The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (new law) passed both houses of parliament on Thursday 26 March 2015. The new law amends the Telecommunications (Interception and Access) Act 1979 (the Act) to introduce a mandatory data retention scheme (Scheme) for carriers and carriage service providers (Service Providers).
PJCIS recommendations and media-related amendments incorporated
Mandatory retention of Metadata introduced
Service Providers must keep certain customer identity and service activity related data, listed in section 187AA of the Act (Metadata), for at least two years. Certain types of data must be kept for two years from the closure of the relevant customer account. The new law incorporates amendments made by the government in response to recommendations made on the Bill as first tabled by the Parliamentary Joint Committee on Intelligence and Security (PJCIS). In addition, the law incorporates additional steps that must be taken before Metadata of a journalist can be accessed for the purpose of identifying a journalist’s source. A number of matters remain uncertain about the implementation and operation of the Scheme, including the extent to which the government will contribute to the costs of Service Providers in complying with the Scheme.
The initial Bill was tabled on 30 October 2014 and referred to the PJCIS. The PJCIS reported in February 2015. A copy of our update summarising the recommendations is available here.
Legislation, not regulations
In accordance with the recommendations of the PJCIS, the specifications of the Metadata covered are set out in the Act, not by regulation. However, the Minister may make a declaration to modify the table under section 187AA. Any such declaration will come into force when it is made, and cease to have force at the end of a period of 40 sitting days of a House of Parliament. This mechanism is intended to give the Minister time to introduce to Parliament a corresponding amendment to the Act. In addition to changes to section 187AA, the Minister may also determine by declaration that:
- a service is a service to which the data retention obligation applies. This power could be used to subject over-the-top services such as web mail or a VoIP service to the new law; or
- an authority or body is entitled to access Metadata by making a declaration that it is a criminal law-enforcement agency (under section 110A) or an enforcement agency (under section 176A).
Any such a declarations will also come into force when made, and cease to have force at the end of a period of 40 sitting days.
Definition of “infrastructure”
The new law applies to a service if the Service Provider “owns or operates, in Australia, infrastructure that enables the provision of any of its relevant services” (section 187A(2)). A definition of infrastructure has been added to the new law. Infrastructure is defined to mean “any line or equipment used to facilitate communications across a telecommunications network”. The Minister’s power to subject a service to the new law by declaration is constrained by this condition. Service Providers that do not have infrastructure in Australian cannot be made subject to the data retention requirements.
ASIC and ACCC to have access to metadata
Section 110A of the Act has been amended to add ASIC and the ACCC to the list of “criminal law-enforcement agencies” who can access metadata held under the Scheme.
In accordance with the PJCIS recommendations, the Act requires service providers to encrypt all information kept by the service provider under the Scheme.
In accordance with a recommendation of the PJCIS, amendments to the Telecommunications Act 1997, prohibit disclosure of Metadata for use in civil proceedings. The restriction applies only to data which is kept solely for the purpose of compliance with the Scheme, and which is not used or disclosed by the Service Provider for any purpose other than compliance with the Scheme, compliance with the requirements of any related warrants and in other limited circumstances.
Government contribution to costs
Under section 187KB of the Act, the Commonwealth Government may make a grant of financial assistance to a Service Provider to assist the Service Provider to comply with its obligations under the Scheme. This arrangement will be governed by a written agreement between the parties.
Access to the Metadata of a Journalist
The new law includes a mechanism to require a “journalist information warrant” where a notice to access Metadata targets a journalist or the employer of a journalist and the purpose is to obtain information regarding a journalist’s source. Under these amendments, the Director-General of Security (DG of ASIO) or Deputy Director-General of Security (Deputy DG of ASIO), an approved ASIO employee or affiliate, an enforcement agency or the Australian Federal Police cannot make an authorisation to give access to a particular person’s data if they know or reasonably believe that the person is a journalist or a journalist’s employer and the purpose of authorising access would be to identify a source unless there is a “journalist information warrant” in force for that person. The mechanisms for obtaining a journalists information warrant are as follows:
1. DG of ASIO can request the Minister to issue (sections 180J, 180L) a journalist information warrant. The request must specify the facts and other grounds on which the DG of ASIO considers it necessary to issue the warrant. The Minister must be satisfied that ASIO’s functions would extend to making access authorisations in relation to the person in question. In addition, the Minister must be satisfied that the public interest in issuing the warrant outweighs the public interest in protecting the confidentiality of the source’s identity. There are a number of factors relevant in assessing this public interest test, including the gravity of the matter, the potential interference with the person’s privacy, and any submissions made by a “Public Interest Advocate”. A journalist information warrant issued by the Minister must specify the length of time it is to be in force, which cannot be longer than 6 months. 2. DG of ASIO can issue (section 180M) a journalist information warrant, if the Minister has not made a decision in response to a request and there has not been a refusal within the previous 3 months. DG of ASIO must be satisfied that security is likely to be seriously prejudiced without the requested access to data. A written record must be made within 48 hours after the authorisation is given.
3. An enforcement agency can apply to an “issuing authority” (e.g. a judge of the Federal Court of Australia, Family Court of Australia or Federal Circuit Court, or a magistrate who has been appointed by the Minster as an issuing authority) for a journalist information warrant. The issuing authority can require further information. The issuing authority must be satisfied that the warrant is reasonably necessary for the enforcement of the criminal law. The issuing authority must be satisfied that the public interest in issuing the warrant outweighs the public interest in protecting the confidentiality of the source’s identity. There are a number of factors relevant in assessing this public interest test, including the gravity of the matter, the potential interference with the person’s privacy, and any submissions made by a “Public Interest Advocate”. Public Interest Advocates are declared as such by the Prime Minister, and may make submissions to the Minister about a range of matters relevant to the issuing of journalist information warrants. It is an offence punishable by 2 years imprisonment to disclose or use information about an application for, making, existence, non-existence or revocation of an journalists information warrant.
Additional reporting obligations
The Act introduces various layers of reporting obligations under the Scheme, in particular between the Ombudsman, the Inspector-General of Intelligence and Security, the PJCIS and the Minister. The Ombudsman has the power to inspect the records of enforcement agencies to assess the level of compliance, and may require an officer of that enforcement agency to provide information relevant to the inspection. The Ombudsman must report to the Minister about the results of such inspections during a financial year. The Minister must then present a copy of the report before each House of Parliament within 15 sitting days of receiving it, and the Ombudsman must give a copy of the report to the chief officer of any enforcement agency the report relates to. The PJCIS is to review the operation of the Scheme, starting within two years of the end of the implementation. In addition to this review process, any Bill amending (i) the application of the Scheme to particular services (section 187A), (ii) the type of information covered by the Scheme (sections 187A(4) and 187AA), or (iii) the list of criminal law enforcement agencies (section 110A) or enforcement agencies (s 176A), must be referred to the PJCIS for review.
Commencement and Implementation
The primary provisions of the new law commence six months from Royal Assent. Service Providers can delay full compliance by filing a data retention implementation plan with the Communications Access Co-ordinator.
There has been public comment and some controversy regarding a number of features of the new law including:
- the public policy implications of providing national security and law enforcement agencies to access two years of Metadata relating to any person (except in some cases, a journalist or news organisation) without a warrant;
- the discretion given to the Minister to expand the operation of the legislation by scope and coverage without the authority of parliament for an extended period;
- the limited protection provided to journalists through the “journalists information warrant” mechanism and, in particular, that it does not apply where Metadata is sought in relation to a whistle blower or other potential source;
- the lack of detail on the financial support to be provided to Service Providers and/or the need to protect the economic viability of smaller Service Providers;
- whether the provisions which purport to prevent Metadata from being used in civil proceedings will be effective in practice and/or produce widely ranging outcomes depending on the policies and practices of the relevant Service Providers; and
- how the requirement for Metadata to be encrypted can implemented in practice considering that in the first instance most Metadata is operational information used by Service Provider’s IT systems.
On 4 March the Attorney-General asked the PJCIS to further inquire and report on the question of “how to deal with the authorisation of a disclosure or use of telecommunications data for the purpose of determining the identity of a journalist’s source”.