10 December 2018
Despite widespread criticism from individuals and industry participants, the controversial Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (Bill) has now passed through both Houses of Parliament. It is now set to become law once it receives Royal Assent.
Probably the most significant aspect of the Bill is that it provides Australian State, Territory and Federal law enforcement agencies with the ability to demand that ‘designated communications providers’ create a capability to provide access to encrypted communications and data. (The legislation uses the terms ‘systemic weakness’ and ‘systemic vulnerability’ to describe the possible consequences of this access.)
While there are some limitations on that power (e.g. the capability can only be exercised to target a particular person, and it should not result in a ‘weakness’ or ‘vulnerability’ that is ‘systemic’), there are significant privacy concerns, and questions about whether compliance with such a demand is even technically possible.
This article takes a look at some of these issues, and the significant impact the Bill may have on most individuals and businesses operating in the technology or communications supply chain.
The part of the Bill that has attracted the most controversy is the introduction of the ‘industry assistance’ provisions. These provisions allow Australian law enforcement agencies (including State, Territory and Federal Police and ASIO) to request or order that a ‘designated communications provider’ provide assistance with the decryption of encrypted communications or data.
The industry participants that may be subject to an assistance request or order are called ‘designated communications providers’. The definition is extremely broad, and could include most individuals and businesses in the communications supply chain. For example:
The Bill is intended to apply to foreign companies who provide a relevant communication service with one or more end-users in Australia. It also captures anyone who develops, supplies, or updates software in connection with that service.
It’s not entirely clear how the Bill will interact with certain foreign laws given the proposed extraterritorial scope (including, in particular, the GDPR). The Bill has a defence for not complying with requested assistance if compliance in the foreign country would contravene a law of the foreign country. However, this defence does not cover the situation where compliance in Australia could violate the laws of another country the provider operates in.
After debate in Parliament, the Bill was amended so that a law enforcement agency could only require a ‘designated communications provider’ to do specific acts or things known as ‘listed acts or things’.
However, the definition of ‘listed acts or things’ is almost as broad as the definition of ‘designated communications provider’. Importantly, it includes:
There are three types of requests/orders that law enforcement agencies can make (each subject to certain limitations or consultation requirements discussed below).
The requests/orders are:
A TCN must still relate to assisting the enforcement of serious criminal offences (in Australia or a foreign country). There are also additional oversight measures (including requiring the Attorney-General to first issue a ‘consultation notice’ setting out details of the proposed TCN for discussion with the provider). However, there are still major concerns about privacy implications and whether compliance with the requirements is actually technically possible.
Unless an exception applies (discussed below), the maximum penalty for non-compliance with a TAN or TCN is ~A$10 million (for a body corporate who is not a carrier or carriage service provider).
Compliance with a TAR is voluntary, meaning there are no penalties for non-compliance.
In an attempt to balance privacy concerns and the uncertainty about whether it is technically possible to comply with the requirements in an order or notice, the Bill includes several exceptions to compliance.
Two of the most significant are:
It’s not clear how ‘practicable’ and ‘technically feasible’ will be interpreted, or how these factors will be balanced by a law enforcement agency.
Another potential avenue available under the Bill is for a designated communications provider to request an assessment of a ‘consultation notice’ (that is, the ‘consultation notice’ which must be given prior to a TCN being issued). Such an assessment will be carried out by a retired judge and an assessor with sufficient technical knowledge. The assessors’ report will be considered before a decision is made whether to proceed with giving the TCN.
The Bill also provides that a ‘designated communications provider’ must comply with the requirements of a TAN or TCN on a no profit-no cost basis (unless otherwise agreed, or the issuing law enforcement agency declares it would be contrary to the public interest). Arbitration is an option for resolving an agreement as to the assessment of costs.
The above is only a general outline of some of the key features of the Bill. Despite voting to approve the Bill, the Labor Party has announced that it will seek to make necessary amendments on the first sitting day of Parliament next year. We will provide further updates as they become available.
 Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, sch 1, s 317.
 Parliament of Australia, Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018, Bills Digest No. 49 of 2018-19, 3 December 2018, 21.
 Ibid 31.
 Voluntary requests can cover any other type of assistance.
 The term ‘technical information’ is not defined in the Bill, which has led to some industry participants being concerned that it could even include the source code for proprietary software.
The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.