Earlier this year, on 13 April 2015, the Telecommunications (Interception and Access) Amendment (Data Retention) Bill (DRA) was granted Royal Assent and commenced as part of the Telecommunications (Interception and Access) Act 1979 (Cth) (TIAA). There has been much controversy over these laws, particularly over privacy concerns in light of the increased surveillance and access to metadata that the laws provide to government agencies, but also much confusion over what exactly is being monitored, by whom, and what it all means for the average internet user. This article provides a breakdown of the issues.
- To whom do the laws apply?
In a nutshell, the core amendment of the DRA is Section 187A, which requires "service providers", generally speaking telecommunication companies and internet service providers (ISPs), to retain, for a mandatory period of (currently) two years, a range of customer information which can be collectively termed "metadata". The implications, however, concern a broad range of users of the service providers' services – effectively anyone in Australia communicating or transmitting information, whether in the form of speech, music, sound, data, text, visual images (animated or not), signals, or any other form or combination of forms.
- What is metadata?
Metadata, or the type of information that service providers are required to retain, is described in the new Section 187AA of the TIAA as information as to the:
- Source of communication: identifiers of the service account or device from which the communication was sent by means of that service
- Destination of a communication: identifiers of the account, device or relevant service to which the communication has been sent or forwarded, routed or transferred (including an attempt at each)
- Date, time, duration of communication or connection to a device or service
- Type of communication (e.g. voice, SMS, email, chat, forum, social media) or of a relevant service used in connection with a communication (e.g. ADSL, Wi-Fi, VoIP, cable, GPRS, VoLTE, LTE).
- Location of equipment used in connection with a communication.
- Who can access the retained metadata?
The Amendments largely build on the current interception and access regime under Part 4 of the TIAA but amend the types of agencies to have access to the above information from "enforcement agencies" to "criminal law-enforcement agencies", to be defined by Section 110A as follows:
Each of the following is a criminal law-enforcement agency:
- the Australian Federal Police;
- a Police Force of a State;
- the Australian Commission for Law Enforcement Integrity;
- the ACC;
- the Australian Customs and Border Protection Service;
- the Australian Securities and Investments Commission;
- the Australian Competition and Consumer Commission;
- the Crime Commission;
- the Independent Commission Against Corruption;
- the Police Integrity Commission;
- the IBAC;
- the Crime and Corruption Commission of Queensland;
- the Corruption and Crime Commission;
- the Independent Commissioner Against Corruption;
- subject to subsection (7), an authority or body for which a declaration under subsection (3) is in force.
These agencies will have on-demand access to retained metadata without a warrant, except in cases of information held by journalists and whistleblowers.
- How will the information be stored?
The Amendments themselves are largely silent on any specific storage requirements of the retained information. The only requirement is contained in Section 187BA which provides as follows:
A service provider must protect the confidentiality of information that, or information in a document that, the service provider must keep, or cause to be kept, under section 187A by:
- encrypting the information; and
- protecting the information from unauthorised interference or unauthorised access.
There is also presently no restriction that the retained information needs to be stored in Australia, although it has been reported that this will eventually be required by future amendments.
- Does it affect my privacy?
The Amendments also insert a note into Section 6(1) of the Privacy Act to clarify that personal information can extend to information held under the data retention provisions. Therefore, if the retained data falls under Section 6(1) of the Privacy Act, the Privacy Act storage requirements would apply.
However, since metadata as described above does not include any substantive information of the kind that would normally constitute personal information (information about an identified or reasonably identified individual) under the Privacy Act, we are yet to see whether there will be a significant interaction between the DRA and Privacy Act provisions.
Nonetheless, metadata could certainly be used to indirectly obtain personal information where the metadata is known to relate to an already identified individual – e.g. metadata on email or IP addresses whose holders/users are known to the relevant agency.
Finally, it should be borne in mind that whilst the DRA does impose an obligation to retain metadata and (mostly) does away with the requirement to obtain a warrant for the information, any information that happened to be retained by a service provider was already accessible, albeit with a warrant, under the TIAA prior to the DRA, and that could include information that would otherwise be protected by the Privacy Act.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.