Mandatory data retention laws and Australia’s attitude to the security versus privacy paradox

Introduction

This article discusses the evolution of the Telecommunications (Interception and Access) Act 1979 (Cth) (‘the Act’) which set off when both houses of the Australian Parliament passed key changes to the Act in 2015 which came into effect in 2017 following an implementation period. These changes created a system of mandatory data retention for Internet Service Providers (‘ISPs’) in Australia. This article looks to the origin and reasons for the change in the law, the relevant case law, what scholars have written about the law, the differences between Australia and the European Union, and makes recommendations to the Australian Government for change.

The origins of Australian's mandatory data retention program

The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 (Cth) (‘the Bill’), which passed both houses of the Parliament of Australia on 26 March 2015 and received Royal Assent on 13 April 2015, was a key piece of legislation on the ruling Liberal National Party Government’s political agenda. The Bill sought to bolster Australia’s ability to detect serious criminal activities (e.g., terrorism and child exploitation material) as early in the course of the conduct as possible. However, the legislation received significant media coverage because opponents of the Bill argued that the Australian people have a right to privacy and the Bill would sell-out an entire population’s privacy in exchange for purported essential security capabilities.

The media and the opposition to the Government of the day focused on the consequences of the Bill on the freedom of the press as it expressly provided for secret warrants to be issued to collect the retained data of journalists by Australian Government agencies such as the Australian Security Intelligence Organisation (‘ASIO’). The Bill passed the House of Representatives with 80 ‘Ayes’ and 51 ‘Noes’¹ and subsequently passed the Senate with 43 ‘Ayes’ and 16 ‘Noes’.²

Before this change in the law, Australian Government agencies had the power to request warrants for the monitoring of particular individuals or organisations. While certain historical information about a person of interest could be gathered after the issue of a warrant, it is the case that the majority of information obtained would be intercepted after a person had already engaged in conduct which prompted an agency to seek to monitor them. It follows that governments have an interest in having access to a history of information about a person of interest to more effectively develop a case. However, this change in law provided a long list of Australian Government agencies with almost unfettered access to the data of every internet user in Australia, which one immediately associates with mass data surveillance. The reason provided for this change in the Act is explained by the Attorney-General’s Department by providing that:

The Honourable Malcolm Turnbull MP, who was Minister for Communications at the time (and later Prime Minister of Australia), said in his Second Reading Speech that:

It is clear from the Honourable Member’s speech that the Australian Government was taking the position that one should not be concerned with the change in the law if they have nothing to hide. These exact words were said by the Attorney-General, Senator George Brandis when referring to the law. It followed that critics said that the Government had degraded Australian’s right to privacy in exchange for the prospect of making some criminal investigations easier for Australian Government agencies.

This change may lead one to wonder if the unquantified benefit provided to society through enabling the Australian Government to engage in mass surveillance outweighs what every Australian loses through the degradation of the fundamental rights we hold dear.

Judicial interpretation

The implementation period set for this change in law expired on 13 April 2017, after which all organisations to which the law applies must comply.

Despite a relatively lengthy implementation period, many saw that judicial interpretation was required, particularly as to what constitutes personal information for the purposes of the Act. A Federal Court of Australia judgment gave rise to questions about the nature of ‘personal information’ in an Australian context, despite considering a cause of action which accrued before the change in law came into force.⁵ It follows that how the Court interprets the test for personal information could affect the privacy rights of individuals. Yet, as Anna Johnston posits, the Court may find it difficult to hold its position concerning the test for personal information in causes of action which have arisen following the change in law coming into force.⁶

This case was one in which a person sought to use their right under Australian law to receive a copy of all personal information that a service provider holds about them. The service provider claimed that some of the information sought was not personal information, which the Federal Court ultimately found. This case reflects that some courts are not yet willing to accept that numerous metadata, when combined, can reveal the identity of an individual and this should receive the same protections under the law as more simple personal information such as one’s name.

Unfortunately, unlike the European Union and the United States of America, Australia does not have an overarching rights system such as the Charter of Fundamental Rights and the Bill of Rights. Thus, there has been no case law concerning the validity of the legislation because there is no provision for privacy, the right to be let alone, or a right to family life for it to be inconsistent with the Australian Constitution.

Academic interpretation

Much has been published by scholars about this change in Australian law, with almost all of it arguing against and decrying the change. Many scholars have compared the law to a big step towards Australia becoming a dystopian society such as those depicted in George Orwell’s 1984 and Aldous Huxley’s Brave New World. One scholar, Peter Leonard, stated that:

Writing for The Conversation, Uri Gal noted that Prime Minister Turnbull severely undermined the argument that this change in the law would help detect crime by demonstrating how it could be circumvented.⁸ Scholars, journalists and the Prime Minister have all admitted that the use of a Virtual Private Network (‘VPN’) would make the data that the ISP’s are forced to collect useless for the Government agencies. As a result, 13 April 2017 was unofficially named ‘Get a VPN Day’. This begs the question: if everyone who cares about their privacy or intends on committing a crime can easily circumvent the effect of the laws, how can they possibly achieve this stated purpose?

Interestingly, the Australian Government provided no information on the effectiveness of the laws after they came into effect. One of the central reasons for the change in law was for the detection and prevention of terrorist plots in Australia, but it is widely understood that these sophisticated networks already use encrypted communications which cannot be tracked through the metadata ISP’s collect.⁹ The Government will and should have known this.

It is peculiar as to why the intelligence community could push the purported need for these laws under the guise of preventing terrorism if it would be highly unlikely that that would be possible. One may then wonder what other reason the intelligence community had for greatly expanding their ability to surveil the populace on mass. Yet, the Government continued the same line of reasoning despite its blaring inadequacies and saw the Bill become law.

Australia and the European Union

The Bill was essentially a carbon-copy of the 2006 European Union Data Retention Directive,¹⁰ but with a longer retention period and far less oversight. On 8 April 2014, the Court of Justice of the European Union published its judgment finding that the Directive must be annulled because of its incompatibility with the Charter of Fundamental Rights of the European Union ('CJEU’).¹¹

The CJEU found that the Directive violated Articles 7 and 8 of the Charter.¹² Unfortunately for Australians, we do not have such a Charter, so it is impossible for this law to be struck down on the grounds that it violates one’s right to respect for private and family life or protection of personal data. However, the similarity of these laws demonstrates that governments around the world are ready to undermine the foundations of their democracies in exchange for a trove of data about all their citizens which may or may not assist in protecting national security. The CJEU has made it clear in the 2014 and subsequent rulings that mass data retention is illegal.¹³

The difference between Australia and the European Union in a practical sense is that each Member State must implement an EU Directive. In contrast, in Australia, the law was uniformly in force in all states at the same time. This difference would not have been the case had The European Parliament and The Council provided the legislation in the form of a regulation, much like the General Data Protection Regulation. This way, the law is directly applicable to the Member States upon coming into force at the European Union level. One might be thankful for the fact that the Directive took much longer to affect many European Citizens because the Member States had some time to implement it, and there was some flexibility in its interpretation.

On the other hand, the fact that the Directive had to be transposed into national laws meant that the process of removing it from all Member State’s national legal systems was time-consuming. Even so, Member States such as the United Kingdom forged forward to introduce the now-repealed and replaced Data Retention and Investigatory Powers Act 2014 (UK) ('DRIPA'),¹⁴ which again sought to enact a similar law to that of the Data Retention Directive and the law at hand in Australia. Cases were brought before the High Court, the CJEU, and the ECtHR concerning DRIPA, and it was subsequently repealed on 31 December 2016 following the 21 December 2016 CJEU judgment in the joined cases of C‑203/15 and C‑698/15 finding DRIPA to be unlawful.¹⁵

Australian citizens are less protected compared to European Union citizens from overreaches of power, such as mandatory data retention laws. The European Union has a strong track record of valuing the rights of its citizens despite strong calls to overlook them in exchange for bolstered intelligence capabilities. Some may say that the prevalence of terrorist attacks in Europe compared to Australia is evidence that Australia has done the right thing. But one must remember that Australia has both a significantly smaller population and is geographically displaced from the tumult in the Middle East and Africa. These elements together mean that Australia is not seen as an ideal target for those who wish to do western democracies harm because the impact (i.e., loss of life) would be less severe and the effort would be more expensive and risky because of elements such as radicalising individuals from a distance and access to weapons in a country which has very tight regulations on firearms. One could then pose the question: is it proportionate to the aim of the Australian law to sacrifice people’s privacy in exchange for the capacity to fight a risk that may well not materialise because of the adequacy of other laws concerning national security?

Critical analysis

There are two distinct groups of people when it comes to the debate about mandatory data retention. The first are those who believe that the right to privacy should be protected to a higher degree, and the second are those who believe that any measure of increased intelligence and security capability will trump any right to privacy.

I find myself sitting in the middle in the way that I believe competing interests need to be weighed against each other to strike an appropriate evidence-based balance, rather than an all-or-nothing approach.

I believe that citizens who wish to break the law should have little or no reasonable expectation of privacy after a Government agency has a reasonable suspicion that they have or are planning to commit a crime. However, before such a point, people must not have their data arbitrarily collected and processed by Government agencies as if every person is a suspect in a crime that is as yet undefined. Some refer to this concept as the right to be let alone. Essentially, if one is not suspected of doing something wrong, they should not be interfered with by the Government. But it is increasingly the case around the world that governments are seeing mass surveillance as a measure to deter and detect criminal activity at the expense of privacy. I believe that Theodore Konstadinides puts it best when he asks the question, ‘Destroying Democracy on the Ground of Defending It?’,¹⁶ in his article about the 2006 EU Data Retention Directive.

Recommendations

Unlike many scholars and journalists, I see that a compromise can be made to secure the privacy of Australians and make them feel less like their service providers and the Government are constantly monitoring them by recommending that the capability for Government agencies to access the retained data without a warrant be repealed in its entirety. The Government’s reasoning for the charge in law does not support such unfettered access to information without a warrant and the necessary oversight that comes with satisfying the judiciary as to the need for such action.

It appears that the lack of the requirement for a warrant does not make it any more likely that the crimes that the Government used as examples to promote the law would be solved. This is because in all the examples, such as tracking the users for forums for child exploitation materials, the Government agency had the IP addresses of the suspects. Those IP addresses could be the subject of a court order and warrant compelling the relevant Internet Service Provider to provide access to the archive of metadata for the past two years of the account holder in question. For the Government to attempt to circumvent the judicial system altogether would remove an essential third-party oversight which provides an indispensable roadblock for the prevention of abuses of power.

The concerns raised regarding abuses of power by Australian Government agencies, their employees, and contractors is that without adequate oversight the access to the metadata will be used for illegitimate purposes or in aggregate to create a mass surveillance system akin to the U.S. system that was spectacularly revealed by Edward Snowden.

While the Australian Government may take the position that those who have done nothing wrong have nothing to fear from a system that enables mass surveillance, it can have a detrimental effect on a person’s freedom to express themselves if they are conscious that their Government is keeping a record of their every digital move. This draws parallels to the Peoples Republic of China where self-censoring is widespread because it is the case there that the Government has the ability to tie a digital action back to an individual. Do we really want to live in a society where people censor themselves due to a fear that the Government would find out something about them that they wish to remain private?

My recommendation is quite simple and strikes a compromise which both appeases the Government’s need to better equip their agencies with evidence and the public interest in a right to privacy. Every Australian should be entitled to be confident that their private activities are theirs and theirs alone unless they become a suspect of committing a crime. I do not believe that the Government should have access to this data before there is a reasonable suspicion that a crime or unlawful act has been committed. This compromise sees that the metadata is available for two years if it is needed for a criminal investigation, but subject to the issue of a warrant for said information.

Conclusion

This article looked to the origin and reasons for the change in the law, the relevant case law, what scholars have written about the law, the differences between Australia and the European Union, and made recommendations to the Australian Government for change.

In essence, the changes to the law ignored the interest in protecting the privacy of everyday citizens who have done nothing wrong, yet now feel like the Government is treating them like a suspect and ignoring their right go about their private lives without interference. The effect of this is that Australians will become even more distrustful of their Government, undermining the foundations of Australia’s democracy as a result. This effect was best summed up by Uri Gal when he stated that ‘[w]e must not allow the pernicious intent of a handful of terrorists to be used as an excuse to harm the rights of all Australians and change the fabric of our society.’¹⁷

This article is an adapted and updated version of a research paper of the same name I prepared during the course, Law and Information Technology in Europe, at Universiteit Leiden.

• 1.

  Commonwealth of Australia, Journals of the Senate, Parliamentary Paper Number 90 (2015) 2483.

• 2.

  Commonwealth of Australia, House of Representatives Votes and Proceedings, Parliamentary Paper Number 107 (2015) 1213.

• 3.

  Commonwealth of Australia, Data retention, Department of Home Affairs.

• 4.

  Commonwealth of Australia, Parliamentary Debates, House of Representatives, 30 October 2014 (Malcolm Turnbull).

• 5.

  Privacy Commissioner v Telstra Corporation Ltd (2017) 249 FCR 24.

• 6.

  Anna Johnston, Data, Metadata & Personal Information: A Landmark Ruling from the Federal Court (2017) 31 Law Society of NSW Journal 82, 83.

• 7.

  Peter Leonard, ‘Mandatory Internet Data Retention in Australia - Looking the Horse in the Mouth after it has Bolted’ (2015) 101 Intellectual Property Forum 43, 57.

• 8.

  Uri Gal, The new data retention law seriously invades our privacy – and it’s time we took action (15 June 2017) The Conversation.

• 9.

  Robert Graham, How Terrorists Use Encryption (16 June 2016) Combating Terrorism Center at West Point.

• 10.

  Directive 2006/24/EC of The European Parliament and of The Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.

• 11.

  Joined Cases C‑293/12 and C‑594/12 - Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others and Kärntner Landesregierung and Others.

• 12.

  Roger Clarke, ‘Data retention as mass surveillance: the need for an evaluative framework’ (2015) 5(2) International Data Privacy Law 121.

• 13.

  Julia Fioretti, EU court says mass data retention illegal (21 December 2016) Thomson Reuters.

• 14.

  The DRIPA was replaced by the Investigatory Powers Act 2016 (UK).

• 15.

  Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others (Court of Justice of the European Union, Joined Cases C-203/15 and C-698/15, ECLI:EU:C:2016:970, 21 December 2016).

• 16.

  Theodore Konstadinides, ‘Destroying Democracy on the Ground of Defending It? The Data Retention Directive, the Surveillance State and Our Constitutional Ecosystem’ (2011) 36(5) European Law Review 722.

• 17.

  Uri Gal, The new data retention law seriously invades our privacy – and it’s time we took action (15 June 2017) The Conversation.