Allens

Technology, Media & Telecommunications

Increase text sizeDecrease text sizeDefault text size

Focus: The new cybercrime regime

27 November 2012

In brief: The Federal Government has introduced amendments to Australia's telecommunications regulatory regime that will facilitate Australia's accession to the Council of Europe Convention on Cybercrime. Partner Ian McGill (view CV) , Senior Associate Valeska Bloch and Lawyer Matthew Tracey examine the impact of these amendments.

How does it affect you?

  • Carriers may be required to preserve telecommunications data when requested by certain domestic agencies or by the Australian Federal Police (AFP) on behalf of foreign agencies as a condition of their licence.
  • Carriers must observe certain confidentiality obligations in relation to authorisations to disclose telecommunications data. They will need to have sufficient internal and external security measures in place to ensure that any information concerning authorisations (or the application, making, notifying or revoking of authorisations) is kept confidential and only disclosed in those situations contemplated by the Act.
  • Carriers that routinely destroy or de-identify data that is no longer needed in accordance with the Privacy Act 1988 (Cth) will need to have systems in place to ensure that data, the subject of preservation orders, is not deleted as part of this process.

Background

On 30 April 2010, the Australian Government announced its intention to accede to the Council of Europe Convention on Cybercrime (the Convention). The Convention, which came into force on 1 July 2004, is the first international treaty in this area and aims to 'develop a common criminal policy to combat cyber crime, in particular by adopting appropriate legislation and international co-operation'1. Thirty-one countries are party to the Convention and a further 16 countries are signatories. Although Australia is not a member of the Council of Europe, the Convention allows the accession of non-member states.

The Convention requires countries to criminalise certain offences relating to computers, content, security and intellectual property subject to fundamental rights of free expression and access to information. The Convention also allows for law enforcement agencies to more easily coordinate and share resources. Although Australia is mostly compliant with the Convention's obligations, the Cybercrime Legislation Amendment Act 2011 (Cth) (the Act), which was passed by the Senate on 22 August 2012, aims to make the final amendments necessary to facilitate Australia's accession to the Convention.

The Act amends four key pieces of legislation in the national communications regulatory framework:

  • the Telecommunications (Interception and Access) Act 1979 (Cth) (the TIA Act);
  • the Criminal Code Act 1995 (Cth) (the Criminal Code);
  • the Mutual Assistance in Criminal Matters Act 1987 (Cth) (the MA Act); and
  • the Telecommunications Act 1997 (Cth) (the Telco Act).

The explanatory memorandum to the Act states that where the Act enacts a requirement of the Convention, the Act should be interpreted as operating consistently with the Convention.

Preservation of stored communications

The TIA Act regulates communications such as emails, SMS and voice mail messages that are stored on a carrier's equipment (that is, communications that either have not commenced, or that have completed, passing over a telecommunications system) (stored communications). The TIA Act establishes a general prohibition on accessing stored communications and also sets out a warrant regime for enforcement agencies seeking to gain access to such communications.

The Act amends the TIA Act and the Telco Act to enable certain domestic agencies or the AFP (on behalf of foreign countries) to require that carriers preserve certain stored communications.2

The Act provides for the following three types of preservation notices that may be issued to carriers:

  • two types of domestic preservation notices, relating to stored communications that might relate to the contravention of certain Australian laws:
    • historic domestic preservation notices;
    • ongoing domestic preservation notices; and
  • foreign preservation notices, relating to stored communications that might relate to the contravention of certain foreign laws.

Compliance with preservation notices is a condition of a carrier licence. However, no communications, the subject of a preservation notice, will need to be disclosed by a carrier unless a warrant is issued which authorises the disclosure of that material.

The requirements of each type of preservation notice are set out below.

Domestic preservation notices
Historic domestic preservation notices

Historic domestic preservation notices may be issued either by an enforcement agency or the Australian Security Intelligence Organisation (the ASIO), and they require that all communications held by a carrier relating to a specified person or telecommunications service on the day the carrier receives the notice must be preserved by that carrier for up to 90 days following the date of the notice. These notices may only be issued where:

  • there are reasonable grounds for suspecting there are stored communications which might assist the issuing party in obtaining intelligence relating to security and that relate to the person or service covered by the notice; and
  • the issuing party intends to access the communications with a warrant.

Where the issuing party is an enforcement agency, there is an additional requirement that the agency must be investigating a domestic offence punishable by imprisonment for at least three years, or a fine of at least A$19,800 for an individual or A$99,000 for a corporation (a serious contravention).

Ongoing domestic preservation notices

Ongoing domestic preservation notices may be issued by the ASIO, and require that all communications held by a carrier during the 29 day period after a notice is received must be preserved by that carrier during that period. These notices must only be issued where:

  • there are reasonable grounds for suspecting there are stored communications which might assist the ASIO in obtaining intelligence relating to security;
  • the Director-General of Security considers that there are reasonable grounds for suspecting that there are stored communications that relate to the person or service covered by the notice; and
  • the ASIO intends to access the communications with a warrant.
Foreign preservation notices

Like historic domestic preservation notices, foreign preservation notices relate to stored communications held by a carrier on a particular day. Foreign preservation notices require that all communications held by a carrier from the time of receipt of the notice until the end of that day relating to a specified person or telecommunications service must be preserved from the time of receipt of the notice until that notice is revoked or a warrant authorising the disclosure of such communications ceases to be in force.

The Act compels the AFP to issue a foreign preservation notice if it receives a request from an approved foreign enforcement agency that complies with certain conditions. Those conditions include the foreign country intending to submit a formal mutual assistance application for a warrant under the MA Act, that the communications relate to an identified person or telecommunications service, and that the communications are relevant to a contravention of the law of a foreign country that is punishable by a maximum penalty of three or more years imprisonment, life imprisonment of the death penalty or a fine of at least equivalent to A$99,000 (a serious foreign contravention).

Revocation of preservation notices

An issuing agency may revoke a domestic preservation notice at any time and for any reason. In addition, an issuing agency must revoke a domestic preservation notice where a condition of granting the notice ceases to apply, including where the issuing agency no longer suspects that the relevant stored communications are in existence or likely to come into existence, or the issuing agency decides not to request a warrant to access the stored communications.

The AFP must revoke a foreign preservation notice if:

  • the foreign country has not made a formal mutual assistance request to the Attorney-General for access to the communications within 180 days from the day the carrier was given a foreign preservation notice;
  • the Attorney-General has refused a request by a foreign country to arrange for access to such stored communications; or
  • a foreign country has withdrawn a mutual assistance request.

Compliance with mutual assistance requests

Stored communications warrants for foreign law enforcement purposes

The Act enables the Attorney-General to authorise the AFP or state police to apply for a stored communications warrant under the TIA Act for foreign law enforcement purposes (not just for domestic law purposes, as was previously the case) where:

  • a foreign country has requested access to the stored communications;
  • an investigation or investigative proceeding into a criminal matter has commenced in that country;
  • the offence the subject of the investigation or investigative proceedings is a serious foreign contravention; and
  • there are reasonable grounds to believe that a carrier holds stored communications relevant to the investigation or investigative proceeding.

In considering a mutual assistance application, the issuing authority must have regard to the likely interference with any person's privacy, the gravity of the conduct constituting the serious foreign contravention, and how much the information obtained by accessing the stored communication would assist in connection with the foreign investigation.

The amendments also limit the purposes for which information obtained through the execution of a warrant issued as a result of a mutual assistance application can be used, which include transmission of information to a foreign country and record keeping requirements. The amendments also set out the conditions that must be complied with in communicating information obtained under such a warrant, to a foreign country. The conditions are:

  • that the information will only be used for the purposes for which the foreign country requested the information;
  • that any document or other thing containing the information will be destroyed when it is no longer required for those purposes; and
  • any other condition determined, in writing, by the Attorney-General.
Authorisations for access to telecommunications data

The Act permits the disclosure of existing telecommunications data to a foreign law enforcement agency, without the need for a request to be made by the foreign country under the MA Act. Conversely, the Attorney-General does need to have provided authorisation under the MA Act in order for disclosure of prospective telecommunications data to be disclosed to a foreign law enforcement agency.

In the case of the disclosure of both existing and prospective telecommunications data, the authorised officer must be satisfied that:

  • the disclosure is reasonably necessary for the enforcement of the criminal law of a foreign country; and
  • the disclosure is appropriate in all the circumstances.

Use and disclosure of information (except in limited circumstances) about the existence, revocation or notification of an authorisation is an offence punishable by a maximum penalty of two years imprisonment. Carriers will need to have sufficient internal and external security measures in place to ensure that any information concerning authorisations (or the application, making, notifying or revoking of authorisations) is kept confidential and only disclosed in those situations contemplated by the Act, such as:

  • where the disclosure is for the purposes of the authorisation, revocation or notification concerned;
  • where the disclosure is reasonably necessary;
  • enabling the ASIO to perform its function of obtaining intelligence relating to security;
  • enforcing the criminal law;
  • enforcing a law imposing a pecuniary penalty; or
  • protecting public revenue.

Amendments to the Criminal Code

The Act expands the scope of computer-related offences within the Criminal Code (which previously only outlawed certain conduct involving a computer owned, leased or operated by a Commonwealth entity) by removing the requirement:

  • for a carriage service to be used;
  • for a Commonwealth computer to have been involved or affected; or
  • for data held on behalf of the Commonwealth in a computer to have been affected, in the commission of an offence.

Next steps

The majority of the provisions of the Act came into force on 10 October 2012. The Act is perhaps only the first stage of significant reforms of the legislation underpinning Australia's national security legislation.

The Attorney-General's Department released the discussion paper – Equipping Australia Against Emerging and Evolving Threats – in July 2012 to accompany consideration by the Parliamentary Joint Committee on Intelligence and Security (the PJCIS) of a package of reform proposals regarding telecommunications interception, telecommunications sector security and the Australian intelligence community. The discussion paper canvassed some of the perceived deficiencies with the existing interception regime and identifies key areas (including strengthening safeguards and privacy protections and reforming the lawful access regime for agencies) that require review. It also focused on technology not only as an effective means of law enforcement, but on telecommunications infrastructure as a key national security risk and identifies perceived gaps in the powers of the Australian intelligence community.

The closing date for submissions was 20 August 2012. The PJCIS received 232 submissions in total. Since the closing date, various submitters have been invited to attend hearings to give evidence and answer further questions. As at the date of publication, no further releases have been made by the PJCIS.

It seems likely that the telecommunications interception and mutual assistance regime is likely to undergo further changes over the next few years.

Footnotes
  1. Convention on Cybercrime Budapest, 23.XI.2001, Not yet in force [2011] ATNIF 5, Preamble.
  2. This amendment seeks to implement Articles 16 and 29 of the Convention.

For further information, please contact:

Share or Save for later

What are these?

 

To save this publication on your smartphone or
tablet for off-line reading (eg on a plane flight),
we recommend Pocket.

 

 

You can leave a comment on this publication below. Please note, we are not able to provide specific legal advice in this forum. If you would like advice relating to this topic, contact one of the authors directly. Please do not include links to websites or your comment may not be published.

Comment Box is loading comments...