11 July 2020

Sunlight and 'Dirty Money'

The Commonwealth Electoral Amendment (Banning Dirty Donations) Bill 2020 (Cth) - a private members bill from Greens Senator Larissa Waters - is unlikely to get any legislative traction but is of interest in terms of the claim that it 'advances equality in the protection of freedom of expression'.

The Bill proposes amendments to the Commonwealth Electoral Act 1918 (Cth) to prohibit political donations from certain industries, and impose a cap on all other donations.
The purpose of the amendments is to strengthen the integrity and accountability framework underpinning Australia’s electoral system by preventing certain industries that have used, or have a strong public perception of using, political donations to influence policy decisions. Specifically, amendments are proposed to ban donations from:
  • property developers; 
  • the tobacco industry; 
  • the banking industry; 
  • liquor and gambling businesses; 
  • pharmaceuticals companies; 
  • the mining industry; and 
  • representative organisations for these industries. 
Waters claims
These amendments will improve the electoral system by strengthening the independence of parliament and increasing public confidence that politicians are guided by the public interest when making decisions, rather than the interests of donors. The amendments seek to remove undue influence by powerful industries on policy and funding decisions and enhance individuals’ capacity to take part in public life without those influences compromising their decision making capacity. 
The Bill also recognises the potentially corrupting influence of large donations, irrespective of their source, and imposes a cumulative limit on donations from any source (individual, organisation or business) of $3,000 per election term. The amendments extend the definition of “gift” to include subscription and membership fees and attendance at fundraising events to close the loophole that has allowed these significant sources of campaign income to remain undisclosed and unaccounted for.
An amended definition of ‘gift’ encompasses:
  • a gift of money or property; 
  • provision of a service for free or less than market-value; 
  • tickets or entry fees for fundraising events; 
  • membership fees for political parties, associated entities and political campaigners over $1,000; and 
  • interest-free loans. 
The restriction on prohibited entities, such as a 'mineral resources or fossil fuel extraction industry business entity' and 'tobacco industry entity (including both tobacco and inhaled nicotine products such as vaping)' encompasses 'close associates of the entity, including directors, officers or significant shareholders (or their spouses), related corporations, stapled entities, and significant unit holders in a trust company'. The 'prohibited donor' also  extends to industry representative organisations where the majority of the organisation’s members are prohibited donors, thus preventing donations being funnelled through industry bodies to seek to influence policies that would impact on industry members.

The amended Act would make it unlawful for any prohibited donor proxy to make a political donation. It is also unlawful for a person to accept a political donation made by or on behalf of a prohibited donor. To avoid any collusive schemes to circumvent the ban  a prohibited donor or proxy must not solicit another person to make a political donation. Where an unlawful political donation is accepted, an amount equal to the donation can be recovered by the Commonwealth as a debt against the body that received the donation.

Waters states
The industries included as prohibited donors were identified by the Senate Select Committee on the Political Influence of Donations as key industries exhibiting donation patterns that suggest undue influence over policy decisions and project approvals. The inquiry report of the Select Committee sets out various examples and recommends that these industries be banned from making political donations. This Bill implements that recommendation.
Less contentiously, the Bill seeks to cap donations per se, with  a $3,000 cap within a single election term and aggregation of donations. ( Donations to individual members, candidates, endorsed groups or State branches are treated as a donation to the relevant political party. Similarly, a political donation to a candidate or a member of a group will be treated as a donation to the group for the purpose of aggregating donations.)

Capping is intended to prevent
political donations made to, or for the benefit of a political party (including a State or local branch), a member of the Commonwealth parliament, a candidate, associated entity or political campaigner where the cumulative total of the donations exceeds the donation cap in the donation period. This provision recognises that unfettered freedom to donate significantly increases the risk of corruption through undue influence. Restricting the amount donors can contribute minimises the risk that large political donations will be used to exert disproportionate influence on the political process. ...  For the purposes of aggregated caps, the intention of the Act is not to capture all donations made to political campaigners that undertake a range of non-electoral work. For example, a large environmental organisation may engage in a wide range of conservation activities as well as some activities characterised as political campaign activities. Only donations or gifts received for the purpose of electoral expenditure will be counted towards the aggregate donations cap for associated entities and political campaigners. 
Waters comments that 'implementation of these provisions relies to an extent on the introduction of a comprehensive disclosure regime, which the Greens have long proposed and will introduce separate legislation to establish'.

In discussing the Bill the Explanatory Statement argues
A Bill to cap or prohibit political donations will ultimately limit the ability of political parties to engage in activities like electoral advertising and promotion, to express their policy positions to the public. Some argue that this could limit the right of prohibited donors to engage in the political process. However, the right to donate to a political party is not equivalent to the right to freedom of speech or political communication. Prohibited donors retain the right to campaign publicly, to advertise, and to articulate their political views on any issues they wish – they are simply prohibited from donating monies to political parties. 
The sectors identified as prohibited donors have demonstrated a frequent nexus between their operations and public policy, and the strong public perception of impropriety associated with political donations and decision making. The Select Senate Committee on the Political Influence of Donations sets out clear examples of this nexus and the extent to which the proximity of donations from key industries to policy or project determinations that advantage that industry suggest undue influence. Consistent with the majority judgment in McCloy v NSW, any burden on the implied freedom of political communication will be acceptable if it is for a legitimate purpose and a proportionate response to the corruption risks presented by the prohibited donors. The nature of the business activities undertaken by the prohibited industries identified in the Bill make it very likely that they will seek to influence policy outcomes in their collective self-interest. Banning political donations from these industries is a proportionate response to achieve the legitimate aim of more representative democracy.  ... 
The Bill only restricts the ability of prohibited donors to participate in political debate in one way – by restricting their ability to donate to political parties. Individuals will still be able to vote and corporations will still be able to publicly engage in the debate in every way possible, aside from making donations to political parties. The decision in McCloy v NSW supports the view that capping donations seeks to achieve the legitimate end of preventing and reducing corruption and undue influence by preventing the payments of large sums of money through political donations. The majority judgment notes (at [45] – [47]):
[t]he risk to equal participation posed by the uncontrolled use of wealth may warrant legislative action to ensure, or even enhance, the practical enjoyment of popular sovereignty”.

10 July 2020

Stablecoins

The FATF Report to G20 on so-called Stablecoins comments
 1. So-called stablecoins have the potential to spur financial innovation and efficiency and improve financial inclusion. While so-called stablecoins have so far only been adopted on a small-scale, new proposals have the potential to be mass-adopted on a global scale, particularly where they are sponsored by large technology, telecommunications or financial firms. In the same way as any other large scale value transfer system, this propensity for mass-adoption makes them more vulnerable to be used by criminals and terrorists to launder their proceeds of crime and finance their terrorist activities, thus significantly increasing their risk of criminal abuse for money laundering and terrorist financing (ML/TF) purposes. 
2. The Financial Action Task Force (FATF) sets international standards to combat money laundering, terrorist financing and the financing of the proliferation of weapons of mass destruction. The FATF Standards place specific anti-money laundering and countering the financing of terrorism (AML/CFT) obligations on intermediaries between individuals and the financial system, such as financial institutions. To mitigate the ML/TF risks of virtual assets, the FATF revised its Standards in June 2019 to require virtual asset service providers (VASPs) to implement the full range of preventive measures against ML/TF. 
3. In October 2019, the G20 asked the FATF to consider the AML/CFT issues relating to so-called stablecoins, particularly “global stablecoins” (i.e. those with potential for mass-adoption). This report sets out the FATF’s analysis of the AML/CFT issues relating to so-called stablecoins. Complementary reports from the Financial Stability Board (FSB), the International Monetary Fund (IMF) consider other implications of so-called stablecoins, including their financial stability and macroeconomic implications. 
4. The FATF has found that so-called stablecoins share many of the same potential ML/TF risks as some virtual assets, in virtue of their potential for anonymity, global reach and layering of illicit funds. Depending on how they are designed, they may allow anonymous peer-to-peer transactions via unhosted wallets. These features present ML/TF vulnerabilities, which are heightened if there is mass-adoption. 
5. When reviewing current and potential projects, so-called stablecoins appear better placed to achieve mass-adoption than many virtual assets, if they do in fact remain stable in value, are easier to use and are under sponsorship of large firms that seek to integrate them into mass telecommunication platforms.
6. The revised FATF Standards clearly did apply to so-called stablecoins. Under the revised FATF Standards, a so-called stablecoin will either be considered to be a virtual asset or a traditional financial asset depending on its exact nature. A range of the entities involved in any so-called stablecoin arrangement will have AML/CFT obligations under the revised FATF Standards. Which entities will have AML/CFT obligations will depend on the design of the so-called stablecoin, particularly theUnder the revised FATF Standards, a so-called stablecoin will either be considered to be a virtual asset or a traditional financial asset depending on its exact nature. A range of the entities involved in any so-called stablecoin arrangement will have AML/CFT obligations under the revised FATF Standards. Which entities will have AML/CFT obligations will depend on the design of the so-called stablecoin, particularly the extent to which the functions of the so-called stablecoin are centralised or decentralised, and what activities the entity undertakes. 
7. In a centralised arrangement, one entity governs the arrangement, and may operate the stabilisation and transfer mechanism, and act as the user interface (e.g. by offering custodial wallet and exchange and transfer services). In a decentralised arrangement, there may not be a central entity governing the system, and the stabilisation and transfer functions and user interface may be distributed amongst a range of different entities or be done through software. This is a continuum and a so- called stablecoin may sit anywhere along this spectrum. For example, a stablecoin arrangement may operate the stabilisation centrally, but the user interface may be distributed amongst other VASPs. 
8. Importantly, central developers and governance bodies of so-called stablecoins will have AML/CFT obligations under the revised FATF Standards, where they are carrying out the activities of a financial institution or VASP, in addition to the AML/CFT obligations of other entities with AML/CFT obligations, e.g. wallet providers. The central governance bodies of so-called stablecoins are in a unique position to undertake ML/TF risk mitigation, as they determine the functions of the so-called stablecoin, who can access the arrangement and whether AML/CFT preventive measures are built into the arrangement. For example, they could ensure that the access to the transfer system is only possible through AML/CFT-compliant regulated VASPs. Not all so-called stablecoins may have a readily identified central body however. 
9. Based on current known models, the FATF consider that so-called stablecoins with potential for mass-adoption will be centralised to some extent, with an identifiable central developer or governance body. The FATF considers that these developers and governance bodies will be, in general, financial institutions (e.g., as a business involved in the ‘issuing and managing means of payment’) or a VASP (e.g., as a business involved in the ‘participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset’) under the revised FATF Standards. This is an important control to mitigate the ML/TF risks poses by such so-called stablecoins. Furthermore, there will be a range of other entities with AML/CFT obligations even in a centralised arrangement, including customer-facing exchanges and transfer services and custodial wallet providers. 
10. While decentralised so-called stablecoins without such an identifiable central body, prima facie, may carry greater ML/TF risks due to their diffuse operation, the FATF considers that their potential for mass-adoption is lower than centralised arrangements and, therefore, their associated ML/TF risks are smaller (although still present). However, even in a decentralised structure, there could also be a range of entities with AML/CFT obligations, including customer-facing exchanges and transfer services and custodial wallet providers. Importantly, there are functions that may mean an entity has AML/CFT obligations prior to the launch of a decentralised so- called stablecoin, as the process necessary to bring a product to launch is unlikely to be able to be fully decentralised. 
11. The FATF considers that the preventive measures required of intermediaries under the revised FATF Standards have worked to mitigate the ML/TF risks posed by so-called stablecoins currently in existence. Accordingly, the FATF does not consider that the revised FATF Standards need amendment at this point in time. Nonetheless, the FATF recognises that this is a rapidly evolving area that must be closely monitored and that jurisdictions must be effectively implementing the revised Standards. 
12. In particular, it is important that ML/TF risks of so-called stablecoins, particularly those with potential for mass-adoption and increased anonymity, are analysed in an ongoing and forward-looking manner and are mitigated before such arrangements are launched. As so-called stablecoins could quickly become available globally, with their functions decentralised across multiple jurisdictions, international co-operation between jurisdictions is critical to ensure ML/TF risks are appropriately addressed. 
13. The FATF has also identified potential risks which may require further action, including; so-called stablecoins located in jurisdictions with weak or non-existent AML/CFT frameworks (which would not properly implement AML/CFT preventive measures) and so-called stablecoins with decentralised governance structures (which may not include an intermediary that could apply AML/CFT measures) and anonymous peer-to-peer transactions via unhosted wallets (which would not be conducted through a regulated intermediary). 
14. Accordingly, the FATF proposes four actions:
  • The FATF calls on all jurisdictions to implement the revised FATF Standards on virtual assets and VASPS as a matter of priority.
  • The FATF will review the implementation and impact of the revised Standards by June 2021 consider whether further updates are necessary. This will include monitoring the risks posed by virtual assets, the virtual asset market, and proposals for arrangements with potential for mass-adoption that may facilitate anonymous peer-to-peer transactions. 
  • The FATF will provide guidance for jurisdictions on so-called stablecoins and virtual assets, as part of a broader update of its Guidance. This will set out in more detail how AML/CFT controls apply to so-called stablecoins, including the tools available to jurisdictions to address the ML/TF risks posed by anonymous peer-to-peer transactions via unhosted wallets. 
  • The FATF will enhance the international framework for VASP supervisors to co-operate and share information and strengthen their capabilities, in order to develop a global network of supervisors to oversee these activities.

09 July 2020

Spooks, Telecommunications and the INSLM

The Independent National Security Legislation Monitor Report No. 9—A report concerning the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (aka TOLA) states
 1.2. The essential effects of TOLA are as follows:
a. Schedule 1 gives police and intelligence agencies new powers to agree or require significant industry assistance from communications providers. 
b. Schedules 2, 3 and 4 update existing powers and, in some cases, extended them to new agencies. 
c. Schedule 5 gives the Australian Security Intelligence Organisation (ASIO) significant new powers to seek and receive both voluntary and compulsory assistance. 
1.3. Schedules 1 and 5 have proven controversial; Schedules 2, 3 and 4 less so. 
1.4. My task is to consider the operation, effectiveness and implications of TOLA and whether it is necessary, is proportionate to the threats it seeks to meet and treats human rights properly. Where powers have not yet been used, my task involves prediction. 
1.5. As to necessity, I have concluded that, with 2 exceptions, TOLA is or is likely to be necessary. The first exception is that Schedule 1 must be amended to extend Technical Assistance Requests (TARs), Technical Assistance Notices (TANs) and Technical Capability Notices (TCNs) to integrity agencies, including any future Commonwealth Integrity Commission. The other exception is in Schedule 5: one aspect of the voluntary assistance power and corresponding civil immunity in s 21A(1) of the Australian Security Intelligence Organisation Act 1979 (Cth) (ASIO Act) is unnecessary and should be amended. 
1.6. As to proportionality and proper rights protection, TOLA will be compliant if, but only if, the central recommendations in this report are implemented. Most importantly, Schedule 1 should be amended to:  
a. remove the power from agency heads to issue TANs and from the Attorney-General to approve TCNs 
b. vest those issuing and approval powers in the Administrative Appeals Tribunal (AAT) in a way which will preserve and protect both classified and commercial-in-confidence material and allow independent rulings on technical questions such as ‘systemic weakness’ (definitions which, among others, should be amended) 
c. create a new statutory office - the Investigatory Powers Commissioner (IPC). The IPC should be a retired judge who will be appointed to the AAT and have access to technical advice. The IPC will assist in approving the issue of TANs and TCNs (as above) while monitoring the operation of Schedule 1 and issuing guidelines. (This can be done with minimal expense.) 
1.7. I have recommended that there be no change to the way that TARs are currently agreed between an interception agency head and a Designated Communications Provider (DCP) and the way the agreement then enables the relevant agency head to issue a TAR (although I have recommended the use of a prescribed form). This is in contrast with my recommendations on TANs and TCNs. It was almost unanimously agreed in non-government submissions that these notices should be authorised by either an independent tribunal member or a judicial officer and subject to meaningful judicial review once issued. Indeed, a number of stakeholders indicated that their main concern with the provisions in Schedule 1 was that no independent person is involved in the decision to issue a notice. The Australian Human Rights Commission raised human rights concerns on this point. Government submitters contended that there are already a number of conditions that apply to the issuing of compulsory notices, and these operate effectively and with sufficient oversight. My recommendations for TANs and TCNs build on these existing mechanisms to guarantee consideration of human rights, privacy and technical implications by the issuing authority. 
1.8. A related key point is the distinction between TANs and TCNs, which provide technical ‘access’; and warrants (and other similar instruments), which provide ‘content’. TANs and TCNs do not provide the authority to obtain content from a DCP without an underlying warrant, and the Government has submitted that these notices are merely a mechanism to ensure that whatever data is obtained under a lawful warrant is accessible and comprehensible to the interception agency. I have not accepted the Government’s argument as to the distinction in this regard. 
1.9. I consider that there is a greater need for safeguards in the virtual world than in the physical world, for both reasons of trust and the wide and unknown impact of technology. At a public hearing of this review, Professor Peter Leonard, from the Law Council of Australia, stated in relation to trust:
In the digital world, digital trust of citizens is affected by activities that may not relate to their specific digital activities. So we always need to consider, as we look at the digital world, the effect on broader digital trust of citizens, and potentially undermining that trust. Now, often a degree of undermining that trust will be justified in national security or law enforcement, but I do think that you can’t take the digital world as an exact analogue of the physical world, because of that different nature of the digital system. 
1.10. This chapter provides an overview. It should be read with the whole of the report. 
The review 
1.11. TOLA was enacted in December 2018 after targeted government consultation and limited time for parliamentary scrutiny. Many communications providers regarded this as unsatisfactory. 
1.12. By s 7A of the Independent National Security Legislation Monitor Act 2010 (Cth) (INSLM Act), the Parliamentary Joint Committee on Intelligence and Security (PJCIS) may refer to me any matter which it ‘becomes aware of in the course of performing its functions … and … considers should be referred’. 
1.13. In March 2019, having issued 2 reports on TOLA, the PJCIS requested that I consider the necessity and proportionality of that legislation in view of the threats it seeks to meet, and its effects on human rights, and to report back by June 2020. 
1.14. The review has held extensive consultations in Australia, the United Kingdom (UK) and the United States (US); held public and private hearings; and received many submissions, which are listed in Appendix B and summarised in Appendix E of this report. 
1.15. This report complies not only with the request from the PJCIS but also with the requirements contained in s 6(1D) of the INSLM Act to review TOLA. The report’s  aim is both to assist the PJCIS in its pending review of TOLA and also, as the INLSM Act’s object states, to ‘assist Ministers’. I have had access to the as yet unpublished Comprehensive Review of the Legal Framework of the National Intelligence Community and taken it into account. 
1.16. This report is suitable to be, and should be, made public save for a small but necessarily classified annexure, which I am only able to provide to the PJCIS and ministers. 
1.17. If, as I recommend, TOLA and related Acts are included in my ‘own motion’ powers of review in the INSLM Act, my successors will be able to update this review as necessary and as they see fit. 
1.18. TOLA is a lengthy and complex Act which itself amends many laws, extends beyond national security and counter-terrorism concerns to crime generally, and operates in an environment of ever-changing technology. Also, as extensive engagement with this review has shown, it could affect many important and legitimate businesses both in Australia and overseas. 
1.19. Because of these matters, and the need for extensive consultation, it has been the most complex and difficult report I have produced. I am therefore grateful for the indispensable support I have received from those providing briefings, submissions and feedback; and, of course, those assisting me. 
TOLA’s 5 schedules 
1.20. TOLA is an Act with 5 schedules which runs to over 200 printed pages. Apart from the Telecommunications Act 1997 (Cth) itself, TOLA amends, sometimes extensively, complex and frequently amended Acts such as the ASIO Act, the Crimes Act 1914 (Cth), the Customs Act 1901 (Cth), and the Surveillance Devices Act 2004 (Cth) (SD Act). I analyse TOLA in detail later. Here I note its essence. 
1.21. Schedule 1 is the main focus of this report. It contains amendments that enable police and intelligence agencies (but not integrity agencies) to either request or compel by notice a DCP - a term which deliberately covers a broad range of persons and companies in the communications supply chain - to provide technical assistance, thereby overcoming the problem of ‘going dark’, and making intelligible digital content and data.  
(a) review the operation, effectiveness and implications of the amendments made by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018; and 
(b) do so as soon as practicable after the 18-month period beginning on the day that Act receives the Royal Assent. 
1.22. The assistance which may be required from or agreed with a DCP is not only access to content and metadata but also technological assistance such as removing electronic protection, providing technical information, formatting information and facilitating access to devices and other listed acts or things. Schedule 1 provides for:
a. a TAR, which is a request agreed by an agency and a DCP 
b. a TAN, which is issued by an agency head 
c. a TCN, which is issued by the Attorney-General with the concurrence of the Minister for Communications. 
1.23. TARs (now being used), TANs and TCNs (not yet used but very likely to be used) cannot be specifically disclosed publicly or to DCP customers. They provide civil and criminal immunity according to their terms. There are a number of technical concepts or limits in Schedule 1, including whether a TAN or TCN is reasonable and proportionate, technically feasible or would result in a systemic weakness or systemic vulnerability. 
1.24. The 3 most significant complaints about Schedule 1, which I largely accept as valid, concern:
a. the absence of independent authorisation for the notices 
b. the inadequacy of various definitions of technical matters 
c. the absence of independent technical assessment of proposed notices. 
1.25. Schedule 2 establishes powers which enable federal, State and Territory law enforcement agencies to obtain covert computer access warrants when investigating certain federal offences. It amends a number of Acts to reform the existing computer access warrants available to ASIO, introduces computer access warrants for law enforcement agencies, and establishes an avenue for foreign governments and international courts and tribunals to request assistance in accessing data via a computer access warrant. Warrants are issued by the Attorney-General (for ASIO computer access warrants), or by an eligible judge or a nominated AAT member (for  SD Act computer warrants requested by a law enforcement officer or on behalf of foreign governments). 
1.26. Schedule 3 amends the existing search warrant framework under the Crimes Act to expand the ability of criminal law enforcement agencies to collect evidence from electronic devices. Other amendments include authorising the adding, copying, deleting or altering of other data if that is necessary to give effect to a warrant, while making it clear a search warrant cannot authorise police to do anything likely to materially interfere with, interrupt or obstruct a communication in transit or the lawful use of a computer or cause other material loss or damage.  Warrants are issued by judicial officers or AAT members, acting as persona designata rather than as representatives of the courts or tribunals of which they are members. Further, Schedule 3 expands the scope of the Australian Federal Police’s (AFP’s) power to obtain an assistance order to compel an individual to provide certain information or assistance to police; and amends the criminal penalties for failing to comply with an assistance order. 
1.27. Schedule 4 amends the search warrant framework under the Customs Act to ‘enhance the ability of the Australian Border Force (ABF) to collect evidence from electronic devices under warrant in person or remotely’.11 TOLA expands the types of actions that a warrant may authorise under the Customs Act. It authorises ABF officers to search premises for evidential material in relation to a specified offence, including using electronic equipment to access ‘relevant data’ that is held in a computer or data storage device found during a search, to determine whether the data is evidential material of a kind specified in the warrant.  Similar new provisions apply as under the Crimes Act (amended by Schedule 3), including with regard to adding and copying data and remote access, material interference and increased penalties for noncompliance.13 Approvals are the same as for Schedule 3. Further, Schedule 4 makes amendments to the ABF’s power to obtain an assistance order, including by amending the criminal penalties for failing to comply with an assistance order. 
1.28. Schedule 5 provides 2 new powers or capacities to ASIO.  
1.29. First, the Director-General of Security may issue a voluntary assistance request to a (legal or natural) person to engage in ‘conduct’ to assist ASIO in the performance of its functions (ASIO Act, s 21A(1)), and a person may volunteer to provide more limited assistance in relation to documents (ASIO Act, s 21A(5)). Where a person provides assistance requested by ASIO or volunteers assistance, immunity from civil liability ordinarily attaches to that conduct. 
1.30. Secondly, at the request to the Director-General of Security the Attorney-General may issue a compulsory assistance order compelling a person to assist in accessing data held on a computer or data storage device (ASIO Act, s 34AAA). 
1.31. My main concern with Schedule 5 is that s 21A provides a limited and certain capacity for assistance to be volunteered under sub-s (5) but a wider and uncertain power for ASIO to request conduct under sub-s (1). Given ASIO’s other powers to obtain information and assistance, I consider it is only necessary for ASIO to have power under s 21A(1) to request what equally could be volunteered under s 21A(5). 
Key principles and findings 
1.32. The stated purpose of TOLA is to amend a range of Commonwealth legislation to allow law enforcement and national security and intelligence agencies to ‘better work in the increasingly complex digital environment’ and ‘introduce measures to better deal with the challenges posed by ubiquitous encryption’.  Some of the many issues raised in these notions are discussed in more detail in Chapter 5, dealing with technology, Chapter 6, dealing with privacy, and in the detailed and helpful submissions I have received (see Appendix B for a list of submissions). Here I set out the key findings I have made and principles I have acted on. 
The threat landscape 
1.33. In assessing the necessity of the provisions of TOLA, I must consider the current threat landscape. 
1.34. In previous reports, I have noted that the level of threat of a terrorist act occurring in Australia remains at ‘probable’, and the evidence I have considered for the present review indicates that this position remains unchanged. 
1.35. This review has caused me to consider broader security and other threats to the political, commercial and societal interests of the nation. There are real threats of foreign interference in facets of our lives that we may take for granted. The extent of the use of the internet by hostile foreign states and their agents to engage in   espionage and foreign interference is still not fully appreciated, partly because of the covert and disguised means these actors use in their online activity. 
1.36. Because the World Wide Web and the related Internet of Things (together, the internet) have a large and growing role in all aspects of life around the globe, but particularly in a technologically advanced democracy such as Australia, the threats TOLA seeks to meet extend beyond the counter-terrorism and national security activities that I normally consider as INSLM, to the behaviour of criminal and other bad actors more generally. 
1.37. There is an ever-present threat of criminals engaging in online activities to perpetrate general but serious crimes, such as child sexual exploitation and sophisticated frauds. The breadth of these threats is facilitated by means which are increasingly complex and difficult to detect. As the Minister for Home Affairs recently said, ‘almost every crime type and national security concern has an online element’. 
1.38. To counter what is called ‘going dark’ by reason of encryption, agencies must adapt their techniques, and laws must be updated. I am satisfied from the evidence I have received from intelligence, police and integrity agencies that encryption of content and, to a lesser extent, metadata has made their essential tasks significantly more difficult, and in some instances impossible. I accept the necessity of a legislative response to ‘going dark’. 
Proportionality Context 
1.39. Necessity is one aspect of my review. The other is proportionality. Any legislative response to threats must be adapted, and proportionate, to the risk of them occurring. International human rights law and the INSLM Act both require consideration of proportionality and the related question of human rights protections. 
1.40. What makes this review unusually challenging is not only the complexity of the law but also the technological context, which includes events that can be viewed, metaphorically, as the shifting tectonic plates of our times. As Professor Sir David Omand has recently written, in terms I gratefully adopt:
We are living through the beginning of a revolution in human affairs enabled by the digitization of information and the means of communication through the Internet, the World Wide Web, and mobile devices (with the Internet of Things rapidly growing). We are now dependent on this technology for economic and social progress, for international economic development, and for national security and public safety. Trust has to be built both in the open Internet as a safe place to innovate, to do business, to shop, and to interact socially, and in the ability of the authorities to be able to uphold the law in cyberspace. That trust cannot be taken for granted. The Internet, and the World Wide Web that it carries, were not originally designed with security in mind, and many seek to exploit this weakness for their own antisocial, criminal, or aggressive ends. A global coincidence over the last fifteen years has shaped the rapid development of digital intelligence and heightened ethical concerns: the post-Cold War growth in demand for information about individuals to manage the threats from terrorists (especially after 9/11), international criminals, and other individuals of concern has coincided with the ability of the Internet and Web-based technologies, developed for commercial purposes, to supply detailed data about individuals in ways never before possible. Demand for and supply of such data have been interacting dynamically, and the process continues. 
The internet, privacy and trust: key conclusions 
1.41. Although many matters which arose in this review are open for debate, in my opinion at least the following matters are clearly established. 
1.42. As the internet became indispensable to the legitimate operations of, and interactions between, governments, corporations and other organisations, and individuals, it was also used by criminals and other bad actors for their illicit purposes. 
1.43. The internet was not designed with security in mind. To remedy this inherent weakness, widespread data content encryption and, to an increasing extent, metadata encryption has been used. Encryption seeks to maintain general confidence in the security of the internet. It is not only appropriate but also essential that it seeks to provide effective security and protection for:
a. internet communications and transactions 
b. government, commercial and private data 
c. the maintenance of legitimate personal rights to privacy, and its near relative, anonymity. 
1.44. Privacy can be an elusive concept and each legal jurisdiction has its own approach. Thus: 
a. international law recognises a right to privacy, while giving some leeway to nation states in how they respond 
b. European Union (EU) law enables the right to be forgotten  
c. the 4th Amendment to the Constitution of the United States is of significance to Australia in obtaining mutual assistance for the purposes of intelligence and countering crime 
d. although Australia has enacted a Privacy Act 1988 (Cth), neither the Australian Constitution nor the common law of Australia recognises a specific right to privacy. Instead, the common law mainly protects privacy through the requirement that, absent consent, there must be a legal basis for interference with personal property. 
1.45. In particular, Australia has inherited from English law and still maintains: 
a. a common law rule that holders of public office can only seize or access private property as authorised by law 
b. the historically entrenched practice that this is typically done by warrant, issued by persons independent of the agency which seeks to exercise the warrant. 
1.46. This rule:
a. applies to accessing and copying data content and metadata on personal devices such as computers and mobile phones, just as much as it does to searches of people or premises 
b. has rightly been said to recognise the ‘link between protection of personal property and protection of freedom of thought and political expression’   
c. as it states a fundamental right, is protected by the principle of legality, so that a statute which seeks to overcome it will only be effective in doing so by clear statement of intent or by necessary implication. Smethurst v Commissioner of Police [2020] HCA 14 [23] (Kiefel CJ, Bell and Keane JJ): ‘The power to search has always been regarded as an exceptional power, to be exercised only under certain justifying conditions. One essential condition, found in statutes authorising the issue of warrants for search and seizure, both Commonwealth and State and Territory, is that the object of the search be specified by reference to a particular offence.’ 
1.47. With rare exceptions - most notably, some ASIO warrants issued by the Attorney-General - independent serving judges and tribunal members issue these warrants to executive agencies and police in Australia. They act in a personal capacity, ‘persona designata’. This practice is rightly seen as a vital democratic safeguard in Australia - so much so that departing from it requires justification. 
1.48. Pre-TOLA, coercive statutory powers for access to intelligible data content and metadata were heavily relied on by intelligence, police and integrity agencies. (I should note that I do not generally see it as my role in this review to revisit the justification for such powers, many of which have operated for some time.) As encryption steadily deprived them of this access, the effectiveness of those powers diminished. A key justification put forward for TOLA is that it will reverse this trend. 
1.49. A fundamental principle guiding me in this review is that, just as we do not accept lawlessness in the physical world, we should not accept lawlessness in the virtual world. Therefore, in principle, the surveillance powers that apply in the physical world should also apply to the virtual world unless there are good reasons that they should not. 
1.50. In this report, I apply this fundamental principle together with a companion principle - that of ‘trust but verify’, which I have adopted from A Question of Trust as the theme of this work. The companion principle is that in the sceptical world in which Australian democracy operates: trust depends on verification rather than reputation, trust by proxy is not enough. Hence the importance of clear law, fair procedures, rights compliance and transparency. 
1.51. In this report I reject the notion that there is a binary choice that must be made between the effectiveness of agencies’ surveillance powers in the digital age on the one hand and the security of the internet on the other. Rather, I conclude that what is necessary is a law which allows agencies to meet technological challenges, such as those caused by encryption, but in a proportionate way and with proper rights protection. Essentially this can be done by updating traditional safeguards to meet those same technological challenges - notably, those who are trusted to authorise intrusive search and surveillance powers must be able to understand the technological context in which those powers operate, and their consequences. If, but only if, the key recommendations I set out in this report in this regard are adopted, TOLA will be such a law. 
Safeguards updated for new technology 
1.52. My UK counterpart, Jonathan Hall QC, in his most recent report has rightly written of terrorism legislation as follows:
[2.30] Modern technology calls into question legislation written in an earlier era, and terrorism legislation is no exception. Interrogating a phone can reveal more data than searching a house; information is electronic, and accessed, rather than physical, and seized; contact is encrypted and routed around the world; worldwide publication is open to every person with a smartphone. 
1.53. The same holds true for TOLA, whose scope and purpose extends well beyond countering terrorism. Take the familiar example of the personal mobile phone/device, which:
a. is an essential aspect of modern life: its use is not really optional for anyone seeking to fully participate in Australian life 
b. amalgamates the functions that were once performed by several devices: telephone, address book, calendar, emails, internet browser, camera, video camera, calculator, thermometer, pedometer, heart monitor, dictaphone and more 
c. is a ‘data rich’ environment - it contains not only an unprecedented amount of data content that its user may be broadly aware of, but also highly revealing metadata about the user’s movements, communications and thoughts that the user may be unaware of and, in some cases, is not capable of being aware of 
d. is the paradigm example of monetisation of our personal data, usually with technical consent but rarely, if ever, with our informed consent e. when its contents are revealed, can be devastating for the user’s privacy. As the US Supreme Court recently said of movement metadata of one man due to his phone’s tracking capacity, it was ‘revealing not only his particular movements, but through them his “familial, political, professional, religious, and sexual associations”’.   
1.54. DCPs are able to analyse and then profit from personal and commercial information that we reveal when we use the web - for example, they can ‘data mine’ using proprietary algorithms. This has resulted in some ‘tech titan’ DCPs having enormous (although opaque) power that is in some ways greater than many nation states. 
1.55. All of that information, frequently unknown and even unknowable to the user of a mobile but entirely new in its size, scope and type, if it is available to a DCP, is available to the Government and its agencies if there is a law permitting intelligible access (if that is technically possible). TOLA is such a law. 
Schedule 1 A double-lock for TANs and TCNs - a proportionate and more technically sound decision-making process 
1.56. In relation to Schedule 1, for the reasons set out in greater detail in the report, TANs and TCNs should be authorised by a body which is independent of the issuing agency or government. These are powers designed to compel a DCP to reveal private information or data of its customers and therefore the usual practice of independent authorisation should apply. 
1.57. I reject the argument advanced by agencies that ‘a key safeguard in Schedule 1 powers is that they cannot authorise access to data’, access being granted by separate warrant issued by a tribunal member or judge. This argument elevates form over substance; after all, Schedule 1 states that its purpose is to reverse the effect of going dark by making intelligible or otherwise useful the content of data already, or in future to be, accessed by warrant. Having accepted that as a key justification in the context of necessity, I cannot ignore it when considering proportionality and rights protection. 
1.58. A key safeguard in Schedule 1 is the general limitation that TANs and TCNs must be reasonable and proportionate. The factors to be weighed up in making that decision are comprehensive and, appropriately, cover such key issues as the interests of the issuing agency and the DCP, the necessity and objectives of the notice, its impact on third parties, the availability of other means to achieve the objectives of the notice, and the legitimate expectations of the Australian community relating to privacy and cybersecurity. But those factors should be weighed up by someone independent of the Government or the agency. That should also be so when determining whether complying with the notice is not ‘practicable’, not ‘technically feasible’, or would create a ‘systemic weakness’ or ‘systemic vulnerability’. 
1.59. I accept that the decision-makers who make decisions under TOLA (be they agency heads or the Attorney-General) will receive advice on technical matters, but the real question is one of independence and the appearance of it. This independence    engenders the necessary trust in the minds of members of the public that the powers are being exercised in a manner that is no more than is necessary. A proper appreciation of the impact of an intrusive TOLA power depends upon the issuer being independent of the agency concerned and, importantly, having technical knowledge. The powers under TOLA cannot be exercised, let alone their impact understood, in the absence of independent technical expertise. 
1.60. It was a consistent and, indeed, unanimous theme across non-government submissions that TANs and TCNs should be authorised by either an independent tribunal member or a judicial officer with the benefit of expert technical advice. A number of submissions drew upon the UK’s double-lock model of judicial authorisation which, as I explain later, involves an independent exercise of decision-making with the assistance of technical advisers. 
1.61. Law enforcement agencies, intelligence agencies and the Department of Home Affairs submitted that TOLA already contains safeguards as to independence and technical advice. 
1.62. The desirability of a decision-maker independent of the executive and its agencies is recognised in the Government’s Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (IPO Bill), which is a critical step that enables Australia to seek a bilateral agreement with the US under their Clarifying Lawful Overseas Use of Data Act 2018 (CLOUD Act). The IPO Bill would enable Australia to give effect to such a bilateral agreement by creating a new international production order framework that allows Australian law enforcement and intelligence/security agencies to issue or obtain extraterritorial orders for electronic data on foreign DCPs (where there is an agreement in place). 
1.63. Under the regime proposed under the IPO Bill, the Director-General of Security, a Deputy Director-General or ASIO employee may approve an application for an International Production Order (IPO), which then goes to the Attorney-General for consent, after which the application is sent to a nominated member of the Security Division of the AAT to approve persona designata. In view of the extensive powers already conferred upon the AAT, the mechanisms outlined in the IPO Bill and the other conclusions I have come to, I recommend the following: 
a. A new statutory office - the IPC - should be created to monitor the operation of the system of TANs and TCNs. The IPC should be a retired judge of the Federal Court or the Supreme Court of a State or Territory. The IPC would be appointed by the Governor-General, on the advice of the Attorney-General, following mandatory consultation on the appointment with the Leader of the Opposition.   
b. The IPC should be ‘dual hatted’ - the IPC should be appointed as a part-time Deputy President within the AAT and designated as the head of a new Investigatory Powers Division (IPD) of the AAT, with powers and procedures based upon the existing Security Division. One of the first tasks of the IPC, following wide consultations with interested persons, would be to recommend in detail how that system should work. 
c. The IPC would be required to concur in the appointment by the Governor-General of a suitable number of eminent, independent technical experts, who would also be assigned to the new IPD as part-time Senior Members. 
d. On the advice of the technical advisers, the IPC would approve and, where necessary, conduct hearings concerning TANs and TCNs. 
e. There should also be a registrar of the new IPD who would ensure proper protection of sensitive and classified material. 
f. In order to encourage industry support, there should be consultation with industry groups as to who should be appointed to these roles. 
g. To promote the interests of transparency and accountability, the IPC would provide the Attorney-General and the PJCIS with an annual report on the operation of Schedule 1, and any other functions that are later be conferred upon the IPC and the IPD. There should be the capacity to provide a classified annexure to these reports as necessary. 
No change to TARs 
1.64. For the reasons I give later in this report, I do not consider that there is any need to alter the present arrangements relating to TARs (except to recommend that a prescribed form be used). The TAR is not a coercive instrument. A DCP may freely choose to comply or not comply with a TAR without any legal consequence. Extension to integrity and anti-corruption agencies 
1.65. Integrity and anti-corruption agencies should have the same access to Schedule 1 TOLA powers as police do. These agencies are already empowered under other legislative schemes to exercise various investigative powers. 
The definitions of ‘systemic weakness’ and ‘systemic vulnerability’ 
1.66. I have been persuaded that the definitions of ‘systemic weakness’ and ‘systemic vulnerability’ are overlapping, create confusion and are not fit for purpose. 
1.67. There is little difference conceptually, or in normal or technical usage, between a ‘systemic weakness’ and ‘systemic vulnerability’. These terms are already used  interchangeably in industry and public discourse; there is no further need to use both in the TOLA. 
1.68. I have made other recommendations to amend the definition of ‘systemic weakness’ to bring it into line with the many helpful submissions I received from industry as to the application of those definitions to the technologies at hand. I am satisfied that these amendments, when considered and applied by the IPC, with the assistance of technical advisers, will best ensure that the integrity of the technology and systems used by DCPs is not compromised or the effects limited. 
Schedule 2 
1.69. I am satisfied that the computer access warrant and associated powers conferred by Schedule 2 are both necessary and proportionate, subject to some amendments. 
1.70. I am satisfied that agencies should retain the power to engage in telecommunications interception for the purposes of a computer access warrant without being required to obtain a separate warrant under the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act) authorising that interception. 
1.71. However, to the extent that computer access warrants permit steps to be taken to conceal the activities of the agency in accessing the relevant computers outside of a 28-day period following the expiry of the warrant, I consider that the agency should be required to obtain external approval for those steps. These warrants authorise actual, or potentially significant, incursions into privacy and property, whether it is in the accessing of the computer or the premises on which the computer is located. The decision-maker should be given the opportunity to consider and approve the steps that the agency proposes to take to conceal its activities where they occur a month or more after the warrant has expired. 
1.72. To the extent that a computer needs to be removed, I do not consider it a satisfactory limitation that the computer be returned ‘within a reasonable period’.  Instead, I recommend the item’s return ‘as soon as is reasonably practicable’. 
Schedules 3 and 4 
1.73. I am generally satisfied that the powers conferred by Schedules 3 and 4 are both necessary and proportionate, but there are some matters that should be addressed and further monitored.  Where the computer access warrant has been obtained by ASIO, this is subject to a situation in which the return of the item would be prejudicial to security. Where that is the case, it is permissible to retain the item until it is no longer the case. 
1.74. It should be declared that the powers under Schedules 3 and 4 do not authorise the detention of a person to whom the order applies where the agency in question does not otherwise have any lawful basis on which to do this. A simple statutory recognition of this would go a long way toward appeasing fears frequently expressed to me. 
1.75. I note that Schedules 3 and 4 introduced significant new offences and increased the penalties for noncompliance with an assistance order. The introduction of a monetary penalty as an alternative to imprisonment appears to be an appropriate and proportionate addition, but I consider it appropriate that the prospect of imprisonment for the new offences remains. Despite some concerns about the broadening of offences and increases in penalties, I accept the necessity and proportionality of the increase in criminal penalties for failure to comply with an assistance order and of the introduction of aggravated offences in relation to the more general offences. However, I do recommend that agencies and external stakeholders continue to monitor any prosecutions or penalties. 
Schedule 5 
1.76. I have concluded that Schedule 5 should be amended to limit its breadth and clarify its scope. 
1.77. Section 21A(1) of the ASIO Act empowers the Director-General of Security to ‘request a person or body to engage in conduct’ that assists ASIO. In my view, as ‘conduct’ is undefined, it may operate too broadly and, as so drafted, has not been shown to be necessary. I recommend that s 21A(1) be limited to the types of voluntary assistance that are specified in s 21A(5). 
1.78. Several stakeholders submitted that the powers conferred on the Director-General of Security under s 21A(1) represent a significant step, as previously the power to confer immunity from civil liability on a person assisting ASIO was limited to the Attorney-General. That function may be further sub-delegated to a ‘senior position-holder’ under s 16A of the ASIO Act, and I recommend that this power now be exercised by an officer not lower than a Deputy Director-General. 
1.79. The legislation is silent on the interaction between the new powers introduced in Schedules 1 and 5. The power to issue a TAR, includes a number of important safeguards and it is necessary to make clear that s 21A does not empower the Director-General to circumvent those protections by making the request under s 21A instead.   
1.80. Submitters raised the question of whether a person subject to an assistance order (under s 34AAA) is effectively being detained during the period in which they are required to provide the assistance, by being effectively prevented from leaving a specified place prior to the completion of the designated assistance task, under pain of criminal penalties. The Director-General of Security expressly rejected this proposition and the AFP likened its s 3LA power to other powers that compel production or attendance, including production orders, summonses and subpoenas. I am comforted by the agencies’ clear assurances on this matter and therefore do not recommend amendments to introduce protections for a person under detention. I still consider it necessary to make it clear, in the ASIO Act, that an assistance order under s 34AAA does not authorise detention of a person to whom this order applies. 
Reporting and record-keeping and own motion review powers 
1.81. In a number of respects the TOLA reforms fail to provide for adequate, or sometimes any, reporting or record-keeping. Trust is essential to the exercise of the powers conferred by TOLA and the public’s acceptance of them. Trust is eroded where the public has inadequate insight into or knowledge of the exercise of the powers. While confidential and sensitive information must be appropriately protected, that is not a licence to keep all such information from the public if it can be conveyed within limits. 
1.82. Finally, my successors should be able, of their own motion, to revisit these complex and important matters when they consider it necessary, and the INSLM Act should be amended accordingly. 
Structure of this report 
1.83. The report is set out in 2 parts. The first part, ‘Context’, explains the legislation, the threat the legislation responds to and the impact that technology has had on business practice, as well as detailed legal analysis covering common law privacy protections, Australia’s international obligations and relevant international comparative approaches. The second part, ‘Findings’, provides a detailed explanation for my recommendations.  
List of recommendations 
Schedule 1 
Recommendation 1 
I recommend that State and Territory anti-corruption commissions be given power to agree to or apply for all 3 types of industry assistance notice - that is, TARs, TANs and TCNs. This power should also be given to the foreshadowed Commonwealth Integrity Commission, when and if it is established. 
Recommendation 2 
I recommend no change to the capacity of the relevant agencies and a DCP to freely agree a TAR with each other, other than that a prescribed form be used. 
Recommendation 3 
I recommend that the powers of approval of TANs and TCNs, presently vested in agency heads (for TANs) and the Attorney-General (for TCNs), instead be vested in the AAT and assigned to a new Investigatory Powers Division (IPD). The new IPD, building on the powers and procedures in the Security Division, would operate in a similar way to protect classified material of agencies that are applying for TANs and TCNs and the commercial-in-confidence material of DCPs that are resisting the issue of those notices. The IPD should be able to sit in private as necessary. It would be able to utilise existing AAT powers and procedures, including alternative dispute resolution, to decide for itself whether to issue a TAN or TCN. It would hear submissions and receive evidence from the applying agency and the DCP and be in a position to promptly determine technical questions, such as whether a notice is practicable, reasonable and proportionate or would create a systemic weakness. The Attorney-General’s approval would be required for a federal agency to lodge an application for a TCN with the AAT, but this should not be required for any State or Territory body or the Commonwealth Integrity Commission, if and when it is established. 
Recommendation 4 
I recommend that the IPD consist of a new part-time Deputy President, who would also be the Investigatory Powers Commissioner (IPC), and other eminent lawyers and technical experts as needed. So that they can build up the necessary specialised expertise, and because these powers will not be exercised ex parte, the exercise of these powers should not be persona designata. 
Recommendation 5 
I recommend the creation of the IPC as a new statutory office holder, whose functions would be:
a. monitoring the operation of TOLA Schedule 1, including by sharing information with other oversight bodies (such as the Inspector-General of Intelligence and Security (IGIS) and the Commonwealth Ombudsman) and reporting annually on its operation to the Attorney-General and the PJCIS 
b. as an additional, part-time Deputy President of the AAT, taking part in the issue of TANs and TCNs as head of the IPD 
c. concurring in the appointment of other part-time technical and legal decision-makers assigned to the new IPD who will also be able to assist the IPC in the monitoring roles 
d. developing and approving the prescribed form for TAR, TAN and TCN applications and issuing guidelines e. with the concurrence of the AAT President, issuing practice notes for the IPD. 
Recommendation 6 
In recognition of the importance of the IPC and the need for the role to be, and be seen to be, filled by someone who is independent of government, is eminent in the law and its application, enjoys bi-partisan support and is not diverted by judicial duties, I recommend that the IPC be a retired judge of the Federal Court or the Supreme Court of a State or Territory, appointed by the Governor-General, on the advice of the Attorney-General, following mandatory consultation on the appointment with the Leader of the Opposition. I would expect there would also be consultation with industry, but I would not mandate it. 
Recommendation 7 
I recommend amending the definitions in TOLA of ‘serious Australian offence’ and ‘serious foreign offence’ so that they align with the definition in existing s 5D of the TIA Act. The effect of this is that, by and large, it would not be open to an agency to obtain an industry assistance notice in respect of an offence punishable by only 3 years’ imprisonment. 
Recommendation 8 
As to systemic weakness and vulnerability, I recommend removing all references to ‘systemic vulnerability’ in Schedule 1, as it is redundant. 
Recommendation 9 
I recommend that s 317ZG(4A) state prohibited effects as follows: 
(4A) In a case where a weakness is selectively introduced to one or more target technologies that are connected with a particular person, the reference in paragraph (1)(a) to implement or build a systemic weakness into a form of electronic protection means a reference to any act or thing that creates a material risk that otherwise secure information will be accessed, used, manipulated, disclosed or otherwise compromised by an unauthorised third party. 
I further recommend the introduction of the following definitions:
a. ‘Otherwise secure information’ means ‘information of, any person who is not the subject, or is not communicating with the subject of, an investigation’. 
b. ‘Unauthorised third party’ means ‘anyone other than a party to the communication, the agency requesting the relevant TAR, TAN or TCN and/or integrity agencies’. 
Recommendation 10 
I recommend clarification of definitions through the use of non-exhaustive statutory examples:
a. Clarify that ‘target technology’ in s 317B refers to the specific instance used by the intended target. 
b. Include non-exhaustive examples of what is excluded from the meaning of ‘electronic protection’ in s 317B. 
Recommendation 11 
I recommend that a ‘Designated Communications Provider’ not be taken to include a natural person (where that natural person is an employee of a DCP) but only apply to natural persons insofar as required to capture sole traders. 
Schedules 2, 3 and 4 
Recommendation 13 
I recommend that agencies retain the power to engage in limited telecommunications interception, for the purposes of a computer access warrant, without the need to obtain a separate warrant under the TIA Act authorising that interception. 
Recommendation 14 
I recommend that an agency be required to seek external authorisation to exercise a concealment of access power if it proposes to take that step more than 28 days after the warrant has expired. 
Recommendation 15 
I recommend that the legislation be amended to require that a computer or thing which is removed from warrant premises during the execution of a computer access warrant (or related authorisation) be returned to warrant premises if returning the computer or thing is no longer prejudicial to security or, otherwise, as soon as is it reasonably practicable to do so. 
Recommendation 16 
I recommend that agencies and external stakeholders continue to monitor the prosecutions and convictions (to the extent that information is made publicly available) so as to permit any trends to be discerned as more time passes. 
Recommendation 17 
I recommend that both s 3LA of the Crimes Act and s 201A of the Customs Act be amended to state, for the avoidance of doubt, that neither authorises the detention of a person to whom the order applies where the agency in question does not otherwise have any lawful basis to detain the person. 
Recommendation 12 
I recommend that the AFP no longer have any role in the consideration of industry assistance notices requested by or issued on behalf of State and Territory police. 
Schedule 5 
Recommendation 19 
I recommend that the power to request conduct in s 21A(1) be limited in scope to the conduct which can be volunteered under s 21A(5). 
Recommendation 20 
I recommend that s 21A(1)(e) and s 21A(5)(e) be amended to confine the scope of that immunity from civil liability by requiring instead that ‘the conduct does not result in serious personal injury or death to any person or significant loss of, or serious damage to, property’ (emphasis added). 
Recommendation 21 
I recommend that s 21A arrangements be approved by the Director-General of Security or a Deputy Director-General. 
Recommendation 22 
I recommend that s 21A of the ASIO Act be amended to make clear that nothing in s 21A authorises the Director-General of Security to make a request of a person that is properly the subject of a TAR. 
Recommendation 23 
I recommend that the ASIO Act be amended so as to expressly state, for the avoidance of doubt, that the power does not authorise the detention of a person to whom the order applies where ASIO does not otherwise have any lawful basis on which to do this. 
Recommendation 18 
I recommend that a monetary penalty be retained as an alternative to a penalty of imprisonment for failing to comply with an industry assistance order. 
Reporting, disclosure and oversight 
Recommendation 24 
I recommend that the definition of ‘counter-terrorism and national security legislation’ in s 4 of the INSLM Act be amended to include TOLA so that future INSLMs may review it of their own initiative as necessary. 
Recommendation 25 
I recommend that relevant agencies keep a record of the number of industry assistance orders that are executed and provide them annually to the IPC. 
Recommendation 26 
I recommend that the various industry assistance order provisions be amended to mandate that the agency in question report to its oversight agency (such as the Commonwealth Ombudsman or the IGIS) as to the number of assistance orders that it executes each year and, other than for ASIO, publish those figures in the public annual reports of the relevant agencies and the oversight bodies. I recommend that statistics on the use of TOLA powers, including a broad description of the acts or things implemented, be made public annually by the IPC (tabled in Parliament within 15 sitting days of receipt) provided that publication would not reveal operationally sensitive or classified information. 
Recommendation 27 
I recommend that agencies be required to keep records of the number of requests they make of carriers or carriage service providers under s 313 of the Telecommunications Act and to report on those matters annually to the IPC. 
Recommendation 28 
I recommend that the capacity of the Commonwealth Ombudsman to undertake a joint investigation with State Ombudsmen or Independent Commission Against Corruption oversight bodies such as Inspectors-General be made explicit within s 317ZRB of the Telecommunications Act. 
Recommendation 29 
As to the Commonwealth Ombudsman’s powers of reporting, I recommend that s 317ZRB(7) be repealed so that the Minister cannot remove material from an Ombudsman report under that provision. 
Recommendation 30 
I recommend that Commonwealth officials be authorised to disclose TAR/TAN/TCN information to the public and to State, Territory and Commonwealth officials when that disclosure is in the national or public interest. A decision to disclose based on those factors may be made by the relevant agency or departmental head or the relevant minister. 
Recommendation 31 
I recommend that the information disclosure provisions be amended so as to permit DCPs to obtain not merely legal advice but also technical advice in relation to the request or potential request of TARs and the issue or potential issue of TANs and TCNs. 
Recommendation 32 
As to Schedules 3 and 4, I recommend that there is no need to keep any record of any industry assistance order that an agency issues but which is ultimately not executed. 
Recommendation 33 
I recommend that ASIO’s exercise of powers under Schedule 5 be detailed in its annual report (in a classified appendix as necessary) and that this information be provided to the PJCIS, the Leader of the Opposition, the IGIS, the INSLM, the Attorney-General and the Minister for Home Affairs.

Fake News

'‘A war against truth’ - understanding the fake news controversy' by Linda Monsees in (2020) Critical Studies in Security comments
Fake News, dis- and misinformation campaigns are a core concern for current democratic societies. Whereas most academic interventions have focused on the epistemological and political implication, this paper provides an empirically informed analysis of the fake news controversies. Through an empirical analysis of the German fake news controversy, this paper advances two points: It first gives insights into how the fake news controversy unfolded in Germany. The article shows how multiple issues such as racism, social media and the geopolitical threat of Russia were bound together. Second, on a conceptual level, this article argues for analysing security controversies as a valuable tool to understand new security anxieties. In the context of fake news, studying the controversy reveals how anxieties concerning fake news are produced and reinforced by linking them through a multiplicity of issues. (In)security emerges in controversies where threats in and through new media are linked with the problem of fake news. As a result, ‘fake news’ becomes part of the broader security landscape of contemporary societies.

'QAnon and Conspiracy Beliefs' by Professor Brian Schaffner, an Institute for Strategic Dialogue report, states 

The findings in this report are based on a survey of 4,057 American adults. The survey was designed to probe the relationship between QAnon and conspiracy belief in the United States. Among the key findings: • Only a small percentage of Americans know a lot about QAnon, and a majority report that they have not heard anything at all about it. • The average American had heard less than one of the four QAnon conspiracy theories we asked about. Surveys that simply ask about belief in conspiracy theories likely overstate how much Americans believe in conspiracies outside of the survey context. • Nevertheless, conspiracy belief is still fairly widespread; 41% of Americans had heard about and believed in at least one of the eight conspiracy theories we asked about. About one-in-five Americans recognized and believed in at least one of the four conspiracy claims that originated from QAnon. • After accounting for the fact that most Americans have not heard of QAnon, only 7% have a favorable view of QAnon and a similar percentage say they can trust QAnon to provide accurate information at least most of the time. • Views towards QAnon should not be taken as synonymous with conspiracy belief. The average respondent who viewed QAnon favorably had heard less than half of the four QAnon conspiracies we asked about and they only believed one of the four. Thus, QAnon supporters do not even know about, much less believe, all of the QAnon conspiracies. • Similarly, conspiracy belief is not limited to QAnon supporters. In fact, 16% of those who did not rate QAnon favorably recognized and believed at least one of QAnon’s conspiracy claims.

08 July 2020

Consent

'Commonsense Consent' by Roseanna Sommers in (2020) 129(8) Yale Law Journal 2232 comments
Consent is a bedrock principle in democratic society and a primary means through which our law expresses its commitment to individual liberty. While there seems to be broad consensus that consent is important, little is known about what people think consent is. 
This Article undertakes an empirical investigation of people’s ordinary intuitions about when consent has been granted. Using techniques from moral psychology and experimental philosophy, it advances the core claim that most laypeople think consent is compatible with fraud, contradicting prevailing normative theories of consent. This empirical phenomenon is observed across over two dozen scenarios spanning numerous contexts in which consent is legally salient, including sex, surgery, participation in medical research, warrantless searches by police, and contracts. 
Armed with this empirical finding, this Article revisits a longstanding legal puzzle about why the law refuses to treat fraudulently procured consent to sexual intercourse as rape. It exposes how prevailing explanations for this puzzle have focused too narrowly on sex. It suggests instead that the law may be influenced by the commonsense understanding of consent in all sorts of domains, including and beyond sexual consent. 
Meanwhile, the discovery of “commonsense consent” allows us to see that the problem is much deeper and more pervasive than previous commentators have realized. The findings expose a large—and largely unrecognized—disconnect between commonsense intuition and the dominant philosophical conception of consent. The Article thus grapples with the relationship between folk morality, normative theory, and the law.

06 July 2020

Corporate Control

'American Asset Manager Capitalism' by Benjamin Braun (Institute for Advanced Study and Max Planck Institute for the Study of Societies) asks
Who holds power in corporate America? Scholars have invariably answered this question in the language of ownership and control. This paper argues that tackling this question today requires a new language. Whereas the comparative political economy literature has long treated dispersed ownership and weak shareholders as core features of the U.S. political economy, a century-long process of re-concentration has consolidated shareholdings in the hands of a few very large asset management companies. In an historically unprecedented configuration, this emerging asset manager capitalism is dominated by shareholders that are fully diversified ‘universal owners’, while lacking direct economic interest in the performance of portfolio companies. The paper reconstructs the history of this institutional configuration and examines the fault lines of the new political economy of corporate governance. 
 Braun argues
 Who holds power in corporate America? The question is central for students of American political economy. Students of corporate governance have invariably phrased their answers in the language of ownership and control. This language stems from Berle and Means (1932), who observed that trust-busting policies and the diversification of robber baron fortunes had dispersed stock ownership in the United States, while concentrating corporate control in the hands of a small class of managers. Jensen and Meckling’s (1976) agency theory, while reiterating the notions of shareholder dispersion and weakness, conceptualized shareholders as principals – the only actors with a strong material interest in the economic performance of the corporation. Offering a simple solution to what Berle and Means had considered a complex political problem, agency theory reduced corporate governance to the problem of protecting outside minority shareholders against “expropriation” by insiders, namely corporate managers and workers (La Porta et al. 2000: 4). Notwithstanding the political chasm between these two pairs of authors – New Deal liberals versus pro-market libertarians – the field of corporate governance melded these ideas into a single Berle-Means-Jensen-Meckling (BM-JM) ontology – the United States as a society in which shareholders, while dispersed and weak, are the owners and principals of the corporation. This ontology underpins ‘shareholder primacy’ (or ‘shareholder value’), which in the late 20th century emerged as the dominant corporate governance regime. This regime is geared towards three goals – ensuring a market for corporate control, allowing shareholders to monitor managerial performance, and aligning the material interests of managers with those of shareholders (Fourcade and Khurana 2017: 355). So complete was its victory that two prominent legal scholars announced the “[t]he triumph of the shareholder-oriented model of the corporation” and the “end of history for corporate law” (Hansmann and Kraakman 2001: 468). 
Political economists, while critical of the regressive distributive consequences of shareholder primacy (Lazonick and O'Sullivan 2000), have largely taken the BM-JM ontology at face value. The ideas that shareholders in the United States are dispersed and weak but are nonetheless the owners and principals of the corporation have been absorbed by the comparative political economy (CPE) literature on corporate governance (Aguilera and Jackson 2003; Gourevitch and Shinn 2005; Hall and Soskice 2001; Roe 1994). While this has always been problematic, the rise of asset managers has dramatically transformed the investment chain – see Figure 1 – pulling the empirical rug from under the BM-JM ontology. The present paper maps this transformation and contributes to the task of putting the political economy of corporate governance on a new conceptual foundation. It argues that a ‘Great Re-Concentration’ of U.S. stock ownership that began in the mid-20th century and accelerated dramatically at the beginning of the 21st century has brought about a new corporate governance regime, asset manager capitalism (2016). 
This paper seeks to come to grips with the empirical observation that today the “Big Three” asset managers – Vanguard, BlackRock, and State Street Global Advisors – together hold more than 20 per cent of the shares of the average S and P 500 company (Backus, Conlon, and Sinkinson 2019: 19). Four hallmarks characterize this new regime. First, U.S. stock ownership is concentrated in the hands of giant asset managers. Second, due to the size of their stakes, asset managers are, in principle, strong shareholders with considerable control over corporate management. While this divergence from ‘dispersed and weak’ alone would require CPE to rekindle its conceptual toolkit, two additional features distinguish asset manager capitalism from previous stock ownership regimes. The third hallmark is that large asset managers are “universal owners” that hold fully diversified portfolios (Hawley and Williams 2000). Finally, as for-profit intermediaries with a fee-based business model, asset managers hold no direct economic interest in their portfolio companies. Clearly, the BM-JM ontology does not map onto this new institutional landscape. Whereas the shareholder primacy regime was geared towards maximizing the value of the shares of individual firms, asset manager capitalism is geared towards maximizing the aggregate value of assets under management. 
The paper is organized as follows. The next section gives a big-picture overview of the evolution of U.S. stock ownership and corporate governance regimes. Section 3 traces the policies and economic developments behind the growth of the asset management sector since the Revenue Act of 1936. Section 4 takes a closer look at the questions of universal ownership and of assets managers’ economic interests. Section 5 explores the political economy of asset manager capitalism at the firm, sectoral, and macroeconomic levels, as well as in the realm of politics. The conclusion highlights broader implications for the field of (American) political economy.

05 July 2020

Privacy and the Qld Law Reform Commission Surveillance Report

'A New Compact for Sexual Privacy' by Danielle Keats Citron in (2020) William and Mary Law Review comments
 Intimate life is under constant surveillance. Firms track people’s periods, hot flashes, abortions, sexual assaults, sex toy use, sexual fantasies, and nude photos. Individuals hardly appreciate the extent of the monitoring, and even if they did, little can be done to curtail it. What is big business for firms is a big risk for individuals. Corporate intimate surveillance undermines sexual privacy—the social norms that manage access to, and information about, human bodies, sex, sexuality, gender, and sexual and reproductive health. At stake is sexual autonomy, self-expression, dignity, intimacy, and equality. So are people’s jobs, housing, insurance, and other life opportunities. Women and minorities shoulder a disproportionate amount of that burden. Privacy law is failing us. Not only is the private-sector’s handling of intimate information largely unrestrained by American consumer protection law, but it is treated as inevitable and valuable. This Article offers a new compact for sexual privacy. It draws upon the lessons of civil rights law in moving beyond procedural protections and in authorizing injunctive relief. Reform efforts should focus on stemming the tidal wave of collection, restricting uses of intimate data, and expanding the remedies available in court to include orders to stop processing intimate data.
The much awaited report by the Queensland Law Reform Commission on Review of Queensland’s laws relating to civil surveillance and the protection of privacy in the context of current and emerging technologies states
 
[1] The Commission was asked to recommend whether Queensland should consider legislation to appropriately protect the privacy of individuals in the context of civil surveillance technologies.
 
[2] Over time, surveillance device technologies have become increasingly sophisticated, accessible and affordable. Different surveillance devices capture different types of information, and may be used for different purposes. Whatever the purpose of their use, surveillance devices have the potential to impact on individual privacy.
 
[3] In Queensland, there is limited regulation of the use of surveillance devices. The Invasion of Privacy Act 1971 regulates the use of a listening device to overhear, listen to, monitor or record private conversations, and the communication or publication of information obtained from such use. However, it does not extend to other types of surveillance devices. In contrast, in most other Australian jurisdictions, surveillance devices legislation regulates the use of listening devices, optical surveillance devices, tracking devices and, in some jurisdictions, data surveillance devices.
 
[4] In addition, surveillance devices legislation in Queensland and other jurisdictions does not provide a civil response to an unjustified interference with an individual’s privacy caused by the use of a surveillance device.
 
[5] Other general laws, including information privacy legislation, the criminal law and some civil causes of action, offer only piecemeal and limited protection for the privacy of individuals in this context.
 
THE COMMISSION’S APPROACH
 
[6] In view of the gaps and uncertainties in the current laws in Queensland that regulate the use of surveillance devices, there is a need for a more comprehensive legislative response to appropriately protect the privacy of individuals in relation to the use of surveillance devices in civil society.
 
[7] The Commission therefore recommends that the Invasion of Privacy Act 1971 be repealed and replaced by new legislation which implements the Commission’s recommendations in the form of the draft Surveillance Devices Bill 2020 (the ‘draft Bill’) in Appendix F.
 
[8] In developing its recommendations for the draft Bill, the Commission has been informed by a number of principles and considerations, including:
 
• the importance of community expectations;
 
• the need to balance the protection of an individual’s privacy and the justified use of surveillance devices;
 
• the importance of consent as an authorising concept: − if there is consent, the use of a surveillance device, or the communication or publication of information obtained from the use of a surveillance device, should be lawful; − in the absence of consent, the use, communication or publication should be unlawful unless an exception applies;
 
• that objective standards should form the basis for the justified use of surveillance devices in the absence of consent;
 
• that the regulation of surveillance devices should be practical, and include: − a criminal law response where the seriousness of a person’s conduct in using a surveillance device justifies the intervention of the State in imposing criminal sanctions; and − a civil law response to promote the responsible use of surveillance devices in everyday contexts and to empower individuals whose privacy is affected to seek civil redress in appropriate circumstances;
 
• the desirability of reasonable consistency with surveillance devices legislation in other Australian jurisdictions; and
 
• that the operation of other laws regulating the use of surveillance devices should not be affected.
 
[9] The Commission also recognises that surveillance devices legislation may overlap with but has a different focus from legislation that regulates information privacy and data protection.
 
[10] An overview of the Commission’s principal recommendations and corresponding provisions of the draft Bill is set out below.
 
THE SCOPE AND PURPOSE OF THE DRAFT BILL
 
[11] The main purpose of the draft Bill is to provide for an individual’s privacy to be protected from unjustified interference from the use, or the communication or publication of information obtained from the use, of surveillance devices (cl 2(1)).
 
[12] Consistently with the surveillance devices legislation in other Australian jurisdictions, the draft Bill adopts a ‘recognised categories’ approach to regulating surveillance devices. This approach takes into account that different types of devices give rise to different privacy concerns and considerations.
 
[13] For the purposes of the draft Bill, a ‘surveillance device’ is defined as a listening device, an optical surveillance device, a tracking device, a data surveillance device or a device that is a combination of two or more of those devices (cl 6).
 
CRIMINAL PROHIBITIONS
 
The use prohibitions
 
[14] The draft Bill contains four prohibitions on the use of a surveillance device (‘the use prohibitions’). Specifically, it provides that a person must not use, install or maintain: • a listening device to listen to, monitor or record a private conversation, without the consent of each party to the conversation (cl 18); • an optical surveillance device to observe, monitor or visually record a private activity, without the consent of each party to the activity (cl 19); • a tracking device to find, monitor or record the geographical location of: − an individual, without the consent of the individual (cl 20(1)); or − a vehicle or other thing, without the consent of each person who owns, or is in lawful control of, the vehicle or thing (cl 20(2)); or • a data surveillance device to access, monitor or record information that is input into, output from or stored in a computer, without the consent of each person who owns, or is in lawful control of, the computer (cl 21).
 
[15] There are exceptions to the use prohibitions. It is not an offence for a person to use, install or maintain a surveillance device if: • use of the device is reasonably necessary to protect the lawful interests of that person, or of another person who has authorised the person to use the surveillance device on their behalf (cl 22); • use of the device is reasonably necessary in the public interest (cl 23); • it is to obtain evidence of, or information about, a serious threat to the life, health safety or wellbeing of an individual, or a serious threat of substantial damage to property, if the person believes, on reasonable grounds, it is necessary for the device to be used immediately to obtain the evidence or information (cl 24); or • the use, installation or maintenance is authorised under another Act of the State or an Act of the Commonwealth, or in circumstances prescribed by regulation (cl 26).
 
[16] There is an additional exception for the use of a surveillance device to locate a lost or stolen vehicle or other thing (cl 25).
 
[17] In contrast to the Invasion of Privacy Act 1971, the draft Bill does not generally permit participant monitoring; in the absence of consent, the use of surveillance device should be unlawful unless an exception (for a specific purpose which justifies the use) applies.
 
The communication or publication prohibitions
 
[18] The draft Bill contains three prohibitions on the communication or publication of information obtained from the use of a surveillance device (‘the communication or publication prohibitions’).
 
[19] Specifically, it prohibits a person from communicating or publishing surveillance information about: • a private conversation or a private activity if the person knows, or ought reasonably to know, the information is surveillance information, and the person does not have the consent of each party to the conversation or activity to communicate or publish the information (cl 28); • the geographical location of an individual, a vehicle or another thing if the person knows, or ought reasonably to know, the information is surveillance information, and the person does not have the consent of the following person or persons to communicate or publish the information: − for information about the location of an individual—that individual; − for information about the location of a vehicle or other thing—each person who owns, or is in lawful control of, the vehicle or thing (cl 29); or • information that is input into, output from or stored in a computer, if the person knows, or ought reasonably to know, the information is surveillance information, and the person does not have the consent of each person who owns, or is in lawful control of, the computer to communicate or publish the information (cl 30).
 
[19] There are exceptions to the communication or publication prohibitions. It is not an offence for a person to communicate or publish surveillance information if the communication or publication is: • in a legal proceeding (cl 31(1)(a)); • reasonably necessary to protect the lawful interests of the person, or of another person who has authorised the person to communicate or publish the information on their behalf (cl 31(1)(b)); • reasonably necessary in the public interest (cl 31(1)(c)); • reasonably necessary to lessen or prevent a serious threat to the life, health, safety or wellbeing of an individual, or of substantial damage to property (cl 31(1)(d)); or • authorised under another Act of the State or an Act of the Commonwealth, or in circumstances prescribed by regulation (cl 31(1)(e), (f)).
 
[20] In addition, a person does not contravene the communication or publication prohibitions if the use of a surveillance device to obtain the surveillance information the subject of the communication or publication was authorised under another Act (cl 31(2)).
 
[21] The maximum penalty for a contravention of the use prohibitions or the communication or publication prohibitions is 60 penalty units ($8007) or three years imprisonment.
 
Prohibition on possessing surveillance information
 
[22] The draft Bill also makes it an offence for a person, without the consent of each relevant person, to possess information that the person knows is surveillance information obtained in contravention of a use prohibition (cl 27(1)).
 
[23] This offence does not apply if the person possesses the information in relation to proceedings for an offence against the draft Bill, or because the information was communicated to the person or published in a way that does not contravene the draft Bill (cl 27(2)). The maximum penalty for a contravention of the prohibition on possessing surveillance information is 20 penalty units ($2669) or one year’s imprisonment.
 
Ancillary orders relating to the criminal prohibitions
 
[24] The court is empowered to make ancillary orders relating to proceedings for a contravention of the criminal prohibitions: • in a proceeding for an offence against Part 2 of the legislation, the court may, at any time during the proceeding and if it considers it necessary in the interests of justice, make an order prohibiting the publication of evidence before the court, other than in the way and to the persons stated in the order (cl 32); • if a person is convicted of an offence against the legislation, the court may order that: − a surveillance device used in connection with the commission of the offence, or a document, device or other thing that contains or stores related information (that is, information to which the offence relates, or obtained using a surveillance device to which the offence relates) is forfeited to the State; or − related information be destroyed (cl 33).
 
GENERAL OBLIGATIONS NOT TO INTERFERE WITH SURVEILLANCE PRIVACY OF INDIVIDUALS
 
[25] To address situations where a person’s conduct interferes with an individual’s surveillance privacy, the draft Bill imposes a general obligation on a user of a surveillance device not to use the device in a way that interferes with an individual’s surveillance privacy (where the individual has a reasonable expectation of surveillance privacy and has not consented to such use) (cl 36). A similar general obligation applies in relation to the communication or publication of surveillance information (cl 37). In this context, ‘surveillance privacy’, of an individual, means: in relation to a particular use of a surveillance device—the individual is not the subject of surveillance from that use of a surveillance device; or in relation to surveillance information obtained when the individual was the subject of surveillance—the surveillance information is not communicated or published (cl 34).
 
[26] A 'reasonable expectation' of surveillance privacy for an individual means that the individual is reasonably entitled to expect surveillance privacy in relation to a particular use of a surveillance device, or in relation to surveillance information obtained when the individual was the subject of surveillance (cl 34). Only those expectations that are reasonable in the circumstances will fall within the scope of the general obligations.
 
[28] The matters that are relevant for deciding whether an individual has a reasonable expectation of surveillance privacy include, but are not limited to: • the individual’s location when the surveillance device is used; • the subject matter of the use, or of the surveillance information; • the type of device used; • the nature and purpose of the use, communication or publication; • the nature and extent of any notice given about the use; • whether the individual has an opportunity to avoid the surveillance; and • the individual’s attributes and conduct (cl 35).
 
[29] There are exceptions to the general obligation provisions. A person does not contravene a general obligation if the use, communication or publication is: • authorised or required by law, or by an order or process of a court or tribunal; • incidental to, and reasonably necessary for, the exercise of a lawful right to defend a person or property, including to prosecute or defend a civil or criminal proceeding; or • reasonably necessary in the public interest and the relevant public interest outweighs the interference with the individual’s surveillance privacy (cl 38).
 
CIVIL COMPLAINTS PROCESS AND REMEDIES
 
[30] The draft Bill provides a civil mechanism for the resolution of a complaint about an alleged contravention of a general obligation made by or for an individual who is the subject of the alleged contravention (a ‘surveillance device complaint’) (cl 39).
 
[31] The Commission recommends a three-stage approach for the resolution of a surveillance device complaint (cll 39–65): • a complaint may be made to the Surveillance Devices Commissioner (established under the legislation) for mediation; • an unresolved complaint may be referred to QCAT for hearing and decision; and, • if appropriate, QCAT may order remedial relief (including an order that the respondent must not repeat or continue a stated act or practice, or must compensate the complainant for loss or damage suffered because of the respondent’s act or practice by engaging in a stated act or practice or paying an amount of not more than $100 000).
 
[32] These provisions have been generally modelled on the mechanism for resolving privacy complaints under the Information Privacy Act 2009, with appropriate modifications.
 
A NEW REGULATOR
 
[33] The Commission recommends the establishment of a new independent regulator—the Surveillance Devices Commissioner—and a Surveillance Devices Commission.
 
[34] In addition to dealing with surveillance device complaints, the Surveillance Devices Commissioner will provide an avenue for education, expert advice and monitoring and best practice guidance to promote community understanding and encourage compliance with the legislation.
 
[35] Accordingly, the Surveillance Devices Commissioner’s functions include: • receiving surveillance device complaints and dealing with them under the legislation (cl 72); • providing guidance (including, promoting understanding of and compliance with the general obligations and the operation of the legislation, and providing best practice for the use of surveillance devices and the communication or publication of surveillance information, in a way that respects individuals’ privacy) (cl 73); • undertaking research, providing advice and monitoring particular matters, including research about whether the legislation is achieving its purpose, how surveillance devices and surveillance device technologies are used in civil society and developments in surveillance device technology, and identifying and commenting on any issues arising in relation to those matters (cl 74); • examining the practices of relevant entities (including local and State government agencies and other entities performing functions of a public nature, and private sector organisations or individuals who regularly or routinely use or publish information from surveillance devices) to monitor their compliance with the legislation (cl 75).
 
 [36] The Commission also recommends reporting requirements relating to theSurveillance Device Commissioner’s functions to ensure transparency, integrity and accountability (cll 84–85).
 
PROTECTIONS AND OFFENCES
 
[37] To ensure the effective operation of the Surveillance Devices Commissioner’s functions, the Commission recommends a small number of standard protective provisions (including protection from civil liability) and offences relating to the actions of and dealings with the Surveillance Devices Commissioner (cll 88–92).
 
GENERAL MATTERS
 
[38] The Commission recommends that the Minister be required to complete a review of the effectiveness of the legislation within 5 years after its commencement. The review must consider: • whether the legislation is achieving its purpose; • how surveillance devices and surveillance device technologies are used in civil society; • developments in surveillance device technology; and • whether the legislation should be amended to provide for new types of surveillance devices or new uses of surveillance devices and surveillance devices technologies in civil society (cl 95).

The Commission's recommendations are
 
CHAPTER 3: A NEW APPROACH TO REGULATING THE USE OF SURVEILLANCE DEVICES
 
3-1 The Invasion of Privacy Act 1971 should be repealed, and replaced by new legislation which implements the Commission’s recommendations in the form of the draft Bill. [See Surveillance Devices Bill 2020 cl 96]
 
CHAPTER 4: PRELIMINARY MATTERS
 
Application of the Act
 
4-1 The draft Bill should provide that the legislation binds all persons, including the State. The provision should also make it clear that the State cannot be prosecuted for an offence against the legislation. [See Surveillance Devices Bill 2020 cl 3]
 
4-2 The draft Bill should not affect— (a) the operation of the Information Privacy Act 2009; or (b) the operation of another law regulating the use of surveillance devices. [See Surveillance Devices Bill 2020 cl 4(a), (b)]
 
Definition of ‘surveillance device’ and related definitions
 
4-3 The draft Bill should define ‘surveillance device’ as: (a) a listening device, an optical surveillance device, a tracking device, a data surveillance device; or (b) a device that is a combination of any two or more of those devices. [See Surveillance Devices Bill 2020 cl 6]
 
4-4 The draft Bill should define ‘listening device’ as a device that is capable of being used to listen to, monitor or record words spoken to, or by, an individual in a conversation. However, it should expressly exclude a hearing aid or a similar device used by an individual with impaired hearing. [See Surveillance Devices Bill 2020 cl 7]
 
4-5 The draft Bill should define ‘optical surveillance device’ as a device capable of being used to observe, monitor or visually record an activity. However, it should expressly exclude spectacles, contact lenses or a similar device used by an individual with impaired vision. [See Surveillance Devices Bill 2020 cl 8]
 
4-6 The draft Bill should define ‘tracking device’ as a device capable of being used to find, monitor or record the geographical location of an individual, vehicle or other thing. [See Surveillance Devices Bill 2020 cl 9]
 
4-7 The draft Bill should define ‘data surveillance device’ as a device or program capable of being used to access, monitor or record information that is input into, output from, or stored in a computer. [See Surveillance Devices Bill 2020 cl 10]
 
4-8 The draft Bill should define ‘computer’ as an electronic device for storing and processing information. [See Surveillance Devices Bill 2020 sch 1 (definition of ‘computer’)]
 
4-9 The draft Bill should define ‘surveillance information’ as information obtained, directly or indirectly, using a surveillance device. [See Surveillance Devices Bill 2020 cl 14]
 
4-10 The draft Bill should define ‘information’ to include: (a) a record in any form; and (b) a document. [See Surveillance Devices Bill 2020 sch 1 (definition of ‘information’)] Definition of consent 4-11 The draft Bill should define ‘consent’ as express or implied consent. [See Surveillance Devices Bill 2020 sch 1 (definition of ‘consent’)]
 
CHAPTER 5: CRIMINAL PROHIBITIONS ON THE USE OF SURVEILLANCE DEVICES
 
Definitions
 
5-1 The draft Bill should define ‘private conversation’ as: (a) Words spoken by an individual are a private conversation if the words are spoken in circumstances that may reasonably be taken to indicate that— (i) for words not spoken to anyone else—the individual does not want anyone else to listen to the words; or (ii) for words spoken to another individual, or other individuals—the individual, or at least one of the individuals to whom the words are spoken, does not want the words to be listened to by anyone other than— (A) the individual speaking the words; and (B) the individuals to whom the words are spoken; and (C) any other individual who has the consent of all of the individuals mentioned in subparagraphs (A) and (B). (b) However, a private conversation does not include words spoken by an individual in circumstances in which the individual, and all of the individuals to whom the words are spoken, ought reasonably to expect that someone else may listen to, monitor or record the words. [See Surveillance Devices Bill 2020 cl 11]
 
5-2 The draft Bill should define ‘private activity’ as: (a) An activity is a private activity if it is carried out in circumstances that may reasonably be taken to indicate that— (i) for an activity carried out by one individual—the individual does not want anyone else to observe the activity; or (ii) for an activity carried out by two or more individuals—at least one of the individuals does not want the activity to be observed by anyone other than— (A) the individuals carrying out the activity; and (B) any other individual who has the consent of all of the individuals carrying out the activity. (b) However, a private activity does not include an activity carried out by one or more individuals in circumstances in which all of the individuals carrying out the activity ought reasonably to expect that someone else may observe, monitor or visually record the activity. [See Surveillance Devices Bill 2020 cl 12]
 
5-3 The draft Bill should define ‘party’ as: (a) Each of the following is a party to a private conversation— (i) an individual who speaks, or is spoken to, during the conversation; (ii) an individual who listens to the conversation with the consent of all of the individuals mentioned in paragraph (i). (b) Each of the following is a party to a private activity— (i) an individual carrying out the activity; (ii) an individual who observes the activity with the consent of all of the individuals mentioned in paragraph (i). [See Surveillance Devices Bill 2020 cl 13]
 
5-4 The draft Bill should explain that, in the legislation, a reference to installing a surveillance device includes doing anything to, or in relation to, a device to enable it to be used as a surveillance device. [See Surveillance Devices Bill 2020 cl 15]
 
5-5 The draft Bill should define ‘maintain’, in relation to a surveillance device, to include: (a) adjust, relocate, repair or service the device; and (b) replace a faulty device. [See Surveillance Devices Bill 2020 sch 1 (definition of ‘maintain’)]
 
5-6 The draft Bill should explain that a reference to a person who owns a vehicle, computer or other thing does not include a person (an ‘excluded owner’) who owns the vehicle, computer or other thing if: (a) another person has the use or control of the vehicle, computer or other thing under a credit agreement, hiring agreement, hire-purchase agreement, leasing agreement or another similar agreement; and (b) under the agreement, the excluded owner is not entitled to immediate possession of the vehicle, computer or other thing. [See Surveillance Devices Bill 2020 cl 16]
 
Prohibitions on the use, installation or maintenance of surveillance devices
 
5-7 The draft Bill provide that a person must not use, install or maintain a listening device to listen to, monitor or record a private conversation without the consent of each party to the conversation. [See Surveillance Devices Bill 2020 cl 18]
 
5-8 The draft Bill should provide that a person must not use, install or maintain an optical surveillance device to observe, monitor or visually record a private activity without the consent of each party to the activity. [See Surveillance Devices Bill 2020 cl 19]
 
5-9 The draft Bill should provide that a person must not use, install or maintain a tracking device to find, monitor or record the geographical location of: (a) an individual without the consent of the individual; or (b) a vehicle or other thing without the consent of each person who owns, or is in lawful control of, the vehicle or thing. [See Surveillance Devices Bill 2020 cl 20]
 
5-10 The draft Bill should provide that a person must not use, install or maintain a data surveillance device to access, monitor or record information that is input into, output from or stored in a computer without the consent of each person who owns, or is in lawful control of, the computer. [See Surveillance Devices Bill 2020 cl 21]
 
5-11 The draft Bill should provide that a person who contravenes a prohibition in Recommendations 5-7 to 5-10 commits an offence, which is punishable by a maximum penalty of 60 penalty units or three years imprisonment. [See Surveillance Devices Bill 2020 cll 18, 19, 20, 21]
 
Exceptions to the prohibitions on the use, installation or maintenance of surveillance devices
 
5-12 The draft Bill should provide that a person who uses, installs or maintains a surveillance device does not commit an offence against the prohibitions in Recommendations 5-7 to 5-10 if use of the device is reasonably necessary to protect the lawful interests of: (a) the person; or (b) if another person has authorised the person to use the surveillance device on the other person’s behalf—the other person. [See Surveillance Devices Bill 2020 cl 22]
 
5-13 The draft Bill should provide that a person who uses, installs or maintains a surveillance device does not commit an offence against the prohibitions in Recommendations 5-7 to 5-10 if use of the device is reasonably necessary in the public interest. [See Surveillance Devices Bill 2020 cl 23(1)]
 
5-14 For the purposes of Recommendation 5-13, in deciding whether the use of a surveillance device is reasonably necessary in the public interest, a court must consider the following matters as they existed when the person used, installed or maintained the device: (a) the subject matter of the use of the device; (b) the information that the person reasonably expected would be obtained from the use of the device; (c) the purpose for which the person intended to use information that the person reasonably expected would be obtained from the use of the device; (d) the nature of the public interest that arose in the circumstances; (e) whether the public interest could have been served in another reasonable way; (f) the extent to which the use, installation or maintenance of the device affected, or was likely to affect, the privacy of an individual; (g) whether, on balance in the circumstances, the public interest justified the interference with the privacy of an individual. [See Surveillance Devices Bill 2020 cl 23(2)]
 
5-15 The draft Bill should provide that a person who uses, installs or maintains a surveillance device to obtain evidence of, or information about, a serious threat does not commit an offence against the prohibitions in Recommendations 5-7 to 5-10 if the person believes, on reasonable grounds, it is necessary for the device to be used immediately to obtain the evidence or information. [See Surveillance Devices Bill 2020 cl 24(1)]
 
5-16 For the purposes of Recommendation 5-15, the draft Bill should define the term ‘serious threat’ to mean: (a) a serious threat to the life, health, safety or wellbeing of an individual; or (b) a serious threat of substantial damage to property. [See Surveillance Devices Bill 2020 cl 24(2)]
 
5-17 The draft Bill should provide that a person who uses a surveillance device to locate a vehicle or other thing does not commit an offence against the prohibitions in Recommendations 5-7 to 5-10 if the person: (a) is not in possession or control of the vehicle or thing; and (b) believes, on reasonable grounds, that the vehicle or thing is lost or stolen; and (c) is an owner of the vehicle or thing or, before the vehicle or thing was lost or stolen, was in lawful control of it. [See Surveillance Devices Bill 2020 cl 25]
 
5-18 The draft Bill should provide that a person who uses, installs or maintains a surveillance device does not commit an offence against the prohibitions in Recommendations 5-7 to 5-10 if the use, installation or maintenance is: (a) authorised under another Act of the State or an Act of the Commonwealth; or (b) in circumstances prescribed by regulation. [See Surveillance Devices Bill 2020 cl 26]
 
CHAPTER 6: CRIMINAL PROHIBITIONS ON THE COMMUNICATION OR PUBLICATION OF SURVEILLANCE INFORMATION
 
Communicating or publishing surveillance information
 
6-1 The draft Bill should provide that a person must not communicate or publish surveillance information about a private conversation or private activity if the person: (a) knows, or ought reasonably to know, the information is surveillance information; and (b) the person does not have the consent of each party to the conversation or activity to communicate or publish the information. [See Surveillance Devices Bill 2020 cl 28]
 
6-2 The draft Bill should provide that a person must not communicate or publish surveillance information about the geographical location of an individual, a vehicle or another thing if the person: (a) knows, or ought reasonably to know, the information is surveillance information; and (b) the person does not have the consent of the following person or persons to communicate or publish the location: (i) for information about the location of an individual—that individual; (ii) for information about the location of the vehicle or other thing—each person who owns, or is in lawful control of, the vehicle or thing. [See Surveillance Devices Bill 2020 cl 29]
 
6-3 The draft Bill should provide that a person must not communicate or publish surveillance information about information that is input into, output from or stored in a computer, if the person: (a) knows, or ought reasonably to know, the information is surveillance information; and (b) the person does not have the consent of each person who owns, or is in lawful control of, the computer to communicate or publish the information. [See Surveillance Devices Bill 2020 cl 30]
 
6-4 The draft Bill should provide that a person who contravenes a prohibition in Recommendations 6-1 to 6-3 above commits an offence, which is punishable by a maximum penalty of 60 penalty units or three years imprisonment. [See Surveillance Devices Bill 2020 cll 28, 29 and 30]
 
Exceptions to the communication or publication prohibitions
 
6-5 The draft Bill should provide that a person does not commit an offence against the prohibitions in Recommendations 6-1 to 6-3 above if the communication or publication of surveillance information is: (a) in a legal proceeding; or (b) reasonably necessary to protect the lawful interests of: (i) the person who is making the communication or publication; or (ii) another person who has authorised the person making the communication or publication to do so on their behalf; or (c) reasonably necessary in the public interest; or (d) reasonably necessary to lessen or prevent a serious threat: (i) to the life, health, safety or wellbeing of an individual; or (ii) of substantial damage to property; or (e) authorised under another Act of the State or an Act of the Commonwealth; or (f) in circumstances prescribed by regulation. [See Surveillance Devices Bill 2020 cl 31(1)]
 
6-6 The draft Bill should provide that a person does not commit an offence against the prohibitions in Recommendations 6-1 to 6-3 above if the use of a surveillance device to obtain the surveillance information the subject of the communication or publication was authorised under another Act of the State or an Act of the Commonwealth. [See Surveillance Devices Bill 2020 cl 31(2)]
 
6-7 The draft Bill should provide that, for deciding whether the communication or publication of surveillance information is ‘reasonably necessary in the public interest’ for Recommendation 6-5(c) above, a court must consider the following matters as they existed when the person communicated or published the information: (a) the subject matter of the surveillance information; (b) the scope of the communication or publication; (c) the nature of the public interest that arose in the circumstances; (d) whether the public interest could have been served in another reasonable way; (e) the extent to which the communication or publication affected, or was likely to affect, the privacy of an individual; and (f) whether, on balance in the circumstances, the public interest justified the interference with the privacy of an individual. [See Surveillance Devices Bill 2020 cl 31(3)]
 
CHAPTER 7: ANCILLARY MATTERS
 
Possessing surveillance information
 
7-1 The draft Bill should provide that a person must not, without the consent of each relevant person, possess information that the person knows is surveillance information obtained in contravention of the use prohibitions in the legislation. [See Surveillance Devices Bill 2020 cl 27(1)]
 
7-2 For the purposes of the offence in Recommendation 7-1 above, a ‘relevant person’, in relation to surveillance information, means— (a) if the surveillance information is about a private conversation obtained using a listening device—each party to the conversation; (b) if the surveillance information is about a private activity obtained using an optical surveillance device—each party to the activity; (c) if the surveillance information is about the geographical location of an individual obtained using a tracking device—the individual; (d) if the surveillance information is about the geographical location of a vehicle or other thing obtained using a tracking device—each person who owns, or is in lawful control of, the vehicle or thing; or (e) if the surveillance information is about the information input into, output from or stored in a computer obtained using a data surveillance device—each person who owns, or is in lawful control of, the computer. [See Surveillance Devices Bill 2020 cl 27(3)]
 
7-3 However, for the purposes of the offence in Recommendation 7-1 above, a person does not commit an offence if the person possesses the information: (a) in relation to proceedings for an offence against the legislation; or (b) because it was communicated to the person, or published, in a way that does not contravene the legislation. [See Surveillance Devices Bill 2020 cl 27(2)]
 
7-4 The draft Bill should provide that the maximum penalty for the offence in Recommendation 7-1 above is 20 penalty units or one year’s imprisonment. [See Surveillance Devices Bill 2020 cl 27(1)]
 
Admissibility of evidence obtained from the use of a surveillance device
 
7-5 The draft Bill should expressly state that it does not affect the power of a court to make a decision about the admissibility of information obtained using a surveillance device as evidence in a proceeding. [See Surveillance Devices Bill 2020 cl 4(c)]
 
Non-publication orders
 
7-6 The draft Bill should provide that, in proceedings for an offence against Part 2 of the legislation (which deals with the criminal prohibitions), the court may, at any time during the proceeding and only if it considers it necessary in the interests of justice, make an order prohibiting the publication of evidence given before the court, other than in the way and to the persons stated in the order. [See Surveillance Devices Bill 2020 cl 32(1)–(4)]
 
7-7 The draft Bill should provide that a person must not contravene an order made under the provision in Recommendation 7-6 above, unless the person has a reasonable excuse. The maximum penalty for such a contravention is 60 penalty units or three years imprisonment. [See Surveillance Devices Bill 2020 cl 32(5)]
 
Forfeiture or destruction of surveillance device or information
 
7-8 The draft Bill should provide that: (1) if a person is convicted of an offence against the legislation, the court before which the person is convicted may make an order that: (a) a surveillance device used in connection with the commission of the offence is forfeited to the State; (b) a document, device or other thing that contains related information, or on which related information is stored, is forfeited to the State; or (c) related information be destroyed; (2) before making an order for forfeiture or destruction, the court may require notice to be given to, and hear from, a person the court considers appropriate; (3) the power to order forfeiture or destruction should apply whether or not the surveillance device, document, device or thing to be forfeited, or related information to be destroyed, has been seized; (4) the court may also make any order that it considers appropriate to enforce the forfeiture; (5) the provision in Recommendation 7-8(1) above does not limit the court’s powers under the Penalties and Sentences Act 1992, the Criminal Proceeds Confiscation Act 2002 or another law; (6) when forfeited to the State, the surveillance device, document, device or thing becomes the State’s property and may be dealt with as directed by the chief executive. [See Surveillance Devices Bill 2020 cl 33(1)–(6)]
 
7-9 For the purposes of Recommendation 7-8 above, ‘related information’, for an offence, should be defined to mean ‘information to which the offence relates, or obtained using a surveillance device to which the offence relates’. [See Surveillance Devices Bill 2020 cl 33(7)]
 
CHAPTER 8: GENERAL OBLIGATIONS NOT IN INTERFERE WITH SURVEILLANCE PRIVACY OF INDIVIDUALS
 
General obligations not to interfere with surveillance privacy of individuals
 
8-1 The draft Bill should include civil provisions, separate from the criminal prohibitions in the legislation, that: (a) impose obligations on the use of, or the communication or publication of information obtained from the use of, a surveillance device, within the meaning of the draft Bill, to avoid interference with an individual’s surveillance privacy; and (b) form the basis for the complaints mechanism in Recommendations 9-1 to 9-32 below. The civil provisions should have the features set out below. [See Surveillance Devices Bill 2020 pts 3 and 4]
 
Statement and scope of the general obligations
 
8-2 The draft Bill should provide that, if an individual has a reasonable expectation of surveillance privacy: (a) a person must not use a surveillance device in a way that interferes with the individual’s surveillance privacy; and (b) a person must not communicate or publish the surveillance information in a way that interferes with the individual’s surveillance privacy. [See Surveillance Devices Bill 2020 cll 36(1)–(2) and 37(1)–(2)]
 
8-3 However, a person does not contravene a general obligation in Recommendation 8-2 above if: (a) the individual concerned has consented to the surveillance device being used in that way or, relevantly, to the communication or publication; or (b) the person did not know, and ought not reasonably to have known, that the particular use of the surveillance device or, relevantly, the communication or publication would interfere with the individual’s surveillance privacy. [See Surveillance Devices Bill 2020 cll 36(3) and 37(3)]
 
8-4 The draft Bill should provide that, for the purpose of this part of the draft Bill: (a) ‘surveillance privacy’, of an individual, means: (i) in relation to a particular use of a surveillance device—the individual is not the subject of surveillance from that use of a surveillance device; or (ii) in relation to surveillance information obtained when the individual was the subject of surveillance—the surveillance information is not communicated or published; and (b) ‘reasonable expectation’, of surveillance privacy for an individual, means the individual is reasonably entitled to expect surveillance privacy— (i) in relation to a particular use of a surveillance device; or, (ii) in relation to surveillance information obtained when the individual was the subject of surveillance. [See Surveillance Devices Bill 2020 cl 34]
 
8-5 The draft Bill should provide that the matters that are relevant for deciding whether an individual has a reasonable expectation of surveillance privacy include (but are not limited to) the following: (a) the individual’s location when the surveillance device is used; (b) the subject matter of the use, or of the surveillance information, including whether it is of an intimate, familial, health-related or financial nature; (c) the type of device used; (d) the nature and purpose of the use, communication or publication, including: (i) the extent to which the use, communication or publication targets the individual; (ii) whether the use is covert; (iii) in relation to the communication or publication, how the information is communicated or published; and (iv) whether the use, communication or publication contravenes a provision of an Act; (e) the nature and extent of any notice given about the use; (f) whether the individual has an opportunity to avoid the surveillance; (g) the attributes and conduct of the individual, including: (i) the extent to which the individual has a public profile, invites or encourages publicity or shows a wish for privacy; (ii) the extent to which the individual is in a position of vulnerability; (iii) the nature of any relationship between the individual and the person using the surveillance device, or making the communication or publication; and (iv) the effect that the use, communication or publication is reasonably likely to have on the individual’s health, safety or wellbeing. [See Surveillance Devices Bill 2020 cl 35]
 
Exceptions to the general obligations
 
8-6 A person does not contravene a general obligation in Recommendation 8-2 above if the person’s use of a surveillance device or, relevantly, communication or publication of surveillance information: (a) is authorised or required by law or by an order or process of a court or tribunal; (b) is incidental to, and reasonably necessary for, the exercise of a lawful right to defend a person or property, including to prosecute or defend a criminal or civil proceeding; or (c) is reasonably necessary in the public interest and the public interest outweighs the interference with the individual’s surveillance privacy. [See Surveillance Devices Bill 2020 cl 38]
 
CHAPTER 9: CIVIL COMPLAINTS PROCESS AND REMEDIES
 
A complaints mechanism
 
9-1 The draft Bill should provide a mechanism for complaints about alleged contraventions of the general obligations in Recommendation 8-2 above (‘surveillance device complaints’) to the effect that: (a) complaints may be made to the Surveillance Devices Commissioner (the ‘commissioner’) established under Recommendation 10-2(b) below for mediation; (b) complaints not resolved by mediation may be referred to QCAT for hearing and decision; and (c) if appropriate, the tribunal may order remedial relief. The complaints mechanism should have the features set out below. [See Surveillance Devices Bill 2020 pt 4, cl 39]
 
Making and referring complaints to the commissioner
 
9-2 A complaint under Recommendation 9-1 above: (a) may be made to the commissioner: (i) by an individual who is the subject of the alleged contravention; (ii) by an agent of the individual; or (iii) by a person authorised by the commissioner in writing to make the complaint for the individual; and (b) may be made under paragraph (a) jointly by or for two or more individuals. [See Surveillance Devices Bill 2020 cl 40]
 
9-3 A complaint may be referred to the commissioner by any of the following entities, if they consider that the complaint may also be a complaint under this legislation: (a) the Information Commissioner, in relation to a complaint received under the Information Privacy Act 2009; (b) the Human Rights Commissioner, in relation to a complaint received under the Human Rights Act 2019; (c) the Ombudsman, in relation to a complaint received under the Ombudsman Act 2001; (d) the Health Ombudsman, in relation to a complaint received under the Health Ombudsman Act 2013; or (e) any other entity that has received the complaint in performing its functions under a law [including a law of another State or the Commonwealth]. [See Surveillance Devices Bill 2020 cl 41, sch 1 (definitions of ‘referral Act’ and ‘referral entity’)]
 
9-4 A complaint made or referred to the commissioner under Recommendation 9-2 or 9-3 above must be in writing, state the complainant’s name and contact details (including, for example, the complainant’s postal or email address), state the respondent’s name, address or other contact details if they are known, and include enough information to identify the alleged contravention to which the complaint relates. [See Surveillance Devices Bill 2020 cl 42(1)]
 
9-5 A complaint made or referred to the commissioner under Recommendation 9-2 or 9-3 above must be made or referred within six months after the alleged contravention that is the subject of the complaint came to the complainant’s knowledge, or within a further period that the commissioner considers is reasonable in all the circumstances. [See Surveillance Devices Bill 2020 cl 43]
 
9-6 For a complaint made to the commissioner by an individual under Recommendation 9-2 above, the commissioner must give reasonable help to the complainant to put the complaint in writing. [See Surveillance Devices Bill 2020 cl 42(2)]
 
Dealing with complaints
 
9-7 The draft Bill should set out the way in which the commissioner is to deal with a complaint made or referred to the commissioner under Recommendation 9-2 or 9-3 above. [See Surveillance Devices Bill 2020 cl 44]
 
Preliminary notice and inquiries
 
9-8 As soon as practicable after receiving a complaint made or referred to the commissioner under Recommendation 9-2 or 9-3 above, the commissioner must give a notice to the complainant and respondent stating: (a) the substance of the complaint; (b) the role of the commissioner in dealing with the complaint; and (c) that the commissioner may seek information or documents from the complainant or respondent in relation to the complaint. The notice to the respondent must also require the respondent to advise the commissioner of the respondent’s contact details, including, for example, the respondent’s postal or email address. [See Surveillance Devices Bill 2020 cl 46]
 
9-9 Where a complaint is made or referred to the commissioner under Recommendation 9-2 or 9-3 above, the commissioner may make preliminary inquiries about the complaint to decide how to deal with the complaint and, if the complaint does not include enough information to do so, to identify the respondent to the complaint. [See Surveillance Devices Bill 2020 cl 45]
 
9-10 The Queensland Government should take steps to facilitate a memorandum of understanding between CASA and the commissioner about the sharing of information by CASA about registered owners and accredited flyers of drones for the purpose of complaints under the legislation.
 
Direction to protect privacy of complainant or respondent
 
9-11 In dealing with a complaint, the commissioner may, by notice, direct a person not to communicate or publish information that identifies, or is likely to identify, the complainant or respondent to a complaint if the commissioner is satisfied on reasonable grounds that it is necessary to do so to protect the privacy of the complainant or respondent. Non-compliance with a direction, without reasonable excuse, should be an offence with a maximum penalty of 10 penalty units. [See Surveillance Devices Bill 2020 cl 47]
 
Refusing to deal with a complaint
 
9-12 The commissioner may refuse to deal with a complaint, or part of a complaint, if: (a) the commissioner considers that: (i) the complaint does not comply with the requirements at Recommendation 9-4 above about the matters that must be stated in the complaint; (ii) there is a more appropriate course of action available under another law to deal with the subject of the complaint or part; (iii) the subject of the complaint or part has been appropriately dealt with by another entity; or (b) the complaint or part was not made or referred to the commissioner within the time stated at Recommendation 9-5 above; or (c) the complaint or part is frivolous, trivial, vexatious, misconceived or lacking in substance; [See Surveillance Devices Bill 2020 cll 17, 48(1)]
 
9-13 The commissioner may refuse to continue to deal with a complaint, or part of a complaint, under any of the grounds in Recommendation 9-12 above or if: (a) the complainant does not comply with a reasonable request made by the commissioner in dealing with the complaint or part; (b) the commissioner is satisfied on reasonable grounds that the complainant, without a reasonable excuse, has not cooperated in the commissioner’s dealing with the complaint or part; or (c) the commissioner can not make contact with the complainant. [See Surveillance Devices Bill 2020 cll 17, 48(2)]
 
9-14 If the commissioner refuses to deal with a complaint or to continue dealing with a complaint under Recommendation 9-12 or 9-13 above: (a) the commissioner must give notice of the refusal, with reasons, to the complainant and, unless the commissioner considers it is not necessary to do so in the circumstances, to the respondent; and (b) the complaint lapses, and the complainant cannot make a further complaint under this legislation about the same alleged contravention. [See Surveillance Devices Bill 2020 cll 49 and 50]
 
Referral of complaints to other entities
 
9-15 The commissioner may refer a complaint to another entity as follows, if it considers the complaint would be more appropriately dealt with by the other entity and if the complainant consents: (a) if the subject of the complaint could be the subject of a privacy complaint under the Information Privacy Act 2009, the commissioner may refer the complaint to the Information Commissioner; (b) if the subject of the complaint could be the subject of a human rights complaint under the Human Rights Act 2019, the commissioner may refer the complaint to the Human Rights Commissioner; (c) if the subject of the complaint could be the subject of a complaint under the Ombudsman Act 2001, the commissioner may refer the complaint to the Ombudsman; (d) if the subject of the complaint could be the subject of a health service complaint under the Health Ombudsman Act 2013, the commissioner may refer the complaint to the Health Ombudsman. [See Surveillance Devices Bill 2020 cl 51(1)–(2)]
 
9-16 If the commissioner refers a complaint under Recommendation 9-15 above to another entity, the commissioner: (a) may, with the complainant’s consent, give the entity information about the complaint obtained by the commissioner; and (b) must give notice of the referral, with reasons, to the complainant and, unless the commissioner considers it is not necessary to do so in the circumstances, to the respondent. [See Surveillance Devices Bill 2020 cl 51(3)–(4)]
 
Arrangements with other entities
 
9-17 The commissioner may enter into an arrangement with the Information Commissioner, the Human Rights Commissioner, the Ombudsman or the Health Ombudsman (a ‘referral entity’) to provide for: (a) the types of complaint under the legislation that the commissioner should refer to the referral entity (under Recommendation 9-15 above), and how the referral is made; (b) the types of complaint made under a referral Act that the referral entity should refer to the commissioner (under Recommendation 9-3 above), and how the referral is made; (c) dealing with a complaint or other matter under a referral Act that could also form the basis of a complaint under the legislation; or (d) cooperating in the performance by the commissioner and the referral entity in their respective functions to ensure the effective operation of the legislation and the referral entity’s legislation. [See Surveillance Devices Bill 2020 cl 52, sch 1 (definitions of ‘referral Act’ and ‘referral entity’)]
 
Mediation of complaints
 
9-18 The draft Bill should specify that the purpose of mediation is to identify and clarify the issues in the complaint and to promote the resolution of the complaint in a way that is informal, quick and efficient. [See Surveillance Devices Bill 2020 cl 53]
 
9-19 The commissioner must try to mediate the complaint if: (a) in the commissioner’s opinion, it is reasonably likely the complaint could be resolved by mediation; and (b) the commissioner does not: (i) refuse to deal with, or to continue to deal with, the complaint, under Recommendation 9-12 or 9-13 above; or (ii) refer the complaint to another entity under Recommendation 9-15 above. [See Surveillance Devices Bill 2020 cl 54(1)]
 
9-20 Where Recommendation 9-19 applies, the commissioner must give notice of the mediation to the complainant and respondent stating: (a) the substance of the complaint; (b) the powers the commissioner may exercise in trying to resolve the complaint by mediation; and (c) that the commissioner may seek information or documents from the complainant or respondent in relation to the complaint. The notice to the respondent must also state that the respondent will have an opportunity to respond to the complaint in writing. [See Surveillance Devices Bill 2020 cl 55]
 
9-21 The commissioner may take the reasonable action the commissioner considers appropriate to try to resolve the complaint by mediation. Without limiting the steps the commissioner may take, the commissioner may: (a) ask the respondent to respond in writing to the complaint; (b) give the complainant a copy of the respondent’s written response; (c) ask or direct the complainant or respondent to give the commissioner information relevant to the complaint, including by notice given under Recommendation 10-8(c) below; (d) make enquiries of, and discuss the complaint with, the complainant and respondent; (e) provide information to the complainant and respondent about the legislation and how it applies to the complaint; or (f) facilitate a meeting between the complainant and respondent. [See Surveillance Devices Bill 2020 cl 54(2)–(3), sch 1 (definition of ‘information’)]
 
Confidentiality of mediation
 
9-22 A person who is or has been the commissioner or a staff member of the commission must not disclose information coming to their knowledge during a mediation. However, this does not apply if the disclosure is made: (a) with the consent of the complainant and respondent to the complaint; (b) for the purpose of giving effect to the commissioner’s complaints handling or reporting functions under the legislation; (c) for statistical purposes without identifying a person to whom the information relates; (d) for an inquiry or proceeding about an offence happening during the mediation; (e) for a proceeding founded on fraud alleged to be connected with, or to have happened during, the mediation; or (f) under a requirement imposed by an Act. [See Surveillance Devices Bill 2020 cl 56]
 
9-23 Evidence of anything said or done, or an admission made, in the course of the mediation of a complaint is admissible in a civil proceeding only if the complainant and respondent agree. However: (a) This provision does not apply to a mediated agreement filed with QCAT under Recommendation 9-25 below; and (b) A ‘civil proceeding’ for this provision does not include a civil proceeding founded on fraud alleged to be connected with, or to have happened, during the mediation. [See Surveillance Devices Bill 2020 cl 57]
 
Mediated agreement
 
9-24 If, after mediation, the complainant and respondent agree to resolve the complaint: (a) the agreement is not binding, as a ‘mediated agreement’, until it is written down, signed by the complainant and respondent and certified by the commissioner as the agreement signed by the parties in accordance with these requirements; (b) the commissioner must keep a copy of the mediated agreement. [See Surveillance Devices Bill 2020 cl 58]
 
9-25 The complainant or respondent may file a copy of the mediated agreement prepared under Recommendation 9-24 above with QCAT. [See Surveillance Devices Bill 2020 cl 59(1)]
 
9-26 If a mediated agreement is filed with QCAT under Recommendation 9-25 above, the tribunal may make orders necessary to give effect to the agreement if the tribunal is satisfied that: (a) the order is consistent with an order the tribunal may make under Recommendation 9-31 below or the QCAT Act; and (b) it is practicable to implement the order. An order made by the tribunal under this provision is, and may be enforced as, an order of the tribunal under the QCAT Act. [See Surveillance Devices Bill 2020 cl 59(2)–(3)]
 
Referral of complaints to tribunal
 
9-27 The draft Bill should provide that, if: (a) the commissioner does not: (i) refuse to deal with, or to continue to deal with, the complaint, under Recommendation 9-12 or 9-13 above; or (ii) refer the complaint to another entity under Recommendation 9-15 above; and (b) in the commissioner’s opinion, the complaint is unlikely to be resolved: (i) by mediation of the complaint; or (ii) despite attempts to mediate the complaint the commissioner must give notice to the complainant and respondent that these provisions apply and that the commissioner will, if asked to do so by the complainant, refer the complaint to QCAT to decide. [See Surveillance Devices Bill 2020 cll 60 and 61]
 
9-28 The complainant may, in writing to the commissioner, ask for the referral of the complaint to QCAT within 20 business days after receiving notice under Recommendation 9-27 above. [See Surveillance Devices Bill 2020 cl 62(1)]
 
9-29 The commissioner must refer the complaint to QCAT within 20 business days after receiving a request made under Recommendation 9-28 above. [See Surveillance Devices Bill 2020 cl 62(2)]
 
Tribunal’s jurisdiction and procedure
 
9-30 Where a complaint is referred to QCAT under Recommendation 9-29 above: (a) the tribunal must exercise its original jurisdiction under the QCAT Act to hear and decide the complaint; (b) the complainant and respondent to the complaint are both parties to the proceeding; (c) the complainant is taken to be the applicant for the proceeding; (d) the respondent is taken to be the respondent for the proceeding; (e) subject to para (f) below, the rules and procedures applying to QCAT under the QCAT Act apply to the proceeding; and (f) for a hearing conducted by the tribunal in relation to the complaint, the tribunal is to be constituted by at least one legally qualified member. [See Surveillance Devices Bill 2020 cll 62(3), 63 and 64]
 
9-31 After the hearing of a complaint referred to QCAT under Recommendation 9-29 above, the tribunal may make one or more of the following final decisions to decide the complaint: (a) an order that declares the respondent’s use, communication or publication contravened a general obligation in Recommendation 8-2(a) or (b) above in relation to the complainant and, if QCAT considers appropriate, includes one or more of the following— (i) an order that the respondent must not repeat or continue a stated act or practice; (ii) an order that the respondent must compensate the complainant for loss or damage (including for injury to the complainant’s feelings or humiliation) suffered because of the respondent’s act or practice by: (A) engaging in a stated act or practice; or (B) paying the complainant a stated amount of not more than $100 000; (b) an order dismissing the complaint, or part of the complaint; (c) an order that the complainant be reimbursed for expenses reasonably incurred in connection with making the complaint. [See Surveillance Devices Bill 2020 cll 17, 65(1)–(2)]
 
9-32 An order made by the tribunal under Recommendation 9-31(a)(ii) above must state the reasonable time within which the relevant action must be taken. [See Surveillance Devices Bill 2020 cl 65(3)] Resourcing 9-33 QCAT should be provided with any additional resources necessary to ensure the effective operation of the new jurisdiction conferred on the tribunal by the legislation.
 
CHAPTER 10: A NEW REGULATOR
 
A new independent regulator
 
10-1 There should be an independent regulator. For the purpose of the draft Bill, the independent regulator is established as a separate entity under Recommendation 10-2 below. If the independent regulator’s functions were instead to be conferred on an existing entity, some of the recommended provisions would need appropriate modification. Whichever way the independent regulator is established, it should have the functions, powers and main features set out below. [See Surveillance Devices Bill 2020 pt 5]
 
Establishment of the regulator
 
10-2 There should be a Surveillance Devices Commission (the ‘commission’). The commission: (a) is a statutory body for the Financial Accountability Act 2009 and the Statutory Bodies Financial Arrangements Act 1982; and (b) consists of the Surveillance Devices Commissioner appointed under Recommendation 10-3 below, and the staff of the commission employed under Recommendation 10-7 below. [See Surveillance Devices Bill 2020 cll 66, 67]
 
10-3 The Surveillance Devices Commissioner (the ‘commissioner’): (a) is appointed by, and holds office on the terms and conditions decided by, the Governor in Council; (b) holds office for a term of not more than five years stated in the instrument of appointment and, if a person is reappointed as commissioner, may hold office for not more than ten years continuously; and (c) controls the commission. [See Surveillance Devices Bill 2020 cll 71, 77, 78(1)–(3)]
 
10-4 The draft Bill should also include standard provisions dealing with leave of absence as commissioner, vacancy in office, the grounds on which a person may be removed from office as commissioner, and the preservation of certain rights of public service employees. Other relevant provisions of general application in the Acts Interpretation Act 1954 will also apply. [See Surveillance Devices Bill 2020 cll 78(4), 79, 80, 81, 82]
 
10-5 The draft Bill should ensure the independence of the commissioner by providing that: (a) in performing the commissioner’s functions, the commissioner must act independently, impartially and in the public interest; and (b) the commissioner is not subject to direction by any person about how the commissioner performs the commissioner’s functions. Under Recommendation 10-12(d), (e), (f) and 10-16(b) below, the Minister may, however, request advice, assistance or an examination, and may require a report, about particular matters. [See Surveillance Devices Bill 2020 cll 69 and 70]
 
10-6 The commissioner may delegate to an appropriately qualified staff member of the commission the commissioner’s functions or powers under the legislation or another Act. Provisions of general application in the Acts Interpretation Act 1954 will apply to the delegation. [See Surveillance Devices Bill 2020 cl 93] 1
 
10-7 Staff of the commission: (a) are employed under the Public Service Act 2008; and (b) are not subject to direction, other than from the commissioner or a person authorised by the commissioner, about how the commissioner’s functions are to be performed. [See Surveillance Devices Bill 2020 cl 83]
 
Functions and powers
 
10-8 The draft Bill should provide the following in relation to the commissioner’s general functions and powers: (a) The commissioner has the functions and powers given by the legislation; (b) The commissioner has power to do all things that are necessary or convenient to be done to perform the commissioner’s functions under the legislation; and (c) If the commissioner believes on reasonable grounds that a person may have information relevant to a complaint being dealt with by the commissioner or to another function being performed by the commissioner, the commissioner may, by written notice, ask or direct the person to give the information to the commissioner within a reasonable period. [See Surveillance Devices Bill 2020 cll 68 and 76(1)–(4)]
 
10-9 The commissioner’s functions include receiving and dealing with complaints under Recommendations 9-1 to 9-29 above. There should be a clear administrative division, supported by formal policies and procedures, between the commissioner’s complaints handling and mediation functions and the other functions of the commissioner. [See Surveillance Devices Bill 2020 cl 72]
 
10-10 The commissioner’s guidance functions include: (a) promoting understanding of and compliance with the legislation, including the general obligations in Recommendation 8-2 above; (b) providing information and guidance about the operation of the legislation; (c) providing education and training about the legislation, including the general obligations in Recommendation 8-2 above and the lawful use of surveillance devices; (d) issuing guidelines about any matter related to the commissioner’s functions, including guidelines on any of the following matters: (i) how the legislation applies; (ii) how an exception in Recommendation 5-12 to 5-18 or 6-5 to 6-7 above applies, including examples; (iii) best practice for the use of surveillance devices, and the communication or publication of surveillance information, in a way that respects individuals’ privacy; and (iv) making, referring and dealing with complaints under Recommendation 9-1 above; and (e) giving information and reasonable help to complainants and respondents in relation to their complaints and the processes under the legislation. [See Surveillance Devices Bill 2020 cl 73(1)]
 
10-11 The draft Bill should additionally provide that the guidelines issued under Recommendation 10-10(d) above must be published on the commissioner’s website. [See Surveillance Devices Bill 2020 cl 73(2)]
 
10-12 The commissioner’s research, advice and monitoring functions include: (a) undertaking or commissioning research to monitor: (i) whether the legislation is achieving its purpose; (ii) how surveillance devices and surveillance device technologies are used in civil society; (iii) developments in surveillance device technology; (b) identifying and commenting on any issues relating to the use of surveillance devices in civil society, and the communication or publication of surveillance information; (c) identifying and commenting on legislative and administrative changes that would improve the operation of the legislation; (d) on request of the Minister or on the commissioner’s own initiative, advising the Minister about matters relevant to the operation and administration of the legislation; (e) on request of the Minister, assisting the Minister to review the legislation under Recommendation 11-2 below; and (f) on request of the Minister, examining other Acts and proposed legislation to determine whether they are, or would be, consistent with the purpose of the legislation and the general obligations in Recommendation 8-2 above. [See Surveillance Devices Bill 2020 cl 74]
 
10-13 The commissioner’s compliance monitoring functions include examining—on the commissioner’s own initiative or otherwise—the practices of relevant entities, in relation to the following matters, to monitor whether the practices comply with the legislation: (a) how the entities use surveillance devices, and communicate or publish surveillance information; (b) the surveillance device, and communication or publication, technologies used by the entities; and (c) the programs, policies and procedures of the entities in relation to each of the matters in paragraphs (a) and (b). [See Surveillance Devices Bill 2020 cl 75(1)]
 
10-14 For the purpose of Recommendation 10-13 above: (a) ‘relevant entity’ means: (i) a ‘public entity’ within the meaning of the Human Rights Act 2019; (ii) an entity with an annual turnover of more than $5 million for the current or previous financial year; (iii) an entity that regularly or routinely uses a surveillance device, or communicates or publishes surveillance information; (iv) an entity that uses a surveillance device to monitor crowds in places that are open to or used by the public, whether or not on the payment of a fee; and (v) another entity prescribed by regulation. (b) ‘relevant entity’ does not include an entity to the extent its practices relate to enforcing a law of the State, including, for example, the Queensland Police Service or the Crime and Corruption Commission.
 
Reporting requirements
 
10-15 In addition to the annual financial reporting requirements that will apply under the Financial Accountability Act 2009, the draft Bill should provide that: (a) as soon as practicable after the end of each financial year, the commissioner must give the Minister an annual report about the operation of the legislation; (b) without limiting paragraph (a), the annual report must include information for the financial year about the following matters: (i) the number of complaints made or referred to the commissioner; (ii) the types of complaints made or referred to the commissioner, including: (A) the categories of entities to which the complaints relate; (B) the uses of surveillance devices to which the complaints relate; (C) the provisions of Recommendation 8-2 ff above to which the complaints relate; (iii) the outcome of complaints made or referred to the commissioner, including: (A) the number of complaints the commissioner refused to deal with, or to continue to deal with, and the grounds for refusing under Recommendations 9-12 and 9-13 above; (B) the number and type of complaints referred to another entity under Recommendation 9-15 above; (C) the number and type of complaints resolved by the commissioner by mediation under Recommendation 9-19 above; (D) the number and type of complaints referred to QCAT under Recommendation 9-29 above; (iv) the outcome of complaints referred to QCAT; (v) another matter prescribed by regulation. (c) the Minister must table a copy of the annual report in the Legislative Assembly within 14 sitting days after receiving the report. [See Surveillance Devices Bill 2020 cl 84]
 
10-16 The draft Bill should also provide that: (a) the commissioner may at any time prepare a report about a matter relevant to the performance of the commissioner’s functions under the legislation and give the report to the Minister; (b) the commissioner must, if asked by the Minister, prepare a report about a matter mentioned in paragraph (a) and give the report to the Minister as soon as practicable after it is prepared; and (c) the Minister must table a copy of a report given to the Minister under paragraph (a) or (b) in the Legislative Assembly within 14 sitting days after receiving the report. [See Surveillance Devices Bill 2020 cl 85]
 
10-17 The draft Bill should also provide the following safeguards in relation to a report of the commissioner prepared under Recommendation 10-15 or 10-16 above: (a) the report must not include personal information about an individual unless the individual has previously published the information, or gave the information for the purpose of publication; and (b) the report must not make an adverse comment about a person unless the commissioner has given the person an opportunity to respond, in writing, to the proposed comment and any response from the person is fairly stated in the report. For paragraph (a), ‘personal information’ has the same meaning as under the Information Privacy Act 2009, section 12. For paragraph (b), ‘adverse comment’ does not include a statement that a person did not participate in resolving a complaint under the legislation. [See Surveillance Devices Bill 2020 cll 86 and 87]
 
Protections and offences
 
10-18 The draft Bill should include the following protective provisions and offences relating to the actions of and dealings with the commissioner, to ensure the effective operation of the commissioner’s functions: (a) The commissioner is protected from civil liability for acts done or omissions made honestly and without negligence under the legislation. (b) Where a person, acting honestly, gives information or a written response to the commissioner under a provision of the legislation: (i) the person is not liable (civilly, criminally or under an administrative process) because the person gave the information or written response; and (ii) the person cannot be held to have breached a code of professional etiquette or ethics or departed from accepted standards of professional conduct because the person gave the information or written response. (c) A person who is or has been the commissioner or a staff member of the commission and who, in that capacity, acquires or has access to or custody of confidential information must not make a record of or disclose the information to another person. This does not apply if the record is made or the information is disclosed with the consent of each person to whom the record or information relates, in performing a function under the legislation, or as required or permitted under another Act. ‘Confidential information’ means any information that: (i) relates to a complaint made under the legislation; (i) is personal information about a complainant, respondent or another individual; (iii) is about a person’s financial position or background; or (iv) if disclosed, would be likely to damage the commercial activities of a person to whom the information relates. This does not include information that is publicly available or to statistical or other information that is not likely to identify the person to whom it relates. (d) A person who is or has been the commissioner, or a staff member of the commission, cannot be required to give information related to the performance of functions under the legislation to a court. This does not apply if the information is given in performing a function under the legislation, or as required or permitted by another Act. (e) It is an offence, with a maximum penalty of 10 penalty units: (i) for a person, in the administration of the legislation, to give information to the commissioner or a staff member of the commission that the person knows is false or misleading in a material particular; or (ii) for a person to fail, without reasonable excuse, to comply with a direction of the commissioner, given in a notice, requiring the person to give information to the commissioner. It is a reasonable excuse for this provision if compliance would require disclosure of information that is the subject of legal professional privilege, or information that might tend to incriminate the individual. [See Surveillance Devices Bill 2020 cll 76(5)–(6), 88, 89, 90, 91 and 92, sch 1 (definition of ‘information’)]
 
CHAPTER 11: GENERAL MATTERS
 
Regulation-making power
 
11-1 The draft Bill should provide that the Governor in Council may make regulations under the legislation. [See Surveillance Devices Bill 2020 cl 94]
 
Review of Act
 
11-2 The draft Bill should provide that the Minister must complete a review of the effectiveness of the legislation within five years after the commencement. In completing the review, the Minister must consider: (a) whether the legislation is achieving its purpose; and (b) how surveillance devices and surveillance device technologies are used in civil society; and (c) developments in surveillance device technology; and (d) whether the legislation should be amended to provide for: (i) new types of surveillance devices; or (ii) new uses of surveillance devices and surveillance device technologies in civil society. In addition, the Minister must table in the Legislative Assembly a report on the outcome of the review as soon as practicable after the review is completed. [See Surveillance Devices Bill 2020 cl 95]
 
Consequential provisions
 
11-3 If legislation based on the draft Bill is enacted, the references to the ‘Invasion of Privacy Act 1971’ in the following Acts should be omitted and replaced by references to the legislation, as appropriate: (a) the Commissions of Inquiry Act 1950; (b) the Fisheries Act 1994; (c) the Police Powers and Responsibilities Act 2000; (d) the Public Safety Preservation Act 1986; and (e) the Youth Justice Act 1992.