Australia Looks To Pass Second Part of Cyber Infrastructure Bill
DPC announces €17 million fine on Facebook; EDPS weighs in on targeted advertising
The Australian government is again moving forward on new obligations for critical infrastructure owners and operators. Last November, the Parliament passed a bill requiring the owners of so-called critical infrastructure assets to report cyber incidents and giving the government powers to step in and take over from some owners in the event of a major attack. Before passage of this bill, a key parliamentary committee had recommended splitting a larger package into two discrete bills, the first of which needed to be enacted posthaste, and so it was. Now Australia’s Parliament is back to pass the second bill, but it remains to be seen if this can occur before the 2022 federal elections, in which all of the House and half the Senate will stand for reelection. Nonetheless, the second bill would impose even more requirements on critical infrastructure asset owners, including the performance of critical infrastructure risk management programs. Moreover, there are heightened responsibilities for a subset that will be deemed systems of national significance. As a result, among the so-called western democracies, Australia is again taking the lead in new technology policy.
In late November 2021, the Australian Senate passed the “Security Legislation Amendment (Critical Infrastructure) Bill 2021,” and shortly thereafter the bill received the Royal Assent that makes the bill law (see here for more detail and analysis). This legislation would make Australia one of the first nations in the world that would allow the government to step in and take action on the systems and networks of critical cyber infrastructure in the event of significant cyber incidents. The government took pains to explain that such action would be rare or in emergency circumstances and only if the owner or operator was not cooperating fully. Canberra is reasoning that since cyber infrastructure is of critical importance to the well-being of Australia, the government should have the authority to step in and act if private sector entities cannot or will not. Still, this is one of the first instances where a national government is asserting such a broadly gauged right. The bill would also impose “positive” security obligations on critical infrastructure owners and operators, some of which are to be developed in follow-on legislation the government of Prime Minister Scott Morrison is pledging to draft and introduce in the future.