It has been described as a mass data retention policy, a justified expansion of rules on data or a breach of privacy and civil liberties. Whatever it is, or your views about it, Australia's expanded data retention laws are now operative.
The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Act) was passed by both Houses of Parliament on 26 March 2015, and came into effect on 13 October 2015. Under the new Act, telecommunications companies (Telcos) and internet service providers (ISPs) are required to retain certain telecommunications data (Metadata) for a period of at least two years. We previously reported on this development in March 2015 (see our previous paper - Proposed New Data Retention Laws in Australia - Essential Change or a Step Too Far?).
What obligations does the Act impose?
The new data retention laws task ISPs with the responsibility of storing and encrypting communications Metadata, that is, information about the communication. Under the Act, the data that an ISP must retain in respect of the service it provides falls broadly into six categories:
- Information about the identity of the subscriber of, and accounts, telecommunications devices and other services relating to, the relevant service provided;
- The source of a communication;
- The destination of a communication;
- The date, time and duration of a communication;
- The type of communication; and
- The location of the equipment or line used in connection with a communication.1
Generally, while this data does not extend to the content of the communication, the obligations under the Act mean that all electronic data collected and stored from mobile phones, landline voice calls, text messages and emails, including download volumes and locational information, must be retained by the Australian Telcos and ISPs. Failure to comply with these retention obligations may see the ISP facing infringement notices and penalties of $10,800 per contravention2, or hefty pecuniary penalties of up to $10 million if the Federal Court considers that the ISP has breached its licence conditions.3
The Metadata is protected as ‘personal information’ for the purpose of the Privacy Act 1988 (Cth) and the Australian Privacy Principles, and ISPs are required to encrypt the information and protect it from unauthorised interference and access.
Who has access?
As noted in our previous focus paper4, the Act has amended the types of government and law enforcement agencies that will be able to access the Metadata retained by the ISPs. While previously all "enforcement agencies" were generally able to request access, the Act now restricts access to "criminal law-enforcement agencies", and defines "criminal law-enforcement agencies" to expressly include the following bodies:
- The Australian Federal Police;
- A Police Force of a State;
- The Australian Commission for Law Enforcement Integrity;
- The Australian Crime Commission;
- The Australian Customs and Border Protection Service;
- The Australian Securities and Investments Commission;
- The Australian Competition and Consumer Commission;
- The Independent Commission Against Corruption;
- The Police Integrity Commission;
- The Independent Broad-based Anti-Corruption Commission;
- The Crime and Corruption Commission of Queensland;
- The Corruption and Crime Commission; and
- The Independent Commissioner Against Corruption.
Access to data retained under the Act is limited to the agencies listed above, although the Act gives the Minister of Communications the authority to, at their discretion, declare further agencies to fall within the scope of a "criminal law-enforcement agency".
Under the Act, criminal law-enforcement agencies can request access to the information that has been retained for the purposes of investigating offences punishable by two years’ imprisonment or more. This means that the Metadata could be accessed for minor offences, rather than the serious crimes and matters of national security that were the initial justification for amending the legislation.
What is required of ISPs?
The new regime came into effect on 13 October 2015, and ISPs were generally required to comply with the Act by that date. However, given that the Act involves substantial changes to data retention practices in many cases, ISPs were given the option of applying to the Communications Access Co-ordinator for approval of a data retention implementation plan. This would allow an extension of up to 18 months before strict compliance with the Act is required, provided that the interim measures proposed by the ISP under its data retention implementation plan are approved and move towards compliance.
Further, ISPs may apply for an exemption from or variation of their obligations.5 This could be in respect of either all of their obligations or obligations regarding a particular service specified in the application. In considering an application for exemption or variation, the Communications Access Co-ordinator takes into account the ISP’s compliance history, the alternative data arrangements they have in place, and the cost of compliance with obligations under the Act. However, the Act requires that all exemptions and variations must be kept confidential.
Despite the intention to facilitate a smooth transition evident in these provisions, it appears progress towards compliance among ISPs will be slow. According to a survey of ISPs conducted by the Communications Alliance6, only 16% of ISPs covered by the Act were in a position to comply by October 2015, and less than half the applications for data retention implementation plans were decided on when the Act came into force. Further, only one third were at least reasonably confident they understood what data they were required to retain and encrypt.
The difficulties and delays encountered by ISPs in seeking to comply are the basis for much of the Act’s criticism. Additionally, government funding for the regime of $131 million (down to $128 million with administration costs) is now to be split over three years, despite ISPs having to pay upfront costs that exceed this figure, leading Internet Australia to call on the Australian government to bring forward the review of the Act, currently scheduled for 2018.
An Exception for Journalists
Another key point of contention that has been the subject of much discussion since our last update is the generality of the Act’s application, particularly, its application to investigative journalists. Concerns were raised within the media industry that access to this kind of Metadata may lead to an uncovering of the identity of journalists' sources. As a result of these concerns, the original Bill was amended so that the Act now requires enforcement agencies to apply to the Minister for a warrant before they are able to access the data on the communications of journalists. Such a warrant will only be issued where "the public interest in issuing the warrant outweighs the public interest in protecting the confidentiality of the identity of the source".7
A "public interest advocate"8 appointed by the Prime Minister will make submissions to the Minister concerning the issuing of a journalist information warrant and any conditions or restrictions to be specified in that warrant. This amendment is intended to safeguard the integrity of the warrant process and to ensure that warrants are not issued simply as a matter of course.
Concerns have, however, been raised as to the efficacy of these provisions in several respects. For example, a journalist information warrant may be applied for in order to access the data of a professional journalist. However, beyond specifying that the person must be professionally employed as a journalist (or the employer)9, "journalist" is not defined clearly in the Act. Further, whilst the data of journalists’ communications cannot be obtained without a warrant to discover their sources, there are no restrictions to accessing data of suspected sources themselves to confirm their communications with journalists.
Aside from this exception, enforcement agencies seeking to access Metadata retained under the Act are under no obligation to obtain a warrant, as access to Metadata is not considered an "intrusive" power.10 Questions have been raised as to why this warrant process will only be implemented with respect to journalists, rather than extending it to other professions with privileged communications, or indeed making it a compulsory step before accessing this Metadata generally.
Watch this space
It is clear that the Act and its implementation have continued to be a contentious issue, causing much discussion across a number of industries and, in particular, for journalists and the ISPs responsible for carrying out the requirements of the Act. Now only two months into an 18-month implementation period, the data retention regime is still in its early days, and both the efficacy of the change and the ability of ISPs to comply remain to be seen.