Paul Fletcher (Bradfield, Liberal Party, Parliamentary Secretary to the Minister for Communications) Share this | Hansard source

I am pleased to rise to speak on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, a bill which amends the Telecommunications (Interception and Access) Act and the Telecommunications Act. It contains a package of reforms to ensure the continuing investigative capabilities of Australia's law enforcement and national security agencies.

This bill has generated a fair amount of community debate. In the time available to me, I would like to make three points. Firstly, I would like to emphasise what this bill is not about. Secondly, I would like to cover what the bill does. Thirdly, I would like to respond to some of the concerns that have been raised as part of the debate and address the measures that are included in response to those concerns.

Let me come, firstly, to the question of what this bill does not do. I should say that I bring to this debate a perspective from having worked in these areas for quite a number of years. In a previous life I was director of corporate and regulatory affairs at Optus, the second largest telecommunications company in Australia, and dealt regularly with the kind of matters that this bill addresses. At Optus, as is the case at the other large telecommunications companies, there is a law enforcement liaison unit which deals regularly with state and federal police and other agencies in relation to requests under the Telecommunications (Interception and Access) Act for information and content, in each case compliant with the various requirements under that act.

I want to emphasise that this bill does not provide law enforcement organisations and security agencies such as ASIO and the Australian Federal Police with new powers to access metadata. The powers that they have to access metadata are set out in the Telecommunications (Interception and Access) Act 1979, particularly in division 4 of chapter 4. There are no new powers to access metadata granted by this bill. Nor does the bill expand on the range of telecommunications metadata which the police and security agencies are able to access. Again, that is not something which is contained in this bill.

Indeed, I want to highlight just briefly some of the points made in the report of the Parliamentary Joint Committee on Intelligence and Security about the existing law in relation to police and security agency access to metadata. The report highlights the point that I have just made, that today so-called enforcement agencies as well as ASIO are permitted to access telecommunications data under an internal authorisation which is issued under part 4-1 of the Telecommunications (Interception and Access) Act. I hasten to add that enforcement agencies are defined to include the Australian Federal Police, state police and a range of other agencies, including state crime commissions and so on.

I will come to what telecommunications data includes under the terminology of the existing act before I go to the bill. Telecommunications data includes such matters as: the time, date and duration of a communication; the identifiers of the services and devices involved; certain information about the location of the respective devices, such as, for example, which mobile base station a mobile phone was connected to; and information about the parties to the communication, such as their name, address, contact details, billing and transaction information, and so on.

I want to emphasise again that I am speaking here about the current law which is contained in the Telecommunications (Interception and Access) Act 1979. This is law which has been in place for many years. It is worth bearing that in mind when you consider some of the things that are being said in this debate about what people are concerned that the bill before the House today may do. A number of the comments that have been made appear to have been made from a lack of knowledge on what the law presently says on this matter and has said for many, many years.

I also want to emphasise that this bill does not deal with the content of a communication. It deals with information about a communication, which is referred to by the term 'metadata', which we have all now come to know and love. It is referred to in the existing legislation as 'telecommunications data'. I want to make it clear that there is nothing new in this bill in relation to the scope of metadata. In fact, as I will come to, in some ways the scope is narrowed. I again want to emphasise that the bill does not change the grounds on which metadata can be obtained by enforcement agencies and security agencies.

I also want to make the point that large amounts of this data is today stored by telecommunications companies and internet service providers for their own business purposes. In the day-to-day operation of a telecommunications network, enormous amounts of information are generated. For example, each time a mobile phone is connected to a particular base station, that generates a piece of information. That information may be kept for some time or it may be kept for very short period of time. But it is information that is generated in the ordinary operation of a telecommunications network, and so are many other kinds of information. Information is generated and retained, for example, for billing purposes. All of this is done for the ordinary operational purposes of running a telecommunications network.

Let me turn, secondly, to the question of what this bill does. This bill deals with specific categories of metadata—that is, certain classes of information about telephone calls and so on. The primary purpose of this bill—and let us be very clear and specific on this, because again there has been a lot of confusion in the commentary—is to standardise the approach for how long metadata is retained. Let me make this point: today the law says, as I have sought to explain, that if the security agencies and police comply with the processes set out in the Telecommunications (Interception and Access) Act, they can obtain metadata from telecommunications companies and internet service providers. That is not information about the content, for example, of a telecommunications call, but certain information in relation to the call—the name of the A party, the name of the B party, the time of the call, the duration of the call and so on. The law as it stands today gives those powers, but it does not impose any particular requirement on the telecommunications companies and internet service providers as to the length of time for which they retain that data. That is what is new about this bill. That is the essence of the bill before the House today: it will impose on the telecommunications companies and internet service providers an obligation, which they hitherto have not faced, to retain the classes of metadata specified in the bill for a period of two years. We need to be very clear about what this bill does do and what it does not do. A lot of the public commentary about the effect of this bill misunderstands that fundamental point.

If we come to the policy intention behind imposing this new obligation on telecommunications companies and internet service providers, it is, firstly, that metadata is a vital investigative tool. Many speakers before me have quoted the statistics as to the very high proportion of particular kinds of investigations in which telecommunications data is used—for example, in 87 per cent of child protection investigations. But at the moment the position is that the success or failure of a particular investigation by the police or the security agencies can depend upon a random factor—that is, which telecommunications carrier or internet service provider happened to provide the service which was used by the person of interest to the police or to the security agencies and, in turn, what the particular business practices of that company are with regard to the retention of metadata. At the moment, the success or failure of an investigation—which could well be an investigation into a matter that goes to the physical safety and security of large numbers of Australians, depending upon the nature of the threat being investigated—can depend upon the random outcome of which particular network is used and the particular business practices of the relevant telecommunications company or internet service provider. A desire to systematise the retention requirements is the policy purpose and intent of this bill, and it is very important to be clear that that is what this bill does. It does not, for example, change the law as to the circumstances in which metadata is authorised to be obtained by the police or by the security agencies.

Let me turn, lastly, to some of the concerns that have been raised and the ways in which the bill before the House seeks to address those concerns. I note that the Parliamentary Joint Committee on Intelligence and Security conducted a very detailed examination of the bill and presented its report on 27 February. The government said that it would carefully consider recommendations made by the committee. The report makes 39 recommendations, including the recommendation that the parliament should pass the bill, and the government has supported all of the committee's recommendations. The recommendations in the committee's report focus largely on specifying the dataset in the primary legislation instead of regulations, specifying the agencies in the primary legislation instead of regulations and increasing oversight mechanisms and privacy protections. The government agrees that the bill should be amended to include the proposed dataset in primary legislation and also agrees that enforcement agencies be specifically listed in the legislation. The bill will also implement additional oversights for the new data retention regime and particularly will significantly reduce the number of agencies that are permitted to access metadata.

The point I want to make to the House this afternoon is that, if you listen to some of the commentary, you might think that this bill creates new powers for information to be accessed, that it greatly widens the scope of information that can be accessed and that it widens the range of people who can access that information. In fact, as I have sought to explain, it makes no change to the circumstances in which information can be accessed. It will limit the range of agencies that can access information and, indeed, by giving a specific definition of metadata, it makes quite specific what the obligations will be on the telecommunications companies and internet service providers.

A key issue is the cost of implementing these arrangements, because clearly there are costs incurred in storing data. PricewaterhouseCoopers has been retained to look at this question. Evidence was provided to the committee on the conclusions drawn by PricewaterhouseCoopers, which were that the up-front capital cost across industry was going to be between $188 million and $319 million. The government has consistently said that it will make a reasonable contribution to these costs, recognising of course that the industry participants are private sector companies and that there is a public policy purpose in imposing this data retention obligation.

The government also acknowledges the reality that it takes time to put in place new IT systems and processes, and therefore the bill allows individual telecommunications companies and internet service providers to develop an implementation plan to allow a pathway to compliance over a period of up to 18 months. That is very important, because what typically happens in telecommunications companies is that there is an annual IT upgrade cycle. This will allow the relevant information technology work to be accommodated within that annual IT upgrade cycle.

I conclude by reiterating the point that what this bill is about, despite some of the confused commentary, is the imposition on telecommunications companies and internet service providers of a uniform period for which they must retain metadata. That data is already extensively retained, but the key issues are that the period for which it is retained varies materially between different companies and that there is an underlying public policy purpose in retaining data, which is to ensure that the agencies and police are best equipped to do their work of seeking to maintain the security of Australians. It is a very important public policy purpose.

See this speech in context