This chapter sets out the evidence on the operation of access to telecommunications data as set out in sections 280 and 313(3) of the Telecommunications Act 1997 (Telecommunications Act). The operation of the Telecommunications Act is listed in this inquiry’s terms of reference as a relevant factor to the operation of the metadata retention scheme, as outlined in the Telecommunication (Interception and Access) Act 1979 (TIA Act). These sections are actively used by law enforcement bodies and periphery organisations in the course of undertaking their law-enforcement duties.
Sections 280 and 313(3) of the Telecommunications Act 1997 are set out in Appendix E of this report.
In brief, section 280 of the Telecommunications Act provides for the disclosure of information or a document in a case where the disclosure or use is in connection with the operation of an enforcement agency. Section 313(3) provides that a carrier or carriage service provider must give officers and authorities of the Commonwealth and of the States and Territories such help as is reasonably necessary for enforcing the criminal law and laws imposing pecuniary penalties, along with other law-enforcement purposes as determined in the Act.
Operation and access
Section 280 of the Telecommunications Act provides an exemption to the general prohibition on the disclosure of telecommunications within sections 276, 277 and 278 of that Act, allowing agencies outside of the data retention scheme to use their own powers to seek access to this if the disclosure ‘if required or authorised under law’. Requests under section 280(1)(b) are facilitated by industry obligations under section 313(3) of the Telecommunications Act, which requires carriers and carriage service providers to give authorities ‘such help as is reasonable necessary’.
Due to this, many organisations that fall outside of the listed Criminal-Law Enforcement Agencies (CLEAs) in section 110A of the TIA Act—which primarily includes federal and state policing and investigative bodies—are able to lawfully access telecommunications data under section 280 of the Telecommunications Act, provided the request falls within their legislated powers. As noted by the Department of Home Affairs, agencies outside of the TIA Act’s designated CLEAs are utilising section 280 of the Telecommunications Act ‘regularly to request telecommunications data’.
The Communications Alliance, which is the peak body that represents the vast majority of the carriers and carriage service providers that are tasked with heeding requests for data under both the TIA Act and the Telecommunications Act, provided compelling evidence to the Committee that sections 280 and 313(3) of the Telecommunications Act were functionally operating in a manner that went beyond what the Committee had anticipated in its Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014.
The Communications Alliance noted in their first submission to the inquiry that industry had previous raised concerns on a number of occasions with various government departments and the PJCIS regarding the circumvention of the section 110A restrictions in the TIA Act by bodies and agencies that continued to seek access to telecommunications data outside the framework of the TIA Act, by requesting disclosure of such data via section 280 of the Telecommunications Act.
The Communications Alliance detailed the wide variety of organisations that were currently utilising the Telecommunications Act in such a manner:
Several bodies/agencies that were excluded from the list of Criminal Law-Enforcement Agencies with the introduction of the data retention regime are now simply relying on powers in their own statutes to request data. Such bodies/agencies include local councils (who request access to data to, among other things, manage traffic offences, unlawful removal of trees, illegal rubbish dumping and billposters). The RSPCA, the Environment Protection Authority and state coroners are other examples of entities that have managed to subvert the intended scope of the legislation.
The Communications Alliance provided an attachment in their submission (Attachment A), which is a non-exhaustive list of over 80 non-CLEA agencies that their carrier members have reported as seeking access to data via the Telecommunications Act. This list includes a diverse range of bodies, which includes organisations representing veterinarians, the fishing industry, mining industry, child protection interests, regulators, local councils and more. The Communications Alliance also reported that this list is ‘a serious and persistent phenomenon’ that ‘continues to grow in magnitude’.
When the Communications Alliance appeared at the Committee’s public hearing on 14 February 2020, the Communications Alliance’s representative reported that many of these organisations are unclear about precisely what data they are requesting:
One of the difficulties they say that they often encounter when agencies outside the 22 CLEAs make data requests is that those requests can be imprecise. Sometimes these don't know exactly what they're looking for or what they're trying to find. Often they also have difficulty interpreting the data that they receive, come back to the service provider and try to work their way through it.
Telstra supported the Communications Alliance’s view, stating that the agencies that have relied on section 280 of the Telecommunications Act are ‘circumventing the intended restriction and avoiding assessment of whether disclosure is justifiable and proportionate’. Telstra also noted that the current state of affairs could impact public confidence in the data retention regime more broadly:
There is a risk this type of access to telecommunications data could erode public trust in the Regime and undermine the relationship we have with our customers in relation to protection of their privacy. In some cases, these agencies and bodies are also not contributing to the cost recovery of the Regime.
Furthermore, as the regime stands, the Law Council raised that it was hypothetically possible for sections 280 and 281 of the Telecommunications Act to be used for low-level civil offences, such as digital piracy offences. The Law Council also raised that Subsection 313(1A) of the Act lack specificity and was contributing to the overly broad access that was occurring under the Telecommunications Act:
Subsection 313(1A) of the Telecommunications Act now imposes a statutory obligation on a carrier or provider of carriage services to ‘protect telecommunications networks and facilities’ so as to ensure the confidentiality of communication and information contained on those networks and facilities. However, the phrase ‘do the carrier’s best’ lacks precision or definition as to what the minimum objective standards are to be considered acceptable to achieve the aims of the TSSR.
With regard to how often these provisions in the Telecommunications Act are currently being utilised, the Australian Communications and Media Authority (ACMA) is required under paragraph 57(f) of the Australian Communications and Media Authority Act 2005 to include in its annual report certain information on disclosures, including disclosures of customer information, made by carriers and carriage service providers during the reporting year.
ACMA reported that in 2017-18, 11,976 disclosures were reported under section 280 of the Telecommunications Act, while 563,670 disclosures were made under all TIA Act provisions. In 2018-19, ACMA reported that 8,432 of the 2,775,961 disclosures reported to it were made under section 280 of the Act.
The Department of Home Affairs rebutted the Communications Alliances’ construction of the operating of section 280 of the Telecommunications Act, noting that it could not operate independently to allow access to telecommunications data:
Section 280 is not a ‘loop-hole’ to the framework governing access to telecommunications data in the TIA Act. Under no circumstances is it possible for enforcement agencies or non-enforcement agencies to rely solely upon section 280 to obtain access to telecommunications data.
The Department submitted that it supported the relevant provisions of the Telecommunications Act continuing to operate in their current form:
It is important to note that section 280 itself does not authorise the disclosure of data. Rather, the section works in connection with existing laws, passed by Commonwealth or State and Territory legislative bodies, which set out their own thresholds and safeguards for access to personal information by relevant authorities. Section 280 enables these underlying laws to function as intended by relaxing the prohibition against disclosing telecommunications data if it is in response to a lawful request. Removing this exception would have serious implications to a range of entities across Australia.
The Department also noted that some Commonwealth, state and territory bodies, which are not CLEAs under the TIA Act, may have authority to access telecommunications data under other Commonwealth, State or Territory laws.
The Australian Local Government Association (AGLA) agreed with the Department’s view and expressed its support for the current functioning of section 280 of the Telecommunications Act, submitting that:
ALGA’s view is that if metadata is required by council to pursue a breach of the law, council should be able to access the data to pursue criminal activities such as illegal dumping, removal of trees, traffic offences etc., if it is lawfully within their legislated powers.
The South Australian Attorney General’s Department also wrote to the Committee in support of the Telecommunications Act continuing on in its current form, noting the wide usage of the Act’s provisions in South Australia:
I am aware that a number of State-based Government entities in South Australia rely on notice to produce powers and section 280(1)(b) of the Telecommunications Act to access telecommunications data. These entities include South Australia Police, the South Australian Independent Commissioner Against Corruption, Consumer and Business Services South Australia, and Primary Industry and Regions South Australia. I am aware that one of the reasons for an entity's access to telecommunications data, includes the ability to investigate and prosecute criminal offences, including historical 'cold case' matters.
To remove or restrict the ability of law enforcement and other relevant agencies from access to and use of telecommunication data would curtail such activities and may reduce the safety to the community.
However, the Office of the Australian Information Commissioner was concerned by the lack of safeguards that the Telecommunications Act was functioning under, noting that the current functioning of the Act reduced the effectiveness of safeguards in the TIA Act by allowing non-CLEA organisations to make requests for data outside of the TIA Act. The OAIC ultimately recommended that the Committee restrict the agencies that are permitted to access telecommunications data so that agencies able to access telecommunications data are limited to those covered by safeguards in the TIA Act .
Usage by Criminal Law-Enforcement Agencies
Utilising the provisions of the Telecommunications Act, as discussed above, are technically an option that is legally open to agencies that are designated Criminal Law-Enforcement Agencies (CLEAs) under the TIA Act. However, organisations that are designated CLEAs under the TIA Act do not ordinarily make requests for data via the Telecommunications Act, as adequate measures for such organisations to access necessary data already exist under the TIA Act’s metadata framework.
Submissions to the Committee indicate that certain CLEA agencies did not utilise section 280 of the Telecommunications Act at all, such as the Australian Federal Police, which has not used this provision since the introduction of the TIA Act’s metadata regime in 13 April 2015. Similarly, the New South Wales Police Force and the Queensland Police Service indicated that, as per their internal records, they had not made any requests under the section 280 since 13 April 2015.
The Australian Communications and Media Authority actively sought information from Commonwealth and selected state and territory agencies on whether they had used subsection 313(3) in the 2017-18 financial year. However, none reported utilising the provision, likely because many (if not all) were operating as CLEAs under the TIA Act framework. Indeed, the Department of Home Affairs confirmed that the Department was not aware of any instances where an agency, when acting in their capacity as an enforcement agency, has authorised access to telecommunications data under a law other than the TIA Act.
The only exception to this preference of the TIA Act over the Telecommunications Act was the Western Australia Police Force, which submitted that they currently also use some provisions of the Telecommunications Act where necessary, in conjunction with their general usage of the TIA Act’s metadata regime:
The WA Police Force accesses 000 audio recordings from Telstra under section 286 of the Telecommunications Act 1997. Call charge records from 000 calls are still requested under the TIA Act. The WA Police Force also accesses metadata under a warrant provided by s33(3) of the Coroners Act 1996 (WA) as the TIA Act does not make any provisions for access to data by police officers acting as Officers of the Coroner.
There is difficulty in any agency providing oversight of sections 280 and 313 of the Telecommunications Act, as in the current environment requests made through the use of section 280 go unreported. Unlike requests for data under the TIA Act, there is no designated body supervising the use of sections 280 and 313 of the Telecommunications Act.
As noted by the Commonwealth Ombudsman, it is beyond its role to examine agencies’ access to telecommunications data outside of the TIA Act. The Ombudsman stated, however, that agencies have generally been forthcoming in providing information about their access to data outside of the TIA Act:
During our inspections, we ask agencies whether they have sought access to telecommunications data under legislation other than the TIA Act. Agencies have typically been forthcoming in providing this information, which has revealed that some agencies have sought access to telecommunications data under the following legislation:
Telecommunications Act 1997
Migration Act 1958,14 and
The Ombudsman subsequently recommended that the Committee consider whether there should be external oversight of access to telecommunications data outside the TIA Act. This is a view that is supported by the Australian Privacy Foundation, which reflected on the lack of record keeping that is currently occurring in this area:
There is no public report (and no requirement to report) on how the data collected is used in sufficient detail for proper review of claims of necessity. … This applies especially to the scope for ‘voluntary’ collection and ‘voluntary’ provision of access under the TIA Act outside the mandatary regime which escape even the keeping of records for inspection in that regime; and collection and access done under s 280 of the Telecommunications Act 1997, which escape the oversight of the Ombudsman.
The Office of the Australian Information Commissioner (OAIC), which is responsible for monitoring compliance by service providers with those record keeping requirements under both the Telecommunications Act and the TIA Act, noted that, under both Acts, service providers were required to keep records of disclosures:
If service providers disclose information under certain provisions of the Telecommunications Act or the TIA Act, they must create and keep a record of the disclosure. Part 13 Division 5 of the Telecommunications Act authorises the OAIC to monitor compliance by service providers with those record keeping requirements. Provisions of the TIA Act expressly confer powers of oversight on the Commonwealth Ombudsman over enforcement agencies’ access to telecommunications data under the TIA Act.
The OAIC has also conducted assessments of service providers’ record keeping obligations when disclosing personal information to law enforcement under the Telecommunications Act. The OAIC stated that the records kept by service providers, as outlined in section 306 of the Telecommunications Act, include:
the name of the person making the disclosure;
the date of the disclosure;
the grounds for the disclosure (such as the legislative provision under which the disclosure is authorised);
any applicable authorisation under the TIA Act;
any other bodies involved in the request; and
the telecommunications service used.
However, the Department of Home Affairs noted that there are no legislative requirement for carriers and carriage service providers to report which agencies they disclose this data to:
… the disclosure of data under section 280 is largely regulated by industry. Further, there is currently no legislative requirement for carriers and carriage service providers to report which agencies they disclose this data to, as had previously been released through the TIA Act annual reports.
Service providers are also not required to keep records of information relating to the kinds of information included in a disclosure, such as the types of telecommunications data that were disclosed. The OAIC noted that this effectively limited their oversight role in this area, and subsequently recommended that section 306(5) of the Telecommunications Act be amended to include greater detail in record keeping in order to increase the OAIC’s oversight role:
This means that the OAIC’s inspections under section s 309 of the Telecommunications Act do not allow officers to consider whether only necessary personal information is being disclosed by service providers when responding to information requests from enforcement agencies.
Accordingly, the OAIC recommends that the Committee consider an amendment to s 306(5) of the Telecommunications Act that requires service providers to keep records relating to the kinds of information included in disclosures. Such an amendment could, for example, require service providers to itemise the types of telecommunications data set out in s 187AA of the TIA Act that were disclosed.
The OAIC could then oversee the extent to which service providers comply with such a requirement, utilising the monitoring functions conferred by s 309 of the Telecommunications Act.
At the Committee’s public hearing on 7 February 2020, the OAIC emphasised the limited record keeping currently available and the limitations this created for the OAIC’s ability to inspect such content, and also raised the difficulties associated with section 29 of the Australian Information Commissioner Act 2010, which currently limits what information the OAIC can share with the Commonwealth Ombudsman. This subsequently limits the level of detail that the two organisations can exchange when working collaboratively.
Need for reform
Several submitters called for reform of sections 280 and 313 of the Telecommunications Act, including submitters from civil society, private enterprise, academia and oversight agencies. The Human Rights Law Centre, Access Now and Digital Rights Watch were particularly stringent in calling for these sections of the Act to be amended to limit access to organisations that are Criminal Law-Enforcement Agencies (CLEAs) under the TIA Act:
… it is clear that this safeguard is insufficient to protect Australians’ right to privacy and freedom of expression and opinion. We recommend, first, that sections 280 and 313 of the Telecommunications Act 1997 (Cth) be immediately amended so that access to metadata is restricted to the law enforcement agencies listed in the TIA Act, in accordance with the Government’s commitment.
Notably, the Office of the Victorian Information Commissioner was also concerned by the ‘scope creep’ caused by this interaction between the Telecommunications Act 1997 and the TIA Act and recommended that there be a legislative restriction to ensure that information retained under the TIA Act only be disclosed under provisions in the TIA Act, in so far as possible.
The OAIC also called for reform of the Telecommunications Act’s interactions with related provisions of the TIA Act. The OAIC noted the use of the Telecommunications Act as an alternate method of accessing data for agencies that were not eligible to do so under the TIA Act, and subsequently firmly recommended that such access by limited to agencies covered by the safeguards within the TIA Act
The OAIC recommends that the Committee consider implementing an enforceable restriction on the agencies that are permitted to access telecommunications data, noting this was a safeguard that provided privacy protections in the absence of more formal mechanisms such as a warrant-based access regime. As the law currently stands, there appears to be mechanisms for accessing telecommunications data outside of the TIA Act that, while permitted, have the practical impact of reducing the effectiveness of safeguards in the TIA Act.
The OAIC recommends that the Committee implement measures to restrict the agencies that are permitted to access telecommunications data so that agencies able to access telecommunications data are limited to those covered by safeguards in the TIA Act.
This view was also supported by Telstra, which is tasked with practically executing the metadata regime. Telstra called for the TIA Act to be the only Act via which CLEAs, as determined by the TIA Act itself, can request data:
Our proposed solution is for all organisations accessing telecommunications data (even if they are not an identified law enforcement agency) to be required to follow the process set out for enforcement agencies in Division 4 of Chapter 4 of the TIA Act. While this approach would not limit the non-law enforcement agencies from accessing telecommunications data, it would have three benefits:
It would mean carriers and carriage service providers would not bear the burden to check and verify the coercive powers of every State, Territory or Commonwealth agency/department requesting data.
It would require the authorising officer to consider whether access to the data is justifiable and proportionate, etc.
It would provide clarity that all entities seeking telecommunications data are captured under the standard cost recovery system of the Regime, which may also encourage them to carefully consider the amount and scope of data required.
Telstra’s argument that all agencies must be required to follow the same process and be subject to the same obligations and constraints (such as the test of proportionality) is a proposition that is supported by the telecommunications industry more generally, as represented via the Communications Alliance’s submission. The Communications Alliance firmly outlined its support for such a reform:
Communications Alliance believes that the current TIA Act and Telco Act would benefit significantly from the elimination of loopholes and a tightening of requirements and limitations to ensure that the DR [data retention] Regime, while being fit for purpose and effective, does not unnecessarily restrict civil liberties, infringes onto the privacy of individual and creates unintended and unnecessary complexities for Industry.
In direct response to the concerns raised by the Communications Alliance and Telstra, the Department of Home Affairs stated that, they believed section 280 of the Telecommunications Act was ‘operating effectively and as intended’, and recommended that, in lieu of reform, stakeholders ought to be provided with more information about the provision:
… after assessing the concerns raised by submitters to this review, Communications and Home Affairs see merit in developing further guidance for stakeholders on section 280 and other related elements in the Telecommunications Act. This guidance material will further clarify the types of telecommunications data that may be accessed outside the framework in the TIA Act, and the operation of existing cost recovery mechanisms, and will explain the important role section 280 plays in facilitating investigations into matters of concern to the public.