The Federal Government’s proposed data retention laws run counter to the spirit and letter of the national privacy principles.
If enacted, the data retention laws will make it mandatory for all Australian telcos and ISPs to store the non-content usage records of all individuals for up to two years without the consent of the individuals involved.
But they appear to contradict the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, which, if passed, will prohibit the use of all personal information for direct marketing, unless exemptions apply.
The proposed privacy amendments are consistent with the "consent-based" approach that generally underpins Western thinking about privacy.
By contrast, the national security reform proposals seek to significantly extend government's surveillance powers.
If one was to apply the principles enshrined in the Privacy Act – including the direct marketing reform proposals – on the data retention proposal, one would ask:
- Is the information that will be collected under the data retention proposal personal in nature? Clearly it is.
- Are the affected persons aware the information is being collected? They are not.
- Would most people reasonably expect the information will be collected? We suggest they would not.
- Can individuals ask that this information not be collected? They cannot.
- Do persons consent to this information being used for any purpose? They do not.
On almost every measure then, the data retention laws do not meet the basic community expectation on of privacy which finds expression in the Privacy Act and its reforms.
Both the proposed laws – direct marketing and data retention – shift the burden of compliance to private industry, resulting in likelihood of the costs being passed through to consumers.
Ultimately, it is the responsibility of the government to demonstrate the benefits of the proposed laws through fact-based evidence, in order to prove that the proposed laws are justified.
Weighing up law reform
In assessing the merits of new laws, we believe that two questions must be rigorously considered:
- What is the risk or problem which the new regulation seeks to overcome, and why cannot this be addressed by existing rules?
- What is the cost of the new regulation and who should bear this?
According to Attorney General Nicola Roxon, the proposed data retention reform "is to allow law enforcement agencies to continue investigating crime in light of new technologies".
But where is the evidence that criminal or illegal behavior remains undetected in the absence of such laws?
Currently, law enforcement agencies already have the power to issue a warrant which allows its officers to monitor and intercept a person's communications. The proposed laws will vastly enhance these existing powers to monitor and intercept personal information.
As to the question of cost, telco industry groups have estimated a mandatory data retention regime to cost in the vicinity of $500-$700 million.
The Australian Federal Police, which support the proposals as being necessary to safeguard existing law enforcement against changing technology, has conceded that the volume of data that is required to be retained under the proposal and the burden of its storage by telcos and ISPs will be a "challenge".
However in this case cost is not only measured in financial terms. Advocates of the proposed laws would say that only those with guilty consciences need be concerned.
Yet the potential for misuse of the system is enormous and the proposal runs counter to the principles of Western liberal democracy, which ironically are given expression in the proposed direct marketing reforms.
Victoria’s Acting Privacy Commissioner, Anthony Bendall has labelled the proposals "characteristic of a police state", because they assume all citizens should be monitored, remove the presumption of innocence, and "go against the human rights and privacy law promise of freedom from surveillance and arbitrary intrusions into a person’s life".
Although the exact detail of the plan has not been released, some definitions — which ISPs have been granted access to via a dataset controlled by the federal Attorney-General's department —have been described by iiNet's chief regulatory officer Steve Dalby as "scary".
It appears that the current definition of what data must be retained is extremely broad, with the wide scope causing concern that the privacy of individuals risks being encroached.
Benjamin Franklin once said, “They who can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
Franklin's thoughts remain as relevant today as in his lifetime.
James Halliday is a partner and Sylvia Li is an associate at international law firm Baker & McKenzie. The views expressed in this article do not necessarily represent the views of the firm or any of its clients, which include a number of major ICT suppliers and vendors in Australia and overseas.