Wednesday, 28 October 2020
Intelligence and Security Joint Committee; Report
On behalf of the Parliamentary Joint Committee on Intelligence and Security, I present the committee report, incorporating a dissenting report, entitled Review of the mandatory data retention regime:a review of the mandatory data retention scheme as prescribed by part 5-1A of the Telecommunications (Interception and Access) Act 1979.
In accordance with standing order 39(e) the report was made a Parliamentary Paper.
I am pleased to present the Parliamentary Joint Committee on Intelligence and Security's Review of the mandatory data retention regime, the MDRR, as required by section 187N of the Telecommunications (Interception and Access) Act 1979, the TIA Act.
In 2015, the coalition government inserted part 5-1A of the TIA Act in order to enact new obligations on telecommunications and internet service providers to retain prescribed metadata for a period of two years for the purposes of access by national security authorities, criminal law enforcement agencies and enforcement agencies. It also requires service providers to encrypt the retained metadata, subject to certain exemptions, and outlines which enforcement agencies have access to the information and documents available under the scheme.
In its report, the committee noted:
… the technical difference between the mandatory data retention regime … allowing access to metadata and access to telecommunications data as provided for in sections 280 and 313(3) of the Telecommunications Act. In practice telecommunications data kept under the mandatory date retention regime can, after the two year retention period has expired and as long as it is still being kept, be accessed by a wide range of agencies under section 280 and 313(3) of the Telecommunications Act.
Therefore, in addition to reviewing the MDRR, the committee also looked at access to telecommunications data under the Telecommunications Act.
The committee's report makes 22 targeted recommendations that increase transparency around the use of the MDRR and increase the threshold for when data can be accessed under the MDRR and, importantly, does so in a way that does not have a great effect on law enforcement's and ASIO's ability to do their very important work. In addition, the committee makes recommendations that reduce the currently very broad access to telecommunications data under the Telecommunications Act.
We as the committee take our job very seriously. Our first priority, always, is the safety of the Australian people and making sure that our operational agencies have what they need for our national security. But we're also a parliamentary committee, and foremost in our minds in this review were the principles of transparency and accountability. It may be that the government and operational agencies advise us that some of the recommendations in our report pose difficulties for ongoing operations; we accept this. We're a parliamentary committee, as I said. We don't pretend to have detailed expertise or insight into operations, but we strive for accountability and transparency. That's our job as an oversight committee, particularly when dealing with the accessing of personal data of Australian citizens. We want to strike the right balance between national security and personal liberty, so we look forward to ongoing discussions and engagement on these questions and to working out the best possible balance, upholding national security and personal liberty with the government and the relevant agencies.
After reviewing the evidence, the committee had no major concerns over ASIO's access to data under the MDRR. For that reason, most of the committee's concerns were around access to data under the MDRR by law enforcement agencies. Importantly, the committee did not recommend any changes to the current two-year retention requirement. What the committee would like to see is more reporting on this access, and, as mentioned, an increased threshold for that access. To this end, the committee has recommended that the Department of Home Affairs should, within 18 months of this report, develop guidelines for data collection to be applied across the mandatory data retention regime to achieve the intended outcome of facilitating better oversight, including an ability for enforcement agencies and Home Affairs to produce reports for oversight agencies or parliament when requested. This should include the section of the TIA Act used to access the data; the case number associated with the authorisation; the specific offence or offences that the investigation is related to; if the authorisation related to a missing person case, the name of the missing person; and brief reasons why the authorised officer was satisfied that the disclosure was reasonably necessary. In addition, the committee has made recommendations that the law enforcement access to data kept under the MDRR will only be available in the following circumstances: voluntary disclosure, locating a missing person or the investigation of a serious offence or an offence against a law of the Commonwealth, a state or a territory, that is punishable by imprisonment for at least three years.
I mentioned the access to the telecommunications data under the Telecommunications Act. This was a matter to which the committee gave great thought. In order to reduce the number of agencies accessing telecommunications data in this manner, the committee has recommended the repeal of Section 280(1)(b) of the Telecommunications Act which allows for access where, 'disclosure or use is required or authorised under law'. It is the exceptionally broad language in this subsection that has allowed the access that has concerned the committee. I hasten to add that Section 280(1)(a), which requires disclosure where telecommunications data is required in connection with the operation of enforcement agency, is a section that the committee has made no recommendation on. Law enforcement will still be able to access telecommunications data via the Telecommunications Act when it so requires.
As I'm sure the House will appreciate, in this speech it's difficult to go through all 22 recommendations, that's why we have a report. It's good reading. Suffice to say, the recommendations all strive towards increased transparency and accountability with the accessing of telecommunications data of Australian citizens, whilst not affecting the important work of those agencies who are tasked with protecting and keeping Australians safe.
Before I close, I would like to acknowledge, as always—up there on the screen—the member for Holt, my deputy chair. He is always great counsel and helpful in getting these reports out of the committee, also the member for Isaacs, who has just popped up as well. I want to make, on my side, a particular mention of Senator Fawcett, who was around for the last report and provided a lot of insight and help with this report.
[by video link] by leave—In late 2014 the government introduced the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 into the parliament and referred it to the intelligence and security committee for inquiry and report. While its 2015 report concluded that the introduction of the mandatory data retention regime was justified, the committee was not satisfied that the regime in its original form was subject to adequate safeguards and oversight. That is why the committee made 43 detailed and bipartisan recommendations to improve the bill. For example, in 2015 the committee recommended that the proposed mandatory data retention regime be amended to: (1) limit the number of agencies that could access telecommunications data without a warrant to prescribed law enforcement agencies and ASIO, (2) better protect journalist sources and, (3) provide for increased privacy protections and more rigorous oversight. The government accepted each of the committee's recommendations.
It has now been over five years since the mandatory data retention regime became law. Over that time many concerns have been raised about how the regime has operated in practice. Loopholes have been identified, gaps in oversight have emerged and the adequacy and effectiveness of key safeguards have been called into question. For that reason the committee's review—which began last year and formally concluded in April of this year—was timely.
Before I mention a few of the committee's key recommendations, it's important to place the mandatory data retention regime in context. Significant intrusions into privacy by government—such as the search of a person's home, opening a person's mail, installing a listening device or obtaining a saliva sample—generally require agencies to obtain a person's consent or a warrant from an independent issuing authority. By contrast, agencies do not require a warrant to access telecommunications data under this regime. Consistent with the position we took in 2015, the committee has not recommended the introduction of such a requirement now, but, make no mistake, when an agency obtains a person's telecommunications data without consent, that is a significant invasion of that person's privacy. The absence of a warrant requirement therefore makes it especially important that the powers to access telecommunications data be subject to rigorous oversight, and that they only be exercised in appropriate circumstances by properly qualified individuals. To that end, as this report makes clear, all committee members agree that the mandatory data retention regime is not currently up to scratch and a number of changes need to be made.
I do not have time to go through each of the 22 recommendations in the committee's report, but I would like to mention a few of them. The committee has today recommended that section 280(1)(b) of the Telecommunications Act 1997 be repealed. This should not come as a surprise and nor should it be controversial, but it is, nonetheless, significant. The committee received evidence that with assistance of that provision, at least 80 non-law enforcement authorities have been accessing the telecommunications data of Australians outside the framework of the Telecommunications (Interception and Access) Act. Those authorities include local councils and the RSPCA.
As I alluded to earlier, in 2015, the committee recommended that only prescribed law enforcement agencies and ASIO should have access to telecommunications data. Moreover the committee clearly intended that such access should be governed by the framework set out in the Telecommunications (Interception and Access) Act. The government accepted that position in 2015 and it was on that basis that the mandatory data retention regime was passed by the parliament. The way in which section 280(1)(b) of the Telecommunications Act 1997 has been used by dozens of authorities across Australia is therefore completely at odds with the way in which the mandatory data retention regime was intended to operate. It should be repealed urgently.
In addition, the committee has recommended significant improvements to existing record keeping and reporting requirements to facilitate greater oversight and public scrutiny and better decision-making by authorised officers. The committee has recommended that the Telecommunications (Interception and Access) Act be amended so that, among other requirements, only individuals who have completed a compulsory training program and who have the requisite experience, knowledge and skills be authorised to access telecommunications data.
The committee has recommended that the government prepare national guidelines on the operation of the mandatory data retention regime by law enforcement agencies to ensure greater clarity, consistency and security in respect of requests for and the collection and management of telecommunications data. The committee has recommended amendments to the Telecommunications (Interception and Access) Act to increase the existing thresholds for ASIO and law enforcement agencies to access telecommunications data, and, recognising the ongoing difficulty in distinguishing between content and metadata, the committee has recommended that the Telecommunications (Interception and Access) Act be amended to delineate more clearly between content and metadata. Those are just some of the committee's recommendations.
It is true that in one respect Labor members believe the committee should have gone further in seeking to balance the legitimate interests of law enforcement on the one hand with the protection of privacy on the other. That is the subject of an additional comment by Labor members. I would stress that this is very much an additional comment, not a descent, and, rather than dwelling on that single area of this agreement, I want to use my time today to talk about the many more areas of agreement between Labor and Liberal members of this committee.
The report which the chair of the intelligence and security committee has tabled today is the product of a lengthy and ultimately very productive dialogue between 11 individuals from both sides of politics. That dialogue was informed by nearly 50 submissions from agencies, industries, civil society organisations and members of the public. I thank the member for Canning, the member for Berowra, the member for Goldstein, Senators Stoker and Abetz and, in particular, Senator Fawcett, for the constructive and considered way in which they approached this important review.
Finally, I would also like to thank the many submitters to this inquiry for their detailed, thoughtful submissions and the staff of the secretariat for the support that they continue to provide to committee members. Thank you.
[by video link] by leave—I am very pleased to speak on this report as a longstanding member of the Parliamentary Joint Committee on Intelligence and Security. In reflecting on my contribution today, I went back to the report that basically started this all, that basically created the foundation for the mandatory data retention regime which we are discussing today in this committee's report. It started with this. I want to read it to you because it highlights the work of the committee and how much influence this committee has had in the shaping of the mandatory data retention regime and also illustrates why it's important for this committee's recommendations to continue to be taken into consideration by the government given that the committee has had a substantially very positive influence on the legislation that has been brought forward post this original report. Mandatory data retention came before my committee in a letter that was sent to me by the then Attorney-General Nicola Roxon. Data retention was stipulated in these 2.5 lines:
… tailored data retention periods for up to 2 years for parts of a data set, with specific timeframes taking into account agency priorities, and privacy and cost impacts.
Our committee was asked to look at that. That was the information that the committee was given on mandatory data retention.
This was in 2012. May 2012 was when the Attorney-General sent that letter of request to the committee of which I was then chair. So what effectively happened was that the genesis of the mandatory data retention was in 2.5 lines. It was up to the intelligence committee of the day—and I refer here to George Brandis, who was the shadow Attorney-General, and Philip Ruddock, who was my deputy chair—to extract that out of the then Attorney-General's department, also working very collaboratively with the law enforcement agencies. I would like to pay tribute here to the former Director-General of ASIO David Irvine and the person that was formerly involved at the AFP that I worked with, Mike Phelan, who is now CEO of the Australian Criminal Intelligence Commission. Without those two individuals and without the collaboration between the committee and the intelligence and security agencies, we would not have had the foundation that was enunciated, delineated and clearly articulated in the report that was tabled in 2013.
I point out this history because it is always good to learn about history when we look at these things. We should always reflect back on history. At the start of 2014, our intelligence agencies and security agencies didn't believe that we would legislate a mandatory data retention regime in this country. What changed all of that was the threat that was posed to Australia by the emergence of ISIL. Then the whole game changed. But we should always remember that history can turn very, very quickly. At the start of 2014, when this government actually had what it called a 'regulation day', they were going to abolish the Independent National Security Legislation Monitor—that was a thing that was being put forward. The second thing that was being put to me by agencies was their lack of confidence that there would be a mandatory data regime. ISIL changed everything. We then contemplated that legislation in 2014, and in May 2015 there was a very comprehensive report that drew extensively from the 2013 report on our intelligence committee. We set benchmarks. We agreed with the agencies that they needed these powers to actually perform their duties and that, to keep our country safe, we needed to give law enforcement agencies the powers to prosecute the people that we want prosecuted to protect our country and our civil society. But there must always be as a founding principle of any new legislation of this type corresponding civil liberty concerns and corresponding oversight powers that match the new and extraordinary powers that are given to agencies.
I'd like to point out that very few other places in the world have as comprehensively mandated a regime as Australia has with this regime. When we were first looking at this, we were looking at the United Kingdom and the United States. They do not have in their legislation anything that is as closely mandated as this data retention regime, and I would submit that that is because of the work that was done by the PJCIS in 2012, 2013, 2014 and 2015. That laid the groundwork and improved the legislation. When we got the legislation in 2014, it needed significant improvement. The report in 2015 significantly improved the mandatory data retention regime and made it workable.
In keeping with that trajectory, this report also further improves on that legislation. It improves safeguards. It also gives confidence to the agencies. One of the things that the agencies are concerned about—and it's in this report, in testimony from both ASIO and the AFP—is that 87 parties, outside of those parties that are mandated under the data retention regime, could in fact access metadata. I remember, when we first looked at this in 2012, I didn't want the RSPCA to be able to access my metadata or the metadata of any Australian. But under the existing law, as it stands, they can. And they don't need to use it. They're not a declared law enforcement agency. They are just one of a host of agencies—of 87 that have been identified—that can use and have been using another provision of the telecommunications act to access metadata outside of the metadata regime. One of the strongest recommendations of this committee, which I would be very disappointed if the government didn't accept, is that that loophole must be closed. As Mike Burgess said, the metadata was created for a set number of agencies—security agencies and law enforcement agencies—to be able to get a prescribed set of information that is kept by telecommunications companies. It wasn't intended that the RSPCA, local councils or any other body were able to do that, and I think the public was justifiably concerned, and so were we.
One disappointment for me in listening to the evidence was that the department that was supposed to be monitoring this, the Department of Home Affairs, did not bring this to the committee's attention. Given than the committee has done so much work in terms of its involvement in the architecture of the subset of data that was kept in 2012, 2013, 2014 and 2015, you would have thought that the Department of Home Affairs would have had the courtesy to inform the committee of a substantial breach of the metadata regime by agencies. That disappointed me a very great deal.
The recommendations in this report—this unanimous report with an additional, helpful comment provided by the Labor PJCIS members—will in fact strengthen this world-leading regime even further and offer further protections for that data, target it better and, most importantly, protect people who are accessing the data. The report talks about the number of people that can access it, and we quantify it. We insist on a unified regime where people have to go through a set procedure before they can seek the data from a telecommunications company. These things are not protecting just civil society; they're protecting the security agencies, their personnel and the police forces as well.
The report itself is a tribute to the bipartisanship that exists on what I think is the most important committee in this parliament. There have been many, many reports produced by this committee that have resulted in better laws that make our country safer, and both groups on the PJCIS, both Labor members and coalition members, work together to make that happen. That sometimes gets lost in rancour when we're having a party-political stoush like I saw yesterday. The key thing is that this is a bipartisan report with an additional comment, not a dissenting report.
I'd also like to pay tribute to the young man who chaired the committee. That's Andrew Hastie, the member for Canning. He's had an enormous workload. He has an enormous workload on those very broad shoulders of his, and we are very lucky to have a chair who has the patience, diligence and tenacity of this young man. I think he'll look at the legislation that's been passed in his tenure as chair, and it will reflect very well on him and bode very well for his future.
So I commend the report to this House. I would also like to thank other committee members, in particular the shadow Attorney-General, who did a huge amount of work on this, and my fellow committee members the shadow minister for home affairs and Senator Jennifer McAllister for coming together and working for a solution. What we recommend here will even strengthen a regime which has been used and which keeps Australians safe but does have appropriate safeguards and oversight. Thank you very much for your indulgence, Deputy Speaker.