Scott Ludlam (WA, Australian Greens) Share this | Link to this | Hansard source

I might start with a couple of quick general questions that relate to cost since that was the second reading vote that just went down. My first question to the honourable Attorney-General is to ask him to give a sense of how the government sees a couple of issues that I suspect are related. One is the location of storage. We suspect other crossbench senators also have an amendment that relates to where this data will be stored. Is there is a requirement—and I do not believe there is—in the bill that it be stored here in Australia? I would expect on advice from the sector that that would potentially raise costs. I understand that where the material should be stored is something that the government is giving some consideration to as well as how the costs should be apportioned—such as directly funding telecommunications providers as opposed to letting costs wash through and there being potentially increased data charges or potentially not.

I am interested to know, firstly—and the Attorney-General is welcome to take these questions together, if he wishes—how the government proposes to resolve issues of cost as relayed in the letter from the Communications Alliance and obviously representative of concerns of the CEOs of major and minor telecommunications companies. Secondly, how does the Attorney-General see the issue of where the data is to be hosted and how that may affect considerations of cost?

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

In relation to the issue of cost, as I said in my contribution on the second reading of the bill, there have been long discussions between government and industry. The government has indicated that it will make a substantial contribution to capital cost. I refer you to the estimate in the PricewaterhouseCoopers report as to the likely average cost per customer per annum. Those discussions have not been finalised. Ultimately, this is a matter that will be determined in the budget process.

In relation to the locality of hosting the storage of data, the bill does not mandate a particular locality. It casts, as you know, an obligation on the ISPs to retain metadata. It is really quite a simple requirement. How they retain the metadata and where they retain the metadata is a matter for them; it is not mandated by the bill. The only thing that is mandated is the type of metadata that is to be retained and the duration of the retention obligation. One would expect that the ISPs would retain metadata in a manner and at a locality which was least costly to them.

Scott Ludlam (WA, Australian Greens) Share this | Link to this | Hansard source

I thank the Attorney-General for his concise answers. I refer to comments that were made quite recently by somebody the Attorney quoted a couple of times during his second reading contribution, Mr David Irvine, the former director-general of ASIO. He declared himself a 'data nationalist'—I think that was the phrase he used. He said that it was his concern that the material be hosted in Australia precisely so that we are not exposed to data-privacy regimes or otherwise of other countries. For example, if smaller service providers choose a Chinese cloud-hosting provider because they offer, as you observe, the lowest costs, that is something that concerns many people. It certainly concerns me, and it appears to also concern Mr Irvine.

I wonder whether you think that issue has any validity. In the course of the various reviews that are occurring into the way that this bill is going to operate, I wonder whether the government's mind is closed to a requirement, as Mr Irvine proposes in his comments, to adopt a position of data nationalism. It is not one that sits comfortably with me, but I am interested to know whether or not the government has a fixed view on this.

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

Senator Ludlam, I start by pointing out to you that Mr Irvine's views about the location of cloud storages have been misrepresented. There is no more enthusiastic supporter of the bill in its current form than Mr David Irvine. I do not think he would mind me telling you that, when the bill passed the House of Representatives last week, I received a message from Mr Irvine expressing his happiness and satisfaction with the fact that the bill was through the House of Representatives and looking forward to its passage through the Senate this week. I am not accusing you of misrepresenting him, but I think a remark that Mr Irvine made has been rather taken out of context and exaggerated. Mr Irvine wants legislators, senators, to know that he supports this bill in its current form and is very happy with it.

On the broader issue, the government does not have a closed mind. Australian law currently permits companies to store personal information in the cloud or offshore, provided that the appropriate risk-management strategies are in place. But they are subject—as I imagine you would know, Senator Ludlam—to some obligations, particularly under the Privacy Act. That act requires them to take reasonable steps to notify consumers if their information will be disclosed to an overseas recipient and the countries where the information will be held, and to ensure that any overseas recipient of personal information does not breach the Australian privacy principles.

As well, Senator Ludlam, you would be familiar with recommendation 36 of the 2015 PJCIS report, which recommends that the government introduce the telecommunications sector security reforms promptly. In the latter part of this year, that legislation will be introduced. The telecommunications sector security reforms will contain protections. It would, in particular, operate to provide a statutory framework for security agencies to work with industry to identify and mitigate security risks. Carriers and carriage-service providers would be required to manage security risks, including outsourcing and offshoring, by demonstrating effective control and competent supervision of their networks, the data on them and their facilities. The security framework would be based on a government and industry partnership to effectively manage national security risks and protect data stored and carried across telecommunications networks. So that is the answer to your question. There are, at the moment, under the Privacy Act, obligations, and there is in prospect, later this year, under the telecommunications sector security reforms, additional safeguards.

Christine Milne (Tasmania, Australian Greens) Share this | Link to this | Hansard source

Just to follow up on the answer from the Attorney-General, it interests me that you are bringing in legislation that deals with the security issues, after the fact. Why did we not do that first, before you brought that in as it currently stands? I particularly want to go to what you have just said: that the companies will be required to give an undertaking that, if they store the data offshore, it would be compliant with Australia's privacy requirements. I am interested to know what auditing or enforcement of compliance there will be. A company could easily say, 'Yes, we undertake to be in compliance with Australia's privacy laws,' but store the data offshore. Who is going to audit it? Who is going to enforce it? Where is the compliance?

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

Senator Milne, you should read the bill. If you want to participate in this debate, it would really be helpful if you read the bill. If you had read the bill, you would be aware that there is an 18-month implementation period for this metadata-storage regime. Well before that 18-month implementation period has run its course, the telecommunications sector security reform legislation will have been enacted—subject, of course, to the will of the Senate—because it will be introduced and deliberated upon before the end of this calendar year. That is the answer to your first question. In relation to the second question, I do not understand that there is an audit function or obligation under the Privacy Act but, in preparing the TSSR legislation, I will bear in mind the observation that you have made.

Nick Xenophon (SA, Independent) Share this | Link to this | Hansard source

On this issue that has been raised by Senator Ludlam and Senator Milne, I accept what the Attorney has said—that Mr Irvine, a former director-general of ASIO, welcomes this legislation and congratulated the Attorney for its passing. But Mr Irvine did say in the media that he is a cybernationalist when it comes to where you position the cloud. In fact, I asked the Attorney questions about this in question time last week. I appreciate the context that there will be further legislation to deal with these issues, in terms of the implementation of metadata. I ask the Attorney this particular question: does he broadly agree with the concerns of Mr Irvine—someone that he and many others in the committee have enormous respect for—that it is preferable for the cloud, in a sense, to be hovering over Sydney, Melbourne or Adelaide rather than over Shanghai or Bangalore?

As a general principle can the Attorney-General indicate at this stage whether there will be a preference, from a policy point of view, that any storage should be controlled here in Australia, by Australian providers, rather than being offshore?

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

I do not want to give any credence to the suggestion in your question that Mr Irvine has some misgivings about the way in which the matter is dealt with by this legislation because I can tell you he does not. I know that Mr Irvine is unhappy that the remarks to which you have referred that are attributed to him have been interpreted wrongly to suggest that he does. In relation to the broader issue, I really cannot add to what I said in response to Senator Ludlam's intervention. Australian telecommunications companies are subject to Australian law, wherever the data is stored, as you would be aware.

Nick Xenophon (SA, Independent) Share this | Link to this | Hansard source

In a story by Mark Eggleton in TheAustralian Financial Review, Mr Irvine essentially said that the would feel much more comfortable if data were governed by Australian law rather than law by some other country. I will not take it any further than that. I accept what the attorney has said. I think it is important that any metadata that is stored is stored with very much Australian control, by Australian entities and under Australian law. I do not want to take it any further than that. I do look forward to the next tranche of this legislation, or consequential legislation, so that the unmisrepresented concerns of Mr Irvine can at least be addressed.

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

I am sure we would all as Australian legislators be most comfortable if the obligations which are imposed are obligations imposed by Australian law. The point I made to Senator Ludlam, and which I would make to you, is that the obligations under the Privacy Act and under the telecommunications sector security reform legislation which is in prospect will be obligations arising under Australian law binding companies carrying on business in Australia, wherever the metadata may be stored.

David Leyonhjelm (NSW, Liberal Democratic Party) Share this | Link to this | Hansard source

Senator Brandis, I am just wondering if you could explain the thinking behind requiring a warrant for journalists metadata but not the metadata of others who have particular concerns about the privacy of their relationships. I refer in particular to lawyers, and their clients, and medical professionals. I have received representations from quite a range of legal professionals, including the Law Society of New South Wales, expressing concern that their metadata will be exposed to this regime without the protection provided to journalists via a warrant system.

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

The blunt answer to your question is that the government did not consider that it was necessary to have a special regime for journalists because this law is not about journalists. As I said in an interview with a media organisation early last week, this is a law about terrorists, organised criminals, paedophiles and people who are likely to be the subject of investigation by the police. Frankly, I am not acquainted with any journalists who are terrorists, organised criminals or paedophiles—and I do not think there are any; I am sure there are none. The 20 pages that have been introduced into this bill have been introduced really to put to rest what I consider to have been a false issue. But people, in good faith, were troubled by this—including your good self—in my view unnecessarily and unwarrantedly. Nevertheless, we have introduced this into the legislation.

In relation to members of the legal professional, there is a pretty clear answer to your question. This is a bill about metadata; it is not about the content of a communication. I can understand the argument that the metadata of, for argument's sake, a telephone connection between a journalist and a telephone number could identify a source. But what the law regarding lawyer-client privilege protects is legal advice, which is, of its very nature, content. The law relating to lawyer-client privilege does not protect or prevent a person from being asked, for example, whether he had engaged a lawyer or whether he had had a communication with a lawyer. The interest, the confidential information that that legal principle protects, is what the lawyer advised the client or what the client may have told the lawyer in the course of seeking advice and representation. So the whole basis of this legislation, which excludes content, means that legal advice or what passes between a lawyer and his client could never be captured by it.

David Leyonhjelm (NSW, Liberal Democratic Party) Share this | Link to this | Hansard source

I will frame the question a little differently in the context of something that I hesitate to say I know more about—in theory at least—than lawyer-client confidentiality, and that is medical professional confidentiality. Yes, you are right in saying that the content is not the subject of this legislation; it is the metadata. But the metadata includes the heading, for example, in an email. Suppose a doctor emailed somebody, stating, 'Your venereal disease test results'—they did not state what those results were, just simply, 'Your venereal disease test results'—how could it not be a serious imposition on both the doctor and particularly the patient to have that kind of information available without a warrant?

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

Senator Leyonhjelm, the answer to your question is that your premise is wrong, because that would be content. And it is not correct to say that the heading line on an email would be caught by this legislation. It is not, because that is content. So that is the simple answer to your question. More broadly, except where the states and territories may have made specific statutory provision, of which I am unaware, the relationship between doctor and patient is not protected in the way that the relationship between lawyer and client has traditionally been protected. So, for example, a doctor called to give evidence in the witness box could be required to disclose matters about a patient, which he only knew by reason of a professional consultation, whereas a lawyer could not be asked a question obliging him to disclose information provided to him by a client. The conceptual bases of lawyer-client privilege are quite different from the reasons the law does or, in this case, does not protect other relationships which, in the public arena, are regarded as confidential. Bear in mind also of course, Senator Leyonhjelm, that lawyer-client privilege is really an aspect of the rules of evidence. It is an aspect of the admissibility or exclusion of evidence in a proceeding before a court.

Penny Wright (SA, Australian Greens) Share this | Link to this | Hansard source

Perhaps if I could follow up on that issue around lawyer-client privilege, which has been raised very firmly by various legal commentators in Australia, including the Law Council. I would just like to ask the Attorney-General to respond in a bit more detail about issues that have specifically been raised by Mr Duncan McConnel, President of the Australian Law Council, who says that some of this information in relation to lawyer-client communications may, potentially, be caught under the bill. Firstly, I will quote from Mr McConnell. He says:

It is not difficult to envisage situations where client/lawyer telecommunications data would reveal a range of information that could compromise confidentiality and even legal professional privilege.

For example, what would happen if a whistle-blower seeks legal advice prior to, or during communication with a journalist? Under the proposed amendments, the journalist’s communication may be confidential, but what of the communications between a journalist or the journalist’s source and the lawyer?

Data could allow inferences to be drawn from whether a lawyer has been contacted; the identity and location of the client, lawyer and witnesses; the number of communications and type of communications between a lawyer and a client, witnesses and the duration of these communications …

So they may not go to content, as we understand it at this point in time, but they certainly go to the relationship, the manner, the occurrence, the time, the length and the number of communications that have occurred. He goes on to say:

The Law Council’s position is simple—lawyer communications deserve the same level of protection to that afforded to journalists …

I suppose my question is: is that a concern that has been consistently raised? There are really good policy reasons for protecting lawyer-client communications. Why is it, Attorney, that lawyer communications do not deserve the same level of protection as that afforded to journalists?

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

Because, Senator, there is no possibility that the principles governing lawyer-client privilege could be violated by a bill that may not access or cause the disclosure of content. That which is protected is the lawyer-client relationship and what passes between a lawyer and the client in the course of that professional relationship. What the client tells his lawyer and the advice that the lawyer gives his client is content.

This bill, ex hypothesi, does not deal with content. It is defined specifically to ensure that it does not deal with content. So the mischief to which you refer could never arise. And, as I said to Senator Leyonhjelm, it is conceivable that a journalist's source could be disclosed by metadata. It is, at least theoretically, conceivable. Let me give you an example. Let us say a journalist's metadata was accessed and it appeared that the day before the journalist published a particular scoop, the journalist was ringing a particular telephone number and that was the telephone number of a person who was leaking confidential information to the journalist. That person could be identified and, by a process of inference, it might be concluded that the telephone communication between the journalist and the particular telephone number identified the source of the leak and therefore identified the source. This is the difference you have to understand, Senator Wright. Where we protect journalists' sources, we protect their identity. Where we protect lawyer-client confidentiality, we protect what passes between the lawyer and the client—not the identity of the lawyer or the client but what the client says to the lawyer and what advice the lawyer gives to the client. That is the difference.

Penny Wright (SA, Australian Greens) Share this | Link to this | Hansard source

I am trying to work out the potential implications of that. If, for instance, a government was minded to raid a lawyer's offices on the basis that it had suspicion that that lawyer had information that the government might be wishing to gain access to and the reason that the government might have that information might be related to identification of communications between that lawyer and a particular client, whether that particular client might also be considered to possibly be a whistleblower because they have talked to a journalist or had some other interest, that would not necessarily be in relation to the content of the communication between the client and the lawyer. But certainly that information about the contact, the number of contacts, the time of contact and the fact that communication was occurring would be relevant and could indeed be useful information for a government that was intending to do that kind of investigation such as visiting lawyers' premises and looking at their files and their records.

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

Senator Wright, I love this topic and I could talk to you about it for hours. Let me point out why the example you have given is not germane. In order to attract lawyer-client privilege, the relevant information has to be information arising during the course of the lawyer-client relationship. It has to be information arising or exchanged in the course of the lawyer's retainer. If a person happens to be a friend of a lawyer and visits them at their home for a barbecue, let us say, and they have a conversation, obviously what passes between the lawyer and the client during that social conversation is not protected by lawyer-client privilege merely because one of the interlocutors happens to be a lawyer and the other happens to be a client of his for other purposes.

With the example you have given, if a particular lawyer's client was a whistleblower, well, he was a whistleblower—it has nothing to do with the lawyer-client relationship, the terms of the retainer; the scope of that which is protected is confidential information arising in the course of that relationship.

David Leyonhjelm (NSW, Liberal Democratic Party) Share this | Link to this | Hansard source

One of my concerns is the definition of 'journalist'. It would appear that freelance journalists, bloggers, amateur journalists and so forth will not enjoy the protections of the warrant process that professional journalists will enjoy. Attorney, can you please advise me on that?

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

Senator Leyonhjelm, I think you have some amendments in relation to this. The government is of the view that this limitation on the ordinary scope of the legislation should be confined to journalists working in the professional capacity of a journalist. That is a straightforward test currently used in division 119 of the Criminal Code. As we have the not unmixed pleasure of dealing with journalists ourselves in the course of our working day, we know there has been a debate about what are the metes and bounds of journalism, particularly in the era of so-called citizen journalism when there is a huge multiplicity of blogs written by people who would like to be protected by the privileges that protect journalists, but the decision the government has made has been to confine the definition of journalist to the narrow and traditional notion of a person engaged in the profession of journalism—or, to use a vernacular expression, a working journalist.

As my colleague the Minister for Communications, of course a former journalist himself, said in the other place when dealing with this issue, a journalist is a person who is engaged in the collection and dissemination to the public of material in the form of news, current affairs or a documentary, or in commentary or an analysis of such material—and the bill is drafted to reflect that traditional and orthodox understanding of what the profession of journalism consists of.

David Leyonhjelm (NSW, Liberal Democratic Party) Share this | Link to this | Hansard source

I participated in some of the hearings of the Senate committee inquiring into revisions to the Telecommunications (Interception and Access) Act. Some of the witnesses described how they were voluntarily retaining information about their customers in order to benefit those customers who made subsequent inquiries as to their data usage, essentially. It was not all of them—some of them were doing it. The maximum period that anyone was doing it for was three months. It would seem logical that if you are going to solve a crime three months of metadata would be fairly handy to have. I am just wondering whether consideration might have been given to having the retention period for three months and on what basis did the government decide not to limit it to that period?

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

Before I turn to that, Senator Leyonhjelm, let me add some information to my answer to your last question. I should point out to you that this issue of the definition of a journalist is also dealt with in the explanatory memorandum. I refer you to paragraph 443. It basically says what I just told you, but it sets it out a little more fully.

The selection of two years as the retention period was the conclusion to which the Parliamentary Joint Committee on Intelligence and Security unanimously came. Of course, one must always make a judgement. The purpose for which this metadata is being retained is to facilitate and assist investigations. It is entirely possible that the retention of metadata for a longer period than two years might assist some investigations which would not be helped if the metadata is destroyed after two years. On the other hand, of course, there will be many investigations in which the relevant acts or events which might be disclosed by the metadata will have occurred much less than two years after the investigator seeks access to them. There is a degree of an arbitrary time limit here. All I can say to you is that two years was the period chosen by the PJCIS, on the advice of the agencies, as a reasonable period within which their investigative needs were—in most, though not necessarily all, cases—likely to be met.

In relation to the metadata-retention practices of ISPs, there is no common standard. It is one of the problems here—there is no common standard. I do not say they all retain metadata for precisely two years; some retain it for less; some retain it for longer, as a matter of fact. After long discussion, which I well remember, in particular with the intelligence agencies, it seemed in all the circumstances to be the right period to reconcile the need not to hold onto this material indefinitely with the need for it to be retained sufficiently long to be serviceable and useful to an investigation.

David Leyonhjelm (NSW, Liberal Democratic Party) Share this | Link to this | Hansard source

Attorney, the publicly stated justification for the data-retention system and obligation to retain data is to deal with terrorism and paedophilia. I acknowledge that the number of law-enforcement agencies with access to the data will be, thankfully, substantially reduced. I think that is commendable. But what will prevent them from using this for the quite wide range of relatively trivial offences that similar data retention involved in the United Kingdom?

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

I think you have to take a practical view of this. The resources of agencies, and police agencies in particular, are concentrated naturally on the most serious crime. The particular motive or reason or purpose of the government and the opposition—which at the time of the first PJCIS inquiry were, of course, themselves the government—in bringing this forward was to deal with terrorism. I make no apology for saying that. It is also true that access to metadata is not just useful for investigating terrorist networks. It is useful for investigating other, particularly networked, criminal groups: paedophilia, notoriously, which we know from investigations operates through networks and often over the internet; organised crime. Common or garden crime is less likely to involve reliance upon networks perhaps of people in different countries.

So it is a question of judgement by the law-enforcement agencies. It is a question of how they allocate their resources. But we do know that some types of crime—terrorist related crime is one of them, organised transnational crime and transnational crime is another of them, and paedophilia is another of them—in which the modus operandi, as it were, of those involved peculiarly involves reliance upon networks. It is the mapping of those networks which is particularly important in locating and identifying the actors, and that is something that is facilitated by access to metadata.

David Leyonhjelm (NSW, Liberal Democratic Party) Share this | Link to this | Hansard source

Thank you, Attorney. I acknowledge that ASIO, AFP and ASIS will only be focusing on serious crime, the kind that you mentioned. But I also note that ASIC and the ACCC are to be included among the list of law-enforcement agencies. My experience with ASIC is that if you do not lodge your annual return they are relentless—relentless—in pursuit of you. The ACCC recently took an egg producer to the Federal Court for not producing their eggs under what they thought were acceptable free-range conditions. In other words, they did not think they had enough space to be justifiably called free range. Can you give me a guarantee that the retained metadata will not be used by ASIC and ACCC and others of the less significant agencies for such types of infractions?

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

Let me say three things to you, Senator Leyonhjelm. First of all, I really admire your commitment to economic liberty. I really admire it, and I admire your scepticism about economic regulatory agencies and the risk of over-reach of their powers, so let me put that on the record. I am much of your mind. The second point I would make to you is that in the original draft of this bill, as it was introduced on 30 October last year, the ACCC and ASIC were not included in the list in section 110A of agencies that would have a right to access metadata. But the PJCIS, in recommendation 20 of its report, recommended that they be included. I think we do have to acknowledge that ASIC and the ACCC are the two most important economic regulators in this country. We have to acknowledge that there is a great deal of conduct, including criminal conduct, conduct such as cartel conduct and conduct such as market manipulation and other forms of commercial fraud, which it is the remit of the ACCC or ASIC, respectively, to investigate and to police. Although the primary target of this legislation is terrorism, organised crime and paedophilia networks, there will be circumstances in which it will be useful for ASIC and the ACCC to have access to metadata for those purposes. Although I cannot give you the guarantee you seek, I can tell you that under the existing law there is no limitation either. At worst, from your point of view, this law does not change anything for the worse. It does not change anything at all in relation to the capacity of the ACCC and ASIC to have access to this information.

David Leyonhjelm (NSW, Liberal Democratic Party) Share this | Link to this | Hansard source

I heard your closing speech in the second reading debate from my office. I noted that in your remarks you said that in many respects this tightens up access to metadata and that many agencies do not have any restrictions on their access to metadata, which they will have under this legislation. The difference, of course, is that the ISPs in many cases do not store the metadata for those agencies to access. Under this legislation they will be required to store it for two years, as you know. What I would like from you is to explain whether that changes anything. What you are suggesting is that the situation will not be any worse. There will be two years of metadata available. If ASIC, the ACCC or one of the other agencies with lesser status, if you like, to ASIO, the AFP and so forth, who are chasing terrorists and paedophiles, have a mind to use it for trivial offences, and there is precedent for that overseas, is there anything actually to prevent them from doing so?

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

I would have hoped you might be rejoicing, libertarian as you are, that the number of agencies and entities which would access the metadata has been reduced from 85 to 21. That is a reduction by more than three-quarters. At the moment, as a result of this legislation, only the core law enforcement agencies—and the two main economic regulators, I will acknowledge—will have access. I think you need to be realistic, Senator Leyonhjelm. Police forces, but particularly the economic regulatory agencies, are resource constrained. They make judgements about the allocation of their own resources. I for many years used to act for the ACCC on a regular basis. I know them very well and I know that the enforcement committee, as it used to be called, makes judgements about which particular matters to pursue and which particular matters to let go. Those are a function, of course, of the severity and unlawfulness of the conduct involved, but they are also a function of the available resources. You would not expect, as a matter of common sense, an economic regulator to devote limited resources in the pursuit of trivial matters. I think it is that practical common-sense consideration, rather than any statutory guarantees, which should put your mind at ease.

Scott Ludlam (WA, Australian Greens) Share this | Link to this | Hansard source

I have just a couple of questions tonight. I will save most of mine until we get to the clause by clause, because they relate to specific amendments. By way of confirming and maybe closing that thread from Senator Leyonhjelm, is it the case that there is no essential gravity of conduct threshold? We have narrowed the range of agencies which is appropriate—I commend the government for doing that; I do not think I have heard a critical work from any stakeholder about that step—but there is no actual threshold of gravity of conduct below which it would be unlawful or outside the ambit of the act?

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

No.

Scott Ludlam (WA, Australian Greens) Share this | Link to this | Hansard source

I would like to know what the government's process is for establishing the overall start-up costs. You gave us earlier some rough calculations relating to operating costs, once the infrastructure is up and running, both of new storage capacity and whatever other infrastructure the ISPs and telcos need to install. Firstly, Senator Brandis, are you in a position to provide the Senate with the source documents that you are quoting from? It is my understanding that this parliament has not seen either of the two consultancies that were undertaken by PwC. It is good that you are reading from them; I had not heard those numbers before. Can you provide us with those documents or a summary of them, please?

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

In relation to the capital cost, there has been, as I said earlier in the debate, a quite long negotiation between government and industry, and there are very diverse estimates of the capital cost—I see you nodding—as I think you know. As to which of those within that diverse range the government will settle upon as a reasonable estimate of the capital cost across industry and as to the percentage contribution the government will make to that figure as its substantial contribution, as promised, to the capital cost, those are matters currently before the government. They are a matter of deliberation as part of the budget process, because there will be an outlay here, of course. Those matters, because they are part of the budget deliberations at the moment and are cabinet in confidence, I am not at liberty to share with you.

Scott Ludlam (WA, Australian Greens) Share this | Link to this | Hansard source

Perhaps the Attorney cares to also address the direct question that I put as to whether he is able to share the PwC documentation with us, because I do not think the parliament has seen either the documents or a summary of them.

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

Senator, I have told you as much as I feel able to. That is also a cabinet-in-confidence document and I am not in a position to release it to you.

Scott Ludlam (WA, Australian Greens) Share this | Link to this | Hansard source

With the greatest respect—and the Attorney-General has been here longer than I have—I cannot recall in my experience a government bringing forward a bill with support from the opposition that it did not know how much it would cost. You do not know to within the nearest $100 million what it is going to cost. That is remarkable.

Senator Brandis interjecting—

I can finish, Senator Brandis; I am still going. It is remarkable that you would bring forward a bill without knowing how much it is going to cost or how you are going to evaluate the costs. A specific question: unless you are going to be walking something of a tightrope, the government are going to be facing claims by industry at very different scales, operating very different kinds of back-end systems, who are going to be putting all kinds of claims to you. Without casting aspersions on the telecommunications sector, you are going to be in a position of having to judge whether these are ambit claims or whether they are reasonable. Presumably, industry is not going to put cost claims to you that do not cover their costs. I understand it is going to have to be case by case, and maybe that is why you cannot give us an aggregate figure. What is your process going to be for assessing the fairness or otherwise of these cost claims by different providers?

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

To deal first with your first observation, I did not say that the government does not know what figure it is dealing with. I said there are a range of estimates and the government, as part of this process, will select what it considers to be the most reasonable and credible estimate and contribute a substantial proportion of that as its contribution to the capital costs of industry.

In relation to the other matters that you raise, a lot of the considerations that you have adverted to are, I think, very pertinent considerations. I do not cast aspersions on the telecommunications industry either, but the hazards that you identify in a negotiation of that kind are undoubtedly present and they are something that the government is seeking to guard against. That is why we have had the long consultation with industry, by the way. So that is the process. The process is the consultation with industry to satisfy ourselves—I think you would acknowledge that it can only be an estimate—what is the most reliable and credible estimate to use as our base figure for the proportionate contribution that we have promised to make. In that regard, I will not read it into the record because I do not want to prolong things, but recommendation 16 of the PJCIS report also specifically addresses the issue you raise and was adopted by the government.

David Leyonhjelm (NSW, Liberal Democratic Party) Share this | Link to this | Hansard source

Attorney, one of my concerns, I suppose, is that this bill has, like the previous national security legislation, had very limited scrutiny by anyone other than the Parliamentary Joint Committee on Intelligence and Security. As a consequence, I and the other crossbench senators have struggled, I suppose, to address its implications and, as a result, these committee phases of the bill's consideration by the Senate have been protracted and difficult and, I know, frustrating to you. I wonder whether you have any views as to what the process might be for when this bill is reviewed and whether or not that process might be broadened to include those who currently have had no opportunity to comment on this prior to seeing it in the Senate.

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

You are right when you say that the principal committee consideration of this bill has been by the Parliamentary Joint Committee on Intelligence and Security. The first report—that is, the report of the previous parliament—was prepared after there had been nine full hearing days, which is, by anyone's measure, a very long committee hearing process. The report of the PJCIS that was tabled on 27 February was also the subject of extensive hearings—in fact, public hearings.

Senator Leyonhjelm, it is the case that the PJCIS does not at the moment contain any members of the Senate crossbench. It is not a committee that excludes independent members of parliament. For instance, Mr Andrew Wilkie was a member of the PJCIS throughout the course of the entire inquiry during the last parliament, which was the genesis of this legislation. The composition of the PJCIS, like the composition of all parliamentary committees, whether joint or committees of either chamber, are a matter of deliberation between government, opposition and independents and crossbenchers. I do not, with respect, think it reflects poorly on the process that the members of the committee on this occasion did not include any of the Senate crossbenchers. As you rightly point out, we look like we are having a very long committee stage debate, in which I am available to you to respond to any questions you may have. But the composition of any parliamentary committee cannot guarantee that any individual minor party or independent member will be a member of that committee, and I think you understand that.

Nick Xenophon (SA, Independent) Share this | Link to this | Hansard source

I will just put a general question to the Attorney-General, as this appears to be the appropriate time. There is a long piece on security issues called 'The whole haystack' by Mattathias Schwartz in the 26 January edition this year of The New Yorker. I know the Attorney-General has limited time to indulge in reading The New Yorker,but I will send it to him. He may find it of some interest. Essentially, the point made is that almost every major terrorist attack on Western soil in the past 15 years has been committed by people who are already known to law enforcement. A whole range of examples were given, such as that one of the gunmen in the attack on Charlie Hebdo in Paris had been sent to prison for recruiting jihadist fighters. He goes on and refers to the men who planned the Mumbai attacks in 2008, saying they were under electronic surveillance by the United States, the United Kingdom and India.

The point made is that, in each of these cases, the authorities were not wanting for data. What they failed to do was appreciate the significance of the data they already had. I appreciate what the Attorney-General said in his summing up speech about what he considers to be the breadth of this legislation. My question to the Attorney-General is: with this ability to access metadata, will there be a different approach to assessing that information to avoid the mistakes of intelligence agencies referred to overseas, where they failed to appreciate the significance of that data? General Keith Alexander, the former head of the National Security Agency, has called all this digital information 'the whole haystack'. How do we find the needles when the haystack seems to be so much bigger? I hope he understands the spirit in which I ask this question. It is not being provocative. How do we ensure that intelligence agencies are not swamped with so much information that they do not make a good analysis as to where the threats are?

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

I do not think you are being provocative, Senator Xenophon. I hope nothing I have said causes you to be fearful that I think you are being provocative. I think you are asking constructive questions in a genuine spirit of inquiry, if I may say so. I do not have much time to read The New Yorker. What little time I have to read magazines I devote to reading The Spectator. Therefore, I have not read the article to which you have referred in your question and I cannot comment on it.

You seem to be making two points, as I understand you. The first point is whether the fact that, in most terrorist outrages in recent years, the perpetrators were known to authorities means that access to metadata is not of utility. The answer to that question is that, although in some cases what you say is true, in other cases it is not true. For example, in the outrage that we suffered in Australia in Martin Place last December, Man Haron Monis was known to the authorities, but he was not known to the authorities as a terrorism suspect. He was not considered to be assessed by the authorities to be somebody who they appreciated was likely to commit a crime of the kind that he committed. So, although he was on their radar, it was not in that capacity, which is why he was not on a so-called watch list.

Nick Xenophon (SA, Independent) Share this | Link to this | Hansard source

But he was previously.

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

He was not on a so-called watch list at the time. The main point about metadata is it is primarily an investigative not a surveillance tool. It cannot be a surveillance tool, and I think, with respect, Senator Xenophon, you are confusing the American experience with the Australian experience. As I tried to explain to you before, in America the agencies collect the metadata, and I daresay some of the metadata held by the agencies in the United States are used for surveillance purposes. But in Australia no government agency collects metadata. It does not today and it will not as a result of this bill.

This is, as I say, a retention obligation imposed on the private sector, not an obligation to surrender that to a government agency. In a way, you can regard this bill as being as prosaic as a bill about business records. Just as, under the Taxation Administration Act, we oblige people to retain their tax records for five years, so we are obliging telcos to retain metadata for two years. This is a bill essentially about the retention of business records. But they are business records which potentially have a usefulness in an investigation. For that reason, ordinarily, the utility of this will be ex post facto for investigative purposes, rather than, as I said before, for surveillance purposes, which is not why it exists.

Coming to the second point I understand you to be making, I think we should leave it to the agencies to judge what information is useful to them because it is not the agencies that collect or hold this information. It is the agencies that seek the information, that require it to be provided to them by the ISPs that hold it. In making that request, as they do now, the agencies make a professional judgement as to what particular items of metadata are useful to an investigation.

Nick Xenophon (SA, Independent) Share this | Link to this | Hansard source

I am grateful to the Attorney-General for his response, but I want to go back earlier to the issue of the PJCIS—the Parliamentary Joint Committee on Intelligence and Security. Reference was made to my friend and fellow independent Andrew Wilkie, the member for Denison. I want to put on the record that there is a big difference between the PJCIS and the United States Senate Select Committee on Intelligence. In the United States, the members of the Intelligence Committee are briefed on operational details. My understanding is that the PJCIS is banned from anything other than administration and the financing of agencies. It is much more circumscribed in terms of what it can look at than in the United States. So I worry that the charter of the PJCIS, compared to the United States committee, is much more limited. I will not labour the fact but I think that that distinction needs to be made.

My final question—and I am grateful to the Attorney for his response—is: when you have obtained the whole haystack, does the fact that there is all this additional information in any way fetter the work of intelligence agencies, in that they are looking at that rather than focusing on risk assessment?

I take issue in relation to Man Haron Manis. He was on a watch list and he dropped off that watch list; and I know the Attorney has acknowledged that. I am not privy to the information, of course, that others would be, other than what I read in the media about this, but I still cannot understand to this day why that man, both madman and terrorist, was on the streets, given his extensive history. The issue is one of assessment by intelligence agencies. Whilst he was not regarded as a terrorist threat at the time of the Martin Place siege and the tragedy that unfolded, that it resulted in, I wonder whether that raises the issue of a failure of our intelligence services to appropriately assess him as a terrorist threat and the fact that, in my view and, I think, the view of many others, this man, with his extensive history, should not have been on the streets.

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

I do not want to revisit that, Senator Xenophon, other than to remind you that this matter was looked at very closely and promptly by the Thawley-Comley review, which was conducted by, respectively, the Secretary of the Department of the Prime Minister and Cabinet and the secretary of the Premier's department in New South Wales.

Senator Xenophon, you are right when you say that the Senate intelligence committee of the United States and the House of Representatives intelligence committee of the United States have more extensive oversight powers over the intelligence agencies in that country than does the PJCIS . When I was in Washington last year, I actually met with the then respective chairs of those committees, Senator Feinstein and Congressman Rogers. But I do not think we should fall into the trap, Senator Xenophon, of assuming that, just because the Americans do it in a particular way, that therefore represents some kind of gold standard. We in Australia have an office of Inspector-General of Intelligence and Security, which does not exist in the American system, who has a very wide ranging statutory charter to investigate the conduct of the intelligence agencies, including a power to investigate the way in which they have conducted particular intelligence operations. Now, that is a function located in that official in the Australian system that does not exist in the American system.

Lastly, having served for a term during the term of the last parliament as a member of the PJCIS, I have to tell you, Senator Xenophon, your understanding of the scope of its capacity to inquire is too limited. The PJCIS, although it does not examine operational matters in granular detail, does nevertheless receive briefings—for example, from the director-general of ASIO or the Commissioner of the Australian Federal Police—which are more than, as it were, auditing exercises. It is informed by the heads of the respective intelligence and policing agencies, in the broad, of the work they undertake, their assessment of risks and threats and where those risks and threats lie, and how the agencies are responding to them.

Nick Xenophon (SA, Independent) Share this | Link to this | Hansard source

I appreciate the Attorney's response. Very briefly, in respect of IGIS I think it is fair to say that, whilst IGIS has extensive powers, very little information can be forthcoming, even through a Senate estimates process, which I think is quite unsatisfactory. But can the Attorney indicate whether, given these metadata laws or the regime that will be passed, along with other laws that have been passed in relation to counter-terrorism, the government has considered, is considering or will consider supporting a broadening of the powers of the Parliamentary Joint Committee on Intelligence and Security to look more broadly at operational matters, similar to what the US Senate and US House of Representatives intelligence committees do? Is that on the radar for the government—considering giving them these broader powers?

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

This was looked by the PJCIS, actually, in considering this bill. Can I refer you, Senator Xenophon, to committee recommendation 34, which provides:

The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to provide that the Committee may inquire into any matter raised in the annual report prepared under proposed section 187P, including where this goes to a review of operational matters.

Legislative change to the Intelligence Services Act 2001 should be implemented to reflect this changed function.

The Committee further recommends that the Commonwealth Ombudsman and Inspector-General of Intelligence and Security provide notice to the Committee should either of them hold serious concerns about the purpose for, or the manner in which, retained data is being accessed.

The government responded positively to that recommendation. The government's response—let me read it to you—is this:

The Government considers there is benefit in conferring an appropriate function on the Committee for the purposes of establishing a further oversight mechanism for the operation of the data retention scheme.

Consistent with the focus of the PJCIS on non-operational matters concerning security and intelligence, the new function would enable the PJCIS to inquire into the effectiveness of the operation of the data retention scheme, with respect to the purpose and manner of access by ASIO and AFP (to the extent those agencies are the subject of PJCIS oversight).

So, that recommendation was adopted, at least in part, by conferring an additional power, and that is reflected in one of the clauses of the bill before the chamber. But the government has not gone the further step, for reasons that I have indicated, of modelling or remodelling the PJCIS along the lines of the US Senate or House intelligence committees.

Scott Ludlam (WA, Australian Greens) Share this | Link to this | Hansard source

I will put a really quick question to the Attorney. It is my last question tonight on costs. It is about the process the government intends to go through and how much we will know by budget night. I am interested in the formal mechanism, if there is one, for assessing costs from individual telecommunications companies. Are you standing a working group? Will it be done by way of a consultancy? How will it be done?

George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Link to this | Hansard source

Senator, all I can say to you is that the funding model, which the government has developed, will be approved through the budget process. When the budget is published, you will know.

Progress reported.