01 March 2015

PJCIS 'Metadata Bill' report

The 362-page Advisory Report [PDF] by the Parliamentary Joint Committee on Intelligence and Security regarding the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (Cth) features the following recommendations, with the Government presumably ignoring several recommendations (eg RR 33, 38) and the Bill becoming law in the near future.
R1 The Committee recommends that the Government provide a response to the outstanding recommendations from the Committee’s 2013 Report of the Inquiry into Potential Reforms of Australia’s National Security Legislation by 1 July 2015.
The data set
R2 The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to include the proposed data set in primary legislation.
R3 To provide for emergency circumstances, the Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended so that the Attorney-General can declare items for inclusion in the data set under the following conditions:
  • The declaration ceases to have effect after 40 sitting days of either House, 
  • An amendment to include the data item in legislation should be brought before the Parliament before the expiry of the 40 sitting days, and 
  • The amendment should be referred to the Parliamentary Joint Committee on Intelligence and Security with a minimum of 15 sitting days for review and report.
R4 The Committee recommends that the proposed data set published by the Attorney-General’s Department on 31 October 2014 be amended to incorporate the recommendations of the Data Retention Implementation Working Group.
R5 The Committee recommends that the Explanatory Memorandum to the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to make clear that service providers are not required to collect and retain customer passwords, PINs or other like information.
R6 The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to make clear that service providers are only required to retain telecommunications data to the extent that such information is, in fact, available to that service provider.
R7 The Committee recommends that the Explanatory Memorandum to the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to make clear that service providers are not required to keep web-browsing histories or other destination information, for either incoming or outgoing traffic.
R8 The Committee recommends that the Explanatory Memorandum to the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to provide greater clarity in defining ‘sessions’ in proposed new subsection 187A(7) of the Bill.
Data retention period
R9 The Committee recommends that the two-year retention period specified in section 187C of the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be maintained.
R10 The Committee recommends that the Explanatory Memorandum to the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 clarify the requirements for service providers with regard to the retention, de-identification or destruction of data once the two year retention period has expired.
Application to particular services, and implementation, cost and funding arrangements
R11 The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to define the term ‘infrastructure’ in greater detail, for the purposes of paragraph 187A(3)(c).
R12 The Committee recommends that the Attorney-General’s Department and national security and law enforcement agencies provide the Parliamentary Joint Committee on Intelligence and Security with detailed information about the impact of the exclusion of services provided to a single area pursuant to subparagraph 187B(1)(a)(ii) as part of the Committee’s review of the regime, pursuant to section 187N of the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014.
R13 The Committee recommends that proposed section 187B in the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to require the Communications Access Co-ordinator to consider the objects of the Privacy Act 1988 when considering whether to make a declaration under proposed subsection 187B(2). If there is any uncertainty or a need for clarification, the Co-ordinator should consult with the Australian Privacy Commissioner on that issue before making such a declaration. Further, the Co-ordinator should be required to notify the Parliamentary Joint Committee on Intelligence and Security of any declaration made under 187B(2) as soon as practicable after it is made.
R14 To provide for emergency circumstances, the Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended so that the Attorney-General can declare additional classes of service providers under the following conditions:
  • The declaration ceases to have effect after 40 sitting days of either House, 
  • An amendment to include the class of service provider in legislation should be brought before the Parliament before the expiry of the 40 sitting days, and 
  • The amendment should be referred to the Parliamentary Joint Committee on Intelligence and Security with a minimum of 15 sitting days for review and report.
R15 The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 and accompanying Explanatory Memorandum be amended to enable the Communications Access Co-ordinator to refer any disputes over proposed implementation plan exemptions or variations to the Australian Communications Media Authority for determination.
R16 The Committee recommends that the Government make a substantial contribution to the upfront capital costs of service providers implementing their data retention obligations. When designing the funding arrangements to give effect to this recommendation, the Government should ensure that an appropriate balance is achieved that accounts for the significant variations between the services, business models, sizes and financial positions of different companies within the telecommunications industry. In particular, the Committee recommends that the Government ensure that the model for funding service providers:
  • provides sufficient support for smaller service providers, who may not have sufficient capital budgets or operating cash flow to implement data retention, and privacy and security controls, without up-front assistance; 
  • minimises any potential anti-competitive impacts or market distortions; 
  • accounts for the differentiated impact of data retention across different segments of the telecommunications industry; 
  • incentivises timely compliance with their data retention obligations; 
  • provides appropriate incentives for service providers to implement efficient solutions to data retention; 
  • does not result in service providers receiving windfall payments to operate and maintain existing, legacy systems; and 
  • takes into account companies that have recently invested in compliant data retention capabilities in anticipation of the Bill’s passage.
Authority to access stored communications and telecommunications data
R17 The Committee recommends that criminal law-enforcement agencies, which are agencies that can obtain a stored communications warrant, be specifically listed in the Telecommunications (Interception and Access) Act 1979. To provide for emergency circumstances, the Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended so that the Attorney-General can declare an authority or body as a criminal law-enforcement agency subject to the following conditions:
  • the declaration ceases to have effect after 40 sitting days of either House; 
  • an amendment to specify the authority or body as a criminal law-enforcement agency in legislation should be brought before the Parliament before the expiry of the 40 sitting days; and 
  • the amendment should be referred to the Parliamentary Joint Committee on Intelligence and Security with a minimum of 15 sitting days for review and report.
Further, consistent with the existing provisions of the Bill, the Attorney-General must have regard to the factors listed in proposed paragraphs 110A(4)(b)-(f), and must also be satisfied on reasonable grounds that the functions of the agency include investigating serious contraventions.
R18 The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, or its Explanatory Memorandum, or both, be amended to provide that the characteristics of a binding scheme referred to in proposed subparagraph 110A(4)(c)(ii) of the Telecommunications (Interception and Access) Act 1979 include a mechanism:
  • for monitoring the authority or body’s compliance with the scheme; and 
  • to enable individuals to seek recourse if their personal information is mishandled.
The Committee notes that the Australian Privacy Commissioner currently has these functions in relation to Commonwealth agencies, and some States have privacy commissions which would be well placed to perform these functions within these jurisdictions. Other jurisdictions may need to expand the functions of their existing oversight bodies, or establish new oversight arrangements to meet these requirements.
R19 The Committee recommends that the Attorney-General’s Department review whether:
  • the agencies which may access the content of communications (either by way of interception warrants or stored communications warrants) under the Telecommunications (Interception and Access) Act 1979 should be standardised, and 
  • the Attorney-General’s declaration power contained in proposed section 110A of the Telecommunications (Interception and Access) Act 1979 in respect of criminal law-enforcement agencies should be adjusted accordingly.
The Committee further recommends that the Attorney-General report to Parliament on the findings of the review by the end of the implementation phase of the data retention regime. 
R20 The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to list the Australian Securities and Investments Commission (ASIC) and the Australian Competition and Consumer Commission (ACCC) as criminal law-enforcement agencies under proposed section 110A of the Telecommunications (Interception and Access) Act 1979.
R21 The Committee recommends that enforcement agencies, which are agencies authorised to access telecommunications data under internal authorisation, be specifically listed in the Telecommunications (Interception and Access) Act 1979. To provide for emergency circumstances the Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended so that the Attorney-General can declare an authority or body as an enforcement agency subject to the following conditions:
  • the declaration ceases to have effect after 40 sitting days of either House; 
  • an amendment to specify the authority or body as an enforcement agency in legislation should be brought before the Parliament before the expiry of the 40 sitting days; and 
  • the amendment should be referred to the Parliamentary Joint Committee on Intelligence and Security with a minimum of 15 sitting days for review and report.
Further, consistent with the existing provisions of the Bill, the Attorney-General must have regard to the factors listed in proposed paragraphs 176A(4)(b)-(f), and must also be satisfied on reasonable grounds that the functions of the agency include enforcement of the criminal law, administering a law imposing a pecuniary penalty, or administering a law relating to the protection of the public revenue.
R22 The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, or the Explanatory Memorandum, or both, be amended to provide that the characteristics of a binding scheme referred to in proposed subparagraph 176A(4)(c)(ii) of the Telecommunications (Interception and Access) Act 1979 include a mechanism:
  • for monitoring the authority or body’s compliance with the scheme; and 
  • to enable individuals to seek recourse if their personal information is mishandled.
The Committee notes that the Australian Privacy Commissioner currently has these functions in relation to Commonwealth agencies, and some States have privacy commissions which would be well placed to perform these functions within these jurisdictions. Other jurisdictions may need to expand the functions of their existing oversight bodies, or establish new oversight arrangements to meet these requirements.
R23 The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to prohibit civil litigants from being able to access telecommunications data that is held by a service provider solely for the purpose of complying with the mandatory data retention regime. To enable appropriate exceptions to this prohibition the Committee recommends that a regulation making power be included. Further, the Committee recommends that the Minister for Communications and the Attorney-General review this measure and report to the Parliament on the findings of that review by the end of the implementation phase of the Bill.
R24 The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to make clear that individuals have the right to access their personal telecommunications data retained by a service provider under the data retention regime. Telecommunications service providers should be able to recover their costs in providing such access, consistent with the model applying under the Privacy Act in respect of giving access to personal information.
R25 The Committee recommends that section 180F of the Telecommunications (Interception and Access) Act 1979 be replaced with a requirement that, before making an authorisation under Division 4 or 4A of Part 4-1 of the Act, the authorised officer making the authorisation must be satisfied on reasonable grounds that any interference with the privacy of any person or persons that may result from the disclosure or use is justifiable and proportionate. In making this decision the authorised officer should be required to have regard to:
  • the gravity of the conduct being investigated, including whether the investigation relates to a serious criminal offence, the enforcement of a serious pecuniary penalty, the protection of the public revenue at a sufficiently serious level or the location of missing persons; 
  • the reason why the disclosure is proposed to be authorised; and 
  • the likely relevance and usefulness of the information or documents to the investigation.
R26 The Committee acknowledges the importance of recognising the principle of press freedom and the protection of journalists’ sources. The Committee considers this matter requires further consideration before a final recommendation can be made. The Committee therefore recommends that the question of how to deal with the authorisation of a disclosure or use of telecommunications data for the purpose of determining the identity of a journalist’s source be the subject of a separate review by this Committee. The Committee would report back to Parliament within three months. In undertaking this inquiry, the Committee intends to conduct consultations with media representatives, law enforcement and security agencies and the Independent National Security Legislation Monitor. The review will also consider international best practice, including data retention regulation in the United Kingdom.
R27 The Committee recommends that the Telecommunications (Interception and Access) Act 1979 be amended to require agencies to provide a copy to the Commonwealth Ombudsman (or Inspector General of Intelligence and Security (IGIS) in the case of ASIO) of each authorisation that authorises disclosure of information or documents under Chapter 4 of the Act for the purpose of determining the identity of a journalist’s sources. The Committee further recommends that the IGIS or Commonwealth Ombudsman be required to notify this Committee of each instance in which such an authorisation is made in relation to ASIO and the AFP as soon as practicable after receiving advice of the authorisation and be required to brief the Committee accordingly.
R28 The Committee recommends that the Attorney-General’s Department oversee a review of the adequacy of the existing destruction requirements that apply to documents or information disclosed pursuant to an authorisation made under Chapter 4 of the Telecommunications (Interception and Access) Act 1979 and held by enforcement agencies and ASIO. The Committee further recommends that the Attorney-General report to Parliament on the findings of the review by 1 July 2017.
Safeguards and oversight
R29 The Committee recommends that the Government consider the additional oversight responsibilities of the Commonwealth Ombudsman set out in the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 and ensure that the Office of the Commonwealth Ombudsman is provided with additional financial resources to undertake its enhanced oversight responsibilities.
R30 The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to require the Parliamentary Joint Committee on Intelligence and Security to commence its review no later than the second anniversary of the end of the implementation period. The Committee considers it is desirable that a report on the review be presented to the Parliament no later than three years after the end of the implementation period.
R31 At the time of the review required to be undertaken by the Parliamentary Joint Committee on Intelligence and Security under proposed section 187N of the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, the Committee recommends that the Attorney-General request the Committee to examine the following issues:
  • the effectiveness of the scheme, 
  • the appropriateness of the dataset and retention period, 
  • costs, 
  • any potential improvements to oversight, 
  • regulations and determinations made, 
  • the number of complaints about the scheme to relevant bodies, and 
  • any other appropriate matters.
To facilitate the review, the Committee recommends that agencies be required to collect and retain relevant statistical information to assist the Committee’s consideration of the above matters. The Committee also recommends that all records of data access requests be retained for the period from commencement until the review is concluded. Finally the Committee recommends that, to the maximum extent possible, the review be conducted in public.
R32 The Committee recommends that the Attorney-General coordinate the provision of a standing secondee or secondees to the secretariat of the Parliamentary Joint Committee on Intelligence and Security, in recognition of the additional oversight and review requirements associated with the Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014 and the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014.
R33 The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to require the annual report prepared under section 187P to include:
  • costs of the scheme, 
  • use of implementation plans, 
  • category of purpose for accessing data, including a breakdown of types of offences, 
  • age of data sought, 
  • number of requests for traffic data, and 
  • number of requests for subscriber data.
The Committee also recommends that the Attorney-General’s Department provide the Committee with an annual briefing on the matters included in this report.
R34 The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to provide that the Committee may inquire into any matter raised in the annual report prepared under proposed section 187P, including where this goes to a review of operational matters. Legislative change to the Intelligence Services Act 2001 should be implemented to reflect this changed function. The Committee further recommends that the Commonwealth Ombudsman and Inspector-General of Intelligence and Security provide notice to the Committee should either of them hold serious concerns about the purpose for, or the manner in which, retained data is being accessed.
R35 Having regard to the regulatory burden on small providers with an annual turnover of less than $3 million, the Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to require all service providers to be compliant, in respect of retained data, with either the Australian Privacy Principles or binding rules developed by the Australian Privacy Commissioner.
R36 The Committee recommends that the Government enact the proposed Telecommunications Sector Security Reforms prior to the end of the implementation phase for the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014.
R37 The Committee recommends that the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be amended to require service providers to encrypt telecommunications data that has been retained for the purposes of the mandatory data retention regime. To give effect to this recommendation, the Committee recommends that the Data Retention Implementation Working Group develop an appropriate standard of encryption to be incorporated into regulations, and that the Communications Access Co-ordinator be required to consider a provider’s compliance with this standard as part of the Data Retention Implementation Plan process. Further, the Communications Access Co-ordinator should be given the power to authorise other robust security measures in limited circumstances in which technical difficulties prevent encryption from being implemented in existing systems used by service providers.
R38 The Committee recommends introduction of a mandatory data breach notification scheme by the end of 2015.
R39 The Committee recommends that, following consideration of the recommendations in this report, the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 be passed.
Update

The Government released its response, accepting all 39 recommendations, late on 3 March 2015.