The Reform of Australia’s electronic surveillance framework Discussion Paper from Home Affairs - over 110 pages of detail - identifies a large-scale "reform project" that
aims to repeal the TIA Act, SD Act and relevant parts of the ASIO Act, and replace the current patchwork of laws with a single, streamlined and technology- neutral Act.3 Developing the new framework will be the most significant reform to Australia’s national security laws in more than four decades.
The paper doesn't refer to the Office of the Australian Information Commissioner. It features the following questions, picking up the Richardson inquiry into national security noted elsewhere in this blog.
Part 1: Who can access information under the new framework?
1. Do the existing prohibitions and offences against unlawful access to information and data adequately protect privacy in the modern day?
a) If so, which aspects are working well?
b) If not, which aspects are not working well and how could the new prohibition and/ or offences be crafted to ensure that information and data is adequately protected?
2. Do the existing prohibitions and offences against unlawful access to information and data adequately allow the pursuit of other objectives of societal benefit, e.g. cyber security of networks, online safety, scam protection/reduction?
3. Are there any additional agencies you consider should have powers to access particular information and data to perform their functions? If so, which agencies, and why?
4. Do you agree with the proposed considerations for determining whether additional agencies should be permitted to access peoples’ information and data? Are there any additional considerations that have not been outlined above?
Part 2: What information can be accessed?
5. Are there other kinds of information that should be captured by the new definition of ‘communication’? If so, what are they?
6. Are there other key concepts in the existing framework that require updating to improve clarity? If so, what are they?
7. How could the framework best account for emerging technologies, such as artificial intelligence and information derived from quantum computing?
8. What kinds of information should be defined as ‘content’ information? What kinds of information should be defined as ‘non-content’ information? Is there a quantity at which non-content information becomes content information and what kinds of information would this apply to?
9. Would adopting a definition of ‘content’ similar to the UK be appropriate, or have any other countries adopted definitions which achieve the desired outcome?
10. Are there benefits to distinguishing between different kinds of non-content information? Are there particular kinds of non-content information that are more or less sensitive than others?
11. Should the distinction between ‘live’ and ‘stored’ communications be maintained in the new framework?
12. Do each of these kinds of information involve the same intrusion into privacy? Or should the impact of each be considered differently?
13. What type of Australian communications providers should have obligations to protect and retain information, and comply with warrants, authorisations and assistance orders under the new framework?
14. What are your thoughts on the above proposed approach? In particular, how do you think the information captured by surveillance and tracking devices could be explained or defined?
Part 3: How can information be accessed?
15. How could the current warrant framework be simplified to reflect the functional equivalency of many of the existing warrants while ensuring appropriate privacy protections are maintained?
16. What other options could be pursued to simplify the warrant framework for agencies and oversight bodies, while also enabling the framework to withstand rapid technological change?
Part 4: When will information be accessed?
17. Is it appropriate to harmonise legislative thresholds (as outlinedabove)forcovert access to private communications, content data and surveillance information where existing warrants are functionally equivalent?
18. Are there any other changes that should be made to the framework for accessing this type of data?
19. What are your views on the proposed thresholds in relation to access to information about a person’s location or movements?
20. What are your views on the proposed framework requiring warrants and authorisations to be targeted at a person in the first instance (with exceptions for objects and premises where required)?
21. Is the proposed additional warrant threshold for third parties appropriate?
22. Is the proposed additional threshold for group warrants appropriate?
23. What are your views on the above proposed approach? And are there any other matters that should be considered by an issuing authority when considering necessity and proportionality?
24. Should magistrates, judges and/or AAT members continue to issue warrants for law enforcement agencies seeking access to this information?
25. What are your thoughts on the proposed principles-based, tiered approach to use and disclosure?
26. When should agencies be required to destroy information obtained under a warrant?
27. What are your thoughts on the proposed approach to emergency authorisations?
Part 5: Safeguards and oversight
28. Are there any additional safeguards that should be considered in the new framework?
29. Is there a need for statutory protections for legally privileged information (and possibly other sensitive information, such as health information)?
30. What are the expectations of the public and industry in relation to oversight of these powers, and how can a new oversight framework be designed to meet those expectations?
31. What, if any, changes are required to the scope, role and powers of the Commonwealth Ombudsman to ensure effective oversight of law enforcement agencies’ use of powers in the new framework?
32. How could the new framework streamline the existing record-keeping and reporting obligations to ensure effective and meaningful oversight?
33. Are there any additional reporting or record-keeping requirements should agencies have to improve transparency, accountability and oversight?
Part 6: Working together: Industry and Government
34. How workable is the current framework for providers, including the ability to comply with Government requests?
35. How could the new framework reduce the burden on industry while also ensuring agencies are able to effectively execute warrants to obtain electronic surveillance information?
36. How could the new framework be designed to ensure that agencies and industry are able to work together in a more streamlined way?
Part 7: Interaction with existing and recent legislation and reviews
37. Do you have views on how the framework could best implement the recommendations of these reviews? In particular:
a) What data generated by ‘Internet of Things’ and other devices should or should not be retained by providers?
b) Are there additional records that agencies should be required to keep or matters that agencies should be required to report on in relation to data retention and to warrants obtained in relation to journalists or media organisations? How can any new reporting requirements be balanced against the need to ensure sensitive law enforcement or security investigations and capabilities are not compromised or revealed?
c) Is it appropriate that the Public Interest Advocate framework is expanded only in relation to journalists and media organisations?
d) What would be the impact on reducing the number of officers who may be designated as ‘authorised officers’ for the purposes of authorising the disclosure of telecommunications data?