An exposure draft outlining proposed changes to Australia's electronic surveillance regime will be made public soon. The proposed changes are meant to harmonise current laws to provide a unified governance framework, adapt to technological developments, and increase the number of government agencies with the authority to conduct electronic surveillance.
Many are concerned as to whether the enhanced powers will be balanced with a justification framework for the intrusion of privacy.
There are four different acts (Acts) that govern government agencies' electronic surveillance powers, and these Acts have different thresholds and requirements. Current laws, some of which were written with technological assumptions and definitions from the 1970s, are lagging behind the pace of technological change. In December 2021, the government released a discussion paper highlighting these issues, and by the end of 2022, they planned to release a public comment exposure draught of the proposed electronic surveillance legislation.
Below, we go over the major revisions proposed in the discussion paper and the industry reactions that may influence the forthcoming legislation.
Major proposed changes
The proposed changes expand the scope of what counts as a "communication" that can be intercepted or accessed to include:
communications stored on a person's device or personal network (such as draft emails and messages which have not been sent);
the person's online activities;
interactions between a person and a machine (such as through the use of a chat-bot or other automated system); and
communications between machines (such as between 'Internet of Things' devices, or data generated by such devices).
The Australian Taxation Office can now access telecommunications data in order to protect public revenue from serious financial crimes, and the Australian Transaction Reports and Analysis Centre (AUSTRAC) can now access telecommunications data in order to prevent money laundering and terrorism financing, all thanks to the expansion of agencies with the authority to engage in electronic surveillance.
Can anyone be under surveillance for little to no reason?
The proposed changes aim to give organisations and individuals under electronic surveillance more clarity over when and how surveillance can occur, as well as what information can be accessed.
There is increasing feedback to the government on restrictions on when and how agencies can use their electronic surveillance powers to ensure that:
the intrusion on privacy is not outweighed by the benefits gained from using the powers; and
the powers are only used by agencies to the extent necessary for them to carry out their responsibilities.
What will the ATO put under surveillance?
Defining what constitutes the "content and substance" of a communication helps bring more clarity to the mechanisms and thresholds for lawful access to information.
"Content" refers to the meat and potatoes of a conversation (the actual words exchanged during a call), while "non-content" refers to the surrounding context in which that conversation takes place (e.g. the time of the call).
Only "content" information is protected from government access without a warrant. There is currently no clear distinction in the Acts between "content" information and "non-content" information (such as whether the URL of a website would be considered "content" information or "non-content" information, or both, given that it may reveal both the address of a communication and the content a person could view on a website).
Additionally, the proposed changes are eliminating the distinction between "live" communications (such as a phone call in progress) and "stored" communications (e.g. an email held on a server). If a communication is intercepted while it is being transmitted over a network, a different warrant was previously needed than if the same communication is accessed at a later time from a storage device. This will no longer be the case now.
When will the ATO have the enhanced surveillance powers proposed?
The bill's exposure draft will be made public in late 2022, and comments from the business community will be solicited and considered before the bill is finalised in early 2023. When the proposed law is made public. In the meantime, businesses should get ready to revise their own policies and procedures regarding the information they will share with authorities and the extent to which they will collaborate with them.
For more information on how to be audit ready and developing a strategic tax information governance plan, please contact us on email@example.com.