Mitch Fifield (Victoria, Liberal Party, Assistant Minister for Social Services) Share this | Hansard source

I table the revised explanatory memorandum relating to the bill and I move:

That this bill be now read a second time.

I seek leave to have the second reading speech incorporated in Hansard.

Leave granted.

The speech read as follows—

TELECOMMUNICATIONS (INTERCEPTION AND ACCESS) AMENDMENT (DATA RETENTION) BILL

The Bill contains a package of reforms to prevent the further degradation of the investigative capabilities of Australia's law enforcement and national security agencies. The Bill will require companies providing telecommunications services in Australia, carriers and internet service providers to keep a limited, prescribed set of telecommunications data for two years. The Bill amends the Telecommunications Interception and Access Act 1979 (Interception Act), and the Telecommunications Act1997 (Telecommunications Act).

Modern communication technologies have revolutionised the abilities of people to communicate, collaborate and express themselves. Sadly, however, these same technologies are routinely misused and exploited by criminals, including those who threaten our national security.

Historically, telephone companies have kept call records showing the numbers of both the A and B parties, time of call, duration of call and often the location of the parties. These records have been kept for long periods and were used for billing purposes. Under existing and long-standing legislation, a range of law enforcement and other agencies have had the ability to access this information without a warrant.

The type of data referred to in the Bill as telecommunications data, more often described as metadata, is information about a communication but not its content. So, in the telephone world, it reveals that one number belonging to a particular account was connected to another number at a time and for a duration, but does not reveal what they discussed. In the IP world it reveals that a particular IP address, which may have been observed to have been engaged in some unlawful activity, had been at the relevant time allocated to a particular account. In the context of messaging—email, for example—it reveals the sender, recipient, time and date, but again not the content. Access to the content of communications requires a warrant.

Access to metadata plays a central role in almost every counterterrorism, counterespionage, cybersecurity and organised crime investigation. It is also used in almost all serious criminal investigations, including investigations into murder, serious sexual assaults, drug trafficking and kidnapping. The use of this kind of metadata, therefore, is not new.

However, as the business models of service providers are changing with technology they are keeping fewer records. And they are keeping those records for shorter periods of time because they do not need them any longer, in many cases, for billing. Many of the records that are still kept are kept because of legacy systems put in place years ago. In June 2013, the Parliamentary Joint Committee on Intelligence and Security concluded that this diminution in the retention of metadata is harming law enforcement and national security capabilities, and that these changes are accelerating.

Existing powers and laws are not adequate to respond to this challenge. Preservation notices under the Interception Act can require carriers to 'quick freeze' records that they hold, but these notices cannot create records that have never been kept, and cannot bring back records that carriers have deleted days, weeks or months before a crime is brought to an agency's attention.

Simply put, because of businesses' changing practices investigations are failing.

For example, in a current major child exploitation investigation, the AFP has been unable to identify 156 out of 463 potential suspects, because certain internet service providers do not retain the necessary IP address allocation records to enable the resolution of the IP address to the particular account number the person in question was using. These records are critical to link criminal activity online back to a real world suspect.

These impacts are not limited to law enforcement agencies in Australia. During a recent Europol child exploitation investigation, child exploitation investigations relied heavily on access to telecommunications data as perpetrators primarily shared information online, meaning that physical evidence was rarely available. Three hundred and seventy-one suspects were believed to be in the United Kingdom. Using retained telecommunications data, UK authorities were able to positively identify 240 suspects, leading to 121 arrests and convictions. In contrast, of the 377 suspects believed to be in Germany, which does not have a data retention regime in force, German authorities were only able to identify seven and were unable to obtain sufficient evidence to arrest or convict a single person.

I can also give a clear example of how a simple business decision can undermine the national interest. In 2013, a major Australian ISP reduced the period for which it keeps IP address allocation records from many years to three months. In the 12 months prior to that decision, the Australian Security Intelligence Organisation (ASIO) obtained these records in relation to at least 10 national security investigations, including counter-terrorism and cybersecurity investigations. If those investigations took place today, vital intelligence and evidence would simply not exist.

No responsible government can sit by while those who protect our community lose access to the tools they need to do the job. In the current threat environment in particular, we cannot let this problem get worse.

Data retention

As such, this Bill will allow regulations to prescribe a consistent, minimum set of records that service providers who provide services in Australia must keep for two years.

A two-year retention period is based on the advice of our law enforcement and security agencies, as well as the experience of a number of foreign jurisdictions. While many cases are solved within a few months, investigations into serious and complex crimes and threats to security often span many years, requiring access to older records.

The Government recognises that data retention raises genuine concerns about privacy. We are committed to addressing those concerns.

The dataset that has been endorsed by the PJCIS, and inserted into the bill as recommended by that Committee, is strictly limited. For example:

1. service providers will not be required to retain the content or substance of any communication, including subject lines of emails or posts on social media sites

2. the Act will expressly exclude a person's web-browsing history, and

3. providers will not be required to keep detailed location records that could allow a person's movements to be tracked, akin to a surveillance device.

There has also been a great deal of conjecture about how much data retention may cost. I can advise the Senate that the cost, both up front and ongoing, of data retention in its first ten years will average out to $73 million per year. This is a remarkably small impost on an industry that generates over $42 billion in revenue each year. It is in fact well under 0.1% of the industry's revenue.

That low cost must be measured against the immeasurable benefit to the victims of crime who will be much better protected by our agencies than without data retention.

As has been previously stated, the government is committed to ongoing, good faith consultation with industry and will make a substantial contribution to the cost of implementing the scheme. In terms of the ongoing costs, it is important to recognise that providers will be able to recover from law enforcement and security agencies the financial cost incurred in providing requested data. Those ongoing costs will be recoverable on a no-profit/no-loss basis. These cost recovery arrangements already apply to agency requests for telecommunications data collected by industry for its own purposes. This practice will not change.

I can say that, to date, our consultation with industry has been very productive. For example, based on industry advice, the Bill allows individual service providers to develop an implementation plan that provides a pathway to compliance over up to 18 months. These plans will allow industry and government to prioritise the retention of data that is most critical to investigations, while allowing service providers to significantly reduce their implementation costs by aligning any systems changes with their internal business cycles.

The PJCIS Report into the Bill

I draw to the Senate's attention the concluding remarks of the Parliamentary Joint Committee on Intelligence and Security in its inquiry into this Bill:

Through the process of this inquiry, the Committee has considered the current utility of telecommunications data to law enforcement and national security investigations. The Committee has noted the inconsistency and degradation of current retained telecommunications data, possible future reductions in retained data and the serious impact this may have on national security and public safety.

Accordingly, the Committee considered carefully the rationale for a mandatory data retention scheme, and has concluded that such a regime is justified as a necessary, effective and proportionate response. The Committee therefore supports the intention of the Bill.

The Committee's support is subject to thirty-eight recommendations. Twenty-six of these recommendations relate to amendments to the Bill or Explanatory Memorandum.

A further eleven recommendations relate to additional administrative measures (including additional resourcing for the Committee and Commonwealth Ombudsman), reviews, and further reform (including telecommunications sector security reform and data breach notification).

The PJCIS also recommended that the proposed two-year retention period be maintained.

The Government supports all of the recommendations to amend the Bill and so moved amendments to implement them. The other place has passed the Bill with those amendments.

Access arrangements

This Bill does not provide agencies with new powers to access communications data; the Bill simply ensures that data will continue to be available to agencies as a part of legitimate investigations, subject to strict limits that currently apply and additional safeguards.

In fact, the Bill will significantly reduce the range of enforcement agencies permitted to access telecommunications metadata without a warrant.

The Bill will allow what we might call 'traditional' law enforcement agencies, such as the police, Customs, crime commissions and anticorruption bodies, to access this information.

The Bill will also grant the Attorney-General the power to temporarily declare, via legislative instrument subject to parliamentary oversight, additional agencies. Before making such a declaration, the Attorney-General of the day will be required to consider a range of strict criteria, including whether the agency is subject to a binding privacy scheme. Any permanent additions to the list of agencies with these powers will require an Act of Parliament.

Safeguards

The Bill will introduce a range of new and enhanced safeguards. In particular, it:

The Government has also committed to reforms to strengthen the security and integrity of Australia's telecommunication infrastructure by establishing a security framework for the telecommunications sector. This will provide better protection for information held by industry in accordance with the data retention scheme.

Concluding remarks

This Bill is critical to prevent the capabilities of Australia's law enforcement and national security agencies being further degraded. It does not expand the range of telecommunications metadata which is currently being accessed by law enforcement agencies. It simply ensures that metadata is retained for a period of two years.

More broadly, this Bill demonstrates the Government's commitment to ensuring that access to sensitive and personal information by these agencies is strictly controlled through robust accountability processes.