15 August 2018


'Let’s be careful out there … : how digital rights advocates educate citizens in the digital age' by Efrat Daskal in (2018) 21(2) Information, Communication and Society 241-256 comments
From the early days of the printed press, citizens have challenged and modified the information environment as constructed by governments and media organizations. In the digital era, this struggle is manifested in the work of civil-society organizations calling to expand the boundaries of digital rights such as access to the internet, freedom of speech, and the right to privacy. Alongside their traditional activity of confronting governments and internet organizations, these bodies have also engaged in educating citizens about their rights. In order to shed light on such educational efforts, I examine the activities of four civil-society organizations operating in three countries (Germany, Israel, and the U.S.) by conducting a content analysis of their websites between 2013 and 2015. The results suggest that the organizations’ interactions with the public are guided by three main principles: (1) cultural informational framing: delivering accurate technological and political information, which is framed so as to resonate with the cultural premises and everyday lives of the target audiences; (2) personal activism: propelling citizens toward participation, primarily through political clicktivism and by providing them with technological guidance and tools for digital self-protection; and (3) branding digital rights activism: fostering a unique image for a particular organization’s digital rights activism, mostly through selling merchandise to citizens. Using these strategies, the organizations aim to construct the social–political–cultural identity of a generation who are knowledgeable, politically active, and aware of their rights in the digital age. The characteristics of this identity are discussed in the conclusion.


'Do labels matter when implementing change? Implications of labelling an academic as a champion − results from a case study' by Moira Cordiner, Sharon Thomas and Wendy Green in (2018) 43(3) Studies in Higher Education 484-499 comments
Organisational change literature is littered with labels for those who instigate, support, resist, or implement change. Absent is research into the perspectives of those who are given these labels. This paper reports findings from a literature search, journal scan and a case study of an Australian university where change agents were labelled ‘School Champions’. Data analysis of the authors suggests that labels do matter, not only to change agents, but also other academics who interacted with them such as Associate Deans. The authors found that, because a label implies an identity, when the choice of labels is unexamined, unintended consequences can result. These include ridicule, derision, and serious or light-hearted teasing, plus dismissive and cynical attitudes towards senior management’s endorsement of buzz words as labels. The authors suggest strategies to ensure that a label or identity badge suits academe, has minimal potential to cause emotional or professional harm, and is embraced rather than renounced.
The authors argue
There are numerous labels for those involved in organisational change with some having more longevity than others. For example, change agent and champion appeared in the literature over 60 years ago and remain current; while terms such as change maker arose in the early 1990s (Mabey and Mayon-White 1993), and change artist in 2012 (Jurow and Ruben 2012). Many of these labels are not mutually exclusive. Their definitions are not agreed upon and they are used inconsistently within different disciplines. These discrepancies mean that making a valid comparison of project outcomes is extremely challenging. Absent from the literature is research into the perspectives of those who are given one of these labels. Do labels matter when implementing change? We answer this question by interpreting a dataset from a larger case study investigating the use of the distributive leadership model to implement change in an Australian university. The concept of rhetoric is used to analyse the mixed message responses of interviewees beyond the literal level (Billig 1987).
Our findings reveal that the impact of a label – how those labelled felt about it and how their peers reacted to it − has been neglected in the literature and underestimated. We contend that the choice of labels for change agents requires careful and sensitive consideration of the context, and the identity badge (Grant, Berg, and Cable 2014) implied by the label, so that it empowers rather than inadvertently disempowers or disaffects. Thus this choice has implications extending well beyond uncritical adoption of the latest management discourse buzz word as a label, in an attempt to appear current in the field of organisational change.

Organ Markets

'Still A Vexed Question: Postmortem Gamete Removal And Use', a forthcoming HLB article by Wendy Bonython and myself, considers questions about property and the parens patriae jurisdiction in Re Cresswell [2018] QSC 14 and Chapman v South Eastern Sydney Local Health District [2018] NSWSC 1231.

A different perspective is provided in 'Private parts: an interrogation of private property rights in cadaveric organs' by Christopher Smol in (2017) 4 Public Interest Law Journal of New Zealand 150, with Smol commenting
This paper makes a tentative case for a futures sales model for cadaveric donor organs, wherein individuals can contract out the right to harvest their organs for transplant following their death, in exchange for compensation. The laws of the United Kingdom, New Zealand, Australia and the United States are generally adverse to the notion of property rights in human bodily materials, and this article criticises this paradigm as serving to disenfranchise materials’ originators. New Zealand’s framework for cadaveric donation under the Human Tissue Act 2008 does not fully address practical barriers to successful donations. This article advocates a tightly-regulated government-run futures scheme as having potential to overcome some of these barriers, while mitigating serious ethical concerns. Non-instrumental concerns around commerce in the human body can be reconciled with the proposed model.
Smol argues
Almost all jurisdictions agree that human organs should not be able to be bought and sold. Similarly, most agree that an increase in the supply of organs available for potentially life-saving transplantations is desirable. However, the former position, as reified in the legal principle that there is no property in the body, has impeded the latter objective. While organ transplantation training and technology in developed nations has grown affordable and accessible, the supply of donated organs for these operations remains vastly lower than demand.
One explanation for this organ shortage is that attitudes to the body, living and dead, have not kept pace with technology. Most organs are procured for transplantation by altruistic donation. This article focusses specifically on cadaveric donation by the recently deceased or brain-dead, which can be done for various organs with high rates of success. The no property in the body principle forbids sales, thus limiting the supply of transplant organs to those donated (that is, without compensation). Unfortunately, this practice facilitates fewer transplantations than are needed to save the lives of all who suffer organ failure. In 2011, 477 New Zealanders began to receive renal replacement therapy, while replacement kidney transplants totalled only 118; patient deaths totalled 412; of these, 44 had undergone transplant surgeries, but the vast majority (368) died while on dialysis (an expensive and non-curative alternative), presumably waiting for a transplant. 
This article will analyse this organ shortage problem from a consequentialist perspective. The restriction of property rights over cadaveric organs under the current legal paradigm fails to efficiently incentivise and safeguard the retrieval of those organs for lifesaving procedures. Part II overviews domestic and international law regarding property rights in cadavers and organs. Part III provides an economic analysis of cadaveric procurement, and recommends a heavily regulated property right in cadaveric organs, exercisable through futures contracts for cadaveric procurement. Part IV assesses non-consequentialist opposition to property rights revolving around Kantian dignity and the commodification of the human body. Ultimately, a detailed and highly regulated monopsonistic system allowing the sale and purchase of futures contracts for the right individuals’ organs in the event of their death would efficiently increase organ procurement. With careful implementation it could save lives while negotiating and accommodating legitimate normative concerns.

Fake medications and professional discipline

Last year I noted controversy over fake pharmaceuticals in Sydney. It is of interest regarding the identification of product authenticity and professional regulation.

In Attia v Health Care Complaints Commission [2018] NSWCATOD 131 the Tribunal yesterday stated
The applicant having graduated with a Bachelor of Pharmacy from the University of Sydney in 1998 was granted provisional registration as a pharmacist in New South Wales on 7 October, 1998 and full registration on 10 October, 1999. At the time of the occurrence of the events which led up to the cancellation of the applicant’s registration he owned a number of pharmacies. He also operated a pharmacy wholesale business under the trading name Hillmear Trading Pty Limited (“Hillmear”). Hillmear had a licence to wholesale pharmaceutical goods under the Poisons and Therapeutic Goods Regulation, being goods which in general terms were restricted substances and required a prescription from a medical practitioner before they could be sold to the public. One such restricted substance is Viagra, which is used to treat erectile dysfunction, and is also used in the treatment of pulmonary arterial hypertension. This latter use has application for paediatric patients. A condition of the wholesaler licence was that restricted substances could only be obtained from the holder of a licence or authority issued under a Commonwealth or State law. 
Hillmear acquired a quantity of Viagra from a Mr Sajay Rai in March 2010. At that time the applicant had had previous dealings with Mr Rai, in supplying by way of wholesale “general products” such as confectionery and coffee and over-the-counter medication such as Panadol. He thought that Mr Rai “dealt in sort of oversupply and end lines and that type of nature.” At that time the applicant was dealing with about half a dozen licensed wholesalers all of whom except for Mr Rai would send a product list from which purchases could be made. However, Mr Rai operated in a different manner. He did not send a product list, and he would call in from time to time offering product which he carried with him in a van. The applicant said that he assumed that Mr Rai was a TGA licensed wholesaler because he had offered to sell him a variety of products some of which were scheduled and some unscheduled. These included cold and flu products, Panadol, Nurofen and Nicabate. 
In late February 2010 Mr Rai came to the applicant and offered to sell him some Viagra at a price which was less than could be obtained directly from the manufacturer, Pfizer. Mr Rai left one or two samples with him. The applicant said he did not test the samples but did check their expiry date, batch number and other details. He could not recollect seeing anything different from the normal product. The applicant did not contact Pfizer to ascertain whether the product was genuine, and did not conduct any tests himself. He purchased 55 units of Viagra from Mr Rai on 3 March, 2010 and a further 1000 units on 9 March, 2010. His purchase price was $54.27 a unit, whereas the “normal” price was between $60 and $63. Those products were on-sold to other wholesalers. 
As it transpired, at least some of the Viagra which had been purchased from Mr Rai was counterfeit. A number of complaints had been made by customers of retail pharmacies that the product “did not work”, and a pharmacist at the Sydney Children’s Hospital had alerted Pfizer to the fact that these tablets were of a different consistency to the normal product when mixing them to be given to children. Pfizer immediately recalled its product and instituted an investigation, as did the TGA Regulatory Compliance Unit. Enquiries were later conducted of the applicant by the respondent. 
When initially questioned by TGA officers, the applicant informed them that he had purchased 55 units of Viagra on 3 March, 2010 at a cost of $2985.71 and 1000 units of Viagra together with a shipment of shampoo also in early March for a total cost of $83,583.50. He produced a copy of an invoice relating to the first purchase issued in the name of Tamer Distributors Pty Limited. At the bottom of that invoice there was handwritten the name “Michael”, a phone number and “cheque 1612”. It was later discovered that that company did not exist, the phone number was no longer current and that the cheque 1612 had been paid into the bank account of a pharmacist employee of the applicant. At a later time the applicant told investigators that he may have paid for the first invoice in cash but had written cheque number 1612 in order to reconcile his company’s books of account. His explanation given in evidence in the original proceedings before the Tribunal was that he had been untruthful in claiming that he had paid for the first purchase by cheque because he was concerned “about the transactional aspects of the deal.” 
When interviewed on 16 June 2010 the applicant told the investigators that the paperwork for the second purchase was not on his premises and undertook to forward it to them. Upon receipt of a further request for that invoice the applicant informed the TGA officers on 21 June, 2010 that payment for the first invoice had been paid into an account belonging to CD3 Investments. On 24 June, 2010 the applicant informed the TGA investigators that he had located the invoice for the second purchase which had been issued by Tamer Distributors for 1000 units of Viagra at a cost of $57,000 and for shampoo at a cost of $26,538.66, being a total cost of $83,538.66. He said he had been instructed to pay the second purchase by money transfer to a nominated Commonwealth Bank account which he understood belonged to CD3 Investments. It was later ascertained that that entity did not exist. An investigator retained by Pfizer noted that the two invoices were “completely different”. The second invoice was computer-generated on A4 paper and the other was handwritten on a manual invoice. 
There were also discrepancies concerning payments made by the applicant’s company for the second invoice in the sum of $83,583.50 and an amount which had been deposited into Mr Rai’s account of $85,538. The applicant was not able to offer any explanation for this discrepancy. 
In addition to the above payments, investigators discovered that Hillmear had made a further payment to Mr Rai by bank transfer in June 2010 in the sum of $86,000. When asked why he had not disclosed this payment, the applicant replied that he had not been questioned about it. His explanation was that he had put in a further order for Viagra, but had cancelled that order when approached by TGA investigators. He said that Mr Rai had not repaid that amount. 
In the course of its decision, the Tribunal made the following factual findings:
(1) On two occasions in 2010 the applicant purchased a substance purporting to be Viagra tablets by wholesale from a person without a wholesaler licence, namely Mr Rai, in breach of a condition of his wholesale licence. So much was conceded by him for the purpose of those proceedings. 
(2) The Viagra was counterfeit, the applicant failed to ensure that it was genuine by contacting Pfizer to confirm the batch number and expiry date, the price offered by Mr Rai was significantly below the market rate, and this was the first occasion that Mr Rai had offered to supply a restricted substance.
(3) The applicant had given untruthful accounts to the investigators, particularly in describing the manner in which payment for the first delivery had been made. He had delayed informing the investigators of the identity of Mr Rai, and failed to refer to the last payment of $86,000 in June 2010 until he was confronted with Mr Rai’s bank records. 
(4) In his evidence before the Tribunal the applicant claimed that he had not looked inside the sample boxes of Viagra left by Mr Rai. This evidence was rejected because it was inconsistent with information given by him to the respondent’s investigators in February 2015 of having looked at the information leaflet and observing that the tablets were stamped. 
(5) In all the circumstances, the applicant should have known that the Viagra being supplied was not genuine. (It should be noted that the Tribunal specifically eschewed any finding that the applicant had actual knowledge that the product was not genuine). 
(6) The applicant provided false or misleading information to the TGA throughout the course of its investigation. He took 10 days to supply the TGA with the name and contact details of Mr Rai, he claimed the first payment was made by cheque and did not disclose the $86,000 bank transfer made in June 2010. 
(7) The invoice for the first payment was false because Tamer Distribution did not exist, no payment was made by cheque and cheque number 1612 was an incorrect number. A reference to a person named Michael and a telephone number were also incorrect. The applicant had sought to conceal “critical details and the true nature of the transaction” and thus mislead the investigators, as had been conceded by him in the course of giving evidence.
Based on the factual findings made and having regard to the totality of the circumstances, the Tribunal concluded that the conduct of the applicant fell significantly below the relevant standard being that of a pharmacist of an equivalent level of training or experience of the applicant. It concluded that he was guilty of professional misconduct.
In its latest decision the Tribunal considered the appeal by Mr Attia regarding his suspension as a health professional. After a discussion of community expectations, examination of references and assessment of Attia's acknowledgment of wrongdoing the Tribunal continued the suspension.

Consumer Data Right Consultation

The national Department of the Treasury has opened consultation regarding the Treasury Laws Amendment (Consumer Data Right) Bill 2018 (Cth), dealing with the Consumer Data Right.

Treasury summarises the Bill as follows -
1.1 The Consumer Data Right (CDR) will provide individuals and businesses with a right to efficiently and conveniently access specified data in relation to them held by businesses; and to authorise secure access to this data by trusted and accredited third parties. The CDR will also require businesses to provide public access to information on specified products they have on offer. CDR is designed to give customers more control over their information leading, for example to more choice in where they take their business, or more convenience in managing their money and services. Over time it is expected that these same benefits will be rolled out to other sectors of the economy. 
1.2 The Government has committed to applying the CDR to the banking, energy and telecommunications sectors. The CDR relating to banking data is commonly referred to as “Open Banking”. 
1.3 CDR will reduce the barriers that currently prevent potential customers from shifting between banking and other service and utility providers. Through requiring service providers to give customers open access to data on their product terms and conditions, transactions and usage, coupled with the ability to direct that their data be shared with other service providers, we would expect to see better tailoring of services to customers and greater mobility of customers as they find products more suited to their needs. 
1.4 The CDR places the value of consumer derived data in the hands of the consumer and will enable a range of business opportunities to emerge as new ways of using the data are discovered. Consumers will be the decision makers in the CDR system and will be able to direct where their data goes in order to obtain the most value from it. 
1.5 Strong privacy and information security provisions are a fundamental design feature of the CDR. These protections include Privacy Safeguards and additional privacy protections through the consumer data rules. The OAIC will advise on and enforce privacy protections. Consumers will have a range of avenues to seek remedies for any breach of their privacy including access to internal and external dispute resolution. 
Context of amendments 
1.6 On 26 November 2017, the Government announced, as a partial response to the Productivity Commission’s Inquiry into Data Availability and Use (the PC Data Report), the introduction of a Consumer Data Right (CDR) with application initially in the banking, energy and telecommunications sectors. The Government confirmed its commitment to the CDR and announced the creation of a new National Data Commissioner, as part of its full response to the PC Data Report on 1 May 2018. 
1.7 In its response to the Productivity Commission’s Data Report the Government announced that CDR will be introduced to provide individuals and businesses with a right to efficiently and conveniently access specified data about them held by businesses. Under the CDR consumers can also authorise secure access to this data by trusted and accredited third parties. The CDR will also require businesses to provide public access to information on specified products they have on offer. A key feature of the right is that access must be provided in a timely manner and in a useful digital format.
1.8 On 20 July 2017, the Treasurer commissioned the Review into Open Banking in Australia 2017 (Open Banking Review) to recommend the best approach to implementing Open Banking. The report recommended that Open Banking be implemented through a broader CDR framework. The report was then released for public consultation on 9 February 2018 and on 9 May 2018 the Government responded to the Open Banking Review, agreeing to all the recommendations, other than the recommendation about the timing for implementation. 
1.9 The CDR implements recommendations from a wide range of reviews. Notably, the Competition Policy Review 2015 (the Harper Review), was the first to recommend data access and portability rights in an efficient format across the economy. This recommendation was further developed in the Productivity Commission’s Inquiry into Data Availability and Use 2017 and the Australia 2030: Prosperity through Innovation Review 2017 (ISA 2030). 
1.10 A number of reviews have recommended data portability rights in specific sectors including the Financial System Inquiry 2015 (the Murray Inquiry), the Northern Australia Insurance Premiums Taskforce Final Report 2016, the Review of the Four Major Banks 2016 (the Coleman Review), the Independent Review into the Future Security of the National Electricity Market – Blueprint for the Future 2017 (the Finkel Review), the draft report on Competition in the Australian Financial System 2018, COAG’s report Facilitating Access to Consumer Energy Data, the Australian Small Business and Family Enterprise Ombudsman’s report Affordable Capital for SME Growth, and the ACCC’s Electricity Supply and Prices Inquiry 2018. 
1.11 The CDR provides access to a broader range of information within designated sectors than is provided for by Australian Privacy Principle (APP) 12 in the Privacy Act. While APP 12 allows individuals to access personal information about themselves, the CDR applies to data that relates to individual consumers, as well as business consumers. It also provides access to information that relates to products. 
1.12 As the CDR covers both competition and consumer matters, as well as privacy and confidentiality concerning the use, disclosure and storage of data, the system will be regulated by both the ACCC and the OAIC. The ACCC will take the lead on issues concerning the designation of new sectors of the economy to be subject to the CDR and the establishment of the consumer data rules. The OAIC will take the lead on matters relating to the protection of individual and small business consumer participants’ privacy and confidentiality, and compliance with the CDR privacy safeguards. 
1.13 A Data Standards Body will also be established to assist a Data Standards Chair as he or she makes data standards. These data standards will explain the format and process by which data needs to be provided to consumers and accredited entities within the CDR system. Initially, this function will be undertaken by Data61 of the CSIRO. 
Summary of new law 
1.14 The CDR creates a new framework to enable consumers to more effectively use data relating to them for their own purposes. While initial application will be to the banking sector, the Government has committed that the telecommunications and energy sectors will soon also be subject to the CDR creating opportunities in these key areas of the economy for consumers to ensure that they are getting the best deal for their circumstances. 
1.15 Further sectors of the economy may be designated over time, following sectoral assessments by the ACCC in conjunction with the OAIC. 
1.16 The CDR framework gives consumers control over their consumer data. It will enable them to direct the data holder to provide their data, in a CDR compliant format, to accredited entities including other banks, telecommunications providers, energy companies or companies providing comparison services. CDR also allows consumers to access their own data without necessarily directing that the data be provided to a third party. The CDR system may also see the emergence of new data driven service providers. 
1.17 The ACCC is provided with the power to make rules, in consultation with the OAIC, that will determine how CDR functions in each sector. 
1.18 Entities must be accredited before they are able to receive consumer data. This will ensure that the accredited entities have satisfactory security and privacy safeguards before they receive CDR data. 
1.19 Data relating to a consumer will be subject to strong privacy safeguards once a consumer requests its transfer to an accredited recipient. These safeguards are comparable to the protections for individuals contained in the APPs. The safeguards provide consistent protections for consumer data of both individuals and business enterprises. They also contain more restrictive requirements on participants than those applying under the Privacy Act. 
1.20 The data must be provided in a format which complies with the standards. While the standards may apply differently across sectors, it is important that the manner and form of the data coming into the CDR system be consistent within and between designated sectors, as far as is practicable. This will promote interoperability, reduce costs of accessing data and lower barriers to entry by data driven service providers – promoting competition and innovation. 
1.21 All individual and small business consumers in a designated sector to which the CDR applies will have access to dispute resolution processes to resolve disagreements with participants in the system. It is envisaged that sectors will access existing alternative dispute resolution arrangements, for example AFCA. 
1.22 The CDR will provide the OAIC with the function of enforcing the privacy safeguards and providing individual remedies to consumers, while the ACCC will have the function of enforcing the balance of the regime and for taking strategic enforcement actions.

14 August 2018


'Integrity of Purpose: A Legal Process Approach to Designing a Federal Anti-Corruption Commission' by Grant Hoole and Gabrielle Appleby in (2017) 38(2) Adelaide Law Review 397 draws
from traditional legal process theory to advance a methodology for the design of a federal anti-corruption commission. Legal process theory stresses the dynamic, evolving, and interactive nature of legal institutions within a systemic context. It highlights the fact that the strength of legal systems depends upon their institutional components functioning harmoniously according to purpose, and observing appropriate institutional boundaries. Drawing from the legal process literature, we articulate a theory of ‘integrity of purpose’: a vision of how institutions can be designed to fulfil their roles through simultaneous pursuit of their mandates and cognisance of their boundaries. We then apply integrity of purpose to inform design choices surrounding several aspects of a potential federal anti-corruption commission: its normative purpose, investigative jurisdiction, and power to conduct formal hearings and issue findings. Our approach treats questions of institutional purpose as inseparable from questions of procedure, and presents a novel means of translating legal analytic principles into a forward-thinking framework for institutional design. 
The authors argue
The time is ripe for a renewed conversation about the purpose and design of standing anti-corruption commissions across Australia. Such commissions have been prominent fixtures in Australian public and political life at the state level for more than three decades. Their creation in the 1980s and 1990s followed the sweep of ‘new administrative law’ reforms designed to strengthen and increase the accessibility of public accountability mechanisms. Since that time, each state has created a standing anti-corruption commission, and there has been ongoing debate about their proper role and conduct. The Commonwealth government has resisted calls for it to create a federal commission, but in the wake of recent bribery, expenses and foreign donations scandals, pressure to do so is growing. 
Any civic institution having the lifespan, profile, and influence of Australia’s anti-corruption commissions is bound to attract ongoing critical attention. For the most part, this is a good thing: revisiting foundational questions of institutional design is essential to ensuring that anti-corruption commissions remain relevantly faithful to their animating values and limits. Such debates offer a rich and informative base from which to derive questions of institutional purpose and design for a possible federal body. These questions include:
1. What precisely is the impropriety against which standing anti-corruption commissions are directed? 
2. How should commissions be integrated with the existing mandates, powers, and activities of institutional counterparts, including, for instance, the police and the processes of criminal law? 
3. Should jurisdictional concepts like ‘corruption’ and ‘integrity’ be cast broadly, allowing commissions latitude to investigate and address wrongdoing of diverse varieties, or narrowly, confining the powers of commissions to highly specific mandates?  
4. What powers do commissions require to achieve their objectives? 
5. Are the specified institutional objectives of commissions best advanced by undertaking their functions in public or in private? 
6. To what extent should the pursuit of those objectives be balanced against possibly harsh effects of the exercise of the commissions’ powers on individuals? 
7. How can institutional design reconcile the pursuit of the commissions’ objectives with higher-order public law principles, including natural justice? 
There are no straightforward answers to these questions, and their resolution will ultimately depend on balancing a range of competing priorities in context. That process will nevertheless be aided by linking specific design decisions to coherent and consistent base principles which reflect the commission’s essential purpose and its fidelity to values latent in Australia’s legal system (and indeed, in the very idea of the rule of law). To this end, we offer an approach rooted in legal process theory. 
Legal process theory describes a field of analytic jurisprudence that held broad influence over American legal scholars in the middle of the 20th century. By focusing attention on the manner in which procedure simultaneously enables and bounds public purposes, the legal process school presents a distinct and very pragmatic way of understanding legal institutions and their interrelation. We employ principles from that school to advance our own theory of integrity of purpose: a vision of how institutions can be designed so as to fulfil their roles through simultaneous pursuit of their mandates and cognisance of their boundaries. 
While the legal process tradition has fallen into relative desuetude, its influence is felt in many familiar legal approaches, including in the conventional account of statutory interpretation, in ascertaining questions of jurisdiction, and in reconciling discrete legal outcomes with higher order principles of law. What our unearthing and deployment of traditional legal process theory reveals is that these methods are useful not only to conventional legal problem-solving, but to informing proactive, pragmatic, forward-looking decisions in the design of legal institutions themselves. It is this goal that we pursue in applying our integrity of purpose approach to advance design features for a future federal anti-corruption commission. 
In Part II, we introduce legal process theory and link its tenets to recent scholarship on the ‘integrity branch’ in Australian law. Legal process theory helps to shed light on the dynamic, interactive, and evolving nature of institutions comprising the integrity branch. We incorporate each of these ideas into our theory of integrity of purpose, outlining an analytic to guide the introduction of new integrity institutions to an existing governance landscape. In Part III, we apply integrity of purpose to address a series of design questions that accompany the creation of a federal anti-corruption commission. Our account moves from the theoretical to the practical: having shared a legal process account of what it means for legal institutions to embody distinct purposes and honour intended boundaries, we offer a series of specific recommendations about the powers and procedures of a new federal commission. Several of these recommendations challenge the current design and conduct of anti-corruption commissions at the state level.

Crypto and the Cth Telco 'Assistance and Access' Bill

The Australian Government has released the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (Cth) "to secure critical assistance from the communications industry and enable law enforcement to effectively investigate serious crimes in the digital era", significantly extending the Telecommunications (Interception and Access) Act 1979 (Cth).
The Bill provides national security and law enforcement agencies with powers to respond to the challenges posed by the increasing use of encrypted communications and devices. The proposed changes are designed to help agencies access intelligible communications through a range of measures, including improved computer access warrants and enhanced obligations for industry to assist agencies in prescribed circumstances. This includes accessing communications at points where it is not encrypted. The safeguards and limitations in the Bill will ensure that communications providers cannot be compelled to build systemic weaknesses or vulnerabilities into their products that undermine the security of communications. Providers cannot be required to hand over telecommunications content and data.
The Bill seeks to amend the Telecommunications Act 1997 (Cth), Australian Security Intelligence Organisation Act 1979 (Cth), Mutual Assistance in Criminal Matters Act 1987 (Cth), Surveillance Devices Act 2004 (Cth), Telecommunications (Interception and Access) Act 1979 (Cth), International Criminal Court Act 2002 (Cth), International War Crimes Tribunals Act 1995 (Cth), Crimes Act 1914 (Cth), and Customs Act 1901 (Cth).

The 167-page background document states:
... encrypted devices and applications are eroding the ability of our law enforcement and security agencies to access the intelligible data necessary to conduct investigations and gather evidence. 95 per cent of the Australian Security Intelligence Organisation's (ASIO) most dangerous counter-terrorism targets actively use encrypted messages to conceal their communications. 
In many instances encryption is incapable of being overcome, limiting possible avenues for agencies to gain important information. However, in some instances, law enforcement agencies may access data by employing specialist techniques to decrypt data, or access data at points where it is not encrypted. This can take considerable time. In order to do this more effectively, Australia’s agencies need assistance from companies and individuals involved in the supply of communications services and devices in Australia. Globalisation and the advent of the internet have significantly increased the volume of communications that cross national borders and crucial services and products are increasingly being sourced from offshore providers. The purpose of the Bill is to allow agencies to seek help from providers, both domestic and offshore, in the execution of their functions. The Bill also provides agencies with alternative-collection powers, allowing them, under warrant, to access devices. The Bill explicitly provides that the new industry assistance powers cannot be used to compel communications providers to build weaknesses into their products. Cyber security will be ensured and privacy will be protected through robust safeguards in the Bill and the existing warrant regime for access to telecommunications content. ... 
The Bill introduces a suite of measures that will improve the ability of agencies to access intelligible communications content and data. Three distinct reforms will help achieve this purpose:
1. Enhancing the obligations of domestic providers to give reasonable assistance to Australia’s key law enforcement and security agencies and, for the first time, extending assistance obligations to offshore providers supplying communications services and devices in Australia. 
2. Introducing new computer access warrants for law enforcement that will enable them to covertly obtain evidence directly from a device. 
3. Strengthening the ability of law enforcement and security authorities to overtly access data through the existing search and seizure warrants.
It goes on to state:
Under section 313 of the Telecommunications Act 1997 (Telecommunications Act), domestic carriers and carriage service providers are required to provide ‘such help as is reasonably necessary’ to law enforcement and national security agencies. 
Schedule 1 of the Bill will enhance industry-agency cooperation by introducing a new framework for industry assistance, to operate alongside section 313. The Bill introduces new powers for agencies to secure assistance from the full range of companies in the communications supply chain both within and outside Australia. In consultation with industry, national security and law enforcement agencies and the Attorney-General will be able to specify what assistance or capability is required. 
Specifically, the Bill inserts a new Part 15 into the Telecommunications Act. This Part will:
  • Provide a legal basis on which a ‘designated communications provider’ can provide voluntary assistance under a technical assistance request to assist ASIO, the Australian Secret Intelligence Service (ASIS) and the Australian Signals Directorate (ASD) and interception agencies in the performance of their functions relating to Australia’s national interests, the safeguarding of national security and the enforcement of the law. 
  • Allow the Director-General of Security, or the head of an interception agency, to issue a technical assistance notice requiring a designated communications provider to give assistance they are already capable of providing that is reasonable, proportionate, practicable and technically feasible. This will give agencies the flexibility to seek decryption in appropriate circumstances where providers have existing means to decrypt. This may be the case where a provider holds the encryption key to communications themselves (i.e. where communications are not end-to-end encrypted). 
  • Allow the Attorney-General to issue a technical capability notice, requiring a designated communications provider to build a new capability that will enable them to give assistance as specified in the legislation to ASIO and interception agencies. A technical capability notice cannot require a provider to build or implement a capability to remove electronic protection, such as encryption. The Attorney-General must be satisfied that any requirements are reasonable, proportionate, practicable and technically feasible. The Attorney-General must also consult with the affected provider prior to issuing a notice, and may also determine procedures and arrangements relating to requests for technical capability notices. ...
The types of assistance that may be requested or required under the above powers include (amongst other things):
  • Removing a form of electronic protection applied by the provider, if the provider has an existing capability to remove this protection. 
  • Providing technical information like the design specifications of a device or the characteristics of a service. 
  • Installing, maintaining, testing or using software or equipment given to a provider by an agency. 
  • Formatting information obtained under a warrant. 
  • Facilitating access to devices or services. 
  • Helping agencies test or develop their own systems and capabilities. 
  • Notifying agencies of major changes to their systems, products or services that are relevant to the effective execution of a warrant or authorisation. 
  • Modifying or substituting a target service. 
  • Concealing the fact that agencies have undertaken a covert operation.
Assistance is expected to be provided on a no-profit, no-loss basis and immunities from civil liability are available for help given. The Bill maintains the default position that providers assisting Government should not absorb the cost of that assistance nor be subject to civil suit for things done in accordance with requests from Government. 
The new industry assistance framework is designed to incentivise cooperation from industry, providing a regime for the Australian Government and providers to work together to safeguard the public interest and protect national security. However, in the unlikely event that enforcement action is required, the Commonwealth can apply for enforcement remedies, like civil penalties, injunctions or enforceable undertakings. Enforcement of notices for carriers and carriage service providers will continue to be regulated by the Telecommunications Act. 
What are the limitations and safeguards? 
The new industry assistance framework has several important limitations and robust safeguards to protect the privacy of Australians, maintain the security of digital systems and ensure agency powers are utilised only where necessary for core law enforcement and security functions.
Reasonable, proportionate, practicable and technically feasible. In every case, the decision-maker must be satisfied that requirements in a technical assistance notice and technical capability notice are reasonable and proportionate and compliance with the notice is practicable and technically feasible. This means the decision-maker must evaluate the individual circumstances of each notice. In deciding whether a notice is reasonable and proportionate it is necessary for the decision-maker to consider both the interests of the agency and the interests of the provider. This includes the objectives of the agency, the availability of other means to reach those objectives, the likely benefits to an investigation and the likely business impact on the provider. The decision-maker must also consider wider public interests, such as any impact on privacy, cyber security and innocent third parties. In deciding whether compliance with the notice is practicable and technically feasible, the decision-maker must consider the systems utilised by a provider and provider expertise. 
Agencies still need an underlying warrant or authorisation. The new framework is designed to facilitate industry assistance – not serve as an independent channel to obtain private communications. Importantly, Schedule 1 does not change the existing mechanisms that agencies use to lawfully access telecommunications content and data for investigations (see process diagram on page 12). New technical assistance notices and technical capability notices cannot require that providers hand over telecommunications content and data without an underlying warrant or authorisation. Access to this material will still require a warrant or authorisation under the Telecommunications (Interception and Access) Act 1979 (TIA Act). The TIA Act has strict statutory thresholds that must be met. For example, a judge or Administrative Appeals Tribunal (AAT) member can only issue a warrant authorising the interception of communications where he or she is satisfied that the intercepted information would assist in the investigation of a serious offence (generally offences punishable by at least 7 years – see section 5D of the TIA Act). The judge or AAT member must have regard to the nature and extent of interference with the person’s privacy, the gravity of the conduct constituting the offence, the extent to which information gathered under the warrant would be likely to assist an investigation, and other available methods of investigation. The TIA Act also has prohibitions on communicating, using and making records of communications. 
Systemic weaknesses or vulnerabilities cannot be implemented or built into products or services. 
The Bill expressly prohibits technical assistance notices or technical capability notices from requiring a provider to build or implement a systemic weakness or systemic vulnerability into a form of electronic protection. This includes systemic weaknesses that would render methods of authentication or encryption less effective. The Australian Government has no interest in undermining systems that protect the fundamental security of communications. The new powers will have no effect to the extent that requirements would reasonably make electronic services, devices or software vulnerable to interference by malicious actors. Importantly, a technical capability notice cannot require a provider to build a capability to remove electronic protection and puts beyond doubt that these notices cannot require the construction of decryption capabilities. 
Notices must be revoked if requirements cease to be reasonable. Decision-makers must revoke a technical assistance notice or technical capability notice if satisfied that any ongoing requirements are no longer reasonable, proportionate, practical or technically feasible. Accordingly, notices that have become obsolete or excessively burdensome must be discontinued. These same notices may be varied to account for changing commercial and operational circumstances. 
Agencies cannot prevent providers from fixing existing systemic weaknesses. Notices cannot prevent a provider from fixing a security flaw in their products and services that may be being exploited by law enforcement and security agencies. Providers can, and should, continue to update their products to ensure customers enjoy the most secure services available. 
Core interception and data retention will not be extended. The powers cannot be used to impose data retention capability or interception capability obligations. These will remain subject to existing legislative arrangements in the TIA Act. 
Assistance that may be requested is defined. The types of things a provider may be required to do under a technical assistance notice are listed in the Bill. While this list is not exhaustive, as it relates to technical assistance notices, anything specified in these notices must be consistent with the matters specified in the legislation. In the case of technical capability notices, new capabilities can only be developed to ensure that a provider is capable of giving help as specified (exhaustively) in the Bill. 
The scope of agency notices is limited to core functions. Things specified in notices must be for the purpose of helping an agency perform its core functions conferred under law, as they specifically relate to:
  • enforcing the criminal law and laws imposing pecuniary penalties, or 
  • assisting the enforcement of the criminal laws in force in a foreign country, or 
  • protecting the public revenue, or 
  • safeguarding national security.
This will ensure that the scope of the powers is consistent with the purposes for which agencies currently seek assistance from domestic carriers and carriage service providers under section 313 of the Telecommunications Act.
Schedule 2 of the Bill provides an additional power for Commonwealth, State and Territory law enforcement agencies to apply, in certain circumstances, for computer access warrants under the Surveillance Devices Act 2004, similar to those available to ASIO in section 25A of the ASIO Act. An eligible judge or AAT member must approve the warrant and authorise the activities that can be done under the warrant. 
A computer access warrant will enable law enforcement officers to search electronic devices and access content on those devices. These warrants are distinct from surveillance device warrants, which enable agencies to use software to monitor inputs and outputs from computers and other devices. 
The things that may be specified in a warrant include:
  • entering premises for the purposes of executing the warrant 
  • using the target computer, a telecommunications facility, electronic equipment or data storage device in order to access data to determine whether it is relevant and covered by the warrant 
  • adding, copying, deleting or altering data if necessary to access the data to determine whether it is relevant and covered by the warrant 
  • using any other computer if necessary to access the data (and adding, copying, deleting or altering data on that computer if necessary) 
  • removing a computer from premises for the purposes of executing the warrant 
  • copying data which has been obtained that is relevant and covered by the warrant 
  • intercepting a communication in order to execute the warrant 
  • any other thing reasonably incidental to the above things. 
A computer access warrant will also authorise the doing of anything reasonably necessary to conceal the fact that anything has been done in relation to a computer under a computer access warrant. Concealment activities may occur at any time while the warrant is in force, or within 28 days after it ceases to be in force, or at the earliest time after this period at which it is reasonably practicable to do so. 
Where a computer access warrant is in place, a law enforcement officer may apply to a judge or AAT member for an order requiring a person with knowledge of the device to provide reasonable and necessary assistance. This provision is similar to section 3LA of the Crimes Act, which allows a constable to apply to a magistrate for an order requiring a person to provide assistance where a search warrant is in place. This ensures that law enforcement agencies that have a warrant for computer access will be able to compel assistance in accessing devices.