Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015

The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth) is an Act of the Parliament of Australia that amends the Telecommunications (Interception and Access) Act 1979 (original Act) and the Telecommunications Act 1997 to introduce a statutory obligation for Australian telecommunication service providers (TSPs) to retain, for a period of two years, particular types of telecommunications data (metadata) and introduces certain reforms to the regimes applying to the access of stored communications and telecommunications data under the original Act.

The Act is the third tranche of national security legislation passed by the Australian Parliament since September 2014. Pursuant to the Act, the following types of information need to be retained by telecommunication service providers: incoming and outgoing telephone caller identification; the date, time and duration of a phone call; the Location of the device from which phone call was made; the unique identifier number assigned to a particular mobile phone of the phones involved in each particular phone call; the email address from which an email is sent; the time, date and recipients of emails; the size of any attachment sent with emails and their file formats; account details held by the internet service provider (ISP) such as whether or not the account is active or suspended.

The content or substance of a communication is not considered to be metadata and will not be stored. Twenty-two agencies including the Australian Security Intelligence Organisation (ASIO), state police forces, Australian Crime Commission, Australian Taxation Office and NSW Independent Commission Against Corruption (ICAC) are able to view stored metadata without a warrant. The only exception is the metadata of those defined under the Act as journalists. Under a concession driven by the Australian Labor Party, agencies need to seek a warrant before a judicial officer before they are able to view the metadata of journalists, whilst ASIO will need to seek permission of the Attorney-General.

The Abbott government's decision to introduce a mandatory telecommunications data regime led to considerable community debate. It was supported by law enforcement and national security agencies, including the Australian Federal Police and ASIO, who argued telecommunications data is critical to criminal investigations and that it is only through legislation that they can be assured that it will be available. The decision was opposed by a wide range of groups and individuals including journalists, human rights organisations and civil liberties groups. Their objections were made on a number of grounds, such as the consequences for journalism and journalistic practice, the non-proportionate and increasing encroachment of the privacy of Australia's population, and the effectiveness of the regime as a tool to combat crime. Questions over its cost and the consequences for the telecommunications industry, in particular small to medium-sized providers, have also been raised as arguments against mandatory data retention. TSPs and ISPs were given an 18-month grace period to improve their systems and establish processes to comply with the legislation. Telstra has indicated it will store data it retains within Australia, but other TSPs and ISPs are not obligated to do so under the law.

Access to telecommunications data
Under the previous regime set down under the Telecommunications (Interception and Access) Act 1979 (the original Act), ‘enforcement agencies’ and ASIO could access telecommunications data through issuing an internal, or intra-organisation, authorisation. During the 2012-2013 inquiry into Australia's national security legislation conducted by the PJCIS, the Attorney General's Department issued a document detailing what it considered to be telecommunications data. This included "information that allowed a communication to occur", such as the date, time and duration of the communication, the devices involved in the communication, and the location of those devices such as mobile phone tower, and "information about the parties to the communication", such as their names and addresses.

Section 5 of the Act defined an enforcement agency to include the Australian Federal Police (AFP), the police force of a State or Territory, the Australian Customs and Border Protection Service, crime commissions, anti-corruption bodies and the CrimTrac Agency. The definition also included an allowance enabling organisations whose remit either involves the administration of law involving a financial penalty or the administration of a law to protect taxation revenue to access telecommunications data.

The head of an enforcement agency, the deputy head of an agency, or a management level officer or employee of an agency, given permission in writing by the head of the agency, had the power to authorise access to telecommunications data. For ASIO, authorisations for access to telecommunications data could only be made when the individual making the authorisation was "satisfied that the disclosure would be in connection with the performance by the Organisation of its functions". ASIO also had to comply with guidelines issued under Section 8A of the Australian Security Intelligence Organisation Act 1979. These guidelines demanded that the initiation and continuation of investigations only be authorised by the Director-General, or an officer at or above Executive Level 2 authorised by the Director-General for that purpose; and that any means used for obtaining information must be proportionate to the gravity of the threat posed and the probability of its occurrence.

In 2012-13, more than 80 Commonwealth, State and Territory enforcement agencies accessed telecommunications data under the original Act. In that same period, more than 330,640 authorisations were dispensed allowing access to data. These authorisations resulted in 546,500 disclosures.

Proposals for reform
Since at least June 2010, it had been reported that the Australian Government was considering establishing a telecommunications data retention scheme. On 4 May 2012, the Gillard government announced plans to review a range of national security legislation, including that covering "lawful access to telecommunications… to ensure that vital investigative tools are not lost as telecommunications providers change their business practices and begin to delete data more regularly."

In July 2012 the Attorney-General's Department released "Equipping Australia against Emerging and Evolving Threats", a discussion paper focused on proposed national security reforms. The paper's first chapter outlined the terms of reference for an inquiry to be conducted by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) into the potential reform of national security legislation, specifically the four following Acts:
 * Telecommunications (Interception and Access) Act 1979
 * Telecommunications Act 1997
 * Australian Security Intelligence Organisation Act 1979
 * Intelligence Services Act 2001

The discussion paper grouped these proposals into three different categories: those the Government wished to progress, those the Government was considering, and those on which the Government was seeking the Committee's opinion. Though the paper contained eighteen proposals and forty-one individual reforms, the suggestion that carriage service providers (CSPs) be required to retain information on the way Australians use the internet and mobile phones elicited much consternation and comment from the community. This was a point the Committee highlighted in its final report to the Government:"'The potential data retention regime attracted a large amount of criticism and comment from organizations and concerned individuals. These organizations and individuals generally considered any potential data retention regime a significant risk to both the security and their privacy. In addition to these general comments, the Committee received a large volume of form letter correspondence.' "On 24 June 2013, the Committee issued its report and put the decision on whether to progress with a mandatory data retention scheme back in the Government's hands. On the same day the report was released, Attorney-General Mark Dreyfus announced the Government would not be pursuing its proposal. On 30 October 2014, the Abbott government introduced the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 into the House of Representatives. On 21 November 2014, the Attorney-General Senator George Brandis wrote to the PJCIS, referring the provisions of the Bill for inquiry.

Chaired by MP Dan Tehan, the Committee received 204 submissions, 31 supplementary submissions and held three public hearings. On 27 February 2015, the Committee presented its report, containing 39 recommendations. On 3 March 2015, the Government announced it would accept all the Committee's recommendations. However, the opposition Labor Party only agreed to support the passage of the Bill through the Senate after amendments were made to protect journalistic sources. On 26 March 2015, the Senate voted in favour of the Bill. On 13 April 2015, the Governor-General gave his royal assent and the Act entered into law.

Report recommendations
In response to the need for available telecommunications data and growing national security threats, Attorney-General George Brandis asked the PJCIS to inquire into and report on the Act. The Committee handed down its report entitled Report of the Inquiry into Potential Reforms of Australia’s National Security Legislation (2013 PJCIS Report) on 24 June 2013, in which it made these recommendations:
 * The data retention obligation only applies to telecommunications data (not content) and internet browsing is explicitly excluded (Recommendation 42)
 * Service providers are required to protect the confidentiality of retained data by encrypting the information and protecting (Recommendation 42)
 * Mandatory data retention will be reviewed by the PJCIS no more than three years after its commencement (Recommendation 42)
 * The Commonwealth Ombudsman will oversight the mandatory data retention scheme and more broadly law enforcement exercise of powers under Chapter 3 and 4 of the original Act (Recommendations 4 and 42); and
 * Confining agencies’ use of, and access to, telecommunications data through refined access arrangements, including a ministerial declaration scheme based on demonstrated investigative or operations need (Recommendation 5).

The Act was again referred to the PJCIS for inquiry on 21 November 2014, where the Committee tabled its Advisory Report on the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2014 (2015 PJCIS Report) on 25 February 2015. The PJCIS made these additional recommendations:
 * The implementation of a mandatory data retention regime is necessary to maintain the capability of national security and law enforcement agencies and recommended that the Act be passed (Recommendation 39)
 * Establish a ‘journalist information warrants’ regime and restrict the agencies who can access this data (Recommendation 26 and 27)
 * Provide for record-keeping and reporting the use of, and access to, telecommunications data and enable the Commonwealth Ombudsman to assess agency compliance (Recommendation 29)
 * Amend the Australian Security Intelligence Organisation Act 1979(Cth)to provide that certain matters relating to data retention be include in the ASIO Annual Report; and
 * Amend the Intelligence Services Act 2001(Cth) to enable to PJCIS to inquire into operation matters relating to the use of telecommunications data by ASIO and the Australian Federal Police, in relation to counter-terrorism function (Recommendation 34)

On 3 March 2015, the Abbott government announced that it would accept all of the above recommendations, and on 19 March 2015, the House of Representatives agreed to the amendments to the Act and to the Intelligence Services Act 2001, the Telecommunication Act 1997, and the Privacy Act 1988 and the Australia Security Intelligence Organisations Act 1979 to give effect to the 2015 PJCIS Report. The House of Representatives also agreed to amendments to implement the ‘journalist information warrant’ scheme.

The Act
The Act's purpose is to amend the original Act and Telecommunications Act 1997 so as to require service providers to retain a defined subset of telecommunications data (the data set) produced in the course of providing telecommunications services. Before the Act, the original Act did not specify the types of data the telecommunications industry should retain for law enforcement and national security purposes, or how long that information should be held. As a result, there was significant variation across the telecommunications industry in the types of data available to national law enforcement agencies and national security agencies and the period of time information was available. The lack of available data was identified by agencies as an impediment to their ability to investigate and prosecute national security-related offences, including counter-terrorism, counter-espionage and cyber-security and serious criminal offences such as murder, rape and kidnapping.

The amendments are contained in three schedules to the Act:
 * Schedule 1: Data retention – requires telecommunications services providers to retain data associated with a communication for a two-year period.
 * Schedule 2: Restricting access to stored communications and telecommunications data – deals with access to retained data.
 * Schedule 3: Oversight by the Commonwealth Ombudsman – sets out the Ombudsman's role in overseeing compliance with the Act.

Division 1 of Part 5-1A: Obligation to keep information or documents
Section 187A requires relevant telecommunications service providers to retain communications data associated with a communication specified in section 187AA for two years. The Revised Explanatory Memorandum (2013-2014-2015) (Memorandum) explains the two-year retention period is necessary so national security and law enforcement agencies have telecommunications data available for investigations.

Section 187AA lists in a detailed technologically-neutral table the kinds of information service providers must collect and retain in relation to each relevant service they provide. According to the Memorandum, section 187AA ensures the ‘legislative framework gives service providers sufficient technical detail about their data retention obligations while remaining flexible enough to adapt to future changes in communication technology’.

Subsection 187AA(2) permits the Attorney-General to amend the data set set out in section 187AA temporarily by issuing a declaration. This is designed to cover a situation where future technologies or changing telecommunications practices require amendments to the data set to ensure the data retention scheme continues to meet its underlying purpose. However, this power is subject to section 187AA(3)(a) which provides that the declaration ceases to be effective 40 sitting days of either House of Parliament after the declaration comes into force.

Information excluded from data retention regime
If telecommunication providers do not presently create the information or documents required by s 187AA, then section 187A(6) requires providers to use other means to create the information. Furthermore, s 187BA requires a service provider to protect the confidentiality of information it keeps by encrypting it and protecting it from unauthorised interference or access. The section does not prescribe a particular type of encryption. Section 187LA requires service providers to 'take such steps as are reasonable in the circumstances to protect (personal) information from misuse, interference and loss and from unauthorised access, modification and disclosure'. These privacy safeguards are in addition to pre-existing obligations under clause 4.6.3 of the Telecommunications Consumer Protection Code which require service providers to have 'robust procedures to keep its customers' personal information in its possession secure and restrict access to personnel who are authorised by the Supplier'.

These obligations can be varied and exempted. Under Division 2 of Part 5-1A, a service provider may seek approval of a data retention implementation plan that replaces a provider's obligations under s 187BA. This may be appropriate where the cost of encrypting a legacy system that was not designed to be encrypted would be unduly onerous and the provider has identified an alternative information security measure that could be employed.

While service providers are not prevented from retaining telecommunications data for more than two years for their own lawful purposes, the Act still requires service providers that hold ‘personal information’ to take reasonable steps to destroy that information or ensure that information is de-identified where the entity no longer needs the information for a reason set out in the APPs. In other words, when the retention period for the telecommunications data under Part 5-1A of the original Act expires, entities may be required to destroy or de-identify such information if it constitutes personal information.

Application of Part 5-1A to telecommunication service providers
Data retention obligations only apply to services that satisfy paragraphs 187A(3)(a), (b) and (c), which includes services for carrying communications, or enabling communications to be carried by guided or unguided electromagnetic energy, or both. Accordingly, data retention obligations apply to relevant services that operate ‘over the top’ (OTP) of, or in conjunction with, other services that carry communications and may, presumably, extend to internet service providers (ISPs) and Australian telecommunication companies such as Telstra, Vodafone and Optus. The Attorney-General is also granted power under section 187A(3A) to declare additional services to be within the data retention regime. Section 187B excludes certain service providers from complying with the data retention obligations, and ensures that entities such as the government, universities and corporations are not required to retain telecommunications data in relation to their own internal networks (provided they are not offered to the public). Similarly, s 187B extends to providers of communication services in a single place, such as free WiFi access in cafés and restaurants.

The exemption of a service is, however, subject to the discretion of the Communications Access Co-ordinator (CAC), who, pursuant to section 187B(2A), can declare a service provider is nevertheless required to retain telecommunications data. Subsection 187B(3) provides that in making such a declaration, the CAC must have regard to the interests of law enforcement and security, the objects of the Telecommunications Act and the Privacy Act, along with any submissions of the Privacy Commissioner.

Division 2 of Part 5-1A: Data retention implementation plans
Division 2 of Part 5-1A of the original Act relates to 'data retention implementation plans', which are plans intended to allow the telecommunications industry to design a pathway to full compliance with the data retention and security obligations within 18 months of the commencement of those obligations. There is a 2-year window for telecommunication service providers and ISPs to implement the changes made by the Act, and over the first 6 months, service providers and ISPs must apply to the Communications Access Co-ordinator (CAC) to obtain approval for their ‘data retention implementation plan’. This plan must explain the organisation's current practices, details of the interim arrangements, and the expected date when the organisation will comply with the data retention requirements. Section 187F sets out the factors the CAC must take into account when considering the approval of a submitted plan. These factors include:
 * Desirability of a service provider achieving substantial compliance with its data retention and security obligations as soon as practicable: s 187F (2)(a)
 * Whether the proposed plan would reduce the service provider's regulatory burden: s 187(2)(b)
 * The interests of law enforcement and security: s 187 (2)(d)

There is also an extensive consultation process with the Australian Communications and Media Authority (ACMA), under s 187G. Under Division 3 of Part 5-1A, a service provider is able to seek an exemption for some of its services under Division 3 while at the same time submit an implementation plan for some or all of its other services under Division 2. In particular, s 187K provides the CAC with the power to exempt a service provider from data retention and information security obligations. This exemption framework is intended to permit variations in service providers obligations in a range of circumstances, including where imposing data retention obligations would be of limited utility for law enforcement and national security purposes. The decision of the CAC to grant exemption or variations is open to judicial review under s 75(v) of the Constitution and s 39B of the Judiciary Act 1903 (Cth).

Amendments to the ASIO Act and Intelligence Services Act 2001
The Act amends the reporting requirements under s 94(2A) of the Australian Security Intelligence Organisation Act 1979 (ASIO Act) to require that ASIO's annual reports include the following: the number or types of purposes of authorisations to access retained data under s 175 and s 176 (3) of the original Act, including ‘journalist information’ warrants; the length of time for which relevant documents covered by the authorisations were held; and the number of authorisations that related to retained subscriber data and communications traffic data as contained in Item 1, s 187AA Table.

The Act also amends the Intelligence Services Act 2001 (ISA), principally to confer a statutory function upon the PJCIS under s 29 of the ISA, enabling it to review the overall effectiveness of the operation of the data retention scheme, with specific focus on the data access activities of ASIO and the Australian Federal Police.

Journalist information warrants
The Act introduces a ‘journalist information’ warrant scheme under Division 4C. This scheme, requires ASIO and other law enforcement agencies to obtain a warrant prior to authorising the disclosure of telecommunications data for the purposes of identifying a journalist's confidential source. The Attorney-General or an issuing authority (including ‘eligible persons’ within ASIO and AFP) under s 180L and s 180T respectively, must consider several factors when deciding whether to issue an information warrant. In particular, they must be satisfied the warrant is ‘reasonably necessary’ to, enforce the criminal law, locate a person reporting missing to the AFP or State Police, enforce a law that imposes a pecuniary penalty, or protect the public revenue and investigate serious offences against Commonwealth, State or Territory law punishable by a 3-year imprisonment term. Additionally, the Attorney-General or the issuing authority must not issue a warrant unless satisfied the public interest in issuing the warrant outweighs the public interest in protecting the source's confidentiality. Submissions by the newly created Public Interest Advocate must also be considered when deciding to issue a warrant.

An enforcement agency may use or disclose the issuing of a warrant or information about such a warrant to a third party only for specified purposes, pursuant to s 182B. Such purposes include enabling a person to comply with their notification obligations under s 185D or s 185E in relation to journalist information warrants, enabling ASIO to perform its functions, or enabling the enforcement of the criminal law or a law imposing a pecuniary penalty, or the protection of the public revenue.

Public Interest Advocate
Section 180X creates the role of Public Interest Advocate, who considers and evaluates journalist information warrants made by ASIO and law enforcement agencies pursuant to s 180L and s 180T respectively. The Advocate can make independent submissions to the Minister, and to the issuing authority in the case of the law enforcement agencies, regarding the granting of a journalist information warrant.

Schedule Two
Schedule 2 amends the original Act to limit the types of agencies that can apply for stored communications warrants under Part 3-3 of Chapter 3 of the original Act, and the types of authorities and bodies that can authorise the disclosure of telecommunications data under Division 4, Part 4-1 of Chapter 4 of the original Act.

Prior to the Act, the original Act permitted ‘enforcement agencies’ to access both stored communications (such as content of emails or SMS messages) and data about communications (metadata). The former required a warrant for access under s 110 and s 116, but the latter did not. ‘Enforcement agencies’ were broadly defined to include all interception agencies, as well as a body whose function includes administering a law imposing a pecuniary penalty or the protection of public revenue. As a result, the range of agencies that had access to stored communications and telecommunications data was wide and included local government, councils and Commonwealth and State departments and agencies.

Schedule 2 creates only two categories of authorised agencies: ‘criminal law enforcement agencies’ and ‘enforcement agencies’ (which incorporate the former).

Criminal law enforcement agencies
The Act removes reference to an ‘enforcement agency’ in subsection 110(1) of the original Act and substitutes the new definition of a ‘criminal law enforcement agency’ in s 110A of the Act. According to the Memorandum, the definition reduces the number of agencies that can apply for stored communication warrants from all enforcement agencies that investigate serious contraventions to only those authorities and bodies recognised under section 110A of the Act as being a ‘criminal law enforcement agency’.

Under section 110A, ‘criminal law enforcement agency’ is defined as including the Australian Federal Police, a State Police force, the Australian Commission for Law Enforcement Integrity, Australian Crime Commission, Australia Customs and Border Protection Service, the Australian Competition and Consumer Commission, the Crime Commission, the Police Integrity Commission, the Crime and Corruption Commission of Queensland, the Corruption and Crime Commission and the Independent Commissioner Against Corruption.

Section 110A(3) enables the Attorney-General to declare, upon request, other authorities or bodies to be ‘criminal law enforcement agencies'. In making such a declaration, the Attorney-General must consider a range of factors, including whether the authority is involved in ‘investigating serious contraventions’. Section 110A(8) enables the Attorney-General to later revoke such a declaration if no longer satisfied that circumstances justify the declaration.

Enforcement agencies
Section 176A alters the definition of ‘enforcement agency’ in subsection 5(1) of the original Act to limit the authorities and bodies that can access telecommunications data (metadata) to only 'criminal law enforcement agencies' and authorities and bodies declared under s 176A to be an ‘enforcement agency’.

In declaring an authority or body an 'enforcement agency', the Attorney-General must consider a range of factors, including whether the agency enforces the criminal law, imposes pecuniary penalties, or protects the public revenue. Section 176A(3B) requires that the Attorney-General not declare a body an ‘enforcement agency’ unless satisfied on ‘reasonable’ grounds that the body has these aforementioned functions. The Attorney-General may later revoke such a declaration under s 176A(8) if no longer satisfied that circumstances justify the declaration. According to the Memorandum, this section ensures only bodies or authorities with a demonstrated need for access to telecommunications data can authorise service providers to disclose information.

Schedule Three
Schedule 3 inserts obligations into the original Act to keep records about access to stored communications and telecommunications data, and also inserts into the original Act a comprehensive record-keeping, inspection and oversight regime in relation to:
 * The issue of preservation notices by criminal law enforcement agencies; and
 * Access to, and dealing with, stored communications by criminal law enforcement agencies, and telecommunications data by criminal law enforcement agencies and enforcement agencies.

The record-keeping regime requires all Commonwealth, State and Territory enforcement agencies to keep prescribed information and documents necessary to demonstrate they have exercised their powers in accordance with their obligations under the original Act. The inspection and oversight regime requires the Ombudsman to inspect and oversee records of Commonwealth, State and Territory agencies in order to assess compliance with their duties under the original Act.

Record-keeping obligations
Section 186A sets out the information or documents an enforcement agency must retain to ensure the Ombudsman is able to inspect the agency's records to determine the agency's compliance with Chapter 4 of the original Act. The types of documents or information required to be kept in the agency's records include the authorisations made by an officer of the agency under sections 178, 178A, 179 or 180, and documents or materials that indicate whether the authorisation was made properly. Subsection 186A(2) allows the Attorney-General to prescribe additional kinds of documents and other materials enforcement agencies must keep.

Oversight by Ombudsman
Section 186B requires the Ombudsman to inspect records kept by enforcement agencies using or accessing telecommunications data and stored communications. The Ombudsman must determine whether an agency is compliant with its obligations regarding the issue of preservation notices, access to stored communications, and access to telecommunications data.

Section 186J requires the Ombudsman to report publicly on the results of its oversight functions under section 186B. This ensures the Ombudsman can make public the results of its inspections under Chapter 4A.

Compatibility with human rights
In accordance with its obligations under the Human Rights (Parliamentary Scrutiny) Act 2011 the Australian Government is required to provide statements of compatibility of all new bills with Australia's human rights obligations under international instruments, including the International Covenant on Civil and Political Rights (ICCPR). The Revised Explanatory Memorandum (2013-2014-2015) (Memorandum) provided a detailed exposition of the Act and its engagement with human rights and an analysis of the Act's compatibility with the ICCPR. The Memorandum claims the Act is compatible with human rights and freedoms recognised and declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.

In particular, the Act engages the ICCPR in these ways:
 * Protection against arbitrary or unlawful interference with privacy contained in Article 17 of the International (Article 17, ICCPR)
 * The right to a fair hearing, the right to minimum guarantees in criminal proceedings and the presumption of innocence (Article 14, ICCPR)
 * The right to freedom of expression (Article 19, ICCPR)
 * The right to life and the right to security of the person (Articles 6 and 9, ICCPR)
 * The right to an effective remedy (Article 2(3), ICCPR)

Privacy
Article 17 of the ICCPR provides that no one shall be subjected to arbitrary or unlawful interference with their privacy, family, home or correspondence. The use of the term ‘arbitrary’ means any interference with privacy must be in accordance with the provision, aims and objectives of the ICCPR and should be reasonable in the circumstances. The United Nations Human Rights Committee has interpreted this provision as requiring that any limitation of privacy must be both proportionate to a legitimate end and necessary in the circumstances of a particular case.

Schedule 1
According to the Memorandum, the legislative requirement for providers to store telecommunications data in relation to its services is consistent with Article 17. The specification of the types of data that may be retained (under s 187AA) ensures that only narrow categories of telecommunications data necessary for the investigation of serious criminal offences and national security threats are retained. The Memorandum claims that this means the retention of specified dataset under s 187AA, while an interference with privacy, is reasonable and is proportionate to and necessary for the legitimate aim of ensuring law enforcement and intelligence agencies have the investigative tools to safeguard national security and prevent or detect serious and organised crime. Each Item (1-6) in s 187AA specifying particular types of data that can be retained was then assessed for its compatibility with Article 17 of the ICCPR, and each Item was considered reasonable, proportionate and necessary to criminal and national security investigations. CAC exemption regime

Similarly, the exemption framework established by s 187B along with the introduction of the CAC indirectly strengthens the right to privacy of individual customers by providing a method of reducing data retention obligations in circumstances where the volume of data to be retained is disproportionate to the interest of law enforcement and national security.

Security and destruction of retained data

According to the Memorandum, the Act contains safeguards to ensure individuals' privacy rights, especially in relation to telecommunications, are protected. In particular, the Act provides that the Australian Privacy Principles (APPs) in the Privacy Act 1988 apply to all data retained under the Act. Specifically, the APPs impose an obligation on service providers to ensure the quality and/or correctness of any personal information (APP 10) and to keep personal information secure (APP 11). This introduces an oversight mechanism whereby the Privacy Commissioner can review and assess service providers' collection, storage and use of data. An additional layer of privacy and security protection for consumer data provided by the Act is the requirement that service providers protect retained data through encryption and introduce the Telecommunications Sector Security Reforms, which require service providers to do their best to prevent unauthorised access and interference. These safeguards are supplemented by already-existing obligations under the Telecommunications Consumer Protection Code.

Comparative frameworks – EU data retention directive

In 2014, the Court of Justice of the European Union (CJEU) assessed the legality of the EU's Data Retention Directive in two seminal decisions, namely, Digital Rights Ireland Ltd and Ors(C-293/12) and Karntner Landesregierung and Ors (C-594/12). In these cases, the CJEU enunciated criteria that a data retention regime must meet in order to be compatible with human rights principles. It also stated that proposed legislation ‘must lay down clear and precise rules governing the scope and application of the measures in question, imposing minimum safeguards so that the persons about whom data have been retained have sufficient guarantees to effectively protect their personal data against risk of abuse and unlawful access and use of that data’. The CJEU considered that the extent of interference proposed by the EU Data Retention Directive was disproportionate to the objective being achieved, and more broadly, was not compatible with applicable human rights instruments. The Memorandum states that the Act is consistent with the criteria established by the CJEU.

Schedule 2
The collective amendments in Schedule 2 reinforce the privacy protections established under Schedule 1. According to the Memorandum, the amendments regarding the limitation of agencies that can apply for access to stored communications warrants, and the types of authorities and bodies that can authorise the disclosure of telecommunications data under Division 4 of the original Act, contribute to ensuring that access is reasonable, proportionate and necessary.

The Memorandum claims that the amendment of the definition of ‘enforcement agency’ to clearly circumscribe the agencies who may access telecommunications data effectively ensures access is limited to those agencies that have a clear and scrutinised need for access to telecommunications data in the performance of their functions. Furthermore, in order to reinforce the privacy protections associated with a user's telecommunications data contained within the original Act, Schedule 2 introduces limitations upon the types of agencies permitted to authorise the disclosure of telecommunications data for an agency's investigation. In this respect, the Act increases the threshold requirement in s 180F, by requiring that the authorising officer be ‘satisfied on reasonable grounds’ that a particular disclosure or use of telecommunication data is proportionate to the intrusion into privacy it represents. According to the Memorandum, this amendment bolsters privacy safeguards by ensuring agencies weigh the proportionality of the intrusion into privacy against the value of the evidence and the assistance to be provided to the investigation. Agencies such as ASIO are also subject to strict privacy and proportionality obligations under the Attorney-General's Guidelines, made under s 8(1)(a) of the ASIO Act, which requires, inter alia, that the means used for obtaining the information must be proportionate to the gravity of the threat posed and investigations and inquiries into individuals and groups should be undertaken with as little intrusion into personal privacy as possible. These amendments ensure any abrogation of the privacy right in Article 17 is limited to the legitimate purpose articulated in the original Act.

Schedule 3
The oversight provisions contained in Schedule 3 extend the remit of the Ombudsman to comprehensively assess agency compliance with all the enforcement agency's obligations under Chapter 3 and 4 of the original Act, including the use and access to telecommunications data. According to the Memorandum, this oversight model promotes the right to privacy by confirming the Ombudsman's ability to audit an agency's use of its powers to access stored communications and telecommunications data under the original Act. This helps ensure an agency's access to the telecommunications information of interest to an investigation, and the interaction with the privacy right under Article 17 in that regard is a reasonable, necessary and proportionate limitation on that right to privacy. Furthermore, a comprehensive oversight model ensures that use, access to or disclosure of telecommunications data is subject to independent compliance assessment. It also provides an important level of public accountability and scrutiny of agency practice by virtue of the Ombudsman's public reporting regime implemented in Chapter 4A.

According to the Memorandum, the oversight model promotes the Convention rights by virtue of several key features of the regime, including a higher level of specificity and transparency in terms of the precise reporting obligations imposed on law enforcement agencies, consistency in inspection methodology by virtue of non-fragmentary model involving oversight of all agencies that apply the powers under Chapters 3 and 4, and clearly defining reporting obligations, which engender a higher level of compliance by agencies and greater acuity in statistical output to measure compliance for annual reporting and cross-agency compliance.

Freedom of expression
Article 19 of the ICCPR provides that all persons shall have the right to freedom of expression. This right includes the freedom to seek, receive and impart information and ideas of all kinds through any media. Article 19(3) provides that freedom of expression may be subject to limitations for specified purposes provided in the right, including the protection of national security or public order where such restrictions are provided by law and are necessary for attaining one of these purposes.

According to the Memorandum, the Act could potentially restrict the right to freedom of expression, as some persons may be more reluctant to use telecommunications services to seek, receive and impart information if they know data about their communication is stored and may be subject to lawful access. However, the limitation imposed by the data retention regime is in pursuit of the legitimate objective of protecting public order and further limits the abrogation of the right to freedom of expression by ensuring that only the minimum necessary types and amounts of telecommunications data are retained, and by limiting the range of agencies that may access the data.

Journalist information warrant regime

According to the Memorandum, the Bill promotes freedom of expression and the right to privacy by requiring a higher threshold for access through ex ante judicial review of a warrant for data authorisation requests and ensuring data access for the purposes of identifying a source receives specific and dedicated independent attention. Independent oversight minimises the risk that sources will be deterred from informing the press of matters of public interest, and ensures the media is not adversely affected by the measures. Furthermore, this measure ensures access is only permitted in circumstances where the public interest in issuing the warrant outweighs the public interest in maintaining the confidentiality of the source.

The additional protection afforded to these data authorisations complements journalists’ limited privilege not to be compelled to identify their sources where they have given an undertaking of confidentiality. The amendments add a further warrant threshold, providing a significant additional and unique protection in relation to the identification of confidential journalist sources. Additionally, the statutory criteria to which issuing authorities must have regard in considering a journalist information warrant application, including the gravity of conduct in relation to which the warrant is sought and the potential investigative utility of the information, ensures privacy and public interest considerations are always taken into account before a warrant is granted.

Life and security
Pursuant to Article 9 of the ICCPR, the state is to provide reasonable and appropriate measures within the scope of those available to public authorities to protect a person's physical security. Similarly, the right to life under Article 6 of the ICCPR imposes a positive obligation to protect life. The Memorandum points out that European jurisprudence has established that the obligation to protect life also requires the police and other protective authorities to take, in certain well-defined circumstances, preventative operational measures to protect an individual whose life is at risk from the acts of a third party. The obligation the Act places on service providers to retain a limited subset of telecommunications data buttresses the right to life in Article 6 of the ICCPR. According to the Memorandum, if such data is not retained, law enforcement investigations will be compromised and the police's ability to protect the security of potential victims of crime is critically undermined.

Modernisation
Access to telecommunications data in Australia was previously governed by the Telecommunications (Interception and Access) Act 1979 and the Telecommunications Act 1997. Since they were enacted, communication technologies have undergone a transformation. Online communication is an integral part of life. Australians now use a variety of devices to communicate, including fixed line telephones, mobile phones, personal computers and tablets. Australians also use various communication applications including email, instant messaging and social media platforms.

Telecommunications service providers have responded to the increasing use of these devices and applications with new business practices, selling their services to customers on the basis of monthly data volumes. Consequently, they no longer need to store information surrounding individual communications to accurately bill customers. Some providers only retain the details of the amount of data sent for their billing purposes.

Prior to the Act, the retention period for IP-based data is volatile; data is typically stored for only a number of weeks or months. As technology evolves, all historical telecommunications data will be based on internet protocols as providers of telephony services increasingly use IP based technologies.

In its 2013 report on its inquiry into Australia's national security laws, the PJCIS concluded that the increasing adoption of these practices and the failure to retain data had "resulted in an actual degradation in the investigative capabilities of national security agencies, a process that is likely to accelerate in the future."

Telecommunications data is critical to many criminal investigations. Telecommunications data accessed during the initial stage of an inquiry assists law enforcement officials to understand the lives of victims, identify potential perpetrators, and construct pictures of their networks. Access to telecommunications also enables law enforcement agencies to collect and assess critical information and other evidence that could not otherwise be acquired.

Furthermore, access to telecommunications data is in some instances the only way in which some types of crime can be understood, and perpetrators identified and punished. Cyber-crime is such a category. Cyber-crimes necessarily leave a limited physical footprint. Sifting through telecommunications data is the only way investigators can identify real world offenders.

The inability of police and other law enforcement agencies to access telecommunications data can hamper criminal investigations. In their submission to the PJCIS inquiry into the Bill, the South Australian Police described such one such instance:

"A stalled murder investigation was reviewed about 14 months after the victim’s death. Fresh information received during the review identified a suspect who was a known drug dealer. The victim, a regular drug user, had been in contact with the suspect and investigators suspect the victim may have been killed over a drug deal. Historical telecommunications data was sought for the suspect’s mobile service for around the time of the murder but it was no longer available. The unavailability of the telecommunications data has been detrimental to the investigation and the case remains unsolved. " Supporters of the Act argue it ensures the continued availability of telecommunications data to prevent and solve crime.

High-risk environment
The current ongoing perceived threat of terrorism in Australia is advanced as a reason why a mandatory data retention regime is needed. In September 2014, on ASIO's advice, the Australian government raised the National Terrorism Public Alert level from medium to high. ASIO dispensed its recommendation on a number of factors including the increasing number of Australians working with or inspired by the acts of a number of different terrorist organizations including the Islamic State, Jabhat-al-Nusrah and Al- Qai’da.

Moreover, in its 2014 submission to the PGCIS inquiry into the Bill, ASIO noted that cyber attacks by hostile powers launched in order to obtain privileged political, military, economic, trade, business and government information pose a threat to computer systems operated by both the state and business.

The Attorney General's Department has argued that in such a high-risk environment, a data retention regime is imperative.

"In an increased threat environment characterised by a higher operational tempo, there is a narrower margin for error in law enforcement and national security investigations. The narrower margin is particularly evident in relation to lone wolf threats: such persons have limited, if any, contact with other known extremists, giving authorities fewer opportunities to detect their activities and intentions. As such, any missed opportunity to identify and prevent these attacks represents a significant risk."

In its submission the Department also noted the non-retention of telecommunications data can lead to opportunities to combat crime being missed:

"In the best case, agencies may be able to progress investigations by using more resource intensive methods, limiting their capacity to investigate other matters, or more intrusive investigative techniques. In the worst case, crime or threat to security will not be adequately investigated."

Criticisms
Submissions made by key privacy, human rights and legal bodies, including the Australian Human Rights Commission (AHRC), Australian Lawyers for Human Rights (ALHR), Australian Privacy Foundation (APF), Law Council of Australia (LCA), Councils of Civil Liberties across Australia (CCLS) and the NSW and Victorian Privacy Commissioner, to the PJCIS were highly critical of the mandatory data retention scheme. The following headings represent the main arguments and criticisms made in several key submissions to the PJCIS.

Breaches human rights
The ‘statement of compatibility’ contained in the Revised Explanatory Memorandum claimed the regime did not breach Australia's human rights obligations under the ICCPR. However several submissions made to the PJCIS questioned the Bill's compatibility with several human rights principles. In its 2014 submission, the Australian Privacy Foundation argued the Bill was incompatible with fundamental human rights and freedoms, especially the right to privacy. It pointed to a considerable body of legal opinion that has concluded that laws mandating blanket retention of metadata breach international human rights law. It submitted that the Bill breached fundamental rights to privacy because it was neither necessary for nor proportionate to legitimate national security and law enforcements objectives. According to the APF, blanket data retention regimes are disproportionate because they ‘indiscriminately mandate the retention of data relating to entire populations, irrespective of the nature of the data or of whether or not there is a reasonable suspicions of a serious threat posed by those to whom the data relates’.

The APF referred to several key international law decisions, including reports of the UN High Commissioner for Human Rights and Human Rights Council, which all found metadata retention regimes breached human rights, especially the right to privacy. A similar position was taken by the Law Institute of Victoria (LIV), which submitted that, quoting the UN High Commissioner for Human Rights, ‘even the mere possibility of communications information being captured creates an interference with privacy, with a potential chilling effect on rights, including those to free expression and association’. As a result, the LIV submitted that mandatory third party data retention regimes are neither necessary nor proportionate, irrespective of increased concerns regarding national security threats.

Australian Lawyers for Human Rights (ALHR) also submitted concerns that the Bill constituted a serious and unreasonable infringement of the rights of law-abiding Australians. According to the ALHR, the Bill was an ‘indiscriminate, society wide’ invasion of privacy, which rebutted the presumption of innocence. Additionally, the ALHR contended the Bill infringes other human rights not acknowledged in the Memorandum, in particular, the right to be treated with dignity (Article 1, Universal Declaration of Human Rights), freedom from arbitrary interference with privacy, family, home or correspondence (Article 12, Universal Declaration of Human Rights). The ALHR also submitted the Bill was likely to chill freedom of association (Articles 21 and 22, ICCPR and Article 20, Universal Declaration of Human Rights), the right to free development of one's personality (Article 22, Universal Declaration of Human Rights), the right to take part in the conduct of public affairs (Article 25, ICCPR), and press freedoms. According to ALHR, the Bill would restrict free speech, as Australians would not know what information about them, including information about their contacts, might be shared among government (and non-government) bodies. Similarly, the Parliamentary Joint Committee on Human Rights argued that, although the data retention regime pursues a legitimate objective, the scheme's proportionality is questionable and it may have a ‘chilling’ effect on people's freedom and willingness to communicate via telecommunications services because people will ‘self-censor’ views expressed via telecommunications services. This view is also supported by the Law Council of Australia (LCA) and the Councils for Civil Liberties Australia (CCLA).

Problems with definition of the data set
A major concern emphasised in several submissions was that the Bill did not define the relevant data set, leaving the precise definition to be prescribed by regulations. The government's justification for this is that this approach is consistent with the technology-neutral approach of the Privacy Act 1988 and Part 13 of the TIA Act. However, the APF considered that the way in which the data set is defined in the Bill was deeply problematic for several reasons, including that the data set is not appropriately limited to that which is necessary and proportionate for law enforcement and national security. The APF proposed that the Government consider adopting a more circumscribed and targeted data preservation regime that ‘incorporates adequate thresholds and procedural safeguards to ensure the data are sufficiently relevant to specific investigations’.

Similarly, the APF submitted that the scope of data which may be lawfully accessed needed to be appropriately defined under Chapter 4. Furthermore, it claimed there were serious problems with the way the Bill dealt with browsing history, including in s 187A(4)(b). In particular, there is no prohibition on service providers collecting and retaining Internet browsing history, which must be accessed as data under Chapter 4, meaning that the government's claim that browsing history was excluded from the data set is disingenuous.

Australian Lawyers for Human Rights (ALHR) also submitted that the lack of certainty regarding the prescribed data set was bad legislative practice and likely to result in legislative ‘creep’, with individuals' privacy rights being increasingly attacked through expansion of the data set. Furthermore, the Law Council of Australia (LCA) recommended that the power to prescribe by way of regulation the mandatory data set should be removed from the Bill and the Bill should clearly define the types of telecommunications data and the specific data set to be retained.

The 2015 PJCIS Report took into consideration these concerns and recommended the Bill be redrafted to prescribe the data set in the primary legislation. When the Bill was amended in 2015, the data to be retained was detailed within the primary legislation, under s 187AA, and this was the form in which the Bill became law.

Distinction between content and metadata
A persistent argument made against the Act was the false distinction it draws between content and ‘metadata’. In its 2014 submission, the Council for Civil Liberties across Australia and the APF claimed that whilst the explicit exclusion of ‘content’ from the categories of prescribed data is welcome, the purported distinction between ‘content’ and ‘metadata’ overlooks how much ‘metadata' can reveal about a person, especially when combined with contemporary data analytics. The APF, quoting the decision of the Court of Justice of the European Union in Digital Rights Ireland, stated that metadata, ‘taken as a whole may allow very precise conclusions to be drawn concerning the private lives of the persons who data has been retained’.

Similarly, the UN High Commissioner for Human Rights pointed out that ‘the aggregation of information commonly referred to as ‘metadata’, may give an insight into an individual's behaviour, social relationships, private preference and identity that go beyond even that conveyed by access the context of a private communication’. The APF also referred to a statement by Steward Baker, the former general counsel of the NSA, who claimed that ‘Metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content’. As a result, the APF considered the claim by the Government that telecommunications data is less intrusive than communications content to be misleading and recommended that legal safeguards on the collection of and access to telecommunications data should at least be as strong as those applying to communications content.

The Law Council of Australia (LCA) was also concerned that there was uncertainty about whether some types of telecommunications data would be considered ‘content’ (and thus excluded from collection), including whether meta-tags would be captured. Further, while the Memorandum to the Bill recognised that ‘text messages and e-mails stored on a phone or other communications device are more akin to content than data’, the LCA claims it did not adequately explain how this is so. The LCA also argued that despite the exclusion of content from the prescribed data set, the categories of telecommunications data that may be prescribed are nonetheless broadly defined and may provide information about crucial matters such as people's associations and their whereabouts. Examples of personal information that it said could be determined from the prescribed data set included medical connections, use of mental health services, use of suicide hotlines, use of domestic violence crisis support, use of child abuse support, family associations, friendship groups, financial connections, legal connections, religious associations, political affiliations, sexual association, commercial preferences, location and movement.

The LCA and the LIV also criticised s 187A(6), which introduces the requirement that telecommunication service providers create data not currently captured through their services. In particular, the LCA was concerned that it was unclear in the Memorandum and Bill how the content and substance of communications would be separated and filtered from the non-content by service providers in the course of meeting their data retention obligations.

Duration of data retention obligation
Another major criticism of the data retention regime was the two-year data retention period specified in s 187C. The CCLS urged the government to reduce the data retention period because it is high compared to mass data retention regimes in other jurisdictions. The CCLS submitted statistics showing that most data accessed for investigations of terrorism and complex criminal offences is accessed within 6 months of being captured and that following this period the percentage of data used decreases significantly. The Communications Alliance and AMTA also noted that the majority of requests made by agencies to access telecommunications data held by ISPs related to data less than 6 months old. Similarly, the APF was concerned that the retention period was excessive and disproportionate, and that it imposed disproportionate costs on carriers and ISPs. The APF recommended a retention period of 1 year be trialed for the first 3 years of the scheme's operation.

The Australian Human Rights Commission (AHRC) drew attention to the Evaluation Report on the EU Data Retention Direction in 2011, which considered that the shortening of mandatory retention would improve the proportionality of the scheme. The Report also found that 67% of accessed data was under 3 months old and only 2% of requested data was over 1 year old across the EU. The AHRC also pointed to the decision of the CJEU in Digital Rights Ireland, in which a retention period of no less than 6 months and up to 2 years was assessed. The CJEU held that the data retention period was arbitrary and not limited to what was 'reasonably necessary' to achieve the objective pursued. Accordingly, the AHRC considered the 2 year retention period as unreasonable and disproportionate. The LCA also considered the two-year period as unusually long by international standards and not satisfactorily justified.

Despite such widespread concern and statistical evidence, the two-year retention period became law.

Security of retained data
The security of retained data was also a point of contention. The LCA voiced concerns that there did not appear to be a minimum set of standards for government agencies and service providers to ensure security of retained telecommunications data. It drew attention to the recent experience of the Australian Federal Police (AFP), which mistakenly published sensitive information, including telecommunications data, connected to criminal investigations, demonstrating the importance of high levels of data security. It submitted that the implementation plan process would encourage service providers to seek the lowest possible cost solutions to data security. It referred to the CJEU's invalidation of the EU Data Directive on the basis it permitted providers to have regard to economic considerations when determining the level of security which they applied.

Both the LCA and the ALHR submissions expressed concern about s 187C(3), which allows a service provider to keep information or a document for a period longer than the two-year data retention period. Furthermore, once data is accessed by a law enforcement agency, there is no obligation upon it to destroy it in a timely manner even when it is irrelevant to the agency or no longer needed. The LCA made two recommendations - first, that the views of the Office of the Australian Information Commissioner should be obtained to determine whether the current APPs and the proposed Telecommunications Service Sector Security Reform (TSSR) relating to the destruction of telecommunications data by service providers is sufficient to safeguard personal information, and, second, that the Bill should be amended to require law enforcement and security agencies to de-identify or put beyond use in a timely manner, data containing ‘personal’ information which is no longer relevant or needed for the agencies purposes.

Access to stored communications
Many submissions welcomed the circumscription of agencies that can access stored communications data under Schedule 2. The LCA, however, argued these amendments allowed the Government to expand the list of agencies that can access retained data without parliamentary scrutiny and that this was an example of another inappropriate delegation of power in the Bill. Further, the LCA, CCLS and APF all submitted that the Bill left open the critical question of what authorities or bodies would be listed as an ‘enforcement agency’, and therefore be able to access data. As the CCLS pointed out, the issue of who will have access to stored telecommunications data is of great significance in determining the proportionality of this intrusion into individuals' privacy rights.

The APF submitted that the Attorney-General was given too much discretion to declare bodies or authorities as criminal law enforcement agencies and while the Bill provides that the Attorney-General must consider a range of factors, this is an ineffective limitation on the Attorney-General's discretion and could potentially mean the definition could be extended to bodies administering laws imposing pecuniary penalties or revenue laws. In its submission, the LIV considered these functions as incredibly broad and a reflection of the pre-existing and problematic situation under the original Act, where an unknown number of diverse federal, state and even local government entities can access telecommunications data.

The thresholds for access were also a central feature of several submissions. As discussed above, once the Attorney-General declares an agency an enforcement agency, that agency is able to access metadata retained by a service providers. The agency can do so by requesting and authorising service providers to disclose the information. Such authorisations can be made in relation to retrospective historical data where doing so is ‘reasonably necessary’ for the enforcement of the criminal law, a law imposing a pecuniary penalty, or a law protecting the public revenue. In relation to prospective data, such authorisations could be made where ‘reasonably necessary’ for the investigation of a serious criminal offence. This differs from the process relating to stored communications (content), which can only be accessed by criminal law enforcement agencies through a warrant process.

The CCLS, LCA and the APF all submitted that both thresholds for access were too low, for several reasons. First, ‘reasonably necessary’ was not defined in the Bill and according to the CCLS, this could be interpreted in several ways and would be better altered to simply use the word ‘necessary’. The APF recommended a higher threshold be applied to access of both real-time communications and stored content, and that it be required that such access relate to investigations of serious criminal offences, punishable by an imprisonment term of at least 7 years. Additionally, the APF submitted that the procedural safeguards for access to data under Chapter 4 of the original Act were inadequate. It recommended that safeguards be introduced to regulate access to non-content telecommunications data, which could involve a decision of an independent body required to balance the objectives of access against the intrusion of privacy.

The CCLS also argued that it is clearly unacceptable for ‘enforcement agencies’ to be their own authorisers of access to personal information. Accordingly, it submitted that access to both retrospective and prospective data under the proposed scheme should only be on the basis of a prior warrant authorisation from a judicial authority. The LIV also submitted that access to telecommunications data must require judicial oversight. Gilbert + Tobin, in their 2014 submission, were also concerned regarding the prospect that enforcement agencies will effectively be able to access metadata on a ‘self-serve’ basis and given that metadata can reveal a significant amount of personal information about an individual, believed that greater procedural protections for accessing metadata should apply, and could be achieved through a warrant process along the lines of that allowing access to stored communications.

Data retention is unnecessary
In its submission, the CCLS did not accept that the data retention regime should extend to compulsory collection and retention of mass metadata of virtually the whole population. The primary reason for this is the scepticism of many experts, parliamentarians and legal and civil society groups that ‘mass collection and retention of telecommunications data of non-suspect citizens for retrospective access will significantly increase Australia’s (or any nations) safety from terrorism or serious crime’. They pointed to the then-recent tragedies in Sydney and Paris, which generated comment around the fact the perpetrators were already well known to police and intelligence agencies, but had been allowed to drop from active intelligence. Furthermore, the APF and CCLS drew attention to a 2014 report on US data retention programmes of the United States Privacy and Civil Liberties Oversight Board (PCOB), an independent agency established to advise the US executive on anti-terrorism law, The PCOB stated:

"We are aware of no instance in which the program directly contributed to the discovery of a previously unknown terrorist plot or the disruption of a terrorist attack … we believe that only one instance over the past seven years has the program arguably contributed to the identification of an unknown terrorist suspect"

The APF drew attention to the US Klayman v Obama (2013) decision where Judge Leon concluded there was no single instance where the collection of mass metadata either stopped an imminent terrorist threat or otherwise assisted in achieving a time-sensitive objective, and that there were therefore ‘serious doubts as to the efficacy of the metadata collection program’. As a result of criticism of the NSA program, the US Freedom Act was introduced in 2013 in order to end mass metadata collection. In support of the Bill, Representative Sensenbrenner and Democrat Patrick Leahy stated that ‘it is simply not accurate to say that the bulk of collection of phone records has prevented dozens of terrorists’ plots’ and that their position was bi-partisan. The Law Council of Australia submitted that the ability to access telecommunications data under the Bill was not limited to national security or serious crime, as it said it should be, and also submitted that there is little evidence from comparable jurisdictions with mandatory data retention schemes to suggest they actually assist in reducing crime. For example, in Germany, research indicates the retention scheme led to an increase in the number of convictions by only 0.006%. Furthermore, there is a lack of Australian statistical quantitative and qualitative data to indicate the necessity of telecommunications data in securing convictions. The LCA suggested that if the proposed scheme was introduced, statistical reporting should indicate the times when access to retained data has resulted in a conviction, whether it has assisted in detecting serious criminal activity or assisted security agencies against threats to Australia's national security.

The CCLS and the APF concluded that the available evidenced-based research suggested a high degree of uncertainty as to the effectiveness and legitimacy of mass data retention regimes in preventing terrorism and other serious crime.

Journalists and their sources
Journalists and media organisations have long expressed concern over the introduction of a data retention scheme. This criticism, however, reached its peak in March 2015, after the Government agreed to accept amendments to the Bill outlined in a report by the JPCIS. On 9 March, the chair of the Australian Press Council, Professor David Weisbort said that if the Bill was passed into law as it stood the field of journalism would be adversely affected as whistleblowers would no longer be willing to come forward. Alarmed by growing criticism from the media, and committed to passing the Bill before the scheduled Easter recess of both Houses of Parliament, the Government assembled a team of high-ranking public servants including national security adviser, Andrew Shearer and Australian Federal Police Commissioner, Andrew Colvin, to meet with executives from News Corporation, Fairfax, the Australian Broadcasting Corporation (ABC) and representatives from the Media, Entertainment and Arts Alliance (MEAA) to discuss their concerns. On 16 March 2015, Opposition Leader Bill Shorten revealed he had written to Prime Minister Tony Abbott expressing the Labor Party's concerns about the Bill's effect on the freedom of the press and journalists' ability to protect their sources, and stating that if the Government did not change the Bill to protect journalistic sources, the Labor Party would move to amend the Bill in the Senate. Following negotiations with the Labor Party, the Government agreed to amend the Bill and introduce a warrant system. Law enforcement and other agencies seeking to view the metadata of journalists can only do so where a judicial officer or a legal member of the Administrative Appeals Tribunal has issued a warrant. This warrant can only be granted after arguments from both the agency seeking the metadata and a public interest advocate are heard.

The warrant system has been heavily criticised. Critics highlight the fact the public interest advocate, appointed by the Government, cannot contact the journalist whose metadata would be the subject of the warrant and cannot receive instructions from that journalist. Moreover, anyone who discloses information about a journalist information warrant and whether one has been applied for, granted, or not granted, can be punished with two years imprisonment. Dr Adam Henschke, an academic working at the Australian National University, has argued that in the world of Wikileaks, whistleblowers may not wish to risk detection by working with journalists, and may simply choose to make a "wholesale dump" of information on the internet.

Cost
The Attorney General's Department commissioned consulting firm Price Waterhouse Coopers (PWC) to provide high level costs for the initial implementation of the data retention scheme. PWC provided that report on 11 December 2014. In its final report, the PJCIS revealed that PWC had calculated the upfront capital costs of implementing data retention to be between approximately $188.8 million and $319.1 million.

After receiving submissions and hearing evidence on the issue of the cost from a number of stakeholders, including telecommunications providers Optus and Vodafone, and the Australian Communications Consumer Action Network (ACCAN) the Committee made a number of recommendations: "The Committee recommends that the Government make a substantial contribution to the upfront capital costs of service providers implementing their data retention obligations." "When designing the funding arrangements to give effect to this recommendation, the Government should ensure that an appropriate balance is achieved that accounts for the significant variations between the services, business models, sizes and financial positions of different companies within the telecommunications industry."

"That the model for funding service providers provides sufficient support for smaller service providers, who may not have sufficient capital budgets or operating cash flow to implement data retention, and privacy and security controls; without upfront assistance; incentives timely compliance with their data retention obligations; and does not result in service providers receiving windfall payments to operate and maintain existing legacy systems."

On 12 May 2015 Federal Treasurer Joe Hockey announced the Government would commit $131 million to assist telecommunications service providers with the cost of the scheme. This amount has drawn criticism from some in the telecommunications community. Laurie Patton, Chief Executive Officer of the Internet Society said this amount is simply not enough and costs will be passed onto consumers in the form of higher internet fees.

"The Government’s original cost estimate was not based on widespread industry consultation and the Internet Society is concerned that the costs have been significantly underestimated, especially in respect of small to medium sized ISPs (Internet Service Providers) that don’t have the resources to undertake the work in-house and therefore will be required to pay for external assistance."

Circumventing the Law
Opposition to the mandatory data retention scheme has led to commentary from both media and politicians on ways in which the scheme may be lawfully circumvented. Writing in the Australian Financial Review, journalist Laura Tingle identified a number of methods for circumvention including the use of phone me via a provider Skype, advertising supported email services such as Google's Gmail and instant messaging service, Facebook Messenger. In an interview with Sky News, then Communications Minister Malcolm Turnbull suggested journalists could avoid leaving a data trail through using over-the-top applications.

Greens Senator Scott Ludlam, an outspoken opponent of the data retention scheme, delivered a speech in the Senate encouraging Australians to utilise virtual private networks (VPNs) and free services such as The Onion Router (Tor) to anonymously access the Internet. Senator Ludlam also organised events, cryptoparties, teaching constituents the ways they can avoid having telecommunications data retained.

The accuracy of this advice has, however, been questioned by technology experts. Swinburne University academic Philip Branch has pointed out that while the content of Skype calls is encrypted, the IP addresses of participants may be collected and traced back to individuals. Branch has also argued that many offshore email services are based in the United States, and as such Australian enforcement agencies may be able to access information through the "Five Eyes" agreement, under which Australia, the United States, the United Kingdom, New Zealand and Canada have committed to share intelligence.

As the law is able to be circumvented, the Australian Government is seeking to close the loophole offered by encrypted messaging services and TOR.