Australia's new cybercrime law

29 April 2013

Australia's new cybercrime law, which came into force on 1 March 2013, establishes the legislative framework for Australia's accession to the Council of Europe Convention on Cybercrime (Convention). The cybercrime law has been effected by the amendment of a number of existing Commonwealth statutes, including the Mutual Assistance in Criminal Matters Act 1987 (Cth), the Criminal Code Act 1995 (Cth), the Telecommunications (Interception and Access) Act 1979 (Cth) and the Telecommunications Act 1997 (Cth).

The essence of the new cybercrime law is to empower Australia's law enforcement and intelligence agencies to compel carriers to preserve the communication records of persons suspected of cyber-based crimes. The new law also expands the Commonwealth cybercrime offences and facilitates international cooperation between State parties to the Convention through the cross-border sharing of communication records.

Data preservation

Under the cybercrime law, Australian law enforcement agencies, including the Federal and State police, and the Australian Security Intelligence Organisation (the ASIO), may require carriers to preserve communications about specified persons or telecommunication services in relation to domestic or foreign criminal investigations. There are two categories of preservation notices: domestic and foreign.

Domestic preservation notices

A domestic preservation notice can be issued if there are reasonable grounds for suspecting there to be communications which may assist in connection with the investigation (by the issuing agency) of a serious contravention of Australian law, or assist in obtaining intelligence relating to security by the ASIO, and which relates to the person or service specified in the notice. A 'serious contravention' is an offence that carries three years' imprisonment or a $19,800 fine for an individual or a $99,000 fine for non-individuals.

A domestic preservation notice may be historical or ongoing:

  • An historical preservation notice may be issued by a law enforcement agency or the ASIO. It is to preserve communications held by carriers on the day the notice is received for up to 90 days.
  • An ongoing preservation notice may be issued by the ASIO for the preservation of stored communications held by the carrier during the 29-day period following the receipt of the notice for up to 90 days.

Foreign preservation notices

A foreign preservation notice may be issued by the Australian Federal Police upon request by a foreign country to require carriers to preserve all stored communications that relate to a specified person or service, and which are relevant to an investigation or investigative proceeding of a serious foreign contravention. A 'serious foreign contravention' is a criminal offence punishable by a maximum penalty of 3 or more years' imprisonment, life imprisonment or the death penalty, or a fine of $126,800. The notice preserves communications held by a carrier on the day the notice is received for up to 180 days.

Following the receipt of a domestic or foreign preservation notice, the carrier must ensure that communication records that may otherwise have been deleted in accordance with its internal data management policies and practices are preserved. Compliance with a preservation notice is also a condition of its carrier licence.

Accessing stored communications

A stored communications warrant must be obtained before an agency can access preserved communications. The warrant is valid for 5 days or until the day it is first executed. In deciding whether or not to issue the warrant, the issuing authority must have regard to:

  • the privacy of any person or persons that would likely be interfered with as a result of allowing access to the stored communications;
  • the gravity of the conduct constituting the serious contravention;
  • how much the information would assist the investigation; and
  • in the case of a domestic preservation notice, the extent to which alternative methods of investigation are available and have been utilised.

An issuing authority can be a magistrate or judge, or any other person appointed by a Minister in the case of a domestic preservation notice, and is the Attorney-General in the case of a foreign preservation notice.

International co-operation

The cybercrime law is intended to facilitate Australia’s ability to provide mutual assistance to other State parties and to receive such assistance in return in respect of the investigation and prosecution of criminal offences under the Convention. This has been effected by increasing the range of law enforcement tools available for Australian agencies to assist foreign investigations, and by providing them with greater access to information stored overseas in the investigation of cybercrimes.

Cybercrime offences

Computer crimes in Australia are set out in Commonwealth as well as State and Territory law. The cybercrime law expands the application of the Commonwealth offences under the Criminal Code 1995 (Cth) – for consistency with the Convention – by removing the requirement that a Commonwealth computer or Commonwealth data be involved or affected, or that a carriage service be used, in the commission of the offence. The cybercrime law also extends the geographic reach of the provisions to conduct which occurs wholly or partly in Australia, on board an Australian aircraft or ship, and to the conduct of Australian nationals abroad in certain circumstances.

Future developments

In July 2012, the Parliamentary Joint Committee on Intelligence and Security commenced an inquiry into further potential changes to national security legislation, including Australian telecommunications legislation.

The Committee was instructed by the Attorney-General to provide, amongst other things, recommendations on a data retention scheme with retention periods of up to two years. The terms of reference of the inquiry also included the protection of privacy and the preservation of investigative data in the face of changes to the business and internal procedures of carriers.

Over 230 submissions were received by the Committee. As at the date of this article, the Committee is yet to table its report.

This article is from Privacy Update May 2013.

Author(s) Paul Kallenbach and Solina Sam