On 21 February 2023 the Australian Government released its response (Response) to the Parliamentary Joint Committee on Intelligence and Security’s (PJCIS) ‘Review of the mandatory data retention regime’ (Review), accepting most of the PJCIS’s 22 recommendations.
Key takeaways
If the recommendations accepted by the Government are ultimately implemented, the initiatives referred to in the Response[1] will:
- provide regulated telecommunications providers with greater clarity on the operation and scope of the mandatory data retention regime (MDRR);
- introduce additional safeguards around the use, access and storage of metadata by various government bodies; and
- increase the transparency of the regime by imposing additional reporting obligations on law enforcement authorities making use of the MDRR.
What is the mandatory data retention regime?
The MDRR is set out in the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act) and the Telecommunications Act 1997 (Cth) (Telecomms Act).
Retention obligations
Part 5-1A of the TIA Act requires carriers and internet service providers that own or operate communications infrastructure in Australia to retain certain metadata relevant to communications carried by means of the telecommunication services they provide.
The categories of metadata that must be retained are:
- information about the subscriber (including names, address and other information for identification purposes), account, service and device information relating to the relevant service;
- the source and destination of the communication;
- the date, time and duration of the communication;
- the type of communication (eg Voice, SMS, email, chat, forum, social media) or of the relevant service used in connection with a communication (eg ADSL, Wi‑Fi, VoIP, cable, GPRS, VoLTE, LTE); and
- the location of equipment, or a line, used in connection with the communication.[2]
Section 187A(4) of the TIA Act lists information that must not be retained. This includes:
- the contents or substance of the communication;
- information about a subscriber’s web browsing history;
- information or documents that have origins which are independent of the service provider and which pass “over the top” of the underlying service (eg messaging and video call apps, video streaming content, and similar not provided by the relevant service provider); and
- information about the location of a telecommunications device that is not information used by the service provider to provide the relevant service.
Metadata which is retained under the MDRR must be encrypted, retained for 2 years[3] and protected from unauthorised interference.[4]
Use and disclosure of retained metadata
The Telecomms Act prohibits the disclosure or use by regulated service providers of retained metadata,[5] subject to certain exceptions. These exceptions include disclosure:
- to criminal enforcement agencies as necessary for the enforcement of criminal law or a law imposing a pecuniary penalty, or for the protection of the public revenue;[6]
- to the Australian Federal Police or foreign law enforcement agencies for the purposes of enforcing the criminal law of a foreign country, crimes within the jurisdiction of the International Criminal Court and war crimes;[7]
- as required or authorised under a warrant in connection with the operation of a criminal enforcement agency;[8] and
- as required or authorised by or under law (Legal Authorisation Exception).[9]
The Review[10] found that at least 87 agencies other than criminal enforcement agencies had, controversially, used the Legal Authorisation Exception to gain access to metadata in a manner which exceeded the intended scope of the MDRR. These included local councils, the RSPCA, state fisheries bodies and other government departments.
What did the Review recommend, and how did the Government respond?
The Review made 22 recommendations. Summaries of the more significant recommendations, and the Government's responses to them, are set out below.
| Review recommendation | Government response |
|---|---|
| Updating the TIA Act to provide greater clarity in the operation of the MDRR, including by clarifying: | Each of these recommendations was accepted. With respect to Internet of Things devices in particular, the Response noted that it would not be appropriate for service providers to retain data generated by such devices, given the wide range of devices and the potentially significant compliance costs for service providers. However, the Response noted that if the Government considers there are clear benefits in requiring service providers to keep information for particular Internet of Things devices, those devices could be brought within the scope of the MDRR. |
| Updating the TIA Act to include stronger safeguards in the use of the MDRR, including: | Each of these recommendations was either accepted or accepted in principle. |
| Repealing the Legal Authorisation Exception and clarifying that only ASIO and certain specified criminal law enforcement agencies are permitted to authorise the disclosure of metadata. | This recommendation was accepted in principle, and the Response noted that the Government shared the PJCIS's concern that the Legal Authorisation Exception operated as an inappropriate means of accessing metadata without oversight and safeguards. Despite this, recent legislative amendments to the Telecomms Act have been passed introducing additional record keeping obligations with respect to disclosures made in accordance with the Legal Authorisation Exception.[11] These new record keeping requirements will take effect on 11 October 2023. It will be interesting to see what impact this has on any debate about repealing the Legal Authorisation Exception. |
| Preparation by the Department of Home Affairs of guidelines on: | Each of these recommendations was accepted. |
| Imposing certain additional obligations on service providers by: | The recommendation relating to the Telecomms Act was accepted, with the Response noting that the relevant amendments to the Telecomms Act have been introduced, passed and assented to.[12] The recommendation relating to the TIA Act was accepted in principle, although the Response noted that the design of reforms requiring the storage of metadata on servers located in Australia required further consultation to fully determine the potential burden on industry. |
What are the next steps?
The Response notes that the Australian Government is currently developing more holistic reforms to the Commonwealth electronic surveillance framework, which will include the repeal of the TIA Act, Surveillance Devices Act 2004 (Cth) and parts of the Australian Security Intelligence Organisation Act 1979 (Cth) with a consolidated bill dealing with computer access and surveillance devices. No timeline was provided for the legislative reforms proposed in the Response, but such reforms could potentially be introduced as part of broader reforms to the Commonwealth electronic surveillance legislative framework.
1. https://www.ag.gov.au/crime/publications/government-response-parliamentary-joint-committee-intelligence-and-security-report-its-review-mandatory-data-retention-regime.
2. TIA Act s 187AA.
3. TIA Act ss 187BA-187C.
4. TIA Act s 187BA.
5. Telecomms Act ss 276-278.
6. TIA Act ss 177-179.
7. TIA Act ss 180A-180B.
8. Telecomms Act s 280(1)(a).
9. Telecomms Act s 280(1)(b).
10. https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/Dataretentionregime/Report.
11. Telecommunications Legislation Amendment (Information Disclosure, National Interest and Other Measures) Act 2023 (Cth) Sch 1 cl 12, which introduces a new s 306(5)(cb) into the Telecomms Act.
12. Telecommunications Legislation Amendment (Information Disclosure, National Interest and Other Measures) Act 2023 (Cth).