Data retention bill over the top, committee finds

A parliamentary committee tasked with applying the Human Rights Act to new legislation has criticised the Government’s data retention bill for limiting free speech, being open to misuse, and going beyond what is necessary to fight crime, recommending agencies should need to get a warrant to access the stored data.

The Coalition Government introduced its bill governing the forced retention of Australian citizens’ metadata for two years late last month.

The bill prescribes that telecommunications service providers retain a dataset on each customer for two years, to be made available to law enforcement agencies without a warrant. No detail on the specific dataset to be retained was provided, with parameters set to be outlined in “future supporting regulations”.

The parliamentary joint committee on human rights - which examined legislation introduced between the 20th and 30th of October in relation to the Human Rights Act - today handed down its findings on the bill, reporting that the proposal was disproportionate to what was needed to fight crime.

The report, tabled today, criticised the bill as “very intrusive of privacy” and expressed strong concern about the lack of detail provided on the specific dataset to be retained.

The committee - made up of five Coalition MPs, four Labor MPs and one member of the Greens - said metadata had the ability to reveal very personal information about an individual even without actual content of communications being made available.

“This in turn may reveal the person’s political opinions, sexual habits, religion or medical concerns,” the committee reported.

“As the European Court of Justice has stated in its recent ruling that held that blanket retention of metadata was disproportionate, such data 'taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.

“As such, the proposed scheme clearly limits the right to privacy.”

The MPs called on the Government to include its definition of metadata within the current bill rather than through “future regulations”, or at the minimum release an exposure draft of the future regulations.

“Given such potential use of metadata, the committee is concerned that the types of data to be collected remain unspecified until such time as the relevant regulation is made.”

The committee said its concerns were compounded by the fact that the Government had not specifically excluded content data from the legislation.

“[This] could see data retained that does include aspects of content. For instance, meta-tags are used by website developers to provide search engines with information about their sites, and may contain significant information about a website including aspects of its content,” the MPs said.

“However, it is unclear whether it is intended that meta-tags will be prescribed in the regulations as data to be retained for the purposes of the scheme.”

Get a warrant

The Government’s failure to limit access to serious crime investigations only, coupled with the potential for the data to be misused, would result in a “disproportionate limitation on the right to privacy”, the committee reported.

“The committee considers that to ensure a proportionate limitation on the right to privacy, an appropriate threshold should be established to restrict access to retained data to investigations of specified threatened or actual crimes that are serious, or to categories of serious crimes such as major indictable offences (as is the current threshold for requiring the option of trial by jury).”

Such concerns were coupled by the insufficient oversight currently proposed under the draft legislation, the MPs reported.

Under the bill, the Commonwealth Ombudsman will oversee the scheme and the use of the accompanying powers by law enforcement agencies, and the Parliamentary Joint Committee on Intelligence and Security (PJCIS) would review the scheme three years after its commencement.

While the committee reported its satisfaction with these specific oversight mechanisms, the “very intrusive nature” of the bill raised concerns that access powers would only be reviewed after they had already been used.

The committee recommended that the Government amend the bill to force law enforcement agencies to go through the courts or an independent administrative tribunal to access the metadata.

“The committee considers that requirements for prior review would more effectively ensure that the grant of access to metadata under the scheme would be consistent with the right to privacy.”

The MPs also suggested the Government establish an oversight mechanism for the warrant process - such as through the Independent National Security Legislation Monitor - to ensure applications were impartially assessed.

“The committee is of the view that this may be an important safeguard where warrant applications occur ex parte (that is, without the individual whose data is to be accessed being present).”

Two years too long

Forcing telecommunications service providers to store their customers’ metadata for two years went far beyond the period necessary to aid criminal investigations, the committee added.

Given that law enforcement agencies under other similar data retention regimes predominantly accessed data that was less than six months old, the proposal for two years is excessive disproportionate, the MPs reported.

“Despite the acknowledged low frequency of use of data that is more than six months old, and the stated requirement for older data for national security and complex criminal offences, the scheme does not limit access to data which is older than six months to the investigation of national security and complex criminal offences.”

The committee asked Attorney-General George Brandis to provide advice on whether the two-year period was in fact necessary for law enforcement agencies.

“It would be impossible for an individual to seek redress for breach of their right to privacy if they did not know that data pertaining to them had been subject to an access authorisation.”

The Attorney-General's office has been contacted for comment.