Commonwealth of Australia Explanatory Memoranda Commonwealth of Australia Explanatory Memoranda[Index] [Search] [Download] [Bill] [Help]
2019-2020-2021-2022
THE PARLIAMENT OF THE COMMONWEALTH OF AUSTRALIA
HOUSE OF REPRESENTATIVES
CRIMES LEGISLATION AMENDMENT (RANSOMWARE ACTION PLAN) BILL 2022
EXPLANATORY MEMORANDUM
(Circulated by authority of the Minister for Home Affairs,
the Honourable Karen Andrews MP)
CRIMES LEGISLATION AMENDMENT (RANSOMWARE ACTION PLAN)
BILL 2022
GENERAL OUTLINE
1. The Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022 (the Bill) amends the
Criminal Code Act 1995, the Crimes Act 1914 and the Proceeds of Crime Act 2002 to modernise
criminal offences and procedures to respond to the threat of ransomware.
2. This Bill implements key aspects of the Ransomware Action Plan, announced on 13 October 2021,
which sets out the policy, operational, and legislative response to this growing threat. It introduces
the Government's plan to protect Australia and Australian's against ransomware, build strengthened
response and recovery mechanisms for ransomware victims, and disrupt and deter the perpetrators
of ransomware attacks.
3. The Bill targets the increasing trend of data theft and encryption, cyber extortion, and Ransomware-
as-a-Service (RaaS). Individuals and crime syndicates, including transnational syndicates, have
modernised their cybercrime tradecraft by 'locking' or encrypting computers through ransomware or
by stealing and threatening to release sensitive information contained on a computer publicly. Once
files are stolen or encrypted, criminals demand a ransom (often in the form of hard-to-trace
cryptocurrencies) from the system owner in return for the decryption keys. Malware developers also
provide ransomware for payment (ie, RaaS) which represents the increasing commercialisation and
sophistication of the ransomware business model.
4. Australia's relative wealth, high levels of online connectivity and increasing delivery of services
through online channels make it attractive and profitable for cybercriminals to engage in these
tactics. As new entrants to the criminal marketplace gain access to ransomware, the threat to
Australia will only grow.
5. Detailed notes on the clauses of the Bill are included at Attachment A.
FINANCIAL IMPACT
6. There is no financial impact.
STATEMENT OF COMPATIBILITY WITH HUMAN RIGHTS
7. A Statement of Compatibility with Human Rights has been completed in relation to the Bill. It has
been assessed that the amendments are compatible with Australia's human rights obligations. A
copy of the Statement of Compatibility with Human Rights is at Attachment B.
2
ATTACHMENT A
Crimes Legislation Amendment (Ransomware Action Plan) Act 2022
NOTES ON CLAUSES
Section 1 Short title
1. Section 1 of the Bill provides that the short title of the Act is the Crimes Legislation Amendment
(Ransomware Action Plan) Act 2022.
Section 2 Commencement
2. Section 2 of the Bill sets out the times at which the Act commences once passed by the Parliament.
3. Subsection (1) provides that each provision of the Bill specified in column 1 of the table commences,
or is taken to have commenced, in accordance with column 2 of the table. Any other statement in
column 2 has effect according to its terms.
• The whole of this Bill commences the day after this Bill receives the Royal Asset (Item 1).
4. Subsection (2) provides that any information in column 3 of the table is not part of this Bill.
Information may be inserted in this column, or information in it may be edited, in any published
version of this bill.
Section 3 Schedules
5. Section 3 of the Bill provides that legislation that is specified in a Schedule of the Bill is amended or
repealed as set out in the applicable items in the Schedule concerned, and any other item in a
Schedule to this Act has effect according to its terms.
6. There are three schedules to the Bill. Schedule 1 to the Bill will make amendments to the Criminal
Code Act 1995 (Criminal Code) to:
• Amend the geographical jurisdiction provision under s 476.3;
• Insert an extortion offence into Division 477;
• Amend penalties under Division 478;
• Insert an offence for Dealing with data obtained by unauthorised access or modification
under Division 478;
• Insert new Division 479 dealing with aggravated offences;
• Insert an aggravated offence for persons who target critical infrastructure into Division 479;
• Insert an aggravated offence for persons who produce, supply or obtain data for payment
into Division 479.
7. Schedule 2 to the Bill will make amendments to the Proceeds of Crime Act 2002 (POCA) to:
• Ensure that law enforcement can continue to monitor and freeze criminals' ill-gotten gains
by extending current investigative and freezing powers that cover financial institutions to
certain digital currency exchanges.
8. Schedule 3 to the Bill will make amendments to the Crimes Act 1914 and the POCA to:
• Ensure that the powers available to law enforcement to seize digital assets (including
cryptocurrency) under warrant reflect the operational environment and are suitably adapted,
and extended to prevent the dissipation of proceeds of crime so that it is available for
subsequent restraint and forfeiture action under the POCA.
3
Schedule 1--Amendments of the Criminal Code
Criminal Code Act 1995
Item 1 Section 476.3 of the Criminal Code
9. Item 1 repeals section 476.3 of the Criminal Code and substitutes it with an amended specialised
geographical jurisdiction provision for computer offences under Part 10.7 of the Criminal Code.
10. Amending the geographical jurisdiction provision in this section is necessary to ensure law
enforcement agencies and prosecutorial bodies have the legal authority to investigate and prosecute
offences under Part 10.7 of the Criminal Code where the conduct occurs outside of Australia but
impacts persons in Australia.
11. The amended geographical jurisdiction provision reflects the borderless nature of cybercrime,
changes in criminal methodology, and the evolving landscape of electronic communication and data
storage. In particular, the data of individuals and bodies corporate based in Australia is often hosted
or held within computers (e.g. data storage centres) outside of Australia. For example, this provision
will capture conduct involving individuals who set up personal email accounts or Australian
companies who engage with offshore companies for the purposing of managing their data needs.
Often the location of specific data is indeterminate due to the globalisation of information technology
infrastructure and data storage practices.
12. Cybercriminal activity now effortlessly targets victims across the globe. Often criminals targeting
Australians are not located within Australia. Given the remote means of storing data, cybercriminals
can now identify and target vulnerabilities in foreign data processing centres and networks, thereby
causing harm to Australians through illicit use, possession and control of their data.
13. New paragraphs 476.3(1)(a), (b), (c) and (e) insert provisions designed to replicate the Category A
extended jurisdictional provisions under s 15.1 of the Criminal Code.
14. New paragraph 476.3(1)(d) provides an additional basis for jurisdiction. This provision allows
conduct that occurs wholly offshore which may comprise an offence against Part 10.7 to be
investigated by law enforcement and prosecuted. It has the effect that a person can commit an
offence against Part 10.7 if the conduct occurs wholly outside of Australia and at the time of the
alleged offence, the condition in new subsection 476.3(2) is satisfied.
15. New subsection 476.3(2) establishes a condition which will be satisfied where paragraphs (a), (b)
and (c) are satisfied.
16. New paragraph 476.3(2)(a) identifies relevant conduct and will allow law enforcement and
prosecutorial agencies to investigate and prosecute alleged Part 10.7 Criminal Code offences
provided jurisdictional thresholds are satisfied, and the conduct constituting the alleged offence
relates to:
• unauthorised access to data held in a computer outside Australia
• unauthorised modification of data held in a computer outside Australia
• unauthorised impairment of electronic communication of data to or from a computer outside
Australia, or
• unauthorised impairment of the reliability, security or operation of any data held outside
Australia on a computer disk, credit card or other device used to store data by electronic
means.
17. New paragraph 476.3(2)(b), provides that at the time of the unauthorised access, modification or
impairment mentioned in paragraph 476.3(2)(a), that data is under the control of, or owned by a
4
person, regardless of whether the computer or device is in the person's possession, and the person
is:
• an individual who is resident of Australia and is physically present in Australia; or
• a body corporate incorporated by or under a law of the Commonwealth, or of a State or
Territory.
18. Under new paragraph 476.3(2)(b), control adopts its ordinary meaning. Control of data includes
circumstances where a person exercises authority over data, including under an arrangement (for
example, an agreement, contract or licence, however described) with an entity, that holds that data
on behalf of the person or provides services in relation to that data.
19. Under new paragraph 476.3(2)(b), data that is owned by a person includes data for which a person
has assignable legal rights including copyright or intellectual property rights.
20. Under new subparagraph 476.3(2)(b)(i) the data must be under the control of, or owned by, a
resident of Australia who is physically present in Australia. An individual who is a resident of
Australia is an individual who lives in Australia for a sufficient period of time with some degree of
permanence. For example, this:
• includes individuals who live in Australia and have organised their affairs (economic,
professional or personal) in relation to being in Australia. This is intended to include
Australian citizens, permanent residents, visa holders and unlawful non-citizens residing in
Australia.
• does not include individuals who are transiting temporarily through Australia (such as
persons who travel from another country to an Australian international airport for purposes
of travelling to another country).
21. Under new paragraph 476.3(2)(b), a computer or device mentioned under paragraph 476.3(2)(a)
does not need to be in the person's possession. This provision recognises the nature of data and its
relationship with computers or devices. For example:
• a body corporate uses a data processing centre in a foreign country to manage that body
corporate's data needs. The body corporate does not possess the computer or device on
which the body corporate's data is stored, however the data can be characterised as being
in the control of the body corporate.
• an individual uses a data storage device to store their data, over which they exercise legal
rights, in an account which is hosted on a computer located outside of Australia. The
individual owns their data within this account regardless of whether the person knows the
data will be stored outside of Australia.
22. New paragraph 476.3(2)(c) provides that the data must be reasonably capable of being accessed
within Australia. This establishes a link to Australia and limits the application of the extended
jurisdiction provision.
23. New subsection 476.3(3) provides that for the purposes of paragraphs (2)(b) and (c), any effect on
the control or accessibility of data caused by the unauthorised access, modification or impairment is
to be disregarded. This provision ensures the condition may be satisfied where a person no longer
exercises control or is unable to access their data as a result of the alleged offending. For example,
where data is stored on a computer located outside of Australia and is subject to a ransomware
attack resulting in the data's encryption, which prevents the person's access.
24. New subsection 476.3(8) provides that section 16.1 of the Criminal Code applies, with the exception
of paragraph 16.1(1)(a), therefore requiring the Attorney-General's consent for prosecution of an
offence if the alleged conduct occurred wholly in a foreign country and at the time of the offence, the
person alleged to have committed the offence is neither an Australian citizen nor a body corporate
incorporated by or under a law of the Commonwealth, a State or Territory. Paragraph 16.1(1)(a)
5
does not apply because it refers to consent only being required where certain geographical
jurisdiction provisions apply, and these provisions do not apply to Part 10.7 offences.
25. This provision provides for a further level of safeguard and oversight where a prosecution is sought
against a person. This provision does not require the Attorney-General's consent for the
commencement of an investigation by law enforcement.
Item 2 At the end of Division 477
26. New section 477.4 adds an offence for a person who engages in extortion in relation to unauthorised
access or modification of data held in a computer, or unauthorised impairment of electronic
communication to or from a computer, or unauthorised impairment of the reliability, security or
operation of any data held on a computer disk, credit card, or other device used to store data by
electronic means.
27. This new offence criminalises all forms of extortion in relation to a victim of a computer offence. The
offence captures conduct which involves the computer or data in the possession or control of, or
owned by another person (the victim), and at or after the time of the unauthorised access,
modification or impairment, the person makes a threat to the victim with the intention of compelling
the victim to do or omit to do an act.
28. New paragraph 477.4(1)(a) provides that a person is guilty of this offence whether or not the person
has caused the unauthorised access, modification or impairment of data. This ensures that groups of
individuals or criminal syndicates face criminal liability where individuals comprising the group
perform specific roles.
• For example, a perpetrator may commit an underlying offence that compromises a
computer system, which allows them to install malware (including ransomware) on the
victim's computer. Another perpetrator, as part of the same criminal syndicate group, may
then seek to encrypt the victim's data contained in the computer and threaten to
permanently deprive the victim of their data contained in that computer.
29. Paragraph 477.4(1)(b) identifies that the unauthorised access, modification or impairment involves a
computer in the possession of, or data under the control of, or owned by, a victim.
30. Paragraph 477.4(1)(c) provides that the person must make a threat to the victim in relation to the
victim's computer or data. A threat is taken to be any threat which is unreasonable. For example, this
includes, a demand for payment that is related to the unauthorised access, modification or
impairment of data. The offence is not intended to criminalise conduct which would comprise a
reasonable threat, such as a threat to take legal action or exercise legal rights.
31. Paragraph 477.4(1)(d) provides that the threat must be made using a carriage service.
32. Subparagraph 477.4(1)(e) provides that the person makes the threat with the intention of compelling
the victim to do or omit to do an act. This provision reflects the circumstances and conduct
comprising extortion.
33. This offence is punishable by a maximum penalty of 10 years' imprisonment. This conduct carries
significant risk to the wellbeing of Australians and the viability of Australian businesses. A single
ransomware attack can have devastating long term personal and financial impacts. This punishment
therefore reflects the severity of the conduct and the impact it has on victims, and will punish and
deter cybercriminals who engage in extortion.
34. The penalty also reflects that this conduct is as serious as the conduct comprising the offences
under sections 477.1, 477.2, 477.3. The combination of unauthorised access or modification of data,
or unauthorised impairment, in conjunction with threatening or extorting payment (or some other
gain) represents egregious criminal conduct.
6
35. Subsection 477.4(2) provides that for the purposes of paragraph (1)(b), any effect on the control of
data caused by conduct constituting unauthorised access, modification or impairment, is to be
disregarded. This provision ensures the element of the offence may be satisfied where a person no
longer exercises control of data as a result of the conduct.
36. Subsection 477.4(4) provides that it is not necessary for a prosecution agency to prove that a victim
was actually compelled to do or omit to do the act identified in paragraph 477.4(1)(e).
37. Subsection 477.4(5) provides that for this offence provision, a reference to data under the control of
a person, includes a reference to data under the control of the person that is held in a computer in
the possession of another person.
38. For the purposes of this offence, a victim means a person, which is taken to be either a body
corporate or natural person consistent with Part 2.5 of the Criminal Code.
Item 3 Subsection 478.1 of the Criminal Code (penalty)
39. Item 3 repeals the penalty of 2 years imprisonment under subsection 478.1(1) of the Criminal Code,
substituting it with a penalty of imprisonment for 5 years.
40. Increasing penalties within Part 10.7 of the Criminal Code appropriately reflects the criticality of data
and the need to maintain its availability, integrity, reliability and confidentiality. These penalties have
not been amended since the introduction of the Cybercrime Bill 2001. The conduct captured by
these offences is increasingly prevalent and serious in nature. The increased penalty is intended to
appropriately punish and deter persons engaging in conduct that results in unauthorised access to,
or modification of, restricted data.
41. This amendment also aligns with existing offences under the Criminal Code such as, section 471.3 -
Taking or concealing mail-receptacles, articles or postal messages which carries a penalty of 5
years' imprisonment. Given how data is used by Australians and Australian businesses, including in
relation to communicating by email, this penalty should align with s 471.3 as it criminalises like
conduct.
42. Courts will ultimately have discretion to determine appropriate sentences, up to the maximum
penalty, based on the seriousness of the offending.
Item 4 Section 478.2 of the Criminal Code (penalty)
43. Item 4 repeals the penalty of 2 years imprisonment under subsection 478.2 of the Criminal Code,
substituting it with a penalty of imprisonment for 5 years.
44. Increasing penalties within Part 10.7 of the Criminal Code appropriately reflects the criticality of data
and the need to maintain its availability, integrity, reliability and confidentiality. These penalties have
not been amended since the introduction of the Cybercrime Bill 2001. The conduct captured by
these offences is increasingly prevalent and serious in nature. The increased penalty is intended to
appropriately punish and deter persons engaging in conduct that results in unauthorised impairment
of data held in a computer disk.
45. This amendment also aligns with existing offences under the Criminal Code, including section 471.3
- Taking or concealing mail-receptacles, articles or postal messages which carries a penalty of 5
years' imprisonment. Given how data is used by Australians and Australian businesses, including in
relation to communicating by email, this penalty should align with s 471.3 as it criminalises like
conduct.
46. Courts will ultimately have discretion to determine appropriate sentences, up to the maximum
penalty, based on the seriousness of the offending in question.
7
Item 5 Subparagraph 478.3(1)(b)(i) of the Criminal Code
47. Item 5 inserts "or section 478.1 or 478.2" after "Division 477" in subparagraph 478.3(1)(b)(i) of the
Criminal Code.
48. Currently, s 478.3 criminalises the conduct of possessing or controlling data with intent to commit a
serious computer offence under Division 477 of the Criminal Code. Division 477 offences target
conduct that impairs the security, integrity and reliability of computer data and electronic
communications. Sections 478.1 and 478.2 are also related to the security, integrity and reliability of
data, as they concern unauthorised access or modification of restricted data, and the unauthorised
impairment of data. This amendment expands the range of computer offences that a person may
intend to commit when they possess or control data to include sections 478.1 and 478.2.
49. This amendment will criminalise conduct where a person is in possession of a program designed to
allow unauthorised access to a victim's computer (without modifying the data to cause an
impairment or impairing the electronic communication of that computer) and that person intends to
use the software to access and observe the victim's restricted information.
Item 6 Subsection 478.3(1) of the Criminal Code (penalty)
50. Item 6 repeals the penalty of 3 years' imprisonment under subsection 478.3(1) of the Criminal Code,
substituting it with a penalty of imprisonment for 5 years.
51. Increasing penalties within Part 10.7 of the Criminal Code appropriately reflects the seriousness of
persons who possess or control programs or technology (including ransomware) that enable them to
engage in other computer offences. This penalty has not been amended since the introduction of the
Cybercrime Bill 2001. The conduct captured by these offences is increasingly prevalent and serious
in nature as technology has evolved.
Item 7 Subsection 478.3(2) of the Criminal Code
52. Item 7 omits "against Division 477," substituting it for "mentioned in subparagraph (1)(b)(i)," for
subsection 478.3(2) of the Criminal Code - in line with amendments in Item 5.
53. This is a technical amendment to ensure consistency with the amendment under Item 5.
Item 8 Paragraph 478.4(1)(a) of the Criminal Code
54. Item 8 inserts "or solicits the production, supply or obtaining of data." after "obtains data" in
paragraph 478.4(1)(a) of the Criminal Code.
55. Current section 478.4 criminalises the conduct of producing, suppling or obtaining data (including
malware) with intent to commit a computer offence. This amendment criminalises the conduct of
malware developers where they endeavour to produce, supply or obtain malware.
56. The term 'solicits' takes its ordinary meaning and is intended to capture conduct that involves
endeavouring to obtain, provide or produce data, whether or not the person is successful. For
example:
• a person may be found to have solicited the obtaining of data where they have made
enquiries to obtain data by contacting a ransomware developer, but has failed to
successfully obtain the data due to interception by law enforcement.
• a person may be found to have solicited the production and supply of data where they have
agreed to produce and supply data after being contacted by a prospective buyer of that
data, however, the person fails to successfully supply that data due to the failure of a
payment method by the prospective buyer.
• a person may be found to have solicited the obtaining of data where they have made
enquiries to obtain data by contacting a ransomware developer, but has failed to
successfully obtain the data as the transaction failed due to technical issues with the
banking service or digital currency exchange.
8
Item 9 Subparagraph 478.4(1)(b)(i) of the Criminal Code
57. Item 9 inserts after "Division 477," "or section 478.1 or 478.2," for subsection 478.4(1)(b)(i) of the
Criminal Code.
58. Currently, section 478.4 only applies to conduct where a person produces, supplies or obtains data,
with the intent to commit a serious computer offence under Division 477. Division 477 offences
target conduct that impairs the security, integrity and reliability of computer data and electronic
communications. Sections 478.1 and 478.2 are also related to the security, integrity and reliability of
data, as they concern unauthorised access or modification of restricted data, and the unauthorised
impairment of data.
59. This amendment expands the range of computer offences that a person may intend to commit when
they produce, supply or obtain data to include sections 478.1 and 478.2.
Item 10 Subsection 478.4(1) of the Criminal Code (penalty)
60. Item 10 repeals the penalty of 2 years imprisonment under subsection 478.4(1) of the Criminal
Code, substituting it with a penalty of imprisonment for 5 years.
61. Increasing penalties within Part 10.7 of the Criminal Code reflects the serious of persons who
produce, supply or obtain data (including, malware such as ransomware) which is intended for use in
the commission of an offence. This penalty has not been amended since the introduction of the
Cybercrime Bill 2001. The conduct captured by these offences is increasingly prevalent and serious
in nature.
62. For example, this offence captures increasingly common conduct such as developing ransomware
software and uploading it online for access by any individual, who may go on to commit an offence
using that ransomware software. The increased penalty is intended to appropriately punish and
deter this conduct.
63. Courts will ultimately have discretion to determine appropriate sentences, up to the maximum
penalty, based on the seriousness of the offending in question.
Item 11 At the end of Division 478
64. Item 11 adds new section 478.5 which creates a new offence of dealing with data obtained by
unauthorised access or modification.
65. The offence criminalises conduct that involves obtaining, releasing or modifying (for example,
deleting) data of a victim that has been obtained by unauthorised access or modification. For
example, a cybercriminal may combine the encryption of a person's computer, or the act of
exfiltrating the victim's data, with threats to release or on-sell stolen sensitive data for the purpose
damaging the victim's reputation or financial gain. This tactic is effective even if victims have
adopted robust digital backups because it leverages the value of the private information rather than
the tactic of encrypting a computer system alone.
66. Additionally, this offence criminalises the conduct of third parties who obtain, release or modify
stolen data. For example, a person may dishonestly gain access to a large volume of stolen emails
and release that information online to publicly reveal commercial-in-confidence information
contained in those emails. Ensuring this aspect of the cybercriminal business model is criminalised
is critical to deterring third parties from recklessly obtaining data to either gain an advantage over, or
cause further harm to, a victim.
9
67. New paragraph 478.5(1)(a) provides that the person must dishonestly obtain, cause any access,
cause any modification, or cause any release of data held in a computer.
68. New paragraph 478.5(1)(b) provides that the person commits this offence by using a carriage
service.
69. New paragraph 478.5(1)(c) provides that the data mentioned in paragraph 478.5(1)(a) must be data
that has been obtained through unauthorised access or unauthorised modification, whether or not by
the person. This provision is structured such that it applies to persons who directly and dishonestly
obtain data held in a computer as well as person who dishonestly obtain data by virtue of another
person.
70. This offence imposes a maximum penalty of imprisonment for 5 years. This penalty appropriately
reflects the criticality of data and the need to maintain its confidentiality within Australia's modern
digital economy. This penalty is also consistent with other amended penalty provisions as part of this
Bill.
71. New subsection 478.5(3) defines dishonest as dishonest according to the standards of ordinary
people and known by the defendant to be dishonest according to the standards of ordinary people.
This requires the prosecution to prove that a person has knowledge that they, or through another
person, have recklessly obtained data and they have released or modified that data and the conduct
was dishonest according to the standards of ordinary people.
72. The element of dishonesty recognises the need for certain persons or entities to obtain, release or
modify data for legitimate purposes in limited circumstances, and distinguishes between innocent
third parties from persons who have nefarious reasons for dealing with the data.
73. Conduct that is not intended to result in criminal liability under this offence includes the following:
• a cyber security firm is engaged and authorised to conduct incident response on behalf of a
client in relation to a ransomware or cyber security incident and, in the course of doing so,
obtains data online relating to their victim client or other persons or entities;
• a cyber security firm obtains stolen data for the purposes of advising clients or the public on
incident response or on cyber security controls;
• a person obtains information in the public interest, such as a journalist conducting research
in a professional capacity. As community expectations in relation to public interest may
change over time, the element of dishonesty will ensure that the application of this offence
is able to adapt with community expectations in relation to this offence and determine
whether the data that is obtained or released is on legitimate public interest grounds;
• a company that engages in open source intelligence gathering on breached or stolen data
and provides reports to industry or law enforcement either voluntarily or as part of a paid
service.
74. Conduct that is intended to result in criminal liability under this offence includes the following:
• a person gains unauthorised access to a victim's computer using malware and that person
conducts a ransomware attack or engages in cyber extortion comprising unauthorised
access or modification of data. The person obtains the victim's data, releases it to others
via an online forum and deletes the victim's data on the victim's computer. The person is
criminally liable under this offence as they have recklessly obtained stolen data, and
dishonestly released and modified the victim's data, and the release or modification was
dishonest according to the standards of ordinary people, as the person did not have
authority from the victim to engage in that conduct.
10
• A body corporate became aware through news reports that a competitor was subject to a
cyber incident in which information was released in an online forum. A representative of the
body corporate conducts online web searches of the incident before identifying a website
that purports to have the commercial-in-confidence information. The representative of the
body corporate downloads the purported competitor's commercial-in-confidence
information. The representative uses that commercial-in-confidence information for the
benefit of the body corporate. The representative and the body corporate may be criminally
liable under this offence as they have recklessly obtained the competitor's data and that
conduct was dishonest according to the standards of ordinary people, as the representative
and the body corporate did not have authority from the victim competitor to obtain that data.
75. New subsection 478.5(4) provides that in a prosecution for this offence, the trier of fact determines
whether the conduct of obtaining, releasing or modifying the relevant data was dishonest.
Item 12 At the end of Part 10.7 of the Criminal Code
76. Item 12 adds a new "Division 479--Aggravated offences" at the end of Part 10.7 of the Criminal
Code. Division 479 contains new offences that will apply to persons committing a Part 10.7 computer
offence in relation to a critical infrastructure asset and, persons who engage in an arrangement for
the purposes of propagating malware, including ransomware.
Division 479-Aggravated offences
Division 479.1 Aggravated offence--critical infrastructure
77. New section 479.1 creates an aggravated offence for a person who commits an offence against
sections 477.2, 477.3, 478.1 or 478.2 (the underlying offences) and that offence relates to a critical
infrastructure asset.
78. This new aggravated offence ensures that any computer offence against Australia's critical
infrastructure carries an appropriate penalty and deters would be offenders. A significant disruption
or attack on Australia's critical infrastructure could have significant consequences for Australia's
economy, security and sovereignty. The offence captures conduct where a person commits an
underlying offence, and intends to cause an impact, whether direct or indirect, on the availability,
integrity or reliability of a critical infrastructure asset or on the confidentiality of information about or
stored in, or confidentiality of the critical infrastructure asset.
79. Subparagraph 479.1(1)(a) identifies underlying offences which must be committed together with the
conduct in relation to a critical infrastructure asset. These underlying offences are:
• Section 477.2 - Unauthorised modification of data to cause impairment
• Section 477.3 - Unauthorised impairment of electronic communication
• Section 478.1 - Unauthorised access to, or modification of, restricted data
• Section 478.2 - Unauthorised impairment of data held on a computer disk etc
80. For example, a perpetrator may commit an underlying offence that compromises a critical
infrastructure's computer system, which allows them to install malware on the computer. They may
then seek to use ransomware to encrypt the data contained in the computer and threaten to disrupt
the availability of the critical infrastructure asset unless a ransom is paid.
81. Specific examples of conduct may include:
• A person gains unauthorised access to a telecommunications provider's computer system,
which allows them to install malware (including ransomware) on the computer. They then
seek to use that ransomware to encrypt the data contained in the computer, such as the
11
personal details of clients of the telecommunications provider, and threatens to disrupt the
availability of the telecommunications provider unless a ransom is paid to decrypt that data.
• A person uses malware and gains unauthorised access to a bank's data. The person
modifies that data to cause an impairment to the bank's ability to communicate with
customers. This disrupts the essential services provided by the bank such that customers
are unable to gain access to or use their banking accounts.
• A person uses malware and gains unauthorised access to an electricity asset's computer
network and modifies confidential information and other data contained within that network.
This disrupts the supply of electricity to the general public as well as compromises the
integrity of the confidentiality of customer data sets.
82. Subparagraph 479.1(1)(b) provides that the person must have intended to cause a direct or indirect
impact on the availability, integrity or reliability of the critical infrastructure asset. An impact also
relates to the confidentiality of information about or stored in, or of, the critical infrastructure asset.
This definition is intended to align with the definition of relevant impact in section 8G of the Security
of Critical Infrastructure Act 2018.
83. In accordance with this definition, a relevant impact may be direct or indirect to ensure the focus of
the conduct is on the result of the cyber security incident rather than its source.
84. A relevant impact includes an impact to a critical infrastructure asset's availability. For example, a
cyber attack on a critical infrastructure asset which results in that asset being unable to provide
essential services, such that a significant population does not have access to those essential
services or, the supply is unreliable, is a relevant impact in relation to availability.
85. A relevant impact includes an impact to a critical infrastructure asset's integrity. For example,
unauthorised access to a critical infrastructure asset may result in an impact on business' ability to
trust the integrity of the data held by that asset and is a relevant impact in relation to integrity.
86. A relevant impact includes an impact to a critical infrastructure asset's reliability. For example, a
cyber attack on a critical infrastructure asset which results in that asset being able to provide its
essential services intermittently to a significant population, is a relevant impact.
87. A relevant impact includes an impact to the confidentiality of information about or stored in, or the
confidentiality of, a critical infrastructure asset. For example, a cyber attack on a critical infrastructure
asset in which a person gains unauthorised access to the critical infrastructure asset's computer
system, could result in a compromise to the confidentiality of that information. This is a relevant
impact.
88. However, a relevant impact must be more serious than a reduction in the quality of the essential
services being provided.
89. This offence is punishable by a maximum penalty of 25 years' imprisonment. This will ensure that
perpetrators face punishment commensurate with the severity of their conduct and the risk of harm it
has to critical infrastructure, Australia's national security and economy, and the Australian
community.
90. This penalty is consistent with other serious offences under the Criminal Code, including section
82.3 - Offence of sabotage involving foreign principal with intention as to national security - which
carries a term of imprisonment of 25 years. This offence involves a person engaging in conduct that
results in damage to public infrastructure (infrastructure owned by the Commonwealth) with the
intention that the conduct prejudices Australia's national security.
91. This penalty appropriately reflects the catastrophic risk posed by cyber attacks that utilise
ransomware or malware to cause harm to critical infrastructure, and therefore Australia's national
12
security, economic interests, and the Australian community. It also appropriately punishes and
deters perpetrators in relation to that conduct.
92. New subsection 479.1(7) clarifies that a reference to critical infrastructure in this section, is a
reference to a critical infrastructure asset within the meaning of the Security of Critical Infrastructure
Act 2018.
Division 479.2 Aggravated offence--producing, supplying or obtaining data under arrangement for
payment
93. New section 479.1 creates an aggravated offence for a person who produces, supplies or obtains
data for payment and commits an offence against section 478.4(1) (the underlying offence).
94. Section 478.4(1) makes it an offence for producing, supplying or obtaining data with intent to commit
a computer offence.
95. This offence seeks to criminalise the ransomware business model, including sale, purchase, lease or
commission arrangements in relation to data that is used in the commission of an offence against
section 478.4(1). It captures conduct such as ransomware-as-a-service, whereby a person produces
data with the intent that the data be used in the commission of an offence against Division 477 or
sections 478.1 or 478.2, and that person supplies the data to another person for payment.
96. For example, it criminalises the conduct by a crime syndicate that develops ransomware and solicits
to supply it to other less sophisticated criminals for payment (whether or not they are successful in
supplying the ransomware). It also criminalises conduct by individuals who obtain ransomware with
the intent it be used to modify data to cause impairment, and obtains that ransomware under an
arrangement for payment.
97. Subparagraph 479.2(1)(a) identifies section 478.4(1) - producing, supplying or obtaining data with
intent to commit a computer offence - as the underlying offence.
98. Subparagraph 479.2(1)(b) identifies the circumstances in which a person produces, supplies or
obtains data (malware, including ransomware) involving an arrangement to receive or make a
payment. This includes circumstances where a person produces, supplies or obtains or, solicits the
production, supply or obtaining of, data under an arrangement for the person to receive or make a
payment.
99. This offence is punishable by a maximum penalty of 10 years' imprisonment. This will ensure that
the developers, sellers and buyers of malware face punishment commensurate with the severity of
their conduct in supporting the cybercriminal business model.
100. This penalty is consistent with penalties for existing offences in the Criminal Code, including:
• Section 131.1 - Theft. This offence criminalises conduct of a person who engages in
conduct where a person dishonestly appropriates property belonging to another with the
intention of permanently depriving the other of that property. This offence punishable by a
maximum of 10 years' imprisonment. This offence is analogous to the conduct which
malware, including ransomware, facilitates in relation to computers.
• Division 477 - Serious computer offences. This aggravated offence aligns to penalties
already contained under Division 477 of the Criminal Code in relation to serious computer
offences. Given the enabling nature of the commercialisation and propagation of malware,
including ransomware, is similarly serious, alignment to the penalty provisions under
Division 477 is appropriate and required.
13
101. Subparagraph 479.2(6) defines payment as including a reference to giving or being given property.
Reference to property includes all types of property, including fiat currency and cryptocurrency,
provided as consideration as part of the transaction for the data.
14
Schedule 2--Cryptocurrency exchanges
Proceeds of Crime Act 2002
Overview
102. The Proceeds of Crime Act 2002 (POCA) provides law enforcement agencies with wide-reaching
powers to monitor, freeze, restrain and confiscate proceeds and instruments of crime.
103. The POCA currently enables certain orders and notices to be given or made in relation to 'financial
institutions':
• Freezing orders (section 15B POCA)
• Notices to financial institutions (section 213 POCA), and
• Monitoring orders (section 219 POCA).
104. This measure will ensure that the current regime applies to digital currency exchanges and the
accounts they administer, at a time where there is the rapid adoption of digital currencies. In October
2021, the Select Committee on Australia as a Technology and Financial Centre released its Final
Report, which commented that:
• the total cryptocurrency and digital assets market now totals in the trillion of dollars, and
• around 25 per cent of Australians either currently have, or have previously held
cryptocurrencies, making Australia one of the biggest adopters of cryptocurrencies on a per
capita basis.
105. The amendments will ensure that existing information gathering powers and freezing orders available
in relation to financial institutions can also be exercised in relation to digital currency exchanges.
106. These reforms will enhance law enforcement agencies' investigative powers to ensure they can
identify where digital currencies may be associated with criminal offending and then freeze relevant
accounts to prevent that digital currency from being dissipated (and potentially reinvested in further
criminal activity) before restraint action can be taken under the POCA. This measure is part of a suite
of measures the Government intends on introducing to modernise law enforcement powers and legal
frameworks to ensure that law enforcement agencies can continue to deprive criminals of the benefits
of their crime.
Item 1 Paragraph 7(aa)
107. Item 1 is a consequential change to the outline of the POCA to reflect the amendments made by this
Schedule.
Item 2 Subsection 15B(1)
108. Item 2 expands the scope of the existing freezing order provisions to ensure a freezing order limits
withdrawals and other transactions involving accounts with digital currency exchanges (which will fall
within the definition of 'financial institution'). The use of the word 'transaction' is intended to capture
the broader range of dealings that can occur in relation to digital currencies when compared to fiat
currency, so that law enforcement agencies have the capabilities required to prevent account holders
taking actions that could result in a reduction in the account's balance. For example, some digital
currency exchanges include the ability to swap or trade one type of cryptocurrency held for another,
which could result in a change of the value of the cryptocurrency connected with the account. For the
avoidance of doubt, 'transaction' should be interpreted broadly to include any dealings with digital
currencies held in an account, including dealing with it as a gift, exchanging digital currency for fiat
currency, or transferring digital currency from the digital currency exchange to a private wallet.
109. The rationale for making freezing orders is to prevent the risk of account balances being reduced, and
the criteria in existing section 15B(1) ensures that freezing orders will only be made in situations where
it is necessary to ensure funds (including digital currency) are not moved or dissipated. It follows then
that the freezing order provisions do not operate in a manner that precludes additional deposits to
frozen accounts, and the amendments do not change this fact.
15
Items 3 and 4 Section 15K
110. Current section 15K ensures that withdrawals mandated by law are not affected by the making of a
freezing order. Item 4 reflects that digital currency exchanges will be able to undertake relevant
transactions from an account holding digital currencies where those transactions are required by law.
Items 5 and 6 Section 15L(a) and (c)
111. Current section 15L supports the enforcement of freezing orders by making it an offence for a financial
institution to allow a withdrawal from an account, which is subject to a freezing order, where the
withdrawal contravenes the terms of the orders.
112. Items 5 and 6 align the offence provisions with the amendments inserted through Item 2 by making it
clear a financial institution will also commit an offence if it allows a withdrawal from or transaction
involving an account, which is subject to a freezing order, where the withdrawal or transaction
contravenes the order.
Items 7 and 8 Section 15Q(1)
113. Current section 15Q(1) confers a magistrate with the power to vary a freezing order to enable a
financial institution to allow a withdrawal from the account to meet one or more of the circumstances
in subsections (a) - (d). Allowing for a freezing order to be varied recognises that in certain situations
it will be necessary to allow for withdrawals from a frozen account, such as to allow a person to provide
food and other necessities for their family.
114. Item 8 is intended to ensure that these provisions apply to accounts held with digital currency
exchanges. There is no change to the statutory criteria a magistrate should consider when determining
whether to vary a freezing order.
Items 9 - 11 Definition of 'account'
115. Items 9, 10 and 11 collectively:
• amend the existing definition of 'account' to specifically capture accounts provided by digital
currency exchanges, and
• clarify that the balance of an account that relates to digital cryptocurrency can be expressed
as either the amount of digital currency, Australian currency, or any other currency.
116. Digital currency exchanges adopt a variety of different operational structures and processes through
which they provide a registrable digital currency exchange service. For example, a user may deposit
$10,000 to an account held with a digital currency exchange, and use those funds to interact (or
'purchase') digital currencies controlled by the exchange. A user could invest half of those funds to
acquire 0.5 Ether and 0.25 Bitcoin (an example of digital currencies offered by a digital currency
exchange). Their account balance would then show that they have $5,000 in fiat currency, 0.5 Ether
and 0.25 Bitcoin.
117. Item 10 inserts subsection (ea)(i) and (ii), which provides that the definition of 'account' extends to an
account relating to digital currency that includes:
• an account representing the holding of an amount of digital currency, and
• an account provided as part of a digital currency exchange.
118. These new definitions of 'account' are intended to capture an account holding fiat currency and any
sub-accounts or related accounts that contain different digital currency balances a user holds. The
'account' 'provided as part of a digital currency exchange' definition is intended to operate as a catch-
all to ensure that different operating structures to the one described above do not circumvent the
Government's clear policy intention to capture any fiat currency and digital currency balances e.g., the
$5,000, 0.5 Ether and 0.25 Bitcoin in the above example.
16
119. However, the accounts described in (ea)(i) and (ea)(ii) are not intended to be an exhaustive list of the
types of accounts that might be held with digital currency exchanges and subject to a freezing order,
as denoted by the phrase 'and includes' in the introductory component of that definition.
Item 12 Definition of 'digital currency' and 'digital currency exchange'
120. Item 12 inserts a new definition of 'digital currency' and 'digital currency exchange' in section 338 of
the POCA. The definition of 'digital currency' adopts the same definition as in the Anti-Money
Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act). Under the AML/CTF Act,
digital currency means either: a representation of value that:
• functions as a medium of exchange, a store of economic value, or a unit of account and
• is not issued by or under the authority of a government body and
• is interchangeable with money (including through the crediting of an account) and may be
used as consideration for the supply of goods or services and
• is generally available to members of the public without any restriction on its use as
consideration.
OR
• it means a means of exchange or digital process or crediting declared to be digital currency
by the AML/CTF Rules.
121. However, 'digital currency', as per the definition in the AML/CTF Act does not include any right or thing
that, under the AML/CTF Rules, is taken not to be digital currency for the purposes of that Act.
122. The definition of 'digital currency exchange' means a 'registrable digital currency exchange service'
within the meaning of the AML/CTF Act. Under the AML/CTF Act, registrable digital currency exchange
service means designated services covered by item 50A of table 1 in section 6 of the AML/CTF Act
but not those that are of a kind specified in the AML/CTF Rules.
123. This definition does not require a digital currency exchange to be registered under the AML/CTF Act
before a freezing order can be made. This is to ensure that a digital currency exchange cannot
circumvent the scope of the new regime by failing to enrol with the Australian Transaction Reports and
Analysis Centre in breach of its obligations under the AML/CTF.
Item 13 Definition of 'financial institution'
124. Item 13 expands the definition of 'financial institution' to include a corporation to which paragraph
51(xx) of the Constitution applies that provides a digital currency exchange. This definition expands
the scope of the proceeds of crime regime so that orders that can currently be sought against financial
institutions, or notices that can be given to them, can also be sought or given against a digital currency
exchange.
125. Expanding this definition will also amend the scope of the following provisions by reference:
• Schedule 1 of the POCA as it relates to Schedule 1 - Information gathering by participating
States and self-governing territories, and
• other Acts that rely on the concept of 'financial institution' and related concepts from the
POCA: see for example the International Criminal Court Act 2002, International War Crimes
Tribunals Act 1995 and the Mutual Assistance in Criminal Matters Act 1987.
Item 14 - Amendments to Schedule 2
126. Item 14 clarifies that the amendments made by this Schedule apply in relation to a notice given under
clause 12 of Schedule 1 to this Act on or after the commencement of this clause:
• whether currency, property or a thing to which the notice relates was acquired before, on or
after that commencement; and
• whether conduct or a crime to which the notice relates happened before, on or after that
commencement.
127. The reasons for this application is the same as set out in paragraph 130 below.
17
Item 15 Application of amendments
128. Item 15 clarifies that the amendments made by this Schedule, to the extent that they relate to an order
under Part 2-1A or 3-4 of the POCA, or a notice given under section 213 of the POCA, apply in relation
to an application or notice made under the abovementioned provisions made on or after the
commencement of this item:
• whether currency, property or a thing to which the application or notice relates was acquired
before, on or after that commencement, and
• whether conduct or a crime to which the application or notice relates happened before, on or
after that commencement.
129. In effect, this provision is intended to ensure that a freezing order, monitoring order, or notice to
financial institution can be made in relation to currency, property, conduct or crime to which the order
or notice relates, but which occurred before, on or after commencement. These amendments do not
have the effect of permitting orders to be made retrospectively.
130. The application of these amendments is consistent with previous amendments to POCA. It is also
necessary to ensure all relevant criminal conduct is captured, as the offending leading to POCA action
may be historic or occur over a period of time. Further, at the time of requesting information, such as
through a notice to a financial institution, there will often limited information as to which accounts exist
and when they were opened. Accounts may also be opened significantly prior to the suspected
offending. As such, by providing express provisions in relation to the application of these amendments,
these issues are put beyond doubt and prevent the potential frustration of POCA investigations and
proceedings through arguments about when criminal conduct occurred or specific accounts were
opened.
18
Schedule 3 --seizing digital assets
Crimes Act 1914 and Proceeds of Crime Act 2002
Overview
131. The ability for law enforcement agencies to seize evidential material and tainted property represents
a vital capability in their ability to effectively disrupt the criminal business model by depriving criminals
of the benefits of their crime and prosecuting those who engage in activities that threaten the interests
of all Australians.
132. The Crimes Act 1914 (Crimes Act) and Proceeds of Crime Act 2002 (POCA) establishes the legal
basis upon which law enforcement agencies can seize:
• in relation to the Crimes Act, evidential material in relation to an offence to which the warrant
relates or another offence that is an indictable offence, evidential material (within the meaning
of the POCA), or tainted property (within the meaning of the POCA), and
• in relation to the POCA, tainted property to which the warrant relates, evidential material in
relation to property to which the warrant relates, or evidential material (within the meaning of
the Crimes Act) relating to an indictable offence (as defined in the POCA).
133. Law enforcement agencies are seeing an increase in criminals' use of digital assets to facilitate their
offending and as a means to hold and distribute the benefits derived from their offending, including in
the context of ransomware, money-laundering and other predicate offending. The provisions will
complement existing search and seizure powers by including provisions that specifically address some
of the unique issues and complexities that arise in search for and seizure of digital assets. This will
ensure that the powers available to law enforcement reflect the operational environment and are
suitably adapted and extended to prevent the dissipation of proceeds of crime so that it is available
for subsequent restraint and forfeiture action under the POCA.
134. This measure is part of a suite of measures the Government intends on introducing to modernise law
enforcement powers and legal frameworks to ensure that law enforcement agencies can continue to
deprive criminals of the benefit of their offending.
Item 1 Definition of 'digital asset'
135. Item 1 inserts a new definition of 'digital asset' and 'seize' into subsection 3C(1).
136. A 'digital asset' means:
• a digital representation of value or rights (including rights to property), the ownership of which
is evidenced cryptographically and that is held and transferred electronically by a type of
distributed ledger technology or another distributed cryptographically verifiable data
structure, or
• a right or thing prescribed by the regulations, but does not include any right or thing that,
under the regulations, is taken not to be a digital asset for the purposes of this Part.
137. The first limb of the definition is cast broadly to capture a range of digital assets that could hold value
and be capable of restraint or forfeiture action under the POCA. Without limitation, it is intended to
capture a broad range of assets such as 'coins', 'stablecoins' and 'tokens' as those terms are used by
the crypto-asset industry. However, recognising the evolving nature of digital assets, the second limb
of the definition is designed to provide flexibility to tailor the definition as technology changes and in
the use of digital assets in criminal offending changes.
19
138. This definition is broader than that in relation to the measure in Schedule 2. This difference is
intentional, recognising that:
• for the definition of 'digital currency' in relation to the measure in Schedule 2, the intention is
to capture digital currencies in accounts administered by financial institutions (now defined
to include digital currency exchanges) noting that the institutional arrangements that support
the administration and facilitation of these accounts is capable of supporting the freezing
order and notice to financial institution regimes under the POCA, and
• for the definition of 'digital assets' in relation to this measure, the intention is not to limit the
search and seizure powers to digital currency which is administered or facilitated by a digital
currency exchange, but to confirm the ability of law enforcement agencies to seize digital
assets that are capable of having a value and could be subject to restraint and confiscation
under the POCA .
139. In that way, 'digital currency' as will be defined in the POCA, can be viewed as a subset of 'digital
assets' as will be defined in the Crimes Act and the POCA (see paragraphs 135, 136 and 173).
140. The new definition of 'seize' clarifies that, in relation to a digital asset, the meaning is affected by
subsection 3FA(3).
Items 2 - 5 When search warrants can be issued
141. Items 2 - 5 collectively ensure that the warrant, when issued, expressly includes reference to law
enforcements' ability to seize digital assets under the terms of that warrant.
142. The intention is for this provision to include the broadest range of things that may relate to a digital
asset, recognising that this is an emerging and evolving area of property. For example, this could
include (amongst other things) anything from a digital wallet, digital asset account or app, information
on a computer hard drive or even the digital asset itself.
Items 6 and 7 Things authorised by a search warrant - additional things for digital assets
143. Item 6 repeals and substitutes the heading of section 3F to 'The things authorised by a search
warrant - general'. This amendment is consequential to the amendments made by item 7.
144. Item 7 inserts new provisions into the Crimes Act that:
• establish the circumstances in which digital assets can be seized, both in relation to warrants
over premises or in relation to warrants over persons
• establish the thresholds required for the seizure of digital assets and the matters the
executing officer or constable assisting must be satisfied of prior to effecting the seizure
• sets out a non-exhaustive list of ways digital assets can be seized
• clarifies the time limit for seizing digital assets, and
• clarifies that a digital asset can be seized at the premises to which the warrant relates, in the
presence of a person to which the warrant relates, or at any other place.
145. These new provisions are intended to complement existing search and seizure powers by specifically
addressing some of the unique issues and complexities that arise in search for and seizure of digital
assets. This includes only requiring that the executing officer or constable assisting finds one or more
things that suggest the existence of the digital asset' before seizure of that digital asset can be
effected.
146. New subsections 3FA(1)(a) to (c) collectively authorises the executing officer or a constable assisting
to seize a digital asset (including as described in subsection (3)) under a warrant in force in relation to
premises if the following three requirements are met:
• the existence of a digital asset: an executing officer or constable assisting is able to seize
a digital asset if in the course of exercising powers under this Part, the executing officer or
constable assisting finds one or more things that suggest the existence of the digital asset.
20
. For example, law enforcement agencies may locate evidence on a person of interest's
(POI) electronic device that they control cryptocurrency (such as via a digital wallet
application), may locate seed phrases written down or stored electronically, or may
locate a cold storage wallet at the premises.
i. Other examples of where a thing suggesting the existence of a digital asset may not be
found at the premises includes where it is located during examination of items that have
been moved under subsection 3K(2) or during the examination of items that have been
seized under the search warrant.
• nature of the digital asset: the executing officer or constable assisting must suspect on
reasonable grounds that the digital asset is 'evidential material' in relation to an offence to
which the warrant relates or another offence that is an indictable offence, or 'evidential
material' or 'tainted property' within the meaning of the POCA. These three conditions
replicate the existing three bases upon which things (other than the evidential material
specified in the warrant) can be seized under paragraph 3F(1)(d), subject to a change to the
threshold required from 'believes on reasonable grounds' to 'reasonably suspects'. This
change:
. reflects the fact that the existing threshold is often difficult to meet in relation to digital
assets because it is not always as clear whether digital assets are linked to a crime as it
may be other forms of property. For example, the existence of large sums of cash at a
premises is quite unusual in the broader community. Where large sums of cash are
found during a search warrant, the "believes on reasonable grounds" threshold may be
satisfied, due to this being so uncommon. The holding of digital assets is becoming more
ubiquitous within the community, so the mere fact that a person holds a digital asset may
not necessarily, on its own, be sufficient to meet a reasonable belief threshold. To seize
a digital asset under the reasonable suspicion threshold, any suspicion that the digital
asset is evidential material or tainted property must be reasonably held. This means
there will need to be other information available to the relevant officer which objectively
indicates a connection between the digital asset and criminal activity, before seizure is
able to occur, and
i. is not intended to apply to the existing search warrant provisions in subsections 3F(1) or
(2) - the lower threshold applies only to the seizure of digital assets, and
• reasons for seizure: the executing officer or the constable assisting reasonably suspects
that seizing the digital asset is necessary to prevent the digital asset's concealment, loss or
destruction or its use in committing an offence.
147. For the avoidance of doubt, the phrase 'concealment, loss or destruction' includes 'dissipation' of the
digital asset, including by transferring it in whole or in part to another entity, digital wallet etc.. This
covers situations where there is a reduction in the value or balance of the digital asset, such as in
circumstances where a person moves or sells most (but not all) of the digital asset.
148. The note in that section is intended to clarify that:
• the digital asset need not be found at the premises
• the new powers to seize digital assets is not intended to limit existing powers in relation to
accessing data. These new powers are also exercisable in relation to digital assets, as set
out in the example.
149. New subsections 3FA(2)(a) to (c) collectively authorises the executing officer or a constable assisting
to seize a digital asset (including as described in subsection (3)) under a warrant in force in relation to
persons if the same requirements in paragraph 146 are met. Importantly, the inclusion of the note after
section 3FA(2)(c) is intended to clarify that the digital asset need not be found in the person's
possession.
21
150. Subsection 3FA(3) is intended to clarify some of the ways in which digital assets can be seized under
subsection 3FA(1) or (2). This includes:
• transferring the digital asset from an existing digital wallet (or some other thing) to a digital
wallet (or other thing) controlled by the Australian Federal Police or a police force or police
service of a State or Territory
• transferring the digital asset from a digital wallet (or some other thing) recreated or
recovered by a police force or police service using things found in the course of the search
authorised by the warrant; and to a digital wallet (or other thing) controlled by the Australian
Federal Police or a police force or police service of a State or Territory, and
. The recreation or recovery of a digital wallet would involve the use of information
including, but not limited to, private keys and seed phrases located during the execution
of the warrant to obtain access to the digital asset. Access to individual digital assets
are secured using a private key, and these keys are often held in digital wallets that allow
a user to manage the digital asset. These wallets generally provide a recovery
mechanism through the use of a seed phrase which is generated during the wallet
creation process. Seed phrases are typically a list of words that contain all the information
required to recover the digital assets held in a deterministic digital wallet. Possession of
this seed phrase, therefore allows access to the digital assets controlled by the digital
wallet when the pin number, password or other access method has not been provided.
• transferring the digital asset in circumstances prescribed by regulations made for the
purposes of this paragraph.
151. Subsection (c) is designed to provide flexibility to expressly prescribe other ways in which digital assets
can be seized, such as to correspond to changes to the definition of 'digital assets'.
152. Subsection 3FA(4) provides that the power to seize a digital asset under the warrant may only be
exercised, to the extent that the exercise of power relates to a thing referred to in paragraphs 3FA(1)(a)
or 3FA(2)(a) for the warrant during the period starting when the warrant is issued and ending when a
particular event occurs.
153. Subsection 3FA(4) is intended to clarify that law enforcement agencies are able to exercise their
powers under subsection 3FA(1) and (2)) at different times depending on the circumstances they
became aware that there was a thing that suggests the existence of a digital asset. The period ends:
• for a thing moved to another place under subsection 3K(2)-- the time applicable under
subsection 3K(3A) or that time as previously extended as described in subsection 3K(3B)
• for a thing seized under this Division--any time that the thing must be returned as described
in Subdivision B of Division 4C of this Part,
• if the thing is data that is copied under subsection 3L(1A) or 3LAA(2)--the time the
Commissioner is satisfied the data is not required (or is no longer required) as described in
paragraph 3L(1B)(b) or subsection 3LAA(3), or
• otherwise - the end of the period of 30 days starting on the day the warrant is issued.
154. Notes 1 and 2 clarify that:
• the power to seize the digital asset may be exercised at different times if there is more than
one thing referred to in paragraph (1)(a) or (2)(a) that suggests the existence of the digital
asset, and
• if 2 or more things referred to in paragraph (1)(a) or (2)(a) suggest the existence of the digital
asset, seizure of the digital asset may occur during the longest period that applies to the
digital asset as a result of the application of this subsection in relation each of those things.
155. This is intended to capture that these powers may need to be exercised at different times:
• the existence of digital assets may be located during searches for evidential material under
subsection 3FA(1) (premises warrant), during searches for evidential material under
subsection 3FA(2) (person warrant), or in the case of a premises warrant, examination of
electronic equipment at the premises for data that is evidential material (section 3L).
22
• the existence of digital assets may be located during examination of items that have been
moved under subsection 3K(2) (note section 3LAA allows examination of electronic
equipment moved under subsection 3K(2) to find data that is evidential material). For
example, law enforcement officers may locate evidence of digital assets, such as seed
phrases to recreate a digital wallet, when examining a laptop under section 3LAA following it
having been moved under subsection 3K(2), and
• the existence of digital assets may be located during examination of items that have been
seized under the search warrant. Section 3ZQU allows use of seized items in investigations,
and section 3ZQV covers examination of seized electronic equipment to access data that
may be evidential material.
156. To illustrate the application of the above section, assume that:
• a laptop computer is moved under section 3K, and a mobile phone is seized under section
3F. the laptop that is moved contains a text file containing a seed phrase for a digital wallet,
and the mobile phone contains the wallet password. Both of these things are capable of
suggesting the existence of cryptocurrency and, provided that the requirements in
paragraphs 3FA(1)(a) - (c) are satisfied, can trigger the exercise of the powers in subsection
(1
• the exercise of these powers can take place within the period that a law enforcement agency
is permitted to retain possession of the mobile phone. This is despite the fact that the laptop
computer may need to be returned after 30 days if not extended.
157. Subsections 4(a) and (b) are subject to existing safeguards in existing subsections. 3K(3A) and
Subdivision B of Division 4C of this Part. That is, the intent of these provisions is that the powers in
subsection (1) and (2) are exercisable:
• for a thing moved to another place under subsection 3K(2)-- a period of 30 days if the thing
is a computer or data storage device, unless otherwise extended. For the avoidance of doubt,
any extension granted in relation to a thing under subsections 3K(3B) - (3D) will automatically
extend the time in which the powers in subsection 3FA(3) can be exercised, and
• for a thing seized under this Division, until such time as the Commissioner is satisfied that
the thing is no longer required.
158. However, in all of the above circumstances, the powers in subsection (1) and (2)) can only be
exercised if the thresholds in paragraphs. 3FA(1)(a) - (c) or 3FA(2)(a) - (c) are satisfied.
159. Although not expressly addressed through this Bill, the expectation is that a law enforcement agency,
after having seized a digital asset, will provide a receipt under section 3Q.
160. Subsections 3FA(5) and (6) are intended to clarify that the new powers in subsection 3FA((1) and (2)
should be exercisable from any location (which for the avoidance of doubt should include the remote
exercise of these powers), and should not have to occur in the presence of the occupant (where a
premises warrant) or person (where a person warrant). These provisions would also extend to:
• providing remote assistance to an officer who is at the premises during the execution of the
warrant, and
• seizure by an officer located at law enforcement agencies' offices or elsewhere following the
moving or seizure of items under the search warrant.
161. Items 8 - 13 are intended to make similar amendments to the POCA to ensure that the legal
frameworks in both Acts remain broadly consistent.
Items 8 - 9 Contents of warrants
162. Items 8 - 9 collectively:
• amend the matters that a search warrant must state to include that the warrant authorises
the seizure of a digital asset if in the course of exercising powers under this Part, the
executing officer or constable assisting finds one or more things that suggest the existence
of the digital asset, and
• require that the warrant reproduce the content of paragraph 228A(1)(a) to (c).
23
163. These provisions are intended to ensure that the warrant, when issued, expressly includes reference
to the ability of law enforcement to seize digital assets under the terms of that warrant.
Items 10-11 - Things authorised by a search warrant additional things for digital assets
164. Item 10 repeals and substitutes the heading of section 228 to 'The things authorised by a search
warrant - general'. This amendment is consequential to the amendments made by item 12.
165. Item 11 inserts new provisions into the POCA that:
• establish the circumstances in which digital assets can be seized
• establish the threshold required for the seizure of digital assets and the matters the executing
officer or constable assisting must be satisfied of prior to effecting the seizure
• sets out a non-exhaustive list of ways digital assets can be seized
• clarifies the time limit for seizing digital assets, and
• clarifies that a digital asset can be seized at the premises to which the warrant relates, in the
presence of a person to which the warrant relates, or at any other place.
166. As these provisions are intended to broadly operate in the same manner as set out in the Crimes Act,
an explanation of these provisions is set out in paragraphs 143 to 161. The key differences reflect the
slightly different structure under the POCA to the Crimes Act, and include:
• Subsection 228A(1)(b) requires that the executing officer or a person assisting must
reasonably suspect the digital asset to be tainted property to which the warrant relates,
evidential material in relation to property to which the warrant relates, or evidential material
(within the meaning of the Crimes Act) relating to an indictable offence (as that term is defined
in the POCA)
• transferring the digital asset from a digital wallet (or some other thing) recreated or
recovered by an enforcement agency using things found in the course of the search
authorised by the warrant; and to a digital wallet (or other thing) controlled by an enforcement
agency, and
• transferring the digital asset in circumstances prescribed by regulations made for the
purposes of this paragraph.
167. Subsections 228A(3)(a) - (c) are intended to capture that these powers may need to be actioned at
different times (see paragraph 153 above), and that subsections 228A(3)(a) and (b) are subject to
existing safeguards in existing subsections 244(2) and (3) and Subdivision B or C of Division 3 of this
Part.
168. The intent of these provisions is that the powers in subsection 228A(1are exercisable during the period
starting when the warrant is issued and ending at:
• for a thing moved to another place under subsection 244(2) and (3)-- a period of 72 hours
unless otherwise extended. For the avoidance of doubt, any extension granted in relation to
a thing under subsection 244(3) will automatically extend the time in which the powers in
subsection ((1) can be exercised, and
• for a thing seized under this Division, until such time as the Court orders that the thing be
returned to the person, or
• -otherwise the end of the period of 30 days starting when the warrant is issued.
169. However, in all of the above circumstances, the powers in 228A (1)) can only be exercised if thresholds
in paragraphs 228(1)(a) - (c) are satisfied.
170. The amendments to the POCA do not include a provision similar to that in subsection 3FA(4)(c) of the
Crimes Act. This is because section 256 sets out the process time limits for returning things seized.
While section 245 does not expressly use the word 'seized' in relation to data, paragraph 249(3)(a)
clarifies that actions taken under subsections 245(2) or (3)(b) constitute a 'seizure' for the purposes of
the POCA.
24
171. Although not expressly addressed through this Bill, the expectation is that a law enforcement agency,
after having seized a digital asset, will provide a receipt under section 253.
Item 12 Definition of 'digital asset'
172. Item 13 inserts a new definition of 'digital asset' into section 338. The scope of this definition is the
same as set out in paragraphs 135 and 136.
Item 13 Application of amendments
173. Item 14 clarifies that the amendments made by this Schedule, to the extent that they apply in relation
to an application for a search warrant under Division 2 of Part IAA of the Crimes Act or Part 3-5 of the
POCA on or after the commencement of this item:
• whether property or a thing to which the application relates was acquired before, on or after
that commencement, and
• whether conduct or a crime to which the application relates occurred before, on or after that
commencement.
174. These amendments only apply to search warrants made on or after commencement in recognition
that the threshold of seizing cryptocurrency has been reduced from reasonable belief to reasonable
suspicion and to reflect the introduction of specific powers relating to digital assets.
175. In effect, this provision is intended to ensure that a search warrant can be issued regardless of whether
the criminal conduct to which it relates occurred before on or after commencement or whether the
property of thing to which the application relates was acquired before, on or after commencement.
These amendments do not have the effect of permitting warrants to be made retrospectively.
176. The application of these amendments is consistent with previous amendments to POCA. It is also
necessary to ensure all relevant criminal conduct is captured, as the offending leading to POCA action
may be historic or occur over a period of time. Further, at the time of executing a warrant there may
be limited information as to the full extent and duration of offending or when tainted property may have
been acquired. As such, by providing express provisions in relation to the application of these
amendments, these issues are put beyond doubt and prevent the potential frustration of POCA
investigations and proceedings through arguments about when criminal conduct occurred or things
acquired. Applying the amendment to criminal conduct that has occurred or things that have been
acquired prior to the amendments commencing is also more broadly justified on the grounds that the
seizure of digital assets is already available under warrants and these provisions merely seek to
provide a more specific set of powers in relation to this category of asset.
25
Attachment B
Statement of Compatibility with Human Rights
Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011
Crimes Legislation Amendment (Ransomware Action Plan) Bill 2022
This Bill is compatible with the human rights and freedoms recognised or declared in
the international instruments listed in section 3 of the Human Rights (Parliamentary
Scrutiny) Act 2011.
Overview of the Bill
This Bill proposes amendments to the Criminal Code Act 1995 (Criminal Code Act), the Crimes Act
1914 (Crimes Act) and the Proceeds of Crime Act 2002 (POCA) to modernise criminal offences and
procedures to ensure Australian law enforcement agencies can investigate and prosecute
cybercriminals, as well as modernise law enforcement powers to ensure that law enforcement
agencies can continue to take the profit out of crime.
Geographical Jurisdiction
The Bill amends the extraterritoriality provisions under s 476.3 of the Criminal Code Act to provide
Australian law enforcement with clear legal authority to investigate and prosecute ransomware crimes
and offences as they apply under Part 10.7 of the Criminal Code Act.
The amendments will ensure Part 10.7 of the Criminal Code Act sufficiently criminalises conduct
which occurs in foreign countries to allow law enforcement agencies to effectively investigate and
prosecute offshore cybercriminals, where the crime impacts on a person in Australia.
Existing Category A extended jurisdiction thresholds (under section 15.1 of the Criminal Code Act)
may not be sufficient to meet the above objectives. Consequently, the Bill will amend paragraphs
476.3(1)(a), (b), and (c) of the Criminal Code Act, to replicate Category A extended jurisdictional
provisions under s 15.1 of the Criminal Code Act, for offences that occur in foreign countries.
New paragraph 476.3(1)(d) and (e) and new subsection 476.3(2) provides extended geographical
jurisdiction to enable law enforcement authorities to investigate and prosecute where:
• an alleged Part 10.7 offence occurs wholly outside Australia and the condition in subsection
(2) is satisfied, or
• the alleged offence is an ancillary offence of which the conduct constituting the alleged
offence occurs wholly outside Australia, and the conduct constituting the primary offence to
which the ancillary offence relates, or a result of that conduct, occurs, or is intended by the
person to occur, wholly or partly in Australia or wholly or partly on board an Australian ship.
The condition under subsection (2) is satisfied if:
• the conduct constituting the alleged offence relates to unauthorised access to data held in a
computer; or unauthorised modification of data held in a computer; or unauthorised
impairment of electronic communication of data to or from a computer; or unauthorised
impairment of the reliability, security or operation of any data held on a computer disk, credit
card or other device used to store data by electronic means
• at the time of the unauthorised access, modification or impairment, that data is under the
control of, or owned by, a person who is a resident of Australia and who is physically in
Australia or a body corporate incorporated by or under a law of the Commonwealth or of a
State or Territory regardless of whether the computer or device is in the person's possession,
and
• at the time of the unauthorised access, modification or impairment, that data is reasonably
capable of being accessed within Australia.
Individuals and bodies corporate based in Australia often engage in arrangements in which their data is
being hosted or held within computers (for example data processing centres) outside of Australia. These
arrangements include individuals who set up personal email accounts through Australian companies
entering into contractual arrangements with foreign companies for the purposes of managing their data
needs.
In step with this modern approach to managing data, cybercriminals are identifying and targeting
vulnerabilities in these foreign data processing centres and networks for the purpose of gaining
unauthorised access to, or engaging in unauthorised modification of, data.
The application of extended geographical jurisdiction reflects the increasingly transnational and
borderless nature of cybercrime, which often involves multiple participants in multiple countries.
For example, where:
• an Australian company has a contractual arrangement with an offshore data processing centre
to host that Australian company's data
• the data processing centre's servers are infiltrated by a person or body corporate not authorised
to access that Australian company's data, and the Australian company's data is accessed,
modified or stolen by that person or body corporate, and
• Australian law enforcement agencies suspect that the person or body corporate who has gained
unauthorised access to the data processing centre is also based offshore.
The amendments will allow law enforcement agencies to consider this conduct as potentially
constituting an offence under Part 10.7 of the Criminal Code Act and to investigate accordingly.
The object of the new provisions is to provide law enforcement agencies with the legal authority to
investigate and prosecute crimes that take place in a foreign country but which impact on persons who
are a resident of Australia. This may include Australian citizens, permanent residents, visa holders and
unlawful non-citizens residing in Australia. The provisions are not intended to cover persons who are
only temporarily in Australia, such as those transiting through. Residents of Australia who are the
victims of a ransomware attack should be able to expect that Australian law enforcement agencies can
take action on their behalf to investigate and prosecute these crimes.
Standalone offence of cyber extortion
The Bill introduces a standalone cyber extortion offence which will criminalise the extortive
conduct associated with ransomware: specifically, the conduct of a person making a threat with the
intention of compelling another person to do or omit to do an act.
The Cyber extortion, through ransomware, is an increasingly prevalent incident which impacts all
Australians. Cyber extortion is rising in prevalence because it is an effective means of exercising
power over a victim which may result in a financial gain or some other outcome such as causing a
disruption.
Cybercriminals extort victims (including through ransomware) because it is an effective means to
exercise power over a victim. Through ransomware, cybercriminals are able to extort victims by
'locking' a computer by removing the victim's access to their data through encryption. This
empowers cybercriminals to seek a ransom from victims. Cybercriminals also engage in extortive
conduct where they successfully gain unauthorised access to a victim's data without locking a
computer through ransomware. In this case, the cybercriminals then ransom the victim by threatening
to release the victim's data in an online forum. Through these methods, cybercriminals are
empowered to either coerce money from a victim, permanently deprive the victim of their data, or
release the victim's data publicly.
New section 477.4 creates an offence for a person if:
• Any of the following (whether or not caused by the first person) is occurring or has occurred:
• Any unauthorised access to data held in a computer
• Any authorised modification of data held in a computer
• Any unauthorised impairment for electronic communication of data or from a
computer
• Any unauthorised impairment of the reliability, security or operation of any data held
on a computer disk, credit card or other device used to store data be electronic means,
and
• that unauthorised access, modification or impairment involves a computer in the
possession of, or data under the control of, another person (the victim) and
• the first person makes a threat to the victim in relation to that computer or
data, and
• the first person makes the threat with the intention of compelling the victim
to do or omit to do an act.
The prosecution will need to prove beyond reasonable doubt, all physical and fault elements as part of
the underlying offence in addition to all physical elements of the offence. The new offence does not
remove the requirement for the prosecution to prove intent (which is the fault element for Part 10.7
offences). Further, the penalty for this offence carries a maximum term of 10 years' imprisonment.
This new offence is designed to ensure that all forms of cyber extortion are criminalised. The offence
is designed to take into account the fact that cyber extortion takes place after a computer system is
compromised by a cybercriminal - that is, unauthorised access or impairment of data takes place
which allows the cybercriminal to install malware (including ransomware) on the victim's computer
or, steal that victim's data. This first step empowers the cybercriminal to subsequently activate the
malware (including ransomware) on the victim's computer or, make threats to release the victim's
data - both of these tactics are criminalised by this offence. This offence will enable law enforcement
agencies to conduct investigations and prosecutorial agencies to prosecute under a dedicated offence
provision criminalising cyber extortion.
Aggravated offence relating to cyber attacks on critical infrastructure
The Bill introduces an aggravated offence relating to cyber attacks on critical infrastructure
assets as defined under the Security of Critical Infrastructure Act 2018.
New section 479.1 creates an aggravated offence for a person who commits an offence against
sections 477.2, 477.3, 478.1 or 478.2 (the underlying offences) and the conduct relates to a person
intending to cause a direct or indirect impact on the availability, integrity or reliability of a critical
infrastructure asset or on the confidentiality of information about or stored in, or the confidentiality of,
a critical infrastructure asset.
There is no fault element for the physical elements in this offence, other than the fault elements
(however described) for the underlying offence, which is consistent with other aggravated offences in
the Criminal Code Act.
The prosecution will need to prove beyond reasonable doubt all physical and fault elements as part of
the underlying offence in addition to all physical elements of the aggravated offence. The new offence
does not remove the requirement for the prosecution to prove intent (which is the fault element for
Part 10.7 offences). The penalty for this offence carries a maximum term of 25 years' imprisonment.
This aggravated offence recognises the severe disruption that would be caused by the deployment of
malware (including ransomware) on critical infrastructure assets' computer systems. In some cases,
these cyber security incidents have resulted in sensitive personal and medical information being
encrypted so that it could no longer be used. This conduct directly threatens the operation of essential
facilities and significantly risks the safety of the community. These incidents demonstrate the
importance of deterring cybercriminals from targeting critical infrastructure with ransomware.
A high priority is placed on protecting Australia's critical infrastructure to secure the essential goods
and services all Australians rely on - everything from electricity and water, to healthcare and banking.
A significant disruption or attack on Australia's critical infrastructure could have catastrophic
consequences to Australia's economy, security and sovereignty. Australia's threat environment has
evolved rapidly, including through the proliferation of low cost-high impact malware (particularly,
ransomware). This is supported by the Australian Cyber Security Centre's (ACSC) Annual Cyber
Threat Report 2020-21 which provides that individuals who attack critical infrastructure are engaging
in tactics to hunt 'big game' - that is, those entities in society which cybercriminals perceive as high
profile, high value and/or those that provide critical services. Through ransomware, disruptions to
critical infrastructure may have rapid and serious consequences for the Australian community.
International cyber incidents, such as the ransomware attack on US company Colonial Pipeline, which
affected the distribution of fuel to customers on the east coast of the United States, demonstrate the
potential for attacks to cause devastating harm. Australia is facing increasing cyber security threats to
essential services, businesses and all levels of government, and in the past two years there have been
cyber attacks on federal Parliamentary networks, logistics, the medical sector and universities.
Internationally, there have been disruptive cyber attacks on critical infrastructure including water
services and airports. On 19 June 2020, the Prime Minister advised the Australian Government was
aware that Australia's critical infrastructure was being targeted by a sophisticated state-based actor.
Accordingly, the Government will hold cybercriminals to account if they target Australia's critical
infrastructure. While existing offences under the Criminal Code Act may criminalise certain cyber
attacks (such as attacks on public infrastructure under Division 82 or those attacks which prejudice
Australia's national security), other types of attacks involving privately owned infrastructure may not
be covered.
Therefore, cybercriminals who engage in conduct with the intention of disrupting or impacting critical
infrastructure must face harsh penalties which appropriately reflect the severity of harm or potential
harm they cause to the community. A single attack may cause a cascading disruption to
interdependent critical infrastructure assets which provide several other essential services. The risk of
harm arising from these attacks is nationally significant as they may impact a much wider number of
entities or individuals and/or may disrupt or destroy the targeted critical infrastructure asset's ability
to provide essential services. Through ransomware and big game tactics, cybercriminals attack a
single critical infrastructure asset knowing that this is a critical choke point and dependency for other
critical infrastructure assets.
Dealing with Stolen Data
The Bill introduces a stand-alone offence of dealing with data obtained by unauthorised access or
modification at section 478.5.
This offence criminalises the conduct of a person dealing with data obtained by unauthorised access
or modification if:
• a person dishonestly obtains data, or causes any access to data, or causes any modification to
data, or causes any release of data to one or more persons,
• the person does so using a carriage service, and
• the data has been obtained (whether or not by the person) by any unauthorised access to data
or modification of data held in a computer.
The offence will only apply to persons whose conduct is deemed to be dishonest according to a trier
of fact applying the standards of ordinary people. The trier of fact (or jury) is empowered to make a
determination on whether the conduct was dishonest, and defendants are afforded a fair hearing and
fair trial rights.
As community expectations in relation to public interest may change over time, the element of
dishonesty will ensure that the application of this offence is able to adapt with community
expectations in relation to this offence and determine whether the data that is obtained or released is
on legitimate public interest grounds.
Criminal liability for this offence is strictly determined within the parameters of new section 478.5.
This offence imposes a maximum penalty of imprisonment for 5 years. This penalty appropriately
reflects the criticality of protecting personal information or information that is commercial-in-
confidence and the need to maintain its confidentiality within Australia's modern digital economy.
This new offence represents a key aspect of the tradecraft used by cybercriminals. Cybercriminals
combine the encryption of the victim's network or the act of exfiltrating the victim's data, together
with threats to release or on-sell stolen sensitive data for the purpose damaging the victim's reputation
or financial gain. This tactic is effective even if victims have adopted robust digital backups because it
leverages the value of the private information rather than the tactic of locking a computer system
alone.
Additionally, this offence criminalises the conduct of certain third parties who obtain stolen data.
Ensuring this aspect of the cybercriminal business model is criminalised is critical to deterring third
parties from knowingly accessing stolen data to either gain an advantage over, or cause further harm
to, a victim. This will also help reduce the effectiveness of online cyber extortion on victims. Persons
who knowingly access data taken from a victim's system through cybercrime may have different
motivations. Accordingly, the offence criminalises the conduct of knowingly accessing a company's
stolen data to undermine that business or, to access a victim's personal information to further extort or
harm that person.
The offence is not intended to apply to innocent third parties, including, for example, where:
• a cyber security firm is engaged and authorised to conduct incident response on behalf of a
client in relation to a ransomware or cyber security incident and, in the course of doing so,
obtains data online relating to their victim client or other persons or entities
• a cyber security firm obtains stolen data for the purposes of advising clients or the public on
incident response or on cyber security controls
• a person obtains information in the public interest, such as a journalist conducting research in
a professional capacity, or
• a company engages in open source intelligence gathering on breached or stolen data and
provides reports to industry or law enforcement either voluntarily or as part of a paid service.
Aggravated offence producing, supplying or obtaining data under arrangement for payment
The Bill introduces an aggravated offence criminalising producing, supplying or obtaining data
under arrangement for payment under section 479.2.
This new section creates an aggravated offence for a person who produces, supplies or obtains data
(malware) for payment and commits an offence against section 478.4(1) (the underlying offence).
There is no fault element for the physical elements in this offence, other than the fault elements
(however described) for the underlying offence, which is consistent with other aggravated offences in
the Criminal Code Act.
The prosecution will need to prove beyond reasonable doubt, all physical and fault elements as part of
the underlying offence in addition to all physical elements of the aggravated offence. The new offence
does not remove the requirement for the prosecution to prove intent (which is the fault element for
Part 10.7 offences). Further, the penalty for this offence carries a maximum term of 10 years'
imprisonment.
This offence targets the commercialisation of ransomware, including the increasing use of
Ransomware-as-a-Service (RaaS), which has enabled less-sophisticated actors to gain access to highly
disruptive and readily deployable ransomware.
RaaS is conduct whereby ransomware is developed by one person or entity and sold to other, less
sophisticated criminals. This empowers less sophisticated criminals who would otherwise be unable to
engage in cybercrime. RaaS suppliers often require a percentage of the profits made after a successful
ransomware attack. In some cases, the developers and suppliers of RaaS will operate hotlines and call
centres to assist their cybercriminal 'clients' with technical issues they may have in deploying the
package.
Accordingly, this offence targets the conduct of developers, sellers and buyers engaging in
commercial transactions as part of the ransomware business model. This offence will ensure that the
ransomware business model (through conduct comprising either a sale, purchase, lease or commission
based arrangement) is appropriately criminalised and punished.
Amendments to s 478.4
The Bill amends the offence in section 478.4 of producing, supplying or obtaining data with the
intention to commit a computer Criminal Code Act by criminalising the conduct of persons who
engage in conduct of soliciting, but ultimately failing to produce, supply or obtain data (malware).
This amendment ensures that conduct in seeking to produce, supply or obtain malware, which
ultimately fails, still carries criminal culpability. Existing subsection 478.4(3) removes attempt as an
extension of criminal liability to this offence given its intended application to preparatory conduct.
Penalties
The Bill amends relevant penalty provisions for all Division 478 offences under the Criminal Code
Act such that the maximum penalties for each offence carries at least a maximum term of 5 years'
imprisonment - increasing the maximum term of imprisonment for offences which currently carry a
maximum term of 2 or 3 years' imprisonment.
These increases appropriately reflect the severity of harm or potential harm they cause to the
community.
Digital currency
The Bill amends the POCA to ensure that existing information gathering powers and freezing orders
available in relation to financial institutions can also be exercised in relation to digital currency
exchanges. These reforms will enhance law enforcement agencies' investigative powers to ensure
they can identify where digital currencies may be associated with criminal offending and then freeze
relevant accounts to prevent that digital currency from being dissipated (and potentially reinvested in
further criminal activity) before restraint action can be taken under the POCA.
In October 2021, the Select Committee on Australia as a Technology and Financial Centre handed down
its final report, which considered, among other things, the emergence of cryptocurrency (a type of
digital currency) and other digital assets. That report found that:
[t]he scale and speed with which cryptocurrencies and other digital assets have progressed
in recent years has surprised governments, regulators and policy makers. With a global
market now totalling in the trillions of dollars, the tremendous potential of blockchain
technology and decentralised finance is becoming recognised by mainstream institutions
and investors. Recent survey data shows that 25 per cent of Australians either currently or
have previously held cryptocurrencies, making Australia one of the biggest adopters of
cryptocurrencies on a per capita basis.
Anecdotally, as the mainstream adoption of digital currency increases, so does its criminal use.
Investigations involving digital assets (including digital currency) have been associated with a variety
of crime types including purchase of drugs, child exploitation material and firearm purchasing
through dark-web markets; ransomware and cyber related offences; money laundering; scams and
financing terrorist organisations.
It is therefore imperative that law enforcement agencies have the appropriate capabilities to
investigate the use of digital assets to facilitate criminal activities, including where it becomes the
proceeds of crime, and where necessary, to be able to track, monitor, freeze and seize those digital
assets as a pre-cursor to other restraint actions that can be taken.
The Bill introduces measures to address these challenges in order to:
1 ensure that that criminals are deprived of the benefits of their crimes and are deterred from
further criminal activity
2 disrupt and combat serious and organised crime, and
3 ensure that freezing orders, notices to financial institutions, and monitoring orders can be
made in relation to digital currency exchanges.
The definition of 'digital currency' adopts the same definition as in the Anti-Money Laundering and
Counter-Terrorism Financing Act 2006 (AML/CTF Act), but does not capture any right or thing that,
under the Anti-Money Laundering/Counter-Terrorism Financing Rules (AML/CTF Rules), is taken
not to be digital currency for the purposes of that Act.
The definition of 'digital currency exchange' means a registrable digital currency exchange service
within the meaning of the AML/CTF Act, but does not include designated services covered by
item 50A of table 1 in section 6 of the AML/CTF Act that are of a kind specified in the AML/CTF
Rules.
Search and seizure
The Bill amends the Crimes Act and POCA to ensure the powers available to law enforcement to seize
digital assets (including cryptocurrency) under warrant reflect the operational environment, and are
suitably adapted and extended to prevent the dissipation of proceeds of crime so that it is available for
subsequent restraint and forfeiture action under the POCA.
The objectives sought to be achieved by this measure include to:
4 ensure that criminals are deprived of the benefits of their crimes and are deterred from further
criminal activity, and
5 disrupt and combat serious and organised crime.
A 'digital asset' means:
6 a digital representation of value or rights (including rights to property), the ownership of
which is evidenced cryptographically and that is held and transferred electronically by a type
of distributed ledger technology or another distributed cryptographically verifiable data
structure, or
7 a right or thing prescribed by the regulations, but does not include any right or thing that,
under the regulations, is taken not to be a digital asset for the purposes of Part 1AA of the
Crimes Act.
Human rights implications
The Bill engages the following human rights:
• The right to freedom from discrimination in Article 26 of the International Covenant on Civil
and Political Rights (ICCPR).
• The right to freedom from arbitrary detention in Article 9 of the ICCPR.
• The right to a fair trial and fair hearing in Article 14 of the ICCPR.
• The right to privacy in Article 17 of the ICCPR.
• The right to an adequate standard of living, including the right to adequate food in Article 11
of the International Covenant on Economic, Social and Cultural Rights (ICESCR).
• The right to the enjoyment of the highest attainable standard of physical and mental health,
including medical service and attention in the event of sickness in Article 12 of the ICESCR.
The right of freedom from discrimination
Article 26 of the ICCPR provides that:
All persons are equal before the law and are entitled without any discrimination to the equal
protection of the law. In this respect, the law shall prohibit any discrimination and guarantee
to all persons equal and effective protection against discrimination on any ground such as race,
colour, sex, language, religion, political or other opinions, national or social origin, property,
birth or other status.
This means that laws, policies and programs should not be discriminatory, and also that public
authorities should not apply or enforce laws, policies and programs in a discriminatory or arbitrary
manner.
Discrimination is impermissible differential treatment among persons or groups that result in a person
or a group being treated less favourably than others, based on one of the prohibited grounds for
discrimination.
Amendments to the geographical jurisdiction provisions captured under proposed section 476.3(2)(b)
apply to 'a person who is a resident of Australia.' This could have the effect of excluding certain cohorts
of persons subject to a ransomware attack, for example those merely transiting through Australia.
The phrase 'resident of Australia' includes all those who reside in Australia, requiring a certain degree
of permanence.
The object of this provision is to provide law enforcement with the legal authority to investigate and
prosecute crimes that take place in a foreign country but which impact on persons who reside in
Australia. This may include Australian citizens, permanent residents, visa holders and unlawful non-
citizens residing in Australia.
Although the measure limits the right to non-discrimination, as it does not extend to persons who do
not reside in Australia, the limitation is reasonable, necessary and proportionate, as it enables law
enforcement authorities to investigate and prosecute offences under Part 10.7 of the Criminal Code Act,
to deal with criminal conduct that occurs outside of Australia but ultimately impacts victims in
Australia.
The right to freedom from arbitrary detention
Article 9(1) of the ICCPR provides that:
Everyone has the right to liberty and security of person. No one shall be subjected to
arbitrary arrest or detention. No one shall be deprived of liberty except on such grounds and
in accordance with such procedure as are established by law.
This right applies to all forms of detention where people are deprived of their liberty.
Increasing penalties in the Criminal Code Act
Certain existing computer offences in Part 10.7 of the Criminal Code Act provide adequate maximum
penalties for offences relating to unauthorised access to restricted data. For example, unauthorised
modification of data to cause impairment under section 477.2 and unauthorised impairment of
electronic communication under section 477.3 both carry a maximum of sentence 10 years'
imprisonment.
However, some existing computer offences only carry a maximum sentence of 2 years' imprisonment,
such as the unauthorised access to, or modification of, restricted data under section 478.1 or
unauthorised impairment of data under section 478.2. Other existing computer offences only carry a
maximum sentence of 3 years' imprisonment, such as possession or control of data with intent to
commit a computer offence under section 478.3 or producing, supplying or obtaining data with intent
to commit a computer offence under section 478.3.
These lower maximum penalties do not reflect the seriousness of the offence with reference to the
criticality of data to Australian businesses and individuals or the harm that could be caused by
ransomware or cybercrime on the thousands of individuals whose data could be impacted through
unauthorised access or modification of restricted data or through unauthorised impairment of data
held on a computer disk.
The Bill will amend sections 478.1, 478.2, 478.3 and 478.4 of the Criminal Code Act by increasing
the maximum penalty for these offences to 5 years. Such increases reflect the increasing seriousness
of harm that may be caused by cybercrime and ransomware attacks. The increased penalties do not
amount to arbitrary detention, as they are reasonable and necessary to reflect the seriousness of these
crimes. While five years will be the maximum penalty available for these offences, the penalty is
reasonable given that the penalties will only be applied by a court if a person is convicted of an
offence following a fair trial in accordance with the criminal procedures as established by law.
Maximum penalties are set to adequately deter and punish a worst case offender, while supporting
judicial discretion and independence. The measures are also proportionate to the seriousness of the
offence. The amended penalties are consistent with other like offences. For example, postal offences
under Division 471 of the Criminal Code which similarly address unauthorised access to, disruption
of, or interference with postal items, carry a maximum penalty of 10 years' imprisonment.
As such, existing penalties in the Criminal Code Act do not adequately reflect the severity of
cybercrime offences.
The Online Safety (Transitional Provisions and Consequential Amendments) Act 2021 increased
penalties for offences under section 474.17 of the Criminal Code Act (using a carriage service in a
way that is menacing, harassing or offensive). The maximum penalty was increased from 3 years to 5
years imprisonment to ensure that the seriousness of the offence is matched by a proportionate
punishment. Increasing 2 year penalties to 5 years for section 478 computer offences aligns these
penalties with similar offences.
Aggravated offence for targeting critical infrastructure assets
For the aggravated offence of targeting critical infrastructure assets, the Australian Government
considers that penalties should reflect the seriousness of introducing a vulnerability into, or disrupting
the availability, integrity, relatability or confidentiality of, a critical infrastructure asset.
Like offences, such as sabotage of a public infrastructure asset under section 82.3 of the Criminal
Code Act, carry maximum penalties of 25 years imprisonment. This offence imposes a significant
penalty as the conduct is serious and may seriously prejudice national security, cause loss of life or
significant economic damage. The new aggravated offence introduced in section 479.1 and the
corresponding maximum penalty of 25 years imprisonment reflects the potential for serious disruption
to the availability, integrity, reliability, and confidentially of critical infrastructure assets of vital
importance to Australia and Australian communities. A disruption to a critical infrastructure asset also
carries a significant risk to human life and economic damage, which is reflected by the significant
penalty available under section 479.1. The penalty does not amount to arbitrary detention, as it is
reasonable and necessary to reflect the seriousness of this offence. While 25 years imprisonment will
be the maximum penalty for these offences, the penalty is reasonable given that the penalties will only
be applied by a court if a person is convicted of an offence following a fair trial in accordance with
the criminal procedures as established by law. Maximum penalties are set to adequately deter and
punish a worst case offender, while supporting judicial discretion and independence.
Cyber extortion
New section 477.4 creates a stand-alone cyber extortion offence which will criminalise the extortive
conduct associated with ransomware: specifically, the conduct of a person making a threat with the
intention of compelling another person to do or omit to do an act. This new offence criminalises all
forms of extortion in relation to a victim of a computer offence. The offence captures conduct which
involves the computer or data in the possession or control of, or owned by, another person (the
victim), and at or after the time of the unauthorised access, modification or impairment, the person
makes a threat to the victim with the intention of compelling the victim to do or omit to do an act. The
new offence carries a maximum penalty of 10 years imprisonment. The penalty does not amount to
arbitrary detention, as it is reasonable and necessary to reflect the seriousness of this offence. While
10 years imprisonment will be the maximum penalty for these offences, the penalty is reasonable
given that the penalties will only be applied by a court if a person is convicted of an offence following
a fair trial in accordance with the criminal procedures as established by law. Maximum penalties are
set to adequately deter and punish a worst case offender, while supporting judicial discretion and
independence.
Dealing with stolen data
New section 478.5 creates a stand-alone offence of dealing with data obtained by unauthorised access
or modification. The offence criminalises conduct that involves obtaining, releasing or modifying (for
example, deleting) data of a victim that has been obtained by unauthorised access or modification.
For example, a cybercriminal may combine the encryption of a person's computer, or the act of
exfiltrating the victim's data, with threats to release or on-sell stolen sensitive data for the purpose
damaging the victim's reputation or financial gain. This tactic is effective even if victims have
adopted robust digital backups because it leverages the value of the private information rather than the
tactic of encrypting a computer system alone.
Additionally, this offence criminalises the conduct of third parties who obtain, release or modify
stolen data. For example, a person may dishonestly gain access to a large volume of stolen emails and
release that information online to publicly reveal commercial-in-confidence information contained in
those emails. Ensuring this aspect of the cybercriminal business model is criminalised is critical to
deterring third parties from recklessly obtaining data to either gain an advantage over, or cause further
harm to, a victim.
This offence imposes a maximum penalty of imprisonment for 5 years. This penalty appropriately
reflects the criticality of data and the need to maintain its confidentiality within Australia's modern
digital economy. This penalty is also consistent with other amended penalty provisions as part of this
Bill.
The penalty does not amount to arbitrary detention, as it is reasonable and necessary to reflect the
seriousness of this offence. While 5 years imprisonment will be the maximum penalty for these
offences, the penalty is reasonable given that the penalties will only be applied by a court if a person
is convicted of an offence following a fair trial in accordance with the criminal procedures as
established by law. Maximum penalties are set to adequately deter and punish a worst case offender,
while supporting judicial discretion and independence.
The measure is also proportionate. It is not intended to apply to innocent third parties such as cyber
security firms which obtain information in the course of their duties in acting for a client, or persons
who obtain information in the public interest, such as a journalist conducting research in a
professional capacity. However, as community expectations in relation to the public interest may
change over time, the requirement that the person dishonesty obtain the information will ensure that
the application of this offence is able to adapt with community expectations in relation to this offence
and determine whether the data that is obtained or released is on legitimate public interest grounds. It
is also not intended to apply to companies that engages in open source intelligence gathering on
breached or stolen data and provides reports to industry or law enforcement either voluntarily or as
part of a paid service. These measures help to ensure that criminalisation of this conduct does not
amount to arbitrary detention.
Aggravated offence of producing, supplying, or obtaining data under arrangement for payment
New section 479.2 introduces an aggravated offence criminalising producing, supplying or obtaining
data under arrangement for payment. This new section creates an aggravated offence for a person who
produces, supplies or obtains data (malware) for payment and commits an offence against section
478.4(1) (the underlying offence).
This offence seeks to criminalise the ransomware business model, including sale, purchase, lease or
commission arrangements in relation to data that is used in the commission of an offence against
section 478.4(1). It captures conduct such as RaaS, whereby a person produces data with the intent
that the data be used in the commission of an offence against Division 477 or sections 478.1 or 478.2,
and that person supplies the data to another person for payment.
For example, it criminalises the conduct by a crime syndicate that develops ransomware and solicits
to supply it to other less sophisticated criminals for payment (whether or not they are successful in
supplying the ransomware). It also criminalises conduct by individuals who obtain ransomware with
the intent it be used to modify data to cause impairment, and obtains that ransomware under an
arrangement for payment.
This offence is punishable by a maximum penalty of 10 years' imprisonment. This will ensure that the
developers, sellers and buyers of malware face punishment commensurate with the severity of their
conduct in supporting the cybercriminal business model. The penalty does not amount to arbitrary
detention, as it is reasonable and necessary to reflect the seriousness of this offence. While 10 years
imprisonment will be the maximum penalty for these offences, the penalty is reasonable given that the
penalties will only be applied by a court if a person is convicted of an offence following a fair trial in
accordance with the criminal procedures as established by law. Maximum penalties are set to
adequately deter and punish a worst case offender, while supporting judicial discretion and
independence.
Amendments to section 478.4
The Bill amends the section 478.4 offence by criminalising the conduct of persons who engage in
conduct in soliciting but ultimately failing to produce, supply or obtain data (malware). Currently,
section 478.4 only applies to conduct where a person produces, supplies or obtains data, with the
intent to commit a serious computer offence under Division 477. Division 477 offences target conduct
that impairs the security, integrity and reliability of computer data and electronic communications.
This amendment ensures that conduct in seeking to produce, supply or obtain malware, which
ultimately fails, still carries criminal culpability. Existing subsection 478.4(3) removes attempt as an
extension of criminal liability to this offence given its intended application to preparatory conduct.
The offence is punishable by a maximum of 5 years imprisonment. The amendments will ensure that,
even where someone fails in an attempt to produce, supply or maintain malware, they still face
criminal liability. While 5 years imprisonment will be the maximum penalty for these offences, the
penalty is reasonable given that the penalties will only be applied by a court if a person is convicted of
an offence following a fair trial in accordance with the criminal procedures as established by law.
Maximum penalties are set to adequately deter and punish a worst case offender, while supporting
judicial discretion and independence.
The ACSC's Annual Cyber Threat Report contains an overview of cyber threats affecting Australia,
how the ACSC is responding, and vital advice on how all Australians and Australian organisations
can protect themselves against those threats. In the 2020-21 financial year, the ACSC received over
67,500 cybercrime reports, an average of one every eight minutes, representing an increase of nearly
13 per cent from the previous financial year. Cybercrime reports submitted via ReportCyber (through
cyber.gov.au) recorded total self-reported financial losses of more than $33 billion (AUD). To
increase the likelihood of ransoms being paid, cybercriminals are encrypting networks and also
exfiltrating data, then threatening to publish stolen information on the internet. These shifts in
targeting and tactics have intensified the ransomware threat to Australian organisations across all
sectors, including critical infrastructure. The threat faced by cybercriminals has real personal,
financial, and disruptive impacts to Australians and Australian businesses.
Increasing penalties and imposing offences for cyber extortion, dealing with stolen data, and soliciting
but ultimately failing to produce, supply or maintain malware, and new aggravated offences for
targeting critical infrastructure assets and for producing, supplying or obtaining data under
arrangement for payment, is required to reflect the severity of harm caused by ransomware and
Australia's reliance on internet-enabled devices to communicate data. The measures which increase
the penalties are not arbitrary, as they are reasonable, necessary and proportionate in achieving the
legitimate objective of protecting Australia and Australians from the increasingly disruptive nature of
cyber threats.
The right to privacy
Article 17(1) of the ICCPR provides that:
No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home
or correspondence, nor to unlawful attacks on his honour and reputation.
The use of the term 'arbitrary' means that any interference with privacy must be in accordance with
the provisions, aims and objectives of the ICCPR and should be reasonable in the particular
circumstances. The United Nations Human Rights Committee has interpreted 'reasonableness' to
imply that any limitation must be proportionate and necessary in the circumstances.
A limitation on the right to privacy will be permissible under international human rights law where it
addresses a legitimate objective, is rationally connected to that objective and is a reasonable and
proportionate means of achieving that objective.
The POCA and Crimes Act measures in the Bill may engage the right to privacy because they may:
• require a financial institution to disclose to law enforcement agencies a person's personal
information related to an account held with a Digital Currency Exchange (DCE), such as details
of what accounts a person holds, details of transactions made from particular accounts for up
to six months, and the current balance of the account, and
• require a financial institution to disclose to law enforcement agencies details of transactions a
person makes over a period set out in a monitoring order.
The measures confer on law enforcement agencies the ability to obtain further information on
accounts held with digital currency exchanges (as they will be brought within the definition of
financial institutions), monitor transactions from particular accounts, and if necessary, undertake
additional law enforcement action such as freezing accounts to prevent withdrawals or transactions
from them. These capabilities will enhance law enforcement investigations by providing credible
actionable intelligence and prevent the dissipation of digital currency in circumstances where it could
be used to facilitate criminal activity or where it could be considered the proceeds of crime.
To the extent that these measures limit the rights protected under Article 17 of the ICCPR, these
limitations are not arbitrary, and are reasonable, necessary and proportionate to achieve legitimate
objectives.
The expansion of the regime to include digital currency exchanges retains existing safeguards,
including that:
• these measures are subject to appropriate oversight which takes into account the need to
preserve an individual's rights and interests:
• freezing orders and monitoring orders are subject to independent oversight, such that the
relevant orders must be made by a magistrate after considering whether the legislative
requirements for making the order have been met, and
• notices to financial institutions can only be made by those officers prescribed in the
legislation.
• the orders only operate for a set period of time and need to be reviewed by a magistrate if they
are to be extended. The types of orders that will be able to be sought under these measures
initially operate in relation to:
• freezing orders, a period of three working days
• notices to financial institutions, six months in relation to the requirement to provide
ongoing details about transactions on an account, and
• monitoring orders, three months in relation to the requirement to provide notice of
transactions from a particular account.
As a result of the above, these measures do not operate in a blanket manner and there is sufficient
flexibility to consider individual circumstances and treat different cases differently when deciding
whether particular orders should be made.
Although the amendments will result in the collection and storage of personal information, Australian
Public Service agencies (including law enforcement agencies) are required to comply with the
Australian Privacy Principles which protects the unauthorised disclosure of personal information.
While the measures extend the POCA freezing and monitoring orders to digital currencies held by
financial institutions, limiting the right to privacy, the measures are reasonable, proportionate and
necessary to support the functioning of Australia's proceeds of crime regime and help prevent the use
of digital currency in criminal activity.
The introduction of the search and seizure measure is intended to ensure the powers available to law
enforcement to seize digital assets (including cryptocurrency) under warrant reflect the operational
environment, and are suitably adapted and extended to prevent the dissipation of proceeds of crime so
that it is available for subsequent restraint and forfeiture action under the POCA. This measure
reflects changes in the way criminals are using digital assets as part of their criminal activities. As
Australia has evolved into a modern digital economy, law enforcement agencies are seeing an
increase in criminals' use of digital assets to facilitate their offending and as a means to hold and
distribute the benefits derived from their offending, including in the context of ransomware, money-
laundering and predicate offences. This measure ensures that law enforcement agencies are able to
effectively disrupt and combat serious and organised crime, and that criminals are to be deprived of
the benefits of their crimes and are deterred from further criminal activity.
The search and seizure measures will engage the right to privacy by enabling law enforcement
agencies to conduct a search of a person, or to conduct a search at or in relation to a person's premises
or conveyance, and seize a digital asset identified in the course of those searches. The measures allow
the executing officer to access the person's digital wallet to transfer the contents to a law enforcement
digital wallet as a means of seizing the digital asset. The executing officer needs to reasonably suspect
that the seizure of the digital asset is necessary to prevent the digital asset's concealment, loss or
destruction or its use in committing an offence.
To the extent that these measures limit the right to privacy under Article 17 of the ICCPR, these
limitations are not arbitrary, and are reasonable, necessary and proportionate to meet the increase in
criminals' use of digital assets to facilitate serious offending and ensure law enforcement agencies are
able to continue to effectively detect, disrupt and deter activities harmful to Australians.
The safeguards that currently exist in the legislation, including timeframes which govern how long
law enforcement can retain things moved or seized under warrant will apply to the amendment. For
example, in relation to the amendments to the Crimes Act:
• for a thing moved to another place under subsection 3K(2), the thing can only be retained for
a period of 30 days if the thing is a computer or data storage device, unless otherwise
extended by the issuing officer, and
• for a thing seized under Division 2, until such time as the Commissioner is satisfied that the
thing is no longer required.
The Bill provides that these safeguards will apply to the seizure measures.
This demonstrates that the existing provisions are intended to balance criminal justice outcomes with
the effects depriving a person of their property may have. For that reason, the limitation on privacy is
reasonable, proportionate and necessary to support the functioning of Australia's proceeds of crime
regime and help prevent the use of digital assets in criminal activity.
The right to an adequate standard of living, and highest attainable standard of health
Article 11 of the ICESCR provides that:
(1) The States Parties to the present Covenant recognize the right of everyone to an adequate
standard of living for himself and his family, including adequate food, clothing and
housing, and to the continuous improvement of living conditions ...
It commits States Parties to improve methods of production, conservation and distribution of food.
Article 12 of the ICESCR provides that:
(1) The States Parties to the present Covenant recognize the right of everyone to the
enjoyment of the highest attainable standard of physical and mental health ...
including the creation of conditions which would assure to all medical service and medical attention
in the event of sickness.
The Bill's introduction of an aggravated offence for targeting critical infrastructure assets supports
these rights by recognising the role critical infrastructure plays, in particular critical food and grocery
assets, in ensuring Australia's food security which maintains and sustains life. The introduction of an
aggravated offence is designed to deter cybercriminals from conducting malicious cyber activity
which can disrupt distribution networks and other key operations of Australia's major supermarkets,
which could impact the availability of food and groceries.
Similarly, health care and medical facilities are crucial to Australia's ability to fulfil this obligation as
they provide critical care to patients with a variety of medical, surgical and trauma conditions. The
impact of a successful ransomware attack against health care and medical facilities significantly risks
the standard of physical and mental health available to Australians. An aggravated offence will help
reduce this risk by deterring would be offenders from targeting Australian health care and medical
facilities.
The Bill's POCA and Crimes Act measures may also limit these rights to the extent that the operation
of the freezing order or the seizure of digital assets impacts a person's ability to use their assets to
access relevant goods or services. To the extent that these measures limit the rights protected under
Articles 11 and 12 of the ICESCR, these limitations are not arbitrary, and are reasonable, necessary
and proportionate to achieve legitimate objectives for the same reasons outlined above.
Current section 15Q(1) of POCA confers a magistrate with the power to vary a freezing order to
enable a financial institution to allow a withdrawal from the account to meet the reasonable living
expenses of the person, dependents of the person, business expenses of the person, or a specified debt
incurred in good faith by the person. Allowing for a freezing order to be varied recognises that in
certain situations, such as where all of a person's property is frozen or restrained, it may be
appropriate to allow for withdrawals from a frozen account, particularly noting that a freezing order
can be extended until a restraining order application is determined. Amendments in the Bill ensure
that these provisions apply to accounts held with digital currency exchanges, so that freezing orders
can be varied in relation to digital currency subject to a freezing order.
Consistent with existing search warrant provisions in the POCA and the Crimes Act, a person is not
able to seek a variation when digital assets are seized during the execution of a search warrant under
the POCA or Crimes Act amendments in the Bill. While this may limit a person's ability to use their
digital assets to access relevant goods or services consistent with their rights under Articles 11 and 12
of the ICESCR, these limitations are proportionate as digital assets subject to a seizure warrant are:
• unlikely to form the entirety of a person's income, and
• not commonly exchangeable for goods and services in the same way standard currency
currently is.
This means that a person would ordinarily be expected to retain some level of standard currency to
meet day to day expenses.
Therefore, any limitation on the rights under Articles 11 and 12 of the ICESCR by the POCA
measures are reasonable, necessary and proportionate to support the functioning of Australia's
proceeds of crime and search and seizure regimes and help prevent the use of digital currency and
digital assets in criminal activity.
The right to a fair trial and fair hearing
Article 14 of the ICCPR provides in part that:
All persons shall be equal before the courts and tribunals. In the determination of any
criminal charge against him, or of his rights and obligations in a suit at law, everyone shall
be entitled to a fair and public hearing by a competent, independent and impartial tribunal
established by law.
Section 478.5 criminalises the conduct of unlawfully dealing (with (that is, obtaining, deleting or
releasing) data. This offence includes an element of dishonesty.
New subsection 478.5(2) defines dishonest as being dishonest according to the standards of ordinary
people and known by the defendant to be dishonest according to the standards of ordinary people.
This requires the prosecution to prove that a person have knowingly, or through another person have
recklessly, obtained data and they have released or modified that data, and that the conduct was
dishonest according to the standards of ordinary people. The element of dishonesty recognises the
need for certain persons or entities to obtain, release or modify data for legitimate purposes in limited
circumstances, and distinguishes between innocent third parties and persons who have nefarious
reasons for dealing with the data.
In the determination of this criminal charge, a person will have the right to a public hearing that is
conducted by an independent and impartial body. Penalties will only be applied by a court if a person
is convicted of an offence following a fair trial in accordance with the criminal procedures as established
by law. This ensures that the measures do not limit the rights under Article 14 of the ICCPR.
Conclusion
The Bill is compatible with human rights because it promotes the protection of human rights and to
the extent that it may limit human rights, those limitations are reasonable, necessary and
proportionate.
The Hon Karen Andrews, MP
Minister for Home Affairs