Human Rights Commission wants data retention period limited to six months

The Australian Human Rights Commission (AHRC) is still holding firm to its distaste for the current state of the country's data retention regime, asking again on Friday for the retention period to be reduced from up to two years to a period of under six months.

AHRC Commissioner Edward Santow, appearing before the Parliamentary Joint Committee on Intelligence and Security (PJCIS) and its review of the data retention regime that came into being on March 2015, said the existing period for retaining data, undifferentiated by reference to the relevant crime, is too long.  

"Retaining personal data for six months to two years was disproportionate to the aim of fighting a serious crime," he said, citing a finding by the Court of Justice which assessed the impact of similar regimes in Europe, on privacy and freedom of expression.

See also: Why Australia is quickly developing a technology-based human rights problem (TechRepublic)

"In any event, the operation of this law suggests that there may be no compelling need to retain this information for two years. The operation of the legislation since its inception suggests that over 80% of requested data was only zero to three months old, and less than 7% was more than a year old."

Santow said that the law as it stands allows for access to data for minor things like traffic offences, rather than simply for more serious crimes.

Santow said the United Nations Human Rights Committee made similar observations about Australia's data retention regime, expressing concern about the extent to which it impinges on privacy and related rights.

"We are something of an outlier compared to other jurisdictions and authoritative bodies ... [they] have made statements that essentially some of these visions go further in limiting privacy and other rights than is necessary to achieve the objectives -- we need to do better," he said.

"We can, and we need, to do better in making this legislation very targeted in combating serious crimes and serious crimes only, and advancing national security, bringing that within that scope."

The PJCIS said it agreed that "serious organisations looking at serious crimes" should be the only ones with access, pointing to the likes of the RSPCA of Victoria, Australia Post, and the Victorian Taxi Services Commission who previously had the ability to bypass the restriction.  

"We think it needs to be as targeted as possible, and one way of doing that is to be really clear on which agencies truly need this information … a fisheries agency, a local government agency, has been able to take advantage of this scheme, and it's hard to see how those bodies would be needing this information in order to fight serious crime," Santow said in response, pointing to similar international schemes.

"It would have to be a period under six months but we wouldn't want to state a very arbitrary figure when law enforcement agencies … might have a very specific view, but that gives some range."  

By reducing the data retention period, Santow said law enforcement agencies would have a range of tools at their disposal that allow for orders to be sought for preserving certain information from being destroyed by telecommunications providers that would otherwise be destroyed.

"I guess what we're saying is, this seems like a very blunt instrument in order to combat a very serious crime, there would be more targeted ways of combatting more serious crime, than simply having a blanket retention period of two years," he said.

"The fundamental point we're making is that law enforcement agencies have a range of tools and we would think that they are sufficient in combatting serious crime.

"The whole point about international human rights is that there has to be a balance struck."

According to Santow, that balance acknowledges two things: That there is a real impact on an individual's privacy, especially those who are never accused of any serious crime; and that concept also imposes some burden on law enforcement agencies to be diligent and creative to "make sure that they're able to investigate crimes and as quickly as possible".

The commissioner said there were "problematic ambiguities" in the legislation.

"For example, the Act provides that only metadata should be stored and this does not include the contents or substance of a person's communications. The terms 'contents' and 'substance' are not defined in the Act," Santow said.

"There is a serious risk that providers who are worried about falling foul of the law, will retain more personal data than is necessary to combat serious crime."

Under the legislation, access to metadata does not require a warrant; but access to the content of data does.

"Accessing metadata can lead to breaches of human rights, especially the right to privacy," Santow said, noting the current practice is simply to provide verbal authorisations, wrapped in no legal framework.

See also: Law Council wants warrants and crime threshold for metadata retention scheme

"What we're saying is, there should be oversight through a warrant system for accessing metadata. We don't see that would unreasonably, if at all, inhibit law enforcement agencies from carrying out their work. If the concern is that having to apply for a warrant, might lead an individual who might be the subject of an investigation to try and destroy the information -- I don't know how they would be able to do that because the metadata isn't held by the individual, it's held by the telco."

A warrant scheme, he said, would provide assurance there was no "unjustifiable" access and that an unreasonable burden wouldn't be placed on the law enforcement agencies when they are just fulfilling their basic functions.

The committee told the AHRC that agencies have voiced concerns over the burden a warranted system would place on them. Santow rejected such claims, and said applying for a warrant would "help to focus the mind of the agency that is seeking the data".

"It's a fairly modest hurdle to overcome, to work out whether they genuinely need the information or whether it's just something that is so readily accessible, they may as well have it whether they truly need it or not," he said.

"Secondly, I think what we've seen over the last, you know, 20 or so years is that governments have become more efficient in the way in which they create a framework for seeking and granting warrants. And so, while, some time ago, that may have been a very onerous process, I think now, the balance has been struck much better in the way in which warrants can be sought and granted.

"We don't say that that would be a disproportionate burden on the agencies."

RELATED COVERAGE

• Telstra questions whether metadata restrictions are working as intended
• Commonwealth Ombudsman singles out Home Affairs over stored communications and metadata handling
• Dutton defends metadata protections, claims consequences exist for breaches
• ACT Policing had an unauthorised metadata access party 3249 more times in 2015
• Australian enforcement agencies angling for metadata review on telco cost recovery
• Clean Energy Regulator, WA Mines Department, and Vet Surgeons Board trying to access metadata: Comms Alliance
• Australian Taxation Office really wants its access to telco metadata returned