House of Representatives

Explanatory Memorandum

(Circulated by authority of the Minister for Home Affairs, the Honourable Peter Dutton MP)

Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011

Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018

1. This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Overview of the Bill

2. The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (Bill) will amend the Telecommunications Act 1997 and related legislation, including the Telecommunications (Interception and Access) Act 1979 (TIA Act), Surveillance Devices Act 2004 (SD Act), the Crimes Act 1914 (Crimes Act), the Mutual Assistance in Criminal Matters Act 1987 (MACMA), the Australian Security Intelligence Organisation Act 1979 (ASIO Act) and the Customs Act 1901 (Customs Act), to assist agencies to adapt to an operating environment characterised by ubiquitous encryption.

3. The Bill:

•

introduces new provisions that will allow law enforcement and security agencies to secure assistance from key providers in the communications supply chain both within and outside Australia (Schedule 1), and

•

enhances agencies' ability to use a range of capabilities, including:

i.

a new power for Commonwealth, State and Territory law enforcement agencies to obtain computer access warrants under the SD Act and enhancements to the computer access warrants already available to ASIO (Schedule 2)

ii.

increased ability of criminal law enforcement agencies to collect evidence from electronic devices under Crimes Act search warrants (Schedule 3)

iii.

a new power for the Australian Border Force (ABF) to request a search warrant to be issued in respect of a person for the purposes of seizing a computer or data storage device (Schedule 4), and

iv.

an enhanced ability for persons to voluntary cooperate with ASIO by providing immunities from civil liability (Schedule 5).

Human rights implications

4. The Bill engages the following human rights:

•

protection against arbitrary or unlawful interference with privacy contained in Article 17 of the International Covenant on Civil and Political Rights (ICCPR)

•

the right to a fair trial, the right to minimum guarantees in criminal proceedings and the presumption of innocence contained in Article 14 of the ICCPR

•

the right to effective remedy contained in Article 2(3) of the ICCPR, and

•

protection of the right to freedom of expression contained in Article 19 of the ICCPR.

5. All Schedules of the Bill engage the protection against arbitrary or unlawful interference with privacy contained in Article 17 of the ICCPR. Article 17 provides that no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour or reputation, and that everyone has the right to the protection of the law against such interference or attacks.

6. The right to privacy under Article 17 can be permissibly limited in order to achieve a legitimate objective and where the limitations are lawful and not arbitrary. The term 'unlawful' in Article 17 of the ICCPR means that no interference can take place except as authorised under domestic law. Additionally, the term 'arbitrary' in Article 17(1) of the ICCPR means that any interference with privacy must be in accordance with the provisions, aims and objectives of the ICCPR and should be reasonable in the particular circumstances. ^[1] The United Nations Human Rights Committee has interpreted 'reasonableness' to mean that any limitation must be proportionate and necessary in the circumstances.

7. The purpose of the Bill, and the associated limitations on the right to privacy, are to protect national security, public safety, address crime and terrorism. The Bill aims to protect the rights and freedoms of individuals by providing law enforcement and national security agencies with the tools they need to keep Australians safe.

Schedule 1

Protection against arbitrary or unlawful interferences with privacy - Article 17 of the ICCPR

Technical assistance requests and technical assistance notices

8. The provisions that will enable law enforcement, security and intelligence agencies to request assistance (technical assistance request) and compel assistance (technical assistance notice) from designated communications providers (providers) engage the right to protection against arbitrary and unlawful interferences with privacy in Article 17 of the ICCPR. This is because communications providers may facilitate law enforcement, security and intelligence agencies' access to private communications and data where an underlying warrant or authorisation is present.

9. New section 317G of the Telecommunications Act will allow the head of an interception agency, the Director-General of ASIO, the Director-General of the Australian Secret Intelligence Service (ASIS) or the Director-General of the Australian Signals Directorate (ASD) to issue a technical assistance request asking a provider to do specified acts or things. Interception agency includes the Australian Federal Police, Australian Commission for Law Enforcement Integrity, the Australian Criminal Intelligence Commission, State and Territory police forces and State and Territory crime and corruption commissions. A provider who receives a request is not legally required to fulfil the request but may do so voluntarily.

10. New section 317L of the Telecommunications Act will allow the head of an interception agency or the Director-General of ASIO to issue a technical assistance notice where the requirements imposed by the notice are reasonable, proportionate, practicable and technically feasible. Once received, a provider is required to comply with a notice.

11. The assistance that can be requested under a technical assistance request or technical assistance notice must be connected to the activities of a provider and the listed acts or things in new section 317E. This includes providing technical information about a service operated by a provider, assisting with the testing or modification of an agency's internal system or modifying the characteristics of a service. Therefore, any interference with the right to privacy would not arbitrary because a technical assistance request or notice may only be issued for a specified list of acts or things.

12. Under a technical assistance request or technical assistance notice, a provider cannot be asked to provide the content of a communication or private telecommunications data, such as the date, time and duration of a communication without an existing warrant or authorisation under the TIA Act. Subsection 317ZH(1) makes clear that notices have no effect to the extent that they would require a provider to do a thing for which a warrant or authorisation under the TIA Act, the SD Ac t, the Crimes Act, the ASIO Act, the IS Act or equivalent State and Territory laws would be required.

13. Subsection 317ZH(2) provides that for the purposes of the limitations in subsection 317ZH(1), the Acts referred to are assumed to apply extra-territorially. This means that the limitation under section 317ZH(1) in relation to the need for a warrant or authorisation applies equally to onshore and offshore providers. The head of an agency cannot require an overseas provider to do anything that would require a warrant or authorisation if the provider was a carriage service provider located in Australia. Consequently, the existing legislative schemes will govern how agencies request and receive personal information from all providers. The existing legislative safeguards will continue to apply.

14. For example, the TIA Act prohibits the interception of communications unless a criminal law enforcement agency meets strict statutory thresholds and receives a warrant from a Judge or Administrative Appeals Tribunal (AAT) member. The Judge or AAT member can only issue a warrant if he or she is satisfied that the intercepted information would assist in the investigation of a serious offence (generally offences punishable by at least 7 years - see section 5D of the TIA Act). They are required have regard to the nature and extent of interference with the person's privacy, the gravity of the conduct constituting the offence, the extent to which information gathered under the warrant would be likely to assist an investigation, and other available methods of investigation. The TIA Act also has prohibitions on communicating, using and making records of communications.

15. Where an existing warrant or authorisation under the TIA Act is in place, a notice or request may be issued to facilitate agency access to personal information or communications. For example, a technical assistance notice may ask a provider to decrypt information that would otherwise be unintelligible if the provider has the ability to do so.

16. The Bill pursues the legitimate objective of protecting national security and public order by addressing crime and terrorism. The Bill includes safeguards to protect the right to privacy. The amendments only go so far as is necessary in limiting the right to privacy. Specifically, the assistance requested or compelled must relate to the performance of a function or exercise of a power conferred by law.

17. In the case of a technical assistance notice, an agency head may only issue the notice if satisfied the acts required are reasonable, proportionate, practicable and technically feasible. This means the decision-maker must evaluate the individual circumstances of each notice. The decision-maker must turn his or her mind to the interests of the agency, the interests of the provider, as well as wider public interests, such as the impact on privacy.

18. In determining what is reasonable and proportionate, the decision-maker must have regard to: the interests of national security; the interests of law enforcement; the legitimate interests of the designated communications provider to whom the notice relates; the objectives of the notice; the availability of other means to achieve the objectives of the notice; the legitimate expectations of the Australian community relating to privacy and cybersecurity, and any other matters (if any) that the decision-maker considers to be relevant.

19. The ability to issue a technical assistance request or technical assistance notice is restricted to senior executive staff in all agencies. Accordingly, requests will only be issued by persons with the appropriate seniority and expertise who are in a position to effectively determine the proportionality, reasonableness, practicability and technical feasibility of any request.

20. A technical assistance notice cannot have the effect of requiring a provider to implement or build a systemic weakness or vulnerability into a form of electronic protection. This protection limits the privacy implications of the power by ensuring the security of third parties' communications is not impacted. While systemic weaknesses cannot be built into services or devices, a technical assistance notice can require the selective deployment of a weaknesses or vulnerability in a particular service, device or item of software on a case-by-case basis. Deployment of this kind is necessary to access protected information of suspect individuals and gather intelligence or evidence in the course of an investigation. This will ensure that the powers achieve legitimate, national security and law enforcement objectives without unduly jeopardising the legitimate privacy and information security interests of innocent parties.

21. The measures are permissible limitations on individual privacy. The assistance that agencies may request or compel from providers is not arbitrary as it is prescribed by law. The provisions achieve the legitimate objective of protecting national security and public order. The Bill will assist agencies to fulfil their functions in a digital environment characterised by encryption and enable them to discharge their law enforcement and security functions more effectively. Terrorism, espionage, acts of foreign interference and serious and organised crime are regularly conducted through electronic communication services and devices operated by private providers. Industry is in a unique position to help agencies degrade, disrupt and prosecute criminal activity of this kind.

22. The amendments do not constitute an arbitrary or unlawful incursion into a person's right to privacy. To the extent that there is a restriction on an individual's right to privacy, statutory safeguards ensure any interference is reasonable, necessary and proportionate.

Technical capability notices

23. The new power for the Attorney-General to issue technical capability notices to designated communications providers engages the right to privacy in Article 17 of the ICCPR.

24. To the extent that a person's rights to privacy under Article 17 may be limited, the limitations are reasonable, proportionate and necessary. The power is proportionate and not arbitrary. It is set out in law and subject to a number of safeguards.

25. New section 317T of the Telecommunications Act will allow the Attorney-General to issue a technical capability notice requiring a provider to do acts or things to ensure that the provider is capable of giving help to ASIO or an interception agency.

26. The types of capabilities that may be required to be built under a technical capability notice are limited and must be directed towards ensuring a provider is capable of providing the types of assistance set out in new section 317E or as otherwise determined by the Minister by legislative instrument in 317T(5). Providers cannot be required to build a decryption capability or a capability that removes electronic protection or renders systemic methods of encryption or authentication less effective.

27. Capabilities built under a technical capability notice may assist agencies to access private communications for investigative purposes. However, as discussed above, an existing warrant or authorisation will still be required. The new provisions complement, but do not replace, the existing warrant processes with in-built legislative safeguards.

28. Before issuing a technical capability notice the Attorney-General must be satisfied that the requirements imposed by the notice are reasonable, proportionate and that compliance with the warrant is practicable and technically feasible. This means the Attorney-General must evaluate the individual circumstances of each notice and turn his or her mind to the interests of the agency, the interests of the provider, as well as wider public interests, such as the impact on privacy.

29. In determining what is reasonable and proportionate, the Attorney-General must have regard to: the interests of national security; the interests of law enforcement; the legitimate interests of the designated communications provider to whom the notice relates; the objectives of the notice; the availability of other means to achieve the objectives of the notice; the legitimate expectations of the Australian community relating to privacy and cybersecurity, and any other matters (if any) that the Attorney-General considers to be relevant.

30. Capabilities required under a notice must be related to the established functions of ASIO or an interception agency and related to enforcing the law or safeguarding national security.

31. The power to issue a technical capability notice is limited to the Attorney-General, the highest level of the executive, ensuring direct Ministerial oversight.

32. Prior to a notice being issued, there is a mandatory 28 day consultation period with the relevant provider. This will ensure that the powers are not exercised arbitrarily and give providers an opportunity to make a submission on a notice before having to comply with its requirements. The same obligation to consult applies to a variation of an existing technical capability notice.

33. A technical capability notice cannot require a provider to implement or build a systemic weakness or vulnerability into a form of electronic protection. This includes actions which would make systemic methods of authentication or encryption less effective. This protection limits the privacy implications of the power by ensuring that the Attorney-General cannot require providers to undermine systems that protect the security of personal information. Similar to technical assistance notices, these limitations do not prevent the building of a capability that is able to be deployed selectively to weaken the electronic protection of a particular service, device or item of software.

Use and disclosure of information

34. Information obtained through the new powers will primarily be of a technical nature. Information may include procurement plans, information regarding products and services, network or service design plans and other technical information necessary to execute a request for assistance or to build a capability. Once received, section 317ZF of the Act restricts the ability of agencies to disclose this information without a lawful exception.

35. Strict non-disclosure provisions in 317ZF apply to any information in, or in accordance with, a technical assistance request, technical assistance notice and technical capability notice. Unauthorised disclosure of this information attracts a maximum penalty of imprisonment for five years.

36. To the extent that the information obtained is primarily of a technical nature, the right to privacy is not engaged. However, in the unlikely event that information provided contains information about a person, the prohibition on disclosure without lawful authority promotes the right to privacy. The restrictions on the use and disclosure of information further promote the right to privacy by ensuring any information obtained is only shared for the necessary and legitimate functions of Australian law enforcement, security and intelligence agencies.

37. The measures will not alter the existing framework in the TIA Act for agencies to obtain telecommunications interception information, stored communications and telecommunications data. If an agency receives private information, which was otherwise unintelligible, with the assistance of a notice or request, the range of protections for use and disclosure of this information will apply, including under the TIA Act, Telecommunications Act and Privacy Act 1988.

Right to freedom of expression - Article 19 of the ICCPR

Technical assistance requests, technical assistance notices and technical capability notices

38. Article 19(2) of the ICCPR provides that everyone shall have the right to freedom of expression, including the right 'to seek, receive and impart information and ideas of all kinds and regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice.

39. Furthermore, Article 19(3) of the ICCPR provides that the exercise of the rights provided for in Article 19(2) carries with it special duties and responsibilities. It may therefore be subject to certain restrictions, but these shall only be such as are provided by law and are necessary (in part) for the protection of national security or of public order, or of public health or morals.

40. The new measures may engage the right to freedom of expression by indirectly making some people more reluctant to use communications services. It is plausible that a person may minimise their use of communication services if they believe government agencies can ask providers to facilitate access to communications carried through these services, for example by removing forms of electronic protection applied to their communications if they are capable of doing so.

41. However, the amendments will not enable agencies to access communications absent a warrant or authorisation under the TIA Act. Warrants and authorisations under the TIA Act are subject to strict thresholds. For example, interception warrants can generally only be issued to investigate serious offences attracting a maximum penalty of at least 7 years imprisonment.

42. The measures advance a legitimate objective of protecting Australia's national security and public order by allowing law enforcement, security and intelligence agencies to respond to the modern communications environment and effectively access information which will assist investigations and prosecutions.

43. To the extent that a person refrains from or minimises their use of electronic communications in response to these powers, the additional restrictions on the purposes that the powers may be issued for and the limited things that may be required under these powers complement the protections of a warrant and ensure any limitation on the freedom of expression is necessary and proportionate. Additionally, to the extent that the measures do restrict the right to freedom of expression, such a restriction is contemplated by the ICCPR as Article 19(3) allows for restrictions for the protection of national security or of public order.

Right to effective remedy - Article 2(3) of the ICCPR

44. Article 2(3) of the ICCPR protects the right to an effective remedy for any violation of rights and freedoms recognised by the ICCPR, including the right to have such a remedy determined by competent judicial, administrative or legislative authorities or by any other competent authority provided for by the legal system of the State. To the extent that a legal entity subject to a technical capability notice argues that complying with the notice would infringe the rights of natural persons affected by compliance with the notice, the remedies discussed here are applicable.

45. Australian courts will retain jurisdiction for judicial review of a decision of an agency head to issue a technical assistance notice or the Attorney-General's decision to issue a technical capability notice. This will ensure that an affected person, or a provider or behalf of an affected person, has an avenue to challenge unlawful decision making.

46. The Bill does not provide for merits review of decision making and excludes judicial review under the Administrative Decisions (Judicial Review) Act 1977 (ADJR Act). This approach to review is consistent with similar decisions made for national security and law enforcement purposes - for example those made under the IS Act, ASIO Act, IGIS Act and the TIA Act. Decisions of a law enforcement nature were identified by the Administrative Review Council in its publication What decisions should be subject to merits review? as being unsuitable for merits review.

47. Security and law enforcement agencies may require a technical assistance notice in order to access appropriate electronic evidence for an investigation that is underway and evolving. It is imperative that a technical assistance notice can be issued and used quickly. It would not be appropriate for a decision to issue a technical assistance notice to be subject to merits review or judicial review under the ADJR Act, as review could adversely impact the effectiveness and outcomes of an investigation. Decisions by the Attorney-General to issue a technical capability notice are particularly unsuitable for review as they are ministerial decisions to develop law enforcement and national security capabilities.

48. The new industry assistance framework is designed to incentivise cooperation from industry, providing a regime for the Australian government and providers to work together to safeguard the public interest and protect national security. In the unlikely event that enforcement action is required; applications for enforcement under new Division 5 of Schedule 1 will be considered independently by the Federal Court or the Federal Circuit Court.

Schedule 2

Protection against arbitrary or unlawful interferences with privacy - Article 17 of the ICCPR

Amendments to the ASIO computer access warrant to allow limited interception

49. Amendments to the ASIO Act and TIA Act will allow ASIO to intercept communications for the purpose of executing a computer access warrant, removing the need to obtain a second warrant for that purpose.

50. These amendments engage the right to privacy insofar as interception (including interception to enable remote access to a computer) is inherently privacy intrusive. To the extent the right is limited, the limitation is reasonable, necessary and proportionate to the legitimate need for ASIO to have effective powers to execute its statutory function to protect national security.

51. It is almost always necessary for ASIO to undertake limited interception for the purposes of executing a computer access warrant. Currently, ASIO is required to obtain a computer access warrant to gain access to a device and a telecommunications interception warrant under section 9 or 9A of the TIA Act for this interception to establish computer access.

52. The current arrangements cause administrative inefficiency by requiring ASIO to prepare two warrant applications, addressing different legal standards, for the purpose of executing a single computer access warrant. The process requires the Attorney-General to consider each application separately and in accordance with each separate criterion.

53. The amendments will mean ASIO will be able to obtain a single computer access warrant, which authorises an officer to undertake all activities that are required to give effect to that warrant. The amendments enhance the operational efficiency of ASIO to collect intelligence in Australia's interest.

54. The power is proportionate because the new provisions tightly constrain the purposes for which ASIO may use information intercepted under this provision. ASIO can only use intercepted information in order to execute the computer access warrant. In order for ASIO to use intercepted information for its own intelligence value, ASIO must obtain an interception warrant under the TIA Act.

55. Consistent with the existing provisions in the ASIO Act, computer access warrants are subject to strict tests and must be signed by the Attorney-General. The Attorney-General may only issue a warrant if he or she is satisfied that there are reasonable grounds for believing that access to data held in a computer will substantially assist the collection of intelligence in respect of matter that is important in relation to security.

56. The warrant must specify the target computer and premises, as well as the things the warrant authorises.

Amendments to the ASIO computer access warrant to allow temporary removal of a computer

57. Amendments to the ASIO Act will allow ASIO to temporarily remove a computer from a premises for the purpose of executing a computer access warrant. ASIO will not be able to retain the device.

58. Removing a person's device from premises engages the right to privacy because it enables access to devices. ASIO's ability to temporarily remove computers from premises is important in situations where ASIO may require specialist equipment to access the computer. Such equipment may not always be able to be brought onto the premises covertly.

59. As outlined above, statutory safeguards in the ASIO Act protect the right to privacy.

60. The authority to remove a computer is confined to a specific purpose in the warrant. The authority is only available where the Attorney-General has issued a computer access warrant. The Attorney-General must consider the removal of a computer to be appropriate in the circumstances. The Attorney-General may only issue a warrant if he or she is satisfied that there are reasonable grounds for believing that access to data held in a computer will substantially assist the collection of intelligence in respect of matter that is important in relation to security.

61. Oversight of computer access warrants is conducted by the IGIS to ensure the power is exercised lawfully, with propriety and with respect for human rights.

Amendments to the ASIO Act to allow ASIO to take steps to conceal access to a computer

62. Amendments to the ASIO Act will allow ASIO to take steps to conceal its access to a computer following the expiry of a computer access warrant.

63. The amendments engage the right to privacy by enabling ASIO officers to access devices, which hold personal information, for the purposes of concealment.

64. The amendments are necessary to address situations where ASIO no longer has access to the computer at the time the warrant expires but needs to undertake concealment activities. Concealment activities are crucial to ensure that a person does not become aware they are the subject of an investigation, the investigation does not become compromised and sensitive agency capabilities are not revealed.

65. ASIO cannot always reliably predict whether, or when, it will be able to safely retrieve its devices without compromising a covert security intelligence operation. For example, a person may unexpectedly relocate their computer or device prior to the expiry of the warrant, precluding ASIO from taking the necessary steps to conceal the fact that it had accessed the device under warrant until the computer or device is available to be access again.

66. Once the warrant has expired ASIO may not be able to obtain a further computer access warrant to undertake retrieval and concealment activities, as retrieving and concealing would (by definition) not necessarily meet the statutory threshold of 'substantially assisting the collection of intelligence'.

67. The requirement that the concealment activities be performed 'at the earliest time after than 28-day period at which it is reasonably practicable to do so' acknowledges that this authority should not extend indefinitely, circumscribing it to operational need.

68. The authority conferred by the amendments can only be exercised by the Director-General, or a person or class of persons approved by the Director-General in writing. This item provides a safeguard against the arbitrary exercise of the range of activities permitted by the new subsection.

69. Each of the ASIO measures in Schedule 2 is necessary to protect the rights and freedoms of individuals by providing ASIO with the tools it requires to keep Australians safe. To the extent that the right to privacy is limited, the limitation is reasonable, proportionate and necessary to allow ASIO to effectively investigate matters within its statutory remit. The amendments are limited to those which are necessary to address the barriers ASIO faces in using its computer access powers, and are subject to existing statutory protections.

Amendments to the SD Act which grant law enforcement agencies a computer access power, and consequential amendments to the TIA Act

70. Schedule 2 will allow Commonwealth, State and Territory law enforcement agencies to apply for covert computer access warrants under the SD Act. Computer access involves the use of technology to collect information directly from devices, either remotely or physically. This measure engages the right to privacy insofar as accessing a person's personal information held in a computer is inherently privacy intrusive.

71. The measure is directed towards the legitimate purpose of ensuring that law enforcement agencies have appropriate powers to investigate serious crimes. Computer access is a valuable in the current digital environment because it allows officers to access data held on a device in an unencrypted state. The ability to execute computer access remotely limits interference with property and limits the risk of harm to law enforcement officers.

72. The measure includes a range of safeguards to ensure that the limitation on privacy is reasonable, proportionate and necessary.

73. The law enforcement officer must have reasonable grounds to suspect that access to data held on a particular computer is necessary to investigate a federal offence which carries a maximum penalty of at least three years imprisonment.

74. A Judge or nominated AAT member is responsible for issuing a computer access warrant. In all cases, the Judge or AAT member must have regard to the extent to which the privacy of any person is likely to be affected and the existence of any alternative means of obtaining the evidence or information sought to be obtained.

75. A computer access warrant must specify the things that are authorised under the warrant. The Judge or AAT member must consider whether each thing specified is appropriate in the circumstances. By specifying the types of things authorised in a warrant, there is a limit on the types of things a computer access warrant can enable law enforcement agencies to undertake.

76. A computer access warrant does not authorise the material loss or damage to other persons lawfully using a computer, except where necessary for concealment.

77. The chief officer of the law enforcement agency to which the computer access warrant was issued must revoke the warrant if it is no longer required to obtain evidence of the offence. The chief officer also has an obligation to ensure that access to data is discontinued.

78. The use of information obtained under a computer access warrant is restricted by Division 1, Part 6 of the SD Act. Unauthorised disclosure of information about, or obtained under, a computer access warrant is an offence. The maximum penalty for the offence is two years imprisonment, or 10 years if the disclosure endangers the health or safety of any person or prejudices an investigation into an offence.

79. The use, recording and communication of information obtained in the course of intercepting a communication in order to execute a computer access warrant is also restricted. Where agencies want to gain intercept material for its own purpose, they must apply for, and be issued with, an interception warrant under Chapter 2 of the TIA Act.

80. The chief officer of a law enforcement agency must report to the Minister on every computer access warrant issued. The report must state whether the warrant or authorisation was executed, the name of the person primarily responsible for the execution, the name of each person involved in accessing data, the name of any person whose data was accessed, and the location at which the computer was located. The report must also give details of the benefit to the investigation.

81. Agencies must report annually on the number of warrants applied for and issued during the year and the number of emergency authorisations.

82. Agencies must keep records about computer access warrants, including in relation to decisions to grant, refuse, withdraw or revoke warrants. Agencies must also keep records of how the information in the warrant has been communicated.

83. The Commonwealth Ombudsman must inspect the records of law enforcement agencies to determine compliance with the law and report the results to the Minister ever six months. The Minister must table Ombudsman reports in the Parliament.

84. These measures are necessary to pursue the legitimate objectives of protecting national security and public order. The amendments address the advances in technology which enable serious criminals to conduct activities and communicate anonymously. To the extent that the right to privacy is limited or interfered with, the interference is appropriate and necessary for law enforcement agencies to effectively investigate and prosecute crime. The limitation to individual privacy is proportionate because the measures are limited to those necessary to meet this legitimate aim and contain strong legislative safeguards.

Amendments to the testing provisions in the TIA Act

85. The Bill amends the testing framework for security authorities in Part 2-4 of the TIA Act to allow security authorities to work with carriers and carriage service providers to test their interception capabilities. Currently, the TIA Act only allows testing by employees of a security authority.

86. The amendments limit the right to privacy to the extent that they provide carriers and carriage service providers with access to intercepted communications.

87. The limitation on privacy is necessary to ensure interception agencies under the TIA Act can effectively test their capabilities which allow them to undertake interception under a warrant. The amendments reflect the practical operation of interception over carrier networks and the people who can effectively assist in testing capabilities.

88. The amendments are subject to a range of safeguards to ensure that, to the extent privacy is interfered with, the interference is reasonable, proportionate and necessary.

89. Security authorities are not able to use information gathered for testing for investigative or intelligence purposes. Information obtained for testing purposes must only be used for testing purposes, and must be destroyed as soon as the purpose for which the information was gathered is no longer applicable. Information gathered for testing purposes may only be exchanged between the relevant carrier/s, a security authority, and interception agencies for the purposes of testing and development.

90. The Attorney-General is responsible for issuing an authorisation to test upon application by a security authority. The amendments will allow carriers to work with security authorities under authorisation, reflecting the practical operation of interception capabilities, and are necessary to pursue the legitimate objectives of protecting national security and public order.

Right to a fair trial, the right to minimum guarantees in criminal proceedings and the presumption of innocence - Article 14 of the ICCPR

91. Article 14 provides (in part) that everyone shall be entitled to a fair and public hearing by a competent, independent and impartial tribunal established by law. Additionally Article 14 (3) of the ICCPR provides that in the determination of any criminal charge against him, everyone shall be entitled to certain minimum guarantees including (but not limited to) the right to be informed of the charge and to understand the nature and cause of the charge (14(3)(a)), and to have adequate time and facilities for the preparation of a defence (14(3)(b)). Limiting the right to a fair trial is permissible where it is necessary for the protection of national security and public order and is prescribed by law, and is reasonable, necessary and proportionate in the pursuit of a legitimate objective.

92. Article 14(3)(b) is the right 'to have adequate time and facilities for the preparation of a defence'. The right applies to all stages of the trial and 'facilities' means access to all documents necessary for the defence. Schedule 2 of the Bill engages the right in Article 14(3)(b) by making provision for the protection of computer access technologies and methods in a proceeding. Under section 47A, a person may object to the disclosure of information on the grounds that the information could reveal details of computer access technologies or methods which may be sensitive or reveal capabilities that law enforcement agencies need to keep closely held. The result of section 47A is that there may be circumstances where a defendant will not have a chance to review material that the relevant Judge has decided warrants capability protection.

93. To the extent the right to a fair trial is limited, the limitation is necessary and proportionate. Safeguards include that the presiding officer of the proceeding must make a determination whether the disclosure of the information is necessary for the fair trial of the defendant. It is anticipated that agencies will use computer access powers to gather such material as is necessary to enable other powers to collect evidentiary material, where it is possible to do so. For example, an agency may use a computer access power to gather such intelligence as to enable the application for search warrants under the Crimes Act to be made for a number of suspects. The Crimes Act search warrant would collect such evidence as would be presented in a relevant proceeding. Section 47A does not engage with the right to be informed in detail, in a language the defendant understands, as it only takes effect after charges have been laid.

94. Section 47A(3) provides protection for the right to a fair trial by ensuring that in determining whether or not to make an order not to disclose certain information, the person presiding over the proceeding must take into account whether disclosure of the information is necessary for the fair trial of the defence and whether disclosing it is in the public interest.

95. To the extent that the rights in Article 14 are limited, section 47A of the Bill is a reasonable, necessary and proportionate measure to achieve a legitimate objective. Preventing the release of sensitive operational information into the public domain is essential for the protection of the public and for national security. Releasing such information has inevitable harmful consequences for the ability of law enforcement to conduct future operations.

Schedule 3

Protection against arbitrary or unlawful interferences with privacy - Article 17 of the ICCPR

The power for law enforcement to remotely access computers under the Crimes Act

96. Schedule 3 engages the right to privacy by enabling law enforcement agencies to access private communications and other information on a device using a range of methods. The search warrant framework in the Crimes Act enables law enforcement agencies to search premises and persons, and seize evidential material, in accordance with judicial authorisation. Schedule 3 enhances the ability for executing officers or constables to use electronic equipment, data storage devices and telecommunications facilities in order to obtain access to data held in the computer or device or account based data accessible by the device.

97. Currently under section 3L of the Crimes Act, the executing officer of a warrant in relation to premises or a constable assisting, may operate electronic equipment at the warrant premises to access data if he or she suspects on reasonable grounds that the data constitutes evidential material. To use this power, an officer must be physically located at the warrant premises.

98. These amendments will allow law enforcement agencies to access data without having to physically be on warranted premises. The amendment provides that a warrant in force authorises the officer or assisting constable to use a computer, data storage device found in the course of a search, or a telecommunications facility, or other electronic equipment or a data storage device to obtain data on the computer, or data storage device found in the course of a search to determine whether the data on it is evidential material. The provisions also allow for data to be added, copied, deleted or altered where reasonable to do so. The warrant can be used to access account-based data of a person who is the owner or lessee of the computer, who uses the computer or has used the computer.

99. The Bill includes limitations to ensure that the power is proportionate and does not impact other users of communications services, including joint account holders. Subsection 27E(5) provides that activities undertaken to access data do not authorise the addition, deletion or alteration of data when those actions are likely to interfere with communications in transit or the lawful use by other persons of a computer, unless specified in the warrant. Subsection 27E(5) further provides that activities do not authorise the material loss or damage to other persons lawfully using a computer.

100. The amendments advance the legitimate objectives of protecting national security and public order by providing law enforcement agencies with the tools they require to investigate crimes and protect Australians in a modern context. Interference with privacy is not arbitrary as it is authorised under domestic law. The power for law enforcement to access computers is necessary and proportionate to achieve the legitimate objectives.

Amendments to the Crimes Act which allow criminal law enforcement agencies to compel assistance with accessing devices through a person-based warrant

101. Schedule 3 engages the right to privacy by enabling law enforcement agencies to access private communications and other information on a device held on a person. Under the current section 3LA of the Crimes Act, law enforcement agencies can compel certain persons (including owners and users of a device) to assist in providing access to data held in, or accessible from, a device that has been seized, moved or found in the course of a search, which has been authorised by a warrant. An order may also require a person to assist in copying data to another device and converting data into an intelligible form. Section 3LA also imposes an obligation, in limited circumstances, upon a person with knowledge of a computer or a computer system to assist access for law enforcement purposes. The current section 3LA predates the existence and common usage of smartphones - it refers to accessing data held in, or accessible from, a computer or data storage device that is on a warrant premises, has been moved from a premises or seized. Those provisions do not envision people carrying smartphones in their pockets.

102. The Bill will resolve this gap by allowing law enforcement agencies to compel persons to assist in providing access to a device under person-based warrant. Inability to access information held on devices may impede legitimate investigations and prosecutions.

103. The amendments in the Bill increase the penalty for a person who commits an offence under this section to five years imprisonment or 300 penalty units from the current penalty of imprisonment of two years, given that this penalty is of insufficient gravity to incentivise compliance with the assistance obligation. The Bill introduces an aggravated offence where a person fails to assist a law enforcement officer to access a device and the offence to which the underlying warrant relates is a serious offence (a Commonwealth offence punishable by imprisonment for two years of more) or a serious terrorism offence. The aggravated offence carries a penalty of 10 years imprisonment or 600 penalty units.

104. Although compelling a person to assist to access a device engages the right to privacy, the limitation is proportionate as a person-based search warrant regime engages the privacy rights of specific persons as opposed to the privacy rights of a wider group of people as does a premises-based warrant.

105. The requirement for a judicial officer to authorise warrants provides an important safeguard for person-based search warrant powers.

106. Before a Judge or AAT member issues a person-based warrant, section 3E(2) of the Crimes Act states that they must be satisfied that there are reasonable grounds for suspecting that the person has in his or her possession, or will within the next 72 hours have in his or her possession, any evidential material. Evidential material is anything relevant to an indictable offence or summary offence that has been or will be committed. A number of additional conditions in Section 3LA(2) must be met before a magistrate grants an order to allow enforcement to compel a person to give assistance accessing data. The person must be connected to the device (for example, as the device owner or user) and have the relevant knowledge to enable them to access the device.

107. The ability to compel assistance is critical to Australia's national security and ensures that law enforcement have the tools necessary to be able to protect Australians. The power for law enforcement to access portable technology devices is necessary and proportionate to achieving the legitimate objectives of protecting national security and public order.

Amendments to the Crimes Act which allow electronic devices moved under warrant to be kept for analysis for 30 days (rather than the current 14 days.)

108. The Bill amends the Crimes Act by extending the timeframes for which a computer or data storage device found in the course of a search may be moved to another location for examination and processing in order to determine whether the computer or data storage device constitutes evidentiary material that should be seized. Moving a person's computer or data storage device engages the right to privacy, as it may restrict a person's access to personal information.

109. Under the current section 3K, a thing moved from a premises must be returned within 14 days, while extensions of no more than seven days may be granted. These amendments will allow a computer or data storage device to be moved for 30 days with an extension of 14 days. These timeframes will allow law enforcement agencies adequate time to conduct the lengthy and intricate forensic processes necessary to determine whether there is evidential material in the electronic device, which may be seized.

110. The amendments achieve a legitimate objective of protecting Australia's national security and public order by ensuring law enforcement can undertake criminal and terrorism investigations in accordance with forensic best practice. The current law does not take into account the length of time that forensic examination of electronic equipment commonly takes.

111. Authorisation of a warrant by a judicial officer will also ensure that movements only occur when necessary and proportionate to meet the legitimate law enforcement and national security objectives. The requirement that the executing officer must believe on reasonable grounds that the computer or data storage device is evidential material, and that the seizure is necessary to prevent the concealment, loss or destruction of that item, provides a limitation on the power. Similarly the requirement that the executing officer must believe on reasonable grounds that the computer or data storage device must be examined to determine whether it constitutes evidentiary material, and movement is necessary to conduct analysis to determine whether the moved item contains or constitutes evidentiary material, provides a limitation on the power. Authorisation by a judicial officer will also ensure that movements and seizures only occur when necessary and proportionate to meet the legitimate law enforcement and national security objectives.

112. Extending the timeframe for examination and processing of computers and data storage devices to 30 days is a proportionate and necessary measure to achieve the legitimate objective of protecting national security and public order.

Schedule 4

Protection against arbitrary or unlawful interferences with privacy - Article 17 of the ICCPR

The power for the Australian Border Force to search persons who may have computers or storage devices under the Customs Act

113. Schedule 4 engages the right to privacy by enabling a judicial officer to issue a warrant authorising the ABF to search or frisk search a person if the judicial officer is satisfied that there are reasonable grounds for suspecting that the person possesses, or will possess in the next 72 hours, a computer or data storage device that is evidential material. Evidential material is anything relevant to an indictable offence or summary offence. Under existing laws, the ABF could only obtain a judicial warrant to search premises. The amendments recognise that information is often stored on devices, held physically by persons, and that an inability to access this information may impede legitimate investigations and prosecutions.

114. While the nature of searching a person in order to gain access to a device is inherently intrusive, it is not arbitrary as it is a targeted law enforcement tool designed to assist the ABF to effectively investigate crimes in the current technological environment. The power has the legitimate objective of protecting national security and public order.

115. The requirement for a judicial officer to authorise warrants will provide an important safeguard for the new power of the ABF. Under the amendments, there is a strict time limit of seven days to undertake a search authorised by the warrant. To the extent that the right to privacy is limited or interfered with, the interference is proportionate and necessary to meet legitimate objectives.

The power for the Australian Border Force to remotely access computers under the Customs Act

116. Schedule 4 engages the right to privacy by enabling the ABF to access private communications and other information on a device using a range of methods. Amendments to the search warrant framework in the Customs Act will enable the ABF to use electronic equipment, data storage devices and telecommunications facilities where a search warrant is in force in order to obtain access to data held in the computer or device or account based data accessible by the device.

117. At present, under section 201 of the Customs Act, the executing officer of a warrant in relation to premises or a person assisting, may operate electronic equipment at the warrant premises to access data if he or she believes on reasonable grounds that the data constitutes evidential material. To use this power, an officer must be physically located at the warrant premises.

118. New subsection 199(4A) and 199B(2) will allow the ABF to access data without having to physically be on warranted premises. The amendments provide that a warrant in force authorises the officer or assisting person to use a computer, data storage device found in the course of a search, or a telecommunications facility, or other electronic equipment or a data storage device to obtain data on the computer, or data storage device found in the course of a search to determine whether the data on it is evidential material. The provisions also allow for data to be added, copied, deleted or altered where reasonable to do so. The warrant can be used to access account-based data of a person who is the owner or lessee of the computer, who uses the computer or has used the computer.

119. The Bill includes limitations to ensure that the power is proportionate and does not impact other users of communications services, including joint account holders. The addition, deletion or alteration of data is not authorised when those actions are likely to interfere with communications in transit or the lawful use by other persons of a computer, unless specified in the warrant. The addition, deletion or alteration of data is also not authorised when those actions are likely to cause any other material loss or damage to other persons lawfully using a computer.

120. The amendments pursue the legitimate objectives of protecting national security and public order by providing the ABF with the tools they require to investigate criminal activity and protect Australian's national security in a modern context. Interference with privacy is not arbitrary as it is authorised under domestic law. The power for ABF to access computers is necessary and proportionate to achieving the legitimate objectives.

The power for the Australian Border Force to move a computer or data storage device in the course of a search under a warrant pursuant to the Customs Act

121. Schedule 4 engages the right to privacy by enabling a person-based search warrant to authorise the movement of a computer or data storage device in the course of a search to another location in order to determine whether the computer or data storage device constitutes evidentiary material that should be seized. The executing officer must believe on reasonable grounds that the computer or device is evidential material in relation to an offence to which the warrant relates, and the movement is necessary to prevent its concealment, loss or destruction or its use in committing an offence. These amendments reflect the current provisions for premises-based search warrants in the Customs Act, which allow an executing officer to move evidential material or suspected evidential material found on a premises.

122. This power will allow the ABF to analyse the computer or data storage device for evidence, enhancing their ability to conduct investigations and assist prosecutions. Any limitation or interference with the right to privacy is necessary and in the interests of law enforcement and national security.

123. Authorisation of a warrant by a judicial officer will also ensure that movements only occur when necessary and proportionate to meet the legitimate national security and public order objectives. The requirement that the executing officer must believe on reasonable grounds that the computer or data storage device is evidential material, and that the seizure is necessary to prevent the concealment, loss or destruction of that item, provides a limitation on the power. Similarly the requirement that the executing officer must believe on reasonable grounds that the computer or data storage device must be examined to determine whether it constitutes evidentiary material, and movement is necessary to conduct analysis to determine whether the moved item contains or constitutes evidentiary material, provides a limitation on the power. Authorisation by a judicial officer will also ensure that movements and seizures only occur when necessary and proportionate to meet the legitimate objectives.

Amendments to the Customs Act which allows the Australian Border Force to compel assistance with accessing data held in devices that have been seized or moved under a person-based search warrant

124. Schedule 4 engages the right to privacy by enabling the ABF to access private communications and other information on a device held on a person. The amendments will enable a magistrate to issue an order requiring a specified person to provide access to data held in, or accessible from, a computer or data storage device that has been seized, moved or found in the course of a person-based search, which has been authorised by a warrant. An order may also require a person to assist in copying data to another data storage device and converting data into an intelligible form. A similar order, requiring a person to provide access to data held in a computer on a warrant premises, is available under the Customs Act.

125. The amendments in the Bill increase the penalty for a person who does not provide access to a computer or device to five years imprisonment or 300 penalty units from the current penalty of imprisonment of two years, given that this penalty is of insufficient gravity to incentivise compliance with the assistance obligation. The Bill introduces an aggravated offence where a person fails to assist a law enforcement officer to access a device and the offence to which the underlying warrant relates is a serious offence or a serious terrorism offence. The aggravated offence carries a penalty of 10 years imprisonment or 600 penalty units.

126. These amendments will assist the ABF to access information within a computer or data storage device, which may otherwise be inaccessible or unintelligible. They are designed to assist the ABF in their investigations, particularly in the areas of national security and organised crime.

127. The requirement for a magistrate to authorise warrants provides an important safeguard for person-based search warrant powers. To grant an order, the magistrate must be satisfied of a number of things set out in the legislation, including that: there are reasonable grounds for suspecting that evidential material is held in, or accessible from, the computer or device; that the person is connected to the computer or device (for example, as the owner or user); and that the person has relevant knowledge to enable access to data held in, or accessible from, the computer or device.

128. To the extent these amendments limit the right to privacy, the interference would be reasonable, necessary and proportionate to achieving the legitimate objectives of protecting national security and public order.

Amendments to the Customs Act which allow computers or storage devices moved under warrant or found in the course of a search authorised by a warrant to be kept for examination or processing for 30 days (rather than the current 72 hours.)

129. The Bill also includes amendments to timeframes for how long a device may be moved for analysis. Moving a person's computer or data storage device engages the right to privacy, as it may restrict a person's access to personal information.

130. Under the current section 200 of the Customs Act, a thing moved from premises must be returned within 72 hours. These amendments will extend the time period for moved computers and data storage devices to 30 days and allow time extensions of 14 days. These timeframes will allow the ABF adequate time to conduct the lengthy and intricate forensic processes necessary for electronic devices.

131. The amendments achieve a legitimate objective of protecting Australia's national security and public order by ensuring the ABF can fulfil its statutory functions with forensic best practice.

Schedule 5

132. Schedule 5 enables ASIO to require a person with knowledge of a computer or a computer system to provide assistance that is reasonable and necessary to ASIO in order to gain access to data on a device that is subject to an ASIO warrant. A person commits an offence if he or she does not comply with an order where capable of doing so. The maximum penalty is 5 years imprisonment.

133. The types of assistance that ASIO may seek under these amendments include compelling a target or a target's associate to provide the password, pin code, sequence or fingerprint necessary to unlock a phone.

134. This measure engages the right to privacy by assisting ASIO to access private communications and other information on a person's device. Legislative safeguards ensure any limitation on the right to privacy is reasonable and proportionate.

135. ASIO must seek an order from the Attorney-General to require a person to provide assistance. The Attorney-General must be satisfied that the device is subject to an issued ASIO warrant. This means that the thresholds of the particular warrant have been met. For example, under a computer access warrant, access to data must substantially assist the collection of intelligence in accordance with the ASIO Act in respect of a matter that is important in relation to security.

136. The person who is to be given the order must also be reasonably suspected of being involved in activity prejudicial to security, or a person who is otherwise connected to the device. The person must also have relevant knowledge of the device or computer network.

137. The measures are directed towards the legitimate objective of ensuring that ASIO can give effect to warrants which authorise access to a device. ASIO's inability to access a device can frustrate operations to protect national security. The measures are a reasonable and proportionate response to the challenges brought about by new technologies, including encryption.

Conclusion

138. This Bill is compatible with human rights and promotes a number of human rights. To the extent that the Bill limits a human right, those limitations are reasonable, necessary and proportionate.