After much debate, the Australian government's controversial mandatory data retention law has been passed. Telecommunications companies will now be required to retain a defined subset of their customers' telecommunications data records for two years and allow national security agencies to access these records. Irrespective of certain safeguards which have been implemented, the practical effect of these new laws is that vast amounts of data on the movements and habits of ordinary Australian citizens will be collected by Australian telecommunications companies, involving substantial costs for data retention and the potential for an increased level of surveillance of Australians.
The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 (Cth) (the Bill) does not define "metadata". Instead, it amends the Telecommunications (Interception and Access) Act 1979 (Cth) (the TIA Act) to specify the kinds of information that telecommunications companies will be required to keep under the new section; 187AA of the TIA Act. This will include metadata for phone and computer use, such as:
- Subscriber or account holder details
- Source and destination of the communication
- Date, time, duration and location of the communication
- Type of services used (eg voice, SMS, email, social media)
- Type of delivery services (eg ADSL, Wi-Fi, VoIP, cable)
Telecommunications companies will only be required to retain the metadata rather than the content of phone calls, emails and web browsing history, all of which are specifically excluded in the legislation. According to the Explanatory Memorandum to the Bill, this is because access to metadata infringes less on personal privacy than on access to content.
Although the Bill is part of a suite of counter-terrorism measures against home-grown terrorists, privacy advocates have raised concerns about the new law due to the risk of security agencies misusing the personal information of Australians. Legal and media advisors have raised concerns as to the long-term effects the new law could have on journalistic or legal privilege. The additional responsibilities placed on telecommunication sector entities to capture and retain data and information can arguably increase their liability exposure and that of their insurers.
The Australian government has tried to ease these privacy concerns by including what it sees as appropriate safeguards, such as, requiring national security agencies to make a case that access to the data is "reasonably necessary" to an investigation. There is also an independent oversight mechanism allowing the Commonwealth Ombudsman access to agency records and allowing the Parliamentary Joint Committee on Intelligence and Security oversight of the use of metadata by the AFP and ASIO.
Telecommunications companies are now required to encrypt the retained information and protect it from unauthorised interference or unauthorised access, which is in line with the principles under the Privacy Act 1988 (Cth) for the handling of personal information.
Further, national security agencies accessing phone and computer records pursuant to the new laws, will now be subject to the Australian Privacy Principles for the handling of that information, to the extent that the information constitutes "personal information" for the purposes of the Privacy Act.
Is this appropriate and reasonable, considering the intrinsically personal details that will be held?
The safeguards provide only a level of comfort that the information being retained will be held and used only within defined parameters.
It is important to remember that all systems are subject to breaches, even those maintained by the telecommunications industry and by national security agencies - this is particularly relevant with regard to the current regulatory focus on data breach and privacy related issues and exposures.
It remains to be seen how the implementation of the new laws will unfold and as to whether the intended national security benefits outweigh the financial cost of implementing the regime and the long term effect, which the retention of data might have on the personal privacy of Australians.