Laurie Patton. Data Retention: How not to introduce complex legislation. 21/12/2015
One of my first tasks shortly after joining Internet Australia (née ISOC-AU) was to front the Parliamentary Joint Committee on Intelligence and Security (PJCIS). Our appearance at the hearing into the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 came at the end of a long day of mostly opposing submissions.
With our president and the head of our policy committee sitting beside me I boldly told the committee that the Data Retention Bill was “fundamentally flawed” and had clearly been drafted by lawyers who didn’t understand how the Internet actually works. How prescient those comments have proven to have been.
We highlighted the Internet’s critical role in our emerging digitally enabled economy and the danger in legislation that might cause people to lose trust in the Internet. We reminded the PJCIS of the debacle, back in March 2013, when ASIC’s well-meaning attempt to block a few shonky online operators had inadvertently shut down more than 1000 innocent websites.
We noted that international experience has not found data retention schemes to have had much effect. Indeed, during the limited public debate that accompanied the passing of the Data Retention Bill, certain high-profile individuals took to the media to explain the many ways that determined wrongdoers, or even completely innocent people, can easily bypass the long arm of the data retention law.
At the committee’s behest, we subsequently provided a confidential briefing paper listing some of the more significant problems with the legislation. When it brought down its report there were 39 amendments recommended, all of which were agreed to by the government and the opposition. Unfortunately, as is the way with these things, the PJCIS did not put its mind to the more difficult question of how to deal with the serious drafting issues we warned them about. Then, nor did the Attorney General’s Department.
No-one knows how many Internet service providers (ISPs) there are in Australia. This is because there is no requirement for ISPs to be licensed. Estimates range from around 250 to more than 500. With few exceptions, each of these is required to comply with the Data Retention Act. This involves reconfiguring their internal IT systems and then storing a good deal of information that was previously discarded immediately after its use, or not long thereafter. They are required to keep it for two years. For large telcos this is probably not a major issue. However, for some smaller independent ISPs, especially those in regional areas, the cost of complying could be so onerous as to see them go out of business.
Also appearing before the PJCIS hearing late in 2014, a senior Telstra executive warned that we would be creating “honeypots” – large masses of private and confidential data that would be very enticing to hackers.
The journalists’ union, the MEAA, raised its fear that the legislation would be used to identify sources, pointing to the important role that “whistle blowers” often play. At the last minute the media companies secured what some thought was a form of protection. Before they can use a journalist’s data, law enforcement agencies must seek a court warrant. However, it is arguable that by the time they’ve trawled through the honeypots and subsequently discovered that the data belongs to a journalist they will have enough prima facie evidence to justify a warrant.
Nine months after the Data Retention Act received Royal Assent the implementation process is in disarray. It is likely that implementation is at least another year away. So much for a law that was needed urgently!
The drafting of the Data Retention Act is so complex and fundamentally flawed that there remains, after months of consultations and discussion with the Attorney General’s Department, widespread confusion and even some disagreement about what it requires of ISPs.
Telstra, Australia’s biggest ISP, found the going too tough, seeking and receiving an 18-month extension on its requirement to comply. So imagine how the rest of the industry is going.
There is no guarantee that we will ever get to the point where all ISPs (however many there might be) are complying. And probably no way for the Attorney General’s Department, or for law enforcement agencies, to know how many are not.
Internet Australia recently raised with Senator Brandis our concerns about the implementation process, pointing to the poor drafting as a major contributor. His sensible response was “I’m always happy to look at fixing flawed legislation”. We have since written to Senator Brandis and to the Prime Minister’s office calling for an urgent review of the provisions of the Data Retention Act so that at the very least the drafting issues are addressed.
The history of the data retention scheme provides a spectacular case study in how not to introduce complex legislation. It is a classic example of a badly designed law that has been rushed through the parliament in the dubious belief that urgency was justified and would not impede the efficient implementation of a new regulatory regime. This haste in the design and implementation has almost certainly ensured ultimate failure to achieve the Government’s stated aims. It has also resulted in a lot of unnecessary cost to industry, and to consumers.
It is perhaps timely to observe that Prime Minister Turnbull has reversed an Abbott Government decision and recommenced the process for Australia joining the global Open Government Partnership. A bit more openness from the Attorney General’s Department would have been a good idea in the case of the data retention scheme.
Laurie Patton is CEO of Internet Australia, the peak body representing Internet users, and a chapter of the global Internet Society – see www.isoc.org