Offshoring put on notice under proposed telco security law changes

George Brandis - Australian Attorney General (picture courtsey of Neil Duncan & Deutsche Messe via Flickr)

The offshoring of data held by telcos and internet service providers (ISPs) is set to come under scrutiny amid recommended changes to the Government’s proposed telecommunications security legislation.

The Federal Government revealed on 9 August it had accepted several recommendations made by the Committee reviewing its controversial Telecommunications and Other Legislation Amendment Bill 2016, which was introduced into Parliament late last year.

The Bill is aimed at amending the Telecommunications Act 1997 to introduce a regulatory framework that is intended to better manage national security risks of unauthorised access to, and interference with, telecommunications networks and facilities.

Among the 13 recommendations made by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) accepted by the Government was the recommendation that the proposed legislation be amended to include a specific obligation compelling telco carriers or carriage service providers to notify the Communications Access Co-ordinator (CAC) of any new or amended offshoring arrangements.

This requirement relates to data retained under Part 5-1A of the Telecommunications (Interception and Access) Act 1979.

In its response, the Government agreed to amend the Bill to include a specific obligation within the notification requirements for carriers and carriage service providers to notify the CAC if they “enter into any arrangements to have information or documents to which subsection 187A(1) of the Telecommunications (Interception and Access) Act 1979 applies kept outside Australia”.

The Government accepted several other recommendations, including the call for the proposed laws to be revised to provide comprehensive information, clarity and certainty to industry in a greater range of circumstances.

In particular, the revised administrative guidelines should provide further clarity regarding a company’s security obligation in circumstances where a company is providing or reselling an over the top service, telecommunications infrastructure is used (but not necessarily owned or operated) by the company.

It should also apply to circumstances where telecommunications infrastructure is used, but not necessarily owned or operated, by the service provider in question.

Likewise, the additional clarity should also apply where a company’s infrastructure is located in a foreign country, and used to provide services and carry or store information from Australian customers, and where a company provides cloud computing and cloud storage solutions.

The Government said in its response that revised guidance will be developed within the 12 month implementation period.

“The proposed reforms create an obligation on carriers and carriage service providers to do their best to protect their networks from unauthorised access and interference,” a joint release by the Minister for Communications, Mitch Fifield, and the Attorney-General, George Brandis, stated.

“This includes providing early advice to Government of any changes to their network that may be of security concern, so that agencies  can assess risks and cooperate with industry on mitigation strategies,” the statement said.