The Asia Internet Coalition (AIC) submitted comments on the Exposure Draft of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 to the Department of Home Affairs. We commend the Department of Home Affairs for their efforts on drafting new measures to strengthen cybersecurity protections for critical infrastructure. While we support these efforts, we believe that the bill’s current definition of cloud service providers, as well as overly broad authorities regarding data collection and access, can potentially undermine the Government’s security objectives and conflict with data privacy standards like the European Union’s (EU) General Data Protection Regulation (GDPR).
The proposed legislation would expand coverage of the Security of Critical Infrastructure (SOCI) Act to cover ten new sectors of the Australian economy including financial services, food and grocery, health care and medical, as well as “data storage or processing,” which is defined as “enterprise data centers, managed services data centers, colocation data centres, and cloud data centers,” and “infrastructure as a service (IaaS), software as a service (SaaS), and platform as a service (PaaS).”
The bill also expands the government’s authority over covered entities, including the power to compel production of systems data and to obtain direct access to provider systems. For example, the legislation suggests that providers may be required to allow the Australian Signals Directorate (ASD) to remove or alter files; to install “host-based sensors” to collect telemetry; to install programs; to “access, add, restore, copy, alter or delete data”; to alter the “functioning” of hardware; or to remove hardware entirely from premises.
Without additional clarification, global providers that potentially fall under the data storage or processing definition will face significant uncertainty regarding their status under the legislation, and how such proposed access will be perceived by non-Australian customers and authorities. Moreover, the prospect of compelled access and compelled production of personal data to the ASD may raise questions about compliance with non-Australian privacy laws like the EU’s General Data Protection Regulation (GDPR). Providing direct government access to network systems that may contain the data of non-Australian individuals appears inconsistent with the requirements of those laws.
Given the substantial uncertainty regarding the scope of numerous provisions of the Security Legislation Amendment (Critical Infrastructure) Bill, we respectfully request that consideration of the legislation be postponed until these many concerns are addressed. As part of any additional deliberations, we request that the Government specifically address potential conflicts with major data privacy statutes like the GDPR.