Cybersec and beyond! The digital rights battles Australia can win

At the end of October, the Australian Parliamentary Joint Committee on Intelligence and Security (PJCIS – it rolls off the tongue!) shut down the government’s plans to implement the Identity Matching Bill because the legislation was found to be devoid of appropriate safeguards. Critics had pointed out that the bill would facilitate large-scale surveillance. It was the first time that the PJCIS flexed its muscles, a welcome sight to rights organizations that have been following the committee’s work on the infamous Assistance and Access Act, which undermines encryption and digital security in pursuit of greater law enforcement powers.

While this victory does not necessarily mean that Australia will now get a full digital rights overhaul, it is encouraging. We thought this would be a good time to take stock of the work the government has been doing and see where any other opportunities for progress may yet be hiding!

ACCC Digital Platforms inquiry

After two years of investigation, this September interested readers finally got their hands on the Australian Competition & Consumer Commission (ACCC) report on Digital Platforms. The report, taking stock of international and regional developments, makes bold suggestions to legislators on platform regulation and antitrust, as well as advancing a broad array of proposals for strengthening privacy and data protection. In September, the Treasury, which is now in charge of combing through and deciding on the recommendations, opened the report for public input. In our submission to the Treasury’s call, we zeroed in on recommendations 15, 16, 17, and 19, which are focused on content monitoring and data protection/privacy, given their particular relevance for the advancement of individuals’ rights.

One of the more interesting recommendations is to establish a statutory tort for invasions of privacy which would greatly extend individuals’ ability to exercise their rights and keep companies accountable for their actions. The Australian Law Reform Commission had already recommended the creation of a tort for serious invasions of privacy in 2014, but the need for such an avenue has only increased since that time, as data harvesting practices have skyrocketed in Australia.

Another key opportunity could be the creation of a data protection and privacy framework through the reform of the Privacy Act — which is long overdue! We further recommend that the government perform an audit of existing legislation that involves the processing of individuals’ data, and consider amendments to ensure that privacy protections are harmonized across the board. For instance, the PJCIS is currently undertaking a review of the data retention requirements imposed on telecommunications and internet providers. In order to ensure the privacy of individuals, this requirement should be reviewed in line with international standards, including the necessary and proportionate principles. Following the rejection of the Identity Matching Bill, this is potentially another area where the PJCIS and its members could shine.

2020 Cybersecurity Strategy

While a strategy document may not be the most salient for determining future action on an issue, it does set the government’s tone and intention. With that in mind, it should be noted that the most striking change in the 2020 Cybersecurity Strategy is its departure from the commitment in 2016 to championing an “open and secure internet.” This change in language, paired with an emphasis throughout on government’s role and authority over domestic networks and cybersecurity products and services, is a shift to the detriment of Australian consumers. In fact, at NetThing, an annual forum to strengthen Australia’s Internet governance community, it emerged as a theme of concern in the cybersecurity panel Access Now participated in.

The language of the 2020 strategy should not be based on the premise that the commitments made in the 2016 plan have been met and therefore do not need to be reiterated. An open and secure internet remains a worthy goal. Further, there is a lot more the government can do to strengthen Australia’s cybersecurity going forward. In our 2018 report Human Rights in the Digital Era: An International Perspective on Australia, in which we welcomed the Australian government’s commitment to engage further internationally on global cybersecurity, we offered these four key recommendations:

  1. Commit to building cybersecurity policies and practices around central tenets of human rights, including the right to privacy. This includes compliance with the government’s own Cyber Engagement Strategy commitments on human rights and democracy;
  2. Evaluate government hacking law and practice with the goal of either ending the practice or, at minimum, codifying statutory safeguards to protect human rights;
  3. Ensure representatives from civil society and the public are meaningfully included in cybersecurity policy-making, including the ability to participate in drafting key documents; and
  4. Strengthen data breach notification in Australia to ensure full compliance by the public and private sectors.

Job not yet done, but there is plenty of time and space to ensure that the 2020 Cybersecurity Strategy protects the rights of Australian users! See more of our recommendations in our submission to the 2020 strategy.

Assistance and Access Act review(s)

We have been actively engaged in the consultation on the Assistance and Access Act (with the neighborhood-friendly acronym “TOLA”) since early 2018, before the full text of the bill was introduced. In an atmosphere of intense political pressure, the bill was hastily passed into law without due consultation, and we have been promised amendments to fix it ever since.

While we advocate for a full repeal, we do appreciate that there are two reviews currently under way, one by the PJCIS and one by an independent monitor, the Independent National Security Legislation Monitor (INSLM). Memorable acronyms, right? The output from these two reviews is slated for March 2020, although there are reports that INSLM may need a few more months.

We are cautiously optimistic, especially given that the focus of these reviews is on the necessity and proportionality of TOLA, as well as the rights of individuals. Encryption is central to the protection of human rights, the digital economy, and the preservation of cybersecurity — all of which could use a digital rights hero right about now.