Australia’s New Cybercrime Law

Cybercrime poses a significant challenge for law enforcement agencies and criminal justice systems across the globe. The borderless nature of the internet makes it easier for cyber attacks to be externally instigated. In response, Australia, together with a number of other nations, has taken steps to harmonise laws intended to combat cyber threats and facilitate greater international cooperation between law enforcement agencies.

Australia’s new cybercrime law, which came into force on March 1, 2013, establishes the legislative framework for Australia’s accession to the Council of Europe Convention on Cybercrime (the Convention) (see WDPR, March 2013, page 40).

The new cybercrime law has been effected by the amendment of a number of existing Commonwealth statutes, including the Mutual Assistance in Criminal Matters Act 1987 (Cth), the Criminal Code Act 1995 (Cth), the Telecommunications (Interception and Access) Act 1979 (Cth) and the Telecommunications Act 1997 (Cth).

The essence of the new law is to empower Australia’s law enforcement and intelligence agencies to compel carriers to preserve the communications records of persons suspected of cyber-based crimes. The new law also expands the Commonwealth cybercrime offences and facilitates international cooperation between State parties to the Convention through the cross-border sharing of communications records.

Australia’s Accession to the Convention

Australia acceded to the Convention on November 30, 2012. It joins 48 other signatories to the Convention, including the United States and Germany.

The Convention is the first international treaty on crime committed via the internet and other computer networks, and deals in particular with computer related fraud, child pornography and violations of network security.

Data Preservation

Under the cybercrime law, Australian law enforcement agencies, including the Federal and State police and the Australian Security Intelligence Organisation (the ASIO), may require carriers to preserve communications about specified persons or telecommunications services in relation to domestic or foreign criminal investigations.

There are two categories of preservation notice: domestic and foreign.

Domestic Preservation Notices

Domestic preservation notices relate to stored communications that might assist in the investigation of a serious contravention of Australian law. A “serious contravention” is an offence that carries three years’ imprisonment or a $19,800 (U.S.$20,373) fine for an individual or a $99,000 (U.S.$101,855) fine for non-individuals.

A domestic preservation notice may be historical or ongoing.

A historical preservation notice may be issued by a law enforcement agency or the ASIO to mandate the preservation of communications held by carriers on the day the notice is received. The notice will be valid for up to 90 days unless revoked by the issuing agency or until the warrant for access to the stored communications ceases to be in force.

An ongoing preservation notice may be issued by the ASIO for the preservation of stored communications held by the carrier during the 29 day period following the receipt of the notice. The notice will be valid for up to 90 days unless revoked by the issuing agency or at the end of five days after the warrant for access to the stored communications is issued.

Domestic preservation notices (whether historical or ongoing) can only be issued if:

• there are reasonable grounds for suspecting there to be stored communications in existence, or that might come into existence, which may assist in connection with the investigation of a serious contravention by the issuing agency, or in obtaining intelligence relating to security by the ASIO, and which relates to the person or service specified in the notice; and

• the issuing agency, or the Director-General of Security on behalf of the ASIO, intends to apply for a warrant to access the stored communications.

Foreign Preservation Notices

A foreign preservation notice may be issued by the Australian Federal Police (AFP) to require carriers to preserve all stored communications held on the day the notice is received. The notice is valid for 180 days unless revoked earlier by the AFP.

A foreign preservation notice may be issued if a request has been made by a foreign country to access stored communications held by the carrier that relates to a specified person or service, and which is relevant to an investigation or investigative proceeding of a serious foreign contravention. A “serious foreign contravention” is a criminal offence punishable by a maximum penalty of three or more years’ imprisonment, life imprisonment or the death penalty, or a fine of $126,800 (U.S.$130,457).

Following the receipt of a domestic or foreign preservation notice, the carrier must ensure that communications records that may otherwise have been deleted in accordance with its internal data management policies and practices are preserved. Compliance with a preservation notice is also a condition of a carrier licence.

Accessing Stored Communications

A stored communications warrant must be obtained before an agency can access preserved communications. The warrant is valid for five days or until the day it is first executed, whichever occurs first.

In deciding whether or not to issue the warrant, the issuing authority must have regard to:

• the privacy of any person or persons that would likely be interfered with as a result of allowing access to the stored communications;

• the gravity of the conduct constituting the serious contravention;

• how much the information would assist the investigation; and

• in the case of a domestic preservation notice, the extent to which alternative methods of investigation are available and have been utilised.

An issuing authority can be a Magistrate or a Judge, or any other person appointed by a Minister, in the case of a domestic preservation notice. In the case of a foreign preservation notice, the issuing authority is the Attorney-General.

International Cooperation

Mutual assistance is the process by which countries provide formal government-to-government assistance in the investigation and prosecution of criminal offences and related proceedings.

The cybercrime law is intended to facilitate Australia’s ability to provide mutual assistance to other State parties and to receive such assistance in return in respect of offences covered under the Convention. This has been effected by increasing the range of law enforcement tools available for Australian agencies to assist foreign investigations, and by providing Australian agencies with greater access to information stored overseas in the investigation of cybercrimes.

Cybercrime Offences

Computer crimes in Australia are set out in Commonwealth as well as State and Territory law. Offences under the Commonwealth Criminal Code 1995 (Cth) include unauthorised access, modification or impairment of data held in a computer with intent to commit a serious offence, unauthorised modification of data to cause impairment, and the unauthorised impairment of electronic communications.

The cybercrime law expands the application of the Commonwealth offences — for compliance with the Convention — by removing the requirement that a Commonwealth computer or Commonwealth data be involved or affected, or that a carriage service be used, in the commission of the offence. The cybercrime law also extends the geographic reach of the provisions to conduct which occurs wholly or partly in Australia, on board an Australian aircraft or ship, and to the conduct of Australian nationals abroad in certain circumstances.

The Cybercrime Law and Privacy

The expanded powers of Australian and foreign law enforcement agencies to access, collect and retain the stored communications of individuals without their consent, and the potential to use those records in the investigation and prosecution of serious offences, raise obvious privacy concerns.

The cybercrime law overrides the protections afforded to individuals under the National Privacy Principles, as well as under the new Australian Privacy Principles, which will replace the National Privacy Principles from March 2014 as part of recently enacted amendments to Australia’s Privacy Act (see analysis at WDPR, December 2012, page 4).

However, proponents of the new cybercrime law contend that the law achieves an appropriate balance between privacy and cybercrime prevention, as a result of the law’s various protections against misuse of information by those who are permitted access.

Firstly, an agency can only access preserved communications records with a warrant. As discussed above, a warrant will only be issued after the issuing authority has considered and balanced the countervailing privacy interests of affected individuals with the need to investigate the serious contravention (or serious foreign contravention) to which the communications records are alleged to relate.

Secondly, a preservation notice is only available for investigations of a “serious contravention” or “serious foreign contravention”. The serious nature of the offences covered by the preservation notices means that privacy rights are unlikely to be interfered with frequently or on a large scale.

Furthermore, and similar to the decision by issuing authorities as to whether to grant a warrant, before an agency can issue a preservation notice, it is required to consider privacy issues and determine whether there are reasonable grounds to suspect that the carrier holds or will hold the relevant communications records and whether the information obtained would likely assist the investigation.

For domestic preservation notices, an additional protection stems from the automatic revocation of the notice after 90 days and the ability of an agency to revoke the notice when the agency is no longer satisfied that grounds exist for issuing the notice. In the case of foreign preservation notices, such notices are only valid for up to 180 days.

Finally, the use of the preservation powers by law enforcement agencies is subject to oversight by the Commonwealth Ombudsman. This is an additional layer of protection by an independent body, with the aim of ensuring that agencies comply with their statutory obligations in the exercise of their powers.

Future Developments

In July 2012, the Parliamentary Joint Committee on Intelligence and Security commenced an inquiry into further potential changes to national security legislation, including Australian telecommunications legislation.

The Committee was instructed by the Attorney-General to provide, amongst other things, recommendations on a data retention scheme with retention periods of up to two years. The terms of reference of the inquiry also included the protection of privacy and the preservation of investigative data in the face of changes to the business and internal procedures of carriers.

Over 230 submissions were received by the Committee. As of mid-April 2013, the Committee had not yet tabled a report.

There seems little doubt that, in the face of the ever-growing scale of cyber attacks being conducted on governments and the private sector in Australia and across the globe, Australia’s cybercrime, data retention and mutual assistance regimes will see further changes.

Paul Kallenbach is a Partner and Solina Sam is a Graduate with Minter Ellison, Melbourne. They may be contacted at paul.kallenbach@minterellison.com and solina.sam@minterellison.com.