Site search

INSIGHT

Controversial encryption legislation passed

By Valeska Bloch 10 December 2018
Data & Privacy Technology & Outsourcing Technology, Media & Telecommunications

In brief 3 min read

The Government's highly controversial encryption legislation was hastily passed through Parliament last week, making it the first legislation of its kind globally. Partner Valeska Bloch and Paralegal Sophie Peach report.

Jump To

  1. Background
  2. What has changed?
  3. What's next?

Background

The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 passed into law on Thursday 6 December, coming into effect on Sunday 9 December. This was not without considerable resistance from a number of interested parties, and a highly politicised debate between the Government and Opposition. The new laws come at a time where governments and organisations around the world are navigating an ever-changing cybersecurity landscape, and the impact that has on national security.

In light of those national security concerns, Prime Minister Scott Morrison and Home Affairs Minister Peter Dutton recently urged a parliamentary committee to conclude its review of the new laws, to allow Parliament to pass the legislation before the end of the year. In the end, the agreement reached between the Government and Opposition to get the legislation passed by both Houses before the end of the year was that further changes will be made during the first sitting in 2019.

What HAs changed?

Despite the heated debate that has raged over the past few months, the legislation that passed on Thursday is substantially the same as the original draft put forward for consultation earlier this year. For further details on the requirements of the legislation, please see our Focus: Breaking – Australian Government releases draft encryption legislation

However, the legislation does include a small number of notable departures from the original draft  that are intended to ensure:

  • more stringent obligations are imposed on the relevant government agencies to limit the exercise of their powers;
  • designated communications providers are aware of their obligations; and
  • any mandatory request for a designated communications provider to build a means of providing access to the relevant agencies will not contravene the requirement that such a request cannot require the provider to build or implement a systemic weakness or vulnerability.

Specifically:

  • The purposes for which a technical assistance request, technical assistance notice, or technical capability notice may be issued have been limited.
    • Technical assistance requests may only be issued insofar as they relate either to safeguarding national security; protecting Australia's foreign relations and economic well-being; or assisting the enforcement of serious Australian or foreign criminal offences.
    • Technical assistance notices and technical capability notices may only be issued insofar as they relate either to safeguarding national security; or assisting the enforcement of serious Australian and foreign criminal offences.
  • The issuer of a technical assistance request, technical assistance notice and technical capability notice is required to provide notice of the request to the Inspector-General of Intelligence and Security within seven days after the notice is given. This obligation also applies to a variation or revocation of request. Failure to comply has no impact on the validity of the request.
  • Approval requirements:
    • Before a technical assistance notice can be issued by an office of an interception agency, the office must provide the AFP Commissioner with a written proposal to give the assistance notice, which must be approved by the Commissioner.
    • Before a technical assistance notice can be issued to a designated communications provider, the Director-General of security or chief officer of an interception agency must consult the provider. There is an exception to this requirement where the relevant agency is satisfied the notice is urgent, and the provider has waived compliance with this requirement.
    • The Attorney-General must obtain approval from the Minister before issuing a technical capability notice to a designated communications provider.
  • Where ASIO, ASIS, the ASD or other interception agencies issue a 'technical assistance request' for voluntary assistance by a designated communications provider, they are now required to advise the provider that compliance with the request is voluntary.
  • Where the Director-General of Security or chief officer of an interception agency issues a 'technical assistance notice' requiring mandatory assistance by a designated communications provider, they must give the provider advice regarding its obligations under that notice, including their right to make a complaint about the notice to the Inspector-General of Intelligence and Security. The Attorney-General must also give the provider advice regarding its obligations in relation to its issue of any 'technical capability notice'. There is no equivalent right to make a complaint about the notice. Instead, the provider has the benefit of an independent assessment process.
  • The relevant provider may request an assessment of whether the proposed technical capability notice should be given. After receiving this request, the Attorney-General must appoint two persons to carry out the assessment. In particular, the assessment must consider whether compliance with the notice would require a provider to build or implement a systemic weakness or vulnerability into a form of electronic protection. This is in response to mounting concerns about the legislation requiring the creation of 'back doors' to encrypted communications. If the Attorney-General varies the technical capability notice, another assessment must be carried out.
  • Provisions have been included to clarify the matters that the notice issuers (being the Attorney-General, the Director-General of Security and the relevant agencies) will need to consider in determining whether the requirements imposed under those notices are 'reasonable and proportionate'.

What’s next?

We will be reporting on further developments as they come to hand. In the meantime, please contact any of the people below if you would like more information.