Uncapping the new data retention laws

As of 26 March 2015 the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (the Bill) has passed both houses of Parliament and will in due course be enacted into Australian law.

MEETING THE NEW BILL

First, a quick look at some of the jargon used in the Bill: ‘telecommunication data’ or ‘data’ is a whole topic dealt with later on; ‘service providers’ and ‘relevant services’ are effectively the telecommunication corporations and their various phone and data networks respectively, but not broadcast; and a ‘telecommunication device’ would of course be a phone or smartphone device.

As the Bill’s name plainly suggests, it revolves around the collection and storage of people’s telecommunication data. Fans of Orwell may have raised eyebrows at this point, as it is easy to see why people may be apprehensive about or concerned with the idea that the Government is actively seeking methods to amass their data history.

This article will provide a quick overview of what the changes to the telecommunications law actually involve and will attempt to dispel common concerns, but at the same time draw attention to some aspects you may be unaware of.

 

THE BILL’S OBJECTIVE

First of all, the whole thrust of the Bill is standardisation. Previously there were no statutory guidelines or requirements as to what information service providers should retain and for how long. The Bill now stipulates that applicable service providers must maintain telecommunication data for a minimum of two years. The overall purpose of having retained data is for the protection of society from various criminal activities and, believe it or not, the protection of individuals’ right to privacy.  

How does collecting vast amounts of telecommunication data assist in protecting people’s right to privacy? To answer, one evokes the notion of a cop movie drama: the cops are conducting investigations into those who may have criminal organisation connections. The name of a potential suspect comes up, and they employ the classic cop movie trope of wiretapping the suspect’s phones to gather potentially condemning evidence against them - highly effective but incredibly invasive. The theory behind the Bill’s initiatives is that by having a standard baseline of basic recorded data, police and crime investigators could effectively and efficiently rule out those unlikely to be suspects by comparing the already retained data with indicators or characteristics of those they are looking for. So back to the cop movie example: if the cops had access to basic historical data, they could determine whether or not there had been calls, emails or other forms of correspondence between the known criminal organisations and the suspect. If the suspect comes up clean, it’s far easier for police to rule them out from further investigations. Not only does this increase efficiency and help fight crime, but it also protects privacy by avoiding the need to subject what may be a perfectly innocent person to a police wiretap or further surveillance.

 

WHAT IS DATA?

Now to deal with what most likely has the biggest question mark over it: what does the Bill consider data and what specifically is going to be retained? Going back to the above situation and looking at it in the extreme, surely the police would be better served if service providers were required to maintain records of every word spoken over a phone, the content of every text message sent and information on any website accessed, as the police would only have to search said databases to find the exact evidence they were looking for. Many criminal investigations could effectively be opened and closed without leaving a computer and, despite the obvious major breach of the public’s privacy and the huge potential for misuse, the improved efficiency of police investigations would be impressive. However, the Bill does not allow such levels of data retention; rather, whether cognisant of such issues or not, those responsible for drafting the Bill and its explanatory memorandum have expressly mentioned numerous times that the definition of data, whilst not exhaustive, does not and will not include content. This means one’s web browsing history, email body text or phone conversations will not be retained. In saying that, the Bill introduces s187AA, which sets out the kinds of things service providers will retain from service users in relation to the relevant services:

  • Names;
  • Usernames;
  • Address information;
  • Other identification information;
  • Billing and payment information;
  • Contact information;
  • Email addresses;
  • Phone numbers;
  • Phone numbers called and received;
  • IP addresses; and
  • Quantitative information about a relevant service such as talk minutes and upload/download volumes.

Note: passwords, PINs and secret answers are not required to be retained nor is GPS data or real time tracking data.

 

WHO HAS ACCESS TO THE DATA RETAINED?

Previously, any authority or body that enforces a criminal law, a law imposing a pecuniary penalty or a law protecting the public revenue could effectively seek access to telecommunication data. Fortunately, the Bill now seeks to limit those who have access to it. The Bill requires that bodies that are not criminal law enforcement agencies must be authorised by the Minister before access can be obtained. That access is determined on a consideration of the necessity of the intrusion, that procedures are in place to minimise any intrusion and that it is in the interest of the public to allow such an intrusion; though one would like to think that in the past any access to telecommunication data satisfied those requirements outright. Nevertheless, the Bill, through its introduction of s151 and 186A-186J, establishes the Ombudsman as the oversight authority; power is granted to the Ombudsman to review and inspect the records of those seeking access to telecommunication data, and weight is given to such powers by incorporating criminal sanctions for failure to abide by the Ombudsman’s requests.

Despite the fact that there are costs associated with these new requirements which will have to be worn by the service providers, in brief that is what we can expect from the introduction of the Bill.

 

FURTHER PROTECTION?

Unsurprisingly, attitudes to the Bill are varied, ranging from indifference to outrage. But whether or not one is comfortable with the data that will be retained under the Bill, it is important to consider what does happen to one’s data content, for example, who does have access to your website browsing history. At present there are a number of other statutes that dictate the use of and access to data and personal information, namely the Privacy Act 1988 (Cth) and the Privacy and Personal Information Protection Act 1999 (NSW). This article won’t go into depth on what specifically can and cannot be collected and to what extent one’s privacy can be protected legally from both public and private entities. The best rule of thumb is to simply be aware of your actions on the internet: where and what you browse, and who you interact with and how. If you have further issues or concerns with privacy, do seek professional legal advice.

 

 

No part of this post is to be considered or constitutes legal advice in any way; any opinions or information provided are for either entertainment or educational purposes only. Contact Alex via phone, email or through the CONTACT page if you require legal assistance.