On 3 September 2021, the Identify and Disrupt Law received Royal Assent. This law primarily amends the Surveillance Devices Act 2004 (Cth) and the Crimes Act 1914 (Cth) by introducing additional powers for the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) to covertly access and 'disrupt' data held on computers, for purposes associated with combatting serious online crime.
These amendments enhance the range of powers granted to law enforcement agencies under the 'decryption laws' passed in late 2018.
What does the Identify and Disrupt Law do?
The Identify and Disrupt Law creates three new classes of warrants for which the AFP and the ACIC may apply when conducting investigations in connection with online activity.
A warrant may be granted where a law enforcement officer reasonably suspects that one or more relevant offences are being, are about to be, or are likely to be, committed. The new warrants are:
- Data disruption warrants: enable access to data held on a computer(s) to undertake 'disruption activities' to frustrate the commission of criminal activity;
- Network activity warrants: enable the collection of intelligence on serious criminal activity being conducted by criminal networks operating online;
- Account takeover warrants: enable the takeover of a person's online account to gather evidence of criminal activity.
The warrants enable the AFP and the ACIC to (amongst other things) add to, copy, delete or alter other data in the target computer or account, and to intercept a communication passing over a telecommunications system, if the interception is for the purposes of doing anything specified in the warrant.
Law enforcement officers may also take any reasonably necessary steps to conceal the fact that any action has been taken pursuant to the warrant.
The relevant offences, which must be the subject of a warrant, must be 'serious' in nature and carry a maximum sentence of three or more years’ imprisonment.
Potential impacts for the telecommunications and IT sector
Law enforcement officers executing one of the new warrants can access and use a range of technologies, including:
- the target computer;
- a telecommunications facility operated or provided by the Commonwealth or a carrier;
- any other electronic equipment; or
- a data storage device.
Most relevantly for those operating in the telecommunications or digital sectors, the new laws also enable law enforcement officers to apply to a Court for order requiring a specified person to provide any information or assistance that is reasonable and necessary to allow the law enforcement officer to carry out one of these new warrants. This means organisations that operate a carriage service, data storage service or other cloud-based service could find themselves on the receiving end of an order to assist officers in the execution of one of these warrants.
However, in the proceeding, a person may object to disclosing information on the ground that the information, if disclosed, could reasonably be expected to reveal details of data disruption, network activity or account takeover technologies or methods – in other words, the information could reveal vulnerabilities in that person’s (or organisation’s) systems or technologies that could be exploited by others.
The new law creates offences against the unauthorised use or disclosure of protected information. If the use or disclosure of protected information prejudices the effective conduct of an investigation or endangers the health or safety of any person, the offence is punishable by ten years' imprisonment. Therefore, recipients of orders requiring assistance should be careful to maintain the confidentiality of the relevant information obtained through the use of a warrant.
Strengthening existing law enforcement surveillance powers
The Identify and Disrupt Law further enhances the ability of Commonwealth law enforcement agencies to undertake covert computer surveillance, which was initially strengthened by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth), colloquially called the 'decryption laws'.
The decryption laws – which were first of its kind legislation – enables law enforcement bodies to serve a notice on Australian and foreign telecommunications, internet and device providers, requiring them to (amongst other things) decrypt online communications. Read more about decryption laws in Decryption laws update - what's the latest?
Although the Australian Labor party had expressed concerns about the 'decryption laws' and had flagged an intention to wind back parts of the laws had it won the 2019 election, the Identify and Disrupt Law passed through Parliament with support of the Labor party following a review undertaken by the Parliamentary Joint Committee on Intelligence and Security.
What the critics say
Critics of the Identify and Disrupt Law argue that it enables the Federal government to spy on individuals, and concerns have been raised about the further erosion of the public's privacy, particularly when viewed in the broader context of law enforcement powers in investigating online activity.
There are also concerns that targets of the new law could be broader than organised criminal networks, and extend to civil and political activists.
Opponents also argue that only weak protections are provided for journalists and their sources, given that the Judge, AAT Member or Magistrate granting the warrant can weigh the journalists' and their sources' interests with the public's interest. However, the bipartisan support shown for this law appears to indicate this new law and the decryption laws are here to stay.
MinterEllison provides full-service IT legal and consultancy services with extensive experience in privacy, data protection and software and IT service procurement. Our team can assist you in understanding your obligations if you receive a notice under the Identify and Disrupt Law or the Decryption laws.
Contact us for more information.
