From 11 January 2019, owners and operators of Australia’s critical infrastructure (ports, electricity, water and gas infrastructure) will have their assets more closely scrutinised by the Commonwealth Government. Entities will be required to disclose information about their corporate structure and asset operations, and may be subject to direction by the Minister.
The Security of Critical Infrastructure Act 2018 (Cth) (Act) seeks to improve the Commonwealth’s understanding of the ownership and operational control of critical infrastructure in Australia.
The Act complements the Critical Infrastructure Centre, which was established in January 2017. The Centre notes that foreign investment can grant access and control to ‘malicious actors’ who would ‘facilitate espionage, sabotage or exert coercive influence’. For example, a foreign actor may seek to disrupt energy supply or obtain confidential data.
The Centre and the Act are apparently responses to an increase in foreign investment, particularly by China. In debating the new law, parliamentarians (including government representatives and members of the Joint Committee on Intelligence and Security) expressed concerns as to the Chinese ownership of the Ports of Darwin and Newcastle. They also noted the ‘deficiencies’ in existing processes, revealed by the proposed sale of electricity distributor Ausgrid to Chinese or Hong Kong buyers.
What is critical infrastructure?
The Act applies to electricity, water and gas assets, and ports, that are ‘critical’ to Australia.
Whether an asset is critical depends on criteria set out in the Act. In addition, the Minister is empowered to declare, in secret, an asset to be critical infrastructure.
By way of example, a gas asset will be critical in the circumstances set out in the table below.
|Type of asset||Threshold for ‘critical’|
|Gas processing facility||Capacity of at least 300 terajoules per day|
|Gas storage facility||Maximum daily quantity of at least 75 terajoules|
|Gas distribution network or system||Distributes gas to at least 100,000 customers|
|Gas transmission pipeline||Tasmanian Gas Pipeline
A pipeline with a nameplate rating of:
In the eastern gas market, at least 200 terajoules per day
In the western gas market, at least 150 terajoules per day
In the northern gas market, at least 80 terajoules per day
Who is subject to the reporting obligations?
The Act requires disclosure by a ‘responsible entity’ and a ‘direct interest holder’ in respect of an asset, which are described together as ‘reporting entities’.
A responsible entity is, broadly, the entity that holds the licence, approval or authorisation to operate the asset in order to provide the service delivered by the asset.
A direct interest holder is an entity which:
together with associated entities, owns at least 10% of the asset; or
holds an interest that allows it to directly or indirectly influence or control the asset. Influence or control includes, for example, the ability to materially affect the running of the asset.
What must be reported?
A responsible entity must give the operational information. This includes, for example:
- the location of the asset and the area it serves;
- information about the each responsible entity or ‘operator’, including their name, business number, head office location and country of incorporation (in this context, an operator is an entity that is authorised to operate the asset or part of the asset, whether or not the entity is a responsible entity);
- information about the entity’s chief executive officer, including their name and citizenship details;
- details of the asset’s operating arrangements; and
- details about the storage of particular data, including information relating to research and development and consumer consumption.
A direct interest holder must give the interest and control information. This includes, for example:
- the entity’s name, business number, head office location and country of incorporation;
- the type and level of the entity’s interest in the asset;
- information about the influence or control that the entity can exercise;
- information about the ability of a member of the entity’s governing body to access systems that control the asset; and
- information about other entities that can influence or control the direct interest holder.
When must reports be submitted?
Initial reporting must be made to the Secretary of the Department of Home Affairs by 11 January 2019.
Where an event occurs that would render the initial reporting incorrect or incomplete, or if a new entity becomes a reporting entity for the asset, the reporting entity must give updated information within 30 days.
If an entity fails to make the initial report or provide updated information, it faces a penalty of up to 50 penalty units ($10,500).
What else does the Act provide?
The Minister may direct a reporting entity or operator of a critical infrastructure asset to do or refrain from doing something where there is a risk to security. This is a considerable power which can only be exercised after consultation and negotiation, and only where the Minister has been given an adverse security assessment in respect of the entity.
The Secretary may require an entity to give documents that are relevant to powers or obligations under the Act, including the Minister’s power to issue a direction.
Will the Secretary maintain confidentiality of information?
The Secretary must ensure that the Register, which contains the information collected under the Act, is not made public.
However, the Secretary may disclose such information to various Commonwealth and state ministers to assist them to exercise their functions. Information may also be disclosed where authorised by Commonwealth law, but is not required to be disclosed to a court, tribunal or authority except in connection with the Act.
What should owners and operators do next?
Owners and operators of critical infrastructure must investigate their corporate structures and the manner in which their assets operate. Reports are to be submitted to the Secretary by 11 January 2019. At any time, the Minister is empowered to make a direction requiring an entity to do something in order to preserve security.