Australia's new data retention laws
Data retention laws have passed through the Senate and House of Representatives with bipartisan support. In essence, the laws require Australian telcos and ISPs to retain metadata for 2 years, unless they obtain an exemption. This article considers the reforms and their implications.
What are the key changes?
Under the former Telecommunications (Interception and Access) Act 1979 (Cth) (the TIA Act), authorised 'enforcement agencies' could already access telecommunications data, and could do so under an internal authorisation rather than a warrant (warrants were required for the content of communications, not for the data about them). However, the TIA Act did not prescribe the type of information required to be retained, nor any minimum period of time for which it was required to be retained.
The changes to the TIA, pursuant to the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Amending Act), require Australian telcos and ISPs to retain 'metadata' for a period of two years. Metadata is 'data about data' – it is, figuratively, the 'envelope', as opposed to the contents of a communication (the 'letter'). The information that the Amending Act prescribes must be retained (called the ‘data set’) includes the time, location and duration, as well as the target and source, of a communication. Failure to comply with the data retention requirements can attract substantial civil penalties.
The Amending Act also:
- confines the 'criminal law enforcement agencies' that can access this data to a restricted subset of agencies;
- requires that a warrant be obtained before accessing journalists' metadata (following the public and political furore over the potential for metadata to disclose journalists' confidential sources);
- allows the Government (in the form of the Communications Access Coordinator) to make exemptions to the operation of the regime;
- imposes privacy obligations on service providers under the regime – the Privacy Act 1988 (Cth) will apply to all service providers that retain data, and service providers must encrypt the retained data and protect it from unauthorised interference and access; and
- introduces an independent oversight for the use of and access to telecommunications data through the role of the Commonwealth Ombudsman.
When will the changes take place?
There is effectively a 2 year window for telcos and ISPs to implement the changes. Within the first 6 months, telcos and ISPs must apply to the Communications Access Coordinator for approval of their 'data retention implementation plan'. This plan must explain the organisation's current practices, the interim arrangements it will have in place, and the expected date by which the organisation will comply with the data retention requirements.
Why have the changes been made?
The Amending Act is the culmination of years of debate around a mandatory data retention scheme. The Attorney-General's Department and various law enforcement agencies advocated that such a scheme would combat the rising threat of organised crime and terrorism and the inadequacy of current investigative abilities. According to the Explanatory Memorandum to the Amending Act:
[d]ata is often the first source of lead information for further investigations, helping to eliminate potential suspects and to support applications for more privacy intrusive investigative tools including search warrants and interception warrants.
How have the changes progressed?
In May 2012, the Attorney-General asked the Parliamentary Joint Committee on Intelligence and Security (the Committee) to advise on national security reforms, including mandatory data retention. But without the benefit of draft legislation, the Committee found it difficult to comment fully on the reforms. The debate gained momentum in 2013 following the Boston bombings and the murder of a British soldier on the streets of London. The Bill was introduced by Malcolm Turnbull on 30 October 2014 and was again referred to the Committee.
The Committee subsequently made 39 recommendations, including that the Amending Act be passed. The Committee also recommended that:
- the Amending Act, as primary legislation, include the proposed data set;
- the Amending Act contain a two year retention period, based on enforcement agencies' operational needs;
- the Amending Act list the agencies with access to the data and specify criteria for agencies to consider before obtaining access;
- to enable effective oversight, funding be increased to the chief regulator (the Commonwealth Ombudsman), the Committee revisit the program in two years’ time, and a mandatory data breach notification system be introduced by the end of 2015 to alert the public of large scale data breaches;
- all organisations that retain this data be subject to the Privacy Act 1988 (Cth) (rather than only organisations that have annual financial turnover of greater than $3 million); and
- the Government make substantial contributions to help shoulder the anticipated $189 to $319 million indicative upfront costs imposed on industry to comply with the Amending Act.
On 3 March 2015, the Government announced it would support all of the Committee's recommendations. The House of Representatives agreed to amend the Bill and also agreed to introduce additional protections for journalists in the form of a 'journalist information warrant'. Although some Senators sought further amendments to the Bill, the Bill passed the Senate without further amendment.
What are the key issues with the Amending Act?
There are various issues with the Amending Act:
- The Minister has broad powers to make declarations that can affect the services covered by the scheme, the type of data retained, and the authorities and bodies that can access the data. This is all the more concerning when one considers that decisions under the TIA Act are not reviewable under the Administrative Decisions (Judicial Review) Act 1977 (Cth). Although decisions may be judicially reviewable under the 'prerogative writs' of mandamus, certiorari and prohibition, the procedures for doing so are considerably more complex.
- It is unclear that the warrant regime provides sufficient protection to journalists because:
- the definition of 'journalist' does not cover modern day digital media, which extends far beyond employees of newspapers and television stations;
- there is little independence in the decision-making process. The decision whether or not to grant a warrant is made by the Minister or a 'Part 4-1 issuing authority', or by the Director-General of Security in emergency situations. Persons eligible to be a 'Part 4-1 issuing authority' are judges and magistrates who have consented to be appointed, or an appointee to the Administrative Appeals Tribunal who has been enrolled as a legal practitioner for at least 5 years. However, a 'Part 4-1 issuing authority' is ultimately appointed by the Minister;
- the detail of the role of the Public Interest Advocate, an individual who can make submissions on whether or not the warrant should be granted, has been left to regulations. For example, it is not clear how a Public Interest Advocate will be notified of a request for a journalist information warrant, or if the Public Interest Advocate must always make submissions; and
- the secret operation of the regime will make it difficult for a Public Interest Advocate to obtain instructions on the impact of the disclosure. In particular, the Public Interest Advocate cannot obtain instructions from the journalist whose interests are affected without committing a criminal offence punishable by up to 2 years' imprisonment.
- Some have questioned whether the cost of the Amending Act is likely to outweigh its practical benefit because:
- the Amending Act places heavy obligations on service providers, not only to retain the information but to protect it by encrypting it and guarding it against unauthorised interference or access. Some service providers have already suggested that they will pass these additional costs on to their customers;
- the Amending Act indicates that the Commonwealth may make a grant of financial assistance to a service provider to assist it to comply with its obligations, but the Amending Act does not explain when such a grant will be provided or the terms and conditions of such a grant;
- services such as Wickr and iMessage encrypt messages end-to-end and run 'over the top' of the underlying carriage service, so the telco or ISP sees only a connection to the service's servers, not who communicated with whom or what was said. The scheme is therefore unlikely to capture sophisticated targets, who can simply move to such services; and
- the data retention scheme potentially increases the security threat posed by a data breach. The retained data set is a concentrated, long-lived store of the location and contact history of every subscriber, so attackers could be attracted to this 'honey pot' in order to obtain access to a far greater volume of personal information than a breach of ordinary operational records would yield. Notably, the Amending Act does not introduce a mandatory data breach notification scheme. Without such a scheme, individuals may not even be notified when their personal information has been compromised.
- The Amending Act is complex, and contains a number of distinctions that are not particularly clear. For example, section 187A(4)(c) appears intended to exempt from the operation of the regime any communications that pass 'over the top' of the underlying carriage service (such as, presumably, iMessage, Facebook and Gmail). However, does this mean (for example) that the date and time of the initial connection to that over the top service (such as Gmail) is required to be captured and stored (but not the date and time of the subsequent communications that may transit via that service)? This is potentially a challenging distinction to draw.
Some critics of the Amending Act have also suggested that judicial officers and lawyers who agree to participate as a 'Part 4-1 issuing authority' will assist in eroding the separation of powers between the judiciary and the executive. However, to the extent that there is any such threat, it already exists under the TIA Act, which already allows judicial officers to act as an 'issuing authority' that determines whether or not to grant warrants under other provisions of the TIA Act. In Grollo v Palmer, Commissioner of the Australian Federal Police (1995) 184 CLR 348, the High Court (Brennan CJ, Deane, Dawson, Toohey and Gummow JJ; McHugh J dissenting) held that the appointment of judges to determine such warrants was not inconsistent with their appointment as judicial officers, as they were appointed in their personal capacity.
There had also been a concern voiced that, following the changes, civil litigants could obtain access to the retained data to pursue actions, such as in the Dallas Buyers Club copyright infringement proceedings currently before the courts. Obtaining access to ISP subscribers' details would assist in the pursuit of copyright infringement proceedings. However, section 280(1B) of the Telecommunications Act 1997 (Cth), inserted by the Amending Act, clarifies that civil litigants cannot access telecommunications data that has been collected and retained only for the purposes of complying with the data retention regime, unless in circumstances prescribed by regulation.
The Amending Act is expected to receive Royal Assent over the next week. After this occurs, the primary data retention obligations will not take effect for most telcos and ISPs for a further 18 months, provided the organisation has a 'data retention implementation plan' approved.
Even though the Amending Act introduced additional safeguards for journalists, the Attorney-General has asked the Committee to conduct a separate review in the coming months into access to journalists' metadata, specifically 'how to deal with the authorisation of a disclosure or use of telecommunications data for the purpose of determining the identity of a journalist's source'. The Committee is receiving submissions until 4 June 2015. Following this inquiry, further amendments to the legislation may be required.
Finally, in light of the Government's support for the Committee's recommendation that a mandatory data breach notification scheme be introduced by the end of 2015, we expect that this will also be on the legislative agenda in the coming months.