Jason Clare (Blaxland, Australian Labor Party, Shadow Minister for Communications) Share this | Hansard source

The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 is controversial legislation, and I can understand why some people are very concerned about it. Even senior members of the government have previously expressed concerns about the retention of telecommunications data for the purposes of law enforcement. The minister who introduced this bill, Malcolm Turnbull, said in 2012:

I must record my very grave misgivings about the proposal.

In 2012, he said that a data retention regime would have a:

… chilling effect on free speech …

The Deputy Leader of the Liberal Party, Julie Bishop, said in 2012:

The idea that the Government should collect and retain the online records of all Australians for a period of two years I think is disturbing. It appears to go too far and I would have to be persuaded that this was a reasonable request.

These concerns are not restricted to one side of politics. People in all political parties have concerns about the mandatory retention of telecommunications data. Legislation like this raises legitimate and serious privacy issues and it is important that they are addressed.

This is all so complex. It is not easy to get your head around. We saw a compelling example of that last year when the Attorney-General could not explain to David Speers on Sky News what metadata is or whether telecommunications companies would be forced to keep a record of the websites people visit. That is why, when the government introduced this legislation into parliament just before Christmas, we said that it should not be rushed through; it should be subject to a proper inquiry by the Parliamentary Joint Standing Committee on Intelligence and Security. And that is what has happened. I am privileged to have been a member of that committee as part of its work.

The work that this committee has done has made clear to me that this legislation in its current form—in its original form—is not good enough. The committee received more than 200 written submissions and held three days of public hearings. It also held a number of private hearings. The weight of evidence that we received made very clear that the legislation in its current form puts too much power in the hands of the Attorney-General

It also does not sufficiently address legitimate concerns about privacy and the protection and security of the data that will be retained. It also does not have the oversight powers and resources that are really needed here to make sure that the use or misuse of people's telecommunications data can be properly investigated. That is why as a committee we recommended a lot of changes to this bill—38 in all. I will go through some of those in a moment and why I think they are important. But first I want to explain what is happening now in Australia.

Right now telecommunications companies keep a lot of data about us—metadata. They do not all keep the same data and they do not all keep it for the same period of time. Some data is held by companies for a couple of weeks. Some data is held for up to seven years. Police and other law enforcement agencies access this data right now, and a lot of it. Last year there were more than half a million applications by law enforcement to telecommunications companies to access metadata. It is part of most investigations. It does not always solve crimes, but it is an important investigation tool. For example, police turn up to a crime scene. There is a dead body and there are no witnesses. One of the first things they do is seek the phone records of the person who has died to see who the last people were that they were speaking to. Sometimes it provides the evidence that is critical to a conviction. We saw evidence of that in the case in the murder of Jill Meagher in 2012. In that case it was telecommunications data that led to the conviction of Adrian Bayley. This data is being accessed now, not just by police but by 80 different organisations, including councils and the RSPCA. There are very few rules around it, there is very little oversight and, therefore, there is very little evidence about how it is used or misused.

The argument that the government has used is that this legislation is required because telecommunications companies are not holding our data for as long as they used to, that they are going to hold less and less in the future, and that, therefore, law enforcement agencies will not be able to do their job. This is sometimes called 'going dark'. The Prime Minister said recently that if this legislation is not passed there will be 'an explosion of unsolved crime'. This is not right. It is true that some telcos have reduced the amount of data they hold. But it is also true that the major telcos—Telstra, Optus and Vodafone—all told the committee in public hearings that they have no intention of reducing the amount of data they currently retain.

In my view the real purpose of this legislation is not to stop law enforcement going dark. It is more about consistency. lt will require all telcos to keep the same type of data and hold it all for the same period of time. That will invariably mean that law enforcement agencies will have access to more data—data that is not currently being held by some telcos for two years. The real reason to support this legislation is this: law enforcement agencies access our telecommunications data right now, with very few rules and very little oversight. If the recommendations of the joint standing committee are adopted, tighter rules will be put in place, and for the first time there will be oversight of the agencies that access our data and their use or misuse of it.

I want to focus now on some of the committee's key recommendations: first, the controversial issue of what metadata is. The bill in its current form leaves it to regulations. In other words, it leaves it to the Attorney-General to decide. The committee rejected this approach. It puts too much power in the hands of the Attorney-General and creates too much uncertainty. We therefore recommended that the dataset that the telcos have to keep be embedded in legislation. Second, who can access this data? Again, the bill leaves that question to the Attorney-General to decide. And, again, the committee rejected that approach. The committee recommended that the parliament, not the Attorney-General, should decide what data has to be kept and who can access it.

Third, at the moment it is doubtful whether individuals have access to their own telecommunications data. The legislation deals with law enforcement access to data but does not address individuals' rights to their own telecommunications data. The committee's recommendations will fix this problem. The committee recommended that telcos be required to provide their customers with access to their own telecommunications data upon request for a fee. And I am glad to see that, in the wake of this recommendation, Telstra recently announced that that will put this into place for their own customers effective from 1 April.

Fourth, the security of the data kept under this legislation is also a real issue. The last time the committee looked at this issue in 2013, it recommended that the data be encrypted. This legislation in its original form says nothing about this. In 2013 former Attorney-General Mark Dreyfus also introduced legislation to create a data breach notification scheme. In other words, if your data is hacked, you are notified. This legislation was introduced into this place but lapsed after the last election. The committee has recommended that this data be encrypted and that a data breach notification system be created.

The committee also looked at the important issue of where this data should be held. We made no recommendation about this, but this is an important issue. There are good arguments to say that it should be held in Australia. The former head of ASIO, David Irvine, made that argument as recently as yesterday in Australian newspapers. The committee looked at this issue and will look at this further when it examines the forthcoming telecommunications security sector reforms.

Fifth, how will this data be used by other people and other organisations in civil litigation? This was the subject of a lot of confusion when this legislation was introduced. The AFP Commissioner said that it could be used to track down people who illegally download movies and TV series like Game of Thrones. On Q&A in November, George Brandis said that was not right:

TONY JONES: Okay. Well, can I put something to you and that is that I think that a lot of Australians are probably quite surprised to hear Commission Colvin suggest that these metadata or the metadata gathered could be used in a whole range, beyond terrorism, of different prosecutions, possibly even against Internet pirates …

GEORGE BRANDIS: Well, they can't be and they won't be …

But that is not right either. There is nothing in the bill that prevents the use of this data to pursue in a civil court people illegally downloading movies. The recommendations by the committee help fix this problem. We have recommended a prohibition on the use of data retained under this legislation from civil litigation.

Sixth is the issue of costs. This is very expensive: the capital cost of setting up this system has been estimated by PWC as between $188 million and $319 million. We all pay for that in one way or another. A substantial proportion will be paid for through our taxes, and the rest through our telco bills. It is a capital cost, not an annual operational cost, but it is still expensive. I am particularly concerned about the impact that this might have on small telcos. Competition in this sector is extremely important, and I am worried about the risk of this pushing small telcos out of the market. The committee recommended that the government ensure that the funding they provide to telcos to set up this scheme is tailored in a way to help particularly small providers who may not have the capital budgets or operating cash flow to implement this legislation without upfront assistance. The government has committed to do this. I thank them for it; it is important that this happens.

Seventh, the sort of powers that law enforcement agencies already have to access our data should be subject to real oversight. As I said, at the moment they are not. The original bill gets one thing right: it gives the Commonwealth Ombudsman oversight and investigative powers over the use or misuse of telecommunications data. This includes full investigative powers, the power to compel officers to answer questions and access to all records and premises. This applies to federal and state law enforcement agencies. But what is not done and what we do not see in the original legislation is the necessary resources that the Ombudsman needs to do this job. In evidence to the committee, the Ombudsman, Mr Colin Neave, said he lacked the resources to do this and that he would need an additional 12 staff and $2.3million in the first year and $1.65 million per annum thereafter. The committee, in our report, recommended that these resources be provided, and it is important this happens.

It also recommends, for the first time, real parliamentary oversight. At the moment the Parliamentary Joint Standing Committee on Intelligence and Security is not allowed to examine operational matters. This will also now change: the committee will have the power to examine the use of this legislation by the AFP and ASIO. This is important, because it will give the parliament, for the first time, the power to examine the operational activities of law enforcement and security agencies. This is the first step for this parliament—it gives the parliament the power to oversight the operational use or misuse of this legislation. But it is just the first step. The next step is to do what John Faulkner proposed in a private member's, or senator's, bill last year—and that is to give the Parliamentary Joint Standing Committee on Intelligence and Security a general power to review the operational activities of our law enforcement and security agencies. This will give the parliament the same sort of oversight powers that the US Congress and the UK Parliament have.

There are a lot of other important recommendations that I do not have time to mention in this debate, but I do want to say something about the issue of press freedom and how this legislation should apply to journalists. This is an area where agreement was not reached in the committee. In my view, though, if law enforcement agencies want to get access to a journalist's telecommunications data to get their sources, they should have to get a warrant from a court. There is a simple reason for this: journalists are different. The privacy of their sources is integral to freedom of the press; it is why journalist shield laws exist. It is also important because sometimes it is journalists who are investigating law enforcement. The UK Parliament has recognised this, and two weeks ago it passed initial legislation that requires law enforcement agencies to get a warrant to access a journalist's metadata. I am glad the Prime Minister has finally backed down and agreed to amend this bill to require law enforcement agencies to get a warrant. The government now needs to work with us, the crossbench and Australian media organisations to get that amendment right.

Deputy Speaker, let me go back to where I started. This is complex and controversial legislation. I understand why many people are concerned about it. The government has not explained why these laws are needed very well. No-one should be under the illusion that this legislation will somehow stop terrorism—it will not. It would not have stopped what happened at the Lindt cafe in Sydney. ASIO and the New South Wales Police both admitted that in the public hearings, but metadata was useful during the siege and after. The fact is less than two per cent of current requests for metadata are about terrorism or paedophile cases. The rest is about a whole range of other criminal offences, big and small. But remember this: there are half a million applications a year by 80 different organisations with very few rules and very little oversight. The committee's recommendations to this parliament will help fix that. They will mean tighter rules and, for the first time ever, real oversight of the use and misuse of this data.

See this speech in context