A Window for Change: Why the Australian Metadata Retention Scheme Lags Behind the EU and USA

Genna Churches & Monika Zalnieriute

26.02.20

Australia has a long history of elevating security and law enforcement concerns above the protection of fundamental rights. Perhaps this is reflective of Australia’s lack of a federal human rights Bill or Charter. We have witnessed a growing palette of pro-security laws since 9/11, many of which conflict with Australia’s obligations under international human rights law. For example, the International Covenant on Civil and Political Rights (ICCPR) – which Australia has ratified –  guarantees the right to privacy, with only  limited exceptions made for interferences that are envisaged by the state’s law, which must specify in detail the precise circumstances in which such interference may be permitted. The interference must also be necessary and proportionate to the legitimate aims pursued by government, such as ensuring national security or fighting serious crime. The principle of proportionality requires that the least intrusive measures possible are employed to pursue those legitimate aims. However, the fear of terrorism, along with limitations in technological knowledge, has often tipped the scales in Australian politics: legislators have opted for blanket measures and pro-security legislation at the cost of fundamental rights.

One important piece of such pro-security legislation enacted in 2015 as an amendment (the 2015 Amendment) to the Telecommunications (Interception and Access Act) 1979 (Cth) (TIA Act) – known as Australia’s metadata retention scheme – requires telecommunication and internet service providers (telcos) to retain customer metadata for a period of two years. Metadata is a highly sensitive form of information about the individual. It shows a telecommunications user’s friends, family and other social contacts; their location; date, time, duration and form of a communication; and a host of other information which may include web browsing activity such as the URL accessed.  It differs slightly from ‘content’, which refers to the message itself, like the body of an email or a live phone call. Metadata can be even more revealing than content, as it enables agencies to create a comprehensive digital picture of individuals’ movements, contacts, interests and associations. An individual’s metadata is accessible without a warrant if, at any time in the future, that individual falls under suspicion of contravening any law – not just relating to serious crime.

The metadata retention scheme has come under fire after revelations that police accessed the metadata of journalists and 3,000 other telecommunications users without authorisation. Coinciding with unlawful access was the realisation that existing laws permitted access to such data by a huge variety of agencies, ranging from local councils through to teachers’ associations. Such liberal access was in existing legislation, despite legislators believing they had restricted access to only law enforcement agencies.

This year, the Federal Parliamentary Joint Committee on Intelligence and Security (PJCIS) is conducting a three-year review of Australia’s metadata retention scheme.  The PJCIS review provides an opportunity to reflect on the necessity and legality of the scheme. In our evidence before the PJCIS in Canberra on 14 February 2020, we argued that Australia’s current data retention regime does not sit comfortably with recent reforms internationally, and should be comprehensively reformed if Australia is not to lag behind the more progressive legal developments in other jurisdictions, such as the EU and USA.

In this post, we first briefly outline the Australian human rights and metadata retention frameworks. We then point to increasingly rigorous legislative requirements for data retention or access in the EU and USA. Finally, we explain why the Australian regime is different and suggest that a comprehensive review is needed to reduce the growing dichotomy between Australian and overseas domestic data retention and access laws.

Australian Human Rights and Metadata Frameworks

Australia is a signatory to the ICCPR and has obligations to protect human rights. However, unlike many Western democracies, Australia does not have a federal human rights Bill or Charter. Apart from the Parliamentary Joint Committee on Human Rights, there is little scope for scrutiny or room for initiating legal challenges to legislation that unnecessarily interferes with fundamental rights such as the right to privacy. Australian legislators have shown little willingness to fulfil their obligations under international human rights law, especially when it comes to access and retention of metadata.

Current Australian data retention legislation permits indiscriminate retention of metadata by telcos and access without a warrant by agencies ranging from police to local councils. This stands in contrast to Australia’s existing warrant-based system for accessing or recording content, despite metadata being generally considered as more pervasive. These traits of the Australian metadata retention scheme mean that it provides considerably lower levels of privacy protection than regimes developed in other jurisdictions such as the EU and USA. Those jurisdictions have robust human rights frameworks and provide normative guidance to their legislators on proportionate responses to societal objectives sought by their national data retention frameworks.

Latest Developments in the EU and US Data Retention Regimes

In many jurisdictions, blanket data retention regimes are now recognised as incompatible with the right to privacy and international obligations under the ICCPR, as recently emphasised by the United Nations Special Rapporteur on the right to privacy and the Office of the High Commissioner of Human Rights, and numerous judicial decisions in the EU and USA. Following the 2013 revelations by Edward Snowden about the secret mass surveillance programmes conducted by the US National Security Agency, the Court of Justice of the European Union (CJEU) delivered several ground-breaking judgments on data retention, which have resulted in regime reform in the EU. Similarly, in 2018 in the USA, the Supreme Court held that access to location data requires a warrant. We look at these developments more closely.

First, in the EU, following numerous earlier judgments by constitutional courts in EU Member States, in 2014 the CJEU declared the EU Data Retention Directive retroactively invalid in the Digital Rights Ireland case. The Data Retention Directive was enacted in 2006 and mandated the establishment of national legal frameworks requiring blanket data retention by telcos for a minimum period of six months and a maximum period of two years. The CJEU ruled that the Directive disproportionately interfered with the right to respect for private and family life and the right to protection of personal data enshrined in Articles 7 and 8 of the European Union Charter of Fundamental Rights (EUCFR). The judgment was praised as a victory for fundamental human rights over mass surveillance in Europe. While the CJEU did not rule on the validity of national laws implementing the invalidated Directive, some Member States invalidated their domestic rules and others have amended or introduced new data retention laws. In 2016, the CJEU extended the Digital Rights Ireland reasoning to national legislation in its Tele2 Sverige judgment, by holding that domestic data retention legislation in Sweden and the UK, which permitted indiscriminate retention of metadata by communication service providers, was incompatible with the EUCFR.

Last month, these findings were reinforced by the Opinion of Advocate General Campos Sánchez-Bordona (who provides non-binding opinions on EU law to the CJEU) on three national data retention schemes in the UK, France and Belgium. The Opinion, delivered on 15 January 2020, clarified the existing case law; reaffirming that only limited and discriminate retention may occur within the EU, with prior independent authorisation by a court or independent authority for accessing that data; that affected parties have to be informed (unless it would compromise the effectiveness of the measure); and that domestic laws must be enacted to prevent unlawful access or misuse of the data.

Second, in the USA in 2018, the US Supreme Court ruled in Carpenter v United States that location data is subject to the same level of legal protection as content data, requiring a warrant under the Fourth Amendment of the US Constitution. This warrant entails showing ‘probable cause’ that a crime has been committed and that the items to be searched for are relevant to that crime – a higher threshold than a court order. The case involved an assessment of the legality of access, based on a court order, to location data (records of when a particular cell phone has connected to a cell site) relating to a suspect. The Court found the accuracy of location data was approaching ‘GPS-level [tracker] precision’, but overall had greater implications for privacy as: ‘the cell phone is carried with the user, perhaps even into the shower’; the phone automatically carries out the surveillance; and the surveillance is retrospective – at any point in time enforcement bodies can go back through a person’s location record retrospectively, prior to the person becoming a person of interest. For comparison, a GPS tracker under Australian law generally requires a warrant and is therefore only prospective – applying only to data collected after the warrant was issued. This raises questions as to why Australian law permits access to location data without requiring a warrant. Even prior to the Carpenter judgment, the US Stored Communications Act required a court order for the disclosure of metadata, a substantial increase in the threshold for access compared to Australia.

These recent developments in the EU and USA sit in stark contrast to the Australian data retention scheme, which permits indiscriminate retention and requires no warrant to access metadata. In the next section we discuss the reasons why the Australian scheme has so far resisted changes similar to those in other jurisdictions.

Why is the Australian Metadata Regime so Different?

The Australian regime, which now lags behind the EU and USA, has been influenced by a number of factors.  For example, difficulties understanding the technologies involved and a pro-security stance have hampered legislators’ efforts to fully comprehend the effect of numerous amendments to the metadata scheme, and the permissibility of data access under previous and existing legislation. These factors have also made it more difficult for legislators to make impartial assessments of proportionality.

Importantly, the Australian data retention scheme has developed as an ad hoc system – as technology developed and metadata became more important for law enforcement purposes, a piecemeal system of amendments and additions to existing regimes designed to intercept telephone calls, has resulted in the system we have today. For example, location data has quite an exceptional legislative history in Australia. Despite the data being accessed by law enforcement bodies and other agencies, there was no specific legislative basis for data access in Australia prior to 2007, when the Telecommunications (Interception and Access) Amendment Bill 2007 (Cth) was introduced. Location data is now mandated to be retained by telcos, despite legislators’ attempts in 2014 to limit the number of location identifiers. Telcos are not prohibited from retaining the full spectrum of location and other data for commercial reasons or under other legislation or instruments, and can release the information without a warrant, notwithstanding the existing warrant-based system for similar technologies, such as GPS trackers.

The confusion around data retention continues when we consider other forms of metadata which, as we explain below, should be classed as content such as URLs or ‘web browsing’. Despite the Explanatory Memorandum to the 2015 Amendment flagging that ‘web browsing history’ should be specifically excluded from retention, the wording of s 187A(4) of the TIA Act does not specifically exclude the retention of web browsing histories, or – more correctly – URLs accessed. Historically, the use of terms such as ‘web browsing’ and ‘URL’ has been subject to ambiguity with different governmental departments applying their own interpretations. In various parliamentary reports and debates, URLs and webpages or web browsing have sometimes been classed as metadata and at other times content. Previous reports made under the TIA Act state that URLs can be accessed as part of metadata but only supplied ‘to the extent that they do not identify the content of a communication’. This has resulted in a scheme which may well mandate retention of URLs, does not prevent them from being voluntary retained and does not prohibit access to them.

The TIA Act also provides a strained definition of ‘telecommunications data’ (metadata) – everything that is not the contents or substance of a communication. Contents or substance is also not defined. Technology has moved far beyond the ‘letter’ and the ‘envelope’, a time when distinguishing between contents (the letter) and metadata (the envelope) was easy. Today, the new ways in which people communicate generate types of data which, if accessed, grant insights into our movements, interactions and daily activities which could not have been contemplated by legislators from previous generations. Parliamentarians have preferred using undefined and ‘technology neutral’ definitions hoping that these will prevent constant revisions to the Act. Yet, the TIA Act has been amended 68 times since 2001.

Once agencies access this metadata, they are permitted to retain it indefinitely and disclose it to other agencies for a broad range of reasons. Although a record of secondary disclosures is required to be kept, such disclosures are not part of annual reporting measures. Agencies have recently affirmed that they do not delete metadata they have obtained, and that they use that data for their own later investigations and share it with other agencies, suggesting an almost secondary data retention scheme made up of accessed and retained data across various agencies.

Measuring the proportionality of the interference with the right to privacy is difficult when the language used to justify blanket metadata retention schemes is so exceptional. The Explanatory Memorandum to the 2014 Bill leading to the 2015 Amendment stated:

Telecommunications data is central to virtually every counter-terrorism, organised crime, counter-espionage and cyber-security investigation, as well as almost every serious criminal investigation, such as murder, rape and kidnapping. Telecommunications data is increasingly important to Australia’s law enforcement and national security agencies, allowing agencies to determine how and with whom a person has been communicating.

There are further remarks throughout the Explanatory Memorandum regarding telecommunications data access by law enforcement and security agencies and the proportionality of that access with the pressing need to address serious crime. In 2014, Communications Minister Malcolm Turnbull said that ‘Australians potentially involved in child exploitation may not be traced and investigated’ if the legislation did not pass. When the emotional tug of such serious crimes is employed, it is difficult to measure the necessity and proportionality of the proposed legislation. This is particularly the case when the legislation permits access to metadata for minor offences or even fines. Under the principle of proportionality, an interference with the right to privacy will likely fail with any smaller objective than aiming to prevent or address serious crimes, rather than minor fines.

A Window for Change Now?

The data retention scheme has been the subject of rumour, incitements of fear and policy inuendo for over a decade now. Only one of the five Parliamentary reviews since then has endorsed a metadata regime. However, this endorsement has left Australia with a system of metadata access and retention which does not protect the human rights of its citizens; is disproportionate to the societal objectives sought to be achieved; is well out of synch with the latest jurisprudence in other jurisdictions; and above all, does not conform to the scheme envisaged by legislators.

Metadata is a highly technical concept – perhaps one not easily understood by those not working with technology. However, a human rights framework can provide normative guidance where the ability of legislators to understand the current metadata retention and access scheme is lacking. As the CJEU’s Advocate General stated in the recent Opinion on data retention schemes in UK, France and Belgium:

the fight against terrorism must not be considered solely in terms of practical effectiveness, but in terms of legal effectiveness, so that its means and methods should be compatible with the requirements of the rule of law, under which power and strength are subject to the limits of the law and, in particular, to a legal order that finds in the defence of fundamental rights the reason and purpose of its existence.

Such legal effectiveness – the protection of fundamental human rights and the rule of law – must be in every piece of our legislation. We hope that the PJCIS will not miss the window of opportunity to recommend a full review of the data retention and access regime to ensure it better reflects Australian legal values and commitment to the rule of law.

—

Genna Churches is a PhD Candidate at UNSW Law.

Dr Monika Zalnieriute is a Research Fellow and Lead of the ‘Technologies and Rule of Law’ Stream at the Allens Hub for Technology, Law & Innovation at UNSW Law.

Suggested citation:  Genna Churches and Monika Zalnieriute, ‘A Window for Change: Why the Australian Metadata Retention Scheme Lags Behind the EU and USA’ on AUSPUBLAW (26 February 2020) <https://auspublaw.org/blog/2020/02/a-window-for-change-why-the-australian-metadata-retention-scheme-lags-behind-the-eu-and-usa/>