Samiksha Jaiswal (Editor)

Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015


The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 is an Act passed by the Australian Parliament on 13 April 2015 to amend the Telecommunications (Interception and Access) Act 1979 (TIA Act) and the Telecommunications Act 1997 (the Telecommunications Act). It introduces a statutory obligation for Australian telecommunication service providers to retain, for a period of two years, particular types of telecommunications data (metadata), and it introduces certain reforms to the regimes applying to access to stored communications and telecommunications data under the TIA Act.

The Act is the third tranche of national security legislation passed by the Australian Parliament since September 2014. Pursuant to s 187AA, the following types of information will need to be retained by telecommunication service providers:

Phone Calls

  • Incoming caller identification
  • Outgoing caller identification
  • The date, time and duration of a phone call
  • The location of the device from which it was made
  • The unique identifier number assigned to a particular mobile phone

Internet

  • The email address from which an email is sent.
  • The time, date and recipients of emails.
  • The size of any attachment sent with emails and their file formats
  • Account details held by the Internet Service Provider (ISP) such as whether or not the account has been activated or suspended.

    The content or the substance of a communication is not considered to be metadata and will not be stored. Twenty-two agencies, including the Australian Security Intelligence Organisation (ASIO), state police forces, the Australian Crime Commission, the Australian Taxation Office and the NSW Independent Commission against Corruption (ICAC), will be able to view stored metadata without a warrant. The only exception is the metadata of those defined under the Act as journalists. Under a concession driven by the opposition Australian Labor Party, agencies will need to seek a warrant before a judicial officer before they are able to view the metadata, whilst ASIO will need to seek permission of the Attorney General.

    The decision by the Abbott Government to introduce a mandatory telecommunications data regime into Australia led to considerable debate within the community. The Act was supported by Australia’s law enforcement and national security agencies, including the Australian Federal Police and the Australian Security Intelligence Organisation (ASIO), who argue that telecommunications data is critical to criminal investigations and that it is only through legislation that they can be assured that it will be available. It was opposed by a wide range of groups and individuals including journalists, human rights organizations and civil liberties groups. Their objections to the introduction of a mandatory data regime are based on a number of different arguments, such as the consequences for journalism and journalistic practice, the non-proportionate and increasing encroachment on the privacy of Australia’s population and the effectiveness of the regime as a tool to combat crime.

    Questions over its cost and the consequences for the telecommunications industry, in particular small to medium-sized providers, have also been raised as arguments against the mandatory retention of data.

    Whilst the Act is law, telecommunications and Internet service providers have a grace period of 18 months in which they are to improve their systems and establish processes to comply with the legislation. Whilst Telstra has indicated that it will store the data that it retains within Australia, telcos and Internet service providers (ISPs) are not obligated to do so under the law.

    Background

    The Australian Government’s interest in establishing a telecommunications data retention scheme can be dated back to at least June 2010, when media outlets including the Sydney Morning Herald and ZDNet reported that the government was considering such a proposal. On 4 May 2012, the Government, then led by Julia Gillard, announced plans to review via public consultation a range of national security legislation, including that covering "lawful access to telecommunications… to ensure that vital investigative tools are not lost as telecommunications providers change their business practices and begin to delete data more regularly."

    In July 2012, the Attorney-General’s Department released "Equipping Australia against Emerging and Evolving Threats," a discussion paper focused on the proposed national security reforms. The first chapter of this paper outlined the terms of reference for an inquiry to be conducted by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) into the potential reform of national security legislation, specifically the following four Acts:

  • Telecommunications (Interception and Access) Act 1979
  • Telecommunications Act 1997
  • Australian Security Intelligence Organisation Act 1979
  • Intelligence Services Act 2001

    The discussion paper grouped these proposals into three different categories: those that the Government wished to progress, those that the Government was considering and those on which the Government was seeking the opinion of the Committee. Despite the paper containing eighteen proposals and forty-one individual reforms, the suggestion that carriage service providers (CSPs) be required to retain information on the way in which Australians use the Internet and their mobile telephones elicited much consternation and comment from the community. This was a point that the Parliamentary Committee highlighted in its final report to the Government:

    "The potential data retention regime attracted a large amount of criticism and comment from organizations and concerned individuals. These organizations and individuals generally considered any potential data retention regime a significant risk to both the security of their privacy. In addition to these general comments, the Committee received a large volume of form letter correspondence."

    On 24 June 2013, the Committee issued its report and put the decision on whether to progress with a mandatory data retention scheme back in the hands of the Government. On the same day that the report was released, former Attorney General Mark Dreyfus announced that the Government would not be pursuing its proposal.

    On 30 October 2014, the Australian Government, led by Tony Abbott, introduced the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 into the House of Representatives. On 21 November 2014, the Attorney-General, Senator George Brandis, wrote to the Parliamentary Joint Committee on Intelligence and Security, referring the provisions of the Bill for inquiry. Chaired by Dan Tehan, the Member for Wannon, the Committee received 204 submissions and 31 supplementary submissions and held three public hearings. On 27 February 2015, the Committee presented its report, containing 39 recommendations, to the Government. On 3 March 2015, the Government announced that it would be accepting all the recommendations of the Committee. This, however, was not sufficient to satisfy the concerns of the opposition Labor Party, who only agreed to support the passage of the Bill through the Senate after amendments were made to protect journalistic sources. On 26 March 2015, the Senate voted in favour of the Bill. On 13 April 2015, the Governor-General gave his royal assent and the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 entered into law.

    Access to Telecommunications Data under the Telecommunications (Interception and Access) Act 1979

    Under the previous regime set down under the Telecommunications (Interception and Access) Act 1979, commonly referred to as the TIA Act, ‘enforcement agencies’ and the Australian Security and Intelligence Organization (ASIO) could access telecommunications data through the issuing of an internal, or intra-organization, authorization.

    During the 2012-2013 inquiry into Australia’s national security legislation conducted by the Parliamentary Joint Committee on Intelligence and Security (PJCIS), the Attorney General’s Department issued a document detailing what it considered to be telecommunications data. This included "information that allowed a communication to occur", such as the date, time and duration of the communication, the devices involved in the communication and the location of those devices, such as a mobile phone tower, and "information about the parties to the communication", such as their names and addresses.

    Section 5 of the Act defines an enforcement agency to include the Australian Federal Police (AFP), the police force of a State or Territory, the Australian Customs and Border Protection Service, crime commissions, anti-corruption bodies and the CrimTrac Agency. The definition also includes an allowance enabling organizations whose remit either involves the administration of law involving a financial penalty or the administration of a law to protect taxation revenue to access telecommunications data.

    The head of an enforcement agency, the deputy head of an agency or a management level officer or employee of an agency, given permission in writing by the head of the agency, have the power to authorize access to telecommunications data. For ASIO, authorizations for access to telecommunications data can only be made when the individual making that authorization is "satisfied that the disclosure would be in connection with the performance by the Organization of its functions." ASIO must also comply with guidelines issued under Section 8A of the Australian Security Intelligence Organisation Act 1979. These guidelines demand that the initiation and continuation of investigations shall only be authorized by the Director-General, or an officer at or above Executive Level 2 authorised by the Director-General for that purpose; and that any means used for obtaining information must be proportionate to the gravity of the threat posed and the probability of its occurrence.

    In 2012-13, more than 80 Commonwealth, State and Territory enforcement agencies accessed telecommunications data under the Telecommunications (Interception and Access) Act 1979. In that same time period, more than 330,640 authorizations were dispensed allowing access to data. These authorizations resulted in 546,500 disclosures.

    Purpose

    The purpose of the Act is to amend the Telecommunications (Interception and Access) Act 1979 (TIA Act) and the Telecommunications Act 1997 (the Telecommunications Act) in order to require service providers to retain a strictly defined subset of telecommunications data (the data set) produced in the course of providing telecommunications services. Before the Act was enacted, the TIA Act did not specify the types of data the telecommunications industry should retain for law enforcement and national security purposes or how long that information should be held. In lieu of standardisation, individual carriers were retaining information based on business, taxation, and marketing requirements. As a result, there were significant variations across the telecommunications industry in the types of data that were available to national law enforcement agencies and national security agencies and in the period of time for which information was available. The lack of available data was identified by agencies as a central impediment to their ability to investigate and prosecute both national security related offences, including counter-terrorism, counter-espionage and cyber-security, and serious criminal offences, such as murder, rape and kidnapping.

    Parliamentary Joint Committee on Intelligence and Security Recommendations on Data Retention – 2013 and 2015 Reports

    In response to the need for available telecommunications data and growing national security threats, the Attorney-General, Senator George Brandis, asked the Parliamentary Joint Committee on Intelligence and Security (PJCIS) to inquire into and report on the Act. The Committee handed down its report entitled Report of the Inquiry into Potential Reforms of Australia’s National Security Legislation (the 2013 PJCIS Report) on 24 June 2013, in which it made the following main recommendations:

  • The data retention obligation only applies to telecommunications data (not content) and internet browsing is explicitly excluded (Recommendation 42)
  • Service providers are required to protect the confidentiality of retained data by encrypting the information and protecting (Recommendation 42)
  • Mandatory data retention will be reviewed by the PJCIS no more than three years after its commencement (Recommendation 42)
  • The Commonwealth Ombudsman will oversight the mandatory data retention scheme and more broadly law enforcement exercise of powers under Chapter 3 and 4 of the TIA Act (Recommendations 4 and 42); and
  • Confining agencies’ use of, and access to, telecommunications data through refined access arrangements, including a ministerial declaration scheme based on demonstrated investigative or operations need (Recommendation 5).

    The Act was again referred to the PJCIS for inquiry on 21 November 2014, where the Committee tabled its Advisory Report on the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2014 (the 2015 PJCIS Report) on 25 February 2015. The PJCIS made the following additional recommendations:

  • The implementation of a mandatory data retention regime is necessary to maintain the capability of national security and law enforcement agencies and recommended that the Act be passed (Recommendation 39)
  • Establish a ‘journalist information warrants’ regime and restrict the agencies who can access this data (Recommendation 26 and 27)
  • Provide for record-keeping and reporting the use of, and access to, telecommunications data and enable the Commonwealth Ombudsman to assess agency compliance (Recommendation 29)
  • Amend the Australian Security Intelligence Organisation Act 1979 (Cth) to provide that certain matters relating to data retention be included in the ASIO Annual Report; and
  • Amend the Intelligence Services Act 2001 (Cth) to enable the PJCIS to inquire into operational matters relating to the use of telecommunications data by ASIO and the Australian Federal Police, in relation to counter-terrorism function (Recommendation 34)

    On 3 March 2015, the Abbott Government announced that it would accept all of the above recommendations, and on 19 March 2015, the House of Representatives agreed to the amendments to the Act and to the Intelligence Services Act 2001, the Telecommunications Act 1997, the Privacy Act 1988 and the Australian Security Intelligence Organisation Act 1979 to give effect to the 2015 PJCIS Report. The House of Representatives also agreed to amendments to implement the ‘journalist information warrant’ scheme.

    Overview of the Schedules

    The proposed amendments are contained in three schedules to the Act:

  • Schedule 1 – Data Retention – requires providers of telecommunications services to retain telecommunications data associated with a communication specified in s 187AA for a period of two years;
  • Schedule 2 – Restricting Access to Stored Communications and Telecommunications Data – this schedule deals with access to the retained data; and
  • Schedule 3 – Oversight by the Commonwealth Ombudsman – sets out the role of the Ombudsman in providing regulatory oversight regarding compliance with the provisions of the Act.

    Division 1 of Part 5-1A - Obligation to Keep Information or Documents

    Information and Documents to be Kept

    Section 187A provides that relevant telecommunications service providers are required to retain communications data associated with a communication specified in subsection 187AA, for a period of two years. The purpose of the data retention obligations is to create a consistent minimum retention obligation across the telecommunications industry in relation to a limited range of investigations. Similarly, the Revised Explanatory Memorandum (2013-2014-2015) (Memorandum) explains that the retention period of two years is necessary having regard to the requirements of national security and law enforcement agencies to have telecommunications data available for investigations. Section 187AA lists the ‘kinds of information’ that service providers must collect and retain in relation to each relevant service that they provide. According to the Memorandum, the detailed technologically-neutral table in subsection 187AA (below) is designed to ensure that the ‘legislative framework gives service providers sufficient technical detail about their data retention obligations while remaining flexible enough to adapt to future changes in communication technology’.

    In response to the innovative nature and capacity of telecommunications technology, subsection 187AA (2) permits the Attorney-General to amend the dataset on a temporary basis by issuing a declaration. This is designed to cover a situation in which future technologies or changing telecommunications practices require amendments to the data set to ensure the data retention scheme continues to meet its underlying purpose. This power, however, is subject to subsection 187AA (3)(a), which specifies that the declaration ceases to be in force after 40 sitting days of either House of Parliament after the declaration comes into force.

    Information Excluded from the Data Retention Regime

    A highly contentious aspect of the Act is the requirement that service providers must create information or documents if they are not created by the operation of the relevant service. In other words, if telecommunication providers do not have in operation services which create the information or documents, as provided by s 187AA, then subsection 187A (6) requires providers to use other means to create the information.

    Furthermore, s 187BA provides that a service provider must protect the confidentiality of information that the service provider must keep by encrypting the information and protecting the information from unauthorised interference or unauthorised access. The section does not prescribe a particular type of encryption. Section 187LA of the amended TIA Act supplements the obligations of service providers under the Australian Privacy Principle (APP) 11.1 to 'take such steps as are reasonable in the circumstances to protect (personal) information from misuse, interference and loss and from unauthorised access, modification and disclosure'. These privacy safeguards are in addition to pre-existing obligations, pursuant to clause 4.6.3 of the Telecommunications Consumer Protection Code (C628:2012), which stipulate that service providers must have 'robust procedures to keep its Customers' Personal Information in its possession secure and restrict access to personnel who are authorised by the Supplier'.

    These obligations are subject to variation and exemption, however. Under Division 2 of Part 5-1A, a service provider may seek approval of a data retention implementation plan that replaces a provider's obligations under s 187BA. This may be appropriate where the cost of encrypting a legacy system that was not designed to be encrypted would be unduly onerous and the provider has identified an alternative information security measure that could be employed.

    Whilst service providers are not prevented from retaining telecommunications data for longer than two years for their own lawful purposes, the Act still requires service providers that hold ‘personal information’, to take reasonable steps to destroy that information or to ensure that the information is de-identified where the entity no longer needs the information for a reason set out in the APPs. In other words, when the retention period for the telecommunications data under Part 5-1A of the TIA Act expires, entities may be required to destroy or de-identify such information if it constitutes personal information.

    Application of Part 5-1A to Telecommunication Service Providers

    Data retention obligations only apply to services that satisfy paragraphs 187A (3)(a), (b) and (c), which includes services for carrying communications, or that enable communications to be carried, by guided or unguided electromagnetic energy or both. Accordingly, data retention obligations will apply to relevant services that operate ‘over the top’ (OTP) of, or in conjunction with, other services that carry communications and may, presumably, extend to internet service providers (ISPs) and Australian telecommunication companies, such as Telstra, Vodafone and Optus. This list is not exhaustive, however, as the Attorney-General is granted the power under subsection 187A (3A) to declare a service to be within the data retention regime. Section 187B operates to exclude certain service providers from complying with the data retention obligations, and ensures that entities such as the government, universities and corporations are not required to retain telecommunications data in relation to their own internal networks (provided they are not offered to the public). Similarly, s 187B extends to providers of communication services in a single place, such as free Wi-Fi access in cafés and restaurants.

    The exemption of a service is, however, subject to the discretion of the Communications Access Co-ordinator (CAC), who pursuant to subsection 187B (2A), can declare that a service provider is nevertheless required to retain telecommunications data. Subsection 187B (3) provides that in making such a declaration, the CAC must have regard to the interests of law enforcement and security, the objects of the Telecommunications Act and the Privacy Act, along with any submissions made by the Privacy Commissioner.

    Division 2 of Part 5-1A

    Data Retention Implementation Plans

    Division 2 of Part 5-1A of the TIA Act supports the development of data retention implementation plans. Data retention implementation plans are intended to allow the telecommunications industry to design a pathway to full compliance with the data retention and security obligations within 18 months of the commencement of those obligations. Accordingly, there is a 2-year window for telecommunication service providers and ISPs to implement the changes made by the Act, and over the next 6 months, service providers and ISPs must apply to the Communications Access Co-ordinator (CAC) to obtain approval for their ‘data retention implementation plan’. This plan must explain the current practices of the organisation, details of the interim arrangements, and the expected date when the organisation will comply with the data retention requirements. Subsection 187F sets out the process for the CAC to consider and approve data retention implementation plans. In particular, s 187F (2) sets out a list of factors that the CAC must take into account when considering the approval of a submitted plan. These factors include, but are not limited to:

  • Desirability of a service provider achieving substantial compliance with its data retention and security obligations as soon as is practicable – s 187F (2)(a)
  • Whether the proposed implementation plan would reduce the regulatory burden on the service provider made by the data retention obligations – s 187(2)(b)
  • The interests of law enforcement and security – s 187 (2)(d)

    There is also an extensive consultation process with the Australian Communications and Media Authority (ACMA), under s 187G. Additionally, data retention implementation plans complement the availability of exemptions under Division 3 of Part 5-1A, where a service provider is able to seek an exemption for some of its services under Division 3 whilst at the same time submitting an implementation plan for some or all of its other services under Division 2. In particular, s 187K provides the CAC with the power to exempt a service provider from data retention and information security obligations. The intention of this exemption framework is to permit variations in service providers’ obligations in a range of circumstances, including where imposing data retention obligations would be of limited utility for law enforcement and national security purposes. The decision of the CAC to grant exemptions or variations is open to judicial review under s 75(v) of the Constitution and s 39B of the Judiciary Act 1901 (Cth).

    Amendments to the Australian Security Intelligence Organisation Act 1979 and Intelligence Services Act 2001

    Apart from the data retention obligations introduced by the Act, the reporting requirements under s 94 (2A) of the Australian Security Intelligence Organisation Act 1979 (ASIO Act) have also been amended to include additional information. Accordingly, annual reports by ASIO will need to include the following: the number or types of purposes of authorisations to access retained data under s 175 and s 176 (3) of the TIA Act, including ‘journalist information’ warrants, the length of time for which relevant documents covered by the authorisations were held, and the number of authorisations that related to retained subscriber data and communications traffic data as contained in Item 1, s 187AA Table.

    Similarly, the Act also amends the Intelligence Services Act 2001 (ISA), principally to confer upon the PJCIS a statutory function, under s 29 of the ISA, enabling it to review the overall effectiveness of the operation of the data retention scheme, with specific focus on the data access activities of ASIO and the Australian Federal Police.

    Journalist Information Warrants

    The Act also introduces the highly contentious ‘journalist information’ warrant scheme under Division 4C. This scheme requires ASIO and other law enforcement agencies to obtain a warrant prior to authorising the disclosure of telecommunications data for the purposes of identifying a journalist’s confidential source. The Attorney-General or an issuing authority (including ‘eligible persons’ within ASIO and AFP) under s 180L and s 180T, respectively, must consider several factors when deciding whether to issue an information warrant. In particular, they must be satisfied that the warrant is ‘reasonably necessary’ to enforce the criminal law, locate a person reported missing to the AFP or State Police, enforce a law that imposes a pecuniary penalty or protects the public revenue, and investigate serious offences, including offences against the Commonwealth, State or Territory law, punishable by a 3-year imprisonment term. Additionally, the Attorney-General or the issuing authority must not issue a warrant unless they are satisfied that the public interest in issuing the warrant outweighs the public interest in protecting the confidentiality of the identity of the source. Submissions by the newly created Public Interest Advocate must also be considered when deciding to issue a warrant.

    An enforcement agency may use or disclose the issuing of a warrant or information about such a warrant to a third party only for specified purposes, pursuant to s 182B. Such purposes include enabling a person to comply with their notification obligations under s 185D or s 185E, in relation to journalist information warrants, enabling ASIO to perform its functions, or to enforce the criminal law, the enforcement of a law imposing a pecuniary penalty, or the protection of the public revenue.

    Public Interest Advocate

    Section 180X creates the new role of a Public Interest Advocate, who considers and evaluates journalist information warrants made by ASIO and law enforcement agencies pursuant to s 180L and s 180T, respectively. The advocate can make independent submissions to the Minister, and to the issuing authority in the case of law enforcement agencies, regarding the granting of a journalist information warrant.

    Schedule Two

    Restricting Access to Stored Communications and Telecommunications Data

    Schedule 2 amends the TIA Act to limit the types of agencies that can apply for stored communications warrants under Part 3-3 of Chapter 3 of the TIA Act, and the types of authorities and bodies that can authorise the disclosure of telecommunications data under Division 4, Part 4-1 of Chapter 4 of the TIA Act. Under the current access regime, the TIA Act provides that ‘enforcement agencies’ are able to access both stored communications (such as content of emails or SMS messages) and data about communications (metadata). The former requires a warrant for access, under s 110 and s 116, whereas the latter does not. ‘Enforcement agencies’ are broadly defined to include all interception agencies as well as a body whose function includes administering a law imposing a pecuniary penalty or the protection of public revenue. As a result, the range of agencies that have access to stored communications and telecommunications data is wide and includes local government, councils and Commonwealth and State Departments and Agencies.

    Schedule 2 creates two categories of authorised organisations – ‘criminal law enforcement agencies’ and ‘enforcement agencies’ (which incorporate the former).

    Criminal Law Enforcement Agencies

    The Act removes reference to an ‘enforcement agency’ in subsection 110(1) of the Act and substitutes the new definition of a ‘criminal law-enforcement agency’, in s 110A of the Act. According to the Memorandum, the definition reduces the number of agencies that can apply for stored communication warrants from all enforcement agencies that investigate serious contraventions to those authorities and bodies that are recognised under section 110A of the Act as being a ‘criminal law enforcement agency’.

    Under new section 110A, ‘criminal law-enforcement agency’, is defined as including, the Australian Federal Police, a State Police force, the Australian Commission for Law Enforcement Integrity, Australian Crime Commission, Australia Customs and Border Protection Service, the Australian Competition and Consumer Commission, the Crime Commission, the Police Integrity Commission, the Crime and Corruption Commission of Queensland, the Corruption and Crime Commission and the Independent Commissioner Against Corruption.

    This list is not exhaustive as s 110A (3) enables the Attorney-General to declare, upon request, authorities or bodies to be ‘criminal law-enforcement’ agencies, for the purposes of s 110A. In making such a declaration, the Attorney-General must consider a range of factors, including whether the authority is involved in ‘investigating serious contraventions’. This wording suggests that only organisations involved in investigating serious breaches of the criminal law will be declared under the provision. However, it is not a limiting factor. The Attorney-General could declare any authority or body as a criminal law-enforcement agency, so long as he or she considers the specified range of factors in doing so. In particular, the Attorney-General may consider ‘any other matter’ that he or she considers relevant. It is therefore possible that agencies involved in enforcing fines and protecting the public revenue – including the Australian Taxation Office or local councils – could be reinstated with the power to apply for stored communication warrants. The discretion of the Attorney-General is widened by subsection 110A (8), which enables him or her to revoke a declaration made under s 110A (3)(a), if they are no longer satisfied that the circumstances justify the declaration remaining in force.

    Enforcement Agency

    Section 176A replaces the current definition of ‘enforcement agency’ in subsection 5(1) of the TIA Act, with a definition that limits the authorities and bodies that can access telecommunications data (metadata) to criminal law-enforcement agencies and authorities and bodies declared under s 176A to be an ‘enforcement agency’.

    In declaring an authority or body an enforcement body, the Attorney-General must consider a range of facts, including whether the agency enforces the criminal law, imposes pecuniary penalties, or protects the public revenue. Subsection 176A (3B) provides that the Attorney-General may not declare an authority or body to be an ‘enforcement agency’, unless they are satisfied on ‘reasonable’ grounds that the authority or body has these aforementioned functions. The Attorney-General is able to revoke a declaration under s 176A (8) if they are no longer satisfied that the circumstances justify the declaration remaining in force. According to the Memorandum, this section operates to ensure that only bodies or authorities with a demonstrated need to have access to telecommunications data are able to authorise service providers to disclose this information.

    Schedule Three

    Oversight by the Commonwealth Ombudsman

    In a welcome addition, Schedule 3 amends the TIA Act by inserting obligations to keep records in relation to the access to stored communications (Chapter 3 of the TIA Act) and telecommunications data (Chapter 4 of the TIA Act). The Act inserts Chapter 4A to implement a comprehensive record-keeping, inspection and oversight regime in relation to:

  • The issue of preservation notices by criminal law-enforcement agencies;
  • The access to, and dealing with, stored communications by criminal law-enforcement agencies; and
  • The access to, and dealing with, telecommunications data by criminal law-enforcement agencies and enforcement agencies.

    The record keeping regime requires all Commonwealth, State and Territory enforcement agencies to keep prescribed information and documents necessary to demonstrate that they have exercised their powers under Chapters 3 and 4 in accordance with their statutory obligations under the TIA Act. On the other hand, the inspection and oversight regime requires the Ombudsman to inspect and oversee records of Commonwealth, State and Territory agencies in order to assess compliance against the exercise of their powers under Chapters 3 and 4 of the TIA Act.

    Obligation to Keep Records

    Section 186A sets out the information or documents that an enforcement agency must retain to ensure that the Ombudsman is able to inspect the agency’s records to determine the extent of the agency’s compliance with Chapter 4 of the TIA Act. Subsection 186A (2) allows the Attorney-General to prescribe the kinds of documents and other materials that enforcement agencies must keep in addition to those specified under s 186A(1). The types of documents or information required to be kept in the agency’s records include the authorisations made by an officer of the agency under sections 178, 178A, 179 or 180, and documents or materials that indicate whether the authorisation was made properly.

    Oversight by Ombudsman

    Section 186B establishes an inspection regime to enable the Ombudsman to inspect the records kept by enforcement agencies in relation to the use of, and access to, telecommunications data and stored communications. The role of the Ombudsman is to determine whether an agency is compliant with its obligations relating to the issue of preservation notices, access to stored communications under Chapter 3 and access to telecommunications data under Chapter 4 of the TIA Act.

    Section 186J implements a new public reporting regime in relation to the Ombudsman oversight functions set out under s 186B. Under this new regime, the Ombudsman is required to report on the results of its oversight functions relating to compliance by agencies generally with the requirements of Chapters 3 and 4 of the TIA Act. One of the purposes of s 186J is to ensure that the Ombudsman is able to make public the results of its inspections under Chapter 4A. Public reporting is a key element in providing public accountability and transparency in relation to the use by agencies of their powers under the respective chapters. It is also designed to reassure the public that agencies are using their powers under Chapters 3 and 4 lawfully and appropriately.

    Compatibility with Human Rights and the Human Rights (Parliamentary Scrutiny) Act 2011

    In accordance with its statutory obligations, pursuant to the Human Rights (Parliamentary Scrutiny) Act 2011, the Australian Government is required to provide statements of compatibility of all new Bills with Australia’s broader human rights obligations under international instruments, including the International Covenant on Civil and Political Rights (ICCPR). These human rights scrutiny processes are designed to encourage early and ongoing consideration of human rights issues in policy and legislative development and are particularly important in the context of the mandatory data retention debate. The Revised Explanatory Memorandum (2013-2014-2015) (Memorandum) provides a detailed exposition of the Act and its engagement with human rights and an in-depth analysis regarding the Act’s compatibility with the ICCPR. In this respect, the Memorandum claims that the Act is compatible with the human rights and freedoms recognised and declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011 (HRPS Act).

    In particular, the Act engages the ICCPR in the following ways:

  • Protection against arbitrary or unlawful interference with privacy – Article 17 (ICCPR)
  • The right to a fair hearing, the right to minimum guarantees in criminal proceedings and the presumption of innocence – Article 14 (ICCPR)
  • The right to freedom of expression – Article 19 (ICCPR)
  • The right to life and the right to security of the person – Articles 6 and 9 (ICCPR)
  • The right to an effective remedy – Article 2(3) (ICCPR)

    Right to Protection against Arbitrary or Unlawful Interferences with Privacy – Article 17 (ICCPR)

    Article 17 of the ICCPR provides that no one shall be subjected to arbitrary or unlawful interference with their privacy, family, home or correspondence. The use of the term ‘arbitrary’ means that any interference with privacy must be in accordance with the provision, aims and objectives of the ICCPR and should be ‘reasonable’ in the particular circumstances. The United Nations Human Rights Committee has interpreted ‘reasonable’ to imply that any limitation must be both proportionate to a legitimate end and necessary in the circumstances of a particular case.

    Schedule One – The Specified Dataset

    According to the Revised Explanatory Memorandum, the legislative requirement for providers to store telecommunications data in relation to their services engages the right to protection against arbitrary and unlawful interference with privacy. In particular, the specification of the types of data that may be retained, under s 187AA, minimises the privacy impacts associated with the storage of telecommunications data, ensuring that only narrow categories of telecommunications data necessary for the investigation of serious criminal offences and national security threats are retained. In other words, the retention of the specified dataset under s 187AA, according to the Memorandum, is reasonable, proportionate and necessary in fulfilment of the legitimate aim of ensuring law enforcement and intelligence agencies have the investigative tools to safeguard national security and prevent or detect serious and organised crime. Each Item (1-6) in s 187AA was then assessed for its compatibility with Article 17 of the ICCPR.

    For example, in the absence of the information provided for by Item 1 of s 187AA, the Memorandum claims that agencies may be unable to commence an investigation, as it can otherwise be impossible to link a suspect communication to a particular subscriber. Item 4 (date, time and duration of a communication) was also considered crucial as it constitutes information that can help inculpate or exculpate an individual associated with a communication, and is also valuable in tracing the steps of a missing person who has been using a communications service before or during the time they are missing. Similar reasoning was extended to the other Items (2, 3, 5 and 6) under s 187AA, which were all considered reasonable, proportionate and necessary to criminal and national security investigations.

    CAC Exemption Regime

    Similarly, the exemption framework established by s 187B along with the introduction of the CAC, indirectly strengthens the right to privacy of individual customers in that it provides a method of reducing data retention obligations, in circumstances where the volume of data to be retained is disproportionate to the interest of law enforcement and national security.

    Security and Destruction of Retained Data

    According to the Memorandum, the Act contains a range of important safeguards to ensure that the rights of individuals, in particular the privacy rights of individual telecommunications users, are protected. In particular, the Act provides that the Australian Privacy Principles (APPs) in the Privacy Act 1988 apply to all data retained under the retention regime. Specifically, the APPs impose an obligation on service providers to ensure the quality and/or correctness of any personal information (APP 10), and to keep personal information secure (APP 11). This is important, as it introduces an oversight mechanism according to which the Privacy Commissioner can review and assess service providers’ collection, storing and use of data. An additional layer of privacy and security protection for consumer data, provided by the Act, is the requirement that service providers protect retained data through encryption, together with the introduction of the Telecommunications Sector Security Reforms (TSSR), which will require service providers to do their best to prevent unauthorised access and interference. These safeguards are supplemented by the already existing obligations under the Telecommunications Consumer Protection Code.

    Comparative Frameworks – EU Data Retention Directive

    In 2014, the Court of Justice of the European Union (CJEU) assessed the legality of the EU Data Retention Directive in two seminal decisions, namely, Digital Rights Ireland Ltd and Ors (C-293/12) and Kärntner Landesregierung and Ors (C-594/12). In these cases, the CJEU enunciated a set of criteria that a potential data retention regime must meet in order to be compatible with human rights principles. It also stated that proposed legislation ‘must lay down clear and precise rules governing the scope and application of the measures in question, imposing minimum safeguards so that the persons whose data have been retained have sufficient guarantees to effectively protect their personal data against risk of abuse and unlawful access and use of that data’. Whilst the EU Directive’s proposed objective was considered legitimate, the extent of interference proposed was disproportionate and, more broadly, was not compatible with the applicable human rights instruments. Whilst the similarity between the EU Directive and the Data Retention Act is undeniable, the Memorandum states that the Act is nonetheless consistent with all the criteria established by the CJEU.

    Schedule Two – Agency use of preservation notices, access to stored communications and access to telecommunications data

    The collective amendments in Schedule 2 reinforce the privacy protections established under Schedule 1. According to the Memorandum, the amendments regarding the limitation of agencies that can apply for access to stored communications warrants, and the types of authorities and bodies that can authorise the disclosure of telecommunications data under Division 4 of the TIA Act, contribute to ensuring that access is reasonable, proportionate and necessary.

    It supports this proposition by claiming that the amendment of the definition of ‘enforcement agency’, to clearly circumscribe the agencies who may access telecommunications data, effectively ensures that access is limited to those agencies who have a clear and scrutinised need for access to telecommunications data in the performance of their functions. Furthermore, in order to reinforce the privacy protections associated with a user’s telecommunications data contained within the TIA Act, Schedule 2 of the Act introduces limitations upon the type of agencies that are permitted to authorise the disclosure of telecommunications data for an agency’s investigation. In this respect, the Act increases the threshold requirement in s 180F, by requiring that the authorising officer be ‘satisfied on reasonable grounds’ that a particular disclosure or use of telecommunication data being proposed is proportionate to the intrusion into privacy. According to the Memorandum, this amendment bolsters privacy safeguards by ensuring agencies weigh the proportionality of the intrusion into privacy against the value of the evidence and the assistance to be provided to the investigation. Agencies such as ASIO are also subject to strict privacy and proportionality obligations under the Attorney-General’s Guidelines, made under s 8 (1)(a) of the ASIO Act, which require, inter alia, that the means used for obtaining the information must be proportionate to the gravity of the threat posed and that investigations and inquiries into individuals and groups should be undertaken with as little intrusion into personal privacy as possible.

    These amendments continue to ensure that any abrogation on the privacy right in Article 17 is limited to the legitimate purpose articulated in the TIA Act.

    Schedule Three – Oversight and Accountability Provisions

    The oversight model contained in Schedule 3 extends the remit of the Ombudsman to comprehensively assess agency compliance with all of the enforcement agency’s obligations under Chapters 3 and 4 of the TIA Act, including the use of and access to telecommunications data. According to the Memorandum, this oversight model promotes the right to privacy by confirming the Ombudsman’s ability to audit an agency’s use of its powers to access stored communications and telecommunications data under the TIA Act. This helps ensure that an agency’s access to the telecommunications information of interest to an investigation, and the interaction with the privacy right under Article 17 in that regard, is a reasonable, necessary and proportionate limitation on that right to privacy. Furthermore, a comprehensive oversight model assists in ensuring that use of, access to or disclosure of telecommunications data is subject to independent compliance assessment. It also serves to provide an important level of public accountability and scrutiny of agency practice by virtue of the Ombudsman’s public reporting regime being implemented in Chapter 4A.

    According to the Memorandum, the oversight model promotes the Convention rights by virtue of several key features of the regime, including a higher level of specificity and transparency in terms of the precise reporting obligations imposed on law enforcement agencies; consistency in inspection methodology by virtue of a non-fragmentary model involving oversight of all agencies that apply the powers under Chapters 3 and 4; clearly defined reporting obligations, which engender a higher level of compliance by agencies; and greater acuity in statistical output to measure compliance for annual reporting and cross-agency compliance.

    Right to Freedom of Expression – Article 19 of the ICCPR

    Article 19 of the ICCPR provides that all persons shall have the right to freedom of expression. This right includes the freedom to seek, receive and impart information and ideas of all kinds, through any media of a person’s choice. Article 19(3) provides that the freedom of expression may be subject to limitations for specified purposes provided in the right, including the protection of national security or public order (otherwise referred to as ordre public) where such restrictions are provided by law and are necessary for attaining one of these purposes.

    According to the Memorandum, the Act could potentially restrict the right to freedom of expression, as some persons may be more reluctant to use telecommunications services to seek, receive and impart information if they know that data about their communication is stored and may be subject to lawful access. However, the limitation imposed by the data retention regime is in pursuit of the legitimate objective of protecting public order and further limits the abrogation of the right to freedom of expression by ensuring that only the minimum necessary types and amounts of telecommunications data are retained, and by limiting the range of agencies that may access the data.

    Journalist Information Warrant Regime

    According to the Memorandum, the Bill promotes the freedom of expression and the right to privacy by providing a higher threshold for access through ex ante judicial review of a warrant for data authorisations request and ensuring that data access for the purposes of identifying a source receives specific and dedicated independent attention. Independent oversight, through the creation of the warrant scheme, minimises the potential for deterring sources from actively assisting the press to inform the public on matters of public interest and ensures that the media is not adversely affected by the measures. Furthermore, this measure ensures that access is only permitted in circumstances where the public interest in issue of the warrant outweighs the public interest in maintaining the confidentiality of the source.

    The additional protection afforded to these data authorisations complements journalists’ limited privilege not to be compelled to identify their sources where they have given an undertaking of confidentiality. The amendments add a further warrant threshold, providing a significant additional and unique protection in relation to the identification of confidential journalist sources. Additionally, the statutory criteria to which issuing authorities must have regard in considering a journalist information warrant application, including the gravity of conduct in relation to which the warrant is sought and the potential investigative utility of the information, ensure that privacy and public interest considerations are always taken into account before a warrant is granted.

    Right to Life and Security of the Person – Articles 6 and 9 of the ICCPR

    Pursuant to Article 9 of the ICCPR, the State is to provide reasonable and appropriate measures, within the scope of those available to public authorities, to protect a person’s physical security. Similarly, the right to life, under Article 6 of the ICCPR, imposes a positive obligation to protect life. The Explanatory Memorandum points out that European jurisprudence has established that the obligation to protect life also requires the police and other protective authorities to take, in certain well-defined circumstances, preventative operational measures to protect an individual whose life is at risk from the acts of a third party. The statutory obligation which the Act places on service providers to retain a limited subset of telecommunications data buttresses the right to life in Article 6 of the ICCPR. According to the Explanatory Memorandum, if such data is not retained, and law enforcement investigations are resultantly compromised, the ability of police to protect the physical security of potential victims of a crime is critically undermined.

    The Modernisation of Legislation

    Prior to the introduction of the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015, access to telecommunications data in Australia was governed by two different pieces of legislation: the Telecommunications (Interception and Access) Act 1979, commonly referred to as the TIA, and the Telecommunications Act 1997. Since they were enacted, communication technologies have undergone a transformation. Online communication is an integral part of the life of people living in developed economies. On a daily basis, Australians use a variety of devices to communicate, including fixed line telephones, mobile phones, personal computers and tablets. In the course of day-to-day life, Australians also utilize a variety of applications with which to communicate, including email, instant messaging and social media platforms.

    Telecommunications service providers have responded to the increasing use of these devices and applications by introducing new business practices, selling their services to customers on the basis of monthly data volumes. As a direct consequence, they no longer need to store the information that surrounds individual communications to accurately bill their customers. In sum, telecommunications providers only need to know in the moment where to send a communication and to whom it should be sent; some providers only retain the details of the amount of data sent for their billing purposes.

    In the current business environment, the retention period for IP-based data is volatile; data is typically stored for only a number of weeks or months. As technology evolves, all historical telecommunications data will be based on Internet Protocols as providers of telephony services increasingly use IP-based technologies.

    In its 2013 report summarizing the results of its inquiry into potential reforms of Australia’s national security laws, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) concluded that the increasing adoption of these practices and the failure to retain data had "resulted in an actual degradation in the investigative capabilities of national security agencies, a process that is likely to accelerate in the future."

    Telecommunications data is critical to investigations of most types of criminal activity, serious or otherwise. When a crime is committed, perpetrators are a number of steps ahead of law enforcement officials. Telecommunications data accessed during the initial stage of an inquiry assists law enforcement officials to understand the lives of victims, identify potential perpetrators and construct pictures of their networks. Access to telecommunications also enables law enforcement agencies to collect and assess critical information and other evidence that could not be acquired through the use of other methods. For example, the physical surveillance of suspected perpetrators cannot reveal historical information about a crime that is often required by investigators.

    Furthermore, access to telecommunications data is, in some instances, the only way in which some categories of crime can be understood and perpetrators identified and punished. Cyber-crime is one such category. By their very nature, cyber-crimes, both simple and complex, leave behind a limited physical footprint. Sifting through telecommunications data is the only method available to investigators to reach across electronic networks and identify real world offenders.

    Conversely, the inability of the police and other law enforcement agencies to access telecommunications data can hamper criminal investigations. In their submission to the inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, conducted by the Parliamentary Joint Committee on Intelligence and Security, the South Australian Police Force described one such instance:

    "A stalled murder investigation was reviewed about 14 months after the victim’s death. Fresh information received during the review identified a suspect who was a known drug dealer. The victim, a regular drug user, had been in contact with the suspect and investigators suspect the victim may have been killed over a drug deal. Historical telecommunications data was sought for the suspect’s mobile service for around the time of the murder but it was no longer available. The unavailability of the telecommunications data has been detrimental to the investigation and the case remains unsolved."

    Supporters of the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 argue that its introduction will ensure the continued availability of telecommunications data and the resultant ability to prevent and solve crime.

    High-risk operational environment

    The current high-risk operational environment within which Australia’s law enforcement and security agencies are functioning is another of the arguments that has been advanced in support of a mandatory telecommunications data retention regime. In September 2014, on the advice of the Australian Security Intelligence Organisation (ASIO), the Australian government elected to raise the National Terrorism Public Alert level from medium to high. ASIO based its recommendation on a number of factors, including the increasing number of Australians working with or inspired by the acts of a number of different terrorist organizations including the Islamic State, Jabhat-al-Nusrah and Al-Qai’da.

    Australia’s law enforcement agencies are also operating within an environment characterized by the presence of espionage. In its 2014 submission to the Parliamentary Joint inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, ASIO stated that hostile powers pose a threat to computer systems operated by both the state and business. Motivated by the desire to view privileged political, military, economic, trade, business and government information, they are prepared to launch cyber attacks.

    Proponents of mandatory data retention argue that in such a high-risk environment its introduction is imperative. This is an argument that was made by the Attorney-General’s Department in its submission to the aforementioned parliamentary inquiry:

    "In an increased threat environment characterized by a higher operational tempo, there is a narrower margin for error in law enforcement and national security investigations. The narrower margin is particularly evident in relation to lone wolf threats: such persons have limited, if any, contact with other known extremists, giving authorities fewer opportunities to detect their activities and intentions. As such, any missed opportunity to identify and prevent these attacks represents a significant risk."

    In its submission the Department also noted that the non-retention of telecommunications data can lead to opportunities to combat crime being missed:

    "In the best case, agencies may be able to progress investigations by using more resource intensive methods, limiting their capacity to investigate other matters, or more intrusive investigative techniques. In the worst case, crime or threat to security will not be adequately investigated."

    Case against data retention

    The introduction of the Telecommunications (Interception and Access) Amendment (Data Retention) Bill in 2014 signaled a period of extensive debate and consultation. In particular, submissions made by key privacy, human rights and legal bodies, including the Australian Human Rights Commission (AHRC), Australian Lawyers for Human Rights (ALHR), Australian Privacy Foundation (APF), Law Council of Australia (LCA), the Council of Civil Liberties across Australia (CCLS) and the NSW and Victorian Privacy Commissioner, to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) were highly critical of the proposed mandatory data retention scheme. The following headings represent the main arguments and criticisms forwarded in several key submissions to the PJCIS.

    Mandatory data retention breaches of human rights

    The ‘statement of compatibility’ contained in the Revised Explanatory Memorandum claimed that the proposed regime did not breach Australia’s human rights obligations under the ICCPR. Nevertheless, in several submissions made to the PJCIS, the proposed Bill’s compatibility with several human rights principles was questioned. In its 2014 submission, the Australian Privacy Foundation found that, contrary to the claims made in the Memorandum, the Bill was incompatible with fundamental human rights and freedoms, and especially the right to privacy. It pointed out that a considerable body of legal opinion has concluded that laws mandating blanket retention of ‘metadata’ are in breach of international human rights law. Taking this into consideration, it was submitted that the proposed Bill breached the fundamental right to privacy, in that it was neither necessary, nor proportionate to legitimate national security and law enforcement objectives. According to the APF, blanket data retention regimes are disproportionate because they ‘indiscriminately mandate the retention of data relating to entire populations, irrespective of the nature of the data or of whether or not there is a reasonable suspicion of a serious threat posed by those to whom the data relates’.

    The APF supported this contention by referring to several key international law decisions, including the UN High Commissioner for Human Rights, and the Human Rights Council report presented in June 2014, which all found that metadata retention regimes breached human rights, especially the right to privacy. A similar position was taken by the Law Institute of Victoria (LIV), which submitted that, quoting the UN High Commissioner for Human Rights, ‘even the mere possibility of communications information being captured creates an interference with privacy, with a potential chilling effect on rights, including those to free expression and association’. As a result, the LIV submitted that mandatory third party data retention regimes are neither necessary nor proportionate, irrespective of increased concerns regarding national security threats.

    Australian Lawyers for Human Rights (ALHR) also submitted concerns that the Bill failed in both practical and legal terms, pointing in particular to its serious and unreasonable impingement upon the rights of law-abiding Australians. According to the ALHR, the Bill amounted to an ‘indiscriminate, society wide’ invasion of privacy, which rebuts the presumption of innocence. Additionally, the ALHR contended that the Bill negatively impacts upon other human rights, which were not acknowledged in the Memorandum. In particular, these include the right to be treated with dignity (Article 1, Universal Declaration of Human Rights) and freedom from arbitrary interference with privacy, family, home or correspondence (Article 12, Universal Declaration of Human Rights); the Bill is also likely to chill freedom of association (Articles 21 and 22, ICCPR and Article 20, Universal Declaration of Human Rights), the right to free development of one’s personality (Article 22, Universal Declaration of Human Rights), the right to take part in the conduct of public affairs (Article 25, ICCPR) and press freedoms. According to ALHR, the culmination of such breaches will inevitably lead to restriction of free speech, as Australians will not know what information about them, including information about their contacts, might be shared amongst government (and non-government) bodies. Similarly, the Parliamentary Joint Committee on Human Rights argued that, although the data retention regime pursues a legitimate objective, the scheme’s proportionality is questionable and may have a ‘chilling’ effect on people’s freedom and willingness to communicate via telecommunications services because retention and undisclosed use of telecommunications data could lead people to ‘self-censor’ their views expressed via telecommunications services. This view is also supported by the Law Council of Australia (LCA) and the Councils for Civil Liberties Australia (CCLA).

    Problems with the definition of the data set

    A major concern forwarded in several submissions was that the Bill did not seek to define the relevant data set, leaving the precise definition to be prescribed by regulations. The justification posed by the Government for the failure to define ‘telecommunications data’ is that the approach is consistent with the technology-neutral approach of the Privacy Act 1988 and Part 13 of the TIA Act. However, the APF considered that the way in which the data set is defined in the Bill was deeply problematic, for several reasons. Firstly, it argued that the data set is not appropriately limited to that which is necessary and proportionate for law enforcement and national security, and submitted that the blanket collection and retention of telecommunications data is analogous to that of the EU Directive. It proposed that the Government consider adopting a more circumscribed and targeted data preservation regime, which ‘incorporates adequate thresholds and procedural safeguards so as to ensure that the data are sufficiently relevant to specific investigations’.

    Similarly, the APF submitted that just as there is a need for the scope of retained or preserved data to be defined in the legislation, there is a need for the scope of data which may be lawfully accessed to be appropriately defined, under Chapter 4. Furthermore, it claimed that there were serious problems with the way in which browsing history is dealt with in the Bill, including in proposed s 187A (4)(b). In particular, as there is no prohibition on service providers collecting and retaining Internet browsing history, which must be accessed as data under Chapter 4, it regarded claims that the exclusion of browsing history from the data set means that the Bill is not privacy intrusive as disingenuous.

    Australian Lawyers for Human Rights (ALHR) also submitted that the lack of certainty regarding the prescribed data set was bad legislative practice and likely to result in legislative ‘creep’, with individuals’ privacy rights being increasingly attacked through expansion of the data set. This contention was supported by reference to several commentators including the Parliamentary Joint Committee on Human Rights, and the Senate Standing Committee for the Scrutiny of Bills. Furthermore, the Law Council of Australia (LCA) recommended that the power to prescribe by way of regulation the mandatory data set should be removed from the Bill and the Bill should clearly define the types of telecommunications data and the specific data set to be retained.

    Importantly, the proposed Bill was redrafted in 2015 to include amendments, which took into consideration these concerns. The 2015 PJCIS Report also recommended that the Bill be redrafted to prescribe the data set in the primary legislation. This was accepted by the Government and the data to be retained is now detailed within the primary legislation, under s 187AA. Whilst this was a welcome addition to the revised Bill, there was still a significant amount of criticism regarding the broader scheme.

    Distinction between content and metadata

    One of the persistent arguments put forward concerns the apparently false distinction between content and ‘metadata’. In their 2014 submissions, the Council for Civil Liberties across Australia and the APF claimed that whilst the explicit exclusion of ‘content’ from the categories of prescribed data is a welcome concept, the presumably clear distinction between ‘content’ and ‘metadata’ is mistaken. The reason forwarded for this concern is that the purported distinction completely overlooks how much ‘meta’ data can reveal about a person, especially when combined with contemporary data analytics. The APF, quoting the decision of the Court of Justice of the European Union in Digital Rights Ireland, stated that metadata, ‘taken as a whole may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained’.

    Similarly, the UN High Commissioner for Human Rights pointed out that ‘the aggregation of information commonly referred to as ‘metadata’, may give an insight into an individual’s behaviour, social relationships, private preference and identity that go beyond even that conveyed by accessing the content of a private communication’. The APF also referred to a statement by Stewart Baker, the former general counsel of the NSA, who claimed that ‘Metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content’. As a result, the APF considered the claim by the Government that telecommunications data is less intrusive than communications content completely misleading, and recommended that the legal safeguards on the collection of, and access to, telecommunications data should be at least as strong as those that apply to communications content.

    The Law Council of Australia (LCA) was also concerned that there was uncertainty about whether some types of telecommunications data would be considered as ‘content’ (and thus excluded from collection), including whether meta-tags would be captured. Further, whilst the Memorandum to the Bill recognised that ‘text messages and e-mails stored on a phone or other communications device are more akin to content than data’, the LCA claimed that it did not adequately explain how this is so. The LCA also argued that despite the exclusion of content from the prescribed data set, the categories of telecommunications data which may be prescribed are nonetheless broadly defined and may provide information about crucial matters such as people’s associations and their whereabouts. It provided several examples of personal information that could be determined from the prescribed data set, including medical connections, use of mental health services, use of suicide hotlines, use of domestic violence crisis support, use of child abuse support, family associations, friendship groups, financial connections, legal connections, religious associations, political affiliations, sexual association, commercial preferences, location and movement.

    Similarly, the LCA and the LIV also criticised s 187A (6), which introduces the requirement that telecommunication service providers create data that is not currently being captured through their services. In particular, the LCA was concerned regarding the methodology for separating and filtering the content and substance from the non-content of communications by service providers in the course of meeting their data retention obligations, as this was unclear in the Memorandum and proposed Bill.

    Duration of Data Retention Obligation

    Another major criticism of the data retention regime was the proposed duration/data retention period, specified under s 187C. The CCLS strongly urged the Government to reconsider the data retention period, as the 2 year time frame is at the high end of the spectrum across jurisdictions with mass data retention regimes. The CCLS supported its position by submitting statistics which showed that most of the data accessed for investigations, including terrorism and complex criminal offences, is that which is captured for 6 months and that following this period, the percentage of data used decreases significantly. The submission made by the Communications Alliance and AMTA also noted that the majority of requests made by the agencies to access telecommunications data held by ISPs relate to data that is less than 6 months old. Similarly, the APF was concerned that the proposed two-year extension period may be excessive and disproportionate in relation to the objectives of the Bill, and that it may impose disproportionate costs on carriers and ISPs. Taking this into consideration, the APF recommended that an initial retention period of 1 year be trialled for the first 3 years of the scheme’s operation.

    A similar criticism was forwarded by the Australian Human Rights Commission (AHRC) in its 2014 submission, where it drew attention to the Evaluation Report on the EU Data Retention Directive in 2011, which considered that the shortening of mandatory retention would improve the proportionality of the scheme. The Report also found that 67% of accessed data was under 3 months old and only 2% of requested data was over 1 year old across the EU. The AHRC also pointed to the decision of the CJEU in Digital Rights Ireland, in which a similar retention period of no less than 6 months and up to a limit of 2 years was assessed. In its decision to invalidate the EU Data Retention Directive, the CJEU held that the data retention period was arbitrary and not limited to what was 'reasonably necessary' in relation to the objective pursued. Accordingly, the AHRC considered the proposed 2 year retention period unreasonable and disproportionate. The LCA also considered the two year retention period unusually long by international standards and not satisfactorily justified. Despite such widespread concern and statistical evidence to support the submissions, the retention period in the final Bill was not reduced and remains two years under s 187C.

    Security of Retained Data

    The security of the retained data was also a point of contention in the LCA, CCLS, APF and AHRC submissions. The issue of ‘security’ can be understood in two ways. Firstly, the LCA forwarded concerns regarding the actual storage of the communications data and claimed that there did not appear to be a minimum set of standards for government agencies and service providers to ensure security of retained telecommunications data. It drew attention to the recent experience of the Australian Federal Police (AFP), which mistakenly published sensitive information, including telecommunications data, connected to criminal investigations, demonstrating the importance of high levels of data security. It also submitted that the implementation plan process would encourage service providers to seek the lowest possible cost solutions to data security and supported its position by referring to the CJEU’s invalidation of the EU Data Directive on the basis that it permitted providers to have regard to economic considerations when determining the level of security which they applied.

    Both the LCA and the ALHR submissions expressed concern about s 187C (3), which allows a service provider to keep information or a document for a period that is longer than the two year data retention period. Furthermore, once data is accessed by a law enforcement agency, there is no obligation upon it to destroy in a timely manner data containing personal information which is irrelevant to the agency or no longer needed. The LCA made two recommendations: firstly, that the views of the Office of the Australian Information Commissioner should be obtained to determine whether the current APPs and the proposed Telecommunications Service Sector Security Reform (TSSR) relating to the destruction of telecommunications data by service providers are sufficient to safeguard personal information; and secondly, that the Bill should be amended to require law enforcement and security agencies to de-identify or put beyond use in a timely manner data containing ‘personal’ information which is no longer relevant or needed for the agencies’ purposes.

    Access to Stored Communications

    The second aspect of the ‘security’ debate centers on the access thresholds that are applicable to stored communications data, with particular concern regarding the agencies that can access communications data. Many submissions welcomed the legislative circumscription of agencies that can access stored communications data under Schedule 2. The LCA, however, argued that these amendments allow the Government to expand the list of agencies that can access the retained data without parliamentary scrutiny and that this is an example of another inappropriate delegation of power in the Bill. Further, the LCA, CCLS and the APF all submitted that the Bill left open the critical question of what authorities or bodies will be listed as an ‘enforcement agency’, and therefore be able to access data. As the CCLS pointed out, the issue of who will have access to stored telecommunications data is of great significance in the determination of the proportionality of this intrusion into the privacy rights of a person.

    Similarly, the APF submitted that too much discretion is given to the Attorney-General in declaring bodies or authorities to be a criminal law enforcement agency and whilst the Bill provides that the AG must consider a range of factors, this is not an effective limitation on the Attorney-General’s discretion, and could potentially mean that the scope of the definition could be extended to bodies administering laws imposing pecuniary penalties or revenue laws. In its submission, the LIV considered these functions as incredibly broad and a reflection of the pre-existing and problematic situation under the TIA Act, where an unknown number of diverse federal, state and even local government entities can access telecommunications data. Accordingly, it seems unlikely that the Act will significantly limit the range of agencies permitted to access stored telecommunications data, despite the assurances of the Government that data retention would be strictly circumscribed.

    The applicable thresholds for access were also a central feature of several submissions. As discussed above, once the Attorney-General declares an agency as an enforcement agency, that agency will be able to access metadata retained by a service provider. The agency would do so by requesting and authorising the service provider to disclose that information. Such authorisations could be made in relation to retrospective data (historical) where doing so would be ‘reasonably necessary’ for the enforcement of the criminal law, a law imposing a pecuniary penalty, or a law protecting the public revenue. In relation to prospective data, such authorisations could be made where ‘reasonably necessary’ for the investigation of a serious criminal offence. This differs from the process relating to stored communications (content), which can only be accessed by criminal law enforcement agencies through a warrant process.

    The CCLS, LCA and the APF all submitted that both thresholds for access were too low, for several reasons. Firstly, ‘reasonably necessary’ was not defined in the Bill and, according to the CCLS, this could be interpreted in several ways; given the serious privacy implications of the Bill, proportionality and necessity would be better served by a stronger provision, such as ‘necessary’. Similarly, the APF recommended that a higher threshold be applied to access of both real-time communications and stored content, and require that such access relate to investigations of serious criminal offences, punishable by an imprisonment term of at least 7 years. Additionally, the APF submitted that the procedural safeguards for access to data under Chapter 4 of the TIA Act were also inadequate. It recommended that such safeguards be introduced to regulate access to non-content telecommunications data, which could involve a decision of an independent body required to balance the objectives of access against the intrusion of privacy.

    Similarly, the CCLS also argued that it is clearly unacceptable for the ‘enforcement agencies’ to be their own authorisers of access to such personal information. Accordingly, it submitted that access to both retrospective and prospective data under the proposed scheme should only be on the basis of a prior warrant authorisation from a judicial authority. The LIV also submitted that access to telecommunications data must require judicial oversight. Gilbert + Tobin, in their 2014 submission, were also concerned regarding the prospect that enforcement agencies will effectively be able to access metadata on a ‘self-serve’ basis and given that metadata can reveal a significant amount of personal information about an individual, believed that greater procedural protections for accessing metadata should apply, and could be achieved through a warrant process along the lines of that allowing access to stored communications.

    Blanket Data Retention is Neither Essential nor Effective

    The most concerning aspect of the submissions forwarded to the PJCIS inquiry is that the data retention regime is neither essential nor effective, and that the scheme’s necessity has not been sufficiently established by the Government. In its submission, the CCLS drew attention to the trite and well acknowledged justification posed by the Government for the blanket data retention regime, which claimed that ‘telecommunications data is central to virtually every counter-terrorism, organised crime, counter-espionage and cyber-security investigation, as well as almost every serious criminal investigation, such as murder, rape and kidnapping’.

    Whilst the CCLS accepted that telecommunications data is an important investigative tool and that law enforcement and security agencies should have appropriate access to it, it did not accept that appropriate access should extend to compulsory collection and retention of mass metadata of virtually the whole population. The primary reason for this is the well shared scepticism of many experts, parliamentarians and legal and civil society groups that ‘mass collection and retention of telecommunications data of non-suspect citizens for retrospective access will significantly increase Australia’s (or any nation’s) safety from terrorism or serious crime’. They pointed to the recent tragedies in Sydney and Paris, which generated reasonable comment around the fact that the perpetrators were already well known to police and intelligence agencies but had been allowed to drop from active intelligence. This evidence leads to questions of the regime’s effectiveness.

    Furthermore, the APF and the CCLS both drew attention to the recent US debate, which has intensified in response to the Snowden revelations in 2013, where the Privacy and Civil Liberties Oversight Board (PCLOB), an independent agency established to advise the US executive on anti-terrorism law, was asked to investigate relevant NSA programs, including that of mass collection of telecommunications metadata. In its 2014 report, the PCLOB concluded that the program had shown ‘minimal value’ in preventing terrorism. The APF reprinted the following statement:

    "We are aware of no instance in which the program directly contributed to the discovery of a previously unknown terrorist plot or the disruption of a terrorist attack…we believe that only one instance over the past seven years has the program arguably contributed to the identification of an unknown terrorist suspect"

    Similarly, the APF drew attention to the Klayman v Obama (2013) decision, where Judge Leon concluded that, as there was no single instance where the collection of mass metadata either stopped an imminent terrorist threat or otherwise assisted in achieving a time-sensitive objective, there were ‘serious doubts as to the efficacy of the metadata collection program’. As a result of the criticism of the NSA program, the US Freedom Act was introduced in 2013 and designed to end mass collection of metadata. In supporting the end of blanket data retention, the co-sponsors of the Bill, Representative Sensenbrenner, and Democrat Patrick Leahy, stated that ‘it is simply not accurate to say that the bulk of collection of phone records has prevented dozens of terrorists’ plots’ and that their position was bi-partisan.

    The Law Council of Australia also submitted that the justification posed by the Government in the 'Statement of Compatibility with Human Rights', namely, ‘a pressing social need’, had not been adequately demonstrated for several reasons. Firstly, the ability to access telecommunications data is not limited to national security or serious crime. Further, there is little evidence from comparable jurisdictions that have previously had mandatory data retention schemes to suggest that they actually assist in reducing the crime rate; for example, in Germany, research indicates that the retention scheme led to an increase in the number of convictions only by 0.006%. Furthermore, there is a lack of Australian statistical quantitative and qualitative data to indicate the necessity of telecommunications data in securing convictions. The LCA suggested that if the proposed scheme was introduced, statistical reporting should indicate the times when access to retained data has resulted in a conviction, whether it has assisted in detecting serious criminal activity or assisted security agencies against threats to Australia’s national security.

    The CCLS and the APF concluded that the available evidence-based research suggests a high degree of uncertainty as to the effectiveness and legitimacy of mass telecommunications data retention regimes in preventing terrorism and other serious crimes. As a result, they submitted that, given this lack of evidence, the scheme’s cost to privacy, civil liberties and democratic values would be too great to justify the proposal, and stressed the need for the Government and intelligence/police agencies to demonstrate effectiveness, necessity and legitimacy.

    Journalists and their Sources

    Journalists and media organizations have long expressed their concern over the introduction of a data retention scheme in Australia. This criticism, however, reached its peak at the beginning of March 2015, after the Government agreed to accept amendments to the Bill, amendments outlined in a report by the Joint Parliamentary Committee on Intelligence and Security. On 9 March, the chair of the Australian Press Council, Professor David Weisbrot, told the Australian edition of the Guardian newspaper that if the Bill was passed into law as it stood, the field of journalism would be adversely affected as whistleblowers would no longer be willing to come forward:

    "I have very, very, grave concerns about how this will affect investigative journalism."

    "I tend to think that it will crush it frankly. I think that whistleblowers will definitely not come forward because their anonymity will not be guaranteed. If they come forward a journalist would have to say to them, ‘I have to give you some elaborate instructions to avoid detection: don’t drive to our meeting, don’t carry your cell phone, don’t put this on your computer, handwrite whatever you’re going to give me.’ I think that will scare people off."

    Alarmed by the growing chorus of criticism from the media, and committed to having the Bill pass before both Houses of Parliament before the scheduled Easter recess, the Government assembled a team of high-ranking public servants including national security adviser, Andrew Shearer and Australian Federal Police Commissioner, Andrew Colvin, to meet with executives from News Corporation, Fairfax, the Australian Broadcasting Corporation (ABC) and representatives from the Media, Entertainment and Arts Alliance (MEAA) to discuss their concerns.

    During a 16 March doorstop media interview, Opposition Leader, Bill Shorten, revealed that he had written to the Prime Minister, Tony Abbott, stating that the Labor Party had great concerns that the freedom of the press and the ability for journalists to protect their sources not be compromised through the passing of the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014. In the doorstop interview, Mr Shorten, also stated that if the Government did not initiate changes to the Bill to protect journalistic sources that the Labor Party would move an amendment to the Bill when it arrived in the Senate.

    Following negotiations with the Labor Party, the Government agreed to amend the Bill and to the introduction of a warrant system. Law enforcement and other agencies seeking to view the metadata of journalists can only do so where a judicial officer or a legal member of the Administrative Appeals Tribunal has issued a warrant. This warrant can only be granted after arguments from both the agency seeking the metadata and a public interest advocate are heard.

    The introduction of the warrant system has, however, been heavily criticized. Critics have highlighted the fact that the public interest advocate, appointed by the Government, will not be able to contact the journalist whose metadata would be the subject of that warrant and would not be able to receive instructions from that journalist, as is customary in other legal proceedings. It has also been pointed out that anyone who discloses information about a journalist information warrant, including whether one has been applied for, or has been granted or not granted, can be punished with two years’ imprisonment.

    Others, including Dr Adam Henschke, an academic working at the Australian National University, have criticized the metadata retention scheme, arguing that in the world of Wikileaks, whistleblowers may not wish to risk detection by working with journalists, and may simply choose to engage in the "wholesale dump" of information on the Internet.

    Cost of the Scheme

    As is typical of any new government initiative, the cost of a data retention scheme to both taxpayers and the telecommunications industry has been both debated and discussed. On the same day that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 was introduced into Parliament, the Government announced the establishment of a joint government-industry Implementation Working Group (IWG).

    Tasked with supporting the effective implementation of the data retention obligations, including compiling an initial report for the Government on its cost, the Group is co-chaired by the Secretary of the Department of the Attorney General, the Director-General of the Australian Security Intelligence Organisation (ASIO) and the Commissioner of the Australian Federal Police (AFP).

    Other members of the IWG include the Secretary of the Department of Communications, the Chief Executive Officer of the Australian Crime Commission, senior executives from telecommunication service providers Telstra and Optus, and the Chief Executive Officer of the Communications Alliance, an industry body that represents more than 150 Australian telecommunications companies. To meet its remit, the Attorney General’s Department, working as part of the IWG, commissioned consulting firm Price Waterhouse Coopers (PWC) to provide high level costs for the initial implementation of the data retention scheme. PWC was selected for this task as they had previously completed the foundations of this work, when they had been engaged in September 2014, before the introduction of the Bill in Parliament, to develop a cost analysis of the scheme. PWC provided a report to the Attorney General’s Department on 11 December 2014.

    Initially claiming that the report was to be viewed only by the Cabinet, the Attorney General’s Department was forced to provide a confidential briefing on its content to the Joint Parliamentary Committee on Intelligence and Security (PJCIS), which was holding an inquiry into the proposed data retention scheme, on 9 February 2015. In its final report summarizing the findings of its inquiry, the Committee revealed that, based on this briefing, the upfront capital costs of implementing data retention would be between approximately $188.8 million and $319.1 million. After receiving submissions and hearing evidence on the issue of the cost from a number of different stakeholders, including telecommunications providers Optus and Vodafone, and the Australian Communications Consumer Action Network (ACCAN), the Committee made a number of recommendations:

    "The Committee recommends that the Government make a substantial contribution to the upfront capital costs of service providers implementing their data retention obligations." "When designing the funding arrangements to give effect to this recommendation, the Government should ensure that an appropriate balance is achieved that accounts for the significant variations between the services, business models, sizes and financial positions of different companies within the telecommunications industry."

    "That the model for funding service providers provides sufficient support for smaller service providers, who may not have sufficient capital budgets or operating cash flow to implement data retention, and privacy and security controls, without upfront assistance; incentivises timely compliance with their data retention obligations; and does not result in service providers receiving windfall payments to operate and maintain existing legacy systems."

    On 12 May 2015 Federal Treasurer Joe Hockey announced that the Government would commit $131 million to assist telecommunications service providers with the cost of the scheme. This amount has drawn criticism from some in the telecommunications community. Laurie Patton, the Chief Executive Officer of the Internet Society, has been quoted in the media suggesting that this amount is simply not enough and that costs will be passed on to consumers in the form of higher Internet fees.

    "The Government’s original cost estimate was not based on widespread industry consultation and the Internet Society is concerned that the costs have been significantly underestimated, especially in respect of small to medium sized ISPs (Internet Service Providers) that don’t have the resources to undertake the work in-house and therefore will be required to pay for external assistance."

    Lawfully Circumventing the Data Retention Scheme

    Debate over the establishment of a mandatory data retention scheme in Australia and the entry into law of the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 has led to commentary from both the media and politicians on the way in which the scheme may be lawfully circumvented. Writing in the Australian Financial Review, Walkley award winning journalist Laura Tingle identified a number of methods for circumvention, including making phone calls via a provider such as Skype, using advertising-supported email services such as Google’s Gmail, and using the instant messaging service Facebook Messenger.

    In an interview with Sky News, later reported by a number of news outlets, including the Australian online edition of the Guardian newspaper, Federal Communications Minister Malcolm Turnbull suggested that journalists could avoid leaving a data trail through the use of over-the-top applications: "If you have a device, a smartphone and if I call you through the mobile phone network then there will be a record at Telstra that I called your number."

    "If on the other hand, I communicate via Skype, for a voice call, or Viber, or I send you a message on Whatsapp or Wickr or Threema or Signal or Telegram – there’s a gazillion of them – or indeed if we have a Facetime call, then all that the telco can see insofar as they can see anything is that my device had a connection with the, say, the Skype server or the Whatsapp server…. it doesn’t see anything happen with you…. It’s important I think for journalists to remember."

    Senator Scott Ludlam, a member of the Australian Greens and one of the most outspoken opponents of the data retention scheme, used his position within the Senate to deliver a speech encouraging Australians to utilize virtual private networks (VPNs) and free services such as The Onion Router (Tor) to anonymously access the Internet. Senator Ludlam has also taken to organizing events, known as cryptoparties, to teach constituents ways in which they can avoid having their telecommunications data retained.

    The accuracy of this advice has, however, been questioned by technology experts. Swinburne University academic Philip Branch has pointed out that whilst the content of Skype calls is encrypted, the IP addresses of participants, which are metadata, may be collected and traced back to individuals. Branch has also argued that many offshore email services are based in the United States, and as such Australian enforcement agencies may be able to access information through the "Five Eyes" agreement, under which Australia, the United States, the United Kingdom, New Zealand and Canada have committed to share intelligence.
