Australian Privacy Foundation Submission on the Data Retention Bill 2014
36 Pages. Posted: 22 Jan 2015. Last revised: 18 Jul 2015.
Date Written: January 19, 2015
The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (the Bill) would amend the Telecommunications (Interception and Access) Act 1979 (the TIA Act) to require service providers to retain certain types of telecommunications data for a two year period and to introduce certain reforms to the regimes applying to access to stored communications and telecommunications data under the TIA Act.
The following submissions were made by the Australian Privacy Foundation on 19 January 2015, to the Parliamentary Joint Committee on Intelligence and Security, concerning the Committee’s Inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014:
1. The APF opposes mandatory blanket data retention schemes, such as that proposed in the Bill, as they impose a high level of interference that is neither necessary nor proportionate to the objectives of law enforcement and national security. The conclusion that blanket data retention breaches human rights, and especially the right to privacy, has been reached by every court and human rights body that has examined the issue.
2. Mandatory data retention is neither necessary nor proportionate because it entails the indiscriminate collection and retention of all forms of data about all persons, where there is no necessary link to investigations of serious crimes or threats to national security. The aims of the Bill can be achieved by measures that are less intrusive and more highly targeted than blanket retention of telecommunications data.
3. Claims that ‘metadata’ (or non-content telecommunications data) are less intrusive than communications content are misleading, as metadata reveals highly personal information about communications users. Especially when combined with contemporary data analytics, telecommunications data may reveal more about people than communications content. Therefore legal safeguards on the collection of, and access to, telecommunications data should be at least as strong as those that apply to communications content.
4. While access to telecommunications data can clearly be helpful to investigations conducted by law enforcement and security agencies, the evidence indicates that claims that mass collection and retention of metadata is essential are often over-stated. Independent analyses suggest that serious crime and terrorism may be just as effectively investigated by more targeted investigation techniques, which do not rely on mass data retention and which, accordingly, are less privacy-intrusive.
5. The ready availability, to users with no more than average sophistication, of techniques for masking metadata suggests that blanket data retention regimes may be counter-productive, as they create an incentive for users to conceal their communications.
6. Blanket data retention regimes pose a range of risks, which do not seem to have been taken into account by proponents of the Bill. In particular, the Bill will result in the collection and retention of much more data about users than would otherwise be the case, with the attendant risks associated with such large data sets. These risks include: risks associated with unanticipated uses of the data by service providers; risks associated with disclosures to third parties; and risks associated with the difficulties of adequately ensuring the security of large data sets. The APF submits that the current legal controls on the use, disclosure and security of such data, including those established under the Privacy Act 1988 (Cth) and Part 13 of the Telecommunications Act 1997 (Cth), are inadequate.
7. Further risks posed by the mass collection and retention of telecommunications data include risks arising from Australians feeling they may be subject to constant mass surveillance and the potential for scope creep, including the use of such data in litigation unrelated to crime prevention and national security.
8. The APF submits that there are a number of problems with the way in which the proposed data set is dealt with in the Bill. In particular, the data set is not appropriately limited to that which is necessary and proportionate for law enforcement and national security and the statutory categories in the Bill are too broad and uncertain, leaving too much detail to the regulations.
9. The APF recommends the introduction of a definition of ‘telecommunications data’ for the purposes of the access regime in Chapter 4 of the TIA Act. Such a definition is required to remove uncertainty about the data that can be accessed under that regime.
10. The APF submits that there are serious problems with the way in which browsing history is dealt with in the Bill, including in proposed s 187A(4)(b). In particular, as there is no prohibition on service providers collecting and retaining Internet browsing history, which may be accessed as telecommunications data under Chapter 4 of the TIA Act, claims that the exclusion of browsing history from the data set means that the Bill is not privacy-intrusive are disingenuous. Moreover, as some technologies currently deployed by service providers require the logging of destination IP addresses in order to determine the source of a communication, the collection and retention of some browsing history data may be required in order for service providers to comply with their data retention obligations. The APF therefore recommends that the ‘browsing history’ exclusion be revisited with a view to addressing these problems.
11. The APF submits that the two year retention period is excessive in relation to the objectives of the Bill, and recommends that this be reduced to six months.
12. The APF submits that too much discretion is given to the Attorney-General to declare bodies or authorities to be a ‘criminal law-enforcement agency’ for the purposes of the stored communications regime in Chapter 3 of the TIA Act. The APF recommends that the ability to seek a stored communications warrant, or authorise access to historical telecommunications data, should be confined to authorities or bodies responsible for investigating serious criminal offences, serious allegations of public corruption, or serious threats to national security. The APF further recommends that, in exercising the determination-making power, the Attorney-General be specifically required to take into account the effect of a determination on the right to privacy.
13. The APF submits that, given the highly privacy-intrusive nature of metadata, the definition of an ‘enforcement agency’ for the purposes of access to historical telecommunications data is too broad. The APF therefore recommends that access to telecommunications data for the purposes of Chapter 4 of the TIA Act should be confined to authorities or bodies responsible for investigating serious criminal offences, serious allegations of public corruption, or serious threats to national security.
14. The APF submits that the thresholds for access to stored communications and telecommunications data under the TIA Act are too low. The APF recommends that the threshold for access to stored communications should be brought into line with the threshold for interceptions of real-time communications such that access must relate to investigations of offences punishable by imprisonment for at least 7 years. The APF further recommends that the same thresholds should apply to access to telecommunications data under Chapter 4 of the TIA Act.
15. The APF submits that, given the highly privacy-intrusive nature of metadata, the procedural safeguards for access to telecommunications data under Chapter 4 of the TIA Act are inadequate. The APF therefore recommends that procedural safeguards be introduced to regulate access to non-content telecommunications data, which involve a decision of an independent body required to balance the objectives of access against the intrusion on the right to privacy. The safeguards should involve a process analogous to applications for a warrant for access to real-time communications and stored communications.
16. The APF welcomes the enhancement to the oversight and accountability mechanisms for access to stored communications and telecommunications data, including the enhanced role of the Commonwealth Ombudsman, contained in Schedule 3 of the Bill. Especially given the highly privacy-intrusive nature of both stored communications and metadata, the APF recommends that consideration be given to establishing a Commonwealth Public Interest Monitor (PIM), who would be empowered to appear and make submissions on applications for warrants and access.
17. The APF submits that, in proposing a mandatory blanket data retention regime, the government has given insufficient consideration to the potential benefits of a targeted data preservation regime, in which relevant agencies may selectively require the preservation of telecommunications data, provided that satisfactory procedural safeguards are met. The APF therefore recommends that:
(a) The mandatory blanket data retention regime embodied in the Bill be abandoned, on the basis that it is neither necessary nor proportionate, and its effectiveness is questionable, at least in the light of the very high level of interference with privacy entailed by such a regime; and
(b) Consideration be given to the introduction of a more targeted and circumscribed data preservation regime, which may include a modified version of the preservation notice regime established under Chapter 3 of the TIA Act.
Keywords: Australia, data protection, privacy, data retention, human rights