Yesterday the Senate passed the Cybercrime Legislation Amendment Bill (CB). The CB details a range of legislative amendments to implement Australia’s accession to the Council of Europe Convention on Cybercrime.
Most notably, Australia will now have a data preservation scheme following amendments to the Telecommunications (Interception and Access) Act 1979 (Cth). The data preservation scheme supplements the existing ‘reasonable assistance’ requirements, that have been increasingly and intensively used by law enforcement agencies to obtain access to information about communications such as geo-location information, data and time of particular communications by nominated individuals and other non-core content data.
Law enforcement agencies will be able to issue three types of preservation notices:
- historic domestic preservation notices (which require a preservation of communications held by the carrier or carriage service provider (C/CSP) on the day the notice is received that might assist in an investigation relating to security or a contravention of certain Australian laws for up to 90 days);
- ongoing domestic preservation notices (which require a preservation of communications held by the C/CSP during a 29 day period after the notice is received that might assist in an investigation relating to security or a contravention of certain Australian laws for up to 90 days); and
- foreign preservation notices (which cover stored communications held by the C/CSP on the day the notice is received that might assist in an investigation relating to a contravention of certain foreign laws).
Law enforcement agencies will only be able to access the information under a warrant. The scheme addresses the concern that law enforcement agencies are not able to respond quickly enough to investigate criminal activity online, whilst seeking to balance privacy concerns about the ability of government to monitor online activity of its citizens.
The CB also amends the extraterritorial operation the Criminal Code by imposing criminal liability on Australian citizens where certain conduct occurs outside of Australia.
This update primarily considers domestic preservation notices under the CB.
Who may issue a data preservation notice?
A large number of government bodies are either ‘enforcement agencies’ or ‘interception agencies’ who may issue a data preservation notice. This includes police bodies such as the Australian Federal Police or state police agencies.
When may a data preservation notice be given?
A data preservation notice may be issued by a relevant agency if the agency is investigating a ‘serious contravention’ and considers that there are reasonable grounds for suspecting that in the relevant period of the notice, there are stored communications that might assist in connection with the investigation.
A serious contravention includes offences with an imprisonment term of at least three years.
Who has to comply with a data preservation notice?
The CB applies C/CSPs. This means that both network operators and service providers will be required to comply with data preservation notices. The relevant definition of “carriage service provider” takes its meaning from the Telecommunications Act 1997 (Cth) and has the potential to apply to a range of traditional and non-traditional players alike.
Responding to data preservation notices
C/CSPs are required to preserve communications including speech, data, text, visual images or signals during the notice period. C/CSPs need to ensure that they have systems in place to respond to and comply with a data preservation notice.
A key issue for C/CSPs is ensuring that the C/CSP preserves relevant communications by withdrawing them from automatic delete or purge cycles that they may have in place. From the time a data preservation notice is in place C/CSPs will have to be ready to protect communications from those cycles. In some cases, C/CSPs may already have processes in place to deal with the requirements of actual or prospective litigation. However, for those C/CSPs that have dealt with litigation and other requirements on an ad hoc basis implementing processes to respond to any data preservation notice may impose significant costs and burdens.
The data preservation amendments in the CB come into effect 28 days after receiving royal assent. Late amendments to CB will prevent a relevant agency from issuing a domestic preservation notice until 90 days after royal assent; however, it appears that a foreign data preservation notice may still be issued in the interim.
The data preservation model in the CB is in stark contrast to the data retention model proposed by the Parliamentary Committee on Intelligence and Security inquiry into potential reforms of national security legislation in their discussion paper of 9 July 2012. The discussion paper moots a 24 month data retention scheme proposing a regime where the default position would be for all C/CSPs (and potentially applications providers) to retain communications of its users for 24 months regardless of any suspicion or actual wrongdoing. Many commentators lambasted this proposal on privacy, cost and technical feasibility grounds. The government appears to have now distanced itself from this proposal and it is likely that the data preservation regime will remain for some time.
Detailed information including the text of the CB, late amendments and the explanatory memorandum is available here.