Will Australia learn from the EU’s mistakes on data retention?
Police officers, anti-terrorism officials and politicians all tell us that we need data retention laws, especially in a time of increased technological sophistication. This week, George Brandis—the Attorney General for Australia—announced that Australia will this year join the states with data retention laws, requiring all telecoms providers to retain metadata for two years.
This decision is striking in the light of recent decisions by EU and national courts finding such laws to be disproportionately intrusive on individual rights. Until April of this year, the EU’s Data Retention Directive required data retention for between 6 and 24 months in all member states. The proposal for data retention laws had bubbled under the surface of EU politics for some years but it was not until the London and Madrid bombings that it secured sufficient political support, and it was introduced in 2006. It was, however, controversial right from the start, with civil society being highly critical of its ‘catch all’ approach to retention, the discretion it left to national states in terms of implementation, and the very long retention periods in some EU member states (overview).
In April 2014 the CJEU struck this law down on the basis that it interfered disproportionately in the rights of those within the EU: while data retention was introduced for legitimate security purposes, the Directive simply went too far. In this, the Court was echoing the findings of a number of national courts across the EU, which had also expressed dissatisfaction with the Directive. The concerns raised by the Court in that case offer cautionary tales for Australia at this time.
Importantly, the Court expressly recognised that the data retention model in the Directive—and the model to be introduced in Australia—constitutes blanket surveillance. Once this law is introduced, the data of every single one of the 23 million Australians who use telecommunications devices would be retained and could then be accessed by the government. This is so whether one has ever done anything to arouse suspicion or not: simply using a phone or the internet will be enough for one’s data to be retained. This is problematic in itself, but it also makes clear the importance of ensuring that the state can access this information only for good-faith investigations of serious crime, and only with a court order where a sound case for access has been made out.
The proposed retention period of two years is extremely long in light of available evidence about when data is usually accessed by states. Across the EU, the majority of requests for access to this data took place within six months of its retention (overview). Why, then, is a two-year retention period being proposed? Have there been cases where the security services and police needed, and could not secure, access to such data as long as two years after the communication in question? And will this be the retention period for everyone, or will people with criminal records (for example) have their data retained for longer than people who have never come to the attention of the state? These questions are fundamental to the proportionality of the law itself.
Metadata can help to make states more secure; however, the mass collection of such data can also make citizens less secure. Telecommunications companies are not necessarily fully equipped to secure the data they hold from accidental release or, indeed, malicious attack by hackers and criminal entities. Furthermore, metadata can reveal deeply personal details about our individual lives. Australian politicians and civil society must ask themselves whether, in a country without a comprehensive bill of constitutional rights, this is a step they are prepared to take.
Governments are notoriously reluctant to provide hard facts to back up their plans for new anti-terrorism laws; however, when a government proposes introducing a law the like of which has been struck down on human rights grounds in numerous states, evidence of its necessity must be demanded. So too must the government prove that the law being proposed contains safeguards showing Australia has learned from the mistakes of other countries. Blanket surveillance hands enormous power to the government: it must show it is prepared to exercise it only within strictly drawn limits.