessarily constitute a breach of the security obligation.
115. Importantly, while the obligation applies universally to all C/CSPs, the requirement to do their best imposes a subjective element which means that what is required to comply with the obligation will differ according to the risk profile of the C/CSP. Not all networks and facilities will pose the same level of risk to security or will be as actively targeted by malicious actors. However, it is important that all parts of the sector take proactive steps to secure the networks and facilities they own, operate or use from unauthorised access and interference to harden the entire Australian telecommunications network against security threats, such as espionage, sabotage and foreign interference activities. The following factors will contribute to whether a C/CSP is more likely to be actively targeted and therefore have an increased risk from espionage, sabotage or foreign interference:
- percentage of market share - the larger the customer base the greater the aggregated data;
- sensitivity of customer base - some customers will have more information of a sensitive nature being communicated and held on networks and facilities than others - including government and critical service providers, science and research organisations, large or significant commercial organisations, and large healthcare provider organisations (or their suppliers and business partners); and
- criticality of the network - for example, where the telecommunications network or service supports the delivery of other critical services, such as power, water, health, banking or where it provides services to critical customers.
116. Not all parts of networks and facilities are equally vulnerable to national security risks. Some parts of networks and facilities are generally considered to be more sensitive and at a greater risk of intrusion and interference than other parts because they either house or carry sensitive communication and information (e.g. billing systems and lawful interception systems) or because they affect the availability and integrity of the network (e.g. operations support systems). These areas of greater security interest are:
- network operation centres, including infrastructure used to facilitate support of the network;
- lawful interception equipment or operations;
- any part of a telecommunications network that manages or stores:
  - aggregated information about customers
  - aggregated authentication credentials of a significant number of customers
  - administrative (privileged user) authentication credentials for the network or related systems
- any place in a telecommunications network where data belonging to a customer or end user aggregates in large volumes, being either in transit or stored data; and
- any additional area as advised in writing, in response to changes in threat, technology and business practices.
117. The parts considered more vulnerable are likely to change over time due to changes in the way networks and services are operated and delivered. For this reason, administrative guidelines will outline what is expected of C/CSPs to comply with the security obligation based on whether they have a low, medium or high risk profile and the parts of networks and facilities considered most vulnerable to national security risks. This advice and guidance will assist C/CSPs to implement a risk managed approach to meeting the security obligation.
118. In terms of compliance, a C/CSP will be expected to be able to demonstrate that it has implemented effective security practices and measures to manage risks of unauthorised access and interference to protect the confidentiality of communications stored on and carried across networks (i.e. manage the risk of espionage) and ensure the availability and integrity of networks (i.e. guard against sabotage activity). For example, a C/CSP would need to take reasonable steps to ensure that intrusions or breaches do not occur within networks or facilities that they own, use or operate, and that the potential for malicious activity is minimised, demonstrable by the security controls in place. This will be particularly relevant where activity, left unchecked, could provide opportunity to compromise the confidentiality, availability or integrity of telecommunications infrastructure or information carried by, or across it.
119. While the security obligation will have immediate effect from the expiry date of the implementation period, existing networks and facilities in place at the time the security obligation comes into effect that are non-compliant will not be subject to civil penalties for non-compliance with the security obligation to protect networks and facilities under subsections 313(1A) and (2A). C/CSPs are not expected to retrofit all systems on commencement of this security obligation. However, there may be very rare cases where a significant security vulnerability is found in an existing system that could facilitate acts of espionage, sabotage and foreign interference. In such cases, government agencies will seek to work with the provider to develop cost effective solutions to better manage the risks posed by the existing vulnerability. Subject to how serious the security risk is and how willing the C/CSP is to collaborate with government to manage the risk, the Attorney-General could issue a direction requiring mitigation measures to be implemented.
120. The Bill does not prescribe what technical solutions a C/CSP should use to secure networks to protect information or the integrity and availability of the network, as this will be highly dependent on factors specific to each network and business delivery model. Mitigation measures required to secure networks will be particular to each network. There will be degrees of risk that vary across networks and providers. However, as specified in subsection 313(1B), from a compliance perspective a C/CSP will be expected to demonstrate effective control and competent supervision over the networks and facilities that are owned or operated by the C/CSP, targeted at addressing vulnerabilities that can arise through equipment supply, outsourcing and offshoring arrangements. Subsection 313(1B) is not intended to otherwise limit the potentially broad scope of the obligation to just addressing risks that arise through ineffective control and incompetent supervision arrangements.
121. The term 'competent supervision' means the ability of a C/CSP to maintain proficient oversight of its networks and facilities and could include arrangements to maintain:
- visibility of network and facility operations;
- visibility of key data flows and locations;
- awareness of parties with access to network infrastructure; and
- the ability to detect security breaches or compromises.
122. The term 'effective control' in this context means the ability of the C/CSP to maintain direct authority and/or contractual arrangements which ensure that networks, facilities, infrastructure and information stored or transmitted within networks, is protected from unauthorised interference. This would include authority over all parties with access to network infrastructure and data. It could include the ability to:
- direct actions to ensure the integrity of network operations and the security of information carried on them;
- terminate contracts without penalty where there has been a security breach or data breach reasonably attributable to the contracted services or equipment;
- address issues of data sovereignty;
- direct contractors to carry out mitigation or remedial actions;
- oblige contractors to monitor and report breaches to the C/CSP; and
- re-establish the integrity of data or systems where unauthorised interference or unauthorised access has occurred (for example to confirm accuracy of information or data holdings).
123. A key vulnerability for unauthorised access and interference arises through the telecommunications supply chain. Therefore, the concepts of effective control and competent supervision are largely directed at ensuring C/CSPs build security considerations into their arrangements with suppliers of equipment, services and support arrangements, particularly where data and/or service delivery operation or support is to be provided from offshore locations. For example, if a C/CSP is using a supplier or managed service arrangement, or has outsourced elements of its enterprise such as data hosting, the C/CSPs will need to consider the controls it has in place, or is proposing to put in place, to manage who can access and control sensitive parts of the network. If a C/CSP is engaged in offshore arrangements, one of the key risks it would be expected to consider is the legislative environment in the particular country and whether offshoring particular parts of their business may mean that personal information about Australians, as well as sensitive commercial information or communications, may have to be provided to a foreign government under a lawful request. These reforms are not about preventing offshoring. However, C/CSPs would be expected to take a risk based approach to considering which parts of networks, facilities, systems and operations should be offshored.
124. More broadly, demonstrating best efforts to secure networks would include, as a minimum, ensuring mechanisms for facilitating corporate awareness of the broad national security vulnerabilities and risks posed to telecommunications networks and embedding security considerations into business decision-making and business delivery models. In this regard, the obligation is intended to encourage C/CSPs to regularly and proactively engage with ASIO and AGD to inform themselves of these risks and develop strategies for managing those risks. Further guidance on particular areas of vulnerability and possible measures and controls to mitigate associated risks will be provided in the form of administrative guidelines to be developed in consultation with C/CSPs. It is expected that C/CSPs will familiarise themselves with the guidance material and, where in doubt, seek advice from the AGD and/or ASIO.
125. Paragraph 313(1A)(c) requires C/CSPs to protect the confidentiality of information carried across and stored on telecommunications networks and facilities, through the protection of those networks and facilities themselves. Many C/CSPs are already required to comply with the obligations in the APPs contained in the Privacy Act, including APP6 regarding use or disclosure of personal information, APP8 regarding cross-border disclosure of personal information and APP11 which requires that they take reasonable steps to protect personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. While there are similarities between C/CSPs' obligations under APP11 and the obligation under paragraph 313(1A)(c), there are a number of differences, including:
- subsection 313(1A) has as its objective the protection of all information, not just personal information, to ensure that sensitive government and commercial information is also protected; and
- the steps a C/CSP will be required to take under subsection 313(1A) focus on protecting the information 'for the purposes of security', whereas APP11 is concerned with protecting individuals' privacy.
126. Importantly, while there may be overlap between the steps that a C/CSP might take under subsection 313(1A) and APP 11, steps taken to comply with one obligation will not necessarily mean that the C/CSP has complied with the other obligation. For example, while subsection 313(1A) is focused on protecting a broader range of information from threats such as espionage, sabotage, and foreign interference through the protection of a C/CSP's networks and facilities, APP11 is focused only on personal information, but requires C/CSPs to consider broader sources of risks to information - a C/CSP must take reasonable steps to protect it from any misuse, interference and loss and from any unauthorised access, modifications or disclosure.
127. Guidance produced by agencies such as ACMA and the Office of the Australian Information Commissioner to assist entities comply with their obligations to protect the security of personal information will also assist C/CSPs to meet their obligations to protect the confidentiality of information under paragraph 313(1A)(c). However, C/CSPs will also need broader approaches to protect all categories of information, such as commercial-in-confidence and sensitive government information.
Item 9 - After subsection 313(2)
128. Item 9 mirrors the obligation under Item 8, although new subsection 313(2A) applies specifically to carriage service intermediaries. This is consistent with the application of existing obligations in section 313 and ensures that all parts of the telecommunications sector are taking responsibility for protecting telecommunications networks and facilities.
129. Item 8 does not include a similar provision to subsection 313(1B) in recognition of the fact that not all carriage service intermediaries would be able to demonstrate effective control and competent supervision of networks and facilities. Similarly to Item 8, the obligation for carriage service intermediaries to 'do their best' to protect telecommunications networks and facilities will depend on what steps are reasonable in particular circumstances (taking into account the extent that an intermediary can influence security outcomes in a particular situation). For example, an intermediary may be given access to services that may provide them with information about security vulnerabilities. They would therefore be expected to have appropriate procedural, governance and contractual arrangements to secure this type of information so that this knowledge of security vulnerabilities cannot be accessed by other parties and exploited.
Items 10 and 11 - Paragraph 313(5)(a) and at the end of subsection 313(5)
130. Items 10 and 11 extend the operation of the existing protections in subsection 313(5) of the Telecommunications Act to actions undertaken by a C/CSP to comply with the new security obligation in sections 313(1A) and 313(2A) and/or with a direction issued by the Attorney-General under either sections 315A or 315B. This means that a C/CSP is not liable to any action or proceedings for damages for an act done or omitted in good faith, if that act or omission was in the performance of a duty imposed by the new obligation of subsection 313(1A) or 313(2A) or in compliance with a direction issued by the Attorney-General.
131. In other words, the provision provides a C/CSP with a broad protection from any liability to a third party for any damage caused by negligence or breach of contract arising from the C/CSP acting or not acting in the course of performing its duties under the security obligation or pursuant to a direction given by the Attorney-General under new sections 315A or 315B. The most likely remedy that would be sought in such circumstances is damages.
132. Subsection 313(6) provides that this protection extends to all officers, employees and agents of a carrier/carriage service provider.
133. Although the immunity would not prevent third parties from commencing an action or proceedings for damages, the C/CSP would be able to rely on the protections under subsections 313(5) and (6) to defeat an alleged liability.
Item 12 - After section 314
Division 3 - Notification of changes to telecommunications services or telecommunications systems relating to obligation under subsections 313(1A) or (2A)
134. Item 12 will insert the heading Division 3 after an existing provision in Part 14, section 314 to apply consistent drafting conventions.
Subdivision A - Individual notifications
135. Section 314A will insert a new notification requirement in the Telecommunications Act. Section 314A will oblige C/NCSPs nominated under the TIA Act to notify the CAC of planned changes to telecommunications services or systems which the C/NCSP has become aware are likely to have a material adverse effect on the capacity of the C/NCSP to meet its security obligation under the new subsections 313(1A) and (2A) of the Telecommunications Act to protect telecommunications networks and facilities from unauthorised access and interference. 'Nominated carriage service provider' means a carriage service provider declared to be a nominated carriage service provider by the Attorney-General under section 197 of the TIA Act.
136. Section 314A is modelled on the existing notification requirement in section 202B of the TIA Act, which requires C/NCSPs to notify the CAC of planned changes to telecommunications systems and services which are likely to have a material adverse effect on the ability of the C/NCSP to meet its obligations under the TIA Act or section 313 of the Telecommunications Act. This Bill will exclude the new security obligations under subsections 313(1A) and (2A) of the Telecommunications Act from operation of the existing notification requirement in section 202B of the TIA Act so there is no duplication between the notification requirements.
137. The notification requirement is one method of formalising information sharing between C/NCSPs and the government and is triggered at the time of planning proposed changes to networks and services, rather than following implementation. Although the legislation does not specify when a C/NCSP should notify government of changes, it is in the C/NCSP's best interests to notify of a proposed change as early as possible in the design and planning stage and prior to finalising arrangements to implement the change. For example, the stage at which a detailed business case is being prepared for the company Board for decision might provide a guide for the appropriate time in the planning process for notifying the CAC. This will allow security considerations to be built into the proposal in the most cost effective manner and provide the Board with a more realistic understanding of all aspects of the proposal and associated security costs. Administrative guidelines will provide detailed advice on when a C/NCSP should notify of proposed changes. Early, close and regular engagement with security agencies will also assist C/NCSPs to assess the types of changes that must be notified and at what stage of the planning and decision making process.
138. Even the most informed C/NCSP is unlikely to have access to the most up to date threat information available to ASIO. Early engagement with government during the planning and design stage of changes to networks may help the C/NCSPs to mitigate security risks in the most cost-effective manner. Further, notification early in the procurement process can avoid unnecessary delay in the progress of procurements and minimise costs associated if procurement plans need to be modified to address security concerns.
Kinds of changes
139. The requirement to notify arises only from a change to a system or service, not from existing operations. Section 314A outlines the types of changes in arrangements that should be notified to government, which include but are not limited to: outsourcing or offshoring arrangements affecting sensitive parts of a network and/or procuring new equipment or services for sensitive parts of a network, and changes to the management of services. Paragraph 314A(2)(f) provides that a C/NCSP entering into a new or changed offshoring arrangement in relation to information retained under subsection 187A(1) of the Telecommunications (Interception and Access) Act 1979 is an example of a kind of change that could trigger the notification requirements. This is not an exhaustive list and may include other types of changes.
140. Like section 202B of the TIA Act the requirement to notify is only triggered where a proposed change is likely to have a 'material adverse effect'. This means that the proposed change may have an actual or measurable negative impact on the ability of the C/CSP to comply with the duties in subsections 313(1A) or 313(2A) to protect networks from risks of unauthorised access and unauthorised interference.
141. The notification requirement is only triggered where the C/NCSP 'becomes aware' that the implementation of a proposed change is likely to have a material adverse effect on the capacity of the C/NCSP to protect telecommunications networks and facilities. This is in recognition of the fact that C/NCSPs are well-placed through their practices and processes to identify risks associated with proposed changes. However, C/NCSPs would be expected to also make themselves aware of guidance issued by AGD and information provided by security agencies, as appropriate, when assessing whether a proposed change is likely to have national security implications.
142. Not all parts of networks and facilities are equally vulnerable to security risks. Some parts of networks and facilities are generally considered to be more sensitive and at a greater risk of intrusion and interference than other parts because they either house or carry sensitive communication and information (e.g. billing systems and lawful interception systems) or because they affect the availability and integrity of the network (e.g. operations support systems).
143. In particular, C/NCSPs would be expected to notify the CAC when they are planning changes to these more sensitive or vulnerable parts of networks. The parts considered more vulnerable are likely to change over time due to changes in the way networks and services are operated and delivered. Administrative guidelines will outline what is expected of C/CSPs to comply with the notification obligation under section 314A.
Exemptions
144. Subsections 314A(4) and (5) authorise the CAC to exempt a C/NCSP from compliance with the notification requirement in section 314A. Subsection 314A(5A) provides that the CAC may grant an exemption under subsections 314A(4) or (5), either on the CAC's own initiative or on written application by a C/NCSP. The exemption may be a complete exemption from the operation of this section made under subsection 314A(4) (i.e. the C/NCSP does not have to notify the CAC of any planned changes to telecommunications systems or services) or a partial exemption made under subsection 314A(5). For example, a partial exemption may be given in relation to certain categories of changes or in respect of particular parts of the C/NCSP's business. For instance, a large carrier which offers a number of different types of services may be exempted from providing any notifications in relation to a part of its business (for example, a subscription television service), but would still be required to notify of changes to other parts of its business. The details of a partial exemption would be specified in a notice provided to the C/NCSP.
145. In practice, the CAC's decision to grant a full or partial exemption, or to refuse an application, will be based on advice from ASIO that takes into account the security risk profile of a company. ASIO's assessment of security risk will be based on a number of factors such as:
- percentage of market share - the larger the customer base, the greater the aggregated data;
- sensitivity of customer base - some customers will have more information of a sensitive nature being communicated and held on networks and facilities than others, including government and critical service providers, science and research organisations, large or significant commercial organisations, and large healthcare provider organisations (or their suppliers and business partners); and
- criticality of the network - for example, where the telecommunications network or service supports the delivery of other critical services such as power, water, health or banking, or where it provides services to critical customers.
146. The CAC may revoke or amend an exemption made under subsections 314A(4) or (5) in line with subsection 33(3) of the Acts Interpretation Act 1901, which specifies that the power to make an instrument of a legislative or administrative character also includes the power to vary or revoke that instrument. Again, a decision to vary or revoke an exemption will likely be based on advice from ASIO having regard to any changes to security risks and services offered by the C/NCSP and the national security threat environment.
147. The statement in subsection 314A(7) that an exemption granted under subsections 314A(4) or (5) is not a legislative instrument is declaratory of the law and included to assist the reader. It does not represent a substantive exemption from the requirements of the Legislative Instruments Act 2003.
148. Paragraphs 314A(5B)(a) and (b) require the CAC, upon receiving an application in accordance with subsection 314(5A), and within 60 days of receiving the application, to either give the C/NCSP that exemption under subsection 314A(4) or 314A(5), or to refuse the application in writing. Paragraph 314A(5B)(b) includes a requirement for the CAC to set out the reasons for the refusal. The intention of the amendment is to provide a framework for C/NCSPs to request partial or complete exemption from the operation of section 314A for certain types of changes.
Administrative review
149. Subsection 314A(5C) allows applications to be made to the AAT for review of a decision of the CAC under paragraph (5B)(b) to refuse an application. This is to ensure that administrative decisions with respect to applications for exemptions from the notification requirements are correct and preferable.
Class exemptions
150. Classes of providers may also be exempt from the notification requirement on the same grounds, for example, exemptions may relate to a particular type of low risk service or network operator based on the factors identified above (i.e. market share, customer base and criticality).
151. Subsection 314A(2A) provides that the notification obligation in subsection 314A(1) does not apply to changes to a telecommunications service or a telecommunications system that are identified in a determination made by the CAC in accordance with subsection 314A(2B).
152. Subsection 314A(2B) supports this process by providing that the CAC may, by legislative instrument, make a determination for the purposes of subsection 314A(2A).
153. Subsections 314A(2A) and (2B) ensure that the CAC can specify types of changes that will not be subject to the notification requirement, without a requirement to identify a specific C/NCSP.
Duration and conditions
154. Subsection 314A(6A) provides that an exemption made under subsection 314A(4) or (5) may specify the period during which it remains in force. The subsection also provides that the exemption remains in force for that period unless it is revoked earlier, or ceases to be in force as provided by new subsection 314A(6B).
155. Subsection 314A(6B) enables the CAC to specify conditions on an exemption made under subsection 314A(4) or (5). The subsection also provides that such an exemption ceases to be in force if the C/NCSP breaches a condition.
Assessment of proposed change
156. Section 314B specifies the assessment processes for proposed changes following notification under subsection 314A(3). When the CAC receives a notification under this section he or she will generally consult ASIO for the purposes of assessing any potential security risks associated with the proposed change.
157. In all circumstances following notification, the C/NCSP will receive one of the following notices from the CAC:
- a request under subsection 314B(1) for further information about the planned change so the CAC can assess whether there is a risk of unauthorised access to, or interference with, telecommunications networks or facilities; or
- a notice under subsection 314B(3) advising the C/NCSP of a risk associated with the planned change of unauthorised access to, or interference with, telecommunications networks that is prejudicial to security; or
- a notice under subsection 314B(5) advising that the CAC is satisfied there is not a risk from the planned change of unauthorised access to, or interference with, telecommunications networks or facilities that is prejudicial to security.
158. Subsection 314B(6) provides that a C/NCSP will be provided with a notice under subsection 314B(3) or (5) within 30 days of notifying the CAC of a proposed change. However, if the CAC has sought further information under subsection 314B(1), the C/NCSP will be provided with a notice as soon as practicable and within 30 days of providing the further information.
159. There are no penalties associated with non-compliance with a request for further information made under subsection 314B(1). Therefore, if a C/NCSP did not comply with a request made by the CAC under this section, the Secretary of AGD may consider use of his or her new information gathering powers under section 315C of the Telecommunications Act.
160. The provision does not prevent a C/NCSP from implementing the proposed change within the 30 day period specified for the CAC to assess the proposed change or following a notice provided to the C/NCSP by the CAC under subsection 314B(3). However, as inferred in paragraphs 314B(3)(d) and (e), if a proposed change poses security risks and is implemented without any steps taken to manage this risk the C/NCSP will be potentially acting in contravention of its duties in subsections 313(1A) and (2A).
161. In circumstances where the CAC notifies the C/NCSP that a proposed change poses security risks, the CAC (on advice of ASIO) may also advise the C/NCSP of the types of measures and mitigations that could or should be implemented to manage the security risk. It is likely that ASIO will have already directly engaged with the C/NCSP on any proposed change that gave rise to security risks and the notification from the CAC will simply formalise this advice. In any event, ASIO and government agencies would seek to engage the relevant C/NCSP on the proposed change and provide advice on possible control measures and mitigations to reduce or eliminate the risk in circumstances where a proposed change did give rise to security risks (i.e. unauthorised access and interference) that are prejudicial to security.
162. The CAC cannot force the C/NCSP to implement this advice, however, again as inferred by paragraphs 314B(3)(d) and (e), if a proposed change poses security risks and is implemented without any steps taken to manage this risk the C/NCSP will be potentially acting in contravention of its duties in subsections 313(1A) and (2A).
163. However, ultimately, if the C/NCSP chose to ignore this advice and implementation of the change resulted in the C/NCSP operating in breach of the security obligation, the Attorney-General could apply to the Federal Court for a civil remedy such as a civil penalty or an injunction to penalise non-compliance. The Attorney-General could also consider issuing a direction under section 315B (or section 315A in extreme circumstances) requiring the C/NCSP to implement mitigation or remedial measures to address the security risk. A direction could also be issued before the proposed change is implemented (i.e. before there is an actual breach of the security obligation) to prevent a breach of the security obligation, if the circumstances warranted this action.
164. The notice provided to the C/NCSP under subsection 314B(5) advising of a security risk with a planned change will specifically alert the C/NCSP to the fact that the failure to mitigate the security risk could mean the C/NCSP is in breach of the obligations under subsection 313(1A) and (2A) and that this could give rise to the Attorney-General issuing a direction or enforcement action being taken to penalise the C/NCSP for non-compliance with the security obligation.
Subdivision B - Security capability plans (SCPs)
165. Item 12 will also add new sections 314C to 314E to Part 14 of the Telecommunications Act, which will allow C/NCSPs to submit a SCP to the CAC. The SCP could facilitate a C/NCSP meeting its notification requirement more efficiently and provide it with an opportunity to outline proposed changes within the context of the company's approach to security management.
166. Section 314C will enhance the new notification requirement under section 314A by clarifying that a C/NCSP can choose to meet the notification requirement through the submission of a SCP. The SCP would be in lieu of individual notifications under section 314A. Section 314E will clarify that if a change is included in a SCP, further notification is not required unless there is a modification to a previously proposed change (subsection 314E(2)). Furthermore, any further change or changes not included in the original SCP would need to be separately notified under section 314A. For clarity, submission of a SCP would not operate to exempt the C/NCSP from the notification requirements in section 314A where the SCP failed to adequately notify of a planned change or changes.
167. The submission of a SCP would be optional and would provide a mechanism for a C/NCSP to notify all or multiple proposed changes to systems and services within a defined period. Subsection 314C(8) limits the number of SCPs which can be submitted by a C/NCSP in any 12 month period to one. This is to avoid the administrative burden on government agencies of considering detailed plans on an ad hoc and frequent basis, and to promote the efficient and effective operation of the SCP process. As noted above, section 314E clarifies that if a proposed adverse change included in a SCP is later modified following the CAC's consideration of the change, it will be necessary for the C/NCSP to treat the modification as if it were a new change and formally notify of the change (if it is likely to have a material adverse effect on the ability of the C/NCSP to meet its obligations to protect networks and facilities from unauthorised access and interference), unless advised otherwise by the CAC. For example, if a notification was made to locate a core control system in one country and the proposal changed to locate the system in a different country, then the proposal would need to be notified again under section 314A.
168. The benefits of submitting a SCP include facilitating more holistic engagement with security agencies on investment planning and decision making, and assisting security agencies to understand more comprehensively the C/NCSP's arrangements with suppliers and its service delivery model for operating and managing key components of its network and service. For this reason, a SCP may also outline the C/NCSP's general approach to managing risks of espionage, sabotage, disruption and interference and what measures or mitigation it proposes to apply to each proposed change (subsections 314C(6) and (7)). Subsection 314C(7) allows the C/NCSP to detail any current or proposed mitigation measures or controls to reduce the risk of unauthorised access or interference. For example, this may include access controls in systems or oversight arrangements that are proposed to be built into contracts with third parties. These additional details will help expedite the assessment of the security plan by reducing the need to request additional information from a C/NCSP about the likely operation of a proposed change.
169. Early engagement and notification of changes to networks will enable any security risks associated with a proposed business model to be identified early and mitigation measures built into the design stage. Early incorporation of security controls from the design stage will be easier and more cost effective for C/NCSPs than if measures are added late in the process.
170. Inclusion of information about a C/NCSP's security policies, practices and strategies could facilitate more targeted engagement between the C/NCSP and government agencies on the C/NCSP's approach to the performance of its duties under the security obligation in subsections 313(1A) and (2A). It could also streamline the process of assessing the security risks associated with each proposed change and ultimately provide the CAC (and ASIO) with sufficient information to assess whether proposed changes can be implemented without further engagement with government agencies. Importantly, the submission of a SCP is not intended to remove the need to engage with ASIO where this is already occurring or where ASIO considers it necessary to ensure compliance with the security obligation.
Kinds of changes
171. The SCP provisions are intended to complement and supplement the new notification provisions in section 314A. For example, a SCP should only capture those changes the C/NCSP is planning to implement that are likely to have a material adverse effect on the provider's ability to meet its requirements. This applies the same test as section 314A. The phrase 'material adverse effect' includes any change which could have an actual or measurable negative impact on the ability of the C/CSP to comply with the duties in subsections 313(1A) or 313(2A).
172. Section 314C sets out the matters that may be included in a SCP if a C/NCSP chooses to submit a SCP. There is no particular date on which a SCP may be submitted (for example there is no requirement it be submitted by the end of the financial year). However, it should be noted that any changes that require consideration before the expiry of the 60 day period may need to be notified separately under section 314A, which specifies a 30 day period for CAC consideration.
173. Section 314C specifies that the kinds of changes that should be included in the SCP include (but are not limited to) the changes listed in new section 314A of the TIA Act, which are outsourcing arrangements, offshoring equipment or services, changes to services, procuring new equipment, and changes to the management of services. Greater clarity on what should and should not be notified, and included or not included in a SCP, will also be provided in administrative guidelines.
Assessment process following notification
174. Section 314D outlines the administrative process following submission of a SCP to the CAC. Under subsection 314D(6) the CAC has 60 days to assess all of the proposed changes in the SCP. In this timeframe, the CAC (in consultation with ASIO as necessary) will consider whether there is sufficient information about each proposed change to assess the potential security risks and whether proposed mitigations (if included) are adequate to manage the risk. If there is insufficient information, the C/NCSP will be contacted in writing and requested to provide further information under subsection 314D(1). Subsection 314D(6) further provides that if the CAC requests further information under subsection 314D(1), the C/NCSP will be provided with a notice as soon as practicable and within 60 days of providing the further information.
175. Like the process for individual notifications under section 314A, the C/NCSP will receive a notice from the CAC regarding each specific change in the SCP (the only difference being that the notification will be made within 60 days). This may be either a:
- request under subsection 314D(1) for further information about a planned change so the CAC can assess whether there is a risk of unauthorised access to, or interference with, telecommunications networks or facilities;
- notice under subsection 314D(3) advising the C/NCSP of a risk associated with a planned change of unauthorised access to, or interference with, telecommunications networks that would be prejudicial to security; or
- notice under subsection 314D(5) that the CAC is satisfied there is not a risk from a planned change of unauthorised access to, or interference with, telecommunications networks or facilities that would be prejudicial to security.
176. The effect of section 314D is that each change included in a SCP is assessed individually. For example, a C/NCSP may receive a notice that there is a risk of unauthorised access or interference that would be prejudicial to security with two out of the ten changes listed in the plan and the C/NCSP would be encouraged to engage with ASIO on mitigation measures for these particular changes. The notice would then specify that no risks have been identified with the remaining eight changes and no further consultation on these changes is required.
177. Like section 314A, this provision does not contain a power to enforce compliance with mitigation advice. Instead, ASIO and government agencies would seek to engage the relevant C/NCSP on the proposed change and provide advice on possible control measures and mitigations to reduce or eliminate the risk in circumstances where a proposed change did give rise to security risks (i.e. unauthorised access and interference) that are prejudicial to security.
178. Failure to address potential security risks and cooperate to implement security advice could lead to ASIO furnishing an adverse security assessment relating to the C/CSP's ability to meet its obligation to secure networks and facilities, to support the Attorney-General in exercising the new directions powers in section 315B. Further, in circumstances where failure to implement mitigation advice resulted in a breach of the security obligation, the Attorney-General could also take enforcement action in the Federal Court to pursue civil remedies such as a civil penalty or an injunction. The notice provided to the C/NCSP under subsection 314D(3) advising of a security risk with a planned change will clarify that a failure to mitigate security risks could mean the C/NCSP is in breach of the obligations under subsections 313(1A) and (2A) to protect telecommunications networks and facilities from unauthorised access and interference, and could result in enforcement action or the Attorney-General issuing a direction under section 315B (or section 315A in extreme cases).
179. The purpose of the notification process is to avoid network operational and management changes being implemented without proper regard to the potential national security vulnerabilities that the change could expose the network to. It will help to ensure that C/CSPs have proper regard to their obligation to protect networks and facilities from unauthorised access and interference under subsections 313(1A) and (2A) of the Telecommunications Act. As noted with respect to individual notifications under section 314A, ASIO will have access to the latest threat information concerning espionage, sabotage, and foreign interference activity. Particular outsourcing arrangements, especially when combined with sensitive parts of the network and facilities, can increase the vulnerability of a network or facility to exploitation. For higher risk C/NCSPs (i.e. those networks likely to be more targeted by malicious actors) the notification process and/or submission of SCPs will be supported by ongoing engagement to proactively manage risks on networks and ensure proposals are modified as appropriate to reduce or eliminate these risks.
180. There is no exemption process associated with SCPs as they are not mandatory. However, any C/NCSP exempted under section 315A from making individual notifications for planned changes to telecommunications systems and services would also be expected not to submit a SCP.
181. Item 12 will also insert the heading 'Division 4 - Carriage service provider may suspend supply of carriage service in an emergency' to apply consistent drafting conventions.
Item 13 - After section 315
Division 5 - Directions by Attorney-General
182. Item 13 inserts new Division 5 into Part 14 to co-locate the existing directions making power of the Attorney-General (new section 315A) and the new directions making power of the Attorney-General (section 315B).
Attorney-General's direction power to cease a service
183. Item 13 relocates repealed subsection 581(3) as new section 315A, which is the Attorney-General's direction making power to not use or supply, or cease using or supplying, carriage services where use or supply is considered to be prejudicial to security. Subsection 581(3) of the Telecommunications Act is repealed under Item 27 of the Bill.
184. The Bill does not change the operation or effect of the existing power vested in the Attorney-General to direct a C/CSP to cease its services on security grounds, with the exception of adding a requirement that ASIO must have issued an adverse security assessment before the Attorney-General can exercise the power. An adverse security assessment is subject to the accountability requirements contained in Part IV of the ASIO Act, including the provision of notice of the adverse assessment to the subject of the assessment, and the availability of review in the AAT. The Bill will also remove a current limitation on judicial review of a direction under the ADJR Act.
185. The new section 315A is intended to be used in the most extreme circumstances, where the continued operation of the service would give rise to such serious consequences that the entire service needed to cease operating. 'Security' is defined for the purposes of section 315A by reference to the definition of security in the ASIO Act, which includes the protection of, and of the people of, the Commonwealth, States and Territories from espionage, sabotage, politically motivated violence, promotion of communal violence, attacks on Australia's defence system, or acts of foreign interference, as well as the protection of Australia's border integrity. The threshold for exercising the power is that the security risk is prejudicial to security. 'Prejudicial to security' is intended to be interpreted in a manner consistent with the definition of the term 'activities prejudicial to security' contained in the ASIO Act. 'Prejudicial to security' is described within the Attorney-General's Guidelines in relation to the performance by the Australian Security Intelligence Organisation of its function of obtaining, correlating, evaluating and communicating intelligence relevant to security (including politically motivated violence) to mean activities relevant to security which can reasonably be considered capable of causing damage or harm to Australia, the Australian people, or Australian interests, or to foreign countries to which Australia has responsibilities.
186. The creation of the new directions power in section 315B is intended to supplement this existing power with a regulatory tool which will enable other action to be taken to address a security risk where the circumstances do not require the complete shut-down of the service. The power to cease a service will remain the ultimate protection measure where action needs to be taken immediately to protect Australia's security interests. For these reasons, some of the additional requirements and protections included in the new directions power under section 315B, for example the Attorney-General must be satisfied all reasonable steps have been taken to reach agreement and consult the affected C/CSP in good faith, are not replicated in the existing provision. However, alternative safeguards are provided for use of the power under section 315A through the requirement to consult the Prime Minister, in addition to the Minister responsible for administering the Telecommunications Act, the Minister for Communications.
187. The Bill will now provide further safeguards by increasing the threshold for exercising the power to circumstances where ASIO has furnished an adverse security assessment. While subsection 581(3) was already included in the list of prescribed administrative actions which could be the subject of an ASIO security assessment, Item 13 will now impose a requirement on the Attorney-General to obtain an adverse security assessment from ASIO prior to using the power in subsection 315A(2).
188. The adverse security assessment triggering the use of the directions power will be issued by ASIO in accordance with Part IV of the ASIO Act and will set out in writing ASIO's advice in respect of the exercise of the directions power by the Attorney-General. In practice, a security assessment under Part IV will be prepared by ASIO following engagement with the affected C/CSP about potential security risks posed to the C/CSP's network and/or facilities and the provision of advice on possible mitigation or remedial measures. If the C/CSP is unwilling to cease the service or take other remedial measures voluntarily, then an adverse security assessment would be prepared by ASIO for the purpose of recommending that the Attorney-General issue a direction under section 315A.
189. In accordance with the accountability provisions contained within Part IV of the ASIO Act, the C/CSP would be able to seek merits review of the ASIO security assessment in the AAT. The Attorney-General would be required to provide a copy of the security assessment to the C/CSP within 14 days. The security assessment would be accompanied by an unclassified statement of grounds that would set out the information ASIO has relied upon and a written notice informing the C/CSP of its right to apply to the AAT for merits review of the security assessment.
190. The Bill (Item 32) also amends the ADJR Act to remove the current exemption from judicial review under the ADJR Act. Currently, while judicial review of a direction to cease a service would likely be available through the High Court's original jurisdiction, the process is more complicated and does not provide as many grounds of review. Removing the current exemption will enable a C/CSP to seek judicial review under the ADJR Act and therefore increase the transparency and accountability of the direction process. It will also align with the review rights provided under the new directions power in subsection 315(2) which will also provide for judicial review under the ADJR Act.
The Attorney-General's power to direct a C/CSP to do or refrain from doing something
191. The Bill will vest an additional directions power in the Attorney-General (section 315B) to provide a more proportionate and graduated power of intervention and enforcement to achieve national security outcomes where this cannot be done on a cooperative basis. Noting that the framework is premised on cooperative engagement and collaboration, it is expected this power will be used only as a last resort to achieve compliance. The intention is that government agencies and C/CSPs continue to operate in the current environment of cooperative engagement and exchange of information, but if national security outcomes cannot be achieved on a cooperative basis, the Attorney-General can consider requiring compliance through the issue of a formal direction.
192. Alternatively, there may be circumstances in which a C/CSP would prefer the certainty of a formal direction. For example, implementing security measures may increase the cost of a particular investment option and other less secure options may be more commercially attractive. Fiduciary duties to shareholders can operate as a disincentive to invest in security measures for the purpose of protecting national security interests. For these reasons, a company board may prefer a clear mandate to govern its decision making.
193. Section 315B provides the Attorney-General with the power to give a written direction requiring the C/CSP to act, or refrain from an act. Before issuing a direction, the Attorney-General must be satisfied that there is a risk of unauthorised interference or access (subsection 315B(1)) that would be prejudicial to security having reference to the meaning of 'security' in the ASIO Act (subsections 315B(1) and 315B(13)). In other words, the Attorney-General would only be authorised to issue a direction where there was a risk of unauthorised interference or access and it threatened the confidentiality of information contained on or carried across telecommunications networks and/or facilities or the availability and integrity of telecommunications networks and facilities and this was prejudicial to security.
194. As noted above, 'security' is defined for the purposes of section 315B by reference to the definition of security in the ASIO Act which includes the protection of the Commonwealth, States, Territories and the people of Australia from espionage, sabotage, attacks on Australia's defence system, or acts of foreign interference, as well as the protection of Australia's border integrity. The threshold for exercising the power is the same threshold as the existing directions powers under section 315A: it must pose a risk that is prejudicial to security. 'Prejudicial to security' is intended to be interpreted in a manner consistent with the definition of the term 'activities prejudicial to security' contained in the ASIO Act. The Attorney-General's Guidelines in relation to the performance by the Australian Security Intelligence Organisation of its function of obtaining, correlating, evaluating and communicating intelligence relevant to security (including politically motivated violence), describe 'prejudicial to security' to mean activities relevant to security and which can reasonably be considered capable of causing damage or harm to Australia, the Australian people, or Australian interests, or to foreign countries to which Australia has responsibilities.
195. The types of things the Attorney-General can direct a C/CSP to do or not do are not specified or limited, with the exception of the limitation imposed in subsection 315B(3). Subsection 315B(3) limits the purpose for which the Attorney-General can issue a direction to do, or refrain from doing, specified acts or things that are 'reasonably necessary' for reducing or eliminating the risks identified in subsection 315B(1). In other words, the direction must specifically direct action, or refraining from an action, that is 'reasonably necessary' to reduce or eliminate the risk of unauthorised access or interference which would otherwise result in a risk prejudicial to security.
196. Noting that the security framework is directed at better managing national security risks associated with the supply of equipment, services and support arrangements, the directions power is likely to be exercised to address vulnerabilities that arise through these arrangements. For example, this could include requiring certain access controls to be implemented to restrict third party access to sensitive parts of networks such as lawful interception systems. Again, the aim of the framework is that C/CSPs will engage with ASIO and AGD when developing procurement plans to outsource capability or network support to a supplier (third party) and if required, mitigation measures would be developed and agreed on a cooperative basis. Where there is disagreement about the need to implement mitigation measures, or an actual failure to implement ASIO recommended mitigation measures, or a C/CSP seeks a more formal request to empower its Board of Executives, the Attorney-General can issue a direction compelling the C/CSP to implement the mitigation measures.
197. A direction would be based on addressing a security risk as set out in an ASIO adverse security assessment. The circumstances where this might arise could also include potential risks associated with planned changes to networks, facilities or services which are notified under new section 314A of the Telecommunications Act. For example, while those provisions themselves identify mechanisms for how the CAC might respond to a notified change that gave rise to a risk of non-compliance with the security obligation, it is possible that where the affected C/CSP failed to implement recommended mitigation measures through that process ASIO would prepare an assessment recommending the Attorney-General issue a direction.
198. Subsection 315A(3) of the Telecommunications Act provides that the Attorney-General cannot exercise the directions power without an adverse security assessment. In this circumstance, an adverse security assessment will set out ASIO's advice in respect of the requirements of security in regard to the exercise of the directions power in the relevant circumstances, including its recommendation that the power be exercised and the statement of grounds for its assessment. An adverse security assessment would normally be prepared in circumstances where ASIO or another relevant agency had informed a C/CSP of the security risks to the C/CSP's network and/or facilities and tried to work with the C/CSP to develop control measures and mitigations but the C/CSP was uncooperative and/or refused to implement ASIO's advice. The adverse security assessment would be prepared by ASIO for the purpose of recommending the Attorney-General issue a direction under section 315B.
199. In accordance with the accountability provisions contained within Part IV of the ASIO Act, the C/CSP may seek merits review of the ASIO security assessment in the AAT. The Attorney-General is required to provide a copy of the security assessment to the C/CSP within 14 days of receiving the assessment. The security assessment must be accompanied by an unclassified statement of grounds setting out the information ASIO has relied upon and a written notice informing the C/CSP of its right to apply to the AAT for merits review of the security assessment.
200. In addition to making an adverse security assessment a pre-condition to the exercise of the directions power in section 315B, the Attorney-General will also have to be satisfied that reasonable attempts have been made to negotiate an outcome between government agencies (for example, ASIO and AGD) and the C/CSP that reduces or eliminates the security risk. The requirement in subsection 315B(5) has the effect of placing an obligation on government agencies to ensure that they have acted in good faith in engaging the C/CSP: alerting it to the risk and to the consequences of not managing the risk, and seeking to work collaboratively with the C/CSP to develop appropriate measures that reduce the risk to security and no more. Likewise, the C/CSP will be under an obligation to engage in good faith and seek to work with ASIO and other government agencies to address security risks.
201. Good faith in this context is intended to impose a requirement that engagement is genuine and solutions-focussed and all reasonable options for addressing the risk are considered by both parties. This provision is intended to underpin the entire objective of the security framework which is to facilitate cooperative and collaborative government and industry partnership to manage national security risks to the telecommunications sector.
202. Good faith in subsection 315B(5) is intended to include consideration of whether the CAC has complied with the applicable statutory timeframes relevant to notifications and SCPs. This is intended to ensure that the Attorney-General takes into account whether the CAC responded to any relevant notifications or SCPs received from industry within the applicable statutory timeframe, prior to issuing a direction.
Avenues available to industry to recover reasonable costs
203. The Commonwealth has a number of means by which it may provide compensation to individuals or organisations that have been disadvantaged by: the effects of legislation; misinformation provided, or actions taken, by Non Corporate Commonwealth Entities or staff; or other circumstances. Each mechanism covers a different situation where a need for special financial assistance might arise; the different mechanisms together provide a suite of options that allows the Government to offer the remedy most appropriate to the individual circumstance of need.
204. In the context of these reforms, the usual avenues are available to recover reasonable costs for individuals or organisations disadvantaged by relevant actions taken. This may include circumstances where the CAC has not responded to a notification within the statutory timeframe and, as a result, a C/CSP is required to change a business decision it has already proceeded with.
205. Possible options may include:
- Act of grace payments pursuant to subsection 65(1) of the Public Governance, Performance and Accountability Act 2013; and/or
- The Scheme for Compensation for Detriment Caused by Defective Administration (CDDA Scheme), which is an administrative scheme giving all portfolio Ministers (or officers authorised by Ministers) a discretionary authority to compensate persons who have suffered detriment due to the 'defective' actions, or inactions, of Non Corporate Commonwealth Entities within the particular Minister's portfolio, and where the applicant has no legal or statutory right of redress.
Matters to which regard must be had before giving direction
206. Subsection 315B(6) outlines the factors the Attorney-General must have regard to in determining whether it is reasonable, in all the circumstances of the case, to issue a direction, and what should be included in that direction. These factors include the risk to security together with other considerations such as the potential costs associated with implementing the proposed direction, the potential impact on competition in the sector and potential impacts on end-users. The harm to security is to be given the greatest weight in this balancing exercise to ensure that Australia's security interests are properly safeguarded despite potential impacts on the C/CSP, competition and end-users. The requirement to have regard to other factors, in addition to the risk to security, will ensure that a direction is proportionate and reasonable in all of the circumstances and guard against imposing directions that would address security risks but have an unnecessarily crippling effect on the C/CSP's business or impede market innovation and competition. Subsection 315B(7) clarifies that the matters listed in subsection 315B(6) are not intended to limit or prescribe the matters to which the Attorney-General can have regard when exercising the power.
207. To ensure that the directions power is exercised in an objective manner and complies with procedural fairness requirements, mandatory consultation requirements have been imposed on the exercise of the directions power. Paragraph 315B(8)(a) imposes mandatory consultation with the Minister administering the Telecommunications Act (the Minister for Communications) to ensure that the exercise of the power takes into account broader communications policy considerations, for example, any potential impact on the telecommunications sector, including effects for competition. This requirement is in addition to the requirement in subsection 315B(6) specifying that the Attorney-General must have regard to the potential consequences of a direction on industry competition and on the C/CSP and its customers. This requirement imposes a high degree of scrutiny and accountability on the Attorney-General's exercise of this power. Mandatory consultation with the Minister for Communications highlights the significance of the decision and will ensure a range of views inform the Attorney-General's exercise of the directions power and the Attorney-General takes into account factors such as the potential impact for the affected C/CSP, end-users and the economy more broadly.
208. Paragraph 315B(8)(b) imposes mandatory consultation with the affected C/CSP. The Attorney-General is required to write to the C/CSP and notify them of his or her intention to issue a direction, set out the terms of the proposed direction, and provide the C/CSP the opportunity to make written representations about the proposed direction. In practice, the Attorney-General will generally provide the C/CSP with a copy of the draft direction at the time he or she provides the ASIO security assessment (as required under the ASIO Act).
209. Subsection 315B(9) sets a minimum timeframe in which the Attorney-General can require the C/CSPs to provide written representations, which is at least 28 days from the date the notice is given. The exception is where a shorter timeframe is required because the circumstances require action to be taken quickly to address a threat, for example where the risk of espionage, sabotage or foreign interference was high and required urgent resolution. The provision does not by implication prevent the Attorney-General from providing a C/CSP longer than 28 days in which to make representations. In fact a notice might seek to provide a timeframe for making representations in the event the C/CSP decided to seek merits review of the security assessment through the AAT which might have the effect of staying the process for issuing a direction. Subparagraph 315B(8)(b)(iii) provides that the Attorney-General is only required to take into account representations made within the specified timeframe. This qualification will ensure that directions can be issued and implemented within a timely manner.
210. Subsection 315B(8) does not specify the form in which representations should be made other than that they must be in writing. Given the Attorney-General is required to consider factors such as the potential cost and impact on the C/CSP and their customers, it would be desirable if representations were able to address these matters. C/CSPs should also set out their reasons as to why they do not agree to implement ASIO's advice.
211. Subsection 315B(10) clarifies that subsection 315B(8) does not operate to restrict the Attorney-General from consulting other persons. This could include other Ministers with an interest, such as the Minister for Foreign Affairs and Trade where there are international sensitivities. A direction would also likely be informed by the advice of other security agencies and relevant government agencies through consultations by AGD.
212. Subsection 315B(11) requires the Attorney-General to provide the telecommunications regulator, the ACMA, with a copy of any direction that is issued under new subsection 315B(1). This is a notification only to the ACMA and does not require intervention by the ACMA.
213. Subsection 315B(12) is intended to make clear that a breach of a direction given by the Attorney-General under section 315B gives rise to the enforcement regime in the Telecommunications Act. A direction must be complied with by a C/CSP. Non-compliance is one trigger for further action, as provided for in the Bill under Items 15-29. Neither subsection 315B(12) nor subsection 315A(5) precludes enforcement action being taken against a C/CSP which has breached the obligations in section 313 of the Telecommunications Act (including the new obligation in this Bill) without that C/CSP having been issued with a direction.
214. Given the potential implications of a direction for the operations of a C/CSP, the Attorney-General's power to issue directions under sections 315A or 315B cannot be delegated (unlike the Secretary of AGD's information-gathering powers under section 315C, which may be delegated to the Director-General of Security; see notes on Division 6 below). There is also no implied power to authorise an official to exercise the power to issue directions on the Attorney-General's behalf.
Division 6 - Attorney-General's Secretary's information-gathering powers
215. Item 13 inserts Division 6, which sets out the Secretary of AGD's new information-gathering powers under sections 315C-315H.
216. The Secretary of AGD is empowered to request information from C/CSPs under section 315C where that information is relevant to assessing their compliance with the obligation to protect networks and facilities under subsections 313(1A) and (2A). In exercising the power the Secretary of AGD must have the belief that the C/CSP has information or documents that would assist the Secretary of AGD to assess compliance with the duties in subsections 313(1A) and (2A). It is not necessary that the Secretary of AGD be satisfied that a breach has occurred before exercising the information gathering power. The information gathering power has been drafted with reference to the Administrative Review Council's twenty best practice principles for implementing and exercising information gathering powers in its 2008 report on the Coercive Information Gathering Powers of Government Agencies. In particular, the information gathering power is limited to obtaining material directly relevant to monitoring compliance with the proposed security obligation.
217. Paragraph 315C(2)(c) provides that the Secretary of AGD may exercise his or her information-gathering power in respect of copies of documents or information, rather than original versions of requested documents, including electronic documents and applications. Subsection 315C(8) provides that if a C/CSP provides copies of documents in compliance with a requirement under paragraph 315C(2)(c), the C/CSP will be entitled to be paid reasonable compensation by the Commonwealth. Paragraph 315C(2)(c) will operate in a similar manner to the information-gathering powers granted to the ACMA in paragraphs 521(2)(b) and (c) of the Telecommunications Act.
218. Subsection 315C(4) requires the Secretary of AGD to consider the potential cost, time and effort imposed on the C/CSP in complying with the notice. In practice, government agencies will likely engage the C/CSP prior to issuing a notice to discuss the terms of the notice. The purpose of this discussion will be to ensure the notice targets the information sought and does not put the C/CSP to unnecessary expense. There may be circumstances where it is not feasible or necessary to engage the C/CSP prior to issuing the notice. A failure to engage or consult does not affect the validity of the notice as it is not a pre-condition for issuing the notice.
219. The information-gathering power is intended to formalise and extend the existing cooperative relationship of information exchange between government and C/CSPs. The new power is not intended to replace these existing practices, but instead would be exercised in circumstances where a C/CSP considers it is restrained from sharing information for contractual or other legal reasons, or for some other reason refuses to cooperate. There may be instances where C/CSPs are reluctant to provide information because of commercial-in-confidence reasons or because it is potentially self-incriminating. The powers are modelled on the ACMA's existing information-gathering powers in Part 27 of the Telecommunications Act and include existing protections against self-incrimination.
220. The information-gathering power in section 315C (combined with the provision on self-incrimination in new section 315D) will operate to override reasons for non-disclosure and compel the provision of information or documents. The compulsion element has the effect of authorising the disclosure of personal information under the Privacy Act (i.e. the disclosure is authorised by law) and offers a statutory protection for breach of confidentiality provisions in contracts.
221. Subsection 315C(3) clarifies that a C/CSP issued with a notice to produce information or documents must comply with that notice. Furthermore, subsection 315D(1) clarifies that a notice under section 315C must be complied with even if it exposes the person (an individual or a body corporate) to criminal or civil liability. Subsection 315D(1) reflects section 187 of the Commonwealth Evidence Act 1995, which abolishes the privilege against self-incrimination for bodies corporate, including where the body corporate is required to answer a question, give information or produce a document under a law of the Commonwealth.
222. Subsection 315D(2) provides broad protections for individuals against criminal or civil proceedings if the information is self-incriminating. For example, it clarifies that the documents or information cannot be used in evidence in any criminal or civil proceedings against the individual with the exception of Commonwealth criminal proceedings for providing false or misleading information or documents or civil proceedings to recover a penalty for non-compliance with the exercise of the information gathering power itself. The common law privilege against self-incrimination only extends to natural persons, not to bodies corporate. This is a well-established principle in common law, as outlined in AGD's 2011 A Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers.
223. Non-compliance with a notice to provide information or documents will constitute a breach of the Telecommunications Act and will attract the operation of the civil remedies regime in Part 30 (injunctions), Part 31 (civil penalties) and Part 31A (enforceable undertakings) of the Telecommunications Act. The Bill authorises the Attorney-General to bring proceedings to enforce these remedies for non-compliance with a notice issued under section 315C.
224. The information to be sought under subsection 315C(2) is likely to be of a commercial nature, rather than personal information. It is very unlikely that this information would relate to end-users. Rather it would likely fall into the category of procurement plans, network or service design plans, tender documentation, contracts and other documents specifying business and service delivery models and network layouts.
225. Subsection 315C(4) sets out the requirements for a notice issued by the Secretary of AGD under subsection 315C(2). Subsections 315C(2) and 315C(4) have the effect of requiring the Secretary of AGD to make any request for information and documents by written notice which sets out when the information or documents are required, the form in which they are required to be provided or produced, and outline the effect of provisions relevant to C/CSPs concerning compliance with the Telecommunications Act and offences under the Criminal Code for providing false or misleading information. This ensures C/CSPs understand the consequences of failure to comply with a notice issued under section 315C, including the criminal consequences for providing misleading or false information.
226. Given the potential sensitivities of information required to be provided to the Secretary of AGD (or his or her delegate, see new section 315G) under section 315C, and given that self-incrimination does not excuse non-compliance with a notice issued under subsection 315C(2) (see new section 315D), the Bill inserts a number of provisions to clarify the use, retention and further disclosure of the information to other persons.
227. Section 315E clarifies that the Secretary of AGD may inspect a document produced under section 315C and may make and retain copies as necessary. Section 315F empowers the Secretary of AGD to take possession of the documents obtained under section 315C (including original documents) and keep them for as long as he or she deems necessary. Noting that section 315H enables the further disclosure of that document for other purposes (as specified by section 315H), the document could be retained for a period beyond the purpose of the initial request. Confidentiality of retained documents would be protected under existing legislative requirements governing the use and disclosure of documents and information held for official purposes, including secrecy obligations and storage requirements under the Archives Act 1983. It is important to note that the type of information or documents that can be required to be provided is however limited by relevance to the security obligation imposed in subsections 313(1A) and (2A). Section 315F imposes requirements on the Secretary of AGD (or his or her delegate) to provide a certified copy of the original documents to the person who is entitled to possess the document that was produced pursuant to the notice and otherwise provide reasonable access to inspect or copy the document.
228. Section 315G allows the Secretary of AGD to delegate any of the information-gathering powers referred to in new sections 315C, 315E and 315F to the Director-General of Security. The purpose of this delegation power is to counter protracted engagement processes and in particular to enable the Director-General, whose Organisation is likely to be directly engaging with C/CSPs, to obtain relevant information for the purpose of assessing the risk of unauthorised access and interference. In accordance with usual administrative law practices, the delegation must be in writing and specify to whom or to what position the power is delegated. Also in accordance with administrative law practices, the Secretary of AGD may revoke the delegation at any time. Subsection 315G(2) contains a further protection in the exercise of the information gathering power by a delegate by enabling the Secretary of AGD to specify how the delegate is to exercise the power. The delegate must comply with any directions issued by the Secretary of AGD otherwise the exercise of the power will be invalid.
Division 7 - Information sharing and confidentiality
229. Item 12 inserts Division 7, which sets out how information obtained under sections 314A, 314B, 314C, 314D, 315C and 315H may be shared and disclosed.
230. Section 315H authorises the further use or disclosure of information or documents obtained under sections 314A, 314B, 314C, 314D, 315C and 315H to persons other than the Secretary of AGD or their delegate. Disclosure must be either for the purpose of assessing compliance with a C/CSP's obligation to protect networks and facilities from unauthorised access or interference, or for broader security purposes (paragraphs 315H(1)(a) and (b)). In practice it is likely that information sharing may take place between relevant government agencies, such as with the Department of Communications and the Arts or the Australian Signals Directorate. For example, information or documents may be shared in cases where technical expertise or assistance is required to assess risks to security. It may also be used to inform the Attorney-General or other relevant Ministers for the purpose of exercising the Attorney-General's power in new section 315A (previously subsection 581(3)), or more broadly for the purposes of security. 'Security' is defined by reference to the ASIO Act. The powers would therefore also potentially authorise sharing of information or documents with state authorities and international partners, pursuant to the ASIO Act and formal information sharing arrangements with those countries.
231. While section 315H allows an expanded number of people to access the information or document required to be provided, this is limited to the protection of security. For example, a document or information may also be relevant in assessing the vulnerability of another Australian network to unauthorised access or interference. It is important that government agencies are not prevented from relying on a piece of information or document that reveals or addresses other security threats and risks. Again, the information and documents that are captured by this information sharing provision are likely to be commercial in nature and restricted to being relevant to the duty in subsections 313(1A) or 313(2A).
232. Safeguards are built into section 315H to protect commercially sensitive information provided by C/CSPs. Subsection 315H(2) requires the Secretary of AGD, the Director-General of Security or other Commonwealth officers who have access to the information or documents to remove from the information or documents information that identifies the C/CSP before sharing them outside of the Australian Government. In practice, information would only likely be shared outside Commonwealth Government officials for reasons of providing threat information and intelligence to foreign partners in support of reciprocal information sharing arrangements. Australia is dependent on intelligence provided under these arrangements to support preparation of its own threat advice to Australian companies. C/CSPs will not be advised when information is shared with foreign partners as this could potentially compromise national security by identifying the types of issues considered by security agencies and the nature of sharing arrangements.
233. Only information that does not identify the C/CSP (i.e. the threat-based information) would be shared in these circumstances, and information shared in these circumstances is protected through formal arrangements such as a Memorandum of Understanding. In practice this would involve removing the identifying details of the C/CSP, such as company name and logo, before the information or documents are shared. As outlined above, information or documents would be shared with other security agencies and foreign intelligence partners to better protect national security. It would not be shared with a C/CSP's competitors or with other stakeholders who may gain a commercial advantage from seeing this information. Subsection 315H(3) also imposes a confidentiality obligation on people who obtain information or documents. This would include protection of information and documents in line with Australian Government policies and procedures and only disclosing the information or documents for the purposes of section 315H or where otherwise provided for under other legislation.
234. Australian Government agencies subject to the Privacy Act are required to protect, use, disclose and destroy personal information in line with the requirements of the Privacy Act. Section 315H is intended to allow information to be shared for reasons of providing threat information and intelligence to foreign partners in support of reciprocal information sharing arrangements. Information or documents would therefore generally be de-identified prior to being shared to remove personal information, unless information about a particular person needs to be shared for the purposes of security (such as where information about an individual is directly relevant to a security threat). The note under subsection 315H(1) clarifies, for the avoidance of doubt, that existing legislative privacy obligations under the Privacy Act continue to apply to Australian Government agencies subject to the Privacy Act.
235. The restrictions in section 315H will not override existing legislative provisions that authorise ASIO to communicate information obtained in the performance of its functions. Parliament has already set out the circumstances in which it is considered appropriate for an agency such as ASIO to be able to communicate information collected as part of the performance of its functions, including personal and other information collected under warrant.
236. The ASIO Act provides the authority for ASIO to seek information from, and provide information to, authorities in other countries that is relevant to Australia's security, or the security of the foreign country. In general, the types of foreign authorities that are approved by the Attorney-General perform broadly similar functions to ASIO, and include security and intelligence authorities, law enforcement, immigration and border control, and government coordination bodies.
237. ASIO has internal guidelines that govern the communication of information about Australians and foreign nationals to approved foreign authorities. These guidelines impose an internal framework for assessing and approving the passage of such information.
238. In addition to these safeguards, the activities of ASIO (including intelligence sharing activities) are reviewed by the independent statutory office of the Inspector-General of Intelligence and Security (IGIS). The IGIS publicly reports each year about inquiries or inspection activity conducted during that year.
239. Although there are no express consequences for a breach of the confidentiality requirements in subsections 315H(2) or (3), disciplinary action would be available under existing legislation for Australian Government employees who breach these provisions. Under the Public Service Act 1999, Australian Public Service employees must comply with all applicable Australian laws and could face disciplinary action for any breaches. Section 70 of the Crimes Act 1914 applies criminal sanctions to unauthorised disclosure of information by current or former Commonwealth officers. Many Australian states and territories have similar offences for unauthorised disclosure of information by public officials.
Division 8 - Annual report
240. Section 315J obliges the Secretary of AGD to provide an annual report to the Attorney-General on the operation of the provisions in this Bill. Subsection 315J(3) obliges the Attorney-General to cause a copy of this report to be laid before each House of the Parliament within 15 sitting days of that House after receiving the report.
241. Subsection 315J(1A) prescribes specific reporting obligations for the Secretary of the Attorney-General's Department to include in his or her annual report on the operation of the reforms. The reporting requirements are intended to support transparency and accountability of the reforms.
Attorney-General's directions
242. Paragraph 315J(1A)(a) requires the Secretary to report on the number of directions the Attorney-General gave under subsection 315A(1).
243. Paragraph 315J(1A)(b) requires the Secretary to report on the number of directions the Attorney-General gave under subsection 315B(2).
CAC notifications and response timeframes
244. Subparagraphs 315J(1A)(c)(i) to (iii) require the Secretary to report information relating to notifications received by the CAC in accordance with section 314A. This includes:
- •
- the number of notifications the CAC received under subsection 314A(3);
- •
- in response to such notifications, the average number of days taken by the CAC to give a notice under subsection 314B(3) or (5); and
- •
- in response to such notifications, the percentage of notices given by the CAC under subsection 314B(3) or (5), within the period under subsection 314B(6).
Applications for exemptions from notification
245. Subparagraphs 315J(1A)(d)(i) to (iii) require the Secretary to report information relating to applications for exemption received by the CAC under subsection 314A(5A). This includes:
- •
- the number of applications the CAC receives under subsection 314A(5A);
- •
- in response to such applications, the average number of days taken by the CAC to give a notice under subsection 314A(4) or (5) or paragraph 314A(5B)(b); and
- •
- in response to such applications, the percentage of notices given by the CAC under subsection 314A(4) or (5) or paragraph 314A(5B)(b) within the period under subsection 314A(5B).
Security capability plans
246. Subparagraphs 315J(1A)(e)(i) to (iii) require the Secretary to report information relating to SCPs. This includes the:
- •
- total number of SCPs received under subsection 314C(1);
- •
- average CAC response time to give a notice under subsection 314D(3) or (5), in days; and
- •
- percentage of notices given by the CAC under subsection 314D(3) or (5), within the period under subsection 314D(6).
Secretary's information-gathering powers
247. Paragraph 315J(1A)(f) requires the Secretary to report on the number of notices the Secretary gave under subsection 315C(2).
Information sharing arrangements
248. Paragraph 315J(1A)(g) requires the Secretary to report on the details of the information sharing arrangements between the Commonwealth and industry on the reforms.
Feedback, complaints, trends and issues
249. Paragraph 315J(1A)(h) requires the Secretary to report a summary of any feedback or complaints made in relation to the reforms.
250. Paragraph 315J(1A)(i) requires the Secretary to report on any trends or issues in the matters covered by paragraphs 315J(1A)(a) to (h).
Division 8A - Review by the Parliamentary Joint Committee on Intelligence and Security
251. Subsection 315K(1) requires the PJCIS to review the operation of the reforms. Paragraph 315K(2)(a) provides that the review must start on or before the second anniversary of the commencement of this section, while paragraph 315K(2)(b) requires the review to conclude on or before the third anniversary of the commencement of this section. Schedule 1 is intended to commence on the day after the end of the period of 12 months, beginning on the day the Act receives Royal Assent.
Item 14 - Before section 316
252. Item 14 will insert the heading 'Division 7 - Generality of Part not limited' before the existing section 316 of the Telecommunications Act to separate this section from the new sections added by this Bill.
Item 15 - Subsections 564(1) and (2)
253. The directions powers granted to the Attorney-General and the information-gathering powers granted to the Secretary of AGD by this Bill will be enforceable by virtue of the application of existing civil remedies provided for in the Telecommunications Act. These are located in Part 30 (injunctions), Part 31 (civil penalties) and Part 31A (enforceable undertakings) of the Act. These provisions provide remedies to penalise breaches of obligations under the Act and to prevent a breach.
254. It is expected that the Attorney-General (supported by AGD) would manage all compliance and enforcement action with respect to provisions in this Bill, and that the ACMA would not act as a regulator with respect to these provisions, to ensure there is no duplication of roles. However, this Bill does not expressly preclude the ACMA from taking separate and independent action with regard to these new provisions, given its role as regulator for the communications sector.
255. Item 15 has the effect of vesting the Attorney-General with the same powers vested in the Communications Minister, the ACMA and the Australian Competition and Consumer Commission (ACCC), to apply to the Federal Court of Australia for an injunction to restrain a C/CSP from engaging in conduct that contravenes the Telecommunications Act. The Attorney-General may also apply for an injunction requiring a C/CSP to take action (paragraphs 564(1)(a) and (b)). For example, the Attorney-General may wish to seek an injunction where information has been obtained that a C/CSP is about to enter into a contract which poses a risk to security in the form of unauthorised access or interference.
Item 16 - After subsection 564(3)
256. The standing of the Attorney-General to apply for an injunction in the Federal Court of Australia is limited by subsection 564(3) of the Telecommunications Act. Item 16 inserts subsection 564(3A), which has the effect of limiting the standing of the Attorney-General to apply for injunctive relief to address non-compliance with the security obligation (new subsections 313(1A) and 313(2A)), a direction issued under new subsection 315A(5) or 315B(12), or a notice to provide information or documents under new subsection 315C(3). Any one of these types of breaches has the potential to give rise to an application by the Attorney-General for an injunction.
257. C/CSPs are encouraged to notify the CAC, where appropriate, of changes to systems and services under sections 314A and 314C and to engage early, before entering into contractual arrangements. The ability for the Attorney-General to apply to the Federal Court for an injunction is designed to encourage this early engagement with government. Injunctions and other enforcement powers will only be used as a last resort, following engagement between government and C/CSPs and attempts to address security risks cooperatively.
Item 17 - Before subsection 564(4)
258. Item 17 inserts the heading 'Definition' before subsection 564(4) of the Telecommunications Act to clarify an existing subsection within Division 6 relating to the Telecommunications (Consumer Protection and Service Standards) Act 1999 and regulations under that Act.
Item 18 - Subsection 571(1)
259. Section 570 of the Telecommunications Act provides that pecuniary penalties are payable for contraventions of civil penalty provisions. The Communications Minister, the ACMA or the ACCC may institute a proceeding in the Federal Court of Australia for the recovery of those penalties (subsection 571(1)). Item 18 grants the Attorney-General that same ability.
Item 19 - Before subsection 571(3)
260. Item 19 inserts the heading 'Limit on standing of the ACMA' before existing subsection 571(3) of the Telecommunications Act, which identifies provisions under which the ACMA is not entitled to institute a proceeding for the recovery of a penalty.
Item 20 - At the end of section 571
261. Like the limitation imposed on the standing of the Attorney-General to seek injunctive relief, Item 20 inserts new subsection 571(4) into the Telecommunications Act to limit the standing of the Attorney-General to recover pecuniary penalties provided for in Part 31 of the Telecommunications Act to cases of non-compliance with the security obligation (new subsections 313(1A) and 313(2A)), a direction issued under new subsection 315A(5) or 315B(12), or a notice to provide information or documents under subsection 315C(3). Any one of these types of breaches has the potential to give rise to an application to the Federal Court of Australia by the Attorney-General for the imposition of a pecuniary penalty.
Item 21 - Section 572A
262. Item 21 enables the Attorney-General to enter into enforceable undertakings with C/CSPs provided for in Part 31A of the Telecommunications Act. This is achieved by extending the operation of section 572A to refer to the Attorney-General along with the ACMA as being authorised to accept an undertaking.
Item 22 - Subsections 572B(1), (3) and (4)
263. The Attorney-General will have a role in the operation of enforceable undertakings equivalent to that played by the ACMA under the current legislation. A C/CSP which has been identified as being in breach of its obligations under section 313 of the Telecommunications Act, or in breach of new subsections 315A(5), 315B(12) or 315C(3), may make a formal commitment to the Attorney-General to remedy that breach. The commitment may be to take action, refrain from taking action, or to ensure that the Telecommunications Act is not contravened in the future. The undertaking may only be withdrawn by the C/CSP, with the consent of the Attorney-General.
Item 23 - At the end of subsection 572B(5)
264. Item 23 authorises (but does not oblige) the Attorney-General to publish the undertaking on the Attorney-General's Department's website.
Item 24 - After subsection 572B(5)
265. Item 24 limits the Attorney-General's authority to accept an undertaking to an undertaking which addresses compliance with the security obligation (new subsections 313(1A) and 313(2A)), a direction issued under new subsection 315A(5) or 315B(12), or a notice to provide information or documents under new subsection 315C(3) of the Telecommunications Act. These circumstances are the same as those which enable the Attorney-General to institute proceedings in the Federal Court of Australia to apply for an injunction or to recover pecuniary penalties.
Item 25 - Subsection 572C(1)
266. Item 25 extends the operation of subsection 572C(1) of the Telecommunications Act to apply to the Attorney-General, in addition to the ACMA. The effect of this is to give the Attorney-General standing to apply to the Federal Court of Australia to enforce an undertaking that the Attorney-General entered into with a C/CSP in circumstances where the C/CSP has failed to comply with the terms of the undertaking.
Item 26 - At the end of section 572C
267. Item 26 has the effect of clarifying that the authority which the ACMA and the Attorney-General have to bring proceedings in the Federal Court of Australia to enforce an undertaking only exists for those undertakings they are authorised to accept. In other words, the Attorney-General can only bring proceedings to enforce undertakings he or she has accepted that relate to compliance with the security obligation (new subsections 313(1A) and 313(2A)), a direction issued under new subsection 315A(5) or 315B(12), or a notice to provide information or documents under new subsection 315C(3).
Item 27 - Subsections 581(3) and (3A)
268. Item 27 repeals subsections 581(3) and (3A) of the Telecommunications Act relating to the Attorney-General's power to direct a C/CSP to cease using or supplying a service. These sections are reinserted in section 315A (Item 12 above).
Item 28 - Subsection 581(4)
269. Item 28 removes reference to repealed subsection 581(3) of the Telecommunications Act in existing subsection 581(4). The effect of this amendment is that Part 34 only relates to the powers of the ACMA to give a direction to carriers and service providers.
Item 29 - Subsection 581(5)
270. Item 29 repeals subsection 581(5) of the Telecommunications Act to remove the definition of 'security' as this relates specifically to the Attorney-General's powers under Part 34 which have been repealed. The definition of security appears in new subsection 315A(6).
PART 2 - OTHER AMENDMENTS
Telecommunications (Interception and Access) Act 1979
Items 30 and 31 - Subparagraph 202A(a)(ii) and at the end of paragraph 202B(1)(b)
271. Item 30 will amend the TIA Act to exclude the new obligations to protect networks and facilities from unauthorised access and interference in subsections 313(1A) and (2A) of the Telecommunications Act from the purpose of Part 5-4A of the TIA Act.
272. Item 31 will amend the TIA Act so that the notification requirement in section 202B of that Act will not be invoked by the new obligations in subsections 313(1A) and 313(2A).
273. This exclusion from Part 5-4A of the TIA Act is to ensure there is no duplication of reporting requirements between the existing notification obligations in section 202B of the TIA Act and the new specific notification obligation that will be created by this Bill under section 314A of the Telecommunications Act.
Administrative Decisions (Judicial Review) Act 1977
Item 32 - Paragraph (daa) of Schedule 1
274. Item 32 omits the reference to repealed subsection 581(3) in Schedule 1 to the ADJR Act. This is not substituted with a reference to new subsection 315A (the Attorney-General's power to direct that a C/CSP cease using or supplying a service) to give effect to the decision to now allow review under the ADJR Act.
Australian Security Intelligence Organisation Act 1979
Item 33 - Subsection 35(1) (subparagraph (d)(ii) of the definition of prescribed administrative action)
275. Item 33 repeals the reference to existing subsection 581(3) in the definition of prescribed administrative action and substitutes a reference to the Attorney-General's directions power under new sections 315A and 315B. The inclusion of these powers in the definition of prescribed administrative action will enable ASIO to provide advice in respect of the exercise of these powers to the Attorney-General in the form of a security assessment. This security assessment will attract the accountability obligations contained in Part IV of the ASIO Act, for example notification requirements and review rights.
Item 34 - Paragraph 38A(1)(b)
276. Item 34 repeals paragraph 38A(1)(b) which references the Attorney-General's direction making powers and substitutes reference to the new sections 315A and 315B.
PART 3 - TRANSITIONAL AND SAVING PROVISIONS
Item 35 - Transitional and saving provisions
277. New subsection 315A(1) will have the same purpose and effect as existing subsection 581(3), which will be repealed under Item 27 of these amendments.
278. Item 35 provides that any directions made by the Attorney-General under the existing subsection 581(3) will continue to operate upon repeal of that provision as if they were a direction in force under section 315A of the Act.
279. Item 35 also provides for the assessments made under subsection 38A(1) of the ASIO Act in relation to existing subsection 581(3) of the Telecommunications Act to continue to have effect upon the commencement of new subsection 315A.
280. Item 35 will also mean that the exemption from review under the ADJR Act of any directions issued under subsection 581(3) will continue upon repeal of this subsection by this Bill.