The data retention bill is controversial. It's proposed that carriers and carriage service providers retain all customers' metadata for two years. The government hasn't pinned down the exact dataset which will determine the data to be retained, and it doesn't have a clear idea of how much this will all cost. I've made a submission to the inquiry into the bill, raising these and other issues.
Submission to the Parliamentary Joint Committee on Intelligence and Security in respect of the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014
The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (“the data retention bill”) is a Bill for an Act to amend the Telecommunications (Interception and Access) Act 1979 (“the Telecommunications Interception and Access Act”), and for related purposes.
This submission does not purport to be a full and comprehensive discussion of all of the possible considerations in relation to the proposed legislation. It is intended to be a modest contribution to a complex matter.
Some current sections of the Telecommunications Act 1997 (“the Telecommunications Act”) make it against the law for carriers, carriage service providers, and others to disclose telecommunications information, like:the contents or substance of a communication;
- the carriage services supplied (where “carriage service” means a service for carrying communications by means of guided and/or unguided electromagnetic energy);
- most relevantly, a person’s affairs or personal particulars (including any unlisted telephone number or any address).
Generally, carriers and carriage service providers have to provide reasonable help to the Commonwealth and agencies to:
- enforce the criminal law and laws imposing pecuniary penalties;
- help enforce other countries’ criminal laws;
- protect the public revenue;
- safeguard national security.
Telecommunications information other than the content and substance
Part 4-1 of the Telecommunications Interception and Access Act provides some exceptions to the rules, in the Telecommunications Act, against disclosure.
For example it allows carriers and carriage service providers to breach sections 276, 277 and 278 of the Telecommunications Act by disclosing information to certain people – relevantly, ASIO and law enforcement bodies. Part 4-1 of the Telecommunications Interception and Access Act does not allow disclosure of the contents or substance of a communication. That is dealt with in Chapter 3.
The committee’s 2013 Report of the Inquiry into Potential Reforms of Australia's National Security Legislation, tabled on Monday, 24 June 2013, records that the Attorney-General’s Department’s annual report, made under the Telecommunications Interception and Access Act, says the following information can be released without warrant under that Act:
- subscriber information;
- telephone numbers of the parties involved in the communication;
- the date and time of a communication;
- the duration of a communication;
- Internet Protocol (IP) addresses and Uniform Resource Locators (URLs) to the extent that they do not identify the content of a communication; and
- location-based information.
So, carriers and carriage service providers can disclose that information to ASIO and enforcement agencies, at the agency’s request, without the agency having to get a warrant.
For the agency’s request to qualify for the exception from the rule against disclosure, the disclosure must be reasonably necessary for the enforcement of the criminal law, or (for a more limited exception) for the enforcement of a law imposing a pecuniary penalty or for the protection of the public revenue.
Recent reports show that carriers and carriage service providers have disclosed this type of data to enforcement agencies, without warrants, hundreds of thousands of times each year.
However, it seems obvious that for serious offences, and national security risks, agencies would likely prefer to use their ample powers to obtain access to the content and substance of communications, not just data about the location from which the communication was sent (and similar).
Content and substance of communications
Agencies can presently get access to the content and substance of communications, by warrants to intercept communications, and by warrants to gain access to stored communications.
Chapter 2 of the Telecommunications Interception and Access Act provides for ASIO’s ability to intercept communications in some circumstances. 
Chapter 3 of the Telecommunications Interception and Access Act provides for a regime under which ASIO and enforcement agencies can:
- require carriers and carriage service providers to store data;
- get warrants to get access to the contents and substance of communications; and
- use those communications.
Since 2012 Chapter 2 has allowed for notices to be issued that require a carrier to store communications.
The word "communication" includes conversation and a message, and any part of a conversation or message. It includes speech, music, sounds, data, text, still and animated images, signals, and other forms.
The notices (for domestic use) can be ongoing or historical.
The provisions allowing for access to stored data predate the provisions allowing preservation notices to be issued. The current regime was created after the Blunn Report, by the Telecommunications (Interception) Amendment Bill 2006, which replaced interim arrangements put in place by the Telecommunications (Interception) Amendment (Stored Communications) Act 2004. In other words, the regime for gaining access to stored communications has been in place for a decade.
Though accessing stored communications is generally prohibited, it can be done with a warrant. Warrants are given by issuing authorities – who are judges, magistrates (more relevant prior to the change to the Federal Circuit Court) or senior members of the AAT, and who have been appointed by the Minister. The Minister can revoke their appointment as issuing authorities. Agencies can apply by phone if there’s urgency.
The warrant can only be issued if it’s likely that information (that would likely be obtained, by accessing the stored communications) would assist in connection with an investigation of a serious contravention.
In deciding whether to give a warrant for domestic purposes, the judge, magistrate or member has to consider:
(a) how much the privacy of any person or persons would be likely to be interfered with by accessing those stored communications under a stored communications warrant; and
(b) the gravity of the conduct constituting the serious contravention; and
(c) how much the information … would be likely to assist in connection with the investigation; and
(d) to what extent methods of investigating the serious contravention that do not involve the use of a stored communications warrant in relation to the person have been used by, or are available to, the agency; and
(e) how much the use of such methods would be likely to assist in connection with the investigation by the agency of the serious contravention; and
(f) how much the use of such methods would be likely to prejudice the investigation by the agency of the serious contravention, whether because of delay or for any other reason.
It seems that interception is used much more frequently than access to stored communications:
Stored data access warrants
Interception has also given rise to more convictions than using stored information. In 2012/13, agencies obtained:
- 65 convictions using stored communications; and
- 2700 convictions,
based on lawfully intercepted material.
Proposals for mandatory mass data retention
In July 2012, the Attorney-General’s Department published a discussion paper, Equipping Australia Against Emerging and Evolving Threats, in which data retention, among other things, was raised. The discussion paper stated that the committee should consider:
Applying tailored data retention periods for up to 2 years for parts of a data set, with specific timeframes taking into account agency priorities and privacy and cost impacts.
The committee’s 2013 report considered the introduction of mandatory data retention regime. It did so having regard to the competing policies considerations, as well as to comparative examples in the EU (which had a mandatory data retention directive) and the UK (which has a voluntary scheme).
In its 2013 report, the committee recommended:
There is a diversity of views within the Committee as to whether there should be a mandatory data retention regime. This is ultimately a decision for Government. If the Government is persuaded that a mandatory data retention regime should proceed, the Committee recommends that the Government publish an exposure draft of any legislation and refer it to the Parliamentary Joint Committee on Intelligence and Security for examination. Any draft legislation should include the following features:
- any mandatory data retention regime should apply only to meta-data and exclude content;
- the controls on access to communications data remain the same as under the current regime;
- internet browsing data should be explicitly excluded;
- where information includes content that cannot be separated from data, the information should be treated as content and therefore a warrant would be required for lawful access;
- the data should be stored securely by making encryption mandatory;
- save for existing provisions enabling agencies to retain data for a longer period of time, data retained under a new regime should be for no more than two years;
- the costs incurred by providers should be reimbursed by the Government;
- a robust, mandatory data breach notification scheme;
- an independent audit function be established within an appropriate agency to ensure that communications content is not stored by telecommunications service providers; and
- oversight of agencies’ access to telecommunications data by the ombudsmen and the Inspector-General of Intelligence and Security.
The Committee recommends that, if the Government is persuaded that a mandatory data retention regime should proceed:
there should be a mechanism for oversight of the scheme by the Parliamentary Joint Committee on Intelligence and Security;
there should be an annual report on the operation of this scheme presented to Parliament; and
the effectiveness of the regime be reviewed by the Parliamentary Joint Committee on Intelligence and Security three years after its commencement.
The data retention bill
The data retention bill seeks to insert a new Part 5-1A into the Telecommunications Interception and Access Act.
The Explanatory Memorandum for the data retention bill (“the explanatory memorandum”) states:
7. The Bill will give effect to several of the PJCIS’ [2013 report] recommendations including:
Mandatory data retention will only apply to telecommunications data (not content) and internet browsing is explicitly excluded (Recommendation 42)
Mandatory data retention will be reviewed by the PJCIS three years after its commencement (Recommendation 42)
The Commonwealth Ombudsman will oversight the mandatory data retention scheme and more broadly the exercise of law enforcement agencies’ exercise of powers under Chapters 3 and 4 of the TIA Act (Recommendations 4 and 42), and
Confining agencies’ use of, and access to, telecommunications data through refined access arrangements, including a ministerial declaration scheme based on demonstrated investigative or operational need (Recommendation 13).
8. This Bill will amend the TIA Act to standardise the types of telecommunications data that service providers must retain under the TIA Act and the period of time for which that information must be held.
The explanatory memorandum goes on to state that the data retention bill is consistent with most of the recommendations in the 2013 report.
The invalidation of the EU Directive
Since the committee’s 2013 report was tabled, the Court of Justice for the European Union (“the CJEU”) has declared the EU’s data retention directive - which required mandatory retention - to be invalid. The Explanatory Memorandum refers to the CJEU decision.
Like the proposed Australian scheme, the EU Directive did not apply to retaining content.
The EU Directive linked access to “serious crime”. The CJEU considered this too general. In the proposed Australian laws, enforcement agencies would continue to have access to historical data for the purposes of enforcing criminal laws, enforcing pecuniary penalty provisions, and protecting the revenue. If the CJEU approach was to be accepted and applied here, this low threshold would militate against mandatory mass data retention, as would the lack of any need to obtain a warrant to access the data. (It is the enforcement agency itself that grants the authorisation for disclosure, not a judge or separate body.) In reaching its decision, the CJEU noted that access to data retained pursuant to the Directive was not made dependent on the prior review by a court or by an independent administrative body.
The EU Directive required retention for between six months and two years. The Australian proposal is for two years. This is more arbitrary than the European position was (as there was at least scope for a decision to be made about an appropriate period of up to two years).
As with the EU Directive there is no stated objective basis, other than a general reference to “advice” from enforcement agencies, why that period is no more than the period that is strictly necessary to meet the aims that are said to justify the invasion of privacy.
In the United Kingdom, legislation for data retention was enacted after the CJEU decision. The Data Retention and Investigatory Powers Act 2014 (UK) allows the Secretary of State to require companies to retain data for up to twelve months. I am not aware of any mandatory mass data retention regime of two years’ length, in the world, other than in South Africa.
The data to be retained is generally described in the explanatory memorandum, with refinements in the first report of the implementation working group.
Instituting mandatory mass data retention arguably has significant adverse effects, such as:
- perception of mass surveillance (and the proposition that the fact or perception of being observed changes behaviour);
- further incursions on individual privacy;
- risk of misuse of data that has been unscrupulously or unlawfully obtained, including the risk of serious invasions of privacy;
- cost to carriers and carriage service providers, and therefore consumers and/or taxpayers;
- security of data;
- increases in the cost of litigation if there is a large new source of information that might be amenable to discovery (disclosure) obligations.
Each of these adverse effects has been canvassed in the 2013 report, other submissions, and/or public comment. For example, in his TED talk, high profile journalist Glenn Greenwald (the journalist who broke the Edward Snowden story) talked of the effect of the perception of surveillance on human behaviour. He described mass surveillance as a tool for societal control:
This realization was exploited most powerfully for pragmatic ends by the 18th- century philosopher Jeremy Bentham, who set out to resolve an important problem ushered in by the industrial age, where, for the first time, institutions had become so large and centralized that they were no longer able to monitor and therefore control each one of their individual members, and the solution that he devised was an architectural design originally intended to be implemented in prisons that he called the panopticon, the primary attribute of which was the construction of an enormous tower in the centre of the institution where whoever controlled the institution could at any moment watch any of the inmates, although they couldn't watch all of them at all times.
And crucial to this design was that the inmates could not actually see into the panopticon, into the tower, and so they never knew if they were being watched or even when. And what made him so excited about this discovery was that that would mean that the prisoners would have to assume that they were being watched at any given moment, which would be the ultimate enforcer for obedience and compliance.
The 20th-century French philosopher Michel Foucault realized that that model could be used not just for prisons but for every institution that seeks to control human behaviour: schools, hospitals, factories, workplaces. And what he said was that this mindset, this framework discovered by Bentham, was the key means of societal control for modern, Western societies, which no longer need the overt weapons of tyranny — punishing or imprisoning or killing dissidents, or legally compelling loyalty to a particular party — because mass surveillance creates a prison in the mind that is a much more subtle though much more effective means of fostering compliance with social norms or with social orthodoxy, much more effective than brute force could ever be.
Though this warning seems dire the underlying point is that observation (including the perception that one is under surveillance) changes behaviour. That should be a consideration in weighing the benefits of requiring carriers and carriage service providers to retain data (even if the content and substance of a communication is kept voluntarily not mandatorily).
The bill provides that the specific dataset is to be set by regulation, though it gives categories within which the regulation(s) must fall. This is presumably intended to provide some measure of future-proofing, but it is inappropriate. Such a significant invasion of privacy conducted on a mass basis should always be the subject of parliamentary scrutiny.
In addition, the Telecommunications Interception and Access Act should have a clear set of objects to assist in construing the law in the future as technologies change.
The objects of the legislation must seek to balance differing and in some cases inconsistent rights interests.
The rights and interests must include (and this is not intended to be an exhaustive list):
- the right to protection against arbitrary or unlawful interferences with privacy under Article 17 of the International Covenant on Civil and Political Rights, referred to in the explanatory memorandum;
- without limiting the general right of privacy, the specific interest in ensuring that highly personal information, especially health information, is not able to be the subject of surveillance;
- the community interest in avoiding misuse of data, and in avoiding creating honeypots of data for hackers and other unscrupulous potential users;
- more generally, the rights and interests to which effect is given by the Australian Privacy Principles;
- the interest in ensuring that our security and law enforcement agencies have access to the information needed to deal with serious crime and national security threats, and the interest in ensuring that their powers are no greater than is strictly necessary for those purposes;
- the interests of our community in having access to fast, high quality broadband services, without unnecessary cost, unnecessary fetters on productivity, or unnecessary fetters on competition between providers;
- the community interest in ensuring that data retention laws do not operate in unforeseen and unintended ways, by ensuring that datasets are as limited and specific as possible.
Content and substance of communications
The data retention bill excludes content from mandatory retention, though it doesn’t prohibit content retention.
(The data retention bill does not give effect to the 2013 report recommendation that “an independent audit function be established within an appropriate agency to ensure that communications content is not stored by telecommunications service providers.” To the contrary, providers may retain content (subject to privacy laws); it is just not mandatory that they do so.)
The 2013 report’s recommendation that “where information includes content that cannot be separated from data, the information should be treated as content and therefore a warrant would be required for lawful access;” does not appear to be explicitly addressed in the data retention bill or the explanatory memorandum.
New section 187A is drafted to provide the following exceptions to the requirement to retain data:
(4) This section does not require a service provider to keep, or cause to be kept:
(a) information that is the contents or substance of a communication; or
Note: This paragraph puts beyond doubt that service providers are not required to keep information about telecommunications content.
(b) information that:
(i) states an address to which a communication was sent on the internet, from a telecommunications device, using an internet access service provided by the service provider; and
(ii) was obtained by the service provider only as a result of providing the service; or
Note: This paragraph puts beyond doubt that service providers are not required to keep information about subscribers’ web browsing history.
The exceptions avoid imposing an obligation to retain content and browsing history, but they do not prohibit retention of same (as the explanatory memorandum acknowledges).
That begs the question as to whether a carrier and/or carriage service provider can, conveniently and practically, retain the data that falls within the dataset, without also retaining content.
This is an issue that will no doubt be of concern to any organisation seeking to discharge its obligations under Australian Privacy Principle 11 which relevantly provides:
an APP entity holds personal information about an individual; and
the entity no longer needs the information for any purpose for which the information may be used or disclosed by the entity under this Schedule; and
the entity is not required by or under an Australian law, or a court/tribunal order, to retain the information;
the entity must take such steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.
In addition to a possible lack of clarity in respect of where the obligation to retain ends and the obligation to destroy starts, the fact of retaining content and substance gives rise to a concern in itself.
Specifically, if content and substance is retained that will raise the possibility of access, lawfully or otherwise.
If the likely consequence of mandatory retention of data within the intended dataset is that content and substance of communications will be retained when they otherwise would not have been, or would be retained for longer than would otherwise be the case, that would militate against mandatory retention.
The data retention bill also does not appear to explicitly address the recommendation that “the data should be stored securely by making encryption mandatory,” or the recommendation that “a robust, mandatory data breach notification scheme,” presumably because it is to be left to CSPs to determine how to avoid breaching their non-disclosure and privacy obligations under telecommunications and privacy laws, and how to respond to breaches.
The failure to explicitly and clearly address these recommendations is surprising given the significant space devoted to issues of security from misuse and hacking in the committee’s 2013 report.
Concern about access and misuse is justified given international experience of intelligence agencies’ misuse of private information. In Surveillance in Society – global communications monitoring and data retention, Nigel Brew of the Australian Parliamentary Library said:
“Media reports outlined how the NSA and the UK’s equivalent, the Government Communications Headquarters (GCHQ), routinely harvest, store and analyse communications data and content from international fibre-optic cables, often by co-opting CSPs. According to one report, by May 2012, ‘300 GCHQ analysts and 250 NSA analysts had direct access to search this data at will’. Despite public assurances that people’s privacy was protected, this was evidently not always the case. As one report suggests, the NSA clearly suffers from ‘gaps in governance and oversight’, with leaked documents revealing that some staff had ‘looked up the details of people they were obsessed or infatuated with’.”
The AFP has previously denied that the proposed data retention obligations would give rise to similar situations. Whatever the AFP’s intentions, the fact is that the Telecommunications Interception and Access Act allows for ASIO to access communications. If data is retained by CSPs, then it seems, with respect, unlikely that the AFP will determine what action ASIO takes in respect of that data.
Sources and amount of information (internet of things)
In considering the present and future application of data retention laws, the nature of information that is to be transmitted via communication devices should be considered.
It is likely there will be steep growth in the total number of devices and in machine to machine connections. Some examples of innovative technology, either mooted or already in existence, include:
- Health monitoring, such as:
- the implantable heart monitor that the FDA approved earlier this year; 
- mobile medication compliance devices that monitor whether you have taken your medication correctly – some solutions already on the market;
- connected asthma pumps and monitors, already on the market;
- the proposed connected contact lenses that measure glucose levels (Google X is reportedly working on developing this idea);
- internet-connected toothbrushes, which are already on the market ;
- internet connected blood pressure monitors;
- fitness monitors, which are already in wide use;
- Augmented reality devices eg Google Glass;
- Cars that have their own wireless hotspots;
- GPS smart watches, which are already very common;
- Internet-connected home appliances, such as fridges, airconditioners, door openers, smart lightbulbs etc, that are connected to the internet (some already on the market).
Those examples demonstrate that the content and substance of communications in the immediate and more distance future will be intensely personal. Even putting aside the content and substance, significant personal information will be able to be gleaned from the data that would be within the proposed dataset.
Consideration should be given to ensuring that carriage service providers are not required to retain personal health information, or other highly personal information. That would not just relate to content: the fact that someone has a glucose monitor device that is transmitting information is health information of itself, regardless of whether the content of the transmission is known.
In addition, there should be limits on access in the event such data is retained.
Competition and Consumer ramifications
The issue of cost reimbursement, another of the recommendations, is also not clearly resolved. The explanatory memorandum says:
“The Bill will have financial impacts on service providers who will be required to meet the new minimum data retention obligations.”
In the second reading speech, the Communications Minister indicated there’d be taypayer-funded assistance. The amount is not apparent from MYEFO. That is unsurprising given that work is still underway to estimate costs.
Difficulties of estimation
The Data Retention Implementation Working Group is working with PwC in relation to costs. The work to date appears to have focussed on the capital costs of initial implementation rather than ongoing storage and security costs.
The PCJIS’s 2013 report canvassed significant information about cost. Cost is a real consideration. Imposing tens of millions of dollars of costs on carriage service providers will lead to increased cost of living pressures for consumers, greater burdens on taxpayers, or both.
Iinet has previously estimated that compliance would mean that consumers would pay $100 per year. There will be an obvious cost to CSPs in retaining the data (that is, the cost of storage itself) and ensuring that it is retained securely (the cost of security measures).
Difficulties of estimation into the future – volume of data and cost of storage
An obvious difficulty in estimating costs of both storage and security is that the amount of information transmitted over communications devices is growing sharply. The cost of storage also tends to decrease sharply.
Tech company Cisco published, in June 2014, a whitepaper entitled “The Zettabyte Era—Trends and Analysis”. That whitepaper considers the impact of the growth in machine to machine (M2M) communications. It says:
“Globally, devices and connections (10.7 percent CAGR) are growing faster than both the population (1.1 percent CAGR) and Internet users (9.2 percent CAGR). See Figure 2. This trend is accelerating the increase in the average number of devices and connections per household and per Internet user. Each year, various new devices in different form factors with increased capabilities and intelligence are introduced and adopted in the market. A growing number of M2M applications, such as smart meters, video surveillance, healthcare monitoring, transportation, and package or asset tracking, also are causing connection growth.”
Figure 2 of that paper is as follows:
[see PDF version of submission]
It’s trite to observe that it will be difficult to weigh the costs, risks, and benefits of the proposed legislation without having the best possible understanding of likely costs. That does not just mean understanding the capital costs of initial implementation, but the ongoing costs of both storage and security.
The committee should not form its final view about whether a mandatory mass data retention regime should be in place without understanding the costs generally, how the costs will affect smaller CSPs (which also means appreciating the effect those costs will have on competition), and how the costs will affect people in their capacities as consumers and taxpayers.
Access to justice ramifications
In addition to the issue of costs for CSPs, taxpayers and consumers generally, the committee also ought to be clear about the effect that the regime will have on the cost of access to justice.
That will be affected by the extent to which retained data will be amenable to orders for disclosure in civil proceedings. The Communications Minister has indicated the data will be able to be subject to discovery (disclosure) requirements in civil proceedings. If so, then the committee should consider whether the intrusions on privacy, and the impact on the costs of discovery (disclosure) in civil proceedings, are warranted. The cost of discovery is often cited as a very significant contributing factor in the costs of modern day trials. Increasing the cost of discovery by retaining a large amount of data, that would be amenable to discovery, raises important access to justice considerations.
Serious crimes including child pornography and exploitation
It appears that no case has been made out as to why existing interception warrants, which do not require data retention, are insufficient when it comes to fighting child pornography. (That is particularly so as it seems likely that access to content is more useful in fighting child pornography than access only to data about location, time, etc.)
If data retention is required, no case has been made out as to why the existing data storage regime, in place since 2006 (with an earlier version from 2004), is insufficient. No case has been made why mass storage should replace targeted storage.
For example, the explanatory memorandum says:
“In 2014 the Australian Federal Police (AFP) revealed that it could not identify more than one-third of all suspects in a current, major child exploitation investigation, because the telecommunications data is not available.”
But the explanatory memorandum does not explain why the much stronger powers of interception and data preservation notices (both historical and ongoing) are insufficient to deal with this issue. If one third of suspects can be identified, why can telecommunications data relating to the persons with whom they are interacting not be obtained using those interception and data preservation powers? There may well be good answers to these questions, but they have not been clearly articulated.
In 2012/13 the Attorney-General’s Department report was able to indicate that:
- intercepted material was used in 25 prosecutions; and
- there were 11 convictions,
in respect of which intercepted material had been used.
In contrast, there’s no indication, in that report, as to how many, if any, child pornography offences were among the 65 convictions in which stored material had been used.
There’s also no indication in the report of any examples where access to metadata without a warrant gave rise to chains of inquiry that assisted in identifying suspects, making arrests, or obtaining prosecutions.
From a review of recent child pornography cases involving carrier offences, it seems that the original leads come from police covert operations in online chat rooms and/or complaints from victims and their families. Evidence of the pornography itself then tends to be collected from the defendant’s computer, or by logging on through BitTorrent.
There are many existing tools to combat child pornography: investigative techniques, interception by warrant, connecting over the internet without need for a warrant (eg in chat rooms, on websites), preservation notices, access to stored communications, confiscating devices and computers by warrant, etc.
Law enforcement agencies are asking the Parliament to undertake serious incursions into people’s privacy. To persuade the Parliament of the necessity to do so, and of the proposition that the benefit to law enforcement outweighs the adverse consequences of data retention, good quality examples and information should be provided.
In forming a view about the data retention view, the PCJIS must have, and be able to articulate, a clear understanding of how much assistance law enforcement agencies would gain if the data retention laws were to be enacted.
Certainty for CSPs and rights of recourse for individuals
If more data is stored, for longer, that will be an incentive for unscrupulous if not unlawful access and use. Privacy protections must be strong and clear:
- The interaction between the data retention laws and the Privacy Act must be clear.
- Organisations must know when they can and should destroy data to meet their obligations under the privacy legislation without contravening obligations under the data retention regime.
- The PCJIS should revisit its previous recommendation for mandatory data breach notification.
- And, as the Australian Law Reform Commission has recommended, individuals should have a remedy for access and use that constitutes a serious breach of privacy.
Thank you for the opportunity to make this submission. Given the short time-frame for consultation it is necessarily limited in its scope. If you wish to discuss this submission please don’t hesitate to contact me.
Terri Butler MP
Member for Griffith
14 January 2015
 Sections 276, 277 and 278
 Section 313, Telecommunications Act
 see section 172 of the Telecommunications Interception and Access Act
 PCJIS, Report of the Inquiry into Potential Reforms of Australia's National Security Legislation, at 141, citing Attorney-General, Telecommunications (Interception and Access) Act: Report for the year ending June 2011, Commonwealth of Australia, 2011, at 10.
 See, eg Attorney-General, Telecommunications (Interception and Access) Act: Report for the year ending June 2011, Commonwealth of Australia, 2011 and Attorney-General, Telecommunications (Interception and Access) Act: Annual Report 2012-13, Commonwealth of Australia, 2013
 Interception is generally prohibited: section 7, Telecommunications Interception and Access Act
 Section 108, Telecommunications Interception and Access Act
 Section 6DB of the Telecommunications Interception and Access Act
 Which is defined in section 5E of the Telecommunications Interception and Access Act.
 Section 116(2), Telecommunications Interception and Access Act
 Source data: Attorney-General, Telecommunications (Interception and Access) Act: Annual Report 2012-13, Commonwealth of Australia, 2013
 Attorney-General’s Department, Equipping Australia Against Emerging and Evolving Threats, July 2012,
 PCJIS, Report of the Inquiry into Potential Reforms of Australia's National Security Legislation, at 192-3
 Explanatory Memorandum at pars  and 
 At 
 Brew, N, Surveillance in Society – global communications monitoring and data retention, Australian Parliamentary Library, 24 October 2012, http://www.aph.gov.au/about_parliament/parliamentary_departments/parliamentary_library/pubs/briefingbook44p/surveillance
 Hutchinson, J, “Police chief denies PRISM links,” Australian Financial Review, 23 July 2013
 at par 
 Report 1 of the Data Retention Implementation Working Group, file:///C:/Users/butlert/Downloads/Exhibit%20002%20-%20Report%201%20of%20the%20Data%20Retention%20Implementation%20Working%20Group.pdf
 See http://www.smh.com.au/federal-politics/political-news/telcos-relieved-at-limited-scope-and-cost-of-data-retention-law-20141030-11ehbb.html
 Ramli, D, “New data retention laws can be used to chase online pirates, says Malcolm Turnbull” The Sydney Morning Herald, 31 October 2014, http://www.smh.com.au/business/media-and-marketing/new-data-retention-laws-can-be-used-to-chase-online-pirates-says-malcolm-turnbull-20141031-11es70.html
 at par , statement of compatibility with human rights
 Eg DPP (Cth) v Zarb  VSCA 347 (18 December 2014), R v Engeln  QCA 313 (2 December 2014)
 Eg DPP (Cth) v Walls  VSCA 323 (8 December 2014)
 Eg R v Martin  NSWCCA 283
 Eg DPP v McConaghy  VCC 2007 (28 November 2014)