Australia’s mandatory data retention regime came into being back in 2015. Essentially, the metadata laws force telecommunications companies to retain customer data for two years for warrantless access by law enforcement.
To break that down a little, warrantless means that they don’t need a warrant, they can just…get it, providing the threshold has been met to justify it.
Since its inception, the regime has come under fire for many things, not limited to the fact the legislation just didn’t appear to be that thoroughly thought out.
One such concern points back to this whole ‘warrantless access’ bit. It was revealed in 2016 that 61 agencies had asked for access to telecommunications metadata stored on Australian residents without a warrant. While these 61 agencies included the likes of the ATO, which you can kind of wrap your head around why they’d need it for high-level investigations, it also included the Victorian RSPCA, Australia Post and a number of racing entities.
Back in 2020, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) started probing the data retention regime. During this time, the PJCIS received a tonne of submissions and heard testimony from a number of stakeholders/experts/law enforcement agencies.
One of the submissions I remember reading at the time was the Australian Human Rights Commission, who asked for the data retention legislation to be modified to being very targeted in combating serious crimes and serious crimes only.
In October 2020, the PJCIS handed down its report, recommending 22 fairly urgent amendments to make the data retention regime tighter and less open to exploitation.
This week, a government response to this 2020 report was finally tabled.
Of the 22 recommendations made by the PJCIS, 20 were accepted by the new government, with one part accepted and the other ‘noted’.
One of the recommendations addresses the access the likes of RSPCA, AusPost and those racing orgs managed to have by closing a loophole in the data retention regime.
The Committee recommends that section 280(1)(b) of the Telecommunications Act 1997 be repealed. Moreover, the Committee recommends that the Government introduce any additional amendments to Commonwealth legislation that are necessary to ensure that:
-
Only ASIO and the agencies listed in section 110A of the Telecommunications (Interception and Access) Act 1979 be permitted to authorise the disclosure of telecommunications data; and
-
Those agencies can only access telecommunications data through Part 4–1 of the Telecommunications (Interception and Access) Act 1979 and through no other legal mechanism.
In agreeing to this recommendation, the government accepts that, yes, as it stands, that specific part of the data retention legislation can operate as an inappropriate means to access telecommunications data without appropriate oversight and safeguards.
“The government will introduce legislation to repeal this provision and replace it with one that limits access to data (including personal information of subscribers) to specified entities in situations where that access is necessary and proportionate to achieving an allowable purpose,” the government wrote.
“This will include consideration of reforms to other relevant provisions of the Telecommunications Act 1997 as required.
“These reforms will address the need to protect the personal information of subscribers and manage regulatory costs to industry.”
Further, the government said it will ensure there’s better recordkeeping around the metadata requests and that training for those making requests will be done. It will also aim to create a set of consistent national guidelines for law enforcement and other agencies, to more clearly define what constitutes the “content or substance of a communication”.