T 03 9607 9311 F 03 9602 5270 [email protected] Mr MP Date 6 February 2015 Chair Parliamentary Joint Committee on Intelligence and Security PO Box 6021 Parliament House Canberra ACT 2600

By email: [email protected] CC: Mr Dan Tehan MP ([email protected]) The Hon Anthony Byrne MP ([email protected]) Senator David Bushby ([email protected]) The Hon MP ([email protected]) Senator the Hon ([email protected]) The Hon Mark Dreyfus QC, MP ([email protected]) Senator the Hon ([email protected]) Senator David Fawcett ([email protected]) Mr Andrew Nikolic AM, CSC, MP ([email protected]) The Hon Phillip Ruddock MP ([email protected]) Senator John Williams ([email protected])

Dear Mr Tehan MP,

Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 – Supplementary Submission

The Law Institute of (LIV) provided a submission to the Inquiry. We were not invited to appear before the Committee and have been informed that the Committee is not holding any further hearings.

In these circumstances, we have prepared this brief supplementary submission to assist the Committee. We request that you accept this as further evidence and urge the Committee to consider fully the recommendations, concerns and questions raised in our submissions (attached).

We have set out below a range of practical consequences if the Bill is passed in the current form in Appendix A.

Our primary recommendation remains that the Bill not be passed. In the event that this recommendation is not accepted, we are of the view that there are amendments that may assist in mitigating some of the possible unintended consequences flowing from the scheme. These are set out in Appendix B.

Please contact me or Leanne O’Donnell, at [email protected] on (03) 9607 9380, if you would like to discuss the issues raised in this letter or in our submission.

Thank you for your consideration.

Yours sincerely,

Katie Miller President Law Institute of Victoria

Appendix A

Use of telecommunications data in civil litigation

The Bill in its current form allows data retention of a larger, richer and more complex set of telecommunications information. It does not impose any limitation on access to the retained data by other legal processes, such as the courts’ powers to compel production of documents (e.g. subpoena, notice to produce and discovery).

This is likely to be an attractive target for discovery and in litigation. The following are examples of such uses.

1. Use of telecommunications data in family law proceedings

A father seeking orders granting him residence with the children may claim that the mother is not providing a suitable environment for the children. The father may apply for an order to access the mother’s telecommunications data in order to identify persons with whom the mother associates and then argue that it is not in the children’s best interests to associate with such persons. Furthermore, the father may then use the information to identify locations the mother frequents. This information could be harmful to the mother and/or the children if there is a risk of family violence.

2. Use of telecommunications data in personal injury proceedings

A defendant to a personal injury claim (e.g. a workplace injury claim, a motor vehicle accident claim, a negligence claim) may apply for an order to access the plaintiff’s telecommunications data in order to argue, that the places frequented by the plaintiff (e.g. a fitness club) are inconsistent with the plaintiff’s alleged injuries and/or to identify persons with whom the plaintiff associates in order to obtain witness statements to support the defendant’s case.

These examples are not exhaustive. Other disputes in which court orders may be used to access telecommunications data include: employment, intellectual property, breach of confidence and trade secrets cases.

Costs will be high firstly for obtaining detailed orders to access telecommunications data, then analysing the data and preparing submissions based on the evidence. It is likely that access to this type of data will be disproportionately exploited by institutional and well- resourced litigants. Responding to argument based on the complex data will add a further cost burden to parties with limited financial means. This will potentially widen power imbalances between well-resourced litigants and other litigants (e.g. between employer and employee; insurer and individual; copyright holder and individual accused of illegal downloading).

Unlike other information sought pursuant to a court order, it will be very difficult to limit the order to telecommunications data that is relevant to the issues in dispute. Information that could be subject to a claim of privilege or which may be subject to an expectation of confidence or privacy will only be identified after the telecommunications data has been released to, and analysed by, the litigant seeking the order. The knowledge that a defendant may gain access to telecommunications data which can reveal political affiliations, health information and financial interests may be a deterrent to plaintiffs bringing legitimate claims to court.

It must be remembered that the purpose of the Bill is to provide criminal law enforcement agencies with data to prevent, detect and enforce crime and terrorist activities – it is not to assist discovery in civil litigation.

Furthermore, telecommunications providers or internet service providers could themselves use telecommunications data in their own civil litigation, providing them with a resource not available to other litigants. The existing controls on use and disclosure of telecommunications data contained in the Privacy Act 1988 and Part 13 of the Telecommunications Act 1997 are insufficient to protect against this scenario.

Use of telecommunications data by government agencies

The Bill permits the Attorney-General to prescribe by regulation additional criminal law enforcement agencies who may access the telecommunications data.

ASIC has already indicated that it will seek to be prescribed. We anticipate that Centrelink, the ATO and other agencies that similarly have access to telecommunications data will similarly seek to be prescribed.

3. Use of telecommunications data by agencies to monitor self-assessment

Agencies that administer schemes involving self-assessment (such as the ATO and Centrelink) may access telecommunications data of persons within the scheme (e.g. persons receiving benefits or persons claiming tax deductions) and enter this information into databases which can automatically data match to the self-assessment information provided by the individual. For example, claims of deductions related to travel or claims relating to hours worked at a certain location could be cross-referenced to telecommunications data, such as the location of an individual when they made phone calls and sent or received emails contained in telecommunications data.

Due to developments in technology, telecommunications data can be analysed more quickly, in greater volumes and with less direct human intervention. The creation of databases and automatic monitoring processes can decrease the cost of such analysis for government agencies, thereby making it an option for more investigations, not just those relating to serious offences and breaches which are highly resourced. This enhances the power imbalance between the government agencies and individuals.

Using telecommunications data to find breaches relies on inferences to be drawn. The risk of incorrect assumptions being made is very real. It is anticipated that there will be an increase in agencies alleging breaches, based on telecommunications data and assumptions, which individuals will then need to correct. This will be a significant burden on individuals, as well as a source of great stress, especially if the assumptions are based on data that is two years old.

4. Assumptions based on telecommunications data

An individual receives a benefit which limits the individual to working no more than 20 hours per week. The agency uses data matching to monitor the calls and emails sent from the individual’s phone at locations identified as the individual’s workplaces. The agency infers that, if the phone is still receiving calls or emails or downloading information at the work location, then the individual is working. The agency uses this information to calculate that the individual has been working in excess of 20 hours and issues a breach notice.

In fact, the additional time the phone is at work is attributable to the individual’s practice of leaving his phone at work to download the latest updates to apps, during which time his phone continues to receive calls and emails and therefore records its location as near or at work.

In this scenario, the individual may or may not be able to identify the relevance of his practice of leaving the phone at work and explain it to the agency to its satisfaction. Even if he could, it results in a practical reversal of the burden of proof – rather than the agency establishing its case, it makes allegations based on assumptions drawn from telecommunications data, which it will act on unless the individual satisfies them otherwise.

Risk of unauthorised access or disclosure

The Bill creates a mandatory set of information that can be used to identify individuals, their associates, their financial interests, their health information, etc. This information will be attractive to third parties.

The Bill does not prohibit telecommunications data from being stored off-shore (e.g. through cloud computing services) under the control of foreign companies or governments, where the data may be subjected to the laws of foreign countries. The Privacy Act 1988 would not protect against the risk of unauthorised disclosure or access, as data breaches do occur even where an entity has taken reasonable steps to protect the personal information in accordance with the Privacy Act.

5. Unauthorised access by a third party

Hackers and organised crime successfully penetrate private and government data bases on a daily basis. They access the data, they may sell it, combine it with other data or use the information to commit crimes. Telecommunications data could be used to create fraudulent identities, which could then be used to commit crimes and circumvent law enforcement agencies and/or intelligence agencies. The strength of a fraudulent identity will depend on the richness of the data. The repository proposed collects this identity data into an attractive target.

6. Unauthorised disclosure by authorised users

Telecommunications companies may disclose telecommunications data in an unauthorised way, either deliberately or inadvertently. According to the Australian Privacy Commissioner, major telecommunications service providers are amongst the 20 entities most complained about to that office. The case of Vodafone allowing unauthorised access to customer passwords is an example of an inadvertent data breach by a telecommunications service provider. The case of the Department of Immigration and Border Control allowing unauthorised access to asylum seeker details is an example of an inadvertent data breach by a government agency.

The most secure data is the data that is not captured and retained.

Cost to business and taxpayers

It is unclear what the level of contribution the Government will make to industry toward the up front or ongoing cost of complying with the proposed data retention regime. The Bill does not require the government to make any contribution.

7. Increased cost for small businesses in the telecommunications industry

As at the end of June 2014, there were 1,384 carriage service providers (internet and telephone) (see ACMA’s Communications Report). Many of these carriage service providers are small businesses with a turnover of less than $3 million per annum (and therefore not subject to the Privacy Act 1988).

Providers will incur additional cost when entering the market (e.g. setting up the infrastructure to capture and store the required data) and on an ongoing basis (maintaining and securing the data and responding to requests for access). Small providers may decide not to enter, or leave, the market and/or foreign investment in infrastructure may be discouraged. Market competition could be reduced. In any event the additional costs that providers will incur will be passed directly to consumers. Our private and business telecommunications costs will increase. Any additional cost that Australian businesses must bear that is not borne by our competitors makes us less able to compete in world markets.

8. Increased cost for other small businesses

Small businesses that rely on the confidentiality of their client’s information (especially health practitioners and lawyers) will bear increased risk of their client’s information being compromised through unauthorised access to the data set (described above).

Legal remedies available to small businesses are inadequate. Small businesses may not be notified of a breach involving their data; remedies cannot address the damage to consumer confidence and reputation; and may be costly if the data is held off-shore (and the remedy must be pursued through a foreign complaints scheme).

Appendix B

Amend the Bill to include necessary and critical information

The LIV strongly recommends following matters be defined in the Bill, rather than being prescribed by regulations or ministerial declaration or left to interpretation by the courts:

1. The data set;

2. The agencies that may access the data (i.e. include an exhaustive list);

3. The meanings of:

a. the ‘contents or substance of a communication’ for the purposes of the proposed exception in s 187A(4)(a);

b. ‘telecommunications data’; and

4. The scope of the exception concerning browsing history in s 187A(4)(b);

These amendments will ensure that legislative power is not inappropriately delegated to the Executive, as well as mitigating the unintended consequences identified in scenarios 3 and 7.

Prohibit access otherwise than in accordance with the provisions of the Telecommunications (Intercept and Access) Act 1979 (TIA Act)

The LIV strongly recommends access to telecommunications data should be limited to the purposes of the Bill, i.e. preventing, detecting and prosecuting crime and terrorist activities. As such, access should be prohibited otherwise than in accordance with the provisions of the TIA Act. Such a prohibition should apply to the courts, as well as other persons. Such a provision could be modelled on s 57 of the Meat Industry Act 1993 (Vic).

To ensure that telecommunications providers can still use the data to deliver services, there should also be an exception to the prohibition, which permits telecommunications providers to use and disclose the telecommunications data for business purposes necessary to deliver the telecommunications or internet services.

Criminal law enforcement agencies should also be prohibited from secondary use or disclosure of telecommunications data accessed under the scheme.

These amendments will address the unintended consequences identified in scenarios 1 and 2.

Limit access to serious offences and terrorism

The LIV supports limiting access to telecommunications data to preventing, detecting and prosecuting serious crime. “Serious offence” is already a defined term in section 5D of the TIA Act and this threshold should also be adopted for access to telecommunications data.

This amendment will address the unintended consequences identified in scenario 3.

Require a warrant for access

The LIV recommends the Bill be amended to provide that access to telecommunications data retained under the scheme must be pursuant to a warrant issued by a court or independent administrative tribunal (such as the Administrative Appeals Tribunal).

Such a provision is necessary to ensure that access is proportional to the specific offence or risk being investigated and to ensure that an assessment of whether the limits imposed on access have been complied with occurs before access is given (e.g. assessing claims of privilege and relevance), rather than afterwards.

Duration of data retention

The LIV is of the view that the data retention period in proposed section 187C should be reduced from two years to what is strictly necessary and proportionate. From the evidence provided to the PJCIS to date and by reference to overseas experience, the LIV recommends that a 6-month data retention period is appropriate.

Introduce a mandatory data breach notification scheme

The LIV strongly recommends that the Privacy Act 1988 be amended in accordance with the recommendation of the Australian Law Reform Commission to introduce an obligation to notify the Privacy Commissioner and affected individuals in the event of a data breach (commonly referred to as a mandatory data breach notification scheme). This amendment will ensure that persons who are affected by breaches are aware of them and can seek legal remedies and mitigates the unintended consequences identified in scenarios 5, 6 and 8.