The ACCC will extend the expiry date of the wholesale ADSL (WADSL) service until 30 June 2024. IAA commented on this consultation in September 2021. We advocated for the WADSL to be extended as it is still used in regional areas where competition remains weak and Telstra operates its copper network without much alternative. The ACCC referenced IAA’s submission in their Final Decision paper.

SBAS Access Determination Inquiry | ACCC
IAA responded to the Superfast broadband access services (SBAS) access determination inquiry Discussion Paper in December. In our submission, we advocated that the Regional Broadband Scheme levy should be absorbed by SBAS providers instead of being passed through to RSPs and users. We also argued that SBAS and FAB providers should disclose key network service quality/reliability metrics to RSPs.

Telecommunications Draft Determination – Consumer Data Rights | The Treasury
After conducting a Telecommunications Sectoral Assessment last year, the Department of Treasury decided to recommend the telco sector be designated for the CDR. In December, we commented on the Draft Designation, wherein we pointed out that the cost of implementing and running the CDR, especially for smaller telecommunications providers, is excessively high in comparison to the benefits. We also flagged the importance of a clear demarcation point of the threshold for telco providers captured by CDR, as this can provide certainty for industry.

Customer Identity Verification Determination (CIV) 2021 | ACMA
ACMA introduced a determination which seeks to impose multi-factor authentication (MFA) requirements on CSPs for all customer interactions at high-risk of fraud. We responded to this determination in December. A code released by Comms Alliance covered similar ground to the Determination, but provides CSPs with much more flexibility on how to meet the requirements. In our submission, we extended our support to measures CSPs can implement that reduce customer fraud, however, argued that for smaller CSPs, some MFA and reporting requirements may be difficult to meet.

Privacy Act Review | Attorney General’s Department
The Attorney General’s Department is conducting a review of the Privacy Act 1988 which seeks to expand the scope and application of the Act and how it is regulated and enforced. As part of its review, the Department released a Discussion Paper looking at the expansion of definitions to include greater types of technical data, consider the appropriateness of exemptions including for small businesses, and the introduction of a direct cause of action and statutory tort. We advocated for the development of an effective and practical privacy regime which balances the legitimate commercial need of businesses to monetize the data they collect whilst also protecting the rights of individuals to maintain privacy and control over their data.

Draft Rules Register of Critical Infrastructure & Mandatory Reporting Scheme | 1 February 2022
Following the amendment of the Security of Critical Infrastructure Act 2018 (SOCI Act) in December 2021, the Minister is proposing to apply additional security obligations, including requiring certain new assets to provide operational and ownership information to the Register of Critical Infrastructure Assets, and the introduction of mandatory cyber incident reporting. The telecommunications sector will not be deemed subject to these obligations, as opposed to the initial recommendations and proposals. However, the Rules will apply to asset classes including broadcasting, domain name, and data storage or processing.

Exposure Draft Security Legislation Amendment (Critical Infrastructure Protection) Bill | 1 February 2022
The Exposure Draft proposes further amendments to the SOCI Act. This Bill is part two of the Security Legislation Amendment (Critical Infrastructure) Act enacted in December 2021. It will introduce a Risk Management Program and enhanced security obligations. IAA will respond regarding concerns about the expanded powers that would give the Minister the ability to privately declare an asset as of national interest which would increase the requirements and burdens on deemed businesses.

Electronic Surveillance Framework Discussion Paper | 11 February 2022
The Department of Home Affairs is embarking on an overhaul of Australia’s electronic surveillance framework. This review would repeal the various legislation which currently contains powers to create a comprehensive framework. Whilst IAA supports the harmonization of regulations to replace the current complex and inconsistent regime; there are concerns that the new framework will be overreaching and excessive.

Privacy Act Review | Attorney General’s Department | 10 January 2021

The AGD is consulting on proposals for reform and questions on the Privacy Act 1988 Discussion Paper. This will focus on aspects including on the scope and application of the Privacy Act, whether a statutory tort should be introduced for privacy invasions, the effectiveness of enforcement powers and mechanisms under the Privacy Act and the feasibility of an independent certification scheme to monitor compliance.

Superfast Broadband Access Service Access (SBAS) Determination Inquiry Discussion Paper | ACCC | 10 December 2021

The ACCC is in the process of confirming a final access determination for SBAS, following which a provider needs to ensure access to a declared service on the request of an access seeker. The inquiry will consult on price and non-price terms and conditions of access to the service, whether the Regional Broadband Levy should be absorbed by SBAS providers or passed onto RSPs and users and whether network providers should disclose network service quality and reliability indicators to RSPs. It also inquires about exemptions from the access determination applying to small scale operators (with less than 12,000 end users) and competition-based exemptions.

Consumer Data Right – Telecommunications Draft Designation Instrument | Treasury | 13 December 2021

The Treasury is seeking feedback on the Draft Designation, which outlines the datasets and data holders to be covered by the CDR.

Telecommunications Service Provider (Customer Identity Verification) (CIV) Determination 2021 | ACMA | 15 December

The CIV Determination imposes carriage service providers (CSPs) to introduce two-factor authentication for all customer interactions at high-risk of fraud. Although Communications Alliance released a Code covering similar ground earlier, this Determination is more specific on definitions (of high-risk interaction) and the process for identity verification. It also requires CSPs to collect information to show their compliance.

NBN SIO Record Keeping Rules | ACCC

IAA responded to the ACCC’s Proposed Changes to the NBN Services in Operation Record Keeping and Reporting Rules (NBN SIO RKR) Consultation Paper. We conveyed our support for the publishing of high-level CVC overage and utilisation data, but opposed the publication of data disaggregated by access seekers as this should be considered confidential information. We also supported reporting metrics include NBN Co performance against service levels and performance objectives.

Basic Online Safety Expectations (BOSE) | Department of Communications

In collaboration with 10 associations, IAA made a submission to the Basic Online Safety Expectations. Here, we raised our concerns about the extensive and vague nature of the scope of services discussed, which in its current form could incorporate website, app or communication services accessible to Australian users. We also raised the potential impact BOSE could have on over-cautious censorship and surveillance.

Policy News

The Critical Infrastructure Bill 2020 passed both House of Representatives and the Senate last week. The legislation expands the number of sectors classified as critical infrastructure, including the communications and data storage and processing sector. It also enforces mandatory reporting requirements and provides Home Affairs with the ability to issue information gathering, intervention and action direction requests.

In August, IAA responded to the Treasury’s Consumer Data Rights (CDR) Sectoral Assessment for telecommunications, where we argued the CDR could add to existing compliance requirements for ISPs and inhibit competition within the sector. Last week, the Treasury released their Sectoral Assessment wherein they recommend the telco sector be designated for the CDR. Now, the Treasury is finalising the classes of information and who is required to share it as a data holder to be covered by the CDR. They have recommended that carriers and CSPs be designated as data holders who should provide access to generic and publicly available product data, product data that relates to particular products used by consumers and basic consumers and account data.