Senate debates

Monday, 14 August 2017

Bills

Telecommunications and Other Legislation Amendment Bill 2016; In Committee

12:04 pm

George Brandis (Queensland, Liberal Party, Attorney-General)

by leave—I move all government amendments together:

(1) Schedule 1, item 8, page 6 (line 1), omit "Note", substitute "Note 1".

(2) Schedule 1, item 8, page 6 (after line 4), at the end of subsection 313(1A), add:

Note 2: A person who uses a carriage service to supply various kinds of broadcasting services is not a carriage service provider merely because of that use (and therefore not subject to the duty imposed by this subsection): see subsections 87(1) and (2) and 93(1) and (2).

(3) Schedule 1, item 12, page 8 (line 2), at the end of subsection 314A(2), add:

  ; (f) the carrier or carriage service provider entering into arrangements to have all or some information or documents to which subsection 187A(1) of the Telecommunications (Interception and Access) Act 1979 applies in relation to the carrier or provider kept outside Australia.

(4) Schedule 1, item 12, page 8 (after line 2), after subsection 314A(2), insert:

  (2A) Subsection (1) does not apply to changes to a telecommunications service or a telecommunications system that are changes determined in an instrument under subsection (2B).

  (2B) The Communications Access Co-ordinator may, by legislative instrument, make a determination for the purposes of subsection (2A).

Note: For variation and revocation, see subsection 33(3) of the Acts Interpretation Act 1901.

(5) Schedule 1, item 12, page 8 (after line 19), after subsection 314A(5), insert:

  (5A) The Communications Access Co-ordinator may grant an exemption under subsection (4) or (5) on his or her own initiative or on written application by a carrier or a nominated carriage service provider.

  (5B) If a carrier or a nominated carriage service provider makes such an application, the Communications Access Co-ordinator must, within 60 days of receiving the application, either:

  (a) give the carrier or provider an exemption under subsection (4) or (5); or

  (b) give the carrier or provider a notice in writing refusing the application, including setting out the reasons for the refusal.

  (5C) Applications may be made to the Administrative Appeals Tribunal for review of a decision of the Communications Access Co-ordinator under paragraph (5B)(b) to refuse an application.

(6) Schedule 1, item 12, page 8 (after line 20), after subsection 314A(6), insert:

  (6A) An exemption under subsection (4) or (5) may specify the period during which it is to remain in force. The exemption remains in force for that period unless it is revoked earlier or it ceases to be in force as mentioned in subsection (6B).

  (6B) An exemption under subsection (4) or (5) may be given subject to conditions specified in the exemption. The exemption ceases to be in force if the carrier or nominated carriage service provider breaches a condition.

(7) Schedule 1, item 13, page 21 (after line 15), at the end of subsection 315H(1), add:

Note: The Privacy Act 1988 applies to the disclosure of personal information.

(8) Schedule 1, item 13, page 22 (after line 27), after subsection 315J(1), insert:

  (1A) Without limiting subsection (1), a report under that subsection for a financial year must include the following information for that year:

  (a) the number of directions the Attorney-General gave under subsection 315A(1);

  (b) the number of directions the Attorney-General gave under subsection 315B(2);

  (c) the following:

     (i) the number of notifications the Communications Access Co-ordinator received under subsection 314A(3);

     (ii) in response to such notifications, the average number of days taken by the Co-ordinator to give a notice under subsection 314B(3) or (5);

     (iii) in response to such notifications, the percentage of notices given within the period under subsection 314B(6) by the Co-ordinator under subsection 314B(3) or (5);

  (d) the following:

     (i) the number of applications the Communications Access Co-ordinator received under subsection 314A(5A);

     (ii) in response to such applications, the average number of days taken by the Co-ordinator to give a notice under subsection 314A(4) or (5) or paragraph 314A(5B)(b);

     (iii) in response to such applications, the percentage of notices given within the period under subsection 314A(5B) by the Co-ordinator under subsection 314A(4) or (5) or paragraph 314A(5B)(b);

  (e) the following:

     (i) the number of security capability plans the Communications Access Co-ordinator received under subsection 314C(1);

     (ii) in response to such plans, the average number of days taken by the Co-ordinator to give a notice under subsection 314D(3) or (5);

     (iii) in response to such plans, the percentage of notices given within the period under subsection 314D(6) by the Co-ordinator under subsection 314D(3) or (5);

  (f) the number of notices the Attorney-General's Secretary gave under subsection 315C(2);

  (g) details of the information sharing arrangements between the Commonwealth and carriers and carriage service providers in relation to this Part, to the extent that this Part was amended by the Telecommunications and Other Legislation Amendment Act 2017;

  (h) a summary of any feedback or complaints made in relation to this Part, to the extent that this Part was amended by that Act;

  (i) trends or issues in relation to the matters covered by paragraphs (a) to (h).

(9) Schedule 1, item 13, page 22 (after line 33), after Division 8, insert:

Division 8A—Review by Parliamentary Joint Committee on Intelligence and Security

315K Review by Parliamentary Joint Committee on Intelligence and Security

(1) The Parliamentary Joint Committee on Intelligence and Security must review the operation of this Part, to the extent that this Part was amended by the Telecommunications and Other Legislation Amendment Act 2017.

(2) The review:

  (a) must start on or before the second anniversary of the commencement of this section; and

  (b) must be concluded on or before the third anniversary of the commencement of this section.

(3) The Committee must give the Attorney-General a written report of the review.

I also table a supplementary explanatory memorandum relating to the government amendments to this bill.

The government amendments give full effect to all of the recommendations of the Parliamentary Joint Committee on Intelligence and Security. The recommendations of the committee provide greater clarity and certainty for industry, encourage information sharing and enhance the transparency of the regime's operation. They include amendments to clarify that subsection 313(1A) of the bill does not apply to broadcasters that are not carriage service providers under section 93 of the Telecommunications Act and to amend section 314A of the bill to outline the application process for a carrier or nominated carriage service provider to seek an exemption from the notification requirements for certain types of changes to their networks, allowing an exemption to be time-limited and subject to conditions, providing the communications access coordinator with the ability to issue class exemptions to the notification requirements in section 314A of the bill and enabling applications to the Administrative Appeals Tribunal for review of a decision to refuse an application for exemption for notification requirements. They amend section 315H(1) of the bill to clarify, for the avoidance of doubt, that existing legislative privacy obligations continue to apply; prescribe specific annual reporting requirements on the operation of the bill under section 315J; amend section 314A(2) of the bill to ensure that a carrier or a nominated carriage service provider entering into a new or changed offshoring arrangement for information retained under the data retention regime can trigger notification requirements in respect of that change; and, finally, require the Parliamentary Joint Committee on Intelligence and Security to review the operation of the bill within three years of the royal assent.

12:06 pm

Nick Xenophon (SA, Nick Xenophon Team)

I ask a general question which I think goes in a tangential way to the amendments that the Attorney has just moved, and that relates to the matters I raised in my second reading contribution on the bill, and that relates to the potential offshoring of data. What safeguards are there on that, Attorney? Also, is there any requirement for there to be public notification, for all to see, as to whether our data is actually being stored overseas as part of the legislative regime proposed by this legislation?

12:07 pm

George Brandis (Queensland, Liberal Party, Attorney-General)

Thank you, Senator Xenophon. I am glad you asked, because I'm able to give you an answer in some detail. The government is committed to ensuring that all Australians can have confidence in the security of telecommunications data irrespective of where the data is located or stored, and that is one of the most important policy values underlying this legislation.

The key risk in relation to data holdings is the extent to which they are appropriately secured. Unsecured data holdings in Australia are as vulnerable to attack or unauthorised access as data holdings held overseas. Focusing on offshoring disproportionately emphasises the risk proposed by offshoring arrangements above other types of security risks such as outsourcing arrangements, network access arrangements by persons located outside of Australia or the location of equipment. So the offshoring of data is merely one of the variety of considerations to be borne in mind in ensuring the security of data. The assessment of security risks for individual providers should be based on the full suite of risks and information available on a case-by-case basis. Australia's existing legal framework provides strong protections for information, including requirements under the Privacy Act and requirements under the data retention legislation to protect and encrypt data. Any proposal to mandate reporting of all offshoring arrangements would place a significantly greater regulatory burden on the telecommunications industry. There are approximately 280 carriers and nominated carriage service providers.

In addition to the regulatory burden on industry, assessing large datasets of baseline information would divert departmental and agency resources and focus from the more significant national security risks targeted by the reforms, including espionage, sabotage and unauthorised access and interference. This would undermine the intent of the reforms to enable greater collaboration between industry and government to identify national security risks, having regard to the particular circumstances of a provider. Where there are concerns about the extent to which an individual provider was compliant with its protection obligations, the department can use its information-gathering powers to compel the provider to provide information about the location of its data holdings, including on a retrospective basis.

The government has in any event agreed to implement all of the recommendations of the Parliamentary Joint Committee on Intelligence and Security, which includes recommendation 10, which is a recommendation that the bill specify annual reporting requirements including the number of times directions powers have been exercised, the number of industry notifications and security capability plans that have been received, regulatory performance measures, details of the government's information-sharing arrangements with industry and a summary of feedback or complaints, and which also recommended that the annual report indicate any trends or issues. And it includes recommendation 11, which will expand the scope of the review of the data retention regime commencing in 2019 to include examination of security of data that is stored outside Australia.

12:11 pm

Nick Xenophon (SA, Nick Xenophon Team)

I am grateful to the Attorney for his response, but it still leaves me unclear—perhaps it is my muddle-headedness from the cold I have. Is there a requirement to notify consumers? If I am with a telecommunications provider, I'd like to know whether that telecommunications provider is storing data offshore. I'd imagine that that may be a marketing point of difference for some telecommunications providers—saying, 'We store our data here, only in Australia, not somewhere else.' I think it's a reasonable proposition that consumers and businesses ought to have a right to know where their telecommunications provider stores their data, because I imagine there would be many consumers and many businesses that would feel more comfortable about their data being stored here rather than overseas. My question to the Attorney is: does this legislative framework make it clear whether data is being stored overseas or not, with a particular telecommunications provider? How can consumers establish that fact?

12:12 pm

George Brandis (Queensland, Liberal Party, Attorney-General)

Senator Xenophon, the legislation does not provide for a mandatory obligation on telecommunications service providers to provide that information to consumers. They may, of course, if they choose to do so, and I sought to explain in answer to your initial question the reasons why there are no such mandatory obligations. There are—and I pointed this out a moment ago—very extensive oversight and reporting requirements not merely in relation to data stored offshore but in relation to all data, whether stored offshore or onshore, to protect the security of all data.

12:13 pm

Nick Xenophon (SA, Nick Xenophon Team)

I think the Attorney has been quite open in the way he has answered this, but it still doesn't deal with the potential problem—that is, whether consumers and businesses ought to have a right to know whether their data is being stored overseas or not. Whilst this is not before the chamber now in the committee stage, is the government sympathetic to, or open to, a future amendment to the bill that would simply require information to be provided as to whether data is being stored overseas or not? I think that is a growing issue that concerns an increasing number of Australians and Australian businesses in that regard. I can foreshadow that, if the government is not interested in that, it is something that I will work with my colleagues on both sides of the chamber to try and bring about.

It would not be an onerous requirement. It doesn't actually mandate the data being here, but it simply mandates details of where that data is being stored, which I don't think, on any reasonable stretch of imagination, would be onerous on telecommunication providers. Surely they either know whether their data is going overseas or not. If it is, they ought to have an obligation to tell consumers that it is, which may, in turn, change the behaviour of some companies to think, 'You know, this is something, from a consumers' point of view, where most Australians would like us storing our data here rather than somewhere else.'

12:14 pm

George Brandis (Queensland, Liberal Party, Attorney-General)

Just to make it perfectly clear: as I said before, there is no such mandatory obligation imposed upon industry or telecommunications providers by the bill. I'm advised that the matter was considered by the PJCIS. The PJCIS did not make a recommendation to that effect, but what it did recommend—and what the government has accepted among the PJCIS recommendations—is to re-look at the overall issue of offshoring, in 2019. That is recommendation 11 of the PJCIS report, which the government has adopted. Evidently there was not a sufficient level of concern about this issue by the PJCIS to recommend that the bill be amended to stipulate for a mandatory obligation initially. But in the early stages of the operation of the legislation the matter will be kept under review by the government, of course, and, as I said, we have adopted the PJCIS's recommendation to look at the matter again in 2019 with the operational experience of the legislation in operation.

I always welcome your suggestions and if you want to approach me by correspondence perhaps to ask for this matter to be revisited earlier than the PJCIS recommendation of 2019 I, of course, would always consider very carefully and with great respect any recommendation you may wish to make.

12:17 pm

Nick McKim (Tasmania, Australian Greens)

Given the Attorney responded in detail to precisely none of the questions that I asked in my speech in the second reading debate, we will have to deal with them one by one in the committee stage. I do want to say, given the Attorney's taken his chance on the second reading to personally criticise my understanding of the legislation—a claim, I hasten to add, I rebut and reject entirely—that the Attorney's response to my speech was supercilious and condescending in the extreme. If they didn't invent the word 'supercilious' just for the Attorney, they could have.

Attorney: with regard to whether or not this is a dragnet surveillance of Australians—a claim that you have rejected—I am going to put some information on the record:

The Bill grants the Office of the Attorney-General (AGD), specifically the Attorney General’s Secretary (AGS), the power to collect any type of information from the TelCo:

a. This power is only overseen in terms of an annual report submitted by the AGD to Parliament.

b. This power may be delegated to the Director-General of the ASIO.

c. The ASIO may in turn share the information gathered with the AFP and third parties.

That's actually not an assertion that I am standing here making off my own bat today. What I've just done is read from a submission from the Australian Centre for Cyber Security at the University of New South Wales to the Parliamentary Joint Committee on Intelligence and Security, the closed shop in this place that the crossbench is not represented on.

It is dated 3 February and entitled Submission: review of the Telecommunications and Other Legislation Amendment Bill 2016. Attorney, in the view of the experts at the Australian Centre for Cyber Security this bill grants, in effect, you the power to collect any type of information from the telco. It is clearly a surveillance dragnet. That is an entirely reasonable description of what you are standing in this place today proposing that we agree to. So I stand by my comments I made in my second reading speech. I stand by my assertion that this government is rampantly stripping away from the Australian people fundamental rights, including the right of privacy and the right to be forgotten—key digital rights. As well, a plethora of legislation has come through this parliament in recent years designed to allow security agencies in this country to deprive Australians of their freedom, of their liberty and of their right to make choices about how they live their lives, all whilst epically failing to make any kind of case for change. I can assure the Australian people that the Australian Greens will stand up for their rights in this place. We will stand up for their right to privacy. We will stand up for the basic human rights that both the coalition and Labor members work together to strip away on a regular basis.

I will put again the first question I asked in my second reading speech that wasn't responded to by the Attorney. Attorney, why did you table the Telecommunications (Interception and Access) Act 1979 2015-16 annual report only minutes prior to this debate commencing today? When can we expect the report for the year 2016-17 to be tabled?

12:22 pm

George Brandis (Queensland, Liberal Party, Attorney-General)

I will turn to that, Senator McKim, but first I will address the broader observation you made. I'm afraid, Senator McKim, once again you've completely misunderstood the nature of the bill. You seem to be intending to refer to section 315C of the bill. What section 315C does is create not a scheme of surveillance but a scheme of compliance. It provides a mechanism whereby the secretary of the Attorney-General's Department or his delegate may be satisfied that telecommunication service providers are compliant with their obligations under the bill. That is what section 315C is all about. Senator McKim, because you've so fundamentally misunderstood what this is about, I'm going to read it to you. Section 315C says:

(1) This section applies to a carrier, carriage service provider or carriage service intermediary if the Attorney-General's Secretary has reason to believe that the carrier, provider or intermediary has information or a document that is relevant to assessing compliance with the duty imposed by subsection 313(1A) or (2A).

The obligations, by the way, Senator McKim, imposed by subsections 313(1A) and 313(2A) are obligations upon carriage service providers. This isn't about the surveillance of citizens. It's about the surveillance of carriage service providers. We have often heard posed rhetorically the question: who will watch the watchers? This is a provision that ensures that there is oversight of the carriage service provider—the bearers of this information—in their compliance with their obligations under the legislation. That is not at all what you suggested it was about, so either you have not read it or, if you have, you have misunderstood it. And then the section goes on to set out the way in which that is to be done.

In relation to your second question: the report was tabled this morning because it was received in time to be tabled this morning. The tabling of the 2016-17 report is some time away because there is a large amount of information to be assessed in preparing the report. When that information is assessed, the report will be tabled in a timely manner.

12:25 pm

Nick McKim (Tasmania, Australian Greens)

Firstly, I want to place on the record the frustration of the Australian Greens in having to wait well over a year past the end of the 2015-16 year for the tabling of the 2015-16 report. Having acted for many years as a minister of the crown in Tasmania, I am well aware that annual reports do take some time to compile and to be provided to a minister's office. But I have to say that a delay of some 13 or 14 months is not acceptable to the Australian Greens and ought not to be acceptable to this Senate. This report has been tabled at just a couple of seconds to midnight, a few short minutes before the start of this debate. The timing is highly suspicious. If you want to assuage a small number of the Australian Greens' concerns, you could place on the record, in response to this speech, exactly when that report was received by your office. Either your office has sat on that report or the people compiling the report have taken too long to do so. One or the other of those things must be true. Thirteen to 14 months is too long to wait for a report like that.

In a supercilious and condescending way you have suggested that I either haven't read the bill or don't understand it—neither of which is true. You have again taken exception to my categorisation of this legislation. I will quote again for you from a different section of the Australian Centre for Cyber Security's submission to the Parliamentary Joint Committee on Intelligence and Security's review of the Telecommunications and Other Legislation Amendment Bill 2016. This quote is from page 3:

Session Metadata as ‘any information’.

The metadata includes IP (Internet Protocol) source and destination addresses; source and destination port addresses; and protocol numbers. It therefore includes URLs / web browsing history. … This is the session metadata.

Attorney, I stand by my categorisation and the Australian Greens' categorisation of this bill as a surveillance dragnet. I make the point again that your government has got form on surveillance dragnets, specifically the metadata retention scheme.

Attorney, I also wanted to take the opportunity to give you an opportunity to respond to the industry association's explicit concerns that the underlying approach of this bill is flawed and that it is more likely to make Australian telecommunications networks less secure, due to the one-sided, onerous and excessive nature of the obligations contained in this legislation to be imposed on carriers and carrier service providers. Just so that we are clear, I would categorise the submission from the industry association that you are running a very high risk of not only an unintended consequence or unintended consequences that may flow from this legislation but, in fact, that it will be totally counterproductive—that is, it will achieve the very thing that it purports but is failing to address.

12:31 pm

George Brandis (Queensland, Liberal Party, Attorney-General)

Turning to the three observations that have fallen from Senator McKim, first of all, the report was tabled within the time stipulated by the standing orders, which, I understand, is 15 sitting days. So there has been in fact no delay in the tabling of the report at all, so that statement was wrong.

Nick McKim (Tasmania, Australian Greens)

It was a question, not a statement.

George Brandis (Queensland, Liberal Party, Attorney-General)

Well, the answer is there has been no delay. Secondly, Senator McKim, once again, I thought by reading the actual provision to you, we would put an end to the false issue that you keep raising that this is about surveillance. The powers in section 315C—just to repeat—are not about surveillance. That is not their purpose and it is their effect. Their purpose and effect is to impose a compliance obligation on carriage service providers.

Senator McKim, you quote from evidence before the PJCIS, which I might say, parenthetically, didn't persuade any members of the PJCIS on either side of politics as to its cogency. But leaving that to one side, what you disregard is that the meaning of the word 'information' in the relevant section, section 315C, which, if you have read, you certainly haven't understood, is qualified, and you made no reference to the qualification. So we are not merely talking about any information or document, but:

… information or a document that is relevant to assessing compliance with the duty imposed by subsection 313(1A) or (2A).

So the information or documents to which section 315C is directed are only information or documents by which compliance with an obligation imposed on the carriage service providers is to be evidenced.

It is absolutely commonplace for there to be a supervisory authority which determines whether or not a compliance obligation imposed on a company, in this case, a telecommunications company, has been met. And the way in which this bill goes about that is to provide a power in the secretary of the Attorney-General's Department, not obviously a political official, to require the provision of documents of the telecommunications company, which will indicate whether or not there has been compliance with their obligations under this bill—nothing whatsoever to do with surveillance of content. That is the answer to the second observation, Senator McKim.

In relation to the third observation, may I merely say, as I said in introducing the amendments and in winding up the second reading debate, there has been a long period of discussion and consultation with industry. You would be familiar, Senator McKim, having been in public life yourself for a long time, that when new obligations are imposed upon industry, sometimes industry resists. I think it is fair to say that in the initial stages of this process—which began, by the way, under the previous government, the Labor government, in 2012—there was some resistance from some parts of the industry. However, through a very long process of consultation and discussion with industry, we have landed at a point at which the government is comfortable that the legitimate interests of industry have been accommodated. Senator McKim, I am surprised to hear you mounting an argument that could have fallen from the lips of Senator Leyonhjelm. You may feel that telecommunications service providers should live in a regulation-free environment. That has never been the case and it's not the government's view. The regulatory burden has been mitigated by the government as a result of those discussions with industry and we are now, I think it's fair to say, on the same page.

I have been given some further information, Senator McKim, on this other false issue you raise about the tabling of the annual report under the TIA Act. It was sent to my office after parliament rose for the winter recess on 29 June. The obligation under the standing orders for the tabling of the report meant that the report was required to be tabled by 14 September—that is, 15 sitting days later. Today is 14 August. So, Senator McKim, perhaps your paranoid fantasies might try to accommodate why, if the government were trying to conceal this report, it tabled the report in advance of the debate on the bill when, in fact, the government would have been entirely within its obligations to withhold the tabling of the report for another month.

12:37 pm

Nick McKim (Tasmania, Australian Greens)

I ask the Attorney-General: why didn't you table it last week so we could have had a reasonable opportunity to go through that report before the start of this debate? Attorney, you just confessed to the Senate that, in fact, you've had this report for somewhere in the region of six weeks. So why wasn't it tabled last week so we could have had a good look through it and an opportunity to use the information and the data in that report to inform this debate? Instead, it was tabled today, two seconds to midnight, just before this debate started. I stand by the criticisms I have made around the timing of this report.

Let's go back to the substantive issue with regard to 315C. We could bat this backwards and forwards all day and the likelihood is, as is so often the case, we would not agree. So I am going to try to shortcut that and ask you a very simple question: is it the case that the secretary of your department can obtain from carriers and carriage service providers, should this legislation pass through the parliament and receive royal assent, information that includes an Australian person's web browsing history?

12:39 pm

George Brandis (Queensland, Liberal Party, Attorney-General)

I am advised that the answer to your question is no.

Nick McKim (Tasmania, Australian Greens)

Thank you. Can the secretary of your department obtain information that includes URLs that are visited by Australian people?

George Brandis (Queensland, Liberal Party, Attorney-General)

I am advised that the answer to that question is no.

Nick McKim (Tasmania, Australian Greens)

Thank you, Attorney. I appreciate the clarity of your responses. Does the information that can be obtained by the secretary of your department, or that could be obtained if this legislation is successful, include IP source and destination addresses?

12:40 pm

George Brandis (Queensland, Liberal Party, Attorney-General)

The only information or documents that are able to be obtained by the secretary under section 315C are documents or information that are relevant to assessing compliance by the telecommunications company with the duties imposed by section 313(1A) or 313(2A). In other words, assessing whether the telecommunications companies or carriage service providers have performed their compliance obligation. I'm advised that that does not include customer data.

Nick McKim (Tasmania, Australian Greens)

Okay, thank you, Attorney. You said it does not include customer data, so I am asking you—just so that we are being abundantly clear here—about whether this legislation would provide the capacity for the secretary of your department to access such information. It is not whether it is the intent of you or anyone else that that occur, but just whether this legislation provides a framework that delivers to the secretary of your department the capacity to source that information?

12:41 pm

George Brandis (Queensland, Liberal Party, Attorney-General)

No, Senator, because, as I am advised and as is plain from reading section 315C with the obligations imposed by section 313, no such information would be relevant and therefore would not fall within the meaning of information or documents as described by section 315C.

Nick McKim (Tasmania, Australian Greens)

Thank you again, Attorney. I have gone through the list of session metadata that was provided to the Parliamentary Joint Committee on Intelligence and Security. I want to be very clear in my understanding of your responses, so I will just ask you, I guess, a broad question: is it your advice to this Senate that there is no capacity, should this legislation become law, for the secretary of your department to source from carriers and carriage service providers IP source and destination addresses; source and destination port addresses; protocol numbers; URLs; or web-browsing history?

12:42 pm

George Brandis (Queensland, Liberal Party, Attorney-General)

I think I have already told you, Senator. I am advised that such information would not answer the description of that provided for by section 315C.

12:43 pm

Nick McKim (Tasmania, Australian Greens)

Yes. Is that advice you have just given based on legal advice that you have obtained?

George Brandis (Queensland, Liberal Party, Attorney-General)

Well, the officers of the Attorney-General's Department who advise me and who are responsible for this legislation have a very thorough knowledge of the legal aspects of this bill.

Nick McKim (Tasmania, Australian Greens)

I think we'll take that as a no. Attorney, do you accept, in any way, that there is an overlap between this legislation and the metadata retention scheme? That is, will any information able to be sourced and assessed through the metadata retention scheme also be able to be sourced under this legislation?

12:44 pm

George Brandis (Queensland, Liberal Party, Attorney-General)

First of all, I want to chastise you for your very unchivalrous and rude reflection upon those who advise me—as I have tried to point out to you, those who advise me are not only qualified lawyers who work for the Attorney-General's Department but they are specialists in this area of the law, with a specialist knowledge of this bill.

Senator McKim, the purpose of the metadata retention legislation was to impose an obligation to retain metadata for a period and for the purposes set out in that legislation. This legislation, as I have pointed out to you several times now, is concerned with something completely different—that is, creating a system for creating a framework for the protection of telecommunications systems. In order to better protect the security of information carried by telecommunications systems and by carriage service providers, it imposes obligations upon those companies and carriage service providers of the kind that I have described in the second reading speech and in summing up the second reading debate. The issues are completely different.

12:45 pm

Nick McKim (Tasmania, Australian Greens)

I can assure your departmental officers that I have no reason to believe they are anything other than consummate professionals who take their jobs very seriously. Just so that we can all understand what I meant when I said 'legal advice', I was specifically referring to formal legal advice obtained from either the Solicitor-General or his office or the Australian Government Solicitor or the office of the AGS. Those are the organisations to which I was referring when I said that I think we can take the answer as a no.

Attorney, thanks for your response on the previous question. Can I ask you now about any oversight powers that may exist for the Ombudsman in regard to any information sourced under this legislation. Will the Ombudsman have oversight powers as the Ombudsman does with metadata collected under the metadata creation and retention disclosure scheme?

12:46 pm

George Brandis (Queensland, Liberal Party, Attorney-General)

Senator McKim, the Ombudsman's jurisdiction is as set out in his act. The operation of that act is not excluded by this legislation.

12:47 pm

Jenny McAllister (NSW, Australian Labor Party)

I indicate that the opposition will be supporting the government's amendments. As I indicated in my second reading remarks, they do implement the recommendations made by the PJCIS, and it is our view that they will improve the operation of the legislation.

I also indicate, in response to some of the remarks made through the course of the second reading debate and the committee's proceedings, that the opposition does recognise there are grave risks and new risks that arise from having a society so intimately and integrally dependent on digital and that managing telecommunications risks is at the heart of managing against those more general risks. There have been remarks through the course of the debate that indicate that we could expect telecommunications service providers to manage these risks as a commercial imperative. I would submit to the Senate that that I think misunderstands the nature of the risk and the commercial imperative as it applies to these businesses. It is true that in most instances it will be in the commercial interests of a telecommunications service provider to meet national security objectives. Indeed, the experience so far has been that these service providers have engaged constructively with government. However, it is possible to imagine a circumstance where national security objectives do not align with the commercial imperatives of a business. Under those circumstances, the directors of that company would find themselves in a difficult situation. At least one impact of this legislation would be to create comfort for directors who now have an active obligation to manage, as best they can, national security in the operation of their business.

I also wish to remark briefly on the debate that has taken place around offshoring and, in doing so, to note that there is a distinction between security risks to data that is voluntarily provided by a consumer of telecommunications services and security risks to data that is held as a result of government legislation—specifically, retained metadata. That distinction was recognised by the committee and in part is reflected in the recommendations made by the committee that there ought to be special consideration given to security obligations around retained metadata. The government amendments now provide that, where changes to the handling of retained metadata are being contemplated by a telecommunications service provider, they need to notify government that that is the case, and the opposition believes that that is appropriate.

As previously, I indicate that we're supportive of these amendments and commend the bill overall to the chamber.

Cory Bernardi (SA, Australian Conservatives)

The question is that amendments (1) to (9) on sheet JC433, standing in the name of the government and moved by Senator Brandis, be agreed to.

Question agreed to.

Bill, as amended, agreed to.

Bill reported with amendments; report adopted.