The eagerly anticipated report of the Parliamentary Joint Committee on Intelligence and Security data retention inquiry was released this afternoon.
It contains 38 recommendations for the government but the most important of the report's recommendations is the 39th: That parliament pass the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, introducing a far-reaching, indiscriminate data retention regime.
The report was supported by both the Coalition and Labor members of the PJCIS, confirming that the bill is unlikely to face any sustained opposition from the ALP.
Fronting a press conference in Melbourne after the report's public release, Liberal MP Dan Tehan, the committee's chair, praised the PJCIS's bipartisanship.
"We haven't reached a final position and I have reason to believe the government will accept Labor's propositions and will amend their initial legislation so we can get the balance right," opposition leader Bill Shorten said during a doorstop interview before the report's release.
The report states that a data retention regime is "a necessary, effective and proportionate response" to the "inconsistency and degradation of current retained telecommunications data, possible future reductions in retained data and the serious impact this may have on national security and public safety," the report states.
The report recommends largely leaving untouched the fundamentals of the government's bill. Among the major amendments that are proposed, however, is that the data set is spelled out in legislation, not regulation.
The decision to use regulation to set out the detail of what data telecommunications providers and ISPs would have to retain has previously been a source of criticism, including by the Parliamentary Joint Committee on Human Rights and the Senate Standing Committee for the Scrutiny of Bills.
"The set of telecommunications data that service providers will be required to retain is central to the operation of the proposed data retention regime," the report states.
"It is critical that industry and the Australian public are assured that the data set proposed comprises that which is necessary and proportionate, and that safeguards are in place to monitor any future proposals to amend the data set."
However, the committee does back the inclusion of an "emergency circumstances" provision to allow the attorney-general to declare new categories of data that must be retained. The declaration would expire within 40 days and the attorney-general would have to introduce an amendment into parliament to make it permanent.
The bill should also be amended to make clear that PINs, password and similar information do not need to be retained by telcos.
The agencies authorised to access metadata should be listed in the Telecommunications (Interception and Access) Act 1979, and the Australian Securities and Investments Commission (ASIC) and the Australian Competition and Consumer Commission (ACCC) should be added to that list.
As the bill is worded currently, the attorney-general can add more organisations to the list of those authorised to access metadata. If the recommendations of the report are implement, the attorney-general will only be able to designate additional organisations to the list under " "emergency circumstances" akin to those for adding additional elements to the data set.
Encryption, data breach notification
The report notes "the security risks associated with the proposed mandatory data retention scheme and the potential for increased unlawful access to personal information."
Data retained to comply with the scheme should be encrypted, the report states. "To give effect to this recommendation, the Committee recommends that the Data Retention Implementation Working Group develop an appropriate standard of encryption to be incorporated into regulations," the report states.
The bill should also clarify requirements of service providers to destroy after two-years data retained solely for the purposes of compliance with the data retention regime.
Legislation to introduce a mandatory data breach notification scheme should be introduced by the end of the year, the PJCIS recommended.
The government should make a "substantial contribution" to capital costs incurred by service providers implementing their obligations under the regime. There should "an appropriate balance" that "accounts for the significant variations between the services, business models, sizes and financial positions of different companies within the telecommunications industry".
"The Committee expects that national security and law enforcement agencies will continue to contribute to the operational costs associated with accessing data under the scheme under the existing 'no profit, no loss' arrangements," the report states.
Research by PricewaterhouseCoopers on behalf of the government has pegged the cost to industry of establishing the scheme at between $188.8 million and $319.1 million.
The committee rejected calls to reduce the bill's 24-month retention period.
The CEO of the Communications Alliance, John Stanton, said the organisation was "disappointed" that the PJCIS had not recommended reducing the length of time that telcos will be forced to retain data for.Read more:Still time to speak up about data retention bill, Internet Society says
"A two year retention period for these data adds to the increased costs that consumers will face and puts Australia out of line with the rest of the world," Stanton said in a statement.
The committee's report acknowledged that the two-year period "would place Australia at the upper end of retention periods adopted in other jurisdictions".
"Of the 35 Western countries identified as having implemented mandatory data retention obligations, only Italy, Ireland, Poland and South Africa require service providers to retain some or all telecommunications data for two years or more," the report states.
The bill should be amended to prevent data retained under the scheme from being used by civil litigants, closing off the potential for its use in copyright infringement cases
Attorney-General George Brandis has previously claimed that the data retention laws "can't be and won't be" used to pursue pirates.
"[T]he Committee holds concerns in respect of a possible increase in the frequency and volume of telecommunications data accessed by civil litigants as a result of the implementation of the proposed data retention regime," the report states. It would be "inappropriate for the data retained under that regime to be drawn upon as a new source of evidence in civil disputes".
The prohibition on the use of data in civil disputes should relate only to data retained to comply with the new regime
"It should not apply more broadly to telecommunications data retained for other purposes, such as data that is currently retained for the business needs of the service provider."
However, the committee also recommends that the amendment should contain a regulation-making power to "enable provision for appropriate exclusions, such as family law proceedings relating to violence or international child abduction cases".
"The Committee does not wish to prescribe how a regulatory power would work when it comes to what should be excluded. This will be a matter that will have to be reviewed and further considered by the Attorney-General," the report states.
Safeguards for journalists, access to personal metadata
The report states that there needs to be "further consideration" on the issue of protecting journalists' sources. It recommends a separate PJCIS inquiry into the issue to report back within three months.
The journalists' union, the Media, Entertainment and Arts Alliance (MEAA) , has called for the bill to be ditched or at least amended to protect the confidentiality of sources.
The report recommends that the data retention bill be amended to make clear that "individuals have the right to access their personal telecommunications data retained by a service provider under the data retention regime".
"Telecommunications service providers should be able to recover their costs in providing such access, consistent with the model applying under the Privacy Act in respect of giving access to personal information," the report states.
Resumption of debate on the Telecommunications (Interception and Access) Amendment (Data Retention) is scheduled for Tuesday, 3 March.
Follow Rohan on Twitter: @rohan_p