2019 The Parliament of the Commonwealth of Australia HOUSE OF REPRESENTATIVES Presented and read a first time Securing the Nation's Critical Infrastructure Bill 2019 Written by u/DirtySaiyan A Bill for an Act to create a framework for managing critical infrastructure, and for related purposes Contents Part 1—Preliminary 4 Division 1—Preliminary 4 1 Short title 4 2 Commencement 4 3 Objects 4 Division 2—Definitions 4 4 Definitions 4 5 Meaning of operational information 5 6 Meaning of direct interest holder 5 7 Meaning of influence or control 6 8 Meaning of critical infrastructure asset 6 9 Meaning of critical electricity asset 7 10 Meaning of critical port 7 11 Meaning of critical gas asset 7 Division 3—Constitutional provisions and application of this Act 8 12 Application of this Act 8 13 Extraterritoriality 8 14 This Act binds the Crown 8 Part 2—Register of Critical Infrastructure Assets 8 Division 1—Simplified outline of this Part 8 15 Simplified outline of this Part 8 Division 2—Register of Critical Infrastructure Assets 9 16 Secretary must keep Register 9 17 Secretary may add information to Register 9 18 Secretary may correct or update information in the Register 9 19 Register not to be made public 9 Division 3—Obligation to give information and notify of events 9 20 Initial obligation to give information 9 21 Ongoing obligation to give information and notify of events 10 Part 3—Directions by the Minister 10 Division 1—Simplified outline of this Part 10 22 Simplified outline of this Part 10 Division 2—Directions by the Minister 11 23 Direction if risk of act or omission that would be prejudicial to security 11 24 Requirement to comply with direction 11 Part 4—Declaration of assets by the Minister 12 Division 1—Simplified outline of this Part 12 25 Simplified outline of this Part 12 Division 2—Declaration of assets by the Minister 12 26 Declaration of assets by the Minister 12 Part 5—Secretary’s powers 12 Division 1 — Secretary’s power to obtain information or documents 12 2 27 Secretary may obtain information or documents from entities 12 Division 2—Matters relating to Secretary’s powers 13 28 Additional power of Secretary 13 29 Assets ceasing to be critical infrastructure assets 13 Part 6—Enforcement 13 Division 1—Simplified outline of this Part 13 30 Simplified outline of this Part 13 Division 2 — Civil penalties, enforceable undertakings and injunctions 14 31 Civil penalties, enforceable undertakings and injunctions 14 Part 7—Miscellaneous 15 Division 1—Periodic reports and reviews 15 32 Periodic report 15 33 Review of this Act 15 3 The Parliament of Australia enacts: Part 1—Preliminary Division 1—Preliminary 1 Short title This Act may be cited as the ​Securing the Nation's Critical Infrastructure Act 2019 2 Commencement This Act commences on the day it receives the Royal Assent. 3 Objects The object of this Act is to provide a framework for managing risks to national security relating to critical infrastructure, including by: (a) improving the transparency of the ownership and operational control of critical infrastructure in Australia in order to better understand those risks; and (b) facilitating cooperation and collaboration between all levels of government, and regulators, owners and operators of critical infrastructure, in order to identify and manage those risks. Division 2—Definitions 4 Definitions In this Act, unless the contrary intention appears: National security​ means the same as the definition of ​security​ as given in the ​Australian Security Intelligence Organisation Act 1979​. Register​ means the Register of Critical Infrastructure Assets kept by the Secretary under section 16. ​ ean the minister for the Department of Infrastructure Minster m Regulatory Powers Act​ means the ​Regulatory Powers (Standard Provisions) Act 2014​ . Reporting entity​, for an asset, means either of the following: (a) the responsible entity for the asset; (b) a direct interest holder in relation to the asset. 4 Note: An entity may be both the responsible entity for an asset and a direct interest holder in relation to the asset Secretary​ means the Secretary of the Attorney-General’s Department. 5 Meaning of operational information (1) The following information is ​operational information​ in relation to an asset: (a) the location of the asset; (b) a description of the area the asset services; (c) the following information about each entity that is the responsible entity for, or an operator of, the asset: (i) the name of the entity; (ii) if applicable, the ABN of the entity, or other similar business number (however described) if the entity was incorporated, formed or created (however described) outside Australia; (iii) the address of the entity’s head office or principal place of business; (iv) the country in which the entity was incorporated, formed or created (however described); (d) the following information about the chief executive officer (however described) of the responsible entity for the asset: (i) the full name of the officer; (ii) the country or countries of which the officer is a citizen; 6 Meaning of direct interest holder (1) An entity is a ​direct interest holder​ in relation to an asset if the entity: (a) together with any associates of the entity, holds an interest of at least 10% in the asset (including if any of the interests are held jointly with one or more other entities); or (b) holds an interest in the asset that puts the entity in a position to directly or indirectly influence or control the asset. (2) Subsection (1) does not apply to an interest in an asset held by an entity if: (a) the entity holds the interest in the asset: (i) solely by way of security for the purposes of a moneylending agreement; or (ii) solely as a result of enforcing a security for the purposes of a moneylending agreement; and (iii) the holding of the interest does not put the entity in a position to directly or indirectly influence or control the asset; and (iv) if the entity is holding the interest solely by way of security—enforcing the security would not put the entity in a position to directly or indirectly influence or control the asset. (3) A ​moneylending agreement​ is: 5 (a) an agreement entered into in good faith, on ordinary commercial terms and in the ordinary course of carrying on a business (a ​moneylending business​) of lending money or otherwise providing financial accommodation, except an agreement dealing with any matter unrelated to the carrying on of that business; or (b) if the entity: (i) is carrying on a moneylending business; or is a subsidiary or holding entity of a corporate entity that is carrying on a moneylending business; 7 Meaning of ​influence or control (1) An entity is in a position to directly or indirectly ​influence or control​ an asset if: (a) the entity is in a position to exercise voting or veto rights in relation to the body that governs the asset; or (b) the entity is in a position to make decisions that materially impact on the running of, or strategic direction in relation to, the asset; or (c) the entity has the ability to appoint: (i) persons to the body that governs the asset; or (ii) key personnel involved in running the asset; or (d) the entity is in a position to influence or determine decisions relating to: (i) the business plan, or any other management plan, for the asset; or (ii) major expenditure relating to the asset; or (iii) major contracts or transactions involving the asset; or (iv) major loans involving the asset. 8 Meaning of ​critical infrastructure asset (1) An asset is a ​critical infrastructure asset​ if it is: (a) a critical electricity asset; or (b) a critical port; or (c) a critical water asset; or (d) a critical gas asset; or (e) an asset declared under section 26 to be a critical infrastructure asset; or (f) an asset prescribed by the rules for the purposes of this paragraph. (2) However, the rules may prescribe that a specified: (a) critical electricity asset; or (b) critical port; or (c) critical water asset; or (d) critical gas asset; is not a critical infrastructure asset. Prescribing an asset as a critical infrastructure asset (3) The Minister must not prescribe an asset for the purposes of paragraph (1)(f) unless the Minister is satisfied that: a. the asset is critical to: 6 i. the social or economic stability of Australia or its people; or ii. the defence of Australia; or iii. national security; and b. there is a risk, in relation to the asset, that may be prejudicial to security. 9 Meaning of ​critical electricity asset (1) An asset is a ​critical electricity asset​ if it is: (a) a network, system, or interconnector, for the transmission or distribution of electricity to ultimately service at least 100,000 customers; or (b) an electricity generation station that is critical to ensuring the security and reliability of electricity networks or electricity systems in a State or Territory 10 Meaning of ​critical port An asset is a ​critical port​ if it is land that forms part of any of the following security regulated ports: (a) Broome Port; (b) Port Adelaide; (c) Port of Brisbane; (d) Port of Cairns; (e) Port of Christmas Island; (f) Port of Dampier; (g) Port of Darwin; (h) Port of Eden; (i) Port of Fremantle; (j) Port of Geelong; (k) Port of Gladstone; (l) Port of Hay Point; (m) Port of Hobart; (n) Port of Melbourne; (o) Port of Newcastle; (p) Port of Port Botany; (q) Port of Port Hedland; (r) Port of Rockhampton; (s) Port of Sydney Harbour; (t) Port of Townsville; 11 Meaning of critical gas asset (1) An asset is a ​critical gas asset​ if it is any of the following: (a) a gas processing facility that has a capacity of at least 300 terajoules per day or any other capacity prescribed by the rules; (b) a gas storage facility that has a maximum daily quantity of at least 75 terajoules per day or any other quantity prescribed by the rules; (c) a network or system for the distribution of gas to ultimately service at least 100,000 customers or any other number of customers prescribed by the rules; 7 Note: The rules may prescribe that a specified critical gas asset is not a critical infrastructure asset (see section 8). Division 3—Constitutional provisions and application of this Act 12 Application of this Act (1) This Act applies to the following: (a) an entity that is a corporation (b) an entity that is a reporting entity for, or an operator of, an asset that is: (i) in a Territory; or (ii) used in the course of, or in relation to, trade or commerce with other countries, among the States, between Territories or between a Territory and a State; or (iii) used for the purposes of the defence of Australia; 13 Extraterritoriality This Act applies both within and outside Australia. 14 This Act binds the Crown (1) This Act binds the Crown in each of its capacities. (2) This Act does not make the Crown liable to be prosecuted for an offence. (3) The protection in subsection (2) does not apply to an authority of the Crown. Part 2—Register of Critical Infrastructure Assets Division 1—Simplified outline of this Part 15 Simplified outline of this Part The Secretary must keep a Register of Critical Infrastructure Assets, containing information in relation to those assets. The Register must not be made public. The responsible entity for a critical infrastructure asset must give the Secretary operational information in relation to the asset. An entity that is a direct interest holder in relation to a critical infrastructure asset must give the Secretary interest and control information in relation to the entity and the asset. 8 If particular events occur in relation to the asset, the relevant reporting entity for the asset must notify the Secretary of the event and provide certain information. The rules may provide for exemptions from these requirements. Division 2—Register of Critical Infrastructure Assets 16 Secretary must keep Register The Secretary must keep a Register of Critical Infrastructure Assets, containing: (a) the information obtained by the Secretary under Division 3 (obligation to give information and notify of events); and (b) any information added under section 10; and (c) any corrections or updates of information described in paragraph (a) or (b) that are made under section 18. 17 Secretary may add information to Register The Secretary may add to the Register any of the following that is obtained by the Secretary: (a) operational information in relation to a critical infrastructure asset; (b) interest and control information in relation to a direct interest holder and a critical infrastructure asset. 18 Secretary may correct or update information in the Register The Secretary may correct or update information in the Register. 19 Register not to be made public The Secretary must ensure that the Register is not made public. Division 3—Obligation to give information and notify of events 20 Initial obligation to give information (1) This section applies if an entity is, or will be, a reporting entity for a critical infrastructure asset at the end of the grace period for the asset. (2) The entity must give the Secretary the following information in accordance with subsection (3): 9 (a) if the reporting entity is the responsible entity for the asset, the operational information in relation to the asset; (b) if the reporting entity is a direct interest holder in relation to the asset—the interest and control information in relation to the entity and the asset. Civil penalty: 50 penalty units. (3) The information must be given: (a) in the approved form; and (b) by the earlier of: (i) the end of the grace period for the asset; or (ii) the end of 30 days after the day the entity becomes a reporting entity for the asset. 21 Ongoing obligation to give information and notify of events (1) This section applies to a reporting entity for a critical infrastructure asset if a notifiable event occurs in relation to the asset: (a) after the entity gives information in relation to the asset under section 13; or (b) after the end of the grace period for the asset. (2) If the reporting entity is required to give information, the reporting entity for the asset must give the Secretary that information and notice of the event: (a) in the approved form; and (b) by the end of 30 days after the event occurs. Civil penalty: 50 penalty units. Part 3—Directions by the Minister Division 1—Simplified outline of this Part 22 Simplified outline of this Part The Minister may require a reporting entity for, or an operator of, a critical infrastructure asset to do, or refrain from doing, an act or thing, if the Minister is satisfied that there is a risk of an act or omission that would be prejudicial to security. The Minister may give the direction only if particular criteria are met and certain consultation has been undertaken. 10 Division 2—Directions by the Minister 23 Direction if risk of act or omission that would be prejudicial to security (1) This section applies if in connection with the operation of, or the delivery of a service by, a critical infrastructure asset the Minister is satisfied that there is a risk of an act or omission that would be prejudicial to security. Direction to do, or refrain from doing, an act or thing (2) The Minister may, subject to subsections (3) and (4), give an entity that is a reporting entity for, or an operator of, a critical infrastructure asset a written direction requiring the entity to do, or refrain from doing, a specified act or thing within the period specified in the direction (3) The Minister must not give the direction unless: (a) the Minister is satisfied that requiring the entity to do, or to refrain from doing, the specified act or thing is reasonably necessary for purposes relating to eliminating or reducing the mentioned in subsection (1); and (b) the Minister is satisfied that reasonable steps have been taken to negotiate in good faith with the entity to achieve an outcome of eliminating or reducing the risk without a direction being given under subsection (2); and (c) an adverse security assessment in respect of the entity has been given to the Minister for the purposes of this section. (4) Before giving the entity the direction, the Minister must have regard to the following: (a) the adverse security assessment mentioned in paragraph (3)(c); (b) the costs that would be likely to be incurred by the entity in complying with the direction; (c) the potential consequences that the direction may have on competition in the relevant industry for the critical infrastructure asset; (d) the potential consequences that the direction may have on customers of, or services provided by, the entity. 24 Requirement to comply with direction An entity must comply with a direction given to the entity under subsection 16(2). Civil penalty: 250 penalty units. 11 Part 4—Declaration of assets by the Minister Division 1—Simplified outline of this Part 25 Simplified outline of this Part The Minister may privately declare an asset to be a critical infrastructure asset if the Minister is satisfied that: (a) the asset is critical infrastructure that affects national security; and (b) there would be a risk to national security if it were publicly known that the asset is critical infrastructure that affects national security. The Minister must notify each reporting entity for a declared asset. Division 2—Declaration of assets by the Minister 26 Declaration of assets by the Minister (1) The Minister may, in writing, declare a particular asset to be a critical infrastructure asset if: (a) the asset is not otherwise a critical infrastructure asset; and (b) the asset relates to a relevant industry; and (c) the Minister is satisfied that: (i) the asset is critical infrastructure that affects national security; and (ii) there would be a risk to national security if it were publicly known that the asset is critical infrastructure that affects national security (2) The declaration must specify the entity that is the responsible entity for the asset. Part 5—Secretary’s powers Division 1 — Secretary’s power to obtain information or documents 27 Secretary may obtain information or documents from entities (1) This section applies if the Secretary has reason to believe that an entity that is a reporting entity for, or an operator of, a critical infrastructure asset has information or a document that: (a) is relevant to the exercise of a power, or the performance of a duty or function, under this Act in relation to the asset; or 12 (b) may assist with determining whether a power under this Act should be exercised in relation to the asset. (2) The Secretary may, by notice in writing given to the entity, require the entity to: (a) give any such information; or (b) produce any such documents; or (c) make copies of any such documents and to produce those copies to the Secretary within the period, and in the manner, specified in the notice. (3) Before giving the entity the notice, the Secretary: (a) must have regard to the costs that would be likely to be incurred by the entity in complying with the notice; and (b) may have regard to any other matters the Secretary considers relevant. (4) An entity must comply with a notice given to the entity under subsection (2) Civil penalty: 150 penalty units. Division 2—Matters relating to Secretary’s powers 28 Additional power of Secretary Without limiting any other provision of this Act, the Secretary may undertake an assessment of a critical infrastructure asset to determine if there is a risk to national security relating to the asset. 29 Assets ceasing to be critical infrastructure assets The Secretary must, in writing, notify the reporting entity for an asset if the Secretary becomes aware that the asset has ceased to be a critical infrastructure asset. Part 6—Enforcement Division 1—Simplified outline of this Part 30 Simplified outline of this Part Civil penalty orders may be sought under Part 4 of the Regulatory Powers Act in relation to contraventions of civil penalty provisions of this Act. Undertakings to comply with civil penalty provisions of this Act may be accepted and enforced under Part 6 of the Regulatory Powers Act. Injunctions under Part 7 of that Act may be used to restrain a person from contravening a civil penalty provision of this Act or to compel compliance with a civil penalty provision of this Act 13 Division 2 — Civil penalties, enforceable undertakings and injunctions 31 Civil penalties, enforceable undertakings and injunctions Enforceable provisions (1) Each civil penalty provision of this Act is enforceable under: (a) Part 4 of the Regulatory Powers Act (civil penalty provisions); and (b) Part 6 of that Act (enforceable undertakings); and (c) Part 7 of that Act (injunctions). Note 1: Part 4 of the Regulatory Powers Act allows a civil penalty provision to be enforced by obtaining an order for a person to pay a pecuniary penalty for the contravention of the provision. Note 2: Part 6 of that Act creates a framework for accepting and enforcing undertakings relating to compliance with provisions. Note 3: Part 7 of that Act creates a framework for using injunctions to enforce provisions. Authorised applicant (2) For the purposes of Part 4 of the Regulatory Powers Act, as that Part applies in relation to a civil penalty provision of this Act, each of the following is an authorised applicant: (a) the Minister; (b) the Secretary. Authorised person (3) For the purposes of Parts 6 and 7 of the Regulatory Powers Act, as those Parts apply in relation to a civil penalty provision of this Act, each of the following is an authorised person: (a) the Minister; (b) the Secretary. Relevant court (4) For the purposes of Parts 4, 6 and 7 of the Regulatory Powers Act, as those Parts apply in relation to a civil penalty provision of this Act, each of the following is a relevant court: (a) the Federal Court of Australia; (b) the Federal Circuit Court of Australia; 14 (c) a court of a State or Territory that has jurisdiction in relation to matters arising under this Act. Extension outside Australia (5) Parts 4, 6 and 7 of the Regulatory Powers Act, as those Parts apply in relation to a civil penalty provision of this Act, extends outside Australia (including to every external Territory). Part 7—Miscellaneous Division 1—Periodic reports and reviews 32 Periodic report (1) The Secretary must give the Minister, for presentation to the Parliament, a report on the operation of this Act for a financial year. (2) A report under subsection (1) must not include personal information (within the meaning of the Privacy Act 1988 ). 33 Review of this Act (1) ​The Parliamentary Joint Committee on Intelligence and Security must: a. review the operation, effectiveness and implications of this Act; and b. review the circumstances in which any declarations have been made under Part 4 of this Act (declarations of assets by the Minister); and c. report the Committee’s comments and recommendations to each House of the Parliament. (2) The Committee must begin the review before the end of 3 years after this Act receives the Royal Assent. 15 Explanatory memorandum: This bill is intended to strengthen the Australian Government's current and future Government's capacity to manage the national security risks of espionage, sabotage and coercion that arise from foreign involvement in Australia’s critical infrastructure. Critical infrastructure underpins the functioning of Australia’s society and economy and is integral to the prosperity of the nation. It enables the provision of essential services such as food, water, health, energy, communications, transportation and banking. Secure and resilient infrastructure supports productivity and helps to drive the business activity that underpins economic growth. Second reading speech: Mr Speaker, I rise to speak in support of this bill. Critical infrastructure is integral to the prosperity of the nation. Secure and resilient infrastructure underpins the effective functioning of our nation's economy and society. Foreign involvement in Australia's critical infrastructure plays an important and beneficial role in supporting economic growth. It can improve productivity by enabling the development of much-needed infrastructure, introducing new technology, allowing access to global supply chains and markets, and enhancing Australia's skills base. However, while recognising its many benefits, increasing foreign involvement in our national critical infrastructure means that Australia's critical infrastructure is more exposed than ever to sabotage, espionage and coercion. As a result, The bill will establish a register of critical infrastructure assets, which will enhance the capability of the centre to understand who owns, controls and has access to Australia's critical infrastructure. This register will support more proactive management of the risks faced by assets in our high-risk sectors. 16