Systematic Government Access to Private-Sector Data in Australia
Abstract and Keywords
The chapter provides a summary of Australian privacy law including the Privacy Act and the Australian Privacy Principles. After describing the national legal context and fundamental principles governing Australia’s federal system of government with power distributed among six states, two territories, and the federal government, it describes laws separately governing law enforcement and intelligence agencies, including the Australian Security Intelligence Organisation (ASIO). The authors suggest that, although the Australian government has a range of powers to obtain private-sector data, those powers appear primarily aimed at obtaining specific data for specific purposes. Little was found by way of direct unmediated access by the government to private-sector data or government access to private-sector data in bulk.
This study of systematic government access to private-sector data in Australia suggests that, although the Australian government has a range of powers to obtain such data, those powers appear primarily aimed at obtaining specific data for specific purposes. Little was found by way of direct unmediated access by the government to private-sector data or government access to private-sector data in bulk.
II. National Legal Context and Fundamental Principles
Australia has a federal system of government with power distributed among six states, two territories, and the federal government. The Australian Constitution provides the federal government with the exclusive power to make laws on matters such as trade and commerce, taxation, defense, external affairs, and immigration and citizenship. It also outlines concurrent powers where both tiers of government are able to enact laws. The states and territories have independent legislative power in all matters not specifically assigned to the federal government.1 Both state/territory law and federal law affect the issues examined here. However, the most significant legislative initiatives are found on the federal level.
Discussions2 have taken place aimed at the possible introduction of a federal Bill of Rights, but Australia currently lacks such an instrument. The Australian Human Rights Commission is responsible for promoting and encouraging protection of human rights in Australia. However, although Australia is a signatory to international instruments, such as the International Covenant on Economic, Social and Cultural Rights and the International Covenant on Civil and Political Rights with its Optional Protocol 2, there are no binding human rights principles on a federal level. Nevertheless, a Statement of Compatibility with Human Rights is required to accompany any new legislation proposed at the federal level and is considered by the Joint Parliamentary Committee on Human Rights.3 Due to these protections and the ongoing debate about the role of a charter or bill of human rights in Australia, the Australian Human Rights Commissioner has indicated that there is currently no intention to pursue a charter at the federal level.4 If we turn to the state/territory level, the Australian Capital Territory introduced its Human Rights Act in 2004. Section 12 of that Act specifically protects privacy.5 Similarly, the Charter of Human Rights and Responsibilities Act 2006 (Vic) of Victoria contains such protection.6 Other states, for example New South Wales, have also considered implementing such human rights protection.
Australian privacy law underwent a major overhaul in 2014 following the release of a 2,694-page report, in 2008, by the Australian Law Reform Commission (ALRC).7 That report made a number of recommendations, which the government implemented in part in amendments to the Privacy Act 1988 (Cth) and the introduction of the Australian Privacy Principles (APPs), which came into force in March 2014. In addition to establishing the APPs, which apply to both federal government agencies and some private sector organizations, the amended Privacy Act established more comprehensive credit reporting obligations on credit providers and provided the Privacy Commissioner with enhanced powers to deal with privacy complaints.
As part of its 2008 report the ALRC recommended that Australia introduce a statutory cause of action for serious invasions of privacy.8 This recommendation was not adopted as part of the Privacy Act reform, and was renewed by the ALRC in a subsequent report in 2014 with the specific suggestion that the statutory cause of action be contained in a tort in Commonwealth legislation, separate from the Privacy Act. The recommendation was for the tort to apply only to intentional or reckless invasions of privacy and to be available to people who have a reasonable expectation of privacy.9 The government has not indicated a willingness to adopt the recommendations to date, and commentators have suggested that “uncertainty and inconclusiveness is destined to continue for some time yet” in relation to this issue.10
III. Statutory and Regulatory Overview
In addition to the key areas of data access focused on below, other examples of more or less systematic government access to private-sector data can be found, such as in the context of government use of private entity CCTV footage,11 ID scanning at clubs,12 special reporting duties placed on selected healthcare providers,13 and data held by private or semiprivate operators of toll roads and public transport smartcards.14 More recently, health information is collected by the newly developed Australian Digital Health Agency when individuals register for an eHealth record.15
A. Laws Requiring, Explicitly Authorizing, or Restricting Governmental Access to Private-Sector Data
The Privacy Act 1988 (Cth) contains 13 APPs that regulate, in general terms, the use of personal information by federal “agencies,” a term used to include, for example, Ministers, Departments, bodies and tribunals established or appointed for a public purpose, persons holding or performing the duties of a government office, federal courts, and the Australian Federal Police.16 State, territory, and local government bodies are not covered and are instead regulated in state or territory law.17 The Privacy Act also does not apply to Australian intelligence agencies.
Agencies regulated by this scheme shall not collect personal information (other than “sensitive information,” which has additional protections) unless the information is reasonably necessary for, or directly related to, one or more of the “entity’s functions or activities.”18 Further, the collector must collect personal information only by lawful and fair means19 and take reasonable steps to ensure that the personal information collected is “accurate, up to date and complete.”20 Similar regulation can be found on the state level in some states.
Sensitive information, which includes information or opinion about an individual’s racial or ethnic origin; political opinions; membership in a political, professional or trade association or trade union; religious beliefs or affiliations; philosophical beliefs; sexual orientation or practices; criminal record; or health, genetic, or biometric information,21 can only be collected by an agency if the individual consents to the collection and “the information is reasonably necessary for, or directly related to, one or more of the agency’s functions or activities” or if there is a relevant exception.22 Those exceptions include if:
(a) the collection of the information is required or authorized by or under an Australian law or a court/tribunal order; or
(b) a “permitted general situation” exists, which includes where it is unreasonable or impracticable to obtain the individual’s consent to the collection and the agency reasonably believes the collection is necessary to lessen or prevent a serious threat to life, health, or safety of an individual, or to public health and safety;23 or
(c) the agency is a prescribed “enforcement body” and the agency reasonably believes that “the collection of the information is reasonably necessary for, or directly related to, one or more of the [agency’s] functions or activities.”24
The impact of this regulation on systematic government access to private-sector data is interesting. On the one hand, it clearly sets boundaries for how governmental access to private-sector data may be had, and its broad scope of application means that it affects a wide range of government functions. On the other hand, this regulation is significantly undermined by the ease with which it can be circumvented. For example, AusCheck—a branch of the National Security Law and Policy Division of the Attorney-General’s Department—has the role of undertaking background checking for persons to hold certain identification cards. The AusCheck Act 2007 (Cth) explicitly authorizes AusCheck to collect, use, and disclose personal information for AusCheck purposes. Importantly for the discussion here, such collection, use, and disclosure is “taken to be authorised by law for the purposes of the Privacy Act 1988.”25 Thus, specific legislation can be used to nominate data use practices as being authorized by law so as to fit within the regulation discussed above.
On a more general level, it is worth noting how one expert has observed that:
Government agencies generally appear to consider any information lawfully obtained as “fair game” for any subsequent lawful function. Moreover, the cumulative effect of the various statutory disclosure provisions is that information obtained by one agency for a specific purpose becomes at least potentially available to a range of other agencies for quite different purposes.
Information privacy laws, in those Australian jurisdictions which have them, purport to limit use and disclosure to the purpose for which information is obtained, but this principle is substantially undermined by the many exceptions, including where “required or authorised by law” and “where reasonably necessary for [a range of public purposes].”26
B. Separate Laws for Law Enforcement Access, Regulatory Access, and/or National Security Access
Under current law, the Privacy Act 1988 (Cth) does not apply to some Australian government agencies “involved in law enforcement, intelligence gathering and national security” such as intelligence and defense intelligence agencies,27 and there are special rules regulating access by prescribed enforcement bodies for “enforcement related activities” broadly referring to activities such as the “prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction” and also surveillance, intelligence gathering and monitoring activities, among others.28
The Crimes Act 1914 (Cth), Part 1AA, Division 4B, gives the Australian Federal Police (AFP) “notice to produce powers.” For example, section 3ZQM provides power to request information or documents about terrorist acts from operators of aircraft or ships. That section allows an authorized AFP officer, who believes on reasonable grounds that an operator of an aircraft or ship has information or documents (including in electronic form) that are relevant to a matter that relates to the doing of a terrorist act (whether or not a terrorist act has occurred or will occur), to “ask the operator questions relating to the aircraft or ship, or its cargo, crew, passengers, stores or voyage, that are relevant to the matter”29 and to “request the operator to produce documents relating to the aircraft or ship, or its cargo, crew, passengers, stores or voyage: (i) that are relevant to the matter; and (ii) that are in the possession or under the control of the operator.”30
Section 3ZQN provides similar powers where “an authorised AFP officer considers on reasonable grounds that a person has documents (including in electronic form) that are relevant to, and will assist, the investigation of a serious terrorism offence.”31 No prior court approval is required for these categories of requests. In contrast, where an AFP officer considers, on reasonable grounds, that the person has documents (including in electronic form) that are relevant to, and will assist, the investigation of a serious offense, an application can be made to a judge of the Federal Circuit Court for a “notice to produce” order. To grant such an order, the Judge must be satisfied, on the balance of probabilities, by information on oath or by affirmation, that: “(a) the person has documents (including in electronic form) that are relevant to, and will assist, the investigation of a serious offence; and (b) giving the person a notice under this section is reasonably necessary, and reasonably appropriate and adapted, for the purpose of investigating the offence.”32 At the state level, most jurisdictions require warrants issued either by judges or magistrates.33
Special rules apply to data gathering by the Australian Security Intelligence Organisation (ASIO). ASIO’s data collection powers, particularly relating to computer and data access and surveillance devices, were modernized and broadened in 2014 following the passing of the National Security Legislation Amendment Act 2014 (Cth).
Part III, Division 2 of the Australian Security Intelligence Organisation Act 1979 (Cth) provides ASIO with a range of special powers relating to matters such as search warrants,34 requesting information or documents from operators of aircraft or vessels,35 inspection of postal articles and delivery service articles,36 the use of surveillance devices,37 the use of tracking devices,38 and the collection of foreign intelligence within Australia.39 Most important here, section 25A grants computer access powers. The Director-General may request the Minister to issue a warrant for computer access. The Minister must only issue such a warrant if: “satisfied that there are reasonable grounds for believing that access by the Organisation to data held in a computer (the target computer) will substantially assist the collection of intelligence in accordance with this Act in respect of a matter (the security matter) that is important in relation to security.”40
Prior to recent amendments, this provision referred to access to data held in “a particular computer.” A submission in May 2011 cautioned against the use of the phrase “data held in a particular computer” and suggested that with an increasing uptake in cloud computing, it may be difficult for ASIO to accurately predict in advance whether a person has stored relevant data locally on the “target computer” or “in the cloud.”41 It also noted that, under the previous wording, ASIO would appear restricted from accessing data stored in the cloud where a warrant has been granted for access to a target computer, even if, for example, the suspect in question has stored his/her login details for the cloud storage on that computer.42
In 2014, the definition of “computer” was broadened to include multiple computers, computer systems, or networks, and to enable the target computer of a computer access warrant to extend to all computers at a particular premises or operating in a network, and all computers associated with, used by or likely to be used by, a person (whose identity may or may not be known).43 The effect of this is that ASIO now has broadened powers to “use the computers of innocent third parties to gain access to a computer used by a suspected terrorist or criminal” and to “target information stored in the cloud or to intercept information flows between computers.”44
It is also worth noting that the Attorney-General has issued guidelines for the operation of ASIO. Under those Guidelines, information is to be obtained by ASIO in a lawful, timely, and efficient way. Further, the obtaining of information must take place in accordance with the following: (1) any means used for obtaining information must be proportionate to the gravity of the threat posed and the probability of its occurrence, and (2) inquiries and investigations into individuals and groups should be undertaken using as little intrusion into individual privacy as is possible. Further, the more intrusive the investigative technique, the higher the level of officer that should be required to approve its use, and wherever possible, the least intrusive techniques of information collection should be used before more intrusive techniques.45 Finally, the Director-General “shall take all reasonable steps to ensure that personal information shall not be collected, used, handled, or disclosed by ASIO unless that collection, use, handling, or disclosure is reasonably necessary for the performance of its statutory functions (or as otherwise authorised, or required, by law).”46
If we look specifically at the legislative powers to access communications data, section 313 of the Telecommunications Act 1997 (Cth) imposes obligations on all carriers47 and carriage service providers48 “to provide assistance to officers and authorities of the Commonwealth, states and territories as is reasonably necessary for enforcing the criminal law and laws imposing pecuniary penalties, assisting the enforcement of the criminal laws in force in a foreign country, protecting revenue or safeguarding national security.”49 Significantly, this includes, amongst other obligations, providing assistance to agencies in relation to the interception of communications and access to stored communications.50
Further, although sections 276–278 of the Telecommunications Act 1997 (Cth) place restrictions on the use and disclosure of telecommunications data, special exemptions apply for law enforcement and national security agencies. There are also different powers available for access to telecommunications “data,” generally considered to be metadata, as opposed to the content of the communications themselves.
When dealing with telecommunications data, a distinction is drawn between “voluntary disclosure” on the one hand and “authorised disclosure” on the other. Voluntary disclosure of information or a document to ASIO is allowed provided the disclosure is in connection with the performance by ASIO of its functions.51 Similarly, section 177 allows such voluntary disclosure to “an enforcement agency if the disclosure is reasonably necessary for the enforcement of the criminal law, or a law imposing a pecuniary penalty, or for the protection of the public revenue.”52 In the context of such disclosure, there is a risk of “oversupply” in that telecommunications employees might disclose more than what is necessary.53
Authorized disclosure can relate to data held by the telecommunications operator, or so-called prospective information or documents. ASIO54 and enforcement agencies55 may authorize the disclosure of specific information or documents held by a telecommunications operator without a warrant. More interestingly, they can also authorize disclosure of prospective data on an ongoing basis, such as specific web browsing activities or the real-time location of phones or other devices,56 excluding the content or substance of communications.57 As far as enforcement agencies are concerned, authorization must not be made unless the disclosure is reasonably necessary for the investigation of an offense punishable by imprisonment for at least three years.58 Further, before making the authorization, the authorized officer “must be satisfied on reasonable grounds that any interference with the privacy of any person or persons that may result from the disclosure or use is justifiable and proportionate” having regard to certain matters, including the gravity of any conduct in relation to which the authorization is sought, the likely relevance and usefulness of the information or documents, and the reason the disclosure or use is proposed to be authorized.59 Notably, these rules do not apply to ASIO.60
Although the ability of certain government agencies to access telecommunications data has been in place for some time, there were previously no requirements on service providers to retain the data for any particular period of time or to specify the types of data that were to be retained. Mandatory retention requirements were implemented in the Telecommunications (Interception and Access) Act 1979 (Cth) from October 2015 and rationalized on the basis that the value of the tools previously available to national security and law enforcement agencies to access telecommunications data was being “undermined by the level of change in the telecommunications environment,”61 including the development of new technologies and the globalization of the telecommunications industry. The changes also recognize the government’s view of the importance of telecommunications data in serious criminal investigations, including “counter-terrorism, organized crime, counter-espionage and cyber security … murder, rape and kidnapping.”62 There is now a statutory obligation on telecommunications and Internet service providers to retain certain prescribed telecommunications data, including identification and contact information; the source and destination of a communication; the date, time, and duration of a communication; and the type of communication, for a period of two years.63 That data is then available for access by certain enforcement agencies.
Of note, the retention requirements do not require service providers to retain the content or substance of a communication,64 such as the content of emails or telephone calls, or web browsing history,65 and the service provider must protect the confidentiality of the information by encrypting it and protecting it from unauthorized interference or unauthorized access.66
Certain national security and law enforcement agencies still have the ability to access or intercept the content or substance of a communication (for example the content of an email or SMS) by obtaining an interception warrant67 or stored communications warrant68 for certain purposes or in a life threatening emergency.69 In relation to both interception and stored communication warrants the issuing authority must have regard to certain matters including how much the privacy of any person would be likely to be interfered with, the gravity of the conduct constituting the serious offense or contravention, how much the information would be likely to assist in connection with the investigation, and to what extent other investigative methods have been used by or are available to the agency.70 These powers were not increased by the Amendment Act.
Taken together, this provides Australian law enforcement and national security agencies with broad access to private-sector data. At the same time, it appears that, on most occasions, the regulatory framework outlined in this section would be used for “small scale” access to data in individual cases, as the requirements imposed, for example by the Attorney-General Guidelines, ought to ensure that typically only specific data for specific purposes is collected rather than data in bulk. Having said that, one can of course imagine scenarios where access is sought to larger volumes of, for example, airline cargo or crew data, or indeed where systematic access, in the sense of repeated access, is being sought. Further, the powers granted to ASIO could be used for systematic, direct and unmediated, access to private-sector data.
C. Laws Requiring Broad Reporting of Personal Data by Private-Sector Entities
There are some examples of Australian law requiring broad reporting of personal data by private-sector entities, such as the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), the Income Tax Assessment Act 1997 (Cth), and the Customs Act 1901 (Cth).
1. Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)
On December 12, 2007, Australia introduced its Anti-Money Laundering and Counter-Terrorism Financing programs. The programs are regulated in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act). These programs—which apply to private entities such as banks, non-bank financial services, remittance (money transfer) services, bullion dealers, and gambling businesses71—explicitly require broad reporting of personal data by private-sector entities. More specifically, the aim is for reporting entities to help identify, mitigate, and manage the risk of their products or services facilitating money laundering or terrorism financing.72 The scheme is overseen by the Australian Transaction Reports and Analysis Centre (AUSTRAC).73
Where a private entity provides a “designated service,” it is classed as a reporting entity and must adopt, maintain, and comply with an AML/CTF program.74 Such a program includes several obligations (e.g., relating to the training and screening of staff, ensuring that an adequate monitoring system is in place, etc.) but most important for our purposes, it includes an obligation to submit three different types of reports.
• Suspicious Matter Reports (SMRs)75—where a reporting entity suspects that a matter may be related to an offense, tax evasion, or the proceeds of crime, it must submit an SMR within three business days, or where the suspicion relates to the financing of terrorism, within 24 hours. Such a report is to include all details known about the suspicious matter, the person/organization(s) to which the matter relates, and any transactions related to the matter.76
• Threshold Transaction Reports (TTRs) (where applicable)77—where a reporting entity provides or commences to provide a designated service to a customer that involves the transfer of physical currency or e-currency of AUD10,000 or more it must complete a TTR within 10 business days. The information to be provided within a TTR includes details of the customer of the designated service, the individual conducting the transaction (if different from the customer), the recipient of the proceeds of the transaction (if different from the customer), and the transaction, including cash and other components.78
• International Funds Transfer Instruction (IFTI) reports (where applicable)79—where a reporting entity sends or receives a funds transfer instruction to or from a foreign country, it must complete an IFTI report within 10 business days. The information to be provided within an IFTI report includes details of the transfer instruction, the parties involved in the transaction, or details of the ordering and beneficiary customers for the remittance, the originating and destination country’s remittance service providers (if applicable), and any additional information relating to the instruction.80
The AML/CTF Act contains a set of tables in section 6 that outline in detail what constitutes a “designated service.” Examples include where the service is provided in the course of carrying on a business: opening an account, accepting deposits or allowing withdrawals, making a loan, issuing a debit or credit card, supplying goods through a finance lease, supplying goods by way of hire purchase, issuing traveler’s checks, providing remittance services that transfer money or property, dealing with certain superannuation-related transactions or services, issuing or accepting liability under life insurance policies, issuing or selling securities and derivatives, exchanging foreign currency, receiving or accepting a bet, placing or making a bet, allowing a person to play a game on an electronic gaming machine, paying out winnings on bets, and exchanging money for gaming chips or tokens and vice versa.
2. Customs Act 1901 (Cth)
The Australian government collects passenger data, and where an operator of an international passenger air service fails to provide ongoing access to that data in a manner and form requested by the government, that operator commits an offense.81 The Act makes clear that: “The obligation to provide access must be complied with even if the information concerned is personal information (as defined in the Privacy Act 1988).”82
3. Taxation and Employment
The Australian Taxation Office (ATO) collects private-sector data systematically in a range of ways. For example, upon hiring a new employee, the employer must collect, and report to the ATO, the employee’s tax file number (a unique identifier allocated by the ATO).83 Systematic reporting is also required under the Income Tax Assessment Act 1997 (Cth), which requires all employers and financial institutions in Australia to report all earned and unearned (investment) income to the ATO.84
In Australia, providers of higher education (some of which, such as Bond University, are private entities) must report certain data to the government. In particular, systematic reporting requirements relate to the personal information of students on student visas (international students), and students who have access to government benefits.85
D. Laws Permitting or Restricting Private-Sector Entities from Providing Government Officials with Voluntary Broad Access to Data
The APPs in the Privacy Act 1988 (Cth) also regulate when private-sector entities may provide government officials with voluntary broad access to data, as well as the disclosure of specific data. However, due to a range of significant exemptions (e.g., the Act does not apply to some organizations with an annual turnover of AUS $3 million86 or less), that Act is only applicable to a small proportion of Australian private-sector entities. Thus, the majority of Australian private-sector entities are unregulated in their voluntary provision of data to the government.87
Entities that do fall under the Privacy Act’s regulation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless the individual has consented to the use or disclosure or one of the following relevant exceptions applies:
(a) the individual would reasonably expect the information to be used or disclosed for the secondary purpose and the secondary purpose is:
(i) if the information is sensitive information—directly related to the primary purpose; or
(ii) if the information is not sensitive information—related to the primary purpose; or
(b) “the use or disclosure of the information is required or authorised by or under an Australian law or a court/tribunal order;” or
(c) a “permitted general situation” exists in relation to the use or disclosure of the information which includes (subject to certain conditions) where the entity reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of an individual or to public health or safety, where the entity has reason to suspect that unlawful activity or misconduct of a serious nature that relates to the entity’s functions or activities has been, is being or may be engaged in, or the entity reasonably believes that the use or disclosure is reasonably necessary to assist an entity to locate a person who has been reported as missing; or
(d) the disclosure is by an organization and a “permitted health situation” exists in relation to the use or disclosure of the information, which includes where the disclosure of health information is necessary for research or the compilation or analysis of statistics, relevant to public health or public safety where it is impracticable to obtain the individual’s consent, the disclosure is conducted in accordance with approved guidelines and the organisation reasonably believes that the recipient will not disclose the information; or
(e) the entity reasonably believes that the use or disclosure of the information is reasonably necessary for an “enforcement related activity” conducted by, or on behalf of, a prescribed enforcement body, including:
(i) the prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law imposing a penalty or sanction; or
(ii) the conduct of surveillance activities, intelligence gathering activities or monitoring activities; or
(iii) the conduct of protective or custodial activities; or
(iv) the enforcement of laws relating to the confiscation of the proceeds of crime; or
(v) the protection of the public revenue; or
(vi) the prevention, detection, investigation, or remedying of misconduct of a serious nature, or other conduct prescribed by the regulations; or
(vii) the preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of a court or tribunal.88
E. Judicial Authorization Requirements for Major Categories of Data
As noted throughout, warrants issued by judges play a major role in Australia. However, there are exceptions. The Telecommunications (Interception and Access) Act 1979 (Cth), for example, allows an authorized officer of a criminal law-enforcement agency to authorize the disclosure of telecommunications data without a judicial warrant.
F. Standards for Use Once the Government Acquires Data
The APPs under the Privacy Act 1988 (Cth) also regulate how federal government agencies may use data once it has been acquired. Importantly, the use and disclosure rules referred to above (contained in APP 6) apply equally to personal information collected by a government agency.
In addition to these obligations, the APPs impose obligations on both agencies and organizations to take reasonable steps to ensure that the personal information collected is accurate, up to date, and complete;89 to check the accuracy and relevancy of personal information before it is used or disclosed;90 to provide access to the information it holds on an individual to that individual on request (subject to some exceptions, such as those under the Freedom of Information Act 1982 (Cth));91 to provide information about the data it holds;92 and to take reasonable steps to protect the information from misuse, interference, and loss and from unauthorized access, modification or disclosure.93
Examples of similar legislation can be found at the state level.
G. Cross-Border and Multi-jurisdictional Issues
Section 5B of the Privacy Act 1988 (Cth) regulates the extraterritorial reach of the Act. That section extends the application of the Privacy Act 1988 (Cth) to acts done, or practices engaged in, outside Australia and the external territories by an organization or small business operator provided that: (1) the overseas act was not required by an applicable foreign law, and (2) the relevant organization meets one of the following two tests, described as the “Australian link.”
The first test, found in section 5B(2) is met where the organization in question is: (1) an Australian citizen, (2) a person whose continued presence in Australia is not subject to a limitation as to time imposed by law, (3) a partnership formed in Australia or an external Territory, (4) a trust created in Australia or an external Territory, (5) a body corporate incorporated in Australia or an external Territory, or (6) an unincorporated association that has its central management and control in Australia or an external Territory.
The second test, outlined in section 5B(3) is met where the organization in question: (1) is not described in subsection (2) (i.e., does not meet the first test), (2) carries on business in Australia or an external Territory, and (3) “the personal information was collected or held by the organisation or operator in Australia or an external Territory, either before or at the time of the act or practice.”
Section 5B has not been subject to any extensive judicial interpretation and several aspects of its application (particularly in relation to the second test mentioned above) must be seen as unclear. For example, it is not clear under which circumstances an organization is held to be “carrying on business in Australia or an external Territory.”94 The APP Guidelines issued by the Office of the Australian Information Commissioner (APP Guidelines) acknowledge that the phrase “carries on business in Australia” is not defined in the Privacy Act 1988 (Cth), but note that guidance can be drawn from judicial consideration of this phrase in corporations and consumer law, whilst stressing that these concepts must be assessed in the context of the Privacy Act 1988 (Cth).95 The APP Guidelines provide the following factors that may be considered in assessing whether an entity is carrying on a business in Australia:
(a) the entity has a place of business in Australia;
(b) people who undertake business acts for the entity are located in Australia—for example, an entity may carry on business in Australia where an agent acting on its behalf carries on its business from some fixed place in Australia;
(c) the entity has a website that offers goods or services to countries including Australia;
(d) Australia is one of the countries on the drop-down menu appearing on the entity’s website;
(e) web content that forms part of carrying on the business, was uploaded by or on behalf of the entity, in Australia;
(f) business or purchase orders are assessed or acted upon in Australia; or
(g) the entity is the registered proprietor of trademarks in Australia.96
However, the APP Guidelines caution that the presence or absence of any one of these factors will not be determinative, and give the example that an entity will not generally be regarded as carrying on business in Australia solely on the basis that a purchase order can be placed in Australia.97
Further, APP 8 (and section 16C of the Privacy Act 1988 (Cth)) deals specifically with cross-border disclosures of personal information. That framework requires the relevant entity to ensure that an overseas recipient will handle the personal information in accordance with the APPs. There are, however, exceptions, including where the overseas recipient is subject to a protection regime similar to the APPs, where the disclosure is required or authorized by or under an international agreement relating to information sharing (noting that this exception does not apply to organizations98), or where the entity is an agency and that agency reasonably believes that the disclosure is reasonably necessary for an enforcement related activity by an (Australian) enforcement body and the recipient performs functions or exercises powers that are similar to those of an enforcement body.
H. Impacts of Snowden Leaks on Australia
The amendments to national security legislation by the National Security Legislation Amendment Act 2014 (Cth) also attempted to address potential shortfalls in the provisions addressing the protection of intelligence-related information arising from the leaks of documents revealing surveillance matters by Edward Snowden, a former National Security Agency (NSA) contractor in the United States.99 While working as a computer analyst, Snowden collected and later leaked to journalists thousands of documents allegedly describing the surveillance activities of the NSA.
The impact on Australia from those leaks is reported to be:
Australian intelligence agencies are understood to have scoped the potential damage for future leaks from the Snowden affair and have assessed that between 15,000 and 20,000 secret Australian intelligence files could have been accessed by Snowden through his computer at NSA, although it is unknown how many of these he actually stole before seeking refuge in Russia.
The majority of the stolen reports are likely to discuss political, economic and military intelligence gleaned by Australian agencies, especially the Australian Signals Directorate (formerly the Defence Signals Directorate, DSD), in the Asia-Pacific region.100
The Australian Signals Directorate is an intelligence agency within the Australian Department of Defence, responsible for collecting and analyzing foreign signals intelligence to support military and strategic decision-making.101
Most significantly from an Australian perspective, the documents leaked by Snowden reportedly revealed:102
(a) that Australian diplomatic facilities throughout the Asia-Pacific region were involved in an NSA-led covert signals intelligence program codenamed STATEROOM in which surveillance collection units operated within embassies and diplomatic missions to monitor certain signals (microwave, Wi-Fi and satellite signals, for example). The documents reportedly demonstrate that data intercepted by STATEROOM in Australian embassies was automatically shared with the NSA.
(b) that the NSA and the DSD conducted a surveillance operation on Indonesia during the United Nations climate change conference in Bali in 2007.
(c) that the DSD monitored and intercepted the 3G cell phone calls of Indonesian president Susilo Bambang Yudhoyono, his wife, and his inner circle of advisers. The relevant documents were DSD PowerPoint slides held by the NSA explaining the DSD’s achievements in monitoring and intercepting activities in relation to Indonesian leadership targets.
The reported impact of these leaks was the revelation not only of the types of activities Australian intelligence agencies conduct, but also of the technical capacities of the ASD and the extent of its collaboration with the US NSA; the revelations caused significant damage to Australia’s relationship with Indonesia.103 The Australian foreign minister responded to the Snowden affair by condemning his actions, seeking to “manage the impact of [our] relationships with others targeted by the Snowden allegations,” and commenting that the Australian government is “satisfied with the robust oversight and collection management arrangements that apply to Australia’s intelligence activities.”104
(*) The opinions expressed in this chapter are the authors’ own and do not reflect the view of any particular entity. The authors are grateful for the valuable feedback provided by Nigel Waters.
(1.) Australian Government, “How Government Works,” http://www.australia.gov.au/about-government/how-government-works (last visited April 25, 2017).
(2.) https://www.humanrights.gov.au/our-work/rights-and-freedoms/projects/lets-talk-about-rights-human-rights-act-australia (last visited July 22, 2016).
(3.) Human Rights (Parliamentary Scrutiny) Act 2011 (Cth), § 8.
(4.) Australian Human Rights Commission, Rights and Responsibilities Consultation Report (2015) 49, https://www.humanrights.gov.au/sites/default/files/document/publication/rights-and-responsibilities-report-2015.pdf.
(5.) Human Rights Act 2004 (ACT).
(6.) Charter of Human Rights and Responsibilities Act 2006 (Vic), § 13.
(9.) ALRC, Serious Invasions of Privacy in the Digital Era: Final Report (2014) ALRC 123, http://www.alrc.gov.au/sites/default/files/pdfs/publications/final_report_123_whole_report.pdf.
(10.) Margaret Jackson and Gordon Hughes, Private Life in a Digital World (2015) at 191.
(11.) See for example: Victorian Law Reform Commission, Surveillance in Public Places: Final Report (2010) VLRC 18, http://www.austlii.edu.au/cgi-bin/disp.pl/au/other/lawreform/VLRC/2010/18.html?stem=0&synonyms=0&query=CCTV.
(13.) See, for example Health Insurance Act 1973 (Cth), § 23DS.
(14.) See further: Nigel Waters, Government Surveillance in Australia (August 2006), http://www.pacificprivacy.com.au/Government%20Surveillance%20in%20Australia%20v6.pdf.
(16.) Privacy Act 1988 (Cth), § 6.
(17.) Privacy and Personal Information Protection Act 1998 (NSW), Privacy and Data Protection Act 2014 (Vic), Information Privacy Act 2009 (Qld), Personal Information Protection Act 2004 (Tas), Information Act 2002 (NT) and Information Privacy Act 2014 (ACT).
(18.) Australian Privacy Principle 3.1.
(19.) Australian Privacy Principle 3.5.
(20.) Australian Privacy Principle 10.1.
(21.) Privacy Act 1988 (Cth), § 6.
(22.) Australian Privacy Principle 3.3.
(23.) Privacy Act 1988 (Cth), § 16A.
(24.) Australian Privacy Principle 3.4.
(25.) AusCheck Act 2007 (Cth), § 13(1).
(26.) Nigel Waters, Government Surveillance in Australia (August 2006), http://www.pacificprivacy.com.au/Government%20Surveillance%20in%20Australia%20v6.pdf (internal footnote omitted).
(27.) Office of the Australian Information Commissioner, “Which Law Enforcement Agencies Are Covered by the Privacy Act?” https://www.oaic.gov.au/individuals/faqs-for-individuals/law-enforcement-surveillance-photos/resources-on-law-enforcement (last visited April 25, 2017). See for example Privacy Act 1988 (Cth), § 7. The term “intelligence agency” is defined in § 6(1) of the Privacy Act 1988 (Cth).
(28.) Privacy Act 1988 (Cth), § 6(1), definition of “enforcement related activity.” This definition also includes the conduct of protective or custodial activities; the enforcement of laws relating to the confiscation of the proceeds of crime; the protection of the public revenue; the prevention, detection, investigation, or remedying of misconduct of a serious nature; or the preparation for, or conduct of, proceedings before any court or tribunal; or the implementation of court/tribunal orders.
(29.) Crimes Act 1914 (Cth), § 3ZQM.
(30.) Crimes Act 1914 (Cth), § 3ZQM.
(31.) Crimes Act 1914 (Cth), § 3ZQN.
(32.) Crimes Act 1914 (Cth), § 3ZQO.
(33.) Nigel Waters, Government Surveillance in Australia (August 2006), http://www.pacificprivacy.com.au/Government%20Surveillance%20in%20Australia%20v6.pdf, p. 4. See, for example, Law Enforcement (Powers and Responsibilities) Act 2002 (NSW), Victoria Police Act 2013 (Vic).
(34.) Australian Security Intelligence Organisation Act 1979 (Cth), § 25.
(35.) Australian Security Intelligence Organisation Act 1979 (Cth), § 23.
(36.) Australian Security Intelligence Organisation Act 1979 (Cth), §§ 27 & 27AA.
(37.) Australian Security Intelligence Organisation Act 1979 (Cth), §§ 26, 26A, 26B, 26C and 26D.
(38.) Australian Security Intelligence Organisation Act 1979 (Cth), § 26E.
(39.) Australian Security Intelligence Organisation Act 1979 (Cth), § 27A.
(40.) Australian Security Intelligence Organisation Act 1979 (Cth), § 25A(2).
(41.) Dan Svantesson, “Submission in relation to the Legal and Constitutional Affairs Legislation Committee’s inquiry into the Intelligence Services Legislation Amendment Bill 2011” (May 26, 2011), http://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Legal_and_Constitutional_Affairs/Completed_inquiries/2010-13/intelligenceservices/submissions.
(42.) Dan Svantesson, “Submission in relation to the Legal and Constitutional Affairs Legislation Committee’s inquiry into the Intelligence Services Legislation Amendment Bill 2011” (May 26, 2011), http://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Legal_and_Constitutional_Affairs/Completed_inquiries/2010-13/intelligenceservices/submissions.
(43.) Australian Security Intelligence Organisation Act 1979 (Cth), §§ 22 and 25A(3) as amended by National Security Amendment Act 2014 (Cth).
(44.) K. Lachmayer and N. Witzleb, “The Challenge to Privacy from Ever Increasing State Surveillance: A Comparative Perspective,” 37(2) UNSWLawJl 770 (2014), http://www.austlii.edu.au/cgi-bin/download.cgi/cgi-bin/download.cgi/download/au/journals/UNSWLawJl/2014/28.pdf.
(45.) Australian Security Intelligence Organisation, Attorney-General’s Guidelines in relation to the performance by the Australian Security Intelligence Organisation of its function of obtaining, correlating, evaluating and communicating intelligence relevant to security (including politically motivated violence), https://www.asio.gov.au/sites/default/files/Attorney-General’s%20Guidelines.pdf (last visited April 27, 2017), Guideline 10.4.
(46.) Australian Security Intelligence Organisation, Attorney-General’s Guidelines in relation to the performance by the Australian Security Intelligence Organisation of its function of obtaining, correlating, evaluating and communicating intelligence relevant to security (including politically motivated violence), https://www.asio.gov.au/sites/default/files/Attorney-General’s%20Guidelines.pdf (last visited April 27, 2017), Guideline 13.2.
(47.) That is, somewhat simplified, the holder of a carrier license. See further Telecommunications Act 1997 (Cth), § 7.
(48.) That is, somewhat simplified, a person who supplies, or proposes to supply, a listed carriage service to the public. See further Telecommunications Act 1997 (Cth), § 87.
(49.) Australian Government, “Overview of legislation: The Telecommunications Act 1997,” https://www.ag.gov.au/NationalSecurity/TelecommunicationsSurveillance/Pages/Overviewoflegislation.aspx (last visited July 17, 2016).
(50.) Telecommunications Act 1997 (Cth), § 313(7).
(51.) Telecommunications (Interception and Access) Act 1979 (Cth), § 174(1).
(54.) Telecommunications (Interception and Access) Act 1979 (Cth), § 175.
(55.) Telecommunications (Interception and Access) Act 1979 (Cth), §§ 178, 178A & 179. Recent amendments restricted the types of agencies that are able to access data under the TIA Act. By § 176A, the Telecommunications (Interception and Access) Act 1979 (Cth) now applies to certain “criminal law enforcement agencies” or an agency declared by the Minister to be an “enforcement agency” for the purposes of the Act.
(56.) For ASIO, see Telecommunications (Interception and Access) Act 1979 (Cth), § 176, and for enforcement agencies, refer to Telecommunications (Interception and Access) Act 1979 (Cth), § 180. See further, Sharon Rodrick, “Accessing Telecommunications Data for National Security and Law Enforcement Purposes,” 2009 UMonashLRS 15 http://www.austlii.edu.au/au/journals/UMonashLRS/2009/15.html, pp. 31–35.
(57.) Telecommunications (Interception and Access) Act 1979 (Cth), § 172.
(58.) Telecommunications (Interception and Access) Act 1979 (Cth), § 180(4).
(59.) Ibid., § 180F.
(60.) Sharon Rodrick, “Accessing Telecommunications Data for National Security and Law Enforcement Purposes,” 2009 UMonashLRS 15, http://www.austlii.edu.au/au/journals/UMonashLRS/2009/15.html, p. 34.
(61.) Parliament of Australia, Explanatory Memorandum to Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, paragraph 1.
(62.) Ibid., paragraph 5.
(63.) Telecommunications (Interception and Access) Act 1979 (Cth), Part 5.1A.
(64.) Ibid., § 187A(4)(a).
(65.) Ibid., § 187A(4)(b).
(66.) Ibid., § 187BA.
(67.) For example, under § 9 of Telecommunications (Interception and Access) Act 1979 (Cth), the Attorney-General may issue a warrant on request by the Director General to assist ASIO in carrying out its function of obtaining intelligence relating to security. Part 2.5 allows certain agencies to apply for interception warrants where the information is likely to assist in connection with the investigation of a serious offense (which is defined in § 5D as including murder, kidnapping, acts of terrorism, people smuggling/trafficking etc.).
(68.) Telecommunications (Interception and Access) Act 1979 (Cth), Part 3.3. Section 116(1) sets out when an issuing authority can issue a stored communications warrant that includes where the information would be likely to assist in connection with an investigation by the agency or a foreign country of a serious contravention in which the person is involved (including as a victim). A serious contravention is defined in section 5E as including an offense punishable by imprisonment of at least three years or a fine of at least 180 penalty units for an individual.
(69.) Telecommunications (Interception and Access) Act 1979 (Cth), § 30.
(70.) Ibid., § 46(2), § 116(2).
(74.) Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), § 5.
(75.) Ibid., §§ 41–42.
(76.) Australian Government, “Reporting requirements,” http://www.austrac.gov.au/files/reporting-requirements_dec2010.pdf (last visited April 25, 2017).
(77.) Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), §§ 43–44.
(78.) “Reporting requirements,” http://www.austrac.gov.au/files/reporting-requirements_dec2010.pdf.
(79.) Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), §§ 45–46.
(80.) “Reporting requirements,” http://www.austrac.gov.au/files/reporting-requirements_dec2010.pdf.
(81.) Customs Act 1901 (Cth), § 64AF(1).
(83.) Taxation Administration Act 1953 (Cth).
(84.) Nigel Waters, Government Surveillance in Australia (August 2006), http://www.pacificprivacy.com.au/Government%20Surveillance%20in%20Australia%20v6.pdf, p. 15.
(85.) See further, Higher Education Support Act 2003 (Cth). That Act contains specific provisions dealing with privacy protection. See, Part 5-4, Division 179.
(86.) Roughly equal to US $3 million.
(87.) Nigel Waters, Government Surveillance in Australia (August 2006), http://www.pacificprivacy.com.au/Government%20Surveillance%20in%20Australia%20v6.pdf, p. 3.
(88.) Australian Privacy Principle 6; Privacy Act 1988 (Cth), §§ 6, 16A and 16B.
(89.) Australian Privacy Principle 10.
(90.) Australian Privacy Principle 10.
(91.) Australian Privacy Principle 12.
(92.) Australian Privacy Principle 1.
(93.) Australian Privacy Principle 11.1.
(94.) See further, Dan Svantesson. “Protecting Privacy on the ‘Borderless’ Internet—Some Thoughts on Extraterritoriality and Transborder Data Flow” (2007) Bond Law Review 19.1, http://works.bepress.com/dan_svantesson/3.
(95.) Office of the Australian Information Commissioner, Australian Privacy Principle Guidelines, B13 (internal footnotes omitted), available at https://www.oaic.gov.au/resources/agencies-and-organisations/app-guidelines/APP_guidelines_complete_version_1_April_2015.pdf (last visited July 15, 2016).
(98.) Office of the Australian Information Commissioner, Australian Privacy Principle Guidelines, 8.47, available at https://www.oaic.gov.au/resources/agencies-and-organisations/app-guidelines/APP_guidelines_complete_version_1_April_2015.pdf (last visited July 15, 2016).
(99.) Department of Parliamentary Services, National Security Legislation Amendment Bill (No.1) 2014 Bills Digest (2014–2015) 19 http://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/bd/bd1415a/15bd019.
(100.) P. Maley and C. Stewart, “Snowden Stole up to 20,000 Aussie Files,” The Australian (December 5, 2013), p. 1 http://www.theaustralian.com.au/national-affairs/foreign-affairs/edward-snowden-stole-up-to-20000-aussie-files/story-fn59nm2j-1226775491490, and as reported in Department of Parliamentary Services, National Security Legislation Amendment Bill (No.1) 2014 Bills Digest (2014–2015) 19, http://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/bd/bd1415a/15bd019.
(104.) J. Bishop, “US-Australia: The Alliance in an Emerging Asia” (2014), http://foreignminister.gov.au/speeches/Pages/2014/jb_sp_140122.aspx?ministerid=4.