Nick Xenophon (SA, Nick Xenophon Team) Share this | Hansard source

The Telecommunications and Other Legislation Amendment Bill 2016 will amend the Telecommunications Act 1997 and related legislation with the aim of strengthening the security of Australia's telecommunications networks. Australia's telecommunications networks are an absolutely vital part of our national infrastructure, enabling us to conduct business and go about our everyday lives online. Our economic prosperity, our wellbeing and, indeed, our national security are dependent on telecommunications networks and the data that flows across them.

I don't think anyone can question the scale and seriousness of the potential cyberthreats to Australia from serious to highly organised crime, often operating on an industrial scale, to clandestine activity by foreign governments. All the publicly available advice from our security and intelligence agencies suggests— and I quote from the minister's second reading speech:

Espionage and clandestine foreign interference activity against Australian interests is extensive.

This legislation has been developed over a lengthy period of time with extensive consultation with industry and other stakeholders with exposure drafts available for public consultation and, more recently, by an inquiry by the Parliamentary Joint Committee on Intelligence and Security. The bill proposes amendments to the Telecommunications Act 1997 to place an obligation on all carriers, carriage service providers and carriage service intermediaries to do their best to protect telecommunications networks and facilities from unauthorised interference and unauthorised access for the purposes of security. Companies will have to consider national security risks such as espionage, sabotage and foreign interference threats, and the confidentiality of information and communications as well as the availability and integrity of telecommunications network facilities. This obligation will be supported by new notification obligations. Carriers and nominated carriage service providers will be required to notify changes to systems and services if the carrier or the nominated carriage service provider becomes aware that a proposed change is likely to have a materially adverse effect on their ability to meet their security obligations to protect networks and facilities from unauthorised access and interference. Early notification to security agencies should allow those agencies to provide advice at the planning stage and ensure security considerations are factored into the proposed design as early as possible in a cost-effective manner. As the minister put it in introducing the bill:

The scheme relies on a 'light touch' approach to regulation to allow for meaningful collaboration and cooperation with industry to manage risks in a way that is satisfactory to both industry and government, without the government being too prescriptive and retaining flexibility for industry.

Clearly, a close and effective dialogue between our national security agencies—especially ASIO and the Australian Signals Directorate—and industry will be essential if the legislation is to deliver the enhanced security we all seek.

The bill has now been the subject of an extensive inquiry by the Parliamentary Joint Committee on Intelligence and Security, a process that has allowed further comment and input from industry. The joint committee has made a number of recommendations that are broadly reflected in the amendments now proposed by the government. I won't go through all those amendments and recommendations. Suffice to say they all significantly improve the legislation.

I will, however, focus on one matter examined by the joint committee, and that is the question of the location of stored data. This is a very important issue. As the draft administrative guidelines accompanying the bill note, offshore data storage raises significant security issues relating both to the storage of personal information, financial and other sensitive data and, indeed, to national security. The draft administrative guidelines note:

Offshoring raises security concerns because it enables access and control to critical parts of major Australian telecommunications networks outside of Australia, this can facilitate foreign intelligence collection (espionage) and disrupt the network itself (sabotage). Risks arise where control and supervision arrangements have the potential to allow unauthorised actions by third parties, such as theft of customer data or sabotage of the network.

The Attorney-General's Department noted that the bill does not specify where or how data must be stored, but instead supports a risk based approach where companies 'can retain flexibility to support their changing business needs and to minimise any regulatory burden on their ability to conduct business internationally'. The law, as it stands and as is proposed, does not currently compel telecommunications providers to tell the government where data retained is stored. That is something I have concerns about, and I propose to raise them in my usual respected manner with the Attorney because I am concerned about the data being stored overseas. I don't think a risk based approach is adequate here, given the potential for espionage or sabotage.

The joint committee rightly observes:

It is critical that the Australian community can have confidence in the telecommunications sector and especially the security of stored data.

Australia's existing legal framework for the protection of information includes requirements under the Privacy Act and the Telecommunications (Interception and Access) Act, including mandatory encryption for retained telecommunications data as well as a recently introduced mandatory data breach notification scheme. The joint committee notes that the telecommunications sector security framework would apply to carriers and carriage service providers—C/CSPs—irrespective of whether certain parts of a C/CSP's operation are located in Australia or overseas. The location of data is not necessarily determinant of its security, but there are clear risks associated with offshore data storage. The joint committee rightly expressed itself 'greatly concerned that existing laws do not provide government with visibility about where and how data is being stored'. We need that visibility. The notification requirements proposed for the bill will require telecommunications companies to notify the government of any changes they propose to make that are likely to have a material adverse effect on their ability to comply with their security obligations. This requirement must include any decisions to store critical data offshore.

The bill does contain information-gathering powers that could be used, if necessary, to compel companies to provide information that is relevant to assessing compliance with their security obligations. The joint committee has recommended:

… that at the time of the review required to be undertaken by the Parliamentary Joint Committee on Intelligence and Security under section 187N of the Telecommunications (Interception and Access) Act 1979, the scope of the review be expanded to include consideration of the security of off-shored telecommunications data that is retained by a service provider for the purpose of the data retention regime.

The joint committee has further recommended:

… the Bill should be amended to include, in relation to data retained under Part 5-1A of the Telecommunications (Interception and Access) Act 1979, a specific obligation within the notification requirement in proposed section 314A to require—

carriers and nominated carriage service providers to notify the department—

of any new or amended offshoring arrangements.

This seems to be an essential provision, as a minimum, to ensure the security considerations are properly taken into account in any arrangements to store Australians' personal, financial or other sensitive data overseas.

My view is that I don't like it. This, to me, is putting Australians' data at too much risk. Why risk it when we should ensure that the data is stored here, onshore rather than offshore? While recognising the significant costs involved in ensuring adequate data security, I would also raise the likelihood that the so-called light-touch approach of this bill will need to be revisited in the future. Recent revelations in the banking sector suggest that very large and well-resourced companies—yes, Which bank?—can still prove shamefully negligent in failing to comply with regulatory regimes, even those relating to money laundering and terrorist financing. All too often, the pursuit of super profits and directors' bonuses can lead corporations to skate over important regulatory obligations. I suspect that this legislation will be the first in building much stronger measures to ensure the security of our telecommunications infrastructure and the protection of Australians' personal data. For the moment, I and my colleagues will support the bill and the associated proposed amendments, but we do have serious concerns in relation to the offshoring of Australians' data.