JavaScript disabled. Please enable JavaScript to use My News, My Clippings, My Comments and user settings.

If you have trouble accessing our login form below, you can go to our login page.

If you have trouble accessing our login form below, you can go to our login page.

Why is data retention an option in Australia after Europe says no?

Date

Angela Daly and Sean Rintel

ANALYSIS

Law enforcement agencies want all your bits and bytes.

Law enforcement agencies want all your bits and bytes. Photo: Reuters

There has been plenty of technology-related legal activity in the European Union this month. Last week the Court of Justice of the EU (CJEU) ruled that data retention regulations, as they currently stand, are not in accordance with EU law and the European Parliament voted in favour of introducing net neutrality into EU telecoms regulation the week before.

As Australia is currently in the midst of a data retention inquiry – the second in three years – what effects will this ruling have on the debate?

What is the data retention directive?

Similar data retention schemes proposed in the United States and Britain have sparked fierce debate.

Similar data retention schemes proposed in the United States and Britain have sparked fierce debate. Photo: Rob Homer

The particular law at issue is the data retention directive from 2006.

The directive applies to data generated by users of electronic communications services and networks, and stipulates that the operators of these services and networks must keep this data on all users for a period of time between six months and two years.

The kind of data that should be kept includes telephone numbers, account holders' and recipients' names and addresses, IP addresses, and location data, but not information about the content of the communications.

The purpose of these rules is to ensure that this information is available for "the investigation, detection and prosecution of serious crime".

What did the CJEU decide?

For some time there has been concern that the data retention directive was too intrusive of law-abiding European citizens' privacy.

This resulted in privacy campaigners in Austria and Digital Rights Ireland mounting a challenge to the measures. They argued that the rules were disproportionate and unnecessary to achieve the aim of ensuring data was available for the purposes of fighting serious crime.

They also argued that the rules were incompatible with the rights to privacy, data protection and free expression contained in the EU's Charter of Fundamental Rights.

The CJEU found that, although the retention of data "genuinely satisfies an objective of general interest" (the fight against crime), the data protection rules went beyond what was strictly necessary to achieve this goal.

In practice, the rules entailed an "interference with the fundamental rights of practically the entire European population", with the vast majority of those people not being "even indirectly in a situation which is liable to give rise to criminal prosecutions".

The CJEU also condemned the lack of limitations to the access of this data by national authorities and their subsequent use. For instance, there was no restriction on the access and use of the data to the purpose of fighting serious crime.

Also of concern to the CJEU was the weakness of security measures around the data, and the fact there was no requirement to retain this data within the EU.

It's unclear what exactly is going to happen now since the CJEU declared the data retention rules invalid. Different European countries have had different reactions to the CJEU's decision.

A Finnish government minister responded by saying that Finland must revise its laws on data protection and retention, but it seems that the legislation implementing the data retention directive in Luxembourg will still apply and bind telecoms operators.

Furthermore, the day after the CJEU's decision, the Romanian government issued a new draft law that would increase surveillance of its citizens.

What's going on in Australia?

The decision comes at an important point in the data retention debate in Australia. We are currently in the midst of the second inquiry within three years from two successive Commonwealth governments.

In 2012 the Labor government's inquiry into potential reforms of National Security Legislation received 240 submissions and 29 exhibits.

Many responses pointed to a significant shortcoming in the 2012 discussion paper's vague proposal for up to two years of mandatory data retention by internet service providers.

Despite the prominence of the need for mandatory data retention in pro-surveillance arguments, the discussion paper's proposal for data retention managed to be both so short and so broad as to allow egregious overreach.

The proposal was: "tailored data retention periods for up to 2 years for parts of a data set, with specific timeframes taking into account agency priorities, and privacy and cost impacts".

The accompanying definition of data retention was equally vague: "The storage of telecommunications data for prescribed periods of time."

No further information was supplied.

The 2012 inquiry resulted in a May 2013 report of the inquiry into Potential Reforms of Australia's National Security Legislation, but no actual reforms were carried out due to the proximity of the looming 2013 election.

Just a month later US NSA whistle-blower Edward Snowden's revelations demonstrated that various forms of data retention and mass surveillance were already happening.

In this climate of increasing disquiet over surveillance overreach, the Coalition government initiated another inquiry into the comprehensive revision of the Telecommunications (Interception and Access) Act 1979.

This current inquiry asks for responses to the May 2013 Report and the recommendations of the Australian Law Reform Commission's For Your Information: Australian Privacy Law and Practice report.

The May 2013 report contains an entire chapter on data retention. While it notes the public backlash against data retention, and recommends oversight mechanisms and an exposure draft of any legislation, it nevertheless treats data retention as a critical part of Australian security policy.

At core, the report perpetuates distinctions between "metadata" and "content" that many civil liberties groups argue are increasingly impoverished in the age of "pattern-of-life" searches.

Implications for Australia

The May 2013 report spent quite some time discussing the European experience of data retention. The Attorney-General put forward the same data retention directive as the CJEU has just declared invalid as an appropriate model for Australia.

The May 2013 report notes that a voluntary scheme was implemented in the UK while controversies occurred in countries with "human rights frameworks that are significantly different to those in Australia".

Australia tends to follow rather than lead in security issues, and tends to try to follow traditional allies and those with whom it believes it has most in common.

If the UK decides to include more accountability its data retention implementation as a result of the CJEU ruling, this might bode well for Australian civil liberties – but given the fragmented response so far from European countries, arguably the time to look for models is over. It is time for Australians to take their own rights seriously.

The ConversationAngela Daly is a research fellow in media and communications law at Swinburne University of Technology, a former board member of digital rights group Electronic Frontiers Australia and currently a general member of the organisation.

Sean Rintel is a lecturer in strategic communication at the University of Queensland. He is the current chair of Electronic Frontiers Australia.

This article was originally published on The Conversation. Read the original article.

6 comments

  • We don't know if Australia leads or follows in security issues because our secret services are as impenetrable as the NSA, if not more so. My guess is they may not have the budget and technology of the NSA, but they have at least as much belief they are above the law.

    Commenter
    John
    Date and time
    April 15, 2014, 5:14AM
    • What's all the fuss? It's metadata only. Happy for the coppers to have it as a tool in their investigations re a murder, paedophiles, terrorism, serious fraud etc. People need to calm down and stop getting in a flap. The banks collect information on where you spend, supermarket loyalty cards tell what you eat, mobile phone apps like Facebook or Whatsapp record your friends, locations and associates, and airlines your travel, and telcos your call data. Is an ISP keeping your internet log data any different???!!??
      Note to the paranoid: police are too busy to target you random nobodies, the beige, the plebs, the masses... Sleep easy.

      Commenter
      unconcerned
      Date and time
      April 15, 2014, 6:02AM
      • Fine, until they confuse you with someone else of similar habits, who also happens to commit a serious crime. Also, while I am fully aware of what can be collected (and frequently is), I am quite concerned about who can access it. Even if you trust "the authorities" to give you the benefit of the doubt, what about the Nigerian scammers who manage to hack into these repositories, or even worse - get permission to access this data on some pretext?

        Commenter
        MerriD
        Date and time
        April 15, 2014, 9:21AM
      • You're not thinking as you put a lot of faith in the system. I hope you don't become that random nobody for false alarm. Any regulations have short coming. E.g. the secret random blacklist.

        Also are you aware that IP addresses are shared with some hosting services? E.g. an illegal website could shared the same IP as a legitimate site.

        I have several sites, and one was showing malicious activity not because of my domain name but because ip address that was sharing with others. Took several weeks to sorted it out. Now imagine the police are involved!

        For you it's probably ok, because i presumed you don't own any sites.

        Commenter
        Site owners
        Location
        Sydney
        Date and time
        April 15, 2014, 10:04AM
      • "Note to the paranoid: police are too busy to target you random nobodies, the beige, the plebs, the masses... Sleep easy."

        No, they USED to be too busy.

        What people like you forget is that technology is making universal surveillance easier and easier. So they don't need to be busy any more, and they can still watch you constantly.

        Commenter
        DM
        Date and time
        April 15, 2014, 3:45PM
    • Simple answer is that you can't have a successful dictatorship without monitoring people and controlling the media. I don't think our politicians like a country where the people can be in control, otherwise they would take so many poorly disguised measures to prevent it. No protesting? No saying negative things about the government? How else can you monitor these?

      Commenter
      really it's about the terrorists
      Date and time
      April 15, 2014, 7:37AM
      Comments are now closed
      Featured advertisers