The compulsory two-year retention of metadata needs stronger safeguards.

Last week the federal government announced it would accept all of the recommendations made by the Parliamentary Joint Committee on Intelligence and Security from its review into new mandatory data retention laws.



The committee’s recommendations curtail data retention’s threat to privacy. But risks still exist.

You want my metadata, George Brandis? Get a warrant | Geordie Guy Read more

We already have a form of data retention. Companies just aren’t legally obliged to hold the data. Currently any government agency that imposes a fine can request metadata from telecommunications companies.

The scheme includes local councils, which are free to request metadata of the time and location of a person’s mobile phone if it will help justify a parking ticket. That is far too low a bar.

Constructively, the government has recognised this flaw.

The government’s original proposal granted metadata access for the Federal Police and Asio, but gave the attorney general the flexibility to include additional government agencies.



The committee recommended the inclusion of the ACCC and Asic. Metadata is very useful in investigations of white-collar crime.



Fortunately the committee also recommended limiting the addition of further agencies. Now the attorney general can add further agencies, but only for up to 40 sitting days of parliament. After 40 days there needs to be a change in the law.



Such a provision doesn’t resolve all the concerns of the potential “creep” of the scheme, but it does mean there will be proper debate should there be an effort to extend it.

Similarly, under the government’s original proposal, the type of metadata to be retained was going to be declared by regulation. It can now be declared, but then has to be written in law.



Australians should rightly be sceptical of data retention. It is worrying that such a large volume of data will be available for any organisation to search, especially the government.



Individuals have a false sense of privacy through technology. We think that just because we are in the privacy of our own home browsing for content that it is private. In practice it is not.



We have already voluntarily handed over information to telecommunications companies as a trade-off for using their phone and internet service.



It is not without precedent. We already compromise absolute privacy when we borrow a book from a library. Government requires some data to be held for defined periods, such as banking services or our own personal tax records.



Like it or not, metadata is equally the property of telecommunications companies as it is the consumer’s.



Our concern should be to make sure that any data is securely stored. That is a matter of resources and technology.



We should also be concerned that there are procedures in place to ensure it is accessed appropriately by public servants, coupled with heavy penalties if it is not.



To ensure data is accessed appropriately the Australian Human Rights Commission recommended, along with many other groups, a system of independent authorisation for accessing data separate from the body that requested it.



That needn’t require a formal warrant system through the courts. It could be a single-point of access where the justification for each request is assessed and scrutinised.



A formal warrant system would be preferable, but with more than half a million requests for metadata each year the administrative burden would be incredible.



Instead the committee recommended there be a legal requirement that an officer that authorises data requests has to be convinced that the data is relevant, necessary for an investigation and sufficiently serious.



What can you learn about me from 24 hours of my metadata? Read more

Considering the sensitivity of the information that is kept, it is not unreasonable to have a formal penalties regime introduced if metadata is inappropriately accessed by public officials.



The committee recommended a “mechanism” that would “enable individuals to seek recourse if their personal information is mishandled”. That is a start, but it isn’t enough.



A formal penalty regime should be in place to make sure that no public servant is tempted to inappropriately access the information of their fellow citizens.



Recently a senior Federal Police Officer argued that that “those with nothing to hide have nothing to fear” from data retention. That’s wrong.



It’s true that the government doesn’t currently have the resources or technology to trawl through the metadata of every Australian. The concern is about the potential for future systems to be connected through technology.



For example, in isolation CCTV can risk privacy. But if there are appropriate checks and balances placed on the holding of video, security of the storage of video, tight approvals to access video and heavy penalties for inappropriately accessing content then those risks are mitigated.



The risk is that technological advancement will enable government to access data in real-time and connect different systems. For example, if the government was able to access CCTV, financial information and metadata from a person’s mobile phone location in real-time anyone’s life could be tracked and mapped.



The surveillance state would be fully-realised – privacy would be dead.



The government’s data retention plans are not bringing the pages of George Orwell’s 1984 to modern Australian life. The concern is that compulsory data retention takes us a not-insignificant step down that road of possibility.



The potential of technology presents us with new frontiers. That’s why laws and regulation have to recognise the very serious risks that compulsory data retention can pose.

Additional checks and balances are needed to ensure data is secure, it is accessed rarely and there are heavy penalties if access is abused.