Review of the mandatory data retention regime (2019)

1. Introduction

1. The Australian Human Rights Commission makes this submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) in relation to its review of the mandatory data retention regime contained in Part 5-1A of the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act). This review is required by s 187N of the TIA Act.
    
2. In January 2015, the Commission provided a submission[i] to the PJCIS Inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 the Bill), which introduced the mandatory data retention regime. In that submission, the Commission raised a number of concerns about the potential impact of the Bill on human rights and made a number of recommendations.
    
3. As outlined in the Commission’s 2015 submission and acknowledged by the Government at the time of its introduction,[ii] a mandatory data retention regime impacts on human rights—in particular the rights to privacy and freedom of expression. These rights, reflected in articles 17 and 19 of the International Covenant on Civil and Political Rights (ICCPR),[iii] may be limited by proportionate measures to achieve a legitimate aim if those measures include safeguards and appropriate oversight.
    
4. In that submission, and here, the Commission refers extensively to the consideration of relevant issues by European courts and authorities. While, of course, Australia is not bound by laws and treaties that apply solely to European countries, the material referred to by the Commission addresses laws that are very similar to the international and domestic laws applicable in Australia, and so it would be common for Australian courts to consider such material in Australian proceedings that deal with such issues. The Commission also notes the Terms of Reference for this PJCIS review expressly include ‘developments in international jurisdictions since the passage of the Bill’.
    
5. Some of the concerns raised by the Commission in its 2015 submission were addressed by changes made to the Bill before it was passed into law. However, some of our recommendations were not adopted, and the Commission remains concerned about certain aspects of the regime — particularly its broad scope, especially when compared with developments in international jurisdictions.
    
6. As noted in our 2015 submission, ‘[h]uman rights law provides significant scope for [police and security] agencies to have expansive powers to investigate criminal activity as well as to protect our national security, even where they limit individual rights and freedoms. Such limitations must, however, be clearly expressed, unambiguous in their terms, and legitimate and proportionate responses to potential harms.’
    
7. The Commission considers that the mandatory data retention regime goes beyond what can be reasonably justified.
    
8. This submission is directed at the following aspects of the PJCIS Terms of Reference for this inquiry: the continued effectiveness of the scheme, the appropriateness of the dataset retention period, any potential improvements to oversight, and developments in international jurisdictions since the passage of the Bill.
    
9. Recent developments in Europe highlight the problems with mandatory and indiscriminate data retention schemes. It is difficult to justify the breadth of these schemes, given their serious encroachments on privacy and their indirect impacts on freedom of expression. The Court of Justice of the European Union (CJEU) has held that European Union law does not permit national legislation which:
   1. mandates general and indiscriminate data retention
   2. grants access to data in circumstances where access is not solely for the purpose of fighting serious crime, and where access is not subject to prior review by a court or an independent administrative authority.[iv]
       
10. The Commission’s recommendations are aimed at ensuring that the data retention regime is more closely tailored to the purpose of fighting serious crime and is subject to appropriate safeguards and oversight.

2. Recommendations

11. The Commission makes the following recommendations:

Recommendation 1

The Commission recommends that the TIA Act be amended to include a definition of the terms ‘contents’ and ‘substance’ as they appear in ss 172 and 187A(4)(a).

Recommendation 2

The Commission recommends that the two year retention period for communications data be significantly reduced or, alternatively, tailored retention periods be adopted.

Recommendation 3

The Commission recommends that retained communications data is only able to be accessed by enforcement agencies for the investigation of defined, sufficiently serious crimes.

Recommendation 4

The Commission recommends that a warrant or authorisation system by a court or administrative body be implemented for access to retained communications data.

[i] Australian Human Rights Commission (Commission), Submission No 42 to the Parliamentary Joint Committee on Intelligence and Security, Inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (2015) <https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/Data_Retention/Submissions>.

[ii] See eg, Statement of Compatibility, Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (Cth) 10 [33]; Explanatory Memorandum, Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (Cth), 28.

[iii] International Covenant on Civil and Political Rights, opened for signature 16 December 1966, 999 UNTS 171 (entered into force 23 March 1976) <http://www.ohchr.org/EN/ProfessionalInterest/Pages/CCPR.aspx>.

[iv] Tele2 Sverige AB (C-203/15) and Secretary of State for the Home Department (C-698/15) v Post-och telestyrelsen and ors (21 December 2016) (‘Tele2 Sverige AB’).