2.1
This chapter sets out evidence on the operation and effectiveness of the mandatory data retention regime (MDRR). It incorporates evidence on the effectiveness of the regime, costs associated with the regime, regulations and determinations, security and complaints.
Operation
Dataset
2.2
Section 187AA of the TIA Act sets out the ‘kinds of information that a service provider must keep, or cause to be kept.’ This includes the following six datasets:
The subscriber of, and accounts, services, telecommunications devices and other relevant services relating to, the relevant service;
The source of a communication;
The destination of a communication;
The date, time and duration of a communication, or of its connection to a relevant service;
The type of a communication or of a relevant service used in connection with a communication; and,
The location of equipment, or a line, used in connection with a communication.
2.3
Subsection 187AA(4) of the TIA Act ‘puts beyond doubt’ that service providers are not required to keep information about telecommunications content, web browsing history information or documents about communications that pass "over the top" of the underlying service they provide, and that are being carried by means of other services operated by other service providers.
2.4
Section 172 of the TIA Act does not allow the disclosure to an agency of information that is the content or substance of a communication, or a document that contains the content or substance of a communication. The term ‘content or substance of a communication’ is not defined in the TIA Act.
2.5
The Department of Homes Affairs (Home Affairs) sets out, including by using case studies, ways in which each of the datasets ‘play a different, and important, role in investigations.’ Law enforcement and other submitters also pointed to the investigative efficacy of the datasets.
2.6
The Australian Commission for Law Enforcement Integrity (ACLEI) points out that:
Access to telecommunications data covered by the mandatory data retention regime forms an essential component in ACLEI’s investigations, primarily because of the advantage provided by this information, in uncovering complex corruption and serious crime that would otherwise remain hidden.
2.7
Some law enforcement submitters raised concerns with the non-standardised manner in which data is provided to them. The Western Australian Police Force advised that the:
Metadata products supplied by telecommunication providers are not returned in standardised formats or content making interpretation by analysts and investigators difficult. There is no requirement under the TIA Act for carriers to provide advice or instruction on how to ‘read’ or interpret the data.
2.8
Victoria Police stated that
disparate datasets are received from providers including different format and content. This creates an administrative burden for Victoria Police members who spend large amounts of time re-formatting data in order to firstly make sense of the data and then utilise it to develop an accurate depiction of the links between parties involved in the offending.
whether there are undeclared links between a law enforcement officer and a criminal, or to assist in establishing an alibi.
2.9
The Allens Hub for Technology, Law and Innovation sets out one detailed technical argument as to how content and web browsing histories may be blurred with metadata and thereby captured by the scheme:
The evolution of techniques to address developments and limitations in the changing telecommunications data environment means that the implications of telecommunications data retention, and the data set involved, requires review. One example is CG-NAT (Carrier Grade Network Address Translation, which enables re-use of IP numbers behind a carrier’s firewall), and related techniques required during the IPv4 to IPv6 transition. This includes rapid re-use of ‘leases’ for particular device identifiers like IP number, and ‘multiplexing’ enabling simultaneous sharing of scarce IPv4 numbers. To enable identification of a user’s device behind the public facing IP address, the use of CG-NAT requires additional data (including the address of the server at the other end of each request) to be retained. The retention of this type of data can reveal elements of browsing history and make it possible to reconstruct ‘pattern of life’ information about a user including their movements, browsing or communication habits. The Revised Explanatory Memorandum states that NAT records are permitted to be retained under s 187A(4)(b):
does not exclude any provider from retaining information about the identifiers it assigns, on a permanent or transient basis, to an account, device or relevant service, such as network address translation (NAT) information. Such information can be required to be retained by Item 1(d) or Item 2, or both, of the table in 187AA.8
This blurs the boundary between ‘contents’ or ‘web-browsing histories’, and ‘telecommunications data’, permitting or even requiring the retention of data excluded by ss 172 and 187A(4)(a) or (b) of TIA Act.
2.10
Dr Monika Zalnieriute and Genna Churches set out in detail their recommendations around the current dataset. These are
a re-definition of ‘personal information’ under the Privacy Act 1988 (Cth) to include an explicit acknowledgement that metadata is ‘personal information’ and thus should be governed/covered by the same protections as any other personal data;
with respect to the inclusion of location data within the retained dataset and access more generally, re-consider the current ‘non-contents’ status of location data, in line with recent US jurisprudence, and recommend that it be excluded from the dataset, and prohibited from access without a warrant;
with respect to the exclusion of ‘web browsing history’ from the retained dataset, that the Committee consider technologically accurate wording, providing a definition with the inclusion of the acronym ‘URL’ and potentially destination IP addresses to avoid doubt as to what must not be retained;
given the historical acceptance that ‘URLs’ (or ‘web browsing history’) are content and that a warrant should therefore be required to access ‘URLs’, specifically exclude access to URLs and other data revealing ‘web browsing’ without a warrant;
abolishing the content/non-content definition of ‘telecommunications data’ as it is outdated and unworkable. The legislation should be explicit, stating the type of data to be retained, and mandate deletion after the applicable retention period. It should define the terms ‘contents’ and ‘telecommunications data’ and should clearly state what types of data can be accessed without a warrant.
2.11
In relation to location data Dr Monika Zalnieriute and Genna Churches recommended that:
a warrant be required to access location data, similar to the requirement for a warrant required to install a GPS tracker/locator under the Surveillance Devices Act 2004 (Cth), removing the current inconsistency between the TIA Act and the Surveillance Devices Act 2004 (Cth). Alternatively, we recommend that the warrant for access be based upon the requirements of the TIA Act for a Telecommunications Interception warrant.
2.12
Other submitters have recommended that the terms ‘contents’ and ‘substance’ be specifically defined. For example the OAIC stated that
clarifying these terms would create greater certainty and enhance privacy protections by reducing the potential for more personal information to be collected than is necessary for the purposes of the Regime. With this in mind, the OAIC recommends that the Committee consider amending the TIA Act to define the terms ‘contents’ and ‘substance’ where they appear.
2.13
At the Committee’s public hearing on 28 February 2020, the AFP noted that they would be prepared to assist the Committee in further strengthening of the definition of the terms ‘contents’ or ‘substance’ of a communication or document. When asked what might assist them in carrying out their functions under the MDRR the AFP stated that
clarifying even more strongly the nature of what is content verses metadata, in relation to this particular issue around URLs. It would be helpful. Then, that would be a process for us to update our guidelines and procedures to ensure that, where this data was detected, either by a central area or by individual officers receiving the information, they dealt with that information appropriately and in accordance with the act.
Retention period
2.14
Under Section 187C of the TIA Act provides that the ‘information or documents’ must be held for a period of two years. This section sets out the evidence supporting keeping the retention period at two years or extending the retention period.
2.15
Although stating that an increased retention period would assist agencies, ultimately the Department Home Affairs did not favour an increase in the retention period stating that when this assistance is
weighed against changes in public attitudes towards privacy and the need for strong privacy protections, the most appropriate way forward would be to retain the existing scope the legislation.(sic)
2.16
Most law enforcement and anti-corruption agencies supported keeping the minimum two year retention period. The Independent Broad-based anti-corruption Commission (IBAC) stated that:
a data retention period of two years strikes the appropriate balance between the needs of law enforcement agencies and corruption and integrity agencies to protect the community, while minimising privacy intrusions for individuals.
2.17
The Synod of Victoria and Tasmania, Uniting Church in Australia submitted strongly in favour of the two year data retention time and suggested that it could be extended:
There must not be any reduction in the length data needs to be retained, if anything it should be extended. Where an Australian paedophile has engaged in hundreds of sessions of live rape, torture and sexual abuse of children via webcam over a number of years, a court should not be hampered in its sentencing determination by the fact that a profit-driven technology corporation has wiped the evidence of sessions because of an inadequate data retention period exists.
2.18
Some, such as the Australian Commission for Law Enforcement Integrity (ACLEI) did not comment on the retention period specifically preferring to comment on the value of data retention generally:
Telecommunications data assists in developing intelligence pictures, by establishing the existence of links between individuals, and providing an indication of the possible strength of those relationships. It can also help to assess the credibility of other information—for instance, by establishing whether there are undeclared links between a law enforcement officer and a criminal, or to assist in establishing an alibi.
2.19
The Communications Alliance pointed out that the two year retention period in no way restricts access to data outside of the period:
Data retained after completion of the Implementation Phase of the DR Regime is only accessible if it has been retained for purposes other than compliance with the DR Regime. It is important to note that this data will only be accessible in civil proceedings for the period that the data has been retained for such other purposes which may be more or less than the two-year retention period of the DR Regime. As an example, if data required to be retained under the DR Regime for two years has only been retained for six months for other purposes, then the data will not be available for the remaining eighteen months during which it has been retained solely for the purpose of complying with the DR Regime. Equally, if the data is being retained for other purposes for 7 years, then the data would be available for civil proceedings for the entire 7 years.
Access to data
Additional Criminal Law Enforcement Agencies
2.20
The Department of Home Affairs have developed a set of criteria to assist the Minister in evaluating requests from agencies to become a Criminal Law Enforcement Agency (CLEA). These include:
the need for direct access to telecommunications data, including necessity rather than usefulness;
privacy safeguards implemented by the requesting agency;
the viability of the agency gaining adequate access via a joint operation with a law enforcement agency;
the agency’s ability to comply with the obligations of the TIA Act;
whether the declaration is in the public interest; and
other relevant matters such as consistency across jurisdictions.
2.21
Two submitters to the Committee have made cases for their inclusion as CLEAs under the TIA provisions.
Australian Taxation Office
2.22
The Australian Taxation Office has not been declared a CLEA and does not currently have the ability to request data under the auspices of the TIA Act. The ATO submitted that it has currently been relying on the use of the Commissioner’s formal information gathering powers (in accordance with section 353 of the Tax Administration Act 1953 together with section 280 of the Telecommunications Act 1997 to obtain telecommunication data for civil reviews and audits.
2.23
The ATO noted that access to telecommunications data is imperative for its investigation of financial crime:
In an increasingly digital tax environment, TD [telecommunications data] enables ATO investigators to make compelling connections between electronic devices and the commission of an offence. Further evidence gathering is then undertaken to prove the person used the device to commit the offence. This is at the heart of a successful prosecution. Without TD it is extremely difficult to link the device to the offence, and consequently obtain a successful prosecution of the perpetrator/s.
2.24
The ATO noted that, since 2015, a number of reviews have recommended that the ATO’s access to telecommunications data be reinstated, including the Parliamentary Joint Committee on Law Enforcement’s Inquiry into financial related crime, the Treasury’s Black Economy Taskforce’s Final Report, and the Inspector-General of Taxation’s Review into the ATO’s fraud control management.
State and territory corrective services agencies
2.25
The Corrective Services Administrators’ Council submitted to the Committee on behalf of its members in order to provide information on how correctional services agencies’ loss of CLEA status has created obstacles in pursuing avenues of investigation, reduced the likelihood of securing convictions and, in some cases, reduced their ability to identify likely perpetrators.
2.26
The Corrective Services Administrators’ Council emphasised that correctional services agencies are a vital part of Australia’s law enforcement system:
State and Territory CSAs are an integral part of the Australian law enforcement framework. They have an important role in the detection, investigation and prosecution of serious crime and corruption under State and Commonwealth legislation.
2.27
The Corrective Services Administrators’ Council noted that the unlawful use of mobile phones is common in the corrections context and that mobile telephony can be used by inmates to ‘arrange escapes, threaten and intimidate witnesses or victims, traffic contraband, and facilitate communication with offenders outside a correctional centre’. The organisation further noted that, in Victoria, seized phones have been found on occasion to reveal evidence of either actual or planned offending behaviour, including child pornography, planned violent activity or terrorist related propaganda.
Authorisation practices
2.28
The Committee asked law enforcement about the processes and practices involved in the authorisation process for requests made under the metadata regime. NSW Police stated that:
For a criminal investigation, if your detectives are requesting it, they need to go through your crime manager, who's an experienced criminal investigator with 15, 20 or 30 years of experience. So they will know whether they're asking for information frivolously or not, and they'll also know that we have a fiscal responsibility to ensure that we're not making these requests without merit. The other five duty officers who work in a PAC, a police area command, will all be operational police officers. If it's a general-duties officer making a request for a DV matter, they will know what to advise that person. They may eventually expand the request and say, 'You probably need more,' and that's what I would advocate, because this is a great tool.
2.29
With regard to time spent by authorising officers taking to authorise a metadata request NSW Police stated that it
could be 15 or 20 minutes of briefing, going through the investigation to the crime manager. It could be extended. As I say, the person signing this has to sign off certain criteria that they have reasonable cause to believe this is relevant and required. So they have to sign off on it. That commissioned officer has to sign off that this is a function that is required.
2.30
Queensland Police set out that they had a ‘similar authorisation process’ in which a
detective or a senior investigator will make the application through their chain of command—to a detective inspector generally, although all commissioned officers are authorised. They don't generally do them because they're not familiar with them. In the day-to-day routine it's generally the investigative units that do this. That then goes to the relevant area, which actions it. They double-check the forms and make sure all the criteria are met and the significant issues that must be met are all ticked off. Again, it's checked when it comes back to make sure it's exactly what we've requested. Obviously then you have the ombudsman and other internal checking systems that apply in terms of compliance as you would with any normal use of power in a police service.
2.31
The Committee also asked Queensland Police as to what steps or arrangements they have to ensure consistency of decision-making in relation to authorisations. Queensland Police stated that they have
policies and we have detailed instructions on how to go about the actual applications, authorisations and so forth. There have been a number of training programs, and the ombudsman reports back to us. The advice that they give us we roll out as we see fit to try to improve the operation and also the compliance across the organisation. So it's a continual process.
2.32
The Committee also requested information on the training processes from the Australian Federal Police who stated that there was a ‘process to be followed’ which
includes the form going to our online training and investigator toolkit, so our investigators can access at any time information relating to, 'How do I do this?' It's available to them, as well as face-to-face courses that are run for our authorised officers. We have a handbook for authorised officers and also our annual training program that they must complete online to maintain their authorisation.
2.33
On 28 February 2020, the PJCIS held a public hearing for the review into the MDRR, where the Department of Home Affairs provided evidence. After the public hearing, the Committee provided further, detailed questions on notice relating to the functioning of the regime. The Department of Home Affairs provided the Committee with a response to those questions taken on notice during the hearing and subsequent written questions on notice, which the Committee accepted as Submission 21.4. The additional questions relate to the core functions and operating procedures of enforcement agencies in relation to their use of, and access to, telecommunications data under the TIA Act. The Department of Home Affairs sought statistical information from the following law enforcement agencies that are defined as enforcement agencies under the TIA Act:
Australian Commission for Law Enforcement Integrity,
Australian Competition and Consumer Commission,
Australian Criminal Intelligence Commission,
Australian Securities and Investments Commission,
Corruption and Crime Commission (Western Australia),
Independent Broad-based Anti-corruption Commission (Victoria),
Independent Commission Against Corruption (New South Wales),
Independent Commissioner Against Corruption (South Australia),
Law Enforcement Conduct Commission,
New South Wales Crime Commission,
Northern Territory Police,
Queensland Corruption and Crime Commission,
Western Australia Police.
2.34
The Australian Federal Police, the New South Wales Police and the Queensland Police Service provided their own responses independently of the Department of Home Affairs. The responses to the questions are reflected in the table below.
Table 2.1: Questions on Notice
|
|
|
|
|
|
As at 1 March 2020 how many officers were employed by your agency?
|
3,180
|
17,111
|
11,962
|
|
In total, and as at 1 March 2020, how many of your officers are “authorised officers” (i.e. have the powers to authorise the release of telecommunications data)?
|
174
|
862
|
735
|
|
Prior to 1 March 2020, were regular training programs delivered to authorised officers to ensure that decisions were being made appropriately and consistently? If not, why not?
|
Yes. The online Authorising Officer training package was released 17 November 2017, and officers are able to access it via the AFP’s training portal.
|
If Police Commands requested training, Information Services, State Intelligence Command would facilitate this. Other than this, the following is available from the NSW police Intranet:
• Video by D/Supt Kopsias on Data Retention Laws, including Authorised officer considerations. The video is 3min 49sec in duration. Approximately 790 employees across the organisation clicked this training video from 2015 to March 2020
• The iASK Information Request User Guide is available to assist.
|
The QPS did not consider it necessary to deliver regular training programs to authorised officers to ensure that decisions were being made appropriately. This Agency was satisfied that all authorised officers had either received face-to-face training and/or had access to comprehensive guidance documentation hosted on the QPS intranet in order to make an informed decision in accordance with the requirements of Chapter 4 of the Act.
|
|
How many authorisations for historic telecommunications data did your agency make in 2018/19?
|
There were 17146 authorisations for historic telecommunications data made in 2018/19.
|
106,547 historical data authorisations (these include sections 178, 178A, and 179 of the TIA Act).
|
23,527 authorisations for historic telecommunications data along with 368 pre-warrant checks conducted by the Telecommunications Interception Unit.
|
|
How many authorisations for prospective telecommunications data did your agency make in 2018/19?
|
4,633
|
1,062
|
2,790
|
|
How many individuals did the authorisations for prospective telecommunications data made by your agency in 2018/19 relate to? If precise numbers cannot be provided, please provide an estimate with an explanation of how you arrived at the estimate.
|
An estimated 1628 authorisations for prospective telecommunications data in 2018/19 related to specified individuals. This estimation was reached by exporting data for the 2018/19 period and removing duplicate individual names. This figure does not take into account instances where the user of the telecommunication service was unidentified.
|
772 Prospective Data Authorisations were made in 2018/19.
|
2,105 nominated individuals were identified. In addition, on 93 occasions the person of interest in the relevant offence was recorded as ‘unknown’. This may have involved a scenario where the subject telecommunications service was identified as being utilised in a relevant offence, but the identity of the actual user was unknown at the time of making the authorisation.
|
|
Since 13 April 2015, has your agency ever accessed a person’s telecommunications data in reliance on section 280 of the Telecommunications Act in conjunction with another law? If so:
1. On how many occasions?
2. On what dates?
3. In each case, what law did you rely on to authorise the disclosure of telecommunications information (in conjunction with section 280)?
4. In each case, why did you rely on that other law rather than using your powers under the TIA Act?
5. In each case, did you use that information as part of an investigation? If so, please provide details.
6. In each case, did you use that information as evidence in a prosecution? If so, please provide details.
|
No.
|
It does not appear that NSWPF made any requests under the provisions of s280 of the Telecommunications Act 1997 (Cth) since 13 April 2015
|
The QPS does not retain any centralised records which would indicate if telecommunications data was accessed in reliance upon section 280 of the Telecommunications Act 1997 in conjunction with another law. It is possible that such information may have been obtained by an officer of the Agency pursuant to a lawful search warrant issued under the provisions of Chapter 7 of the Police Powers and Responsibilities Act 2000 (Qld).
|
|
In 2017/18, how many of the authorisations for historic telecommunications data that were made by your agency related to innocent parties?
|
Unknown.
|
The NSW Police Force Corporate Request System is unable to generate the requested information. The NSW Police Force is unable to quantify the specific number, as it would require an analysis of each individual authorisation that has been conducted. What is known by this agency is that it is possible to use telecommunication data as a corroborative tool in identification or elimination of a subject person relative to an investigation. That is, the person at or near the scene of the crime which is independent of other potential evidence.
|
It is not possible to quantify an answer to these questions…A victim of an offence and a witness or person of interest is innocent, but as part of the investigation it may be necessary to have authorised access to their telecommunications data. Similarly, no records are kept in a format that identifies individuals ruled out of suspicion.
|
|
As at 1 March 2020, when a person is ruled out from suspicion as a result of your agency’s use of authorisations for telecommunications data (whether historic or prospective) does your agency delete the individual’s telecommunications data from your system? If so:
1. Whose responsibility is it to delete the individual’s telecommunications data from your system?
2. What systems are in place to ensure that this happens?
3. Is there a policy that governs these matters? If so, please provide the Committee with a copy.
|
No, all historic and prospective telecommunications data received by the AFP is routinely retained, except where there is a legislative requirement to delete the data. If data is received that is outside the scope of the authorisation, steps are taken to quarantine the data.
|
As above.
|
No centralised records are kept by the Agency to identify if a person subject of a prospective or historic telecommunications data authorisation has been ruled out from suspicion for an offence. This type of information is not a requirement of the Act.
Furthermore, the provisions of Chapter 4 of the Act do not provide for a destructions process for this type of information, although it is highly desirable for the Agency to delete prospective data information when it is no longer required for an investigation due to the significant storage and retention costs.
In the absence of any overarching legislative provisions, officers of the Agency rely upon the Queensland Police Service Retention and Disposal Schedule which identifies disposal action and retention periods based around offence types.
|
|
As at 1 March 2020, did your agency hold any telecommunications data that related to an individual who had been ruled out from suspicion?
1. If so, why?
2. If not, how did you satisfy yourself that your agency does not hold any of this information? How can you be certain?
|
All telecommunications data received by the AFP is routinely retained, except where there is a legislative requirement to destroy the data. . If data is received that is outside the scope of the authorisation, steps are taken to quarantine the data.
|
As above.
|
Whilst no centralised records are kept by the Agency to identify if a person subject of a prospective or historic telecommunications data authorisation has been ruled out from suspicion for an offence, it would be reasonable to believe that such a scenario would exist. The retention and reporting on this data set however would be problematic when you consider that suspicion can be a subjective proposition based upon the consideration of all available evidence at a particular point in time. The need to report on this information has not been a requirement of the Act.
|
Source: Submissions: 15.3 (AFP), 39.1 (NSW Police) and 38.2 (QLD Police Service)
Thresholds for access to data
Legislative thresholds
2.36
As set out in chapter one, Sections 177 to 180 of the TIA Act outline other circumstances whereby sections 276, 277 and 278 of the Telecommunications Act 1997 do not prevent a disclosure of information by a holder of information or a document. These sections allow for authorisations to be made regarding:
the voluntary disclosure of information or a document if the disclosure is reasonably necessary for the enforcement of the criminal law or the enforcement of a law imposing a pecuniary penalty or for the protection of the public revenue (section 177);
the disclosure of existing information or a document for the purpose of enforcing criminal law (section 178) or for the enforcement of a law imposing a pecuniary penalty or for the protection of the public revenue (section 179);
the disclosure of information or a document that is reasonably necessary for the purposes of finding a person who the Australian Federal Police, or a police force of a state, has been notified is missing (section 178A); and
prospective access to information or documents, subject to the limitations listed, namely that:
the authorised officer must not make the authorisation unless he or she is satisfied that the disclosure is reasonably necessary for the investigation of:
(a) a serious offence; or
(b) an offence against a law of the Commonwealth, a State or a Territory that is punishable by imprisonment for at least 3 years.
2.37
A number of submitters raise concerns that the threshold for accessing existing information or documents ‘reasonably necessary for the enforcement of the criminal law or the enforcement of a law imposing a pecuniary penalty or for the protection of the public revenue’ was set too low.
2.38
As one example the Law Council stated that
for the regime to be proportionate with its aim of assisting in the protection of national security, public safety and addressing crime, access to existing telecommunications data should only be granted to criminal law enforcement and security agencies that investigate specific serious crimes such as serious indictable offences or specific serious threats to national security (as defined by section 4 of the Australian Security and Intelligence Organisation Act 1979 (Cth) (ASIO Act)). A serious indictable offence could be defined in similar terms to section 15GE of the Crimes Act 1914 (Cth) (Crimes Act) as one that involves a range of matters (including, for example, espionage, sabotage or threats to national security, violence, firearms, importation and exportation of prohibited imports, theft, fraud, money laundering, harbouring criminals, forgery) and is punishable by at least three years' imprisonment.
2.39
Dr Monika Zalnieriute and Genna Churches recommended that
the Committee consider implementing similar thresholds for the severity of crime as contained within the TIA Act s 5D ‘Serious Offences’ as per the requirement for obtaining a Telecommunications Interception Warrant.
2.40
Section 5D of the Telecommunications (Interception and Access) Act 1979 is set out in Appendix D of this report.
Privacy concerns
2.41
Data retained by telecommunications providers under the regime is classified as personal information and is protected by the Privacy Act 1988 (Privacy Act) and section 180F of the TIA Act 1979, which stipulates that the use of retained data must be ‘justifiable and proportionate’. Section 187LA of the TIA Act extends the meaning of ‘personal information’ to cover information kept under Part 5-1A of the TIA Act. This section states that information that is retained as part of the MDRR is taken, for the purposes of the Privacy Act, to be personal information about an individual if the information relates to the individual or a communication to which the individual is a party. Agencies are able to collect the personal information of Australians for broad law enforcement purposes under the scheme.
2.42
The Department of Home Affairs noted that the Australian public has strong reservations about the sharing of their personal information and noted the Department’s commitment to managing Australian’s data appropriately:
No organisation, whether government or industry, can afford to be complacent in appropriately managing Australians’ data. The Home Affairs Portfolio acknowledges this and is committed to ensuring the Data Retention Act remains proportionate, only impacting the privacy of Australians where necessary for legitimate law enforcement and national security purposes. Privacy protections in Australian law and the current authorisation framework for telecommunications data already establish robust privacy protections.
2.43
The Office of the Australian Information Commissioner (OAIC) assists and monitors entities with privacy responsibilities and provides guidance for entities on their Privacy Act 1988 obligations. The OAIC also provides ongoing assessments of how telecommunications service providers secure the telecommunications data that they collect and hold under the Regime.
2.44
Additionally, the national data breach scheme came into effect from 22 February 2018. Established by the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017, this scheme creates an obligation to notify individuals whose personal information is involved in a data that is likely to result in serious harm and to recommend remedies. It applies to entities with existing personal information security obligations under the Privacy Act, including telecommunications operators and government agencies. Any notifiable data breaches must be reported to the OAIC under the scheme.
2.45
Many submitters remained concerned that the scheme did not adequately protect the privacy of Australians. Dr Monika Zalnieriute and Genna Churches submitted that, in their view, the existence of the MDRR was fundamentally incompatible with Australia’s right to privacy:
First, we highlight that Australian data retention legislation permitting indiscriminate retention of metadata by communication service providers is incompatible with the right to privacy and especially the information sub-set of it, widely known as data protection or ‘data privacy’. This is especially in light of international developments, and in particular, the invalidation of Data Retention scheme in the EU.
2.46
The OAIC noted that their previous recommendations regarding privacy safeguards were only partially addressed in the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015:
Some of the issues raised in the OAIC’s previous submission were addressed in the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth) (amending Act). However, other key recommendations that sought to establish privacy safeguards to ensure the proportionality of the Regime were not adopted or fully adopted. Those earlier recommendations include:
that the Regime only require service providers to retain telecommunication information for the minimum amount of time necessary to meet law enforcement needs
that clear and narrowly defined language be used in the Regime, particularly to describe the kinds of information that service providers are required to collect and store under the Regime to effectively implement the intentions of the scheme and reduce uncertainty for service providers that collect and retain data
that in the absence of a warrant-based access scheme, the need to limit the purpose for which an authorisation to disclose telecommunications data can be made to where it is reasonably necessary to prevent or detect a serious offence and safeguard national security, and
recognising the important safeguards in limiting access to agencies involved in the detection of a serious offence and safeguarding national security, that any expansion of the definition of ‘enforcement agency’ be made by amendment to the TIA Act itself.
2.47
The OAIC further noted that the acts and practices of intelligence agencies are not subject to particular aspects of the Privacy Act:
The acts and practices of intelligence agencies are not subject to the Privacy Act. Enforcement bodies, as defined in s 6 of the Privacy Act, are broadly subject to the Privacy Act, however there are limitations to the extent to which the APPs in the Privacy Act apply to the operations of these bodies. For example, the limitation on using or disclosing information collected for a particular purpose other than the primary purpose does not apply where authorised by law or where the entity reasonably believes it necessary for an enforcement related activity.
2.48
The Law Council submitted that what precisely constitutes ‘personal information’ under section 187LA of the TIA Act remains ambiguous, especially following recent judicial developments:
However, despite section 187LA of the TIA Act stating that retained data is ‘personal information’ for the purposes of the Privacy Act, which would have the effect of engaging the protections of the Australian Privacy Principles, this is not a settled point of law as illustrated by the decision in Privacy Commissioner v Telstra Corporation Ltd. In this decision, it was held that telecommunications data, specifically relating to the operation of mobile telephone services, is not regarded as ‘personal information’ for the purpose of section 6 of the Privacy Act as it not information ‘about an individual’ for the purpose of that section. The Law Council suggests that clarification in this area is needed.
2.49
Dr Monika Zalnieriute and Genna Churches also put to the Committee that the Privacy Act ought to be amended to acknowledge that metadata is ‘personal information’ and ought to be subject to more stringent privacy protections, as metadata may be capable of identifying an individual:
… we recommend the Privacy Act 1988 (Cth) be amended to include an explicit acknowledgement that metadata is ‘personal information’ and thus should be governed/covered by the same protection as any other personal data. Similar to CJEU in Tele 2 Sverige, the status of metadata was recently interrogated by the European Court of Human Rights in Big Brother Watch v UK where it held that metadata is just as important as the actual communications content in relation to the right for privacy. As explained by International Association of Privacy Professionals, metadata can be used to identify a person their location and other identifying information.
2.50
La Trobe University’s Optus Cybersecurity Research Hub also raised security concerns with regard to location information, and proposed that the TIA Act ought to state clearly that location information is personal information, as a matter of law:
The better means of protecting privacy is to state clearly in the TIA Act 1979 and the Privacy Act 1988 that location information is personal information, as a matter of law (as is already done on a narrower basis in section 187LA of the TIA Act 1979). Location information that is personal information should include, and be described as:
i. the velocity, altitude, latitude about a mobile telecommunications device and the identity of a base station (cell tower);
ii. whether a data point is accurate or estimated;
iii. whether it is used for billing or not; and
iv. whether generated prior to, at the start, during, at the end of, or after a telecommunications service; and
v. when linked with other information, that is able to identify an individual and reveal personal information about the individual, whether aided by or not, the use of data analytics software.
2.51
The Inspector-General of Intelligence and Security (IGIS) raised privacy issues that were unique to ASIO’s powers under the MDRR, as the Australian Security Intelligence Organisation (ASIO) is not required to take privacy into account when seeking access to data under the scheme:
IGIS further notes that, unlike enforcement agencies, there is no requirement in the TIA Act for ASIO to consider privacy before making a Chapter 4 authorisation. In contrast, the authorised officer of an enforcement agency must be satisfied on reasonable grounds that any interference with the privacy of any person or persons that may result from the disclosure or use of information is justifiable and proportionate, having regard to certain specified matters.
2.52
The IGIS recommended that the Committee consider whether the current threshold for ASIO to access telecommunications data is appropriate and whether existing requirements provide for adequate consideration of individual privacy.
2.53
Not all submitters were in agreement regarding their concerns around privacy. The Synod of Victoria and Tasmania, a part of the Uniting Church in Australia, submitted that there was a strong social need for the scheme to functioning as it was, regardless of the impact on privacy:
… it is clear the number of Australians engaged in online child sexual abuse activities far outweighs the resources of law enforcement agencies to deal with them all. This combined with the egregious nature of child sexual abuse more than justifies data retention, as outlined in the Act, of all Australians for at least two years to maintain the capability of law enforcement to combat online child sexual abuse to the extent that their resourcing allows for. The demonstrated likelihood that without data retention hundreds, if not thousands, of offenders engaged in online child sexual abuse offences will escape detection and prosecution over time, should outweigh any concerns about the impact of data retention on the right to privacy.
2.54
The Department of Home Affairs noted that it was satisfied with that the scheme appropriately balanced privacy concerns with the needs of law-enforcement.
Notification of access to retained metadata
2.55
Some submitters also found it concerning that the subject of a data request would not be notified that their metadata had been accessed. In practice, this means that individuals who have had their metadata accessed would not have the opportunity to make complaints to oversight bodies about the validity of such a request.
2.56
Indeed, some submitters proposed that the current regime ought to be amended to the notification of all persons whose telecommunications metadata has been accessed by criminal law enforcement agencies, enforcement agencies or ASIO.
2.57
The Human Rights Law Centre, Access Now and Digital Rights Watch raised in their submission that:
Notification is a basic safeguard that allows people to know when their privacy has been intruded upon, or for a journalist, where the confidentiality of their source has been compromised. The European Court of Justice has held that a person should be notified where their metadata has been accessed.
2.58
Additionally, the submitters raised that the lack of notification system in Australia, when combined with the fact that it is an offence for a person to disclose information about the existence of a journalist information warrant or related warrant application process, created a distinct lack of transparency. As was also noted by the Joint Councils of Civil Liberties, the absence of any notification requirements leaves individuals with the uncertainty that their private metadata may have been accessed.
Journalist Information Warrants
2.59
While a warrant is not generally necessary for a Criminal Law-Enforcement Agency (CLEA) to request access to data under the TIA Act, there are specified protections in relation to journalists. Division 4C of Part 4-1 of the TIA Act permits a relevant law enforcement agency or ASIO to access telecommunications data under a Journalist Information Warrant (JIW). This kind of warrant enables an agency to make an authorisation for the use or disclosure of telecommunications data relating to the communications of a person working in a professional capacity as a journalist, or the employer of such a person, where the purpose of the authorisation would be to identify another person known or reasonably believed to be a source.
2.60
The warrant may specify conditions or restrictions related to the making of authorisations under the warrant. The issue of a warrant generates an obligation on the enforcement agency to notify the respective oversight body. A journalist in relation to whom such a warrant has been issued is not notified of the existence of the warrant.
2.61
Numerous submitters were concerned about the current functioning of the JIW regime. Australia’s Right to Know, a coalition of representatives from leading media agencies within Australia, did not believe that the current regime was functioning adequately in this area:
While the intention of JIW Scheme may have been well-meaning, as it currently stands it does little to meaningfully deliver its stated aims. The JIW Scheme is poorly drafted, cloaked in secrecy and does nothing to address concerns relating to identification of journalists’ sources. In our view the JIW Scheme and related legislation relating to access to journalists’ records more broadly require fundamental reconsideration and immediate amendments.
2.62
Australia’s Right to Know recommended that accessing the metadata and/or content of journalists’ communications for any reason or purpose associated with undertaking professional journalistic activity should not be the subject of any authorisation for disclosure, including any warrant issued under the TIA Act. The organisation also suggested that, should the previous recommendation not be adopted, the scheme be overhauled to include:
A Journalist Information Warrant (JIW) is required for all warrants sought under the TIA Act when the subject of the warrant is a journalist, media organisation or similar;
an application for a JIW must be contestable and authorised only if the public interest in accessing the metadata and/or content of a journalist’s communication outweighs the public interest in not granting access;
the JIW Scheme must apply consistently to ASIO and enforcement agencies; and
transparency across all elements of the JIW Scheme is required.
2.63
The Law Council also held concerns regarding the current functioning of the JIW regime. The Law Council noted that the Australian Federal Police (AFP) had previously disclosed a breach of the TIA Act had occurred within the AFP, wherein there were four discreet authorisations associated with this breach. The Commonwealth Ombudsman investigated the breach and found that the breach occurred due to failing to apply for a journalist information warrant and that the reasons for the breach occurring were due to insufficient awareness surrounding the JIW requirements and a lack of understanding of the officers’ responsibilities under the metadata regime.
2.64
The Law Council further noted that there was ‘practical difficulty’ in the current scheme, as without first accessing and examining the telecommunications data it may not be possible to identify if the data is that of the journalist, their employer or is capable of being used to identify a journalist’s source. The Law Council suggested an amendment of section 180H of the TIA Act to remedy this situation:
Section 180H of the TIA Act should be amended to include a paragraph so that a journalist information warrant is required for the authorisation of access to the telecommunications data of any person that may reasonably be believed as being used to identify a journalist’s source.
2.65
The Commonwealth Ombudsman also raised that section 180H of the TIA Act may require redrafting, as it appears to unintentionally limit the application of journalist information warrant requirements. This is due to the possibility that, under the current drafting of the section, it is possible for agencies to seek access to telecommunications data for the purposes of confirming whether the person disclosed information to a journalist and therefore whether they are a journalist’s source.
Judicial warrants
2.66
Some submitters raised that any access to metadata under the TIA Act should require a judicial warrant or warrant issued by an independent authority. The Joint Councils of Civil Liberties submitted that a judicial warrant regime for all access under the TIA Act was necessary due to the significant invasion of privacy that could occur under the scheme:
It is increasingly clear that access to two years of retained telecommunications metadata does constitute a very significant invasion of privacy for effected individuals with significant flow-on implications. Prior warrant approval is therefore essential in ensuring that the access to this data is not only lawful but proportionate and necessary.
2.67
The Law Council also supported the introduction of a wider warrant process in order to provide further oversight of the regime:
At present, apart from the journalist information warrant provisions, all of the current oversight mechanisms in the TIA Act are directed at reviewing telecommunications data access powers after they have been exercised. The Law Council considers that while these are necessary oversight mechanisms, they are not sufficient and should be enhanced by the introduction of a warrant process, which would provide prior review by a court or independent administrative body to determine the necessity of the request for the purposes of preventing or detecting serious crime.
2.68
The Law Council subsequently recommended that access to retained telecommunications data should be authorised by a warrant issued by an independent court or tribunal. The council suggested an exception for emergency situations, where there is a real and reasonable belief that there is a serious and immediate risk to public safety or health. In such a case, the Law Council recommended that access ought to be authorised via a non-delegable Ministerial warrant that is subject to factors outlined in legislation.
2.69
The Australian Human Rights Commission proposed a similar scheme, whereby a warrant or authorisation system by a court or independent administrative body, such as a tribunal, be implemented for access to retained communications data.
Costs
2.70
The Australian Communications and Media Authority (ACMA) set out the industry reported cost of complying with the data retention obligations as published in the ACMA’s Communications report 2016–171 and Communications report 2017–18:
Table 2.2: Industry reported cost of complying with data retention obligations
|
|
|
|
|
2014-15
|
$11,972,288.15
|
$7,316,341.41
|
|
2015-16
|
$44,426,132.06
|
$9,412,132.06
|
|
2016-17
|
$119,793,739.83
|
$9,829,783.17
|
|
2017-18
|
$35,355,577
|
$12,515,681
|
|
Total
|
$211,547,737.04
|
$39,073,9370.64
|
Source: Australian Communications and Media Authority, Submission 3, p. 2.
2.71
The Independent Broad Based Anti-corruption Commission (IBAC) described the cost of requesting data for periods longer than 12 months as ‘prohibitive’ and suggested a need for consistency between service providers and
standardised processes and costs between service providers, as well as greater oversight and regulation of this aspect of the data retention regime.
2.72
The Department of Home Affairs, reflecting the views of law enforcement agencies, agreed with the IBAC:
Agencies have reported that, contrary to expectations, the unit cost of information within the now mandatorily retained data sets has not dropped since the conclusion of the grants program. They further expressed concern that though data retention has increased the availability of information, the agencies harbour concern that the high cost of some datasets (especially data over 12 months old) may adversely impact agency demand for them.
2.73
The Department also provided detailed figures that showed the disparity in charges for comparable datasets.
2.74
Victoria Police pointed out that whilst section 314(2) of the Telecommunications Act stipulates that carriers should not profit from assisting law enforcement agencies access to telecommunications data by law enforcement agencies comes at a financial impost. They opined that
It is not sufficiently transparent if carriers are meeting these obligations. Consideration should be given to incorporating regulations in the legislation to ensure that carriers charge agencies on a cost recovery basis only. Cost considerations are taken into account by authorised officers before approving requests for data and this can occur to the detriment of the investigation.
2.75
The Allens Hub for Technology, Law and Innovation raised specific concerns about the ‘cost per convictions’ in relation to the MDRR. They argued that:
More critical scrutiny needs to be applied to claims about costs, and to whether these are proportionate to benefits obtained. One calculation compared costs against convictions: ‘In 2015-2016, the 63 agencies allowed to request access to retained metadata made nearly 334,000 requests, nearly all of which were for criminal investigations. Those 334,000 requests and $200 million cost yielded 366 arrests and 195 convictions – a unit cost of more than $500k per arrest, and more than $1 million per conviction.’
Regulations and determinations
2.76
The Department of Home Affairs informed the Committee that:
Since the introduction of the Data Retention Act, no regulations or determinations have been made. However, a number of agencies have sought to be determined as law enforcement agencies, with others likely to do so in the future.
Security
2.77
Section 187BA of the TIA Act requires service providers to protect the confidentiality of information that, or information in a document that, the service provider must keep, or cause to be kept, under section 187A by:
(a) encrypting the information; and
(b) protecting the information from unauthorised interference or unauthorised access.
2.78
Section 187LA of the TIA Act deems telecommunications data to be personal information for the purposes of the Privacy Act. All entities that collect, use and disclose telecommunications data are therefore regulated by the Office of the Australian Information Commissioner (OAIC) , to the extent that they undertake activities that relate to telecommunications data.
2.79
Telstra raised a concern that
agencies and bodies not listed in s.110A of the TIA Act may not have sufficiently strong security measures to protect received data. Accordingly, we believe there is a need for the introduction of appropriate oversight mechanisms to ensure measures are in place to securely protect disclosed data and to control who can/can’t access the data.
Data destruction
2.80
There are currently no provisions within the TIA Act that require retained data to be destroyed after a period of time. There is currently no framework under the scheme for agencies’ destruction of telecommunications data. Agencies may destroy this information at their discretion and are not required to keep records of the process.
2.81
Submitters raised that not destroying data retained under the regime when it is no longer required for an identifiable purpose may increase privacy and information security risks.
2.82
The Office of the Victorian Information Commissioner recommended introducing an express requirement that metadata retained by service providers under this regime, that is older than two years and is not needed for any lawful purpose, be permanently destroyed.
2.83
The OAIC made a similar point when it stated that:
The potential consequences of data and security breaches increase with the quantities of personal information retained. The OAIC considers that privacy protection of individuals would be improved if the Regime were to incorporate an express obligation on both service providers and enforcement bodies to destroy or de-identify telecommunications data after a specifically defined period.
2.84
The IGIS raised concerns in relation to the absence of a legislative requirement for ASIO to delete telecommunications data that is no longer needed. Section 31 of the ASIO Act and section 14 of the TIA Act require ASIO to destroy records of material obtained under a warrant if the Director-General is satisfied that the records are not required for the purposes of the performance by the Organisation of its functions or exercise of its powers. However, for data obtained under a Chapter 4 authorisation, in contrast, there is no such requirement.
2.85
In relation to ASIO the IGIS explained that:
There's no obligation for ASIO to destroy data—leaving aside data that's been erroneously collected. For data that is lawfully collected there's nothing in the act, the guidelines or the archives rules which requires destruction. So there's no noncompliance if it's kept indefinitely. What there is in the ASIO guidelines is a general statement saying that ASIO may keep a large reference dataset.
2.86
On how the destruction of data could be best implemented, the IGIS stated that:
Any obligation like that imposed on ASIO would need to be overseen by us, and that oversight is greatly enhanced if the terms on which it's to be destroyed are very clear. With generalities, for instance, under the ASIO Act, there is a provision relating to warranted interception, I think, that relates to destruction, where the director-general is satisfied that the material is no longer relevant to issues of security. It may well be that in the Attorney-General's guidelines more specificity can be given than that. But it's very difficult for us to take issue with the director-general's view of satisfaction and, moreover, if the director-general isn't mandated to address that issue then it's very difficult for effective oversight. So our concerns would be not with the policy but with the wording of the provision, to make sure it allows for sensible and efficient oversight.
2.87
The Commonwealth Ombudsman noted that the legislative inconsistency in this area was creating instances of non-compliance:
Chapters 2 and 3 of the TIA Act prescribe strict frameworks for the destruction of telecommunications interception and stored communications information, respectively. However, these destruction frameworks place inconsistent obligations on agencies. During our inspections under the TIA Act, we routinely identify instances of non-compliance with destruction requirements, which arises largely as a result of these legislative inconsistencies.
2.88
The Commonwealth Ombudsman further noted that, despite the use of telecommunications interception being a similarly intrusive covert power, the destruction of those records is subject to less stringent requirements than those required for stored communications and that these inconsistencies are creating difficulties for agencies:
For telecommunications interception records, agencies are only required to destroy the original record of the telecommunications interception and not any copies subsequently made. Conversely, for stored communications records agencies must destroy the original record as well as all copies.
Under both frameworks, the chief officer must cause the destruction of the records ‘forthwith’ but this term is not defined in the TIA Act. There is also no provision allowing the chief officer to delegate this obligation.
Agencies have expressed frustration with these inconsistencies, the ambiguity surrounding the timeframe of ‘forthwith’ and the onus placed on chief officers to personally cause each destruction.
2.89
The Commonwealth Ombudsman expressly recommended the alignment of the destruction frameworks under the TIA Act, particularly that:
term ‘forthwith’ being defined to clarify what timeframe agencies are expected to destroy records within;
either destruction requirements for Chapter 2 being extended to copies of information or the destruction requirements for Chapter 3 records being limited to original records; and
the destruction frameworks including a provision to allow the chief officer to delegate their obligation to cause each destruction.
2.90
The Commonwealth Ombudsman gave evidence as to a different but related problem around premature destruction of data. The issue around this was
in contrast to but not in contradiction of the IGIS's point, is that, if an authorisation is given and data is accessed and we come along six months later and do an inspection—bearing in mind that we do our inspections retrospectively, essentially so that we don't disturb or prejudice ongoing investigations—if the data has already been destroyed, then we can't make an assessment about whether or not the data that was accessed and used in some way was in accordance with the authorisation.
2.91
The Ombudsman expressed a need for clarity around destruction requirements and noted that other regimes such as the surveillance devices regime and the telecommunication intercepts regime provide such clarity. Further the Ombudsman stated that:
There needs to be an appropriate framework to determine what data is accessed and that it's appropriately authorised and then how long it is retained and for what purposes and then what the regime is for its deletion. In some of the other regimes where we have an oversight role, this has been made more clear. There is greater clarity around the requirements.
Complaints
2.92
Under the terms of reference, the Committee must review the number of complaints about the scheme to relevant bodies, including the Commonwealth Ombudsman and the Inspector-General of Intelligence and Security.
2.93
The Commonwealth Ombudsman is the primary body that provides a level of oversight over law enforcement agencies’ use of the scheme and assesses compliance once agencies have used their relevant access powers. Under the Ombudsman Act, the Ombudsman can receive complaints about the actions of Australian Government agencies and certain prescribed private sector organisations. Ombudsman’s office may investigate the complaint if they consider those actions to be wrong, unjust, unlawful, discriminatory or unfair.
2.94
The Commonwealth Ombudsman noted these difficulties and, accordingly, the very small number of complaints that had been received about the scheme:
Under the mandatory data retention scheme, an agency’s actions are covert so a person is typically unaware that an agency has accessed their telecommunications data. As a result, it is unlikely that the Office will receive a complaint about an agency’s actions to access telecommunications data under the scheme. The Ombudsman’s jurisdiction under the Ombudsman Act extends only to the actions of Commonwealth agencies (and certain prescribed private sector agencies), and the Office is unable to investigate complaints about the actions of State and Territory agencies. For these reasons, the Ombudsman has received only a small number of complaints about the scheme.
Since the commencement of the scheme on 13 October 2015, the Ombudsman has received two complaints relevant to the Committee’s review. The first complaint (ref 2016-502150) alleged that a local council in NSW had accessed the complainant’s telecommunications data. This complaint was outside of the Ombudsman’s jurisdiction and the complainant was referred to the NSW Ombudsman.
The second complaint (ref 2017-505262) alleged ‘abuse’, generally, by the AFP of the mandatory data retention scheme. The Office referred the complainant to the Professional Standards Unit, the complaint handling area within the AFP.
2.95
The IGIS does not receive complaints concerning the retention of telecommunications data by service providers under the data retention regime, as these matters are outside of the IGIS’s jurisdiction. However, the IGIS does have the capacity to consider complaints regarding ASIO’s use of the scheme:
IGIS could consider any complaints received from service providers, employees or members of the public concerning ASIO’s access to, use of or sharing of data retained under the scheme. No such complaints have been received in the period since the introduction of the mandatory data retention regime.
2.96
However, as noted by the Law Council, subjects who have been impacted by these powers are not in a position to make a direct complaint about the use of such powers, as they are almost always unaware that any intrusion has occurred.
Oversight and data sharing
2.97
Established via the Inspector-General of Intelligence and Security Act 1986, the Inspector-General of Intelligence and Security (IGIS) is independent statutory office holder that is responsible for viewing the activities of the agencies that collectively comprise the Australian Intelligence Community. The IGIS does not provide oversight regarding private sector service providers or the data retained by them. The IGIS’s oversight capacity is limited to ASIO’s access to retained telecommunications data, including under Chapter 4 of the TIA Act.
2.98
Under the Ombudsman Act 1976 (Ombudsman Act), the Commonwealth Ombudsman receives complaints about the actions of Australian Government agencies and specified prescribed private sector organisations. This includes federal agencies that are determined to be CLEAs under the TIA Act. The Ombudsman may investigate the complaint if they consider the actions of agencies to be wrong, unjust, unlawful, discriminatory and/or unfair. As the Ombudsman Act extends only to the actions of Commonwealth agencies, the Ombudsman cannot investigate complaints relating to the actions of State and Territory Agencies.
2.99
While the Commonwealth Ombudsman has oversight of the MDRR, that oversight only applies to enforcement agencies. Service providers are subject to the Privacy Act, as administered by the Office of the Australian Information Commissioner, to the extent that their activities relate to data retained under this regime.
2.100
On 24 January 2020, the AFP self-reported compliance issues to the Commonwealth Ombudsman dating back to 2007. According to the AFP, those issues related to record-keeping, authorisations and reporting of requests under section 180(2) of the TIA Act, as undertaken by ACT Policing.
2.101
The Committee requested an explanation of why the AFP had not notified the Committee of these compliance breaches in a written submission to the inquiry. The AFP noted that the Ombudsman was yet to commence an inquiry and that, given the ongoing nature of the process, it was not appropriate to raise the issue at the hearing of 28 February:
… given the extent and scope of the issue had not yet been determined and that the Ombudsman had not yet made a decision to commence an investigation, the AFP was not in a position to provide any reliable information in a written submission.
2.102
The AFP further explained their rationale for not raising this issue:
Having regard to:
the expected focus of the Committee based on the terms of reference of the inquiry determined by the PJCIS under s187N of the TIA Act;
the uncertainty as to the extent and nature of the record keeping and reporting compliance issues; and,
discussions with the Ombudsman to determine the appropriate way to proceed, including the terms of reference and scope of an audit, were ongoing,
the AFP did not proactively inform the Committee at this point.
2.103
The Communications Alliance noted its ‘dismay and objection’ to the delay in the tabling of the past annual reports:
we wish to record our dismay and objection to the fact that for the past two reporting periods (the periods during which the new DR Regime was in force) it took thirteen and a half months from the end of the relevant financial year to table these important reports in the House of Representatives (14 August 2017 for the 2015-16 report, 15 August 2018 for the 2016-17 report).
We are even more perplexed that the report for the 2017-18 reporting period – the only full reporting period outside the Implementation Phase – has (as at 12 July 2019) still not been tabled and published, even though the PJCIS was due to commence its statutory review by 13 April 2019 (note the caretaker period) and, indeed, has requested submissions be made prior to the report being published. We expressly note that this is not a criticism of the PJCIS nor its timing of the inquiry process.
2.104
The Communications Alliance subsequently recommended that the legislation be revised to require that the reports, pursuant to s186 and 187P of the TIA Act, as this would add to transparency around the scheme and increase public confidence in the functioning of the regime.
2.105
The sections referred to by the Communications Alliance are a little more nuanced than their suggested recommendation proposes. The Committee notes the following:
Section 186(1) requires that as soon as practicable, and in any event within 3 months, after each 30 June, the head (however described) of an enforcement agency must give the Minister a written report that relates to the year ending on that 30 June;
Section 186(2) provides that the Minister must prepare a report that contains the information set out in each report under subsection (1), other than the information referred to in paragraph (1)(cb). The report may contain any other information the Minister considers appropriate.
Section 186(3) provides that the Minister must cause a copy of a report under subsection (2) to be laid before each House of the Parliament within 15 sitting days of that House after the day on which the report was completed.
Section 187(P) requires that the Minister must, as soon as practicable after each 30 June, cause to be prepared a written report on the operation of this Part during the year ending on that 30 June.
2.106
This matter is discussed further in chapter 5.
2.107
Several submitters have suggested that the regime ought to be the subject of greater oversight and greater record keeping. The Inspector-General of Intelligence and Security (IGIS) specifically recommended an expansion of the record keeping regime. The IGIS proposed that it may be necessary for there to be legislative requirement for the relevant ASIO officer to record, in each instance, the reasons for which an authorisation was given under Chapter 4 of the TIA Act.
2.108
Additionally, the IGIS noted that ASIO is not required to apply or report to Ministers on individual data access authorisations under Chapter 4 of the TIA Act, which differs from warranted intrusions into personal privacy such as the interception of telecommunications, interception of mail, search activities, or computer access activities:
The Committee may wish to consider whether reporting requirements should be strengthened, or whether reporting on data accessed outside the Chapter 4 framework, if any, should be required. This could be achieved, for example, by enhancing the existing annual reporting requirements and/or by requiring periodic (for example, six-monthly) reports to the Minister on ASIO’s access to telecommunications data during the preceding period.
2.109
The IGIS suggested that it may be desirable to mandate some public reporting mechanisms in relation to journalist information warrants, in addition to ASIO’s classified annual reporting. The IGIS suggested that it may be appropriate to require ASIO to provide a report to the Attorney-General on each journalist information warrant that is issued, consistent with other types of warrants issued under the ASIO Act and TIA Act and noted that reporting requirements could require ASIO to advise whether the data enabled ASIO to identify the journalist’s source(s), and whether the information was shared or will be shared with other domestic or foreign agencies.
2.110
The Commonwealth Ombudsman also has a role in overseeing Commonwealth agencies’ use of the telecommunications interception powers under Chapter 2 of the TIA Act. The Commonwealth Ombudsman noted that agencies’ use of the telecommunications interception powers, which authorise the interception of a person’s live communications, involves greater privacy intrusion than the accessing of their stored communications and telecommunications data and that, accordingly, the TIA has higher thresholds placed on agencies’ use of the telecommunications interception powers.
2.111
However, the Commonwealth Ombudsman noted that the Ombudsman’s oversight of Chapter 2 is comparatively narrower than that provided under Chapter 4A of the TIA Act:
Under s 83, the Ombudsman’s oversight of telecommunications interceptions is limited to assessing compliance by Commonwealth agencies only in relation to their record-keeping and destruction obligations. Our Office does not provide a public report to the Minister under Chapter 2,18 which we consider is critical to our ability to influence improvements in agency compliance and to provide assurance to the public and Parliament on the use of the powers.
2.112
To increase accountability and transparency by agencies when conducting telecommunications interception, the Commonwealth Ombudsman proposed an alignment of the oversight framework under Chapter 2 with the comprehensive model provided for by Chapter 4A of the TIA Act.
2.113
Furthermore, agencies are not currently required to retain stored communications obtained under a warrant for the purpose of an Ombudsman inspection. The Ombudsman recommended that record-keeping requirements under section 151 of the TIA Act to be expanded to require that agencies retain the stored communications they obtain under a warrant for the purposes of an Ombudsman inspection.
2.114
The Office of the Australian Information Commissioner (OAIC) noted that all service providers with obligations under the regime are covered by the Privacy Act 1988 (‘Privacy Act’), and therefore also the Notifiable Data Breaches scheme, by virtue of section 187LA of the TIA Act. However, State and Territory enforcement agencies are not subject to the Privacy Act and there is no equivalent scheme for data breach notification in the States and Territories with privacy legislation. They therefore have no obligation to report Notifiable Data Breaches to the OAIC.
2.115
Such agencies could be brought within the jurisdiction of the Privacy Act in relation to their collection and use of telecommunications data for the purposes of the regime via utilising section 6F of the Privacy Act, which allows a State or Territory agency to be prescribed as an ‘organisation’ in relation to specific acts or practices. The OAIC stated that this would be of sufficient benefit to the oversight of the scheme:
This would assist in providing an enhanced and consistent level of privacy protection in relation to telecommunications data that is handled across Australia, noting that any currently exempted bodies such as intelligence agencies and exceptions in relation to ‘enforcement’ bodies and ‘enforcement related activity’ would not be affected.
2.116
In addition the OAIC submitted to the Committee that:
oversight of the mandatory data retention regime would be improved if the oversight agencies involved were authorised to share intelligence on matters of regulatory concern where there is a public interest to do so. To that end, the OAIC asks that the Committee consider addressing this issue by amendments to s 29 of the AIC Act, and any other statutes that apply similar constraints on information sharing.
2.117
In addition to the data sharing issues specifically related to oversight of the MDRRR the Law Enforcement Conduct Commission (LECC) also on a matter related to data in the course of them carrying out their duties.
2.118
The LECC submitted that they are heavily reliant on telecommunications data to investigation police misconduct including criminal conduct. The LECC noted that the communication of misconduct information to the New South Wales Police Force, which may allow police to take disciplinary action, is an important function of the LECC and allows both agencies to ensure the integrity of policing within NSW.
2.119
The LECC noted the following:
Under section 182 of the TIA Act, the current regime allows the LECC to communicate telecommunications data information for the enforcement of the criminal law. Notably, section 68 of the TIA Act allows the LECC to communicate lawfully intercepted information for the purposes of a police disciplinary hearing, for a decision by the police Commissioner to terminate the appointment of an officer and/or for the misbehaviour or improper conduct of an officer.
2.120
The LECC noted that
the lawfully intercepted information that can be communicated under section 68 includes not only the metadata, but also the content, meaning it is significantly more intrusive than telecommunications data alone.
2.121
The LECC requested that telecommunications data disclosures also be made lawful for this purpose.
ASIO Guidelines
2.122
Under section 8A of the Australian Security Intelligence Organisation Act 1979, ASIO is subject to a set of ministerial guidelines that govern its operation. The Inspector-General of Intelligence and Security (IGIS) also raised that, as ASIO is exempt from the Privacy Act 1988 and is not subject to the requirements of the Australian Privacy Principles, ASIO’s Guidelines did not appropriate address the range of powers that ASIO had gained since the Guidelines issuance in 2007. The IGIS stated that the ASIO Guidelines are currently being reviewed and reissued as a matter of priority, but noted that the review of the Guidelines out to address the issue of telecommunications access:
IGIS suggests that the question of the relative intrusiveness of access to the different types of telecommunications data available under the regime, and broader questions surrounding ASIO’s access to and retention of personal information, should be examined as part of the review process. IGIS suggests that a range of other matters, outside the scope of the Committee’s current inquiry, should form part of this review.
2.123
At the Committee’s public hearing on 14 May 2020 for its inquiry into the Telecommunications Legislation Amendment (International Production Orders) Bill 2020, Home Affairs in relation to the Guidelines advise that they had been
reviewing them for some time and going through quite a deal of consultation with both ASIO and IGIS to make sure we get them absolutely right. So, as you heard from ASIO, that process is very near its conclusion. We're hopeful that we will see revised guidelines in the near future.
Effectiveness of the regime
2.124
The Department of Home Affairs linked effectiveness of the MDRR to the fact that data had been accessed in volume consistently:
While the rate of use of telecommunications data has not significantly altered since the introduction of the Data Retention Act, the consistent volume of use demonstrates that this data remains a highly valued tool for law enforcement and intelligence agencies in their efforts to provide a safe and secure environment.
2.125
All law enforcement agencies which submitted to the Committee made strong claims regarding the effectiveness of the MDRR. As one particular example Victoria Police stated that
Telecommunications data is a vital investigative tool used by Victoria Police to support its capability to detect and investigate serious and organised crime. It is widely used by Victoria Police, as evidenced by the volume of requests carried out each year and reflected in annual reporting…This data can provide key evidence and/or intelligence and is frequently used to refine an investigation. Access to this data is also used in lieu of more intrusive investigation methods, such as telecommunications interception.
As technology continues to evolve and is increasingly used in the commission of crime, Victoria Police stresses the importance of access to telecommunications data to effectively investigate crime and keep the community safe.
2.126
In the public hearing the Director-General of ASIO set out how effective the regime is when he stated that
access to retained data is absolutely critical in enabling ASIO to identify areas where terrorism, foreign interference or espionage is occurring. In terms of leads generation, it is absolutely critical for us as we go about our work to identify those security threats. It is a significant part of that. Without that, we would be considerably hamstrung.
2.127
Similarly the AFP Commissioner stated that in relation to lead generation and for development of criminal networks and historical patterns the regime is one of the AFP’s ‘most valuable tools’.
2.128
After setting out the reasons for the MDRR in particular those related to serious crime and terrorism, the Law Council analysed some of the access data provided by Home Affairs and the AFP. The Law Council concluded that:
It is clear that the majority of offences for which the data is being obtained are drug related offences, rather than offences relating to national security or child exploitation, and it is difficult to assess whether the offences investigated would be considered as serious crime without further information.
2.129
Mr Isaac Kfir argued that the MDRR was not effective as terrorists and violent extremists use other platforms and messaging applications. Mr Kfir stated:
In sum, there is evidence that terrorists and violent extremists are recognising the ability of the state to collect their data, which is why they are adapting to the new environment by using applications and system that makes data collection hard, if not impossible. Consequently, we are collecting information that has little value for securing Australians, Australia and Australian interests.
2.130
In opposition to Mr Kfir’s point on ‘adaption’ the Synod of Victoria and Tasmania, Uniting Church in Australia stated that:
The argument put forward by those opposed to data retention would appear to be that because some offenders may adapt their behaviour in response to the maintenance of law enforcement capability and escape capture, then the capacity of law enforcement should be permitted to be eroded.
Technological impacts
2.131
Technological change, particularly in the area of telecommunications, is fast moving. This has the ability to impact on the MDRR, the effectiveness of the powers utilised by law enforcement and intelligence agencies and, as potentially more data than first envisaged is captured, the impact on the Australian public of the MDRR.
2.132
Professor Rick Sarre outlined the issues in relation to the MDRR when he stated that
the key fear was that the strategy, for its enormous cost — $740 million over 10 years— was not future-proof. For technologies that can hide from metadata collection are readily available and widely used. Any encrypted messaging app — such as Wickr, Phantom Secure, Blackberry, WhatsApp, Tango, Threema and Viber — can circumvent data retention. Moreover, any secure drop system based on Tor is capable of evading metadata scrutiny too.
2.133
The Western Australia Police Force submitted on the impacts of technological change in relation to the ‘products’ available to law enforcement from telecommunication carriers/providers stating that
products are not consistent or standardised across carriers. Providers are not obliged to update law enforcement with new products that become available, with jurisdictions discovering new services via inter-agency liaison. The advancement of technology (such as 5G) may result in metadata not covered under the retention scheme. Telecommunication providers may not retain or provide that metadata to law enforcement which will create losses in lines of enquiry which would otherwise be available.
2.134
Optus submitted that it was critical that the data retention regime should be reviewed and calibrated to deal with technologies that have emerged since the regime was initially designed:
The vast volumes of what is likely to be classified as 'carriage service communication events' which are expected to be generated by wide-spread adoption of low latency machine-to machine 5G applications and IoT [internet of things] networks and subnets will challenge existing data storage capacities and data retrieval techniques if the current regime is applied to these technologies in on unmodified form. It will also have substantial implications for the overall cost and complexity of the data retention regime. It is not clear that there is law enforcement or national security imperative for large quantities of information to be retained about potentially vast numbers of routine machine to machine communications which IoT and 5G M2M [machine-to-machine] will facilitate. The data retention regime should be reviewed and calibrated to deal with these technologies which have emerged since the regime was initially designed.
2.135
Optus recommended that a report be commissioned from departmental officials on whether data retention obligations should be modified as they apply to low-latency 5G machine to machine services and applications and the emerging range of Internet of Things cases and devices.
2.136
The Australian Securities and Investments Commission (ASIC) continued to be confronted with advancements in the use of technology that are not covered by the provisions of the TIA Act and the mandatory data retention regime, as the datasets that are required to be retained by the TIA Act remain limited. ASIC cited in particular the difficulties posed by the use of Virtual Private Networks (VPNs) administered by overseas Internet Service Providers (ISPs) or Virtual Private Server Providers (VPSs) that are not subject to the TIA Act, as well as the use of Direct Inward Dialling (DID) providers, which allows persons from a foreign jurisdiction to call from what appears to be an Australian number.
2.137
The Australian Commission for Law Enforcement Integrity (ACLEI) also noted that the current datasets retained under the TIA Act were becoming obsolete:
As technological advances have changed the way in which people communicate, the way in which telecommunication providers charge customers has changed, as has the form of data (including transactional information, or metadata, the type of information that has proven to be of such value to law enforcement) which the providers need to collect. The datasets which are required to be kept under data retention legislation are, by and large, no longer required by telecommunications providers.