Cyber Law – What You Need To Know About The Relevant Legislation

The Office of the Australian Information Commissioner and the Department of Home Affairs are shortly due to release reports summarising data arising from Australia’s privacy and telecommunications legislation.

Whilst we await the Office of the Australian Information Commissioner’s bi-annual report on notifiable data breaches, and the Department of Home Affairs’ annual reports on the use of telecommunications interception and surveillance devices by Australian agencies, it is apt for us to review some key legislation protecting Australians from the interception of their electronic communications and unwanted access to private information:

  • Telecommunications Act 1997 (Cth) (Telecommunications Act);
  • Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act);
  • Surveillance Devices Act 1998 (WA) (Surveillance Devices Act); and
  • Privacy Act 1988 (Cth) (Privacy Act).

Telecommunications Act 1997 (Cth)

The Telecommunications Act provides a foundation for the regulation of Australia’s telecommunications industry, and its compliance with certain international conventions. This foundation includes, among other things, the regulation of ‘carriers’ and ‘service providers’, which are defined under the Telecommunications Act as follows:

  • Carriers: The holder of a carrier licence granted under the Telecommunications Act.
  • Service providers: Carriage service providers and content service providers, who use a carrier’s network to provide telecommunications services to the public.

Carriers and carriage service providers are both obliged by the Telecommunications Act to protect the confidentiality of electronic communications by doing their best to prevent telecommunications networks and facilities from being used to commit offences. This includes an obligation upon carriers and carriage service providers to protect these networks and facilities from unauthorised interference or access.

The Telecommunications Act makes further provision to facilitate information gathering exercises, search, entry and seizure of property, review of decisions and injunctions. Each year, the Australian Communications and Media Authority (ACMA) monitors and reports to the Minister on significant matters relating to the performance of carriers and carriage service providers in upholding their obligations.

Telecommunications (Interception and Access) Act 1979 (Cth)

The TIA Act, read together with the Telecommunications Act, makes it a criminal offence to intercept, access or deal with private telecommunications in certain circumstances where the person is not the sender or intended recipient of the communication.

As a general rule, carriage service providers and licensed telecommunications carriers are required to establish and maintain systems by which the interception of communications is allowed to facilitate access to information as permitted by the TIA Act, for example by criminal law-enforcement agencies. 

The TIA Act sets out a framework by which telecommunications data held by a carrier is preserved. This prevents the communications from being destroyed prior to any warrant being issued to a criminal law-enforcement agency under the TIA Act, and allows agencies to access the telecommunications data for the purpose of their investigations.

The Minister must produce an annual report which includes information about, among other things, how many warrants were issued during that year, how many arrests were made during that year on the basis of lawfully accessed information, and how many proceedings ended during that year in which lawfully accessed information was relied upon as evidence. 

Surveillance Devices Act 1998 (WA)

The Surveillance Devices Act regulates the installation and use of surveillance devices, and places restrictions upon the publication or communication of private conversations and activities.

Except in certain circumstances, a person or company may be criminally liable for an offence contrary to the Surveillance Devices Act, and be liable to a maximum penalty of a $5,000 fine or 12 months’ imprisonment if they are an individual, or a $50,000 fine if they are a body corporate, if they:

  • install, use or maintain (or cause to be installed, used or maintained) a listening device to record, monitor or listen to a private conversation;
  • install, use or maintain (or cause to be installed, used or maintained) an optical surveillance device to record visually or observe a private activity;
  • attach, install, use or maintain (or cause to be attached, installed, used or maintained) a tracking device to determine the geographical location of a person or object without the consent of that person; or
  • knowingly publish or communicate a private conversation, or a report or record of a private conversation, or a record of a private activity that has come to the person’s knowledge as a direct or indirect result of the use of a listening device or an optical surveillance device.

The Surveillance Devices Act plays an important role in the protection of private communications and activities, being those communications or activities held in circumstances that may reasonably be taken to indicate that the people involved desired them to be observed only by themselves.

Privacy Act 1988 (Cth)

The Privacy Act was introduced in 1988 to promote the consistent protection of individuals’ privacy Australia-wide, recognise the required balance between individual protections and the interests of entities in carrying out their functions or activities, and establish a means by which individuals may complain about any alleged interference with their privacy.

The Privacy Act includes 13 ‘Australian Privacy Principles’, which apply to some private sector organisations as well as most Australian Government Agencies. These principles provide the foundation of the privacy protection framework in the Privacy Act, including by governing rights, standards and obligations relating to:

  • the collection, use and disclosure of personal information;
  • an organisation or agency’s governance and accountability practices;
  • the integrity and correction of personal information; and
  • the rights of individuals to access their personal information.

Pursuant to the Privacy Act, certain entities must notify affected individuals and report ‘eligible data breaches’ to the Office of the Australian Information Commissioner (OAIC) where such a breach is likely to result in serious harm to an individual whose personal information is involved.

The OAIC then releases bi-annual reports setting out its key findings in relation to notifiable data breaches during the relevant period. These reports typically provide a variety of information, including but not limited to the following:

  • periodic trends for eligible data breaches;
  • whether eligible data breaches are a result of criminal attack, human error or system fault;
  • the type of personal information involved in any eligible data breach;
  • the time taken to identify eligible data breaches by entities; and
  • the time taken for entities to notify the OAIC of eligible data breaches.

Lavan Comment

The OAIC’s bi-annual report on notifiable data breaches pursuant to the Privacy Act and the Department of Home Affairs’ annual report on the TIA Act are both important sources of information in terms of transparency, and for the purpose of critically analysing vulnerabilities for businesses and individuals who are susceptible to having their private information and communications accessed by unwanted third parties. This assists in the development of new strategies to safeguard against the threat of unwanted attacks on private information, human error and system faults, which should not be overlooked in an ever-changing technological world.

If you have any questions arising from this update, please do not hesitate to contact Iain Freeman, Partner in Lavan’s Litigation and Dispute Resolution Team, and keep an eye out for Lavan’s next Cyber & Data Protection Update in relation to the OAIC’s report on notifiable data breaches for the period from January to June 2022.  

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.