On 6 December 2018, Federal Parliament passed the Telecommunications and Other Legislation (Assistance and Access) Bill 2018 and the legislation is now in force. The legislation has been the subject of considerable debate, both within the houses of Parliament and more broadly by privacy advocates, Big Tech heavyweights and members of the general public who have all had a view.
The legislation gives intelligence and interception agencies (including ASIO, ASIS and the ASD) the ability to monitor the use of encrypted technologies by terrorists, sex offenders and criminal organisations by enlisting support from a broad range of organisations and through increased computer access and search warrants. Explanatory materials state that over 90 percent of telecommunication information being lawfully intercepted by the Australian Federal Police now uses some form of encryption. This is often using the simple messaging applications like WhatsApp the rest of us also use.1
The legislation extends to ‘designated communications providers’ and the eligible activities of those providers. Individuals as well as body corporates, may be designated communications provide and a person may occupy one or more of the categories in the table outlined in section 317C.2
A provider includes any person who provides, or provides a service that facilitates, an electronic service that has one or more end-users in Australia. An electronic service includes a website and the definition is broad enough to capture a provider’s internal network and intranet. Providers include telecommunication companies and over-the-top service providers such as WhatsApp and WeChat but could also extend to most Australian businesses given they will operate websites or other electronic services.
The new powers are expected to extend to devices or services likely to connect to the internet or another network and could also extend to ‘internet of things’ devices and other voice controlled systems.
The details of what is required and the time to comply will be set out in each notice. There are 3 types of industry assistance:
Section 317E(1) provides a list of the ‘acts or things’ that may be specified in a technical assistance request or technical assistance notice. Additional forms of assistance may be requested or required, provided they are of a similar kind to those listed.
Technical capability notices may require a provider to do acts or things that ensure the provider is capable of giving the requested assistance. The listed acts or things are contained in section 317E(1) and with the exception of s 317(1)(a), provide an exhaustive list of the types of acts or things that may be required. The explanatory materials acknowledge that this may require significant investment.
The legislation was passed by the ALP on the understanding that amendments would be debated in relation to the Act early in 2019. Proposed ALP amendments include providing further definitional clarity for the terms ‘systemic weakness’, ‘systemic vulnerability’ and ‘target technology’, as well as mandating that technical assistance and capability notices require prior judicial approval.
Home Affairs Minister Peter Dutton has since stated that the government does not intend to accept Labor’s proposed amendments and will only entertain amendments consistent with recommendations suggested by the Parliamentary Joint Committee on Intelligence and Security, which is due to provide a further report on the Act in April 2019.
© 2020 KPMG, an Australian partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. Liability limited by a scheme approved under Professional Standards Legislation.
KPMG International Cooperative (“KPMG International”) is a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.