Senate

Scams Prevention Framework Bill 2024

Revised Explanatory Memorandum

(Circulated by authority of the Assistant Treasurer and Minister for Financial Services, the Hon Stephen Jones MP and Minister for Communications the Hon Michelle Rowland MP)
THIS MEMORANDUM TAKES ACCOUNT OF AMENDMENTS MADE BY THE HOUSE OF REPRESENTATIVES TO THE BILL AS INTRODUCED

Chapter 2: Statement of Compatibility with Human Rights

Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Scams Prevention Framework Bill 2024

Overview

2.1 The Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

Scams Prevention Framework

Right to privacy

2.2 Article 17 of the International Covenant on Civil and Political Rights (ICCPR) provides:

1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
2. Everyone has the right to the protection of the law against such interference or attacks.

2.3 Article 17 may be subject to permissible limitations where those limitations are provided by law and non-arbitrary. In order for limitations not to be arbitrary, they must be aimed at a legitimate objective and be reasonable, necessary and proportionate to that objective.

2.4 The object of the Bill is to prevent and respond to scams impacting the Australian community. It does so by establishing a whole-of-economy Scams Prevention Framework (SPF) that requires regulated entities to develop and implement processes, procedures and systems to take action to prevent and combat scams. The SPF also includes an enforcement regime to allow regulators to take action against regulated entities where appropriate.

2.5 For the purposes of the SPF, the definition of 'scam' includes a direct or indirect attempt to engage an SPF consumer of a regulated service where it would be reasonable to conclude that the attempt involves deception, and would, if successful, cause loss or harm including obtaining SPF personal information of the SPF consumer or their associates. SPF personal information is subsequently defined to include personal information, within the meaning of the Privacy Act 1988 (Privacy Act), or information relating to a person that may be used to access a service, an account, funds, credit or other financial benefits.

2.6 Regulated entities will be required to take steps under the SPF to prevent and combat scams involving the loss of personal information. In this regard, the Bill engages the right to protection against unlawful and arbitrary interference with privacy by promoting that right, as it is likely to have a positive and beneficial impact on the privacy of consumers.

2.7 A key aim of the SPF is to prevent and disrupt scams before a consumer is impacted. This aim is supported in the SPF by enabling prompt and dynamic sharing of information relating to scams. This information may include personal information, and may need to be collected, used and disclosed promptly to enable entities to carry out effective disruption activities to protect consumers from scam harms.

2.8 To achieve this aim, the Bill authorises the use and disclosure of personal information by regulated entities, SPF regulators, operators of authorised third party data gateways, portals or websites, and the operator of an SPF EDR scheme in certain circumstances. The key information sharing provisions:

require regulated entities to report actionable scam intelligence to the SPF general regulator - see section 58BR;
require regulated entities to share scam reports with an SPF regulator upon request - see section 58BS;
require regulated entities to report the outcomes of investigations of actionable scam intelligence to the SPF general regulator - see section 58BY;
enable the SPF rules to prescribe a scheme for authorising third parties to operate data gateways, portals that give access to reports - see section 58BT;
enable the SPF general regulator to disclose information about scams to a range of listed entities, including regulated entities, domestic law enforcement agencies, foreign law enforcement and regulatory agencies, and Commonwealth agencies with policy responsibility for scams - see section 58BV; and
enable SPF regulators to disclose information to each other, either on request or on its own initiative - see section 58EG.

2.9 Any personal information that is used, shared or collected in these instances is expected to relate to the person suspected of being involved in the commission of a scam, or the scam victim.

2.10 For example, it may include a phone number a scammer is using to contact consumers, information about a social media account being used to create fraudulent advertisements or otherwise deceive consumers, or information about a bank account used to receive scam funds. The prompt use and disclosure of this information is critical to enable the SPF regulators, law enforcement agencies and regulated entities to take action to disrupt scams and protect consumers from scam harms (including minimising scam harms).

2.11 If a scam victim's personal information is disclosed, it will be done to support a regulated entity, regulator or law enforcement agency to disrupt the relevant scam, including by identifying and notifying particular consumers that are at risk about how they can take action to prevent loss or harm (including further loss or harm). It may also be done to allow an SPF regulator to seek the scam victim's consent to make a claim for loss or damages on their behalf - see subsection 58FZC(2). This may be done alongside the SPF regulator initiating proceedings against the regulated entity for a contravention of a civil penalty, and allows for the remediation of loss or damage to be streamlined to save scams victims the time and cost of pursuing a matter in court or through a dispute resolution process.

2.12 There are also a range of safeguards that apply to the collection, use and disclosure of personal information under the SPF.

2.13 The entities that are expected to receive and disclose personal information under the SPF will generally be subject to the Privacy Act obligations about handling personal information. This includes the SPF regulators, authorised third party operators of data gateways, portals or websites, and regulated entities (noting the Government has committed to initially designating providers of telecommunications services, banking services and certain digital platform services to be regulated entities).

2.14 Accordingly, these entities can only use or disclose personal information for the purpose for which it was collected, which safeguards against the personal information being handled, used or disclosed in a way that is beyond the scope of the disclosure or otherwise contrary to the right to privacy. It will also ensure that consumers are able to access the complaints mechanism under the Privacy Act if they are concerned that there has been an interference with their privacy.

2.15 Relatedly, while the Bill provides a safe harbour for regulated entities to take disruptive action while investigating whether an activity is a scam, this safe harbour only applies if certain conditions are met. This includes that the action is taken in good faith, taken in compliance with the SPF provisions, is reasonably proportionate to the activity, and promptly reversed if the activity is later recognised to not be a scam. Accordingly, where a regulated entity is considering taking disruptive action that may interfere with an individual's privacy, the entity must ensure that doing so is appropriate in the circumstances, otherwise the safe harbour may not be available to the entity. This includes weighing up the potential benefits of taking the disruptive action, such as preventing or combating a scam to protect consumers (including the consumer to whom the personal information relates).

2.16 Further, the Bill protects against arbitrary interference with privacy by including requirements that personal information is de-identified prior to being shared in certain circumstances, unless doing so would not achieve the object of the SPF. This safeguard applies when:

regulated entities are requested to share scam reports with an SPF regulator - see subsection 58BS(5);
the SPF general regulator shares any information with a Commonwealth agency or authority involved in developing Government policy relating to scams - see subsection 58BV(4);
the operator of an SPF EDR scheme gives information to an SPF regulator (including about contraventions and systemic issues) - see subsection 58DD(3);
an SPF regulator discloses information to the operator of an SPF EDR scheme - see subsection 58DE(3); and
an SPF regulator discloses information to another SPF regulator, whether on request or on its own initiative - see section 58EH.

2.17 This safeguard requires the relevant party to form a view that the use or disclosure of personal information is necessary to prevent and respond to scams impacting consumers, thereby limiting the handling of personal information unless necessary.

2.18 This safeguard does not apply to other instances of information sharing under the SPF as in those instances, it is critical that information can be shared quickly to support the disruption of scams and minimise the harms to consumers. The Privacy Act protections are intended to be the primary safeguard for the handling of personal information in those cases.

2.19 As the transnational nature of scams requires a coordinated international approach to minimise scam harms, the Bill enables the disclosure of scams-related information, including personal information, by the SPF general regulator to a foreign law enforcement or regulatory agency. Additional safeguards are included in the Bill with respect to these disclosures, given these foreign agencies may not be subject to an equivalent of the Privacy Act. Specifically, the foreign agency is required to give the SPF general regulator an undertaking about controlling the storage, handling and the use of the information to be shared, and the SPF general regulator must consider that it is appropriate in all circumstances to disclose the information. These safeguards are designed to ensure that any information, including personal information, is appropriately handled by an agency of a foreign country.

2.20 Therefore, to the extent that the information sharing provisions in the SPF constitute a limitation of a person's right to be protected from interference with his or her privacy, the limitation is reasonable and proportionate to the objectives of protecting consumers from scam harms. The provisions are prescribed by law and are in pursuit of the legitimate objective of preventing and responding to scams impacting the Australian community.

Right to fair trial

Civil penalties are not 'criminal'

2.21 Civil penalty provisions may engage criminal process rights under Articles 14 and 15 of the ICCPR regardless of the distinction between criminal and civil penalties in domestic law. This is because the word 'criminal' has an autonomous meaning in international human rights law. When a provision imposes a civil penalty, an assessment is required as to whether it amounts to a 'criminal' penalty for the purposes of Articles 14 and 15 of the ICCPR.

2.22 The Bill expressly describes the requirements to be complied with as 'civil penalty provisions' and creates a regime for their enforcement. This triggers the application of the Regulatory Powers Act and its standard provisions. The penalties to be imposed are appropriate and tailored to the purpose of the SPF, which aims to prevent and respond to scams impacting consumers.

2.23 The civil penalty orders provided for in the Bill are pecuniary in nature and operate to create a debt to the Commonwealth. They do not apply to individual members of the public, but to a cohort of businesses operating within a regulated sector.

2.24 There are two tiers for contraventions under the SPF, with different penalties for each tier. The maximum quantum for a tier 1 contravention is higher as these are reserved for conduct that contravenes certain, fundamental obligations of the SPF principles. The provisions set an amount as the maximum penalty that should apply in the most egregious instances of non-compliance with the Bill.

2.25 A tier 1 contravention is a contravention of a civil penalty provision set out in Table 2.1.

Table 2.1 Tier 1 civil penalty provisions

Provision Description of civil penalty
58BJ Entity fails to take reasonable steps to prevent scams
58BM Entity fails to take reasonable steps to detect scams
58BN Entity has actionable scam intelligence and fails to take reasonable steps to investigate
58BO Entity has actionable scam intelligence and fails to take reasonable steps within reasonable time to identify consumer
58BX Entity has actionable scam intelligence and fails to take reasonable steps within reasonable time to disrupt the activity or prevent loss or harm arising from the activity
58BY Entity has actionable scam intelligence and fails to give a report about actionable scam intelligence to the SPF general regulator
58BZC Entity does not have accessible mechanism for person to report activity that is or may be a scam
58BZD Entity does not have accessible and transparent IDR mechanism
58BZDA Entity undertakes IDR and fails to provide a statement of compliance
58BZE Entity undertakes IDR and fails to have regard to prescribed process and guidelines
58BZF Entity fails to make publicly accessible information about rights of SPF consumers under reporting and IDR mechanisms and EDR scheme
58BZG Entity is not a member of an authorised EDR scheme or fails to give reasonable assistance to or cooperate with the EDR operator or fails to comply with obligation under SPF code for sector that relates to scheme.

2.26 The maximum penalty amount for a tier 1 contravention by a body corporate is the greater of the following:

159,745 penalty units (which is currently $50,000,185);
if the relevant court can determine the total value of the benefit that the body corporate and any body corporate related to that body corporate have obtained directly or indirectly and is reasonably attributable to the contravention - three times that total value;
if the court cannot determine that total value - 30 per cent of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

2.27 The maximum penalty amount for a tier 1 contravention by a person other than a body corporate is 7,990 penalty units (which is currently $2,500,870).

2.28 A tier 2 contravention is a contravention of a civil penalty provision of an SPF code or a civil penalty provision set out in Table 2.2.

Table 2.2 Tier 2 civil penalty provisions

Provision Description of civil penalty
58BD Entity fails to document and implement governance policies and procedures relating to scams, and develop and implement performance metrics and targets to measure the effectiveness of those policies and procedures.
58BE Entity fails to provide annual certification about its governance policies, procedures, metrics and targets.
58BF Entity fails to meet the record keeping obligations relating to governance
58BG Entity fails to provide a report about its governance arrangements upon request by an SPF regulator
58BR Entity fails to report actionable scam intelligence to SPF regulators
58BS Entity fails to report scams to SPF regulators upon request by an SPF regulator

2.29 The maximum penalty amount for a tier 2 contravention by a body corporate is the greater of the following:

31,950 penalty units (which is currently $10,000,350);
if the relevant court can determine the total value of the benefit that the body corporate and any body corporate related to that body corporate have obtained directly or indirectly and is reasonably attributable to the contravention - three times that total value;
if the court cannot determine that total value - 10 per cent of the adjusted turnover of the body corporate during the breach turnover period for the contravention.

2.30 The maximum penalty amount for a tier 2 contravention by a person other than a body corporate is 1,600 penalty units (which is currently $500,800).

2.31 The judiciary continues to have discretion to consider the seriousness of the contravention and impose a penalty that is appropriate in the circumstances. The civil courts are experienced in making civil penalty orders at appropriate levels having regard to the maximum penalty amount, considering a range of factors including the nature of the contravening conduct and the size of the entity involved.

2.32 Further, while the civil penalty provisions in the Bill are intended to deter people from non-compliance with the SPF, none of the civil penalty provisions carry a penalty of imprisonment and there is no sanction of imprisonment for non-payment of any penalty.

2.33 Therefore, the civil penalty provisions introduced by the Bill should not be considered 'criminal' for the purposes of Articles 14 and 15 of the ICCPR.

Reverse evidential burden

2.34 The SPF rules may contain exceptions to the requirement to report actionable scam intelligence to the SPF general regulator under section 58BR. For example, the rules may specify that entities are not required to report actionable scam intelligence they received from the SPF general regulator, to avoid duplication. The SPF rules may also specify that an entity is not required to share information where doing so would be inconsistent with an overseas privacy law which also applies to the actionable scam intelligence.

2.35 Where such an exception applies, the defendant bears an evidential burden in relation to establishing those matters because the exception operates as an exception to a general obligation of the SPF. This refers to the burden of adducing or pointing to evidence that suggests a reasonable possibility that the exception in the SPF rules applies.

2.36 This is consistent with the operation of the Regulatory Powers Act and is appropriate as the information relating to this matter is peculiarly within the knowledge of the defendant. This limitation is also necessary to avoid costly and difficult investigations by an SPF regulator to enforce the reporting requirement, which plays a critical role in achieving the object of the SPF.

Infringement notices

2.37 The Bill also engages the right to a fair and public hearing through the creation of an infringement notice scheme. An infringement notice can be issued by an inspector of an SPF regulator for a contravention of a civil penalty provision that is enforceable under the Bill. Section 58FS operates so that the alleged contravention of the civil penalty provision will be heard by a court where:

the person does not pay the penalty specified;
within the compliance period;
in accordance with the notice; and
in circumstances where the notice has not been withdrawn by the regulator.

2.38 This ensures the right of a person to a fair and public hearing by a competent, independent and impartial tribunal is preserved by the Bill.

2.39 Additionally, the Bill outlines that the operation of section 58FS must be explained in an infringement notice issued to a person.

2.40 Under section 58FR, neither criminal nor civil proceedings may be brought against a person who has been issued an SPF infringement notice where the person pays the specified penalty in accordance with that notice and within the compliance period, and the infringement notice has not been withdrawn. Further, the contravention alleged in the infringement notice is not proved by the payment of that penalty.

2.41 The ACCC has an existing investigation power under section 155 of the CCA. Section 155 confers power on the ACCC to obtain information, documents and evidence about conduct that constitutes or may constitute a contravention of the CCA. This power may be delegated under new section 58EC to a sector regulator, or to a member, SES employee, or other employee of the sector regulator acting at an SES level, where the sector regulator has agreed to the delegation in writing.

2.42 In addition, the Bill provides for the regulators to have certain other enforcement powers relating to monitoring or investigating compliance with an SPF code. Generally, regulated entities are to be subject to monitoring and investigation under Part 2 of the Regulatory Powers Act, except where: either the ACCC, ASIC or ACMA is the sector regulator; or a declaration is in force under subsection 58FI(2) (which declares that particular monitoring powers are to apply). Within Part 2 of the Regulatory Powers Act, sections 24 and 54 make it an offence to fail to answer questions of an authorised officer. Conduct constituting an offence under either provision is subject to a penalty of 30 penalty units. Sections 17 and 47 of the Regulatory Powers Act affirm that the privilege against self-incrimination and legal professional privilege are not abrogated. These protections guarantee the fair trial rights protected in Articles 14(3)(d) and (g) of the ICCPR by limiting the operation of the questioning powers provided by the Regulatory Powers Act.

2.43 To the extent the Bill engages Article 14 of the ICCPR, it does so appropriately. It is regulatory and disciplinary in nature and limited to achieving the measure's purpose. A higher penalty may be imposed on individuals amounting to a criminal penalty if their value exceeds the maximum amount allowed by the civil penalty law.

Conclusion

2.44 The Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011. Where the Bill may limit human rights, including where the provisions of the Regulatory Powers Act have been triggered, those limitations are reasonable, necessary and proportionate for the regulators to carry out their functions and to achieve the object of the SPF, which is to prevent and respond to scams impacting the Australian community.
