Last Friday, I stumbled across a new section of the Attorney-General’s Department’s website “explaining” the government’s controversial data retention Bill.
And I found a few things missing …
*Data retention does not provide new powers for agencies to access metadata. It simply obliges telecommunications companies to retain a limited set of records for two years*
- There is little “simple” or “limited” about this proposal for mass surveillance of all Australians. Just a few weeks ago, the Parliamentary Human Rights Committee was scathing in its criticism of the Bill.
- It is not helpful to say the Bill proposes a “limited” set of data when the data is yet to be defined and will only be defined in Regulations. Indeed, the Scrutiny of Bills Committee recommended the data set be defined in primary legislation itself and not left to Regulations.
- The obligation is not simple or limited when there is an express requirement in the Bill to create data when the service provider does not already capture data that falls within the (yet to be defined) data set. (See proposed section 187A(6) of the Bill).
*More than 25 countries around the world have implemented data retention laws similar to those proposed by the Australian government*
- Any mention of the fact that the EU Court of Justice ruled in April this year that the EU Data Retention Directive was invalid and …
entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary
- As Stilgherrian reported last week, Australia’s data retention plans are looking increasingly out of touch. “To say that the West is going the way of data retention is a serious misrepresentation.” (As I set out in a recent blog post)
- Silicon Valley has been damaged by the Snowden revelations. Senator Wyden has made the case that the spying has hurt the American economy.
- A United Nations human rights expert concluded in a recent report that mandatory data retention “amounts to a systematic interference with the right to respect for the privacy of communications”, and therefore “it is incompatible with existing concepts of privacy for states to collect all communications or metadata all the time indiscriminately”.
*International experience indicates that the cost of mandatory data retention schemes is small*
- Well, any evidence … In the UK, an impact assessment estimated the cost of retaining IP addresses (not the whole data set) at nearly $50 million (AUD).
- In 2010, Digital Rights Ireland reported:
Several network operators said the need to invest in retention infrastructure had caused them to delay or abandon improvements to national networks.
Deutsche Telekom claimed it had spent €5.2 million on implementation of retention infrastructure and €3.7 million a year to facilitate about 13,000 call data requests and 6,500 internet data requests. Other operators said they had spent in excess of €4 million setting up systems for providing access to stored data.
*Warrants are typically reserved for the most intrusive powers, such as the power to use force to enter a home, to intercept phone calls, or to arrest a person. Many powers, including access to metadata, simply do not rise to that level.*
- If “metadata” is not intrusive, why, as Josh Taylor has reported, won’t Senator Brandis provide access to his own communications data?
- 11 countries in the EU require some form of judicial authorisation before access to “metadata” is provided.
- Earlier this month, the Human Rights Committee recommended that a warrant should be required for “metadata” access.
*Law enforcement and national security agencies suggest that a data retention period of two years is necessary to maintain our agencies’ investigative capabilities*
- Retention periods typically are between 6 months and 12 months in the EU.
- In the UK, for example, a 2011 report revealed that, over a 4 year period, 74%+ of disclosures to law enforcement agencies, where the age of data being sought was known, related to data that was less than 3 months old.
*The government will reduce the number of agencies permitted to access metadata. Only agencies that have a clear need for such access and well-developed internal systems for protecting privacy, such as law enforcement and intelligence agencies will be able to access the data. Data must be reasonably necessary for the purposes of investigating criminal offences and other permitted purposes.*
- The Bill only limits the agencies that can automatically access metadata. It does not significantly limit the very broad range of agencies that can apply to access metadata (see proposed new section 176A). Proposed section 176A will allow a broad range of agencies, ranging from ASIC to local councils and the RSPCA, to apply for access to data.
- There is no definition in the legislation of “well-developed internal systems for protecting privacy”. The Minister is simply to have regard to whether the agency that wants access to metadata is required to comply with the Australian Privacy Principles or a comparable scheme. Just this week, the Attorney-General’s Department itself asked for the return of improperly redacted submissions which revealed individuals’ personal information.
*Will data retention be used for copyright enforcement? The Telecommunications (Interception and Access) Act 1979 only allows access for limited purposes, such as criminal law enforcement matters. Breach of copyright is generally a civil law wrong. The proposed data retention regime does not change this in any way.*
- If data is in the possession of a party it can be compelled to provide it to a litigant by coercive court processes such as discovery or subpoenas. As Ben Grubb has reported, data retention would be a “boon for private investigators” and lawyers acting for clients in a range of disputes.
- The Australian Federal Police admitted that legislation for new mandatory data retention obligations on Australian telecommunications companies could be used to fight online copyright infringement.
- The government will need ISPs to retain (source) IP addresses if it wants to introduce a notice scheme where ISPs are forced to police online copyright infringement. Josh Taylor has reported on how film studios want to use data retention to crack down on piracy.
- In 2010, Digital Rights Ireland reported:
many member states have implemented the EU data retention directive by widening its scope and retaining data that was not retained in the past, often allowing it to be used for more purposes than outlined in the directive, such as for civil litigation on copyright in the UK. Such expansion is referred to as “mission creep” by privacy advocates.
Note: the above italicised extracts from the government’s new “explainer” on data retention can be found on the following pages:
Further resources: commentary and analysis on Australia’s controversial data retention bill: http://bit.ly/104A4XJ