LAURIE PATTON. The Data Retention Act. How not to introduce complex legislation. Feb 11, 2020
Appearing before a Parliamentary inquiry into the Data Retention Act the Commonwealth Ombudsman Michael Manthorpe revealed that law enforcement agencies have obtained individuals’ web browsing history without a warrant.
This validates the claim I made when the legislation was passed back in 2015 that its drafting was “fundamentally flawed”.
One of my first tasks shortly after joining Internet Australia was to front the Parliamentary Joint Committee on Intelligence and Security (PJCIS) to raise our concerns about the data retention legislation – the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015.
With our president and the head of our policy committee sitting beside me I told the committee the Bill had clearly been drafted by lawyers who didn’t understand how the Internet actually works. How prescient those comments have proven to have been.
We highlighted the Internet’s critical role in our emerging digitally-enabled economy and the danger in legislation that might cause people to lose trust in the Internet. We reminded the PJCIS of the debacle back in March 2013, when ASIC’s well-meaning attempt to block a few shonky online operators inadvertently shut down more than 250,000 innocent websites.
We noted that international experience had not found data retention schemes to have had much effect. Indeed, during the limited public debate that accompanied the passing of the legislation certain high profile individuals took to the media to explain the many ways determined wrongdoers can easily bypass the long arm of the data retention law.
A critical aspect of the legislation is that it only allows law enforcement agencies to scour our ‘metadata’, not the actual contents of our online exchanges with others. Metadata indicates things like how big a document is, who the author is, and when it was written. That this baseline provision has been breached is a serious indication of ongoing inherent flaws in the Act.
At the PJCIS’s request Internet Australia provided a confidential briefing paper listing some of the more significant problems with the legislation. We secured 39 amendments, including a provision for the review now underway.
One of the more bizarre issues we raised is that no-one knows how many Internet Service Providers (ISPs) there are in Australia. This is because there is no requirement for ISPs to be licensed. Estimates range from around 250 to more than 500. With few exceptions, each of these is supposed to comply with the Data Retention Act. This involves reconfiguring their internal IT systems and then storing a good deal of information that was previously discarded immediately after its use, or not long thereafter. They are required to keep it for two years. For large telcos this is probably not a major issue. However, for some smaller independent ISPs the cost of complying is quite onerous. There is no guarantee that we will ever get to the point where all ISPs (however many there might be) are complying. And probably no way for the Attorney General’s Department, or for law enforcement agencies, to know how many are not.
The Data Retention Act is so complex that there was widespread confusion and even some disagreement about what it requires of ISPs many months after the Act came into force. Telstra, Australia’s biggest ISP, found the going so tough it sought and secured an 18-month extension on its requirement to comply. So imagine how the rest of the industry fared.
The history of the data retention scheme provides a spectacular case study in how not to introduce controversial legislation. It is a classic example of a badly designed law that was rushed through Parliament on the dubious theory that great urgency was justified and would not impede the efficient implementation of a complex new regulatory regime. Such haste in the design and implementation was certain to ensure problems would ensue. Those chickens appear to have come home to roost, as has been exposed by the Ombudsman’s report to the PJCIS.
The Attorney-General’s Department, which had carriage of the legislation, only consulted a limited number of external organisations. Internet Australia and other civil society groups with wide-ranging expertise were kept out of the loop until it was too late to provide their advice and assistance.
The PJCIS inquiry is ongoing and more contentious matters are sure to be raised. The Australian Human Rights Commission has asked the PJCIS to reduce the retention period from two years to a period of under six months. And long-standing objections to the range of organisations permitted to use the provisions of the Act are also back in the spotlight. No doubt the journalists’ union, the MEAA, will repeat its concerns about the use of the legislation to track down sources.
(Laurie Patton was CEO / Executive Director of Internet Australia, the NFP peak body representing the interests of Internet users, when the Data Retention Act passed. He is now the Vice President of TelSoc.)