National legislation seeks to regulate how telecommunications service providers operate and maintain their networks and services. This area of law is subject to frequent amendments that seek to address developments in telecommunications technology and security threats.
Background
On 18 September 2018, the Telecommunications and Other Legislation Amendment Act 2017 (known as the Telecommunications Sector Security Reforms, or TSSR) took effect with the intended purpose of better managing national security risks of espionage, sabotage and foreign interference to Australia’s telecommunications networks and facilities. The reforms made significant changes to the Telecommunications Act 1997 (Cth), amending the existing section 313, and minor consequential changes to the Telecommunications (Interception and Access) Act 1979 (Cth), Administrative Decisions (Judicial Review) Act 1977 (Cth) and Australian Security Intelligence Organisation Act 1979 (Cth).
Under Part 14 of the Telecommunications Act 1997 (Cth), carriers and carriage service providers must do their best to prevent telecommunications networks and facilities from being used to commit offences, and must provide such help as is reasonably necessary to authorities and officers of Commonwealth and state agencies for the purposes set out in section 313(3).
Following the TSSR amendments, carriers and carriage service providers also have security and notification obligations. The security obligation is a risk-based obligation to do their best to protect telecommunications networks and facilities from unauthorised interference, or unauthorised access, for the purposes of security. This duty requires ‘competent supervision’ and ‘effective control over’ the telecommunications networks or facilities that a provider owns or operates.
Carriers and certain carriage service providers must notify changes to telecommunications services or systems that are likely to have a material adverse effect on their capacity to comply with the security obligation.
The Home Affairs Minister may give directions to a carrier or a carriage service provider in certain circumstances, such as a direction to not supply a service where it would be prejudicial to security to do so, or a direction where there is a risk of unauthorised interference or access concerning telecommunications networks or facilities.
The Telecommunications (Interception and Access) Act 1979 (Cth) also prescribes exceptions that enable law enforcement, anti-corruption and national security agencies (e.g. ASIO) to apply for warrants to intercept or access stored communications when investigating serious crimes and threats to national security. The warrant regime provides these agencies with lawful access to telecommunications content.
Chapter 2 regulates the interception of 'live' communications that pass over a telecommunications system, which includes telephone and internet communications.
Chapter 3 regulates the interception of communications stored within the apparatus of a telecommunications provider (e.g. email, text and voicemail).
Part 5-1A requires telecommunications and internet service providers to retain and encrypt telecommunications data for a period of two years for the purposes of access by national security authorities, criminal law-enforcement agencies and enforcement agencies.
Telecommunications data retained under Part 5-1A is 'personal information' for the purposes of the Privacy Act 1988 (Cth).
See Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4.
Cloud service providers use telecommunications networks and services to deliver their services. They may operate in the telecommunications sector and have telecommunications clients. In addition, some carriers offer cloud storage and other cloud services.
Besides rules applying to carriers, carriage service providers and content service providers generally, the Telecommunications Sector Security Reforms imposed a set of security obligations on telecommunications service providers that may be applicable to certain cloud service providers. This framework has the potential to impact cloud providers who fall within the definition of carriage service provider or content service provider.
Whether a cloud service provider is captured by the definitions in the Telecommunications Act 1997 (Cth) will depend on the products and services it offers. For example, cloud providers offering data storage will not be considered carriage service providers (depending on the service, the cloud provider could be a content service provider). In contrast, webmail service providers may be considered carriage service providers if they enable end-users to access the internet.
On 6 July 2022, the Minister for Communications made security information obligations for carriers and eligible carriage service providers, requiring carriers and service providers to undertake asset registration and cyber incident reporting.