Today the Australian government introduced its much anticipated bill to amend telecommunications laws to require providers of certain communications services to retain so-called “metadata” about the communications they carry. The government clearly anticipates that the proposals will be controversial – the Explanatory Memorandum accompanying the bill includes a detailed “Statement of Compatibility with Human Rights” of 144 paragraphs. Amongst other things, the statement considers whether the bill satisfies the criteria identified by the Court of Justice of the European Union in its decision of April 2014 as necessary for a data retention scheme to be compatible with human rights norms.
The Explanatory Memorandum also notes that the bill will have financial impacts on service providers who will be required to meet the new minimum data retention requirements. The government has not attempted in the EM to identify the quantum of that impact, nor does it discuss whether or not affected service providers are likely to pass those increased costs on to their customers. The document simply states that “a sample of affected service providers … were consulted on the development of the policy and the regulatory impacts of the bill”. It is well known that a number of affected service providers are very concerned about the potential costs associated with complying with the regime.
Reports suggest that the bill will be referred to the parliamentary joint committee on intelligence and security for review. Members of that committee are all senior politicians – 5 from the Liberal party, 5 from the Labor party and 1 from the National party. The Liberal/National coalition does not control the Senate, so if the bill is to pass both houses the government will either need the support of the Labor party or from the cross bench Senators. Given vocal opposition from a number of cross-bench Senators, the government may prefer to convince the Labor party to adopt a bi-partisan position on the bill. The deputy leader of the Labor party (who has the shadow foreign affairs portfolio and is a member of the joint committee on intelligence and security), Tanya Plibersek, has previously given in-principle support for a mandatory data retention scheme – see, for example, this radio interview. If the major parties adopt a bi-partisan approach, the campaign against the scheme led by Senator Ludlam from the Greens party will likely fail.
In related news, yesterday the Senate deferred the reporting date for a report by the Senate Legal and Constitutional Affairs Committee on proposals for a comprehensive revision of the Telecommunications (Interception and Access) Act (chaired by Senator Ludlam). That report had been due to be finalised on 29 October 2014 but has now been extended to 3 December 2014 (in the final sitting week for 2014). The tabling of that report may coincide with the Senate’s consideration of the data retention bill.
Predicting the outcome of political deliberations is a risky business for a lawyer to engage in. But I will go out on a limb and say that I will be surprised if a version of this bill has not been passed by Christmas. If I am right, Australia’s data retention regime would come into effect in about mid 2015 (see below for an explanation of the transitional provisions).
Which services and service providers would be affected?
If enacted, the regime would apply to services for carrying communications. This requirement rules out a range of cloud services, such as infrastructure as a service, platform as a service, online storage services and content services. The carriage service must be operated by either:
- a “carrier” (within the meaning of the Telecommunications (Interception and Access) Act, which is defined – somewhat confusingly - to include both a “carrier” and a “carriage service provider” within the meaning of the Telecommunications Act. In other words, resellers who use, directly or indirectly, the infrastructure owned by carriers, are caught);
- an ISP (within the meaning of schedule 5 of the Broadcasting Services Act); or
- a person of a kind specified in regulations (the details of which are not yet known)
The final requirement is that the service provider must either own or operate in Australia infrastructure that enables the provision of the relevant service. Without this geographic nexus, the regime would apply to international operators with no presence or assets in Australia, since it is possible for such persons to be carriage service providers.
The bill contains mechanisms to allow particular services or service providers to be exempted from the regime.
What data would need to be retained?
The public discourse in relation to these proposals has suffered from confusion as to the kind of data that service providers would be required to retain. In recognition of the highly technical task of identifying the kinds of data to be retained, the bill provides that the precise kind of data will be specified in regulations (details of which are not yet known and will likely vary from time to time). But the regulations may only specify data falling into one of the following categories:
- subscriber/service details, consisting of characteristics of any of the following:
- the subscriber to the service;
- an account relating to the service;
- a telecommunications device relating to the service; or
- another communications service that relates to the service in issue;
- the source of a communication;
- the destination of a communication;
- the date, time and duration of a communication, or of its connection to the service;
- the type of a communication, or type of service used in connection with a communication; and
- the location of equipment or a line used in connection with a communication.
And the bill provides that it would be impermissible for the regulations to specify that any of the following kinds of data must be retained:
- the contents or substance of a communication;
- the address to which a communication was sent on the internet using an internet access service provided by the service provider which is known to the service provider only as a result of providing the service (this is intended to exclude a person’s web browsing history from the regime);
- information about the location of a telecommunications device that is not information used by the service provider in relation to the service to which the device is connected.
For how long would the data need to be retained?
Subscriber/service details would need to be retained from the date of collection until 2 years after the closure of the relevant account. All other data would need to be retained for 2 years from the date it comes into existence.
Tailoring the regime to particular services or service providers
The bill provides for the approval of “data retention implementation plans”, which can vary the basic operation of the regime for particular services or service providers. Any such plans need to be approved by the Communications Access Co-ordinator (an official within the Attorney-General’s Department), and the Co-ordinator must go through a process of consulting with law enforcement agencies before approving such a plan. The intention appears to be to use these plans as a transitional method of securing substantial compliance with the regime by the major service providers.
Controlling access to retained metadata
Concerns have been expressed about the breadth of government agencies who are presently entitled to obtain warrantless access to communications metadata. For example, the Victorian Taxi Directorate, the RSPCA and some local councils have obtained such access in the past. The suspicion is that they were not using the metadata to investigate serious crimes. In response to these concerns, the bill proposes to narrow the categories of agencies to whom communications service providers must provide metadata. The core criminal law enforcement agencies will continue to have the ability to “authorise” the disclosure of metadata (noting that carriage service providers are required by s313 of the Telecommunications Act to co-operate with such requests). Other kinds of enforcement agencies must be declared by the Minister, by way of a legislative instrument (which could be disallowed by parliament) as an enforcement agency. The Minister retains a broad discretion as to whether or not to declare a particular agency as an enforcement agency to whom service providers would be required to provide metadata, but the Minister is required to consider a range of matters, including the measures the agency would put in place to protect personal information obtained in this manner (and the legal rights of affected individuals if those protections were breached).
The bill seeks to amend s314 of the Telecommunications Act so as to put it beyond doubt that service providers are not entitled to recover their costs of complying with the data retention regime from the Commonwealth. Rather, all that is proposed is that the Australian Communications and Media Authority monitor such compliance costs and report annually to the Minister. Accordingly, service providers who incur significant compliance costs will be forced to decide whether or not to absorb those costs or to pass them on to their customers in the form of increased fees.
The substantive obligations would commence 6 months after assent is given to the legislation. However, the provisions in relation to considering and approving data retention implementation plans would commence on assent, giving the government and service providers a 6 month window in which to develop and finalise plans that would result in substantial compliance with the regime.
Wait – there’s more to come
The Statement of Compatibility with Human Rights in the Explanatory Memorandum flags the government’s intention to introduce another bill, to be known as the Telecommunications and Other Legislation Amendment Bill 2014, to implement “Telecommunications Sector Security Reforms”. This bill, in combination with the existing Privacy Act, is said to have the intention of requiring service providers “to do their best to prevent unauthorised access to and unauthorised interference with retained communications data”. As with the requirement to retain the data, service providers will undoubtedly be concerned about the financial impact of any incremental information security measures they may be required to take as a result of holding metadata for future access by law enforcement agencies.