Member Portal
Categories

Internet Association of Australia concerned that Privacy Legislation Amendment will not effectively address privacy concerns

7 November 2022

The Internet Association of Australia Ltd (IAA) today raised concerns that the Privacy Legislation Amendment Bill will not address Australia’s urgent need for data security and privacy protection.

IAA asserts that more so than enforcement measures, the government should focus on encouraging compliance by both increasing its education efforts and mitigating the harm to individuals in the case of a data breach by reviewing its data retention laws so that companies don’t hold unnecessary personal information in the first place.

“Legislative reform is obviously necessary to improve Australian businesses’ security posture and we support the government in this, but we need to really consider what that should entail,” said IAA CEO Narelle Clark. “In today’s context of ever increasing sophisticated online attacks, do stronger enforcement measures effectively address the actual data security issues that we are currently facing? Where is the focus on proper training, consumer redress and harm-mitigation measures? Where’s the guarantee that the revenue from the proposed hefty fines will actually go to redress or training?”

IAA’s submission to the proposed Bill particularly points to the disproportionate effect the increased penalties would have on smaller companies, and the potential to fail in achieving its intended outcome to create incentives for compliance.

“The increased penalties, while reflective of the serious nature of data breaches, suggests that companies are being wilfully negligent of their privacy compliance obligations,” said Clark. “What we see more often is that companies, especially smaller entities, struggle with the complexity of legislative and regulatory obligations. What we don’t want to see is more effort placed in the paperwork associated with privacy, than in actually improving data security. We need incentives to change the culture of data hoarding.”

“We look forward to continue working with government, industry and other stakeholders to ensure a privacy and data security framework that is genuinely effective and best serves all Australians,” said Clark.

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill is currently with the Senate Legal and Constitutional Affairs Committee for review and closed its submission due date on 7 November.

 

October’s Advocacy Corner Update

October continued to be a busy month for IAA’s policy team, keeping up to date with industry news and legislative reforms on the horizon while attending meetings and regulatory information sessions. We expect we will continue to be busy, particularly responding to consultations surrounding privacy in the wake of the Optus data breach.

IAA’s Policy Officer also moderated a NetThing panel discussion on 28 October on ‘Defamation for ISPs and Other Internet Intermediaries’. Read more about it here.

As always, if you would like to discuss any of the below reforms or if there are any other policy areas/issues of concern, please feel free to shoot us an email.

Open Submissions

Telecommunications Numbering Plan Variation 2022 (No. 1) | ACMA | 4 November 2022
ACMA is proposing changes to the Telecommunications Numbering Plan 2015. Changes include CSPs requiring registration before being assigned numbers, decreasing the size of the standard unit for premium rate and mobile numbers from 100,000 to 10,000 and removal of the Location Independent Communications Services.

Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 | Attorney General | 7 November 2022
In response to the Optus data breach, the government is looking to increase penalties for serious or repeated privacy interferences, expand the Australian Information Commissioner’s enforcement powers, and provide the Commissioner and ACMA greater information sharing powers.

Draft SOCI Risk Management Rules 2022 | Department of Home Affairs | 18 November 2022
Following the recent amendment of the Security of Critical Infrastructure Act earlier this year, one of the new obligations is for critical infrastructure assets to have and comply with a critical infrastructure Risk Management Program. These draft rules will set out the specific requirements of this new obligation.

Completed Submissions

5 Year Productivity Inquiry – Australia’s Data and Digital Dividend Interim Report | Productivity Commission
The Productivity Commission’s interim report for its 5 Year Productivity Inquiry sought feedback and insight into data and digital technology in Australia. Our submission primarily raised concerns about the lack of transparency and genuine consultation by government when it comes to collaborating with industry to improve the data and digital landscape. Focusing on areas including government investment, the tech skilled workforce, cyber security and the policy landscape, we called for more comprehensive planning and multistakeholder input in future works involving the Internet and telecommunications industry to ensure the accelerated growth of data and digital technology for Australia’s future.

Industry Codes of Practice for the Online Industry (Class 1A and Class 1B Material) | Online Safety
IAA submitted to Industry Codes of Practice for the Online Industry (class 1A and class 1B Material). Our response made recommendations on the reporting requirement in recognition of the limited role ISPs play on the content layer. We also made recommendations to the proposed requirement that would see ISPs responsible for notifying host providers of harmful material being posted via their servers. This requirement would see ISPs having to take reasonable steps to identify the host provider, and would not be limited to providers with whom ISPs have a partnership or other relationship, thereby being too broad and burdensome for ISPs.

TIO 2022 Independent Review (disappointing) findings released…

The findings from the Telecommunications Industry Ombudsman (TIO) Independent Review were released earlier this month. After consultation held in May this year, the review looked into the TIO’s compliance with the Australian Government’s benchmarks for industry-based customer dispute resolution.  

The TIO has accepted the majority of the 26 recommendations made by the review. However, it did not accept Recommendation 4 which suggested the removal of the refer-back process within the complaints handling model. IAA supports the refer-back step remaining as part of the scheme. In the absence of sufficient efforts by the TIO to guide consumers on the requirement to not only raise their complaint with the telecommunications provider first, but also give the provider a reasonable time to respond prior to raising a complaint with the TIO, it is crucial that, at the least, the TIO is able to refer consumers back to providers where it is clear that the complaint can be handled more easily and quickly directly, without TIO assistance. 

Although the review did consider the concerns raised by IAA and other industry representatives regarding this point that consumers were raising complaints with the TIO without first trying to resolve the complaint directly with the provider, it is disappointing that they seem to have missed the point. While the TIO Terms of Reference explicitly states providers must be given a ‘reasonable opportunity to consider the issues’, IAA raised in our submission that this is not always happening. Nowhere else on the TIO’s website or complaints form is there a reference to this illustrious ‘reasonable opportunity’. The review suggests that consumers making a complaint, formal or not, is sufficient, but where does the opportunity come into play for providers to consider and respond so the issue does not have to be referred to the TIO? 

If there is a gap in how industry, consumers and the TIO interpret what is a ‘reasonable opportunity’, then this is something that should be addressed so that everyone understands and uses the same process.  

We are hopeful that other recommendations made (and accepted) including the call for the TIO casework staff to collect more relevant information at the commencement of a case, increased systematic investigation and increased publication about the performance of the TIO will mean that the overall operation of the TIO will improve. Other concerns that IAA heard from our members during the consultation period to inform our submission centred on the lack of efficiency and a recurring issue where RSPs were being held accountable for network failures outside of the RSP’s control.   

IAA recognises the importance of an industry ombudsman and believes it to be a critical role in our industry. However, with the review suggesting that the TIO should play a greater function in the industry, taking on a more regulatory role instead of being primarily responsible for dispute resolution, it seems there is a need for a broader discussion within industry regarding the future of the TIO.  

You can read the review, TIO’s response and submissions on the TIO website 

ACCC Industry Guidance

The Australian Competition & Consumer Commission has published guidance material regarding the carrier separation rules. The explanatory guide has been prepared following industry consultation – to which IAA responded – and is aimed to assist industry’s understanding of the superfast fixed-line broadband network carrier separation obligations.  

Read the guidance material here 

Whose responsibility is it anyway?

While the review of the amendments to the Model Defamation Provisions is still ongoing, the recently closed consultation into the liability of Internet intermediaries for online defamatory material has indicated that Internet Service Providers will likely be granted a statutory exemption from liability. This comes off the back of the work IAA did, along with other industry representatives, in the last round of consultations regarding this matter. IAA has consistently argued that since ISPs merely providing access do not deal with content, the law should recognise this. While there was some opposition to the proposed exemption during an industry workshop, with suggestions that ISPs should rely on available defences instead, IAA has maintained in its submission that the exemption is necessary to provide ISPs with greater clarity and assurance when it comes to defamation law.  We have also asked that those involved in the mechanics and operation of other infrastructure services, such as DNS, should similarly be exempt. 

Words from our Public Policy frontier

IAA’s Public Policy Advisory Panel met for its third quarter meeting on 7 September. While two panellists were unfortunately unable to attend, the Panel had a very spirited meeting, getting into the nitty gritty of telco legislation and the policy context. Sophia (IAA Policy Officer) gave an update on the consultations IAA have responded to since the last meeting (no less than 9!), as well as an overview of other work the policy team have been up to, including meetings with regulatory bodies and NBN Co, forums the team have participated in and publications that have been released. The Panel then discussed upcoming consultations and provided much guidance; sharing their knowledge on the various policy areas that will be of relevance in the coming months, and perspectives on where IAA should devote its focus.  

IAA is extremely grateful to the Panel members who dedicate their time to guide IAA’s advocacy work.  

Have you submitted your asset information?

The last chance to complete your asset registration under the new carrier licence condition and determination for eligible CSPs is 8 October 2022. Under this new determination, telcos must provide the Department of Home Affairs’ Cyber and Infrastructure Security Centre (CISC) with operational information in relation to their telecommunications assets. Where an entity holds a direct interest of at least 10% or a controlling stake in the asset, information about the interest and control in the asset must also be reported.   

An ‘asset’ is defined to be a tangible asset owned or operated by a carrier/eligible carriage service provider and is used to supply a carriage service. It does not refer to typical termination equipment on customer premises. An asset can be thought of by way of an analogy – the entire car as opposed to the individual components that make up the motor vehicle. Please visit the CISC website for further information. We have also created this helpful guide to assist you.  

September’s Advocacy Corner Update

IAA’s policy team have had another busy month, meeting with regulatory bodies and NBN Co mostly to reinforce IAA’s position within Australia’s Internet industry landscape. We’ve also engaged in consultations that are of relevance to our members, and prepared an educational guide to assist members in complying with new critical infrastructure obligations.

Recent submissions:

Discussion Paper – NBN Co Revised SAU Variation Proposal | NBN Co
The IAA policy team continued its involvement in the revised Special Access Undertaking after the NBN Co’s withdrawal of its previous proposal in late July. In this process, we participated in the industry forum, as well as met with the ACCC and NBN Co to express our concerns and seek greater clarity on the proposed SAU. In our response, we noted that although the Discussion Paper suggested the SAU was stepping in the right direction, lack of transparency seems to be a key issue. In particular, as NBN Co indicates that trade-offs will be necessary between service standards, and price to RSPs, we emphasised that NBN Co must be transparent in these decisions and seek industry collaboration to better inform their decisions. We will continue to be involved in this process as NBN Co seeks to lodge its revised SAU to ACCC by the end of the year.

Stage 2 Review of the Model Defamation Provisions – Part A | COAG
We also continued to be involved in the review of the model defamation provisions, with Stage 2 reflecting perspectives and suggestions made by IAA during the Stage 1 consultations held last year. IAA continued to argue for a statutory exemption to apply to ISPs, recognising that telcos are not involved in the content layer of the Internet and therefore should have assurance that they will not be liable for defamatory material published online. We’ve also argued that DNS registries, registrars and DNS cache operators should not be liable for the domain names people (registrants) register. 

Open submissions:

Exposure Draft—Telecommunications Legislation Amendment (Statutory Infrastructure Providers and Other Measures) Bill 2022 | DITRDCA | 30 September 2022
The Department of Communications is seeking feedback on proposed amendments to the Statutory Infrastructure Provider regime. The Bill indicates changes to various telecommunications laws to enhance the operation of the SIP regime. Overall, IAA approves of the principles and objectives guiding the amendments and will seek greater clarity on areas that require further explanation.

Industry Codes of Practice for the Online Industry (Class 1A and Class 1B Material) | 2 October 2022
Industry representatives have collaborated to draft the Industry Codes relating to Online Safety for the different sections of the Internet sector. This approach recognises the unique functions and roles of the various sections and thus the different responsibilities that should apply. IAA will predominately respond to Schedule 7 for Internet Carriage Services and make recommendations that will better ensure an appropriate balance between protecting end-user safety online, cost and limiting unnecessary burdens for ISPs.

5 Year Productivity Inquiry: Australia’s Data and Digital Dividend | Productivity Commission | 7 October 2022
The second interim report for the Productivity Inquiry has been released, focusing on data and the digital economy in Australia. The Commission has made various recommendations, including changes to government funding allocations for telecommunications services such as those within the Universal Service Obligation and Mobile Black Spot funding.

August’s Advocacy Corner Update

The Public Policy team has continued to be busy this past month. From participating in a panel on Lawful Interception to attending an industry forum on the revised Special Access Undertaking from NBN Co, while also keeping on top of the various consultations that are currently underway.

Shortly after the IAA event regarding Open LI, which included the IAA Policy Officer’s brief introduction to Australian lawful interception obligations, there have been some changes made, meaning the Telecommunications (Interception and Access) Act will now be overseen by the Attorney-General’s Department. The Department of Home Affairs will now only oversee the use of interception powers by ASIO.

The Department of Home Affairs has been asked by the new Labor government to revisit the 2020 Cyber Security Strategy in the context of the contemporary growing threat landscape. One of the criticisms of the previous strategy was that it failed to take on industry recommendations and lacked wider industry collaboration, and this is said to be a focus of the revamped approach. A timeline for the update has not yet been announced, but we look forward to participating in the consultations once they begin, as developments in cyber security and critical infrastructure have increasingly been focused on the telecommunications sector.

The Minister for Home Affairs also recently designated 82 of the nation’s most critical infrastructure assets as ‘systems of national significance’ (SONS), activating powers that were granted to the Minister under recent critical infrastructure legislation. The designated assets, including some from the communications sector, may now be subject to heavier obligations. Under law, these assets also cannot be publicly named as being a SONS.

On that note about critical infrastructure, remember that as a carrier or CSP, you will need to report operational information to the Register of Critical Infrastructure by 7 October 2022!

Check out our work from the past month as well as responses we are working on for the month(s) ahead.

Recent Submissions:
Treasury Laws Amendment (Competition and Consumer Reforms No. 1) Bill 2022 | Treasury | 25 August 2022

The Treasury has fast-tracked draft amendment to legislation that would see greater penalties for telecommunications providers who engage in anti-competitive conduct. Increased penalties could be as high as 30% of a telco’s revenue, and the maximum penalty amount could rise from $10 million to $50 million. The explanatory note claims the increases are to ensure they are a sufficient deterrent to larger telco providers.

In our response, IAA supported the commitment to ensuring providers do not engage in behaviour that is anti-competitive, but raised our concerns with the extremely short notice and consultation period (only 1 week!), as well as the lack of explanatory justification provided for an amendment of this scale.

 

Open Submissions

Revised NBN Co SAU Variation | NBN Co | 2 September 2022
Following its withdrawal of the Special Access Undertaking Variation proposal in July, NBN Co has released its revised SAU and is seeking feedback. Many changes have been made, such as to pricing structure, service standards and the ACCC’s powers, reflecting feedback on its previous proposal and the last SAU. The ACCC also held a two-day industry forum which IAA attended, and the team is committed to continuing to engage in this area of importance to our members.

Stage 2 Review of the Model Defamation Provisions | COAG | 9 September 2022
This stage of the review of the Model Defamation Provisions will focus on Internet intermediaries and what level of liability intermediaries should have for third-party publication of defamatory material online. A workshop will be held in early September by the NSW Department of Communities and Justice which is coordinating the consultation. We will continue our strong advocacy that ISPs providing vanilla internet access should not be liable for defamation by users.

5-year Productivity Inquiry: Australia’s Data and Digital Dividend | Productivity Commission | 7 October 2022
The second interim report for the Productivity Inquiry has been released, focusing on data and the digital economy in Australia. The Commission has made various recommendations, including changes to the government’s funding allocations for telecommunications services, such as those within the Universal Service Obligation and Mobile Black Spot funding.

 

 

Sign up to IAA's mailing list

Complete this form to receive all our latest news, events and updates.