Government to reform Australia’s shaky metadata retention laws

The country’s metadata retention laws were introduced in their current state to assist law enforcement and security agencies with serious criminal and national security investigations. The scheme requires telecommunications and internet providers to hold their customers’ metadata for up to two years for warrantless access by law enforcement. However, the framework has various loopholes which more than 80 agencies exploited to gain access to Australians’ private information.

How was this ever possible? Here’s a snapshot.

What is the mandatory data retention regime?

Australia’s metadata retention laws came into effect in 2015 with the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015. This gave a legal framework for law enforcement agencies like the Australian Federal Police, the Independent Commission Against Corruption (ICAC), the Australian Securities and Investments Commission (ASIC), and state authorities to access the metadata of Australians without a warrant if deemed of interest.

The mandatory data retention regime requires carriers, telecommunications, and internet providers to retain specific telecommunications data for up to two years. This allows law enforcement agencies to access private data for criminal investigations and national security reasons.

The type of data that can be lawfully retained under the scheme includes phone numbers, the length of phone calls or information about the duration of the communication(s), location information (such as cell tower data), email addresses, and timestamps of messages, but not the content of communications or internet browsing activity. Metadata paints a picture of a person’s private life that is no less sensitive in terms of privacy than the content of communications themselves. It would be foolish to think that accessing metadata only provides context since viewing metadata as a whole can reveal a lot about a person’s private life including where they live, their daily movements, whom they speak to and how long for, etc.

Privacy advocates argue the metadata retention scheme as it currently stands effectively gives legal impetus to law enforcement agencies and other organisations to spy on people under the guise of aims like a criminal investigation, counter terrorism, or protecting national security. Experts also held concerns the laws would be extended to cover civil cases like divorce cases. Either way, the regime incites unlawful access to citizens’ private data and has been labelled nothing more than indiscriminate retention of telecommunications data without any of the consent requirements or privacy safeguards you’d expect from a robust national data retention regime.

Parliamentary Joint Committee on Intelligence and Security (PJCIS) says metadata retention laws lack adequate oversight

The Parliamentary Joint Committee on Intelligence and Security (PJCIS) made key recommendations to overhaul the mandatory data retention regime after finding that it provided ‘inappropriate means to access telecommunications data without appropriate oversight and safeguards.’ It specially referred to a lack of clear guidelines about exactly which agencies could request and manage metadata after it was revealed local councils, the RSPCA, Australia Post, and a number of racing organisations were among the agencies making requests for metadata. In short, warrantless access to telecommunications metadata was only ever intended to apply to 20-something law enforcement and security agencies; however, more than 80 other agencies – many of which were state and local authorities – could use the laws for a range of enforcement purposes.

What are the PJCIS proposed changes?

The PJCIS proposed sweeping changes for revised practices and legislative reform of the framework in a review tabled back in 2020. The review contained 22 unanimous and bipartisan recommendations which the Government has only now committed to implementing with some overdue reforms to the scheme, more than two years after the findings were made public.

The Government accepted all recommendations proposed in the review, except for one, which has been noted because its implementation would require support from the states and territories. The reforms won't make any specific changes to legislation but amend certain sections or further clarify provisions that pertain to who can access metadata under the scheme, and how that data is used, stored, and managed. This will include:

• Clarification of provision that service providers are not required to store information generated by the Internet of Things (IoT) devices.
• Tighter rules around which agencies (and who within these agencies) are authorised to make metadata requests, and only under circumstances where access is necessary and proportionate. Only a number of authorised officers in each enforcement agency and ASIO with specific training levels will be authorised to access metadata.
• Only ASIO and criminal law enforcement agencies will be permitted to authorise the disclosure of telecommunications data and only if it’s reasonably necessary for the investigation of a serious offence; an offence against a law of the Commonwealth, a state, or a territory or national security.
• Providing national guidelines for what constitutes ‘content’ or ‘substance of a communication’ to reduce the prospect of telcos inadvertently disclosing potential content information and formalising requirements for agencies to quarantine and delete information accidentally disclosed. This will include a legislated definition of ‘content.’
• Establishing new local hosting requirements for customer information that telecommunications companies like Telstra and Optus will be required to store in order to comply with the data retention laws. Select retained metadata information will be stored on servers located in Australia unless specifically exempted.
• Address the need to protect the personal information of subscribers and manage regulatory costs to the telco industry.

A final word

The reforms to metadata retention laws will reduce (but not close) loopholes that allowed telcos and creep agencies to misuse metadata and access the personal information of everyday Australians. The reforms will also seek to provide clearer guidelines for accessing and managing metadata and better training to officers in charge or authorised to release and manage personal metadata. The Government also said it would tighten rules around who within agencies will be authorised to make metadata requests and tie the authorisation to specific training levels. The aim here is for agencies to demonstrate that they’re accessing and storing collected data safely and to report on the outcomes achieved with that collected data like arrests or successful prosecutions. For more information about how to best protect your data, contact us via email: enquiries@xiphcyber.com.