The Committee’s terms of reference stipulate that this review consider developments in international jurisdictions since the passage of the Bill. Since the Committee’s Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, tabled on 27 February 2015, there have been substantial developments in the international domain, notably following determinations by the Court of Justice of the European Union. This chapter considers the general principles that apply in this area in the international jurisdiction, before discussing area-specific developments regarding the European Union, United Kingdom and United States.
While the state of international jurisdictions is, of course, not binding upon Australia, the Office of the Australian Information Commissioner (OAIC) notes that such evidence does nonetheless indicate how other jurisdictions have sought to balance the proportionality of law enforcement objectives and human rights obligations and is thus worthy of consideration. Given that the area of data retention is particularly fast-moving, due to the nature of subject technologies, the international environment has developed significantly since the passage of the bill in 2015.
Some submitters noted that Australia’s international position with regard to its data retention scheme is an outlier. Monika Zalnieriute and Genna Churches have described Australia’s position thus:
Australia’s current data retention regime does not sit comfortably with recent developments in other jurisdictions, such as the EU and USA, and has been described as being ‘off with international precedent’.
Within its submission, the Department of Home Affairs outlines comparable international jurisdictions, primarily in the EU. The only country with a regime longer than two years is Italy, which extends the retention period to six years for both telephone and internet traffic data (excluding the content of the communications). Only Poland and Ireland, as listed by the Department, have a comparable length of two years, and each country’s respective scheme is currently under judicial challenge.
The vast majority of listed schemes retain data for a period of 12 months or less. Additionally, ten of the countries listed have schemes that are currently under legal challenge and/or review, while five have schemes that have been declared unconstitutional or have otherwise ceased. Twelve countries have schemes that are implemented and not subject to serious review, as at the time of the Department’s submission.
Some submitters were concerned with the Australian scheme’s interaction with international human rights, privacy and freedom of expression obligations, particularly with regard to articles 17 and 19 of the International Covenant on Civil and Political Rights (ICCPR). The Australian Human Rights Commission raised that the right to privacy as outlined in article 19 of the ICCPR was particularly pertinent, as it encompasses a right against unlawful or arbitrary collection of personal information by others, including government, and that any limitation of this right must be proportionate and necessary to achieve a legitimate objective.
As noted by the Department of Home Affairs, it is the prerogative of each country to legislate on collection of telecommunications data to ensure ‘an appropriate balance between its citizens’ expectations of privacy and the requirements of law enforcement and intelligence agencies’. The Department also noted that:
While it is useful to monitor international trends in data protection and retention, it is expected that each country will seek to adopt measures that are necessary and proportionate to their own unique circumstances. In comparing international models for data retention, the vast differences in domestic agencies’ functions, investigative behaviours and the threat environment in which they operate should be considered.
Furthermore, the Department raised Australia’s international obligations under Article 14(2) of the Convention on Cybercrime of the Council of Europe, which requires parties to ensure that telecommunications data (and other evidence in electronic form, other than the content of communications and prospective or future telecommunications data) is available for the investigation of any criminal offence.
As noted in the submission from La Trobe University’s Optus Cybersecurity Research Hub, Australia has no substantively established common law right to privacy and no constitutional protection of privacy, whereas the European Union’s member states operate under the Charter of Fundamental Rights of the European Union.
The European Union’s Data Retention Directive (Directive 2006/24/EC) was passed in 2006 and required that telecommunications providers retain traffic and location data belonging to individuals or legal entities, with a retention period of between six months and two years. The limit placed on this power was that such access must be necessary, appropriate and proportionate, within a democratic society for specific public order purposes. The Directive’s purpose was to assist member states in preventing, investigating, detecting and prosecuting serious crime, such as organised crime and terrorism. Significantly, Australia’s Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 was substantially based on this directive.
In 2014, before the passage of the bill, the Directive was challenged on the grounds of an infringement to the right to private life, and the right to the protection of personal data of individuals, as reflected in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.
The Directive was found invalid by the Court of Justice of the European Union (CJEU) on the grounds that the general and indefinite retention of various categories of data ‘exceeds the limits of what is strictly necessary and cannot be considered to be justified’. Notably, as raised by the Joint Councils for Civil Liberties in their submission, the European Court of Justice was troubled by the potential for data, when taken as a whole, to ‘allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained,’ adding to the determination that the scheme was disproportionate.
As noted by the Australian Human Rights Commission, the CJEU identified three aspects of the Directive that were particularly problematic:
the collection of personal data was indiscriminate, in that it applied to data of all people regardless of whether or not there was any evidence ‘capable of suggesting that their conduct might have a link, even an indirect or remote one, with serious crime’
the Directive failed to lay down any objective criterion by which to determine the limits of access and use of the data by authorities, to ensure that the data was only accessed and used in relation to the investigation of offences of sufficient gravity to justify the interference with the right to privacy
the retention period failed to distinguish between categories of data based on their potential usefulness in investigating criminal offences.
This case, Digital Rights Ireland Ltd v. Minister for Communications, Marine and Natural Resources (‘Digital Rights Ireland’), was followed by subsequent legal challenges to legislation that sought to introduce data retention schemes, which have been ruled invalid due to their inconsistency with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.
While the CJEU did not rule on the validity of national laws implementing the invalidated directive in the Digital Rights Ireland case, some member states invalidated their domestic rules and others have amended or introduced new data retention laws, while others kept their current schemes in situ.
In 2016, through Tele2 Sverige AB v Post-Och Telestyrelsen and Secretary of State for the Home Department v Watson (‘Tele2 Sverige’) (C‑203/15 and C‑698/15), the CJEU built on previous judgements in Digital Rights Ireland, as well as constitutional orders from member states, to forge a consensus on data retention. It ruled that member states could adopt legislation that reflected a proportionate approach to data retention:
… permitting, as a preventative measure, the targeted retention of traffic and location data, for the purpose of fighting serious crime, provided that the retention of data is limited, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary.
In Tele2 Sverige, the CJEU again affirmed that access to traffic and location data can allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained. As raised by the Law Council, the Court of Justice of the European Union found that telecommunications data may provide a means ‘of establishing a profile of the individuals concerned, information that is no less sensitive, having regard to the right to privacy, than the actual content of communications’.
Additionally, the Law Council of Australia raised that, in both Digital Rights Ireland and Tele2 Sverige, the CJEU accepted that the objective of the Data Retention Directive—namely, to assist in the fight against serious crime and terrorism in order to ensure public security—was a legitimate objective.
The European Union further strengthened the privacy rights for individual citizens of its member states by enacting the General Data Protection Regulation, which came into effect on 25 May 2018. This regulation aims to protect individuals over their personal data, including some forms of metadata, and to simplify the regulatory environment for international business by unifying the regulation within the European Union. As noted by the Law Council of Australia:
The regulation requires controllers of personal data to put in place appropriate technical and organisational measures to implement the data protection principles. This includes the requirement of a processor of personal telecommunications data to clearly disclose any data collection and declare the lawful basis and purpose for data processing (for example if for law enforcement purposes, the clear basis for this purpose), and state how long the data is being retained.
This series of case law developments, focused on creating the boundaries within which member states’ data retention schemes can operate without infringing on the European Union’s laws, is indicative of the high level of activity and reform occurring in this area on a worldwide scale.
The United Kingdom is, as at this writing, still a part of the European Union. While this is due to change in the very near future, the United Kingdom (UK) is still subject to the European Union’s associated regulations (see above). This section considers elements that have occurred in the UK context, largely in response to the developments in the European Union (discussed above).
As noted by the Australian Privacy Foundation, the United Kingdom’s legal environment is distinct from Australia’s, as the UK is currently subject to the General Data Protection Regulation and has a designated human rights act with specified protections. Despite these differences, looking at the UK context is still informative.
The basis of the UK’s data retention regime is the Data Retention and Investigatory Powers Act 2014 (DRIPA), which provides that a telecommunications company may be required to retain relevant communications data. The data may be retained based on the standard that the data is ‘necessary and proportionate’.
Despite numerous legal challenges to its data retention legislation, the United Kingdom has persisted in efforts to maintain access to communications data. Following the previous ruling by the European Court of Justice in Digital Rights Ireland, in April 2014, the United Kingdom’s High Court ruled against their regime on the basis that it exceeded the limits created by the Charter of Fundamental Rights of the European Union. In response, the UK introduced the Investigatory Powers Act 2016, which provided an updated framework for security and intelligence agencies, law enforcement and other public authorities to obtain communications and telecommunications data.
In January 2018, in Secretary of State for the Home Department v Watson, the UK Court of Appeal decided that if the retained data is used for minor offences, DRIPA violates European Union (EU) law. As a result, the Investigatory Powers Act 2016 was further amended to make the legislation consistent with EU law, to introduce independent administrative or judicial authorisation for most communications data applications, and to restrict requests to the investigation of serious crime.
In September 2018, in Big Brother Watch v The United Kingdom (58170/13, 62322/14 and 24960/15), the European Court of Human Rights (ECHR) considered whether certain aspects of a mass surveillance regime being applied in the United Kingdom were unlawful due to their inconsistency with the right to privacy and the right to freedom of expression under the European Convention on Human Rights. The Court held that the scheme in this regard was incompatible with the Convention because its use was not limited to combatting ‘serious crime’ and its use was not subject to prior review by a national authority. The Court ultimately held that the scheme violated the Convention due to the ‘absence of robust independent oversight’.
As noted by the Department of Home Affairs, the United States currently has no ‘blanket’ data retention law or scheme. Government agencies obtain access to any communications or communications records stored by providers under the Stored Communications Act, which also establishes that providers must preserve stored data for up to 180 days upon request by government. Access to data can also occur where access is compelled by a court order.
In the United States, the National Security Agency (NSA) has extensive powers to collect telephone records and telecommunications data, within the remit of the Privacy Act 1974. While the Privacy Act 1974 does impose certain standards on federal agencies when collecting, maintaining and using personal information, it does not apply to records created or held by intelligence agencies, meaning a number of sources of information do not fall within the ambit of the Act.
As with comparable international jurisdictions, the United States’ data retention regime (or lack thereof) is currently in a state of legal flux. La Trobe University posited that, like the United Kingdom, the United States is in the process of affirming the judiciary’s oversight role regarding the statutory powers of the security and law enforcement agencies to collect and use telecommunications data—namely, that oversight occur prior to the collection of said data. Submitters from the University of New South Wales’ Allens Hub for Technology, Law and Innovation broadly agreed with this assessment, noting that:
the USA appears to be in the process of abandoning its section 215 call data retention scheme because the logistical and legal burdens of keeping it outweigh its intelligence benefits, but it is also creating precedent to protect sensitive information such as location data outside of retention schemes.
The Law Council noted that the United States Congress has since enacted legislation to try and restore some protection to the right to privacy afforded to American citizens by the Freedom Act 2015, which imposed some new limits on the bulk collection of telecommunications data on United States citizens by American intelligence agencies. The Freedom Act 2015 does prevent the mandatory retention and collection of telecommunications data by telecommunications carriers for the use of United States government agencies, although government agencies can access telecommunications data voluntarily retained by commercial telecommunications companies by seeking access through the Electronic Communications Privacy Act 1986. This Act enables law enforcement to obtain information on telephone calling patterns without a warrant to investigate particular offences prescribed in the Electronic Communications Privacy Act 1986.
A notable development in the United States since the passing of the Telecommunications (Interception and Access) Amendment (Data Retention) Bill in 2015 is the decision in Carpenter v United States. The Supreme Court of the United States (SCOTUS), in determining whether the use of location data was based on ‘reasonable grounds’ with regard to a series of robberies, considered whether the warrantless seizure and search of historical cell phone records that reveal the location and movements of a cell phone user for over 127 days was permitted by the Fourth Amendment.
The SCOTUS determined that access to location information under the US’ Stored Communications Act must generally be accompanied by a warrant issued under the ‘probable cause’ standard and that ‘law enforcement agency access to location data requires a warrant as it is a Fourth Amendment search’, which effectively grants location data the same levels of protection as content in the United States.
Furthermore, it has been noted in the United States that mobile phone metadata can effectively reveal many personal details—including an individual’s age, gender, religion and/or sexual preferences—in a potentially invasive manner. The Office of the Victorian Information Commissioner noted former National Security Agency General Counsel Stewart Baker’s comments that ‘metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content’.
Currently, case law in the United States is in the process of further defining the judiciary’s oversight role regarding the statutory powers of the security and law enforcement agencies to collect and use telecommunications data. While the judiciary is in the process of further defining and potentially limiting the remit of agencies to collect data, this process is occurring due to the need to counterbalance the current regime with further constitutional and privacy protections that are afforded to United States citizens.