Senate Committee warning on ISP data retention

A Senate Committee has raised serious concerns over the Attorney-General's ISP data retention proposal, warning the privacy risks it posed could outweigh any benefits to law enforcement agencies.

The secretive proposal was first raised last year and appeared to mimic the European Directive on Data Retention, which mandated the retention of telecommunications data.

The committee - made up of two Labor, two Liberal, one Nationals and one Greens senator - attacked the Attorney-General's Department's “narrow” consultations and failure to engage with the broader community or public interest and civil liberties organisations.

It also warned the proposal's reach could be at odds with Australia's privacy regime.

 “The proposal has very serious privacy implications, even if one accepts the arguments of the Attorney-General's Department and AFP that the same information is already available for fixed-line telephone records," the committee reported [pdf].

"The fact is that much of the information intended to form part of the scheme does not need to be collected for any other purpose, so the only reason to retain it is the mere possibility that it may prove useful to law enforcement.

"This seems to the committee to be a significant departure from the core principles underpinning Australia's privacy regulation."

 The committee also argued there was “a very real risk that the most serious, tech-savvy criminals—particularly those involved in fraud and child pornography—will be able to evade monitoring in any respect as a result of technological developments.”

Offline thinking

Privacy protections for Australians online generally rated poorly with the Senate Environment and Communications References Committee in its report.

“It seems Australia's current approach to privacy regulation is applying offline thinking to online situations,” the report stated.

“The committee cautions that, as online technology continues to develop and new privacy issues emerge, it will be necessary to continually evaluate Australia's privacy framework to ensure that regulators are  not simply applying old policy values and frameworks, which may be well suited to the offline contexts, to a very different online situation.”

The Committee considered the adequacy of current and prospective privacy laws in the case of online behavioural advertising.

It recommended greater protections for businesses and consumers by strengthening the powers for the Privacy Commissioner, extending the Privacy Act to cover small businesses that had large data assets or introducing a “Do Not Track” model to counter misuse of cookie data by online advertisers.

Though supportive of industry self regulation initiatives, the Committee was reluctant to give them an unqualified tick without some supervisory legal oversight by law or through the Privacy Commissioner.

“The committee also accepts that there are strong incentives for some companies and industries, such as the online advertising industry, to develop strong privacy protection practices in order that customers feel secure in dealing with those organisations. However, the committee is not convinced that this is always the case.

“ The discussion … regarding behavioural advertising demonstrates that it is frequently very lucrative for organisations to sell personal information, which increases the self-interest in having lax privacy protections, or loopholes in privacy policy.

"Accordingly, the committee supports in-principle the government's proposal to strengthen the powers of the [Privacy Commissioner] to develop and enforce industry codes for specific industries which pose risks to the privacy of Australians."

The committee also expressed particular concern that certain small businesses which held significant quantities of personal data were exempt from the Privacy Act and could transfer the personal information of their customers offshore without restriction or oversight.

“In the committee's view, small businesses which hold significant quantities of personal information, or which transfer personal information offshore, ought to be subject to the provisions of the Privacy Act .”