Joe Ludwig (Queensland, Australian Labor Party, Minister for Agriculture, Fisheries and Forestry) Share this | Hansard source

I would like to thank those senators that contributed to the debate on the Cybercrime Legislation Amendment Bill 2011. Senator Brandis asked about the government's response to the report of the Joint Select Committee on Cybersafety and the committee's recommendation 13 about industry costs. The government intends to respond to the committee's report before the Senate today. Regarding recommendation 13, the Attorney-General's Department has been in ongoing discussions with industry who will, as I understand it, support the amendments.

Senator Ludlam did ask a few questions in his contribution that I am happy to address through the second reading debate. This will not diminish the opportunity for the senator to raise questions during the committee stage. The senator spoke at some length about why this bill is being debated in the parliament before the Parliamentary Joint Committee on Intelligence Security concludes its report into potential reforms of Australia's national security legislation. As the senator understands, Australia's intention is to accede to the cybercrime convention. It was announced long before the inquiry even commenced. Three inquiries have now been held relating to Australia's accession to the cybercrime convention and all have supported that accession. The focus of this bill is on international cooperation between our law enforcement agencies, whereas the focus of the inquiry by the PJCIS is on domestic capabilities, including data retention, telecommunications sector security reform and ASIO's capabilities. On the topic of data retention, the senator continues to refer to the data retention proposal, which is not included in this bill. This bill allows for preservation of targeted communication to ensure that information relevant to a specific investigation is not lost as a consequence of normal deletion purposes. Those communications can only ever be accessed under a warrant.

Senator Ludlam questioned whether the bill changed the bar for interception warrants from an offence punishable by seven years to an offence punishable by three years, and it does not. The bill does not relate to interception; it is about stored communication and telecommunications data. Finally to the issue of costs, which Senator Ludlam referred to as 'a great big new tax on telecommunications': the fact is that the cost is borne by law enforcement agencies under cost recovery arrangements with telecommunications providers. It is not borne by the user.

As I understand it, Senator Mason commented on the potential privacy impacts of this bill. Importantly, the cybercrime convention includes explicit protections of human rights which will bind Australia after accession. Further, the bill adopts the privacy protections that exist in current legislation.

The government does share Senator Xenophon's concerns about the safety of children online. The Carly Ryan case is truly tragic. While this bill is not the right vehicle for the senator's proposals, it will assist police in Australia and internationally to investigate these heinous crimes. I note that additional matters have been raised in relation to this bill in committee hearings. Many of the obligations in the Council of Europe Convention on Cybercrime are already provided for in Australian law. The bill amends several acts to ensure that Australia fully complies with the convention. Cybercrime has already overtaken the drug trade as the most profitable form of crime in the world. With Australian families, businesses and government conducting more and more activities online, it is necessary that Australia take further action against cybercrime to protect Australians. The cybercrime convention is the only binding international treaty on cybercrime, setting out the procedures that support cooperation amongst its signatories. By acceding to the convention, Australian law enforcement agencies will be able to access and share information necessary to support local and international cybercrime investigations. This will mark a significant step forward in our efforts to address the growing threat to the Australian community posed by cybercrime and the need to protect the community from internet abuses.

For cybercriminals, our accession to the convention will mean that there are fewer places to hide. The bill has been considered by the Joint Select Committee on Cyber-Safety, which reported to parliament on 18 August 2011. I would like to take this opportunity of thanking committee members for their detailed work on this bill. The government, in its response to the committee's report, has closely considered the committee's recommendations. As the bill builds upon existing laws about telecommunications, privacy and cooperation with foreign countries, many of the issues raised in the committee's report have already been addressed. Other areas where the bill can be strengthened will be addressed through the government's amendments that will be moved during the committee stage of the bill.

The government agrees with the committee’s first recommendation—that the threshold for the issue of a stored communications warrant for both foreign and domestic offences should be the same. As the bill already requires that the threshold for both foreign and domestic offences be three years imprisonment or 900 penalty units, no amendment is needed.

Recommendation 2 requires the Attorney-General to investigate whether the proposed new Part IIIA of the Mutual Assistance in Criminal Matters Act 1987 prevents stored communications warrants being available to foreign countries for investigations into child sexual exploitation. The Attorney-General’s Department has not identified any child exploitation offences with a penalty of less than three years imprisonment, meaning no amendments are needed to address this recommendation.

Recommendation 3 is that the Mutual Assistance in Criminal Matters Act be changed to allow Australia to reject a foreign country’s request for information if that country’s laws about protecting personal information are not substantially similar to Australia’s laws.    As the bill retains all of the existing privacy protections in relation to accessing information at the request of a foreign country, no amendment is needed. Where new access procedures are provided, they include their own additional protections.

The government agrees with recommendation 4—that requirements to assess privacy impacts should be clearer and more accessible. The government will move amendments to provide detailed guidance to authorised officers about the particulars of weighing and balancing privacy impacts to ensure that privacy considerations are taken into account for every disclosure of telecommunications data.

Recommendation 5 requires that the bill be amended to ensure that, in determining whether a disclosure of telecommunications data to a foreign country is appropriate in all the circumstances, the authorising officer must give consideration to the grounds for refusal under the Mutual Assistance in Criminal Matters Act. The government accepts this recommendation in principle, but notes that the bill in fact only allows disclosure of historical telecommunications data on a police-to-police basis. Disclosure of stored communications or prospective telecommunications data can only occur in response to a mutual assistance request. This means the provision of historical telecommunications data will be subject to the protections in the bill as well as the AFP’s national guidelines on the disclosure of information. The government believes that this strikes the right balance in providing adequate protection while ensuring that procedures are flexible and responsive.

The government agrees with the committee’s concerns in recommendation 6 that sufficient protection must apply in cases where providing documents or information could relate to a case that may attract the death penalty. The AFP’s existing guidelines address this issue, detailing an accountable process that must be followed when the AFP is considering authorising the provision of police-to-police assistance to foreign countries. In circumstances where a person has been arrested, detained or charged with or convicted of an offence for which the death penalty may be imposed in a foreign country, only the Attorney-General or the Minister for Home Affairs and Minister for Justice may approve the exchange of information on a police-to-police basis. The guidelines also expressly require senior AFP management to consider prescribed factors before providing assistance in any matters which raise death penalty implications.

The committee’s seventh recommendation is that the bill be amended to elaborate the conditions of disclosure of historical and existing telecommunications data to foreign countries, including in relation to retention and destruction of the information and an express prohibition on any secondary use by the foreign country. The government accepts the committee’s recommendation. The bill currently requires that telecommunications data be provided to foreign countries on the condition that the information is only used for the purpose for which it was requested and that documents are destroyed when no longer required for those purposes. The AFP has memoranda of understanding with various foreign law enforcement agencies regarding compliance with caveats placed on disclosed information. However, due to the nature of international relations, Australia cannot criminalise or audit how foreign countries deal with information.

Recommendation 8 is that the Attorney-General investigate the desirability and practicality of a legislative requirement for data subjects to be advised that their communications have been subject to an intercept, stored communications warrant, or telecommunications data disclosure under the Telecommunications (Interception) Act once that advice can be given without prejudice to an investigation. The government notes this recommendation. In May the government referred a package of possible national security reforms to the Parliamentary Joint Committee on Intelligence and Security. The inquiry, which is open to the public, is considering many aspects of the interception regime, including the relevance of the regime’s privacy parameters in the contemporary communications environment.

The committee’s ninth recommendation is that the bill be amended to provide that the Australian Federal Police report to the minister on: (1) the number of authorisations for disclosure of telecommunications data to a foreign country; (2) the specific foreign countries that have received data; (3) the number of disclosures made to each of the identified countries; and (4) any evidence that disclosed data has been passed on to a third party or parties.

The government has closely considered this recommendation and agrees that there is merit in strengthening the reporting requirements. Accordingly, the proposed government amendments will require the head of the AFP to give the minister an annual report that includes the number of disclosures made to each country. Recommendation 10 is that the Attorney-General consult initially with the telecommunications industry and, then, with relevant ministers, statutory bodies, and public interest groups to clarify and agree on the data handling and protection obligations of carriers and carriage service providers.

The government accepts this recommendation in part. Secure management and storage of information is a key component of ensuring that information collected under the interception act is of an evidential standard. The Attorney-General, her department and agencies are in constant dialogue with carriers about maintaining these standards. It should be noted that the carriers who will be served requests to preserve information are all bound by the provisions of the Privacy Act 1998. The public and interest groups will have an opportunity to contribute to the PJCIS inquiry. The terms of reference referred to the PJCIS include the role of the communications industry in relation to both the interception regime and national security more generally.

Recommendation 11 is that the bill be amended to require carriers and carriage service providers to destroy preserved and stored communications and telecommunications data or a record of that information when that information or record is no longer required for a purpose under the interception act, unless it is required for another legitimate business purpose. The government agrees with this recommendation but notes that the Privacy Act already requires private sector organisations to delete information they have collected in the course of their business once that purpose no longer applies.

Recommendation 12 is that the exemption of small internet service providers from the Privacy Act as small businesses be reviewed by the Attorney-General with a view to removing the exemption. The government notes the committee’s concerns about this issue, and notes that it is relevant to the Australian Law Reform Commission’s recommendation in its 2008 report on privacy that the general small business exemption in the Privacy Act be removed. The government will, therefore, consider the committee’s recommendation as part of the response to the ALRC’s recommendation. That will occur in due course after the current reforms in the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 have been progressed.

The committee’s final recommendation is that the Attorney-General’s Department consult widely with carriers and carriage service providers to ensure that the bill, when enacted, can be implemented in a timely and efficient manner. The government consults with industry on a regular basis and recognises the importance of ongoing consultation with carriers regarding legislative obligations under the interception act. Carriers currently assist agencies by preserving stored communications pursuant to general obligations in the Telecommunications Act. This bill makes the current arrangements explicit in order to facilitate accession to the cybercrime convention. The government recognises that, from time to time, new technologies will emerge that may impact on compliance. Where that occurs, agencies will work with industry, as they have in the past, to transition in an orderly, cost-effective and constructive way. To further facilitate implementation, the government will move government amendments to the bill to delay the commencement of the provisions requiring compliance with ongoing preservation notices from 28 days after royal assent to 90 days after royal assent.

The bill as introduced, amends the Telecommunications Act, the Mutual Assistance in Criminal Matters Act and the Criminal Code to provide for Australia’s accession to the cybercrime convention. An important feature of the bill is the preservation of stored communications. Carriers’ business practices often mean that communications are deleted before agencies have the opportunity to exercise a warrant to access stored communications. Whilst carriers have voluntarily provided assistance in the past, the bill amends the interception act so that an agency can formally require a carrier to preserve stored communications by reference to an individual or telecommunications service.

This approach will mean that computer data, SMS messages, emails and other communications stored by the carrier will be available while ensuring the interception act remains technologically neutral. Importantly, access to these communications will continue to be by way of a warrant.

The bill will rely on Australia’s existing mutual assistance frameworks to enable the improved exchange of stored communications and non-content data to assist in the investigation of certain foreign offences. The grounds for refusal in the mutual assistance act, including dual criminality and a ground to refuse assistance where the request relates to a political offence, will apply to requests for access to stored communications and requests for access to prospective telecommunications data.

While not including new offences in the Criminal Code, the bill expands the scope of the Criminal Code so that it can deal with criminal conduct outside of its existing limitations. The Criminal Code already contains savings provisions that have effectively ensured the continuing operation of state laws in a number of areas.

As recent police investigations have taught us, the need for international cooperation is essential in the investigation of cybercrime, particularly child exploitation offences and online fraud. The amendments contained in this bill will ensure Australia’s full compliance with the cybercrime convention and support our effort to counter cybercrime. I commend the bill to the Senate.