Why access to retained data in civil proceedings should not be permissible

The Australian Attorney-General’s department are seeking submissions on the consultation paper, “Access to Retained Data in Civil Proceedings”. Here is my submission.


Senator the Hon George Brandis QC By email (communicationssecurity@ag.gov.au)

26th January, 2017

Submission response on the consultation paper “Access to Retained Data in Civil Proceedings”

Why access to retained data in civil proceedings should not be permissible.

Dear Attorney-General, I am an experienced independent consultant and trainer to Australian businesses on matters of security and privacy, and a prominent presenter at international conferences on the same topics.

As such, this submission will make the case for sustaining the current position of the Telecommunications Act; of prohibiting disclosure of data collected under data retention obligations in connection with civil proceedings.

Purpose, and Scope of Abuse

When the data retention scheme was introduced, it was for the purpose of aiding law enforcement agencies on matters of serious crime, such as terrorism, child pornography, and human trafficking. There was an understandable level of concern at the list of organisations that would have access to this data, including the RSPCA, and Australia Post.

“The mandatory metadata retention regime applies only to the most serious crime - to terrorism, to international and transnational organised crime, to paedophilia, where the use of metadata has been particularly useful as an investigative tool” – George Brandis, ABC’s Q&A, 3rd November 2014

In order to address this concern, the list of authorised organisations was reduced to around two-dozen, and only to those who had a need to use the data in actual and serious criminal cases. The Australian Labor Party further insisted on a requirement for a warrant for data on journalists. It seems incongruent to now propose that the data become available for use in civil cases.

The EFA (Electronic Frontiers Australia) recently reported that the FAQ on the Attorney-General’s Department web site has had any references removed relating to the exclusion of data collected under data retention obligations being used in copyright enforcement. As touched on already, the remit of the data retention scheme was for assisting in serious criminal cases, as confirmed by you on the 3rd of November, 2014:

“Breach of copyright is a civil wrong. Civil wrongs have got nothing to do with this scheme.” – George Brandis, ABC’s Q&A, 3rd November 2014

In a much more detailed and firm stance, the Australian Federal Police Commissioner, 4 days earlier, outlined that the amendments were never about civil cases.

“I want to be very clear on this. The Government’s introducing this to address vital needs of national security and law enforcement, not copyright. Copyright is essentially a civil matter. This is about criminal matters. So we will be using it for criminal matters. The Telecommunications Intercept Act makes it very clear that we can only do this to enforce criminal laws.

Copyright breaches are civil wrongs and that’s not what we’re interested in.”

– Australian Federal Police Commissioner Andrew Colvin, ABC Radio’s “AM”, 31st October 2014

Based on the promises made by various departments in order to allow the proposed amendments to the Telecommunications Intercept Act to pass, it behoves you to preclude access in civil cases.

The Film Industry

Please indulge an aside, based on an informed assumption that there exists pressure from the film industry to allow such access in civil cases, so that they might discover information on copyright infringers. According to the Creative Content Australia report, 2015 Research - Australian Piracy Behaviours 2015 Wave 7 Adults, there was a decline in “piracy” from 2014 to 2015, with one-third of those who pirated less attributing their decline to the availability of material via legal means.

All indications are that the solution to film copyright infringement is an increase in availability, not in prosecution.

Duty of Care / Privacy of Data

When law enforcement organisation access data as evidence to an investigation, there exists a strict duty of care, including privacy guidelines, and chain of custody. If the data becomes available for use in civil cases, it could become part of the court record. Further, the data would be made available to a regular citizen, who is not subject to a chain of custody.

The privacy of someone’s data could be at risk of public disclosure through the availability of that data in civil cases, and while the Privacy Act may apply, there is no privacy tort in Australia.

Intent of this Consultation

It distresses me to consider that this consultation was announced on the 23rd of December, with submissions due by the 12th. It is common practice in Government, for displeasing announcements to be made during the Christmas and New Year’s break, and for submissions deadlines to be placed inconveniently close to the time people return from their holidays. I must assume that spokespeople of Government departments are familiar with this practice, rather than ignorant of it, and therefore conclude that your department intended this to fly under the radar.

Summary

Notwithstanding the fact that the data retention scheme was specifically intended only for national security and law enforcement purposes, the dangers of allowing civil case access are expansive and irrevocable. It is my contention that information collected under the data retention scheme should only be accessed for investigations of the most serious crimes within the confines of existing, rigorous evidence handling processes, and never within a civil context.

Given the scheme already meets criminal case requirements as it stands, I call upon you and your department to make sure the scheme also serves the best interest of the people, and their civil liberties.

Access to retained data in civil proceedings should not be permissible.

With kind regards,

Ben Dechrai Chief Consultant CTO for Hire

Get updates in your inbox

I don't send many updates. I don't like to spam. Let's face it - I've not posted many new articles for a while (although I do plan on changing that). If you subscribe to new articles, I'll send no more than two emails a week. As for workshop and conference information, that'll be as and when I have details. It's not likely to be more than an email a week.

Tell me about

* indicates a required field