Melissa Parke (Fremantle, Australian Labor Party, Shadow Assistant Minister for Health) Share this | Hansard source

I rise to speak on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014. The proposal to introduce a mandatory data retention scheme is of deep concern to many Australians and organisations, particularly with regard to its potential impact upon privacy, media freedom and freedom of expression, cost and competition.

The amendments brought about through the work of the Parliamentary Joint Committee on Intelligence and Security have done much to improve what was really just a shell of a bill presented by the government. I thank the shadow Attorney-General and shadow minister for communications in particular for their consultative approach to this issue and I also thank the individuals and organisations who have taken the time to make submissions on the legislation.

It will perhaps be a surprise to many people in the community that over 80 agencies, including local councils, can already access anyone's metadata without a warrant. To the extent that this bill imposes some limitations and oversight around this process it is clearly an advance. It is, however, apparent that even with the amendments significant concerns remain regarding the lack of evidence as to necessity and the lack of adequate safeguards ensuring proportionality, security and oversight.

It is worth noting at the outset that the primary purpose of the Telecommunications (Interception and Access) Act, which this bill seeks to amend, is to ensure the privacy of telecommunications and to prohibit the accessing or interception of telecommunications. That purpose meets the human rights imperative identified in article 17 of the International Covenant on Civil and Political Rights, to protect from arbitrary interference a person's privacy, family, correspondence or home, and article 19, the right to freedom of opinion and expression. In protecting these rights, the Telecommunications Act has always provided for exceptions under which law enforcement and national security agencies can access data in appropriate circumstances.

We are informed this bill is needed to ensure that law enforcement agencies can keep pace with rapidly evolving telecommunications technology and services. I note the evidence given to the intelligence committee that, while preservation notices issued under the Cybercrime Legislation Amendment Act 2012 can secure information into the future, law enforcement agencies frequently require historical data. There is a concern that such data will become increasingly unavailable as service providers adapt to new technology; the term used is 'going dark'.

As per the intelligence committee recommendations in its March 2013 report, which have not been implemented by the government, what is needed is a comprehensive revision of the TIA Act and the entire interception and access regimes. This is supported by the Law Council of Australia, which in its submission to the committee noted that the bill should have been 'preceded by rigorous and comprehensive review of the alleged deficiencies in current processes and unavailability of data needed for investigatory purposes'.

In its attempt to sell this bill, the government has given the community many inconsistent messages. It claimed that the retention of and warrantless access to metadata are less intrusive to privacy than access by warrant to content, and therefore we should not be concerned. The Attorney-General and Prime Minister described metadata as akin to the address on an envelope. This view has been comprehensively debunked in many of the submissions as well as by the Parliamentary Joint Committee on Human Rights, which stated in its report on the bill:

Communications data can reveal quite personal information about an individual, even without the content of the data being made available, revealing who a person is in contact with, how often and where. This in turn may reveal the person’s political opinions, sexual habits, religion or medical concerns. As the European Court of Justice has stated in its recent ruling that held that blanket retention of metadata was disproportionate, such data 'taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.

Indeed, the Victorian Commissioner for Privacy and Data Protection's submission quotes former CIA and NSA director General Michael Hayden as saying, 'We kill people based on metadata,' and that metadata without content is capable of telling the government 'everything' about an individual. The Western Australian internet service provider iiNet has stated that metadata reveals even more about an individual than the content itself'.

At the same time as the government has been telling the community that metadata access is no big deal and that it is not intrusive of privacy, we are informed by the government that metadata is absolutely vital to investigations. The Minister for Justice has in question time cited the example of the joint ASIO-law enforcement operation in 2005 that prevented a mass-casualty terrorist attack at the MCG, in which telecommunications data was critical. But, as noted by the Pirate Party in its submission, this case study serves to demonstrate that law enforcement and intelligence agencies already have sufficient capabilities.

Furthermore, other more recent confirmed or suspected terrorist attacks such as those in Boston, Ottawa, Paris and Sydney were committed by people already known to authorities or acting alone. The Pirate Party notes:

Thus, data retention would not have helped to pre-empt them. Resources should be directed towards current law enforcement efforts and targeted surveillance rather than placing an entire nation under suspicion and thereby diverting, diluting and distracting their efforts.

Indeed, as many submissions, including from a number of councils for civil liberties point out, the review set up by President Obama following Edward Snowden's revelations reported it could find 'no evidence that sweeping collection of the telephone metadata of Americans led to a single major counterterrorism breakthrough', and a German parliamentary study referenced by European Digital Rights showed that blanket data retention would have made a difference in only an infinitesimal 0.002 per cent of criminal investigations.

On the other hand, the proposed data retention regime would ensure that police and intelligence agencies would have a large source of information with which to hunt down whistleblowers and the journalists and others, including MPs, to whom they may have provided public interest information, thus potentially having a chilling effect on media freedom and public interest disclosures of wrongdoing. Crikey's Bernard Keane notes in his submission that 'the Australian Federal Police has admitted in Senate Estimates that in hunting for whistleblowers it obtains the metadata of journalists and even politicians'. The Human Rights Law Centre notes that AFP Commissioner Tony Negus admitted in December 2013 that up to five MPs had been the subject of data surveillance without a warrant.

The firm pressure from the Labor opposition and a strong campaign by media organisations has prompted the government to agree to introduce an amendment requiring law enforcement agencies to obtain a warrant for access to journalists' metadata. The Media Arts and Entertainment Alliance has objected that this does not go far enough to protect media freedom, since access to information by warrant is still access, which should not be permitted. Indeed, as noted by Bernard Keane in yesterday's Crikey, a judge would likely issue warrants to police who claimed that laws had been broken by a public servant leaking a story. The MEAA says that such data could be used to capture the communications between a journalist and a source and, once that is known, the other tranches of national security legislation, particularly National Security Legislation Amendment Bill (No. 1) 2014 can be used to jail both the source and the journalist for up to 10 years and to tamper with the media organisation's computer network.

I share these concerns about the unacceptable threat to media freedom from this suite of national security laws. The Law Institute of Victoria and the WA Law Society have also pointed out the danger to legal professional privilege of the warrantless access regime. One of the reasons the EU Court of Justice found the EU data retention directive—on which this proposed scheme is modelled—to be invalid was that 'it does not provide for any exception, with the result that it applies even to persons whose communications are subject...to the obligation of professional secrecy'.

The requirement to force ISPs to retain, and in some cases create and store, data for two years in advance of the telecommunications sector security reforms is, in my view, putting the cart before the horse. The issue of where data will be stored is a matter of concern to many Australians, including notably the Director-General of ASIO David Irvine, who this week described himself as a 'cyber nationalist' and said he would feel much more comfortable with data governed by Australian law than law by some other country. It is significant I think that another of the reasons that the EU Court of Justice ruled the EU data retention directive invalid was because it did not require data to be stored in the EU.

The Australian Lawyers for Human Rights has noted that the bill 'outsources' compliance to private companies. This arrangement unfairly imposes an enormous cost, which will be passed on to consumers, will have anti-competitive results as it is likely to drive smaller operators out of business and unfairly penalises companies with eligible infrastructure in Australia as against overseas companies.

The government has indicated it will pay 'a substantial share' of the cost of implementing this regime and the Prime Minister has named a loose figure of $400 million. An amendment to the bill provides that the Commonwealth 'may' make a grant of financial assistance to a service provider to assist with compliance under the scheme, but this discretionary provision is unlikely to give comfort to service providers that their costs will be covered. Whether it is via taxpayers or costs passed onto consumers from service providers, it is clear that Australian citizens and businesses are expected to pay for their own surveillance, as well as any damage that may result from the inevitable misuse of metadata or unauthorised access to such data.

A number of submissions also noted that the massive 'honey-pot' of data that the legislation will require business to create and retain under the legislation could in fact be a magnet for cyber attacks. The Law Council notes that the bill does not provide a minimum set of standards for government agencies and service providers to ensure storage and security of telecommunications data; it does not require data to be stored in Australia; nor does it require the destruction of stored metadata at the expiration of the two-year period, unlike the requirement for information obtained pursuant to a warrant which must be destroyed when no longer required for the particular purpose.

The sweeping scope of the data retention scheme, together with the permissive nature of the access regime, presents very real risks to the rights and freedoms Australians are entitled to expect. The UN High Commissioner for Human Rights concluded in her July 2014 report on the right to privacy in the digital age that mandatory third-party data retention is neither necessary nor proportionate.

The Human Rights Law Centre observed that:

… the absence of a warrant or other independent authorisation process prior to access and use of the stored data gives rise to serious concerns regarding the propriety of the access and use.

The PJC on Human Rights and many other submissions to the Intelligence committee recommended that access should only be granted on the basis of

…a warrant approved by a court or independent administrative tribunal, taking into account the necessity of access for the purpose of preventing or detecting serious crime on defined objective grounds.

The government has made much of the need for data retention laws to enable law enforcement and national security agencies to identify people involved in serious crimes, such as child pornography, and those who present a serious threat to public safety. Yet there is no requirement in the bill that access to metadata may only be for the purpose of investigating serious crime or national security matters. Police forces gave evidence to the committee that metadata is used primarily in general crime investigations, rather than for serious crimes, which account for only around two per cent of the cases of access to metadata.

The AFP Commissioner has even conceded the information could also be used to investigate copyright infringement. While the amendments made to the bill as a result of the intelligence committee recommendations generally preclude disclosure of information for civil litigation purposes, including by way of subpoena, they do not address a requirement imposed by a court on an individual to disclose information under the rules of court or an obligation of discovery and inspection.

I am also concerned about the ability of the Attorney-General under this bill to make declarations as to items for inclusion in the data set, additional classes of service providers or additional authorities as law enforcement agencies, as well as regulations providing for exceptions to the prohibition on disclosure of information for civil litigation purposes. In my view the period of 40 sitting days—approximately six months—before the Attorney-General has to bring a bill before the parliament, or the declaration or regulation lapses, is too long.

The final issue I want to raise is that of the oversight provided in this bill. Under the bill the Commonwealth Ombudsman is charged with responsibility for oversight of law enforcement agencies' use of powers and the intelligence committee is to do a review of the scheme two years after the conclusion of the implementation phase. These are worthwhile measures, but they are directed at reviewing access powers after they have been exercised. The Ombudsman's oversight does not extend to the use and handling of data by the service providers required to retain the data. Furthermore, there has been no watertight assurance by the government that the Ombudsman will receive the significant additional resources needed to carry out the oversight function. As mentioned earlier, an independent warrant process for access to the stored data would constitute a greater safeguard and provide some measure of reassurance to the general community.

In short, this bill, which has been introduced with too much haste and too little concern on the government side, proposes a quantitative and qualitative expansion of data retention and access over the private communications of millions of law-abiding Australians. There should have been a comprehensive review of the data access regime, including the question of whether any warrantless access should continue to be allowed at all. These and other issues around security and storage of data, and oversight mechanisms, should have been investigated before this bill was embarked upon. Such legislative change—with implications for fundamental rights of privacy and freedom of expression and media freedom as well as the significant implications for businesses—should only occur very carefully, and with the utmost rigour in its design. Unfortunately, notwithstanding the best efforts of the Labor opposition and many others outside the government, that is not the case with this bill.

See this speech in context