Data-retention Bill an 'intrusion of privacy': Human rights committee

The government's move to force telcos and ISPs to retain customer metadata for two years has been branded 'intrusive of privacy' by the Parliamentary Joint Committee on Human Rights, in a new report calling for the government to define the types of data to be retained and review the two-year retention period.

The Parliamentary Joint Committee on Human Rights has raised concerns about the government's data-retention Bill in a new report (PDF).

The committee, which is charged with considering the compatibility of new legislation with national human rights obligations, said in its report that the proposed data-retention Bill was "very intrusive of privacy".

"A requirement to collect and retain data on every customer just in case that data is needed for law-enforcement purposes is very intrusive of privacy, and raises an issue of proportionality," the committee said in its report.

"Communications data can reveal quite personal information about an individual, even without the content of the data being made available, revealing who a person is in contact with, how often, and where. This in turn may reveal the person's political opinions, sexual habits, religion, or medical concerns.

"The proposed scheme clearly limits the right to privacy. The committee therefore considers that the scheme must be sufficiently circumscribed to ensure that limitations on the right to privacy are proportionate (that is, are only as extensive as is strictly necessary)," it said.

The committee also recommended that to avoid any arbitrary interference with the right to privacy that would result from reliance on regulations, the Bill should be amended to define the types of data that are to be retained.

"If the Bill is not amended, the committee recommends that the government release for consultation a exposure draft of the regulation specifying the types of data to be retained for the purposes of the scheme," it said.

The committee said that its concern about the undefined types of data to be collected is compounded by the fact that what constitutes the "content" of a communication — which would be excluded from collection — is undefined in the Bill, which it said could see data retained that does include aspects of content.

"The committee therefore recommends that to avoid the arbitrary interference with the right to privacy that would result from not defining the content that is excluded from required retention, the Bill be amended to include an exclusive definition of 'content' for the purposes of the scheme," it said.

The committee also called for the further advice of the attorney-general as to whether the two-year mandatory retention period is necessary and proportionate in pursuit of a legitimate objective.

It also recommended that the Bill be amended to limit disclosure authorisation for existing data to where it is "necessary" for the investigation of specified serious crimes, or categories of serious crimes, in order to avoid the "disproportionate limitation on the right to privacy that would result from disclosing telecommunications for the investigation of any offence".

Also of concern to the committee was that the communications data of individuals subject to an obligation of professional secrecy may be accessed, and that accessing this data could impact on legal professional privilege.

With this in mind, the committee requested the advice of the attorney-general as to whether such data could, in any circumstances, impact on legal professional privilege, and, if so, how this is proportionate with the right to privacy.

The government's data-retention Bill — the so-called third tranche of its anti-terror legislation — was rushed into parliament by Communications Minister Malcolm Turnbull late last month, proposing that telcos and ISPs retain customers' non-content metadata for a mandatory two-year period.

The committee's comments come as UK Prime Minister David Cameron has told a joint sitting of the Australian Parliament on Friday that businesses have a social responsibility to clamp down on extremist content on the internet.

"We must not allow the internet to be an ungoverned space," Cameron said at the event on November 14. "In the UK, we are pushing for companies to do more, including strengthening filters, improving reporting mechanisms, and being more proactive in taking down this harmful material. We're making progress, but there is further to go.

"This is their social responsibility, and we expect them to live up to it," he said.

In July this year, British parliament pushed through a Bill that would allow UK data-retention laws to stay in place after the European Court of Justice struck down the previous law in a ruling that said existing data-retention laws across Europe breached citizens' right to privacy.

In July, however, the United Nations Human Rights Council rejected claims by governments that mandatory data retention is required for national security protection, with the UN General Assembly adopting a resolution at the time stating that governments must respect the privacy rights of people both offline and online.