The introduction of the metadata retention regime way back in 2016 was one of the catalysts for creating Digital Rights Watch. Mandatory metadata retention, for access by a list of agencies that could grow at the whim of the Attorney General, seemed like a bad idea to a lot of people. Turns out now a bipartisan Parliamentary Committee has accepted that this needs to change.
The Joint Parliamentary Committee on Intelligence and Security (PJCIS) is a very influential committee. It was required by law to the review the mandatory metadata retention regime before the third anniversary of its implementation. For most of the last decade, the PJCIS has produced reports with bipartisan support for matters of national security. It’s a conservative and respected body across the parliament.
Meanwhile, the metadata retention regime has always been controversial. Such a significant number of activists were worried about it when it was first proposed that Digital Rights Watch was created, with a vision to ensure fairness, freedoms and fundamental rights for all people who engage in the digital world. Sadly, the proposal became law, but it was also clear that protecting digital rights is an ongoing struggle, and our work continues today.
It was therefore no surprise for many activists to learn that since the regime was implemented–despite the government of the day telling us it would only be used to investigate serious crimes–metadata has been accessed 350,000 times a year by over a hundred different agencies.
In its report on the regime, the Committee made 22 recommendations. The key takeaways are that they believe there needs to be more transparency in how the regime operates, and better record keeping to facilitate improved oversight. It’s great to see this problem finally being recognised.
Another key concern for the Committee was the kind of agencies that could access metadata via the regime. Originally 22 law enforcement and security agencies were included on the list, but through what the Committee described as a ‘loophole’ a further 87 agencies have been able to gain access. These include various local councils, a number of state and Commonwealth government departments, the Office of State Revenue NSW, South Australia Fisheries and even the RSPCA. The Committee recommended the repeal of this loophole, a return to the original list of agencies permitted to have access to metadata under the regime, and for it to be entrenched in law that this is the only method by which agencies could access this data.
The Committee also recognised that the threshold for accessing metadata was set too low. Indeed, historic telecommunications data if could be disclosed for the enforcement of any law imposing a pecuniary penalty, which includes, as the Committee pointed out, a parking ticket. As such, the Committee recommended that the law be changed so that people’s metadata can only be accessed by specified security and law enforcement agencies in connection with serious crimes. We welcome this recommendation.
It wasn’t all good news though. The Committee was not convinced of the need for agencies to obtain a warrant before accessing metadata. The Committee noted that there were privacy concerns associated with the current warrantless regime, however ‘set against that argument is one advanced by various law enforcement agencies as to the administrative burden that would occur if a warrant system is put in place.’ This is almost exactly the point–the warrant requirement is a burden, administratively and legally, and without it, the potential for abuse increases. Metadata can be very revealing. Imagine someone knowing all the places you visited over the last year, even if they didn’t know what you did there. Because of how personal this information is, there should be burdens placed upon agencies to make sure it only happens when absolutely necessary. If agencies are doing their job well, they should have little difficulty meeting this requirement.
It would be a surprise if the Committee’s recommendations were not taken up, which will be a great start. But there is still much more work to do if we want laws that properly respect our digital rights.
Want to learn more about metadata retention and what we’ve asked of the review?