On 21 February 2023 the Australian Government released its response (Response) to the Parliamentary Joint Committee on Intelligence and Security’s (PJCIS) ‘Review of the mandatory data retention regime’ (Review), accepting most of the PJCIS’s 22 recommendations.
If the recommendations accepted by the Government are ultimately implemented, the initiatives referred to in the Response [1] will:
- provide regulated telecommunication providers with greater clarity on the operation and scope of the mandatory data retention regime (MDRR);
- introduce additional safeguards around the use, access and storage of metadata by various government bodies; and
- increase the transparency of the regime by imposing additional reporting obligations on law enforcement authorities making use of the MDRR.
What is the mandatory data retention regime?
The MDRR is set out in the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA Act) and the Telecommunications Act 1997 (Cth) (Telecomms Act).
Part 5-1A of the TIA Act requires carriers and internet service providers that own or operate communications infrastructure in Australia to retain certain metadata relevant to communications carried by means of the telecommunication services they provide.
The categories of metadata that must be retained are:
- information about the subscriber (including names, address and other information for identification purposes), account, service and device information relating to the relevant service;
- the source and destination of the communication;
- the date, time and duration of the communication;
- the type of communication (eg Voice, SMS, email, chat, forum, social media) or of the relevant service used in connection with a communication (eg ADSL, Wi‑Fi, VoIP, cable, GPRS, VoLTE, LTE); and
- the location of equipment, or a line, used in connection with the communication. [2]
Section 187A(4) of the TIA Act lists information that must not be retained. This includes:
- the contents or substance of the communication;
- information about a subscriber’s web browsing history;
- information or documents that originate independently of the service provider and pass "over the top" of the underlying service (eg messaging and video call apps, video streaming content, and similar content not provided by the relevant service provider); and
- information about the location of a telecommunications device that is not information used by the service provider to provide the relevant service.
Metadata which is retained under the MDRR must be encrypted, retained for 2 years [3] and protected from unauthorised interference. [4]
Use and disclosure of retained metadata
The Telecomms Act prohibits the disclosure or use by regulated service providers of retained metadata, [5] subject to certain exceptions. These exceptions include disclosure:
- to criminal enforcement agencies as necessary for the enforcement of the criminal law or a law imposing a pecuniary penalty, or for the protection of the public revenue; [6]
- to the Australian Federal Police or foreign law enforcement agencies for the purposes of enforcing the criminal law of a foreign country, crimes within the jurisdiction of the International Criminal Court and war crimes; [7]
- as required or authorised under a warrant in connection with the operation of a criminal enforcement agency; [8] and
- as required or authorised by or under law (Legal Authorisation Exception). [9]
The Review [10] found that, beyond criminal enforcement agencies, at least 87 other agencies had controversially relied on the Legal Authorisation Exception to gain access to metadata in a manner which exceeded the intended scope of the MDRR. These included local councils, the RSPCA, state fisheries bodies and other government departments.
What did the Review recommend, and how did the Government respond?
The Review made 22 recommendations. Summaries of the more significant recommendations, and of the Government's responses to them, are set out below.
Updating the TIA Act to provide greater clarity in the operation of the MDRR, including by clarifying:
- what constitutes the content or substance of a communication which is excluded from the MDRR;
- that service providers are not required to store information generated by Internet of Things devices; and
- the more limited circumstances in which a person can be designated by a criminal enforcement agency as an ‘authorised officer’ capable of requesting access to metadata under the MDRR.
Each of these recommendations was accepted.
With respect to Internet of Things devices in particular, the Response noted it would not be appropriate for service providers to retain data generated by such devices, given the wide range of devices and the potentially significant compliance costs for service providers. However, the Response noted that if the Government considers there are clear benefits in requiring service providers to keep information for particular Internet of Things devices, those devices could be brought within the scope of the MDRR.
Updating the TIA Act to include stronger safeguards in the use of the MDRR, including:
- requiring criminal enforcement agencies that receive information which is excluded from the MDRR under s 187A(4) to not use the information, to quarantine the information and to notify the Commonwealth Ombudsman or Inspector-General of Intelligence and Security of the disclosure;
- requiring criminal enforcement agencies to retain metadata acquired under the MDRR for a prescribed minimum period and deleting it as soon as practicable after the data is no longer needed;
- reducing the situations in which authorised officers can make verbal authorisations for the disclosure of metadata; and
- increasing reporting requirements for criminal law enforcement bodies and for the responsible minister.
Each of these recommendations was either accepted or accepted in principle.
Repealing the Legal Authorisation Exception and clarifying that only ASIO and certain specified criminal law enforcement agencies are permitted to authorise the disclosure of metadata.
This recommendation was accepted in principle, and the Response noted that the Government shared the PJCIS’s concern that the Legal Authorisation Exception operated as an inappropriate means to access metadata without oversight and safeguards.
Despite this, recent legislative amendments to the Telecomms Act have been passed introducing additional record keeping obligations with respect to disclosures made in accordance with the Legal Authorisation Exception. [11] These new record keeping requirements will take effect on 11 October 2023. It will be interesting to see what impact this has on any debate on the repeal of the Legal Authorisation Exception moving forward.
Preparation by the Department of Home Affairs of guidelines on:
- the operation of the MDRR by enforcement agencies; and
- data collection and the most cost effective way to achieve the intended outcome of facilitating better oversight.
Each of these recommendations was accepted.
Imposing certain additional obligations on service providers by:
- updating the Telecomms Act to require service providers to keep detailed records of the kinds of information included in each disclosure of metadata, including the type of data; and
- updating the TIA Act to require service providers to store metadata on servers located in Australia (unless specifically exempted) and to demonstrate to the Australian Communications and Media Authority that they have met the minimum standards for ensuring the security of retained metadata.
The recommendation relating to the Telecomms Act was accepted, with the Response noting that the relevant amendments to the Telecomms Act were included in amending legislation that has now been passed and assented to. [12]
The recommendation relating to the TIA Act was accepted in principle, although the Response noted that the design of reforms requiring the storage of metadata on servers located in Australia required further consultation to fully determine the potential burden on industry.
What are the next steps?
The Response notes that the Australian Government is currently developing more holistic reforms to the Commonwealth electronic surveillance framework, which will include the repeal of the TIA Act, Surveillance Devices Act 2004 (Cth) and parts of the Australian Security Intelligence Organisation Act 1979 (Cth) with a consolidated bill dealing with computer access and surveillance devices. No timeline was provided for the legislative reforms proposed in the Response, but such reforms could potentially be introduced as part of broader reforms to the Commonwealth electronic surveillance legislative framework.
[2] TIA Act s 187AA.
[3] TIA Act ss 187BA-187C.
[4] TIA Act s 187BA.
[5] Telecomms Act ss 276-278.
[6] TIA Act ss 177-179.
[7] TIA Act ss 180A-180B.
[8] Telecomms Act s 280(1)(a).
[9] Telecomms Act s 280(1)(b).
[11] Telecommunications Legislation Amendment (Information Disclosure, National Interest and Other Measures) Act 2023 (Cth) Sch 1 cl 12, which introduces a new s 306(5)(cb) into the Telecomms Act.
[12] Telecommunications Legislation Amendment (Information Disclosure, National Interest and Other Measures) Act 2023 (Cth).