Legislation surrounding Australia's ascension to the European Convention on Cybercrime must not allow for information to be sent offshore that would result in the death penalty, a parliamentary committee has today advised.
The Cybercrime Legislation Amendment Bill 2011 was first introduced into parliament in June, and was passed by the lower house before being referred to committee in the Senate. The Bill, when passed, will amend two criminal Acts (the Mutual Assistance in Criminal Matters Act 1987 and the Criminal Code Act 1995) and two telecommunications Acts (the Telecommunications (Interception and Access) Act 1979 and the Telecommunications Act 1997), which will allow Australia to accede to the Council of Europe Convention on Cybercrime.
The Council of Europe Convention on Cybercrime is a treaty designed to foster cooperation and common policy between nations to deal with crimes committed on computer networks across the globe, such as online fraud or child pornography offences. Over 40 countries are party to the convention, and it has been in place since 2004.
In Australia, police will be given greater powers under the proposed legislation to force internet service providers (ISPs) to retain data of customers who are suspected to have committed a cybercrime while the matter is being investigated. However, according to Attorney-General Robert McClelland, the authorities will only be able to access that data once a warrant has been obtained.
The committee's report (PDF) into the Cybercrime Legislation Amendment Bill 2011, handed down in the Senate today, made 13 recommendations for amendments to the Bill allowing for greater oversight of information sharing between law enforcement agencies by the government. In cases where information being transferred offshore may be used in a case that would attract the death penalty, the committee has recommended that data only be sent with the approval of the attorney-general or the Home Affairs minister.
In order to achieve this, the committee has recommended that the Telecommunications (Interception and Access) Act 1979 be amended so that discretionary grounds for refusing a mutual assistance request fall in line with those set out in the Mutual Assistance in Criminal Matters Act 1987:
"The attorney-general must refuse assistance to a foreign country if the offence carries the death penalty in that country, unless he or she is of the opinion that special circumstances of the case warrant the provision of assistance (section 8 (1A) of the MA Act). Under section 8(1B), the attorney-general may also refuse assistance where the assistance may result in the death penalty being imposed, and, having regard to the interests of international cooperation, decided that assistance should not be granted."
In Telstra's submission to the inquiry, the telco raised concerns about "possible secondary uses" of customer information that may have been passed legally to international law enforcement agencies. In response to this concern, the committee has recommended that the Mutual Assistance Act be amended to include a discretionary ground that would allow Australia to decline a request if the country of origin's privacy protections are not substantially similar to Australia's.
Since Australia's privacy laws are not as clearly outlined as they are in European law, the committee has also advised that the legislation be amended "to elaborate the conditions of disclosure of historical and existing telecommunications data to foreign countries, including in relation to retention and destruction of the information, and an express prohibition on any secondary use by the foreign country". The committee has also asked the attorney-general to look at whether those who are having their data retained should be informed of that fact, provided that it would not prejudice an investigation.
The committee also suggested that ISPs be required to destroy preserved data as soon as it is no longer required by law enforcement agencies, unless the ISP needs that data in the regular course of business, and that the attorney-general should review whether smaller ISPs, which are exempt from the Privacy Act, should no longer be exempt from privacy regulation with the passage of legislation.
During the inquiry, Telstra highlighted concerns that implementing a data retention system would be expensive in time and money for ISPs, and that the providers should not have to foot the bill. Rather than directing that any compensation should be offered to the telcos, the committee has said that the Attorney-General's Department should consult widely with the ISPs to ensure that the legislation, "when enacted, can be implemented in a timely and efficient manner".
Greens communications spokesperson Senator Scott Ludlam told the parliament today that the Bill was a "colossal overreach" that would encroach upon the civil liberties of Australians in the name of law enforcement and counter-terrorism, and has left the door open for scope creep. He was concerned that the scheme would turn into full data retention.
"This does not just pertain to acts of terrorism or to child pornography or child abuse material. This relates to everything, every form of offense and every form of data," he said, adding that the Attorney-General's Department is seeking to push its data retention agenda through this legislation, after public outcry following ZDNet Australia's initial revelation of plans.
"Here it comes again, sneaking in under the cover of an otherwise sensible Bill about signing onto this European Convention. The convention itself, don't forget, these police powers in many European countries occur on the back of very strong human rights protections that don't exist in Australia," he said.
"There are very serious grey areas in this Bill," Ludlam said pleading with the government to review the committee report and "don't simply serve up the Bill unamended ... this one needs a second thought".
The Senate will debate the Bill at a later date yet to be determined.