31 October 2020

Schmitt and Pezzullo

From 'The most powerful mandarin in our 'extended' security state' by Brian Toohey in the Brisbane Times 

Michael Pezzullo is by far the most powerful public servant in Australia. He created and runs the ever-expanding Home Affairs Department, he oversees a ceaseless avalanche of draconian new laws and he gives public speeches about what he sees as the global “duality of good and evil”. 

Home Affairs already includes ASIO, the Australian Federal Police, Border Force, the Criminal Intelligence Commission, the Transactions and Analysis Centre, Immigration, and many other bodies. New laws make it a criminal offence to cause “intangible” damage to Australia's international relations, without explaining how anyone could know they were having an “intangible” effect. Another new criminal offence is to receive "inherently harmful information", regardless of whether it’s classified. 

In a speech in Canberra this month that sparked remarkably little alarm, Pezzullo said responding to the problems created by global forces required “nothing less than the transformation of the state itself, and the state’s relationship with society”. 

He wanted what he called an “extended state” consisting of the “entire apparatus” of all Australian governments, the business sector, the scientific and industrial research establishment, not-for-profit and community organisations including charities, and households as required for security and other purposes. Pezzullo wanted a “closer integration of security, economic and social policy”.

That speech featured

At one level, security dilemmas reduce logically to human difference and alterity, whether one reads Hobbes, Foucault, Schmitt or Heidegger, or for that matter Hegel, Marx, Nietzsche or Derrida, to name a few of the relevant thinkers.

An unimpressed Toohey comments "Sartre and Kierkegaard crack a mention elsewhere in the speech".

Pezzullo concluded

Public institutions have to be designed to operate at the intersection of prosperity, security and unity. Security has to be subordinated to the greater end of an open, prosperous and unified society. Security is an array of effects which support resilience and which are generated through a cycle of practices – namely threat scanning, risk management, planning, preparation and exercising, and operations, including first response, emergency management and, as necessary, disaster recovery and reconstruction. 

Security focuses on the logical anticipation of dangers to come, and is best informed by a realistic (as distinct from a neurotic) ‘anxiety’ which is centred on defined dangers – or at least imaginable dangers. I do not therefore deny a link of sorts to fear and anxiety – but nor would I start there. 

The operational state: within government, departments and agencies have to be designed to be operational – able to plan, to prepare, and to undertake operational missions as directed. The age of the programmatic or regulatory agency (the 1980s-2010s) is passing. While of course they have their place, even in wartime, departmental operations which are focused on the pursuit of purposive outcomes as distinct from the supervision of arms-length processes are back in vogue, and not before time. 

While much has been done in recent years to better link law enforcement, security intelligence, countering foreign interference, countering terrorism, immigration, citizenship, social cohesion, customs, border protection, maritime security, critical infrastructure protection, aviation and port security, supply chain security, cybersecurity, emergency management, disaster recovery, biosecurity and public health management and so on, governments will always be mindful of opportunities to achieve yet more scale and more agility in the generation of operational effects. 

While national security effects will typically continue to be delivered by the principal departments of state – Foreign Affairs and Trade, Defence, and Home Affairs, working alone, or in combination – security effects are also being delivered through other combinations, such as through the partnerships that Home Affairs has with Treasury (in foreign investment screening); Agriculture (biosecurity); Transport (aviation and maritime security); Communications (telecommunications security, for instance in relation to 5G technology); Industry (supply chains and scientific research); Energy (energy security); Health (pandemic response) and Education (foreign interference in universities). 

The extended state: perhaps the time has come to speak of the ‘extended state’ where public institutions in the executive remain the vital centre, as they possess convening power, threat intelligence, regulatory powers (for instance in the creation and enforcement of security obligations), emergency powers (as laid down in law), and the operational capabilities and capacities of which I spoke earlier. The ‘extended state’ for the purposes of security as I have defined it, which is a networked and dynamic conception of security which comprehends sectors across society and the economy, consists of the entire apparatus of the Australian Government, which convenes and coordinates; along with State, Territory and municipal governments; as well as the business sector, including finance and banking, food and groceries, health and medical services, transport, freight and logistics, water supply and sanitation, utilities, energy, fuel, telecommunications; the scientific and industrial research establishment; as well as non-for-profit and community organisations, including charities; and households as might be required.

30 October 2020

Trading

'Online Behavioral Targeting: Are Knowledgeable Consumers Willing to Sell Their Privacy?' by H. Li and A. Nill in (2020) 43 Journal of Consumer Policy 723–745 comments 

 Unbeknownst to many online consumers, their personal information is being traded on a flourishing and rapidly increasing market for privacy data. In a process often labeled online behavioral targeting (OBT), data mining companies and online brokers collect, analyze, buy, and sell consumers’ personal data in an effort to enable online and offline marketers to deliver personalized, highly relevant, and ultimately profitable advertisements. For the most part, consumers have not yet been afforded the opportunity to meaningfully participate in this market for privacy data. The purpose of this article is to explore more deeply the impact of knowledge on consumers’ potential willingness to keep versus trade their private information. Using survey data methodology, we find that those consumers who are more knowledgeable about OBT are willing to pay more for keeping their data private and, at the same time, are willing to sell their data for less money than less informed consumers.

The authors argue 

Dan Abate could not explain why he received so many advertisements about diabetes-related medications--online and via regular mail---until he discovered that his name showed up in a database of millions of people with “diabetes interest.” Acxiom Corp., one of the world’s biggest data mining companies, sells this list to advertisers and data brokers. One of Acxiom Corp’s customers, the data reseller Exact Data, posted Dan’s full name and his physical address online, along with 100 others, under the header “Sample Diabetes Mailing List.” This is just one of hundreds of medical databases up for sale to marketers (Pettypiece and Robertson 2014). A data broker such as Exact Data typically buys those lists wholesale for a mere 20 cents per name and breaks the data down into sub-categories, including income level, sex, profession, geography, and ethnicity. These customized lists are sold to marketers such as pharmaceutical companies who in turn can send customers highly relevant advertisements. Dan’s story is an example of online behavioral targeting (OBT) and its potential consequences in the physical world. While Dan’s personal information has been bought and sold several times, he has not been afforded the opportunity to meaningfully participate in this market for privacy data. He had no control over how his data were being used, and, in fact, he was not even aware that his personal data had been traded. 

OBT potentially enables marketers to deliver personalized, highly relevant, and ultimately profitable advertisements. While the revenue of those advertisements allows “free” access to most of the content provided on the Internet, consumers---often without their knowledge---“pay” for it by allowing online marketers access to their private information. For example, Dan Abate from the example above likely filled out a website registration form that asked for his health information in order to grant him “free” access to the site. One such site is Primehealthsolutions.com, which provides basic health information on a variety of conditions. The site makes money by collecting data on users and their diseases and reselling this information to data brokers. 

An analysis of the main marketing publications dealing with digital, social media, and mobile marketing over the last 15 years revealed a lack of comprehensive answers to some of the fundamental questions concerning the use of big data from a consumer privacy perspective (Lamberton and Stephen 2016). Little research addresses the question how consumers are or can potentially control their private information to their own benefit in a world where this information---knowingly or unknowingly, consented, or unconsented---is already widely accessible and available to a host of marketers and other interested parties (Ferrell 2016; Martin and Murphy 2017; Martin 2016). Accordingly, our overarching research interest is no longer if consumers are willing to disclose their private data---it is too late to put the genie back in the bottle---but are consumers able and willing to actively gain more control over their personal information, if they were provided with the opportunity to do so? Senator Ron Johnson pointedly asked Mark Zuckerberg this question in the senate hearing April 2018: “Have you thought about that model, where the user data is actually monetized by the actual user” (Washington Post 2018)? Would consumers be interested in such a model? 

The main theoretical contribution of our analysis is to show that knowledge has a significant impact on consumers’ ability and willingness to actively control their data. The main public policy implication is that knowledgeable consumers are much more likely to perceive their personal data as a tradable good. In other words, educating and informing consumers about OBT are necessary before a market-based solution for private data. Consumers who lack knowledge about OBT have often unrealistic expectations about the market value of their personal information, are oblivious of the current tradeoff between free online content and collection of personal data, and would neither be willing nor capable of participating in a market for online data in a meaningful wa

Privacy Act Inquiry

It's that time of of the year, where governments - in what one of my more mordant friends describes as 'take out the trash' mode - announce short consultations on matters that are important but politically inconvenient. The national Government has today announced an inquiry into the Privacy Act 1988 (Cth), with responses to the issues paper due by 29 November. 

The Review reflects the Attorney-General's 12 December 2019 announcement that the Government would conduct a review of the Act to 'ensure privacy settings empower consumers, protect their data and best serve the Australian economy'. The announcement was part of the Government's response to the Australian Competition and Consumer Commission's Digital Platforms Inquiry. 

A-G's has hopefully dusted off the various ALRC reports from George Brandis's famous mahogany bookshelves (ignoring Brandis' unsuccessful attempt to euthanase the OAIC on the grounds that neither FOI nor privacy protection were really necessary). 

A-G's states 

We will draw on a range of sources for the review and invite submissions on matters for consideration. We will also meet with stakeholders on specific issues and consider research and reports on privacy issues. 

Those sources include

  • ACCC Digital Services Advertising Inquiry 
  • ACCC Digital Platforms Inquiry Final Report, 2019 
  • Data Availability and Use, Productivity Commission Inquiry Report, 2017 
  • Serious Invasions of Privacy in the Digital Era, ALRC Final Report 123, 2014 
  • For Your Information: Australian Privacy Law and Practice, ALRC Report 108, 2008

The Terms of Reference are -

  •  the scope and application of the Privacy Act
  • whether the Privacy Act effectively protects personal information and provides a practical and proportionate framework for promoting good privacy practices 
  • whether individuals should have direct rights of action to enforce privacy obligations under the Privacy Act 
  • whether a statutory tort for serious invasions of privacy should be introduced into Australian law
  •  the impact of the notifiable data breach scheme and its effectiveness in meeting its objectives
  •  the effectiveness of enforcement powers and mechanisms under the Privacy Act and how they interact with other Commonwealth regulatory frameworks 
  • the desirability and feasibility of an independent certification scheme to monitor and demonstrate compliance with Australian privacy laws.
The questions in the 89 page issues paper are 
 
Objectives of the Privacy Act 
1. Should the objects outlined in section 2A of the Act be changed? If so, what changes should be made and why? 
 
Definition of personal information 
2. What approaches should be considered to ensure the Act protects an appropriate range of technical information? 
3. Should the definition of personal information be updated to expressly include inferred personal information? 
4. Should there be additional protections in relation to de-identified, anonymised and pseudonymised information? If so, what should these be? 
5. Are any other changes required to the Act to provide greater clarity around what information is ‘personal information’? 
 
Flexibility of the APPs in regulating and protecting privacy 
6. Is the framework of the Act effective in providing flexibility to cater for a wide variety of entities, acts and practices, while ensuring sufficient clarity about protections and obligations? 
 
Exemptions Small business exemption 
7. Does the small business exemption in its current form strike the right balance between protecting the privacy rights of individuals and avoid imposing unneccessary compliance costs on small business? 
8. Is the current threshold appropriately pitched or should the definition of small business be amended? a. If so, should it be amended by changing the annual turnover threshold from $3 million to another amount, replacing the threshold with another factor such as number of employees or value of assets or should the definition be amended in another way? 
9. Are there businesses or acts and practices that should or should not be covered by the small business exemption? 
10. Would it be appropriate for small businesses to be required to comply with some but not all of the APPs? a. If so, what obligations should be placed on small businesses? b. What would be the financial implications for small business? 
11. Would there be benefits to small business if they were required to comply with some or all of the APPs? 
12. Should small businesses that trade in personal information continue to be exempt from the Act if they have the consent of individuals to collect or disclose their personal information?   
 
Employee records exemption 
13. Is the personal information of employees adequately protected by the current scope of the employee records exemption? 
14. If enhanced protections are required, how should concerns about employees’ ability to freely consent to employers’ collection of their personal information be addressed? 
15. Should some but not all of the APPs apply to employee records, or certain types of employee records? 
 
Political parties exemption 
16. Should political acts and practices continue to be exempted from the operation of some or all of the APPs? 
 
Journalism exemption 
17. Does the journalism exemption appropriately balance freedom of the media to report on matters of public interest with individuals’ interests in protecting their privacy? 
18. Should the scope of organisations covered by the journalism exemption be altered? 
19. Should any acts and practices of media organisations be covered by the operation of some or all 
 of the APPs? 
 
Notice of Collection of Personal Information Improving awareness of relevant matters 
20. Does notice help people to understand and manage their personal information? 
21. What matters should be considered to balance providing adequate information to individuals and minimising any regulatory burden? 
22. What sort of requirements should be put in place to ensure that notification is accessible; can be easily understood; and informs an individual of all relevant uses and disclosures? 
 
Third party collections 
23. Where an entity collects an individual’s personal information and is unable to notify the individual of the collection, should additional requirements or limitations be placed on the use or disclosure of that information? 
 
Limiting information burden 
24. What measures could be used to ensure individuals receive adequate notice without being subject to information overload? 
25. Would a standardised framework of notice, such as standard words or icons, be effective in assisting consumers to understand how entities are using their personal information? 
 
Consent to collection, use and disclosure of personal information  
26. Is consent an effective way for people to manage their personal information? 
27. What approaches should be considered to ensure that consent to the collection, use and disclosure of information is freely given and informed? 
28. Should individuals be required to separately consent to each purpose for which an entity collects, uses and discloses information? What would be the benefits or disadvantages of requiring individual consents for each primary purpose? 
29. Are the existing protections effective to stop the unnecessary collection of personal information? a. If an individual refuses to consent to their personal information being collected, used or disclosed for a purpose that is not necessary for providing the relevant product or service, should that be grounds to deny them access to that product or service? 
30. What requirements should be considered to manage ‘consent fatigue’ of individuals? 
 
Exceptions to the requirement to obtain consent 
31. Are the current general permitted situations and general health situations appropriate and fit-for-purpose? Should any additional situations be included? 
 
Pro-consumer defaults 
32. Should entities collecting, using and disclosing personal information be required to implement pro-privacy defaults for certain uses and disclosures of personal information?   
 
Obtaining consent from children 
33. Should specific requirements be introduced in relation to how entities seek consent from children? 
 
The role of consent for IoT devices and emerging technologies 
34. How can the personal information of individuals be protected where IoT devices collect personal information from multiple individuals? 
 
Inferred sensitive information 
35. Does the Act adequately protect sensitive information? If not, what safeguards should be put in place to protect against the misuse of sensitive information? 
36. Does the definition of ‘collection’ need updating to reflect that an entity could infer sensitive information? 
 
Direct marketing 
37. Does the Act strike the right balance between the use of personal information in relation to direct marketing? If not, how could protections for individuals be improved? 
 
Withdrawal of consent 
38. Should entities be required to refresh an individual’s consent on a regular basis? If so, how would this best be achieved? 
39. Should entities be required to expressly provide individuals with the option of withdrawing consent? 
40. Should there be some acts or practices that are prohibited regardless of consent? 
 
Emergency declarations 
41. Is an emergency declaration appropriately framed to facilitate the sharing of information in response to an emergency or disaster and protect the privacy of individuals? 
 
Regulating use and disclosure 
42. Should reforms be considered to restrict uses and disclosures of personal information? If so, how should any reforms be balanced to ensure that they do not have an undue impact on the legitimate uses of personal information by entities? 
 
Control and security of personal information  
 
Security and retention 
43. Are the security requirements under the Act reasonable and appropriate to protect the personal information of individuals? 
44. Should there be greater requirements placed on entities to destroy or de-identify personal information that they hold? 
 
Access, quality and correction 
45. Should amendments be made to the Act to enhance: a. transparency to individuals about what personal information is being collected and used by entities? b. the ability for personal information to be kept up to date or corrected? 
 
Right to erasure 
46. Should a ‘right to erasure’ be introduced into the Act? If so, what should be the key features of such a right? What would be the financial impact on entities? 
47. What considerations are necessary to achieve greater consumer control through a ‘right to erasure’ without negatively impacting other public interests? 
 
Overseas data flows and third party certification 
48. What are the benefits and disadvantages of the current accountability approach to cross-border disclosures of personal information? a. Are APP 8 and section 16C still appropriately framed? 
49. Is the exception to extraterritorial application of the Act in relation to acts or practices required by an applicable foreign law still appropriate? 
50. What (if any) are the challenges of implementing the CBPR system in Australia? 
51. What would be the benefits of developing a domestic privacy certification scheme, in addition to implementing the CBPR system? 
52. What would be the benefits or disadvantages of Australia seeking adequacy under the GDPR? 
 
Enforcement powers under the Privacy Act and role of the OAIC 
53. Is the current enforcement framework for interferences with privacy working effectively? 
54. Does the current enforcement approach achieve the right balance between conciliating complaints, investigating systemic issues, and taking punitive action for serious non-compliance? 
55. Are the remedies available to the Commissioner sufficient or do the enforcement mechanisms available to the Commissioner require expansion? a. If so, what should these enforcement mechanisms look like? 
 
Direct right of action 
56. How should any direct right of action under the Act be framed so as to give individuals greater control over their personal information and provide additional incentive for APP entities to comply with their obligations while balancing the need to appropriately direct court resources?  
 
Statutory tort 
57. Is a statutory tort for invasion of privacy needed? 
58. Should serious invasions of privacy be addressed through the criminal law or through a statutory tort? 
59. What types of invasions of privacy should be covered by a statutory tort? 60. Should a statutory tort of privacy apply only to intentional, reckless invasions of privacy or should it also apply to breaches of privacy as a result of negligence or gross negligence? 
61. How should a statutory tort for serious invasions of privacy be balanced with competing public interests? 
62. If a statutory tort for the invasion of privacy was not enacted, what other changes could be made to existing laws to provide redress for serious invasions of privacy? 
 
Notifiable Data Breaches scheme – impact and effectiveness 
63. Have entities’ practices, including data security practices, changed due to the commencement of the NDB Scheme? 
64. Has the NDB Scheme raised awareness about the importance of effective data security? 65. Have there been any challenges complying with the data breach notification requirements of other frameworks (including other domestic and international frameworks) in addition to the NDB Scheme? 
 
Interaction between the Act and other regulatory schemes 
66. Should there continue to be separate privacy protections to address specific privacy risks and concerns? 
67. Is there a need for greater harmonisation of privacy protections under Commonwealth law? a. If so, is this need specific to certain types of personal information? 
68. Are the compliance obligations in certain sectors proportionate and appropriate to public expectations?

29 October 2020

Repair Right Inquiry

The Productivity Commission has today been tasked with an inquiry into the Right to Repair in Australia, something that impinges on consumer protection, patent and other law. 

The media release regarding the inquiry states 

 Background 

The term right to repair describes a consumer's ability to repair faulty goods, or access repair services, at a competitive price. This can relate to a range of product faults, including those for which the consumer is responsible. It may include a repair by a manufacturer, a third-party, or a self-repair option through available replacement parts and repair information. 

The Competition and Consumer Act 2010 (CCA) prohibits anti-competitive behaviour such as exclusive dealing (section 47); however, many right to repair issues are the result of conduct that is not being captured by the prohibition. In many cases, suppliers do not impose any such restrictions on consumers with respect to the repair of products they supply. Instead, consumers or third parties are prevented from being able to repair the products due to a lack of access to necessary tools, parts or diagnostic software. 

For these reasons; existing provisions amount to some limited rights or protections in relation to repair facilities in Australia, but do not amount to a full 'right to repair'. As such, premature product obsolescence and a lack of competition in repair markets remain. The expense of repair and product design accelerate the transfer of consumer goods into waste. 

Scope of the inquiry 

The Productivity Commission should examine the potential benefits and costs associated with 'right to repair' in the Australian context, including current and potential legislative, regulatory and non-regulatory frameworks and their impact on consumers' ability to repair products that develop faults or require maintenance. In examining the Australian context, the Productivity Commission should identify evidence of the impact of relevant international approaches. 

In undertaking the inquiry, the Commission should consider:

  • The legislative arrangements that govern repairs of goods and services, and whether regulatory barriers exist that prevent consumers from sourcing competitive repairs; 

  • The barriers and enablers to competition in repair markets, including analysing any manufacturer-imposed barriers, and the costs and benefits associated with broader application of regulated approaches to right of repair and facilitating legal access to embedded software in consumer and other goods; 

  • The impact of digital rights management on third-party repairers and consumers, and how intellectual property rights or commercially-sensitive knowledge would interact with a right to repair; 

  • The effectiveness of current arrangements for preventing premature or planned product obsolescence and the proliferation of e‑waste, and further means of reducing e‑waste through improved access to repairs and increased competition in repair markets; and 

  • The impact on market offerings, should firms have their control over repair removed.

Process 

In undertaking this inquiry, the Commission should consult broadly, including with state and territory consumer affairs regulators. The Commission should undertake an appropriate public consultation process including by holding public hearings, inviting public submissions and releasing a draft report to the public. A final report should be provided to the Government within 12 months of the receipt of these terms of reference.

Metadata Retention

The Parliamentary Joint Committee on Intelligence and Security report on metadata retention makes the following recommendations. The Committee is required by Section 187N of the Telecommunications (Interception and Access) Act 1979 (Cth) to review the mandatory data retention regime prescribed by Part 5-1A of that Act. 

R 1 Within 18 months from the date of the Committee’s report, the Committee recommends that the Department of Home Affairs prepare national guidelines on the operation of the mandatory data retention scheme by enforcement agencies. In general terms, the purpose of the national guidelines would be to ensure greater clarity, consistency and security in respect of requests for – and the collection and management of – telecommunications data by enforcement agencies across Australia.  

To that end, the national guidelines must be: consistent with the requirements of the Telecommunications (Interception and Access) Act 1979 and other relevant Commonwealth legislation (as amended in accordance with the other recommendations made by the Committee in this report); and adopted and followed by each enforcement agency. 

In developing the national guidelines, the Department of Home Affairs should meet and consult with (at a minimum):

  • the Privacy Commissioner; 

  • the Commonwealth Ombudsman; 

  • each criminal law-enforcement agency; 

  • industry representatives; 

  • the Law Council of Australia; and 

  • the Department of Infrastructure, Transport, Regional Development and Communications.

 Meeting is of course not the same as taking on board and giving effect to concerns.

The national guidelines should be made public (except to the extent they contain classified information, if any). 

R 2  The Committee recommends that the Telecommunication (Interception and Access) Act 1979 be amended to clearly define the term “content or substance of a communication” for the purpose of providing greater certainty and enhancing privacy protections. 

The Department of Home Affairs should, at a minimum, meet and consult with the following in seeking to develop this definition: the Communications Alliance and other industry representatives; the Commonwealth Ombudsman; the Inspector-General of Intelligence and Security; the Law Council of Australia; and the Privacy Commissioner. 

Moreover, in defining the term “content or substance of a communication”, Home Affairs should specifically consider whether some information that is currently treated as telecommunications data should now be regarded as content given what that information can reveal about an individual. 

R 3 The Committee recommends that Telecommunications (Interception and Access) Act 1979 be amended so that, if a provider discloses any of the information referred to in section 187A(4) of the Telecommunications (Interception and Access) Act to ASIO or a criminal law-enforcement agency, ASIO or the enforcement agency (as applicable) must: not use the information; immediately quarantine the information; notify the Commonwealth Ombudsman or the IGIS (as applicable) of the disclosure; and following consultation with the Ombudsman or the IGIS (as applicable), destroy the information. 

R 4  The Committee recommends that the data retention period be kept at two years. 

R 5  The Committee recommends that section 187A of the Telecommunication (Interception and Access) Act 1979 be amended to clarify that service providers are not required to store information generated by Internet of Things devices. 

R 6  The Committee recommends that the Telecommunication (Interception and Access) Act 1979 be amended to include the following additional reporting requirements:

  • the number of authorised officers in each enforcement agency and ASIO; 

  • the number of authorisations made by each authorised officer; 

  • the number of individuals that the authorisations by each enforcement agency and ASIO related to; and 

  • in respect of authorisations in relation to criminal investigations, the specific offence – or offences – that the authorisations related to. 

R 7 The Committee recommends that, in consultation with other stakeholders (agencies with access to the Mandatory Data Retention Regime, the Inspector General of Intelligence and Security, the Commonwealth Ombudsman and the Commonwealth Privacy Commissioner), the Department of Home Affairs should within 18 months of this report develop guidelines for data collection to be applied across the Mandatory Data Retention Regime and the most cost effective way to achieve the intended outcome of facilitating better oversight, including an ability for enforcement agencies and Home Affairs to produce reports to oversight agencies or Parliament when requested. As a minimum, any such report should include the following information (in respect of each occasion on which the powers in Chapter 4 of the Telecommunication (Interception and Access) Act 1979 were used):

  • the section of the Telecommunication (Interception and Access) Act 1979 used to access the data; the case number associated with the authorisation; 

  • the specific offence – or offences – that the investigation related to; 

  • if the authorisation related to a missing person case, the name of the missing person brief reasons why the authorised officer was satisfied that the disclosure was reasonably necessary; 

  • where the data related to a person who did not have an obvious relationship to a suspect in an investigation, brief reasons why the authorised officer was satisfied that any interference with the privacy of the person that may have resulted from the disclosure or use of the telecommunications data was justifiable and proportionate; 

  • the name(s) of the officers involved in the case; the name and appointment of the authorising officer; 

  • if the agency became aware that the carrier disclosed any of the information referred to in section 187A(4) and action taken.

Where practicable, the report should also include:

  • whether or not the data was used to rule someone out from an investigation; 

  • whether or not the person whose data was accessed was eventually charged, prosecuted and/or convicted of a crime; 

  • whether or not the data accessed eventually led to the charge, prosecution and/or conviction of another person for a crime; and 

  • the cost of the disclosure. 

For the Australian Security Intelligence Organisation, the additional record-keeping requirements should include:

  • the nature of the national security risk that led to the authorisation being given; and 

  • brief reasons why the authorised officer is satisfied that any interference with the privacy of the person that may result from the disclosure or use of the telecommunications data is justifiable and proportionate. 

R 8  The Committee recommends that section 306(5) of the Telecommunications Act 1997 be amended to require telecommunications service providers to keep detailed records of the kinds of information included in each disclosure of telecommunications data, including the types of telecommunications data that were disclosed. 

R 9  The Committee recommends that the Telecommunication (Interception and Access) Act 1979 be amended so that:

  • ASIO and enforcement agencies are required to retain telecommunications data for a prescribed minimum period to ensure that the Inspector-General of Intelligence and Security and the Commonwealth Ombudsman (as applicable) are able to perform their oversight functions; and 

  • Having satisfied the requirements of the Inspector-General of Intelligence and Security or the Commonwealth Ombudsman (as applicable) ASIO and enforcement agencies are required to delete telecommunications data as soon as practicable after the telecommunications data is no longer needed (e.g. in the case of an enforcement agency, after an investigation has concluded). 

R 10 The Committee recommends that the Telecommunication (Interception and Access) Act 1979 be amended so that: authorised officers may only make verbal authorisations for the disclosure of telecommunications data in emergency situations; and the record-keeping obligations that apply to written authorisations also apply to verbal authorisations except that: the written record must be made as soon as practicable after the making of the verbal authorisation; and for each verbal authorisation, the authorised officer must make a record of the reasons why the authorisation had to be made verbally. 

R 11  The Committee recommends that section 5AB of the Telecommunications (Interception and Access) Act 1979 be amended with a view to reducing the number of officers and officials of criminal law-enforcement agencies who may be designated as “authorised officers” and the circumstances in which those designations may be made. At a minimum:

  • only officers or officials who hold a supervisory role in the functional command chain should normally be capable of being designated as ‘authorised officers’; 

  • although other individuals who hold specific appointments – rather than entire classes of officers or officials – may be capable of being designated as ‘authorised officers’; 

  • in order to authorise an individual to be an authorised officer, the head of an enforcement agency must be satisfied that it is necessary for the individual to be an ‘authorised officer’ in order for the individual to carry out his or her normal duties; 

  • and prior to the head of an enforcement agency authorising an individual to be an ‘authorised officer’: the relevant senior officer or official must complete a compulsory training program in relation to Chapter 4 of the Telecommunications (Interception and Access) Act 1979

  • and the head of the enforcement agency must be satisfied that the senior or official has the requisite experience, knowledge and skills to exercise the powers under Chapter 4 of the Telecommunications (Interception and Access) Act 1979

R 12  The Committee recommends that section 180 of the Telecommunications (Interception and Access) Act be amended to specify when a revocation of an authorisation takes effect. 

R 13  The Committee recommends that section 178 amended and section 179 be repealed so that an authorised officer cannot make an authorisation for access to existing information or documents unless he or she is satisfied that the disclosure is reasonably necessary for: the investigation of: a serious offence; or an offence against a law of the Commonwealth, a State or a Territory that is punishable by imprisonment for at least 3 years. For the avoidance of doubt ‘serious offence’ is as defined in section 5D of the Telecommunications (Interception and Access) Act 1979

R 14  The Committee recommends that Division 3 of Part 4–1 of the Telecommunication (Interception and Access) Act 1979 be amended to: increase the threshold for ASIO to authorise the disclosure of telecommunications data so that it is consistent with the threshold for ASIO to intercept telecommunications or access stored communications under a telecommunications service warrant issued under Part 2-2 of the Act; and introduce a new provision, modelled on section 180F of the Telecommunications (Interception and Access) Act, requiring ASIO to consider privacy before making an authorisation. 

R 15  The Committee recommends that section 280(1)(b) of the Telecommunications Act 1997 be repealed. Moreover, the Committee recommends that the Government introduce any additional amendments to Commonwealth legislation that are necessary to ensure that: only ASIO and the agencies listed in section 110A of the Telecommunications (Interception and Access) Act 1979 be permitted to authorise the disclosure of telecommunications data; and those agencies can only access telecommunications data through Part 4–1 of the Telecommunications (Interception and Access) Act 1979 and through no other legal mechanism. 

R 16  The Committee recommends that sections 186 and 187P of the Telecommunication (Interception and Access) Act 1979 be amended so that: the Minister must complete the report(s) referred to in section 186(2) and 187P as soon as practicable and, in any event, within 3 months after each 30 June; and the Minister must cause a copy of the report(s) to be tabled in each House of the Parliament as soon as practicable and, in any event, within 15 sitting days after the date on which the report is completed. 

R 17  The Committee recommends that state and territory criminal law-enforcement agencies under section 110A be prescribed as ‘organisations’ under section 6F of the Privacy Act 1988  in relation to their collection and use of telecommunications data for the purposes of the Notifiable Data Breach regime. 

R 18  The Committee recommends that section182(2) of the Telecommunications (Interception and Access) Act 1979 Act be amended in line with section 68(d) for the consideration of the communication of telecommunications data for disciplinary action and termination of employment. 

R 19  The Committee recommends that section 29 of the Australian Information Commissioner Act, and any other statutes that apply similar constraints on information sharing by relevant oversight agencies, be amended so that agencies that have an oversight function in respect of the mandatory data retention regime are able to share intelligence on matters of regulatory concern where there is a public interest in doing so. 

R 20  The Committee recommends that the Intelligence Services Act 2001 and the Telecommunications (Interception and Access) Act 1979 be amended so that the Committee may commence a review of the mandatory data retention scheme by June 2025.  

R 21 The Committee recommends that Division 1 of Part 5-1A of the Telecommunications (Interception and Access) Act 1979 be amended to require service providers to store information of the kind specified in or under section 187AA, or documents containing information of that kind, on servers located in Australia unless specifically exempted. 

R 22  The Committee recommends that: agencies that have access to telecommunications data should develop minimum standards for the security of telecommunications data held within their control or premises; and, entities subject to telecommunications data retention requirements under the Telecommunications (Interception and Access) Act should be required to demonstrate to the Australian Communications and Media Authority that they have met minimum standards for ensuring the security of retained data: these minimum standards, applying to entities subject to telecommunications data retention requirements should be developed by the Australian Communications and Media Authority.

Interference

Third Oxford Statement on International Law Protections Against Foreign Electoral Interference through Digital Means articulates 

a short list of consensus protections that apply under existing international law to foreign cyberoperations with adverse consequences on electoral processes, such as balloting, verifying, and providing electorates with procedural information about how to participate in an electoral process and substantive information related to that process. The Statement enumerates a range of duties of states: negative duties – to refrain from conducting cyber operations that have adverse consequences for electoral processes in other states, and not to render assistance to such operations, – as well as positive requirements of due diligence, and duties to protect and ensure the integrity of their own electoral processes from interference by other states.   ... 

Use of digital means to disrupt or undermine elections and to interfere with a population’s right to govern itself strikes at the very core of democracy. This Statement makes clear that international law addresses and forbids such brazen assaults on the rule of law, and states should refer explicitly to such law when speaking about election interference. 

The Statement reads

 We, the undersigned public international lawyers, have watched with growing concern reports of cyber incidents targeting electoral processes around the world, including allegations of foreign state and state-sponsored interference. We also note that the COVID-19 pandemic raises additional challenges to ensuring the integrity of such processes. 

Whereas: 

Two prior Oxford Statements have described the rules and principles of international law governing cyber operations that threaten two areas of pressing global importance, namely the safeguarding of the health care sector and global vaccine research; 

International law protects electoral processes, and efforts to interfere, including by digital means, with a state’s choice of its political leaders or other matters on which it has free choice contravene basic principles of the international order; 

The Charter of the United Nations (UN) establishes sovereign equality and each state’s political independence as bedrock elements of the international system; the UN General Assembly has affirmed that no state “has the right to intervene directly or indirectly, for any reason whatever, in the internal or external affairs of any other state”; and the International Court of Justice has held that every sovereign State has the right “to conduct its affairs without outside interference”; 

Article 25 of the International Covenant on Civil and Political Rights declares that “[e]very citizen shall have the right and the opportunity, without … unreasonable restrictions [t]o take part in the conduct of public affairs, directly or through freely chosen representatives; [t]o vote and to be elected at genuine periodic elections which shall be by universal and equal suffrage and shall be held by secret ballot, guaranteeing the free expression of the will of the electors”; electoral interference can infringe human rights protected under the International Covenant on Civil and Political Rights, the African Charter on Human and Peoples’ Rights, the American Convention on Human Rights, and the European Convention on Human Rights; 

Other international instruments, such as the Paris Call for Trust and Security in Cyberspace (2018), have called on all stakeholders to “[s]trengthen their capacity to prevent malign interference by foreign actors aimed at undermining electoral processes through malicious cyber activities”; 

All efforts by states and others to prevent such malign interferences should be consistent with international law; 

The International Law Commission’s 2001 Articles on State Responsibility establish that a state is responsible for the conduct of its organs or officials, as well as for conduct carried out by persons or groups acting on the instructions of, or under the direction or control of, the state; 

In line with the UN Guiding Principles on Business and Human Rights, online intermediaries and digital media companies should “conduct due diligence to ensure that their products, policies and practices … do not interfere with human rights”, as recognised in the April 2020 Joint Declaration on Freedom of Expression and Elections in the Digital Age, adopted by the UN Special Rapporteur on Freedom of Opinion and Expression, the OSCE Representative on Freedom of the Media, and OAS Special Rapporteur on Freedom of Expression. 

As states and other stakeholders learn more about the ways in which foreign cyber actions can adversely affect domestic electoral processes and how best to address such harms, international law can be further clarified and strengthened by state practice that becomes accepted as customary international law. 

We affirm that all states are bound to act in accordance with the rules and principles identified below. 

Applicability 

1. International law applies to cyber operations by states, including those that have adverse consequences for the electoral processes of other states. 

a. “Electoral processes” refer but are not limited to processes for selecting or electing individuals for public office, referenda, and plebiscites. These include:

i. Balloting: registering, casting, tabulating, or assuring the integrity of a ballot including voter registries, ballot security and integrity protocols, voting machines, and paper ballots; 

ii. Verifying: systems used for reporting, recording, verifying and auditing votes and results of an election; 

iii. Informing: public or private systems that provide an electorate with procedural information about how to participate in an electoral process, as well as substantive information, of whatever origin, related to an electoral process, including information on individuals or groups participating in electoral processes, such as candidates for elective office, political parties, or organizations. 

b. Adverse consequences, in the electoral context, include actions, processes or events that intervene in the conduct of an electoral process or undermine public confidence in the official results or the process itself. These actions include but are not limited to intrusions into digital systems or networks that cast doubt on the integrity of election data, such as votes and voter registers, as well as cyber operations against individuals and entities involved in the election. 

Duty to Refrain 

2. A state must refrain from conducting, authorising or endorsing cyber operations that have adverse consequences for electoral processes in other states. States must refrain from, inter alia

a. Interfering, by digital or other means, with electoral processes with respect to balloting or verifying the results of an election; 

b. Conducting cyber operations that adversely impact the electorate’s ability to participate in electoral processes, to obtain public, accurate and timely information thereon, or that undermine public confidence in the integrity of electoral processes. 

c. Conducting operations that violate the right to privacy, freedom of expression, thought, association, and participation in electoral processes. 

Duty Not to Render Assistance 

3. A state must not render assistance to cyber operations that it knows will likely have adverse consequences for electoral processes in other states. 

Due Diligence 

4 a. When a state is or should be aware of a cyber operation that emanates from its territory or infrastructure under its jurisdiction or control, and which may have adverse consequences for electoral processes abroad, that state must take all feasible measures to prevent, stop and mitigate any harms threatened or generated by the operation. 

b. To discharge this obligation, states may, to the extent feasible, be required to, inter alia, investigate, prosecute or sanction those responsible, take measures to prevent or thwart operations spreading misleading or inaccurate information, and/or assist and cooperate with other states in preventing, ending, or mitigating the adverse consequences of foreign cyber operations affecting electoral processes. 

c. The measures taken to discharge a state’s obligations should be carried out in full compliance with other rules of international law. 

Obligation to Protect Against Foreign Electoral Interference 

5. States have an obligation to protect and ensure the integrity of their own electoral processes against interference by other states. To discharge this obligation, states may be required to put in place electoral security measures, such as legislation and backup systems, as well as to secure the availability of public, timely and accurate information on electoral processes. Any restrictive measures taken by states that interfere with human rights must be in accordance with applicable legal requirements, such as legitimate purpose, legality, necessity, proportionality and non-discrimination. 

6. These rules and principles are without prejudice to other applicable international rules and ongoing processes. 

27 October 2020

Legal Privilege

In Commissioner of Police v Barbaro [2020] QCA 230  Sofronoff P and Philippides and Mullins JJA have found, in the specific circumstances, that an assertion that some communications on a mobile phone are protected by legal privilege constitutes a reasonable excuse not to comply with a search warrant requiring the subject to give the PIN to police. 

The judgment states 

[1]  On 22 May 2018 police obtained a warrant from a magistrate to search certain premises on the Gold Coast. The warrant asserted the commission of certain offences by the respondent authorised a police officer to “seize a thing found at the relevant place ... that the police officer reasonably suspects may be warrant evidence or property to which the warrant relates”, which included “mobile phones”. The warrant also expressly required the specified person to allow a police officer to “examine the stored information to find out whether it may be evidence of the commission of an offence” and to copy such information. 

[2] Section 154(1) of the Police Powers and Responsibilities Act 2000 (Qld) provides that a magistrate who issues a search warrant may order a “specified person” to “give a police officer access to ... the access information ... necessary for the police officer to be able to use the storage device to gain access to stored information that is accessible only by using the access information”. Section 150AA of the Act defines the term “storage device” to include a “device on which information may be stored electronically”. A mobile phone is such a device. The same section defines “access information” to mean information that is necessary for a person to access and read information stored electronically on a storage device. That definition applies to a password that permits access to the content of a mobile phone. Section 156(3) of the Act provides that a warrant that contains an order to furnish access information must state that a failure, without reasonable excuse, to comply with the order may be dealt with under s 205A of the Criminal Code (Qld). That provision of the Code makes it an offence for a person to contravene an order made under s 154(1) of the Act. 

[3] The two parts of the warrant, namely the express order to give access information and the warning that a failure to give the information without a reasonable excuse may result in a charge being laid alleging the commission of an offence against s 205A of the Code, have to be read together. The result of such a reading is that the order is one which requires a person to furnish access information unless the person has a reasonable excuse to refuse to do so. 

[4] Police executed the warrant at the relevant premises on 24 May 2018 and found a mobile phone that belonged to the respondent. A police officer ordered the respondent to reveal the PIN that would unlock it. It is common ground that the respondent was a “specified person” to whom such an order could be given and that the respondent was obliged to give the information unless he had a reasonable excuse for refusing and that, if he refused without a reasonable excuse, he would be guilty of an offence under s 205A of the Code. The respondent refused to give the information and, accordingly, he was charged. 

[5] At the trial in the Magistrates Court, the prosecution led evidence to prove the facts set out above, none of which was disputed. The respondent gave evidence. He said that the reason he had refused to reveal the password was that he had been in the habit of using the phone to communicate with his solicitor by using various text messaging systems on his phone. The phone contained numerous privileged written communications between the respondent and his solicitor and he did not wish police to read these messages. This evidence was not challenged. The respondent claimed at his trial that his right to protect privileged information constituted a reasonable excuse for his refusal. For reasons that it is unnecessary to detail, the learned Magistrate rejected this defence and found the respondent guilty. 

[6] The respondent appealed to the District Court and Kent QC DCJ upheld his appeal. In substance the respondent submitted, and Kent QC DCJ accepted, that he was entitled to maintain his privilege against disclosure of certain of the information even if other information contained on the phone was not privileged and this claim constituted a reasonable excuse for his refusal. His Honour set aside the conviction. 

[7] The Commissioner of Police has applied for leave to appeal against that decision. She submitted that leave to appeal should be granted because the appeal would raise an important question of law. That submission should be accepted and leave to appeal should be granted. 

[8] As the appellant has framed her case, the question in this appeal is whether, as a matter of law, the respondent’s asserted reason for refusing to give up his password was capable of constituting a reasonable excuse. The Commissioner submitted that Kent QC DCJ failed to take into account that legal professional privilege could not have attached to all the information stored on the phone. In her written submissions, the Commissioner submitted that unless the respondent was able to claim that all of the information on the phone was privileged, “the dominant purpose test cannot be satisfied and the privilege cannot be relied on to prevent a compulsory process for the obtaining of evidence” (italics in the original). The Commissioner pointed out, correctly, that the respondent’s claim did not go so far as to assert that all the information on the phone was privileged nor did his evidence identify the documents over which he claimed privilege.  ... It was submitted that because privilege could not attach to all of the documents on the phone it followed that a claim of privilege could not be relied upon as a reasonable excuse to refuse to disclose the password. 

The QCA did not accept those submissions, stating 

[10] It has been established that legal professional privilege is a rule of substantive law which may be availed of by a person to resist the giving of information or the production of documents which would reveal communications between a client and his or her lawyer made for the dominant purpose of giving or obtaining legal advice. The right to refuse to disclose information extends to a right to resist giving information required by a search warrant. 

[11] Three things can be said about the expression “reasonable excuse”. First, the word “reasonable” connotes that the excuse must be objectively reasonable. Second, whether something is “reasonable” will depend not only upon the particular facts of the case but also upon the statutory context in which the word appears. Third, although it need not be the only reason, the asserted reasonable excuse must actually be a person’s reason for withholding the access information. 

[12] In this case the word appears in a search warrant pursuant to which police were endeavouring to obtain evidence, including in the form of written information, that might tend to prove the commission of offences by the respondent. The mobile phone in this case was one of the kinds of things expressly referred to in the warrant as a “storage device” that might contain “stored information” and the warrant expressly empowered a police officer to look at that information “to find out whether it may be evidence of the commission of an offence”. In this way, the service of the warrant upon the respondent, the seizure of his phone and the demand for the password that would unlock the phone constituted an unmistakeable assertion by police that they intended to read the information contained on the phone including any privileged information as soon as that was practicable. ... 

[14] In this case the demand made of the respondent to reveal the password that would unlock his phone was made in terms that did not suggest that police accepted any limitation upon their powers of inspection of documents that they found on the phone. Police were asserting a right to read every document on the phone. 

[15] The context in which the words “reasonable excuse” appear in this case is of significance to the result of the appeal. The words appear in the warrant because a statute required that they be used to qualify the otherwise absolute terms of the obligation of disclosure that the warrant imposed upon the respondent. This search warrant was part of the investigative pre-trial process of the criminal law, the function of which is to authorise the seizure of material that will implicate a person in the commission of an offence. This is a process that is intended to yield evidence which can be tendered by the prosecution to obtain a conviction. Undoubtedly, some of the best evidence of that kind might well be found in what an alleged offender has confided to a lawyer. Yet such material is held to be immune from disclosure because the ability of a client to confide freely in a lawyer is regarded by the law as indispensable to the functioning of our legal system. It is in the public interest that candid communications be permitted between lawyers and their clients and it is for this reason that privileged communications are protected against disclosure. Indeed, so important is this principle that the improper disclosure of communications that are the subject of privilege might even result in criminal proceedings being stayed. 

[16] The appellant’s submissions, that the respondent did not go so far as to claim that every piece of information on the phone was privileged, thereby failing to satisfy the dominant purpose test, and that the respondent failed to identify the privileged documents, are beside the point. 

[17] The dominant purpose test established by Esso Australia Resources Ltd v Federal Commissioner of Taxation is concerned with the question whether legal professional privilege attaches or does not attach to a particular piece of information. It is irrelevant to this case because the existence of privilege over at least some of the documents on the phone has been accepted. .... 

[18] In this case, for the reasons given, the respondent was faced with an apparent demand by police for access to the contents of his phone, which, so far as one could tell by their actions, the police officers intended to read as soon as was practicable. Disclosure of the password would have meant putting police officers in an immediate position to read the privileged information. The only way to protect the confidentiality of the privileged information was for the respondent to deny access to the phone. The warrant was sufficient authority for police to take the phone away in order to preserve any evidence that might be on the phone so there was no risk that evidence might be lost. There were no extraneous factors that might have rendered his refusal, at that time, unreasonable.

Importantly 

[19] That is not to say that the result will always be the same when police require access information to enable them to examine the contents of a mobile phone. It will not always be a reasonable excuse to refuse to disclose access information just because the phone contains privileged information. Everything will depend upon the circumstances. Police remain free to seize a phone, provided the warrant authorises such seizure, and the presence of privileged information on a phone may cease to constitute a reasonable excuse if circumstances change, such as the making of adequate arrangements to ensure that their search of the phone is done in a way that does not involve breaching privilege. In any case, it will be for the person claiming the excuse to establish the claim for privilege if the claim is contested. The respondent did so here.