The Singtel Optus Pty Ltd (Optus) network outage of 8 November 2023 was a firm reminder of the critical role that telecommunications services have in our interconnected economy. More than 10 million customers were left without access to both fixed and mobile services, and reports abound of effects on public transport, businesses and emergency calling.
While network disruptions happen from time to time, the unprecedented scale of Optus’s outage has brought into focus the role of Australia’s telecommunications regulatory framework in circumstances such as this. The purpose of this article is to summarise some of the key legal issues that carriers and carriage service providers (C/CSPs) will need to think about in situations where the availability of their telecommunications services or infrastructure assets is impaired. It also considers prospective regulatory reforms that have been the subject of attention following the Optus outage.
A disruption to a telecommunications network may have an innocent explanation: it could be caused by a power or hardware failure or perhaps simple human error, and early indications are that this was the case in the context of the Optus outage. But it’s increasingly foreseeable that a cyber attack executed by a malicious actor could bring a network to its knees.
It was for this reason that Australia’s critical infrastructure laws were expanded by the Commonwealth Government in 2022 to capture assets in the telecommunications sector. This was achieved by the registration of two legislative instruments that require C/CSPs to:
We have previously explored the background to and operation of the instruments in more detail.
The obligations under the instruments broadly mirror those set out in the Security of Critical Infrastructure Act 2018 (SOCI Act). The introduction of this parallel regime was intended to avoid regulatory duplication by keeping C/CSPs within the regulatory ambit of the Telecommunications Act 1997.
However, in the wake of the Optus network outage and following several other high profile cyber security incidents, the Commonwealth Government has announced that it now intends to bring telecommunications providers within the scope of the SOCI Act. It also appears that the Government is prepared to take its time rather than rushing through any amendments to the SOCI Act, as it has launched a consultation to extend the sunset of the current instruments from January 2024 to July 2025.
C/CSPs should be aware that in comparison to the existing instruments, the SOCI Act (in its current form) would impose more comprehensive positive security obligations on C/CSPs, including the preparation of critical infrastructure risk management plans (commonly referred to as CIRMPs). Unlike the instruments, under which asset reporting obligations only apply to C/CSPs, the SOCI Act would also impose reporting obligations on all entities that hold a direct interest in a critical infrastructure asset. We will provide an update once more detail is provided by the Government on how the SOCI Act will be amended to incorporate the telecommunications sector.
The SOCI Act obligations will presumably supplement existing cyber security obligations under Part 14 of the Telecommunications Act 1997, which is commonly referred to as the Telecommunications Sector Security Reforms or ‘TSSR’. In particular, s 313(1A) already requires C/CSPs to “do their best” to protect their networks and facilities from unauthorised access or interference to ensure both the confidentiality of communications and the availability and integrity of networks and facilities.
The existence of this obligation had, up to now, been widely considered to negate the need to bring C/CSPs within the scope of the full suite of cyber security obligations under the SOCI Act. However, the Government’s announcement is a clear indication that attitudes on the appropriate level of cyber security regulation have shifted.
The provision of emergency calling services is regulated by the Telecommunications (Emergency Call Service) Determination 2019 (ECS Determination), a determination made by the Australian Communications and Media Authority (ACMA) under Part 8 of the Telecommunications (Consumer Protection and Service Standards) Act 1999 (TCPSS Act).
The ECS Determination imposes rules on C/CSPs regarding the carriage and handling of emergency calls. Key obligations that should be considered in relation to emergency calling and network availability include the following:
Non-compliance with the requirements of the ECS Determination contravenes the TCPSS Act and may be subject to enforcement action by the ACMA.
C/CSPs should therefore make sure that they have arrangements in place to comply with their emergency calling obligations, including in circumstances where networks are degraded or out of action altogether.
C/CSPs should also consider how service disruptions may impact their obligations to retail and small business consumers under Australian law. In particular, the Australian Consumer Law (ACL) includes certain consumer guarantees that cannot be excluded by the terms of customer contracts.
CSPs may face some risk of liability under the ACL, particularly if an outage is severe and/or lengthy. The remedy that a consumer is entitled to will depend on the nature of the issue and the specific consumer guarantee that has been breached, but may include refunds, compensation, or contract termination.
A number of other service guarantees are imposed by the TCPSS Act in relation to certain services that are covered by the Customer Service Guarantee Standard (CSG Standard).
Consumer complaints, including complaints about breaches of the ACL or CSG Standard, are handled by the Telecommunication Industry Ombudsman (TIO) under the TIO scheme. The TCPSS Act requires that all carriers and eligible CSPs join and comply with the TIO scheme.
The Optus outage has also coincided the recent release of the Australian Competition and Consumer Commission’s (ACCC) Final Report from its Regional Mobile Infrastructure Inquiry (Report). Among other issues, the Report examines the feasibility of temporary mobile roaming during natural disasters or other emergencies.
The Report cites concerns around end users losing connectivity during natural disasters because of damage to network equipment, for example as a result of bushfire or flood. While emergency calls must be carried to 000 using the network of another carrier (as discussed above), there is currently no ability for an end user’s device to roam onto a surviving mobile network operated by a different carrier for non-emergency communications.
The Report found that temporary mobile roaming during natural disasters is technically feasible, though Government agencies and industry would need to develop frameworks to resolve technical and commercial complexities prior to its implementation. The telecommunications regulatory framework will also need to be considered, including potential impacts on competition.
The Commonwealth Government has instructed the Department of Infrastructure, Transport, Regional Development, Communications and the Arts and the National Emergency Management Agency to progress work in designing and developing a mobile roaming capability, reporting back to the Government in March 2024.
We expect that any proposed rules or regulations to implement emergency roaming will be subject to industry consultation in due course.