T 03 9607 9311 F 03 9602 5270 [email protected] Mr Dan Tehan MP Date 6 February 2015 Chair Parliamentary Joint Committee on Intelligence and Security PO Box 6021 Parliament House Canberra ACT 2600 By email: [email protected] CC: Mr Dan Tehan MP ([email protected]) The Hon Anthony Byrne MP ([email protected]) Senator David Bushby ([email protected]) The Hon Jason Clare MP ([email protected]) Senator the Hon Stephen Conroy ([email protected]) The Hon Mark Dreyfus QC, MP ([email protected]) Senator the Hon John Faulkner ([email protected]) Senator David Fawcett ([email protected]) Mr Andrew Nikolic AM, CSC, MP ([email protected]) The Hon Phillip Ruddock MP ([email protected]) Senator John Williams ([email protected]) Dear Mr Tehan MP, Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 – Supplementary Submission The Law Institute of Victoria (LIV) provided a submission to the Inquiry. We were not invited to appear before the Committee and have been informed that the Committee is not holding any further hearings. In these circumstances, we have prepared this brief supplementary submission to assist the Committee. We request that you accept this as further evidence and urge the Committee to consider fully the recommendations, concerns and questions raised in our submissions (attached). We have set out below a range of practical consequences if the Bill is passed in the current form in Appendix A. Our primary recommendation remains that the Bill not be passed. In the event that this recommendation is not accepted, we are of the view that there are amendments that may assist in mitigating some of the possible unintended consequences flowing from the scheme. These are set out in Appendix B. Please contact me or Leanne O’Donnell, at [email protected] on (03) 9607 9380, if you would like to discuss the issues raised in this letter or in our submission. Thank you for your consideration. Yours sincerely, Katie Miller President Law Institute of Victoria Appendix A Use of telecommunications data in civil litigation The Bill in its current form allows data retention of a larger, richer and more complex set of telecommunications information. It does not impose any limitation on access to the retained data by other legal processes, such as the courts’ powers to compel production of documents (e.g. subpoena, notice to produce and discovery). This is likely to be an attractive target for discovery and in litigation. The following are examples of such uses. 1. Use of telecommunications data in family law proceedings A father seeking orders granting him residence with the children may claim that the mother is not providing a suitable environment for the children. The father may apply for an order to access the mother’s telecommunications data in order to identify persons with whom the mother associates and then argue that it is not in the children’s best interests to associate with such persons. Furthermore, the father may then use the information to identify locations the mother frequents. This information could be harmful to the mother and/or the children if there is a risk of family violence. 2. Use of telecommunications data in personal injury proceedings A defendant to a personal injury claim (e.g. a workplace injury claim, a motor vehicle accident claim, a negligence claim) may apply for an order to access the plaintiff’s telecommunications data in order to argue, that the places frequented by the plaintiff (e.g. a fitness club) are inconsistent with the plaintiff’s alleged injuries and/or to identify persons with whom the plaintiff associates in order to obtain witness statements to support the defendant’s case. These examples are not exhaustive. Other disputes in which court orders may be used to access telecommunications data include: employment, intellectual property, breach of confidence and trade secrets cases. Costs will be high firstly for obtaining detailed orders to access telecommunications data, then analysing the data and preparing submissions based on the evidence. It is likely that access to this type of data will be disproportionately exploited by institutional and well- resourced litigants. Responding to argument based on the complex data will add a further cost burden to parties with limited financial means. This will potentially widen power imbalances between well-resourced litigants and other litigants (e.g. between employer and employee; insurer and individual; copyright holder and individual accused of illegal downloading). Unlike other information sought pursuant to a court order, it will be very difficult to limit the order to telecommunications data that is relevant to the issues in dispute. Information that could be subject to a claim of privilege or which may be subject to an expectation of confidence or privacy will only be identified after the telecommunications data has been released to, and analysed by, the litigant seeking the order. The knowledge that a defendant may gain access to telecommunications data which can reveal political affiliations, health information and financial interests may be a deterrent to plaintiffs bringing legitimate claims to court. It must be remembered that the purpose of the Bill is to provide criminal law enforcement agencies with data to prevent, detect and enforce crime and terrorist activities – it is not to assist discovery in civil litigation. Furthermore, telecommunications providers or internet service providers could themselves use telecommunications data in their own civil litigation, providing them with a resource not available to other litigants. The existing controls on use and disclosure of telecommunications data contained in the Privacy Act 1988 and Part 13 of the Telecommunications Act 1997 are insufficient to protect against this scenario. Use of telecommunications data by government agencies The Bill permits the Attorney-General to prescribe by regulation additional criminal law enforcement agencies who may access the telecommunications data. ASIC has already indicated that it will seek to be prescribed. We anticipate that Centrelink, the ATO and other agencies that similarly have access to telecommunications data will similarly seek to be prescribed. 3. Use of telecommunications data by agencies to monitor self-assessment Agencies that administer schemes involving self-assessment (such as the ATO and Centrelink) may access telecommunications data of persons within the scheme (e.g. persons receiving benefits or persons claiming tax deductions) and enter this information into databases which can automatically data match to the self-assessment information provided by the individual. For example, claims of deductions related to travel or claims relating to hours worked at a certain location could be cross-referenced to telecommunications data, such as the location of an individual when they made phone calls and sent or received emails contained in telecommunications data. Due to developments in technology, telecommunications data can be analysed more quickly, in greater volumes and with less direct human intervention. The creation of databases and automatic monitoring processes can decrease the cost of such analysis for government agencies, thereby making it an option for more investigations, not just those relating to serious offences and breaches which are highly resourced. This enhances the power imbalance between the government agencies and individuals. Using telecommunications data to find breaches relies on inferences to be drawn. The risk of incorrect assumptions being made is very real. It is anticipated that there will be an increase in agencies alleging breaches, based on telecommunications data and assumptions, which individuals will then need to correct. This will be a significant burden on individuals, as well as a source of great stress, especially if the assumptions are based on data that is two years old. 4. Assumptions based on telecommunications data An individual receives a benefit which limits the individual to working no more than 20 hours per week. The agency uses data matching to monitor the calls and emails sent from the individual’s phone at locations identified as the individual’s workplaces. The agency infers that, if the phone is still receiving calls or emails or downloading information at the work location, then the individual is working. The agency uses this information to calculate that the individual has been working in excess of 20 hours and issues a breach notice. In fact, the additional time the phone is at work is attributable to the individual’s practice of leaving his phone at work to download the latest updates to apps, during which time his phone continues to receive calls and emails and therefore records its location as near or at work. In this scenario, the individual may or may not be able to identify the relevance of his practice of leaving the phone at work and explain it to the agency to its satisfaction. Even if he could, it results in a practical reversal of the burden of proof – rather than the agency establishing its case, it makes allegations based on assumptions drawn from telecommunications data, which it will act on unless the individual satisfies them otherwise. Risk of unauthorised access or disclosure The Bill creates a mandatory set of information that can be used to identify individuals, their associates, their financial interests, their health information, etc. This information will be attractive to third parties. The Bill does not prohibit telecommunications data from being stored off-shore (e.g. through cloud computing services) under the control of foreign companies or governments, where the data may be subjected to the laws of foreign countries. The Privacy Act 1988 would not protect against the risk of unauthorised disclosure or access, as data breaches do occur even where an entity has taken reasonable steps to protect the personal information in accordance with the Privacy Act.