All agencies that have permission to access telecommunications metadata should be “exhaustively listed in the primary legislation” to avoid continued scope creep, the Law Council of Australia says.
The comments, made to a joint parliamentary committee reviewing Australia’s data retention laws, come after it emerged that a further 27 bodies - including councils, “illegal dumping” authorities and industry overseers - made requests for stored data since November last year.
The Communications Alliance, which represents telco interests, keeps track of the types of organisations requesting access to metadata under the data retention scheme.
It said last week that 87 different bodies nationwide have made requests for telecommunications metadata, though even it noted that the list might not be exhaustive.
“There needs to be greater precision in the legislation as to who is permitted to access the data and in what circumstances, particularly as the scheme operates in such a way that a person is not informed when their telecommunications data is being accessed,” the Law Council of Australia stated.
“Consequently, the Law Council considers that those agencies which can access data should be listed in the primary legislation.”
The Law Council said that the law is currently being used well beyond its stated aims.
“For the regime to be proportionate with its aim of assisting in the protection of national security, public safety and addressing crime, access to existing telecommunications data should only be granted to criminal law enforcement and security agencies that investigate specific serious crimes such as serious indictable offences or specific serious threats to national security,” the council said.
Citing Home Affairs numbers, the Law Council noted a large discrepancy between metadata requests and successful convictions.
“Internally-authorised access to data [within Home Affairs] is widespread and common, however it is difficult to assess the extent it is proving to be effective, or indeed truly necessary as an investigative tool, especially in the area of the ‘protection of national security’,” the council stated.
“The available evidence shows that the proportion of convictions in 2016-2017, being 442 as compared to the number of times data was accessed, for criminal law enforcement alone, being 293,069, serves to illustrate that the scheme as it presently operates is not necessarily being used to obtain specific evidence that can result in a criminal conviction.
“However, the Law Council concedes that there can be numerous authorisations to access data which can relate to one individual and it is difficult to discern the extent to which the authorisations correlate with the specific convictions.”
The Law Council called for an overall tightening of access to data under the scheme, arguing it should only be warrantless where “access is strictly necessary due to an emergency situation”.
It defined an emergency situation as “where there is a real and reasonable belief that there is a serious and immediate risk to public safety or health”.
In all other circumstances, it argued, “Access to retained telecommunications data should be authorised by a warrant issued by an independent court or tribunal.”
The Law Council of Australia is also pushing to close another potential loophole that could result in future “function creep” in terms of the way that data retention legislation is used.
“There remains the potential for telecommunications data retained under the scheme to be used in matters of online piracy as telecommunications data may provide an irrefutable download history,” the council stated.
“Former Attorney-General Brandis and the former AFP Commissioner have stated that the regime will not be used to tackle digital piracy, but should digital piracy offences of individual consumers become criminalised in the future (currently piracy is only a criminal offence when at a commercial scale) it is possible that this position would be reassessed by the government of the day.”
The Law Council cited the online piracy suit waged against ISP iiNet as an example of “customer account information” being turned over to litigants in civil proceedings.
“In 2015, the Federal Court ordered that the applicant in Dallas Buyers Club LLC v iiNet Ltd was permitted to request that iiNet provide the names and contact details of 4,726 customers whose IP addresses improperly shared a digital film file,” the council said.
“The court ordered that, what could be considered to be a category of telecommunications data being subscriber information, be disclosed to the applicant to assist in the claim for breach of copyright.
“This is despite the protection afforded to data retained under the regime to not being used in civil proceedings contained in subsection 280(1B) of the Telecommunications Act.”