The parliament, not the government of the day, should determine the data set and who has access to the data that telecommunications companies will be forced to retain under mandatory data-retention legislation, according to the Senate Standing Committee for the Scrutiny of Bills.
The committee, made up of three Coalition MPs, two Labor MPs, and one Greens MP, made the recommendation this week in its report (PDF) investigating the legislation.
The Telecommunications (Intercept and Access) Amendment (Data Retention) 2014 Bill requires telecommunications companies to retain a set of customer data, such as time of call, call duration, the number dialled, assigned IP address, email addresses, and other information. The government deliberately left the specific data set to be retained out of the legislation, in order to be flexible and adaptive to technological advancement.
This means that the data set will be defined through regulation that is not required to go through parliament before being added. The committee said that the parliament should be required to approve or reject any proposed additions to the data set.
"It seems appropriate for parliament (not the executive) to take responsibility for ensuring that the scheme is adequately responsive to technological change in the telecommunications industry," the committee stated.
"Although the committee accepts that regulation-making powers are in some cases justified by the necessity to build in scope for flexible regulatory responses to changing circumstances, whether this scheme — which is highly intrusive of individual privacy — should be applied in a new technological context is a matter which will raise significant questions of policy. The committee generally expects that significant matters will be included in primary legislation — they are not appropriately delegated by the parliament to the executive government."
The committee also said that there should be a clearer definition of what "content" law-enforcement agencies could not get access to under the warrant-less data-retention regime.
In a bid to ensure that additional privacy safeguards were put in place for the scheme, the legislation narrows access to the metadata to a set list of law-enforcement agencies investigating criminal activities, with the exception that the attorney-general of the day can add agencies that request to be added to the list.
This would be done without requiring amendment to the legislation. The committee has asked the attorney-general to explain why access should be widened through ministerial declaration rather than legislation.
It comes as the Parliamentary Joint Committee on Intelligence and Security on Thursday commenced its inquiry into the legislation, chaired by Liberal MP Dan Tehan.
"We will be considering the appropriateness of the data-retention regime proposed in this Bill and its application to the investigation and prosecution of serious criminal offences and to countering threats to national security. Safeguards and oversight will be a key focus for the committee," Tehan said in a statement.
The committee is accepting submissions for just over one week until Monday, December 8. Public hearings will be held on December 17 and January 28 and 29, 2015, and more hearings are possible.
The committee will report by February 27, meaning the legislation will not be debated or passed before the end of February 2015.