Australia’s new mandatory data retention scheme is headed for a big confrontation, as the Turnbull government moves to allow civil litigation lawyers access to the web, phone and email sessions of every private user.
Since October 13, 2015, all telephony and internet service providers have been required by law to retain for two years all their clients’ metadata, including voice, text and email communications, time, date and device locations and internet sessions.
The Data Retention Act was said to be needed for national security because of the global phenomenon of jihadi recruitment, lone wolf terror, money laundering, internet criminality and paedophile networks. Warrantless access is currently restricted to 21 designated law enforcement agencies led by the Australian Security Intelligence Organisation (ASIO).
The government is trying to move hundreds of telephony and internet service providers to full compliance by April 2017 so that all law enforcement agencies can instantaneously access an individual’s metadata without a search warrant through an access platform called SEDnode. SEDnode – secure electronic disclosure – has operated in Australia since 2006.
Now the Attorney-General’s department is seeking submissions by January 27 for a government review to extend access of retained metadata to lawyers acting for clients in civil litigation.
While public reaction to mandatory metadata retention for counter-terrorism was generally one of acceptance, the communications industry is now expecting a backlash over any further access to phone and email metadata in civil proceedings.
An indiscriminate breach of privacy?
“Opening up the data retention scheme to civil matters flies in the face of the government’s claim that it was urgently needed in the fight against terrorism and its assurances that its use would be tightly controlled,” Laurie Patton, CEO of web user advocate Internet Australia, told The New Daily.
From April 13, 2017, it will be legally impossible to access data retained by telcos in connection with civil proceedings.
The government is concerned this blanket rule may “impact the effective operation of the civil justice system”, and so is seeking submissions on whether it should be weakened.
Depending on whether any amendments materialise, metadata could be accessed by, for example, parties to contested divorce cases or commercial disputes.
The first test cases could involve foreign rights holders seeking to identify Australian internet pirates. Access to metadata would provide probative evidence for the plaintiff.
“It’s already becoming evident that the site-blocking law brought in last year at the insistence of the foreign rights holders won’t work. So the next step in this exercise could be to try to use metadata searches to launch claims against individual consumers,” Mr Patton said.
Currently Australia does not have a statutory right to privacy or a Bill of Rights which would enshrine such a right in Commonwealth law.
In December, the European Court of Justice, the highest court in the European Union, ruled that the UK’s new Investigatory Powers Act was illegal. The act, similar to Australia’s mandatory data retention law, empowers its security intelligence agency GCHQ access to bulk interception of all call records and online communications.
“General and indiscriminate retention” was illegal, the court ruled, while acknowledging that targeted interception to combat crime and terrorism was justified.
Data retention law already ‘unworkable’
Meanwhile, Australia’s phone and internet service providers are struggling to comply with the new data retention regime, with talk that increasing compliance costs inevitably will be passed on to consumers.
The New Daily has learned that a number of providers have been telling the Turnbull government the Act’s definitions are imprecise, requiring them to capture and retain all ‘internet of things’ connections, including parking meters and smart meters.
The providers also believe the Act’s provisions on internet browsing do not make sense.
While ISPs do not have to retain their clients’ browsing history, this exception did not cover any internet address from which a communication may have been received. This would identify the user’s choice of online content.
The providers say Section 187A(4)(b) of the Act covering internet browsing should be rewritten.
The Act’s requirement that all metadata must be ‘encrypted’ confused ‘encryption’ with security, providers said. Encryption does not make data secure when the key to unlock the encryption could be readily obtained. The requirement for encryption should be deleted, they said.
With many authorised agencies not using SEDnode, the industry was being forced to expensive and time-consuming manual handling of ‘Evidentiary Certificate’ demands from law enforcement agencies.
Mr Patton said Australia’s data retention law was “fundamentally flawed” and consumers were joining the communications industry in seeking an urgent review.