Commonwealth Numbered Regulations - Explanatory Statements
[Index] [Search] [Download] [Related Items] [Help]
TELECOMMUNICATIONS AMENDMENT (DISCLOSURE OF INFORMATION FOR THE PURPOSE OF CYBER SECURITY) REGULATIONS 2023 (F2023L01340)
EXPLANATORY STATEMENT
Approved by Authority of the Minister for Communications
Telecommunications Act 1997
Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2023
Purpose and operation of the Instrument
The purpose of the Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2023 (the Instrument) is twofold.
The first purpose is to amend the Telecommunications Regulations 2021 (the Regulations) to extend the sunset date of two prescribed circumstances for the purposes of section 292 of the Telecommunications Act 1997 (the Act) until 12 October 2024. This extension is intended to provide the Government additional time to assess the ongoing appropriateness of the regulations and implement a more permanent solution in primary legislation, whilst mitigating the harms of any future data breach events.
The second purpose is to change the form by which the Minister may specify additional types of disclosable information or disclosable documents from a notifiable instrument form to legislative instrument form.
The affected provisions (s.15A and s.15B) were introduced by amendment as the Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2022 (the Previous Amendments).
The Instrument is made by the Governor-General under section 594 of the Act, which allows the Governor-General to make regulations prescribing matters required or permitted to be prescribed by the Act, or necessary or convenient to be prescribed for carrying out or giving effect to the Act.
Subsection 33(3) of the Acts Interpretation Act 1901 relevantly provides that where an Act confers a power to make an instrument of a legislative character (including regulations) the power shall be construed as including a power exercisable in the like manner and subject to the like conditions to repeal, rescind, revoke, amend, or vary any such instrument.
Section 276 of the Act provides a general prohibition on carriers and carriage service providers disclosing customer information to third parties. Subsection 292(1) empowers regulations to be made that create exceptions from the section 276 prohibition.
Additionally, the circumstances in which new or different types of disclosable information may be specified through section 15A and 15B will be tightened by the Instrument - requiring specification through legislative instrument, rather than notifiable instrument. This is intended to address concerns previously raised by the Scrutiny of Delegated Legislation Committee (The Committee) (see Delegated Legislation Monitors 1-3 of 2023). To-date, no notifiable instruments have been made under the Regulations.
Sections 15A and 15B, as inserted into the Regulations by the previous Amendments, permits carriers and carriage service providers to disclose government identifiers such as driver licence and passport numbers to financial services entities (covering entitles like Australian banks) and government agencies.
Without further amendment to the Regulations, the Previous Amendments enabling disclosures will sunset on 12 October 2023, which would mean that carriers and carriage service providers would continue to be subject to the general prohibition on disclosing the information in accordance with section 276 of the Act and unless another secondary disclosure exception under Part 13 of the Act was applicable, would no longer be permitted to disclose certain personal information to financial services entities, Commonwealth entities and State authorities for the purposes of preventing, responding to, or responding to the consequences of cyber security incidents, frauds, scams, instances of identity theft or malicious cyber activity. This could lead to a significantly greater degree of harm for affected customers than they would otherwise be subject to. This is due to a diminished capacity for consumers or their financial institutions to take precautionary or preventative actions on being notified of impacted by the breach.
A Statement of Compatibility with Human Rights for the Instrument is set out at Attachment A.
A provision-by-provision description of the Instrument is set out in the notes at Attachment B.
The Instrument is a disallowable legislative instrument for the purposes of the Legislation Act 2003.
Consultation
Given the urgent and sensitive nature of the proposed amendment to the Regulations, the Department of Infrastructure, Transport, Regional Development, Communications and the Arts did not conduct a public consultation. A range of relevant stakeholders have been consulted including the Department of Prime Minister and Cabinet, Treasury, the Department of Home Affairs, the Attorney Generals Department, the Australian Communications and Media Authority, and Optus.
Regulatory impact assessment
The Office of Best Practice Regulation has advised a RIS is not required (OBPR22-03455).
ATTACHMENT A
Statement of compatibility with human rights
Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011
Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2023
The purpose of the Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2023 (the Instrument) is to twofold.
Firstly, the Instrument would to extend the effect of regulations allowing carriers and carriage service providers to disclose certain limited kinds of personal information to financial services entities (including via entities approved by the Minister), Commonwealth entities and State authorities (which includes by definition various Territory entities) and other financial services entities approved by the Minister for the purposes of preventing, responding to, or responding to the consequences of cyber security incidents, frauds, scams, instances of identity theft or malicious cyber activity.
A further purpose of the Instrument is to require that specification of new or additional types of information or documents which may be disclosed is to be by making of a legislative, rather than notifiable instrument. This is intended to address concerns previously raised by the Scrutiny of Delegated Legislation Committee. Requiring that this be accomplished by making of a legislative instrument will ensure such instruments are subject to the parliamentary processes of tabling, disallowance, and sunsetting.
The Instrument is temporary, and the existing provisions of the regulations to which it applies will be automatically repealed on 12 October 2024.
Human rights implications
The Instrument engages the Right to Privacy in Article 17 of the International Covenant on Civil and Political Rights. Article 17 provides for the right to protection against arbitrary and unlawful interferences with privacy.
Article 17 prohibits arbitrary or unlawful interference with an individual's privacy, family, home or correspondence. Non-arbitrary interference, and some limitations provided by law, are permissible. In order for limitations to be deemed non-arbitrary, there must be a legitimate objective and it must be reasonable, necessary and proportionate.
Conclusion
The Instrument is compatible with human rights. To the extent that it may limit human rights, those limitations are reasonable, necessary and proportionate.
Attachment B
Notes to the Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2023
1 - Name
The section provides that the name of the Instrument is the Telecommunications Amendment (Disclosure of Information for the Purpose of Cyber Security) Regulations 2023.
2 - Commencement
The section provides for the Instrument to commence on the day after the Instrument is registered.
3 - Authority
The section provides that the Instrument is made under the Telecommunications Act 1997 (the Act).
4 - Schedules
The section provides that each instrument that is specified in a Schedule to the Instrument is amended or repealed as set out in the applicable items in the Schedule concerned, and any other item in a Schedule to the Instrument has effect according to its terms.
There is only one Schedule to the Instrument.
Schedule 1 - Amendments
This schedule amends the Telecommunications Regulations 2021.
Item 1 - Subsection 15A(5)
Subsection 15A(1) creates an exception to the general prohibition under section 276 of the Act to enable carriers and carriage service providers to disclose certain information and documents to financial service entities, if all circumstances in subsection 15A(2) are met.
This item modifies the manner by which the Minister may specify one or more kinds of information for the purposes of the definitions of "specified document" or "specified information" as defined in subsection 15A(6). As a result of the change the form of such instruments must be legislative instruments rather than notifiable instruments.
Item 2 - Subsection 15A(6) (paragraph (b) of the definition of specified document)
Item 3 - Subsection 15A(6) (paragraph (b) of the definition of specified information)
These two items omit the term "notifiable" and substitutes "legislative". They represent changes that are consequential to Item 1.
Item 4 - Subsection 15A(8)
This item extends the date at which section 15A is to be repealed by one year. The new sunset date will be 12 October 2024.
Item 5 - Subparagraph 15B(2)(d)(ii)
Subsection 15B(1) creates an exception to the general prohibition under section 276 of the Act and enable carriers and carriage service providers to disclose information and documents to government entities if all circumstances in subsection 15B(2) are met.
This item modifies the manner by which the Minister may under Subparagraph 15B(2)(d)(ii) specify one or more kinds of information that may be disclosed by a carrier or carriage service provider for the purposes of the circumstance set out in section 15AB to a legislative instrument form rather than a notifiable instrument form.
Item 6 - Subsection 15B(3)
These items omit the term "notifiable" and substitutes "legislative". They represent changes that are consequential to Item 5.
Item 7 - Subsection 15B(6)
This item extends the date for when section 15B is to be repealed by one year. The new sunset date will be 12 October 2024.