Electronic Surveillance Reform in Australia: What can we expect next?

Australia’s regulation of electronic surveillance has been a mess for some time. When it announced its review in 2021, the government said that ‘reforming Australia’s existing electronic surveillance legislative framework is the most significant change to Australia’s national security laws in over four decades’.

An exposure draft for the proposed reforms of Australia’s electronic surveillance regime is to be released soon. So what can we expect?

Background to Electronic Surveillance Reform

In Australia, the protection of, and access to, information collected by a range of techniques (including CCTV, video and audio recording and telecommunications interception) is governed by a range of different federal and state legislation, including:

  • the Telecommunications (Interception and Access) Act 1979 (TIA Act)
  • the Surveillance Devices Act 2004 (SD Act)
  • parts of the Australian Security Intelligence Organisation Act 1979 (ASIO Act)
  • parts of the Telecommunications Act 1997 (Telecommunications Act)
  • discrete parts of other Commonwealth and state and territory laws.

These Acts protect several different kinds of information and data and limit the access of government agencies. The Acts also require companies that own telecommunications infrastructure and provide telecommunications services to protect this information and to assist government agencies to gain access to it in certain circumstances.

However, there have been concerns that the existing laws are based on 1970s technology, which has proved challenging for law enforcement and security agencies that want to use electronic surveillance.

The Comprehensive Review of the legal framework of the National Intelligence Community (Comprehensive Review), led by Dennis Richardson AC, looked at electronic surveillance regulation in Australia as part of its review of laws applying to the Australian national intelligence community. That review found that the existing surveillance legislative framework is complex, inconsistent, outdated and inflexible. It recommended that the Government repeal and replace the different laws with one consolidated act.

As part of its response to the Comprehensive Review, the Government committed to holistically reforming this framework. To deliver on that commitment, the Department of Home Affairs established an interagency taskforce, made up of relevant Commonwealth policy departments, operational agencies and oversight bodies.

Electronic Surveillance Reform Objectives

The objective of this reform is to develop a new single Act that:

  • better protects individuals’ information and data, including by reflecting what it means to communicate in the 21st century
  • ensures that law enforcement and security agencies have the powers they need to investigate serious crimes and threats to security
  • is clear, transparent and usable for operational agencies and oversight bodies, as well as industry who need to comply with the obligations of the framework
  • is modernised, streamlined and as technology-neutral as possible, by updating key concepts and clearly identifying the agencies that can seek access to this information
  • contains appropriate thresholds and robust, effective and consistent controls, limits, safeguards and oversight of the use of these intrusive powers.

In developing the new framework, these objectives will be balanced against one another. It is intended that streamlining the existing framework will ultimately lead to a reduced regulatory burden.

Electronic Surveillance Reform Discussion Paper

To support the review, the Department of Home Affairs issued a Discussion Paper on 6 December 2021 and submissions closed on 11 February 2022. Submissions available for public review can be accessed here.

Electronic Surveillance Reform: What can we expect?

The proposed reforms are intended to harmonise existing laws to provide a unified governance framework, cater for technological changes and expand the range of government agencies which may exercise electronic surveillance powers.

The discussion paper refers to a number of “guiding principles”, including, most relevantly for industry, the idea that future surveillance legislation will be “technology neutral”. This will involve, among other things, revisiting core concepts such as the definition of what constitutes a “communication” and distinguishing between “content” and “non content” information.

The reforms include:

  • Limiting the circumstances where agencies may exercise electronic surveillance powers. Issuing authorities will be required to consider whether the use of electronic surveillance powers is necessary and proportionate and necessary for agencies to perform their functions (i.e. there’s no other way to achieve the purpose).
  • Providing greater certainty on the mechanisms and thresholds for lawful access to information. This will include providing a definition of ‘content and substance’ of a communication (something the legislation does not currently do) e.g. whether the URL of a website would be considered ‘content’ information or ‘non-content’ information, or both. A warrant is only required prior to an agency’s access to ‘content’ information. The distinction between ‘live’ communications (e.g. a phone call currently occurring) and ‘stored’ communications (e.g. an email held on a server) will be removed, with the same requirement to access both.
  • Broadening the definition of ‘communication’ which can be intercepted or accessed. The new definition will include:
    • communications stored on a person’s device or personal network (e.g. draft emails and messages which have not been sent);
    • a person’s activities on the internet;
    • interactions between a person and a machine (e.g. through the use of a chat-bot or other automated system); and
    • interactions between machines (e.g. communication between ‘Internet of Things’ devices, or data generated by connected or autonomous vehicles).
  • Expanding the range of agencies which may exercise electronic surveillance powers, for example:
    • the Australian Taxation Office may access telecommunications data to protect public revenue from serious financial crimes; and
    • the Australian Transaction Reports and Analysis Centre may access telecommunications data to prevent money laundering and terrorist financing.

In particular, the discussion paper suggests a significant extension of the regime to entities that have traditionally had limited or no exposure to obligations relating to electronic surveillance, extending from telcos and ISPs to entities that offer a messaging service as part of their products and services.

Key comments on Discussion Paper

Key industry players have made submissions in response to the discussion paper. Generally, these responses have recommended that:

  • a centralised independent body should be established to authorise and review the use of all electronic surveillance warrants;
  • an outcomes-based warrant system should be adopted (i.e. warrants to be granted for specific outcomes such as access to an individual’s email account, rather than the types of surveillance methods), but this should still require agencies to disclose the method of electronic surveillance used and justify the privacy impact of this method; and
  • immunity from civil and criminal liability should be provided to communications providers where they act in good faith in responding to a warrant.

Civil rights bodies submitted detailed responses. Digital Rights Watch made the following recommendations:

  1. confine authorisations and warrants to the minimum necessary number of agencies and only add to this via a clear and transparent process;
  2. avoid an overly general definition for communications that does not permit nuance, respect individual rights and the capacity to tailor different powers to a demonstrated need by surveillance agencies;
  3. simplify warrants but not at the expense of the individuals’ rights, and subject them to a necessary and proportionate test;
  4. raise the threshold in the definition of a “serious criminal offence”;
  5. introduce a double lock system as standard;
  6. provide that the relevant Minister should provide an annual (or more frequent) report that details the number of warrants issued under national security legislation and publish judicial records of these decisions; and
  7. prescribe an independent public interest advocate to make submissions on any warrant application.

Misuse of existing powers

Concerns about the new laws, and the extensions, must be raised in view of evidence of the misuse of existing access powers by law enforcement agencies.

Commonwealth Ombudsman Report

A 2022 report by the Commonwealth Ombudsman reviewed the use of the powers in 2019-20 by 19 of the 20 agencies that have access to metadata and stored communications under the TIA Act. It reported a 38% year-on-year increase in serious compliance and unfinished remediation issues with the way some agencies – mostly law enforcement – accessed metadata and stored communication content.

Some of the issues identified in the Report included:

  • both Victoria Police and Tasmania Police secured warrants to access the contents of stored communications from officials who did not have the authority to issue them in the first place.
  • lack of evidence that preservation notices had been properly given, as well as instances of template wording and “rubber stamping” of signatures.
  • agencies not “vetting” that the information they received from the telco is covered by the warrant, noting that sometimes excessive or unrelated material was handed over. This additional material is meant to be destroyed, but there were instances where SA Police and WA Police did not delete the material.
  • repeat issues at the Australian Federal Police with documenting why metadata access requests were approved, with similar issues being uncovered with Victoria Police and the Australian Criminal Intelligence Commission (ACIC).
  • a finding that the AFP and Victoria Police had lax systems to record the “use and disclosure” of metadata by recipient officers.

JCIS Report

In 2020, the powerful Joint Committee on Intelligence and Security (JCIS) reviewed use of powers to access metadata and published a report with recommendations to the government designed to:

  • Increase transparency;
  • Raise the threshold for when data can be accessed; and
  • Reduce the broad access to data.

The recommendations included:

  • Publication by the Department of Home Affairs of guidance on the operations of the mandatory data retention scheme to ensure greater clarity, consistency and security in respect of requests for and collection of metadata by law enforcement agencies across Australia;
  • Clarifying the term ‘content or substance of a communication’ particularly in regard to distinguishing between metadata and content;
  • Clarifying the requirements for handling information obtained in breach of the Act;
  • Additional reporting requirements including:
    • the number of authorised officers in each enforcement agency and ASIO;
    • the number of authorisations made by each authorised officer;
    • the number of individuals that the authorisations by each enforcement agency and ASIO related to; and
    • in respect of authorisations in relation to criminal investigations, the specific offence – or offences – that the authorisations related to.
  • Developing guidelines for ensuring better reporting to oversight agencies, so that at a minimum each report should include (among other things) the following information:
    • the specific offence – or offences – that the investigation related to;
    • if the authorisation related to a missing person case, the name of the missing person;
    • brief reasons why the authorised officer was satisfied that the disclosure was reasonably necessary;
    • where the data related to a person who did not have an obvious relationship to a suspect in an investigation, brief reasons why the authorised officer was satisfied that any interference with the privacy of the person that may have resulted from the disclosure or use of the telecommunications data was justifiable and proportionate;
    • the name(s) of the officers involved in the case;
    • the name and appointment of the authorising officer.
    Where practicable, the report should also include:
    • whether or not the data was used to rule someone out from an investigation;
    • whether or not the person whose data was accessed was eventually charged, prosecuted and/or convicted of a crime;
    • whether or not the data accessed eventually led to the charge, prosecution and/or conviction of another person for a crime; and
    • the cost of the disclosure.
  • Reducing the number of officers who may be designated as authorised officers (to issue warrants etc).
  • Clarifying that access to stored information can only be authorised in relation to the investigation of a serious offence.
  • Removing s280(1)(b) and listing those agencies allowed to access telecommunications data.

None of these recommendations seem to have been actioned, with the previous government reportedly not responding at all to the bipartisan committee report.

Next steps

The exposure draft of the new harmonised electronic surveillance legislation is expected soon, and feedback from industry will then be collected to finalise the bill within 2023.

It will be interesting to see if a new government takes a different approach to updating surveillance regulation in Australia, and perhaps redressing the balance between the rights of individuals and the needs of law enforcement and government agencies.

Privacy, security and training. Jodie is one of Australia’s leading privacy and security experts and the Founder of Privacy 108 Consulting.