George Brandis (Queensland, Liberal Party, Attorney-General) Share this | Hansard source

Yes, you are correct, Senator Ludlam: the bill does not provide for or create a destruction obligation after the expiry of the two-year retention period. Although you say that your proposed amendment relies upon a sole purpose test, it does not. If you wanted to change your amendment by altering the words in subclause (a) by inserting the words, 'solely for the purpose of compliance with' rather than 'in accordance with' then we would still vote against your amendment, but that would be a sole purpose test. This is not your fault, Senator Ludlam; it is drafting error, I suspect. However, your amendment does not do what you think it does. That being said, I feel the force of the argument; it was considered, as well, by the PJCIS.

For reasons that I expounded upon earlier in the day, it is unlikely that telcos and ISPs would want to retain data for longer than the statutory minimum period; their case is that that is a burdensome obligation. But it remains the case—were telcos and ISPs to choose, counterintuitively, to do so—that that is not against Australian law as it currently stands. In fact, when I had the discussion earlier today with Senator Leyonhjelm about variable retention periods, I pointed out that in some cases at the moment metadata is stored for up to seven years. That is not against the law. In any event, although this bill does not deal with the handling obligation; that is dealt with, in particular, by the Privacy Act, which requires entities to take reasonable steps to notify customers if their information will be disclosed to an overseas recipient, of the countries where the information will be held, and to ensure that any overseas recipient of personal information does not breach the Australian privacy principles.

Lastly, might I point out, as I have done in another context, that it is by no means unusual for Australian law to mandate the retention of business records for more than two years. Under the Taxation Administration Act, the Australian Taxation Office requires business records that are relevant to a taxpayer's tax affairs to be retained for five years. Our law has not adopted a destruction obligation; what it has adopted is a handling obligation so as to protect the security of data that is retained.