The Parliamentary Joint Committee on Intelligence and Security has just released its report into the government’s controversial proposed data retention scheme, which is likely to pass through into legislation as Labor lends its support. Here’s what it has to say.
Mobile phone image via Shutterstock
The PJCIS has held hearings for some time on the proposed data retention legislation, and is made up of members from both sides of government. Here are a few of the most important recommendations (out of the 39 total) in the committee’s report:
Recommendation 9
The Committee recommends that the two-year retention period specified in section 187C of the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be maintained.
No-one from either side of politics is suggesting data be retained for any more than two years, but similarly no-one is arguing for any less.
Recommendation 10
The Committee recommends that the Explanatory Memorandum to the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 clarify the requirements for service providers with regard to the retention, de-identification or destruction of data once the two year retention period has expired
This is an important recommendation because it suggests the bill lay out clearly what happens to data after the two-year retention period ends, whether it is further kept or deleted, and the details of that potential destruction and the security measures around it.
Recommendation 5
The Committee recommends that the Explanatory Memorandum to the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to make clear that service providers are not required to collect and retain customer passwords, PINs or other like information.
At least your passwords are safe. It’s just the other information you transmit that’ll be stored and catalogued for agencies to peruse.
Recommendation 7
The Committee recommends that the Explanatory Memorandum to the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to make clear that service providers are not required to keep web-browsing histories or other destination information, for either incoming or outgoing traffic.
Similarly, your Web browsing history won’t be stored — not specifically, at least. Instead, an IP address record of the sites you visit, as well as other data, will be retained (the “address on the envelope” data).
Recommendation 2
The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to include the proposed data set in primary legislation.
The proposed data set is key to understanding exactly what metadata the legislation will cover, and the extent to which your phone and internet communications will be monitored. Seeing this recommended to be included is hugely important.
Recommendation 16
The Committee recommends that the Government make a substantial contribution to the upfront capital costs of service providers implementing their data retention obligations. When designing the funding arrangements to give effect to this recommendation, the Government should ensure that an appropriate balance is achieved that accounts for the significant variations between the services, business models, sizes and financial positions of different companies within the telecommunications industry.
The government, then, will make a “substantial contribution” to the cost of data retention, but will not pay for it completely. The rest of the recommendation suggests that government assist smaller service providers with funds to set up their data retention systems, but larger telcos and ISPs will bear the cost themselves.
Recommendation 17
The Committee recommends that criminal law-enforcement agencies, which are agencies that can obtain a stored communications warrant, be specifically listed in the Telecommunications (Interception and Access) Act 1979.
This recommendation ensures only the listed agencies will be able access metadata information, after obtaining “a stored communications warrant”. This should prevent unnamed, unlisted agencies or other government parties from accessing the stored data without going through an additional emergency approval process.
Recommendation 20
The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to list the Australian Securities and Investments Commission (ASIC) and the Australian Competition and Consumer Commission (ACCC) as criminal law-enforcement agencies under proposed section 110A of the Telecommunications (Interception and Access) Act 1979.
It looks like ASIC and ACCC will be added to the list of approved agencies, using their powers to monitor metadata supposedly related to their regulation of the stocks and securities markets and business and corporation entities respectively. Both groups lobbied the PJCIS for access after being intially excluded.
Recommendation 23
The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to prohibit civil litigants from being able to access telecommunications data that is held by a service provider solely for the purpose of complying with the mandatory data retention regime.
Civil litigants in this sense refers to private entities like individuals, companies and corporations. This is a big one — if the recommendation is included in the legislation, it could prevent metadata being used in civil cases including copyright infringement.
Recommendation 38
The Committee recommends introduction of a mandatory data breach notification scheme by the end of 2015.
If the server on which your metadata is stored is hacked or otherwise illegally accessed, you should be notified. This notification scheme should extend to any data breach online, too, going by the wording.
Recommendation 24
The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to make clear that individuals have the right to access their personal telecommunications data retained by a service provider under the data retention regime. Telecommunications service providers should be able to recover their costs in providing such access, consistent with the model applying under the Privacy Act in respect of giving access to personal information.
This is a very interesting inclusion. If this comes off, you’ll be able to see exactly what metadata your ISP and, by extension, the government, is retaining on you — but you’ll have to pay for the privilege.
Recommendation 25
The Committee recommends that section 180F of the Telecommunications (Interception and Access) Act 1979 be replaced with a requirement that, before making an authorisation under Division 4 or 4A of Part 4-1 of the Act, the authorised officer making the authorisation must be satisfied on reasonable grounds that any interference with the privacy of any person or persons that may result from the disclosure or use is justifiable and proportionate.
The recommendation here is that any officer that wants to access your metadata information must prove that they have a legitimate, “justifiable” interest in accessing it. This recommendation, if set out clearly, should prevent this kind of over-reach.
You can read the PJCIS report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 right here.
More to come… [APH]