In March 2020, the Australian Federal Government introduced the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (Telecommunications Bill). The Telecommunications Bill expands Australia’s current national security laws by amending the current Telecommunications (Interception and Access) Act 1979 (Cth) to create a new framework that enables certain Australian agencies to access overseas communications data to assist international crime cooperation efforts.

However, a recent parliamentary inquiry conducted by the  Parliamentary Joint Committee on Intelligence and Security (Committee) has called for additional safeguards to be  incorporated into the Bill.

  1. Summary of the Telecommunications Bill

The policy objectives of the Telecommunications Bill are to streamline cross border and reciprocal access to electronic information and communications data to combat serious crime and terrorism. On that basis, the Telecommunications Bill enables relevant Australian agencies, such as law enforcement and national security agencies to seek orders for:

  • domestic interception;
  • stored communications; and/or
  • telecommunications data.

In order to access data held overseas, an Australian agency is required to first request an ‘international production order’ (IPO) from an ‘issuing authority’, who for the purposes of the Bill is any person appointed by the Attorney General such as a judge or magistrate. Importantly, IPOs must only be made:

  • for the purposes of enforcing the criminal law, to monitor a person subject to a control order, or to uphold Australia’s national security; and
  • where a ‘designated international agreement’ is in place. A designated international agreement is an agreement which Australia is a party to, and which is specifically listed in regulations made under the Bill.

If the issuing authority is satisfied that the IPO meets the relevant criteria in the Telecommunications Bill , it issues the IPO. The Attorney General’s Department (ADG) must then consider whether the IPO complies with the terms of the designated international agreement nominated in the IPO. If it is satisfied that the order complies, the ADG then gives a copy of the order to the foreign based communications provider which holds the requested data.

The Telecommunications Bill also enables a competent authority of a foreign country with which Australia has a designated international agreement to issue an IPO or make a request for access to data directly to an Australian service provider.

  1. Summary of Recommendations

The Committee has made a total of 24 recommendations in relation to the Telecommunications Bill . The recommendations include:

  • that the Bill stipulate that designated international agreements must, amongst a series of other requirements, prohibit the counter party foreign government from intentionally targeting:
    • an Australian citizen or permanent resident; and
    • a non- Australian person located outside of Australia if the purpose is to obtain information about an Australian citizen or permanent resident.
  • That the Bill clearly stipulates that an incoming international production order i.e. from a foreign entity, must only be issued for the purpose of obtaining information relating to the prevention, detection, investigation or prosecution of serious crime, including terrorism.
  • That the Bill be amended to ensure that a country seeking to enter into a designated international agreement with Australia must:
    • demonstrate respect for the rule of law and the principles of equality and non-discrimination;
    • demonstrate respect for applicable international human rights obligations and commitments; and
    • have clear legal procedures and restrictions governing the use of electronic surveillance investigatory powers.
  1. International Implications

While the Telecommunications Bill intends to enhance Australian law enforcement operations, if implemented, it may have consequences for any decision made by the European (EU) Commission as to whether Australia has an adequate level of data protection comparable to the EU General Data Protection Regulation (GDPR).

The recent decision of the Court of Justice of the European Union (CJEU) in Case C-311/18 (Schrems II) led to a ruling that the EU-US Privacy Shield framework which governed data transfers between the EU and US was invalid, largely due to the lack of safeguards around the personal data of EU subjects once it was transferred to the US, and the lack of judicial protection against US surveillance programs. The decision ultimately means it is unclear what level of national security surveillance is compatible with the GDPR, meaning that if adopted, the Bill itself may potentially push Australia further away from an ‘adequacy’ decision.

In addition, the adoption of the Telecommunications Bill could potentially affect the ability of Australian organisations to rely on the EU’s Standard Contractual Clauses (SCCs), which are commonly used to facilitate cross-border data transfers pursuant to the GDPR. On 4 June 2021, the EU Commission introduced new SCCs, which impose a series of obligations on both the ‘controller’ and ‘processor’ of personal information when such personal information is accessed by public authorities. Importantly, the new SCCs cannot be adopted where a third party country outside the EU is involved in the processing of data and its laws and practices prevent the data importer from complying with its obligations under the SCCs.

  1. What’s next?

Adopting the 24 recommendations made by the Committee would ensure that the Telecommunications Bill appropriately achieves its intended aims of providing significant assistance to agencies to investigate and prosecute serious crimes, monitor compliance with control orders, and to maintain Australia’s overall national security. However, the Telecommunications Bill is likely to affect any determination made by the EU Commission as to whether or not Australia has an adequate level of data protection on par with the GDPR, and it may also affect the ability of Australian organisations to comply with the newly introduced SCCs. We anticipate that the Government will continue to work closely with community, industry and law enforcement stakeholders as it considers whether or not to implement the Committee’s recommendations.

For more information, get in touch with us today.

This article was originally published on OneTrust and is available here