Retained data set and breach notification set to become law

Australian Communications Minister Malcolm Turnbull and Attorney-General George Brandis have said that the government will support all of the recommendations made by the Parliamentary Joint Committee looking into its proposed mandatory data-retention legislation, which was introduced into parliament by Communications Minister Malcolm Turnbull in October last year.

In a joint statement published on Tuesday, Turnbull and Brandis called on parliament to support the committee's principle, and final, recommendation that the Bill be passed.

The legislation would require telecommunications companies to keep a set of customer metadata for a minimum of two years. This would include call records, assigned IP addresses, email addresses, SMS history, and other communications records that can be accessed by law enforcement.

On February 27, the Parliamentary Joint Committee on Intelligence and Security (PJCIS) into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 released its advisory report, making 39 recommendations.

These recommendations include the establishment of a two-year period for metadata retention; the requirement for a telco to provide notification in the event of a security breach of its data stores, which will be mandated to be encrypted; and the government making a "substantial contribution" to the costs of creating the regime.

The committee also recommended that the Bill be amended so that the proposed data set to be retained by telcos, and the agencies permitted to access it, is set in the primary legislation. Initially, this would have been set by regulation, allowing changes to the data set to be made further down the track without parliamentary approval.

However, it also recommended that the attorney-general have the ability to declare items for inclusion in the data set, with the declaration ceasing after 40 sitting days of parliament. An amendment to include the item in the data set must be brought before parliament within this 40-day window.

The government's statement said it agrees that flexibility is needed to amend the data set, and will amend the Bill to reflect the committee's recommendation. Likewise, the committee also recommended that the attorney-general be able to declare additional classes of service providers under the condition that any such declaration ceases to have an effect after 40 sitting days of either house of parliament.

One of the government's selling points for the proposed legislation has been that it would reduce the number and variety of agencies that have warrantless access to retained metadata, with only agencies dealing in serious crime and national security to maintain access under the scheme.

In question time on Tuesday, federal Justice Minister Michael Keenan said the number of agencies that currently have access to such data stands at around 80, but would be reduced to about 20 under the proposed legislation.

However, the committee's recommendation that the attorney-general can declare an authority or body as a criminal law-enforcement agency subject to the conditions that the declaration expires after 40 sitting days could see the number of agencies granted access to the retained data fluctuate.

The government supported the recommendation, saying that it "agrees there is benefit in listing agencies that can access telecommunications data in the TIA Act, but that flexibility is required to be able to include additional enforcement agencies expeditiously".

The government also agreed to refer to the committee for further consideration the question of the appropriate approach to disclosure or the use of telecommunications data to identify journalists' sources.

"The government notes that Australia's existing legal framework is founded on robust legal principles to provide fair and equal treatment of all subject to its laws," the joint statement said.