Data retention — how not to introduce complex legislation

By LAURIE PATTON | 21 December 2015

One of my first tasks shortly after joining Internet Australia in 2014 was to front the Parliamentary Joint Committee on Intelligence and Security (PJCIS). My appearance at the hearing into the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 came at the end of a long day of mostly critical submissions.

With our president and the head of the policy committee sitting beside me, I boldly told the committee that the Data Retention Bill was “fundamentally flawed” and had clearly been drafted by lawyers who didn’t understand how the Internet actually works. How prescient those comments have proven to have been.

We highlighted the Internet’s critical role in our emerging digitally-enabled economy and the danger in any legislation that might cause people to lose trust in the Internet. We reminded the PJCIS of the debacle, back in March 2013, when ASIC’s well-meaning attempt to block a few shonky online operators had inadvertently shut down more than 250,000 innocent websites.

We noted that international experience has not found data retention schemes to have had much effect. Indeed, during the limited public debate that accompanied the passing of the Data Retention Bill, certain high-profile individuals (remember Malcolm Turnbull) took to the media to explain the many ways determined wrongdoers could easily bypass the long arm of the data retention law.

At the committee’s behest, we subsequently provided a confidential briefing paper listing some of the more significant problems with the legislation. When it brought down its report there were 39 amendments recommended, all of which were agreed to by the Government and the Opposition. Unfortunately, as is the way with these things, the PJCIS did not put its mind to the more difficult question of how to deal with the serious drafting issues we warned them about. Then, nor did the Attorney General’s Department.

No-one knows how many Internet Service Providers (ISPs) there are in Australia. This is because there is no requirement for ISPs to be licensed. Estimates range from around 250 to more than 500. With few exceptions, each of these is required to comply with the Data Retention Act. This involves reconfiguring their internal IT systems and then storing a good deal of information that was previously discarded immediately after its use, or not long thereafter. They are required to keep it for two years. For large telcos this is probably not a major issue. However, for some smaller independent ISPs the ongoing cost of complying could be quite onerous. Of course, if they figure the authorities don’t know about them they can just ignore the whole thing.

Also appearing before the PJCIS hearing late in 2014, a senior Telstra executive warned that we would be creating “honeypots” – large masses of private and confidential data that would be very enticing to hackers. Any large repository of confidential data is a potential hacking target.

The journalists union, the MEAA, raised its fear that the legislation would be used to identify sources, pointing to the important role that “whistle blowers” often play. At the last minute the media companies secured what some thought was a form of protection. Before they can use a journalist’s data, law enforcement agencies must seek a court warrant. However, it is arguable that by the time they’ve trawled through the honeypots and subsequently discovered that the data belongs to a journalist they will have enough prima facie evidence to justify a warrant.

The drafting of the Data Retention Act is so complex and fundamentally flawed that there remained, after months of consultations and discussion with the Attorney General’s Department, widespread confusion and even some disagreement about what it requires of ISPs.

Telstra, Australia’s biggest ISP, found the going too tough, seeking and receiving an 18-month extension on its requirement to comply.

There is no guarantee that we will ever get to the point where all ISPs (however many there might be) are complying. And probably no way for the Attorney General’s Department, or for law enforcement agencies, to know how many are not. So how effective can a scheme like this really be if parts of the jigsaw puzzle are missing?

The history of data retention provides a spectacular case study in how not to introduce complex legislation. It is a classic example of a badly designed law that has been rushed through the Parliament in the dubious belief that urgency was justified and would not impede the efficient implementation of a new regulatory regime. This haste in the design and implementation has almost certainly ensured unforeseen problems will ensue. It has also resulted in a lot of unnecessary cost to industry, which will inevitably be passed on to consumers.


As this article states, “Commonwealth Ombudsman Michael Manthorpe says that ambiguity in Australia’s data retention regime means that on some occasions law enforcement agencies have been able to obtain details of an individual’s web browsing history without a warrant. Manthorpe appeared today before a Parliamentary Joint Committee on Intelligence and Security (PJCIS) inquiry that is reviewing Australia’s data retention legislation”. Chickens coming home to roost.

One of the 39 changes Internet Australia secured was for the PJCIS to review the Act once it was up and running. That review is currently underway.

The Australian Human Rights Commission has asked the PJCIS to reduce the retention period from two years to a period of under six months.

(Laurie Patton is a former CEO / Executive Director of Internet Australia, the NFP peak body representing the interests of Internet users. He is currently Vice President of TelSoc.)