Despite concerns from industry groups, digital privacy advocates, cross-bench politicians and even at times the Federal opposition, a joint Parliamentary committee has recommended the Government’s proposed mandatory data retention legislation be passed into law.
However, the committee has made 39 recommendations to limit the scope and implementation of the bill. While the proposed two-year lifespan of retained data was left intact, recommendations were made for a data set to be stipulated in legislation (rather than through regulation), greater oversight of access and the prohibition of civil litigants from accessing metadata “with appropriate exceptions.”
In response to privacy concerns, the committee has recommended ISPs and telcos be required to encrypt data and that data breach laws be brought in by the end of 2015, forcing providers to disclose if data has been hacked or compromised.
In addition, the committee has recommended “strengthening the safeguards around the use of telecommunications data for the purpose of determining the identity of a journalist’s sources.” This activity will require authorisation by the Commonwealth Ombudsman or the Inspector-General of Intelligence and Security, with safeguards to be further reviewed by the committee.
Bipartisan support
After months of deliberation and public hearings, the Parliamentary Joint Committee on Intelligence and Security handed down the report today, with committee chair and Liberal MP Dan Tehan saying it was produced in a “spirit of bipartisanship.”
Controversial elements of the bill have passed muster, including the requirement that data be retained for a minimum of two years. According to Mr Tehan, “the evidence was overwhelming that we need a two-year scheme…if we had done anything that was shorter it would have jeopardised [criminal] investigations”.
The Committee has carefully considered the evidence presented on the necessity and proportionality of the proposed mandatory data retention regime, and concluded that it is necessary to support our national security and law enforcement capabilities.
At the same time, the Committee considers that appropriate limits, safeguards and oversight mechanisms must be in place.
Federal Opposition Leader Bill Shorten had previously pushed back against data retention, writing to Prime Minister Tony Abbott to express disappointment that the coalition had “sought to politicise the development and consideration of anti-terrorism legislation” and to raise issues around cost, data set and press freedom.
However, Mr Shorten today said that amendments to the bill in line with the committee’s recommendations would help “get the balance right.”
Following the publication of the PJCIS report, parliament will resume debate on the bill next Tuesday, meaning mandatory data retention is one step closer to becoming law in Australia.
‘Mass surveillance’ vs must-have: Data retention in Australia
Officially known as the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, the legislation was introduced to Parliament in October 2014 and put before the PJCIS a month later.
If passed, the laws will require telcos and ISPs to retain telecommunications data for a period of two years, making it available to law enforcement and national security agencies pursuing criminal investigations.
The metadata timeline
- Aug 2014: Government announces data retention
- Sep 2014: Telstra reveals warrantless metadata requests
- Oct 2014: Bill tabled in parliament with draft data set
- Nov 2014: Industry pushes back on data retention
- Jan 2015: Concerns about hacking
Throughout public consultation conducted by the parliamentary committee, the bill was heavily criticised for not stipulating the finalised data set to be retained under the laws, with legislation only defining a draft data set to be codified through regulation.
Similarly, service providers, industry groups and cross-bench politicians raised concerns about the cost of implementing mandatory data retention. While Prime Minister Tony Abbott said this month it would cost AU$400 million to establish the scheme, this figure does not include the ongoing operational costs for ISPs and telcos. The PJCIS has now recommended that the Government “make a substantial contribution to the upfront capital costs incurred by service providers in implementing their data retention obligations”.
One of the major concerns about retaining a two-year metadata record of every connected Australian is the implication for personal privacy and press freedom.
Civil liberties groups have staunchly opposed the measure as an unnecessary invasion of privacy, iiNet called it “Orwellian” and politicians labelled it as one that treats every Australian as a “potential criminal”.
Debate on the bill will continue in the House of Representatives next week.