NSW Police Force seeks 7-year data-retention scheme

Australian state and federal law-enforcement agencies have stressed that they are being pragmatic in accepting a two-year data-retention period and not being able to access web-browsing histories.
Written by Josh Taylor, Contributor

If privacy was no concern, Australian law-enforcement agencies have said they would like a wider selection of telecommunications customer data for much longer than two years, including the retention of every Australian's web-browsing history.

Under the mandatory data-retention legislation before the parliament, telecommunications companies will be required to retain a set of customer data for a minimum of two years for access by law enforcement. The type of data the government wants retained includes call records, customer location information, and assigned IP addresses.

It was initially unclear whether web-browsing history would be retained. This was only made more confusing when the legislation was first announced last year, and Attorney-General George Brandis, in a Walkley Award-winning interview, could not confirm whether URLs would be retained.

The government has now set out in the legislation that telecommunications companies are not required to retain browsing history, but they are not stopped from storing browsing history, either.

Police have argued for years that metadata should be retained for longer than two years, but have said that it is designed to be a pragmatic compromise to allay community concerns about the privacy implications for retaining large amounts of personal data on every Australian for access without a warrant.

But despite this compromise, some agencies are still pushing for longer storage periods. NSW Police Force Assistant Commissioner Malcolm Lanyon said the police would like to see the data retained for up to seven years.

"NSW Police Force is currently able to access stored telecommunications data for up to seven years -- that's generally call charge records, and reverse call charge records. At a time when encrypted mobile and internet-based communication degrades our interception capability, it is imperative that telecommunications data is kept as long as possible to facilitate investigations," Lanyon told a parliamentary committee on Friday.

Lanyon said murders, sexual assaults, and robberies can take several years to investigate, meaning the more data held, the more police has to work with.

Around 4,000 of the 120,000 requests made by NSW Police in the last year were for metadata older than two years, he said, and most related to murders.

ASIO director general Duncan Lewis said that more than two years would be ideal.

"Ideally, ASIO data needs would be better met if there was a significantly longer retention period," he said. He said two years is the bare minimum, and he would not endorse a shorter retention period as seen elsewhere in the world and advocated by some telcos including Vodafone.

Victoria Police said the agency would also like to have web-browsing history retained, but understands the public concern around the potential invasion of privacy.

All agencies rejected the possibility of requiring judicial approval before being given access to metadata, stating that metadata forms the building blocks for investigations, and many investigations would lack sufficient evidence to get judicial approval to access metadata at the early stage of an investigation.

Law Council says rewrite data laws

The Law Council has said the federal government should go back to the drawing board on its proposed data-retention laws.

Law Council president Duncan McConnel told the committee they should not be passed by the parliament.

"The Law Council has recommended that the Bill not be passed and that it be withdrawn, amended, and released as an exposure draft for public consultation," McConnel told the hearing.

The peak law body said the data set to be made available to law-enforcement and security agencies needs to be clearly defined in the main piece of legislation, rather than in a separate document.

The council said the legislation should also include a complete list of agencies that were able to access the data, and data access should be limited to agencies that were required to investigate serious indictable offences or specific threats to national security.

A warrant issued by an independent tribunal should be required to access the data, or, in an emergency situation, a ministerial warrant.

It said there should be specific protections for privileged and confidential information, minimum standards for data security, and a privacy impact assessment.

McConnel said the Law Council also has concerns about the two-year data-retention period, saying it should be "no longer than the minimal period as demonstrated to be required by law-enforcement and security agencies".

Editorial standards