A report concerning the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 and related matters

This, my ninth report as Independent National Security Legislation Monitor (INSLM), is a review of the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (TOLA) and related matters.

The essential effects of TOLA are as follows: 

1. Schedule 1 gives police and intelligence agencies new powers to agree or require significant industry assistance from communications providers. 
2. Schedules 2, 3 and 4 update existing powers and, in some cases, extended them to new agencies. 
3. Schedule 5 gives the Australian Security Intelligence Organisation (ASIO) significant new powers to seek and receive both voluntary and compulsory assistance.

Schedules 1 and 5 have proven controversial; Schedules 2, 3 and 4 less so.

My task is to consider the operation, effectiveness and implications of TOLA and whether it is necessary, is proportionate to the threats it seeks to meet and treats human rights properly. Where powers have not yet been used, my task involves prediction.

As to necessity, I have concluded that, with 2 exceptions, TOLA is or is likely to be necessary. The first exception is that Schedule 1 must be amended to extend Technical Assistance Requests (TARs), Technical Assistance Notices (TANs) and Technical Capability Notices (TCNs) to integrity agencies, including any future Commonwealth Integrity Commission. The other exception is in Schedule 5: one aspect of the voluntary assistance power and corresponding civil immunity in s 21A(1) of the Australian Security Intelligence Organisation Act 1979 (Cth) (ASIO Act) is unnecessary and should be amended.

As to proportionality and proper rights protection, TOLA will be compliant if, but only if, the central recommendations in this report are implemented. Most importantly, Schedule 1 should be amended to:

1. remove the power from agency heads to issue TANs and from the Attorney-General to approve TCNs¹
2. vest those issuing and approval powers in the Administrative Appeals Tribunal (AAT) in a way which will preserve and protect both classified and commercial-in-confidence material and allow independent rulings on technical questions such as ‘systemic weakness’ (definitions which, among others, should be amended)
3. create a new statutory office – the Investigatory Powers Commissioner (IPC). The IPC should be a retired judge who will be appointed to the AAT and have access to technical advice. The IPC will assist in approving the issue of TANs and TCNs (as above) while monitoring the operation of Schedule 1 and issuing guidelines. (This can be done with minimal expense.)

I have recommended that there be no change to the way that TARs are currently agreed between an interception agency head and a Designated Communications Provider (DCP) and the way the agreement then enables the relevant agency head to issue a TAR (although I have recommended the use of a prescribed form). This is in contrast with my recommendations on TANs and TCNs. It was almost unanimously agreed in non-government submissions that these notices should be authorised by either an independent tribunal member or a judicial officer and subject to meaningful judicial review once issued. Indeed, a number of stakeholders indicated that their main concern with the provisions in Schedule 1 was that no independent person is involved in the decision to issue a notice. The Australian Human Rights Commission raised human rights concerns on this point. Government submitters contended that there are already a number of conditions that apply to the issuing of compulsory notices, and these operate effectively and with sufficient oversight. My recommendations for TANs and TCNs build on these existing mechanisms to guarantee consideration of human rights, privacy and technical implications by the issuing authority.

A related key point is the distinction between TANs and TCNs, which provide technical ‘access’; and warrants (and other similar instruments), which provide ‘content’. TANs and TCNs do not provide the authority to obtain content from a DCP without an underlying warrant, and the Government has submitted that these notices are merely a mechanism to ensure that whatever data is obtained under a lawful warrant is accessible and comprehensible to the interception agency. I have not accepted the Government’s argument as to the distinction in this regard.

I consider that there is a greater need for safeguards in the virtual world than in the physical world, for both reasons of trust and the wide and unknown impact of technology. At a public hearing of this review, Professor Peter Leonard, from the Law Council of Australia, stated in relation to trust:

In the digital world, digital trust of citizens is affected by activities that may not relate to their specific digital activities. So we always need to consider, as we look at the digital world, the effect on broader digital trust of citizens, and potentially undermining that trust. Now, often a degree of undermining that trust will be justified in national security or law enforcement, but I do think that you can’t take the digital world as an exact analogue of the physical world, because of that different nature of the digital system.²

This chapter provides an overview. It should be read with the whole of the report

¹ With the concurrence of the Minister for Communications

² Law Council of Australia, Supplementary Submission to the Independent National Security Legislation Monitor, Review of the Telecommunications and Other Legislation (Assistance and Access) Act 2018 (TOLA), 5-6