A new parliamentary report into Australia’s mandatory data-retention regime has called for a number of changes to increase transparency and to prevent non-law enforcement agencies from accessing the metadata of individuals.
In its report tabled in parliament on Wednesday, the Intelligence and Security Committee made 22 recommendations to government that, if implemented, would increase transparency, raise the threshold for when data can be accessed, and reduce the broad access to telecommunications data under the Telecommunications Act, according to committee chair Andrew Hastie.
“Our recommendations are aimed at improving mandatory data retention in a way that does not have a great effect on law enforcement and ASIO’s ability to do their very important work,” he said in a statement.
Under the mandatory data-retention regime, carriers, carriage service providers and internet service providers must retain telecommunications data for two years to ensure it can be accessed during law enforcement and national security investigations.
The committee has decided the existing two year period of data retention should not be changed.
However, it has called for section 280(1)(b) of the Telecommunications Act to be repealed, and recommended amendments be made to ensure that only ASIO and other law enforcement agencies listed in section 110A of the Interception and Access Act can authorise the disclosure of telecommunications data.
“It is the broad language in this subsection that has allowed the access that concerned the committee,” the committee said in a statement.
Currently, a loophole in section 280 allows agencies outside of the data-retention scheme to use their own powers to seek access. Earlier this year, the committee heard that while mandatory data-retention laws permit just 21 agencies to access the metadata, more than 87 other entities — including councils, the Victorian Institute of Education, the RSPCA and the South Australian fisheries department — have used section 280 to gain access.
“The committee was disappointed that the Department of Home Affairs, which was aware of the concerns the committee had with the section, did not seek to assist the committee in finding a way to amend this section,” the report said.
The committee recommended the Department of Home Affairs prepare national guidelines on the operation of the mandatory data-retention scheme that “ensure greater clarity, consistency and security” in the handling of telecommunications data by enforcement agencies.
In doing so, Home Affairs should consult with the Privacy Commissioner, the Commonwealth Ombudsman, law enforcement agencies, industry representatives, the Law Council of Australia, and the Department of Infrastructure, Transport, Regional Development and Communications, with the guidelines to be developed within 18 months.
The report called for additional reporting requirements for enforcement agencies, and provisions to ensure that the Inspector-General of Intelligence and Security and the Commonwealth Ombudsman can perform their oversight functions.
Under the proposed changes, the number of officers and law enforcement officials who can be designated as “authorised officers” would also be reduced.
The Telecommunications Act should also be amended to clearly define “content or substance of a communication” to provide “greater certainty” and enhance privacy protections, the report said.
“In defining the term ‘content or substance of a communication’, Home Affairs should specifically consider whether some information that is currently treated as telecommunications data should now be regarded as content given what that information can reveal about an individual,” it said.
Labor members Anthony Byrne, Mark Dreyfus, Jenny McAllister, Kristina Keneally and Anne Aly said that while the recommendations would lead to “significant improvements” to the mandatory data-retention regime, the committee should have gone further in seeking to “balance the legitimate interests” of law enforcement with the protection of privacy.
“Putting to one side the power to access telecommunications data to locate a missing person, Labor members are concerned that the power to access telecommunications data without a warrant may be used — and is, in fact, currently being used — to access the telecommunications data of individuals who are not themselves suspected of any wrongdoing,” they wrote.
They argued law enforcement agencies should be able to access the telecommunications data of someone who is not suspected of any wrongdoing unless the person gives consent, seeking their consent is “reasonably likely to compromise an investigation”, or if the person’s consent cannot be obtained because, for example, they have been “seriously injured or killed”.
Labor also expressed concern that allowing law enforcement agencies to access the data of those who aren’t suspected of wrongdoing without consent could discourage victims or witnesses from reporting crimes.
“Labor members note that significant intrusions into privacy by law enforcement agencies, such as a search of a person’s home, opening a person’s mail, installing a listening device or obtaining a saliva sample, generally require agencies to obtain a person’s consent or a warrant from an independent issuing authority. Given that context, we consider our proposal to be both modest and sensible,” they said.