Data retention: Privacy watchdogs urge caution over ‘metadata’ in lawsuits

Concern over privacy implications

Australia’s Privacy Commissioner, Timothy Pilgrim, and his Victorian counterpart, Commissioner for Privacy and Data Protection (CPDP) David Watts, have both warned against any rush by the government to allow the use in lawsuits of data kept as part of Australia’s data retention regime.

The Attorney-General’s Department last year with little fanfare launched a consultation on whether to permit the use in civil litigation of the data kept by telcos to comply with the regime.

Ahead of the data retention legislation being passed by parliament, a bipartisan report recommended a general prohibition on civil litigant access to data retained for the purpose of complying with the mandatory data retention regime.

However that report — prepared by the Parliamentary Joint Committee on Intelligence and Security (PJCIS) — also called for a regulation-making power to be included in the bill such that the scope of the prohibition could be modified so that data could potentially be used in civil cases in some circumstances. The PJCIS gave as examples family law proceedings relating to violence or international child abduction cases.

The government accepted the committee’s recommendations.

The decision to potentially allow the use of the data in civil cases came despite Attorney-General George Brandis claiming in 2014 that the regime would apply “only to crime and only to the highest levels of crime”.

“The mandatory metadata retention regime applies only to the most serious crime — to terrorism, to international and transnational organised crime, to paedophilia, where the use of metadata has been particularly useful as an investigative tool,” Brandis told ABC’s Q&A program

The prohibition itself is yet to come into force. It covers only data specifically kept by telcos to comply with the data retention regime and so is not a blanket ban on the use of telecommunications data in civil litigation — and so, as it stands, would not necessarily ban the use all data covered by the regime if some of that data was already being kept by telcos.

Ahead of the prohibition coming into force, the government has sought feedback on what kinds of data covered by the data retention scheme are typically sought in civil proceedings, as well as the potential impact that the prohibition could have and the circumstances under which the prohibition should not apply.

Pilgrim in a letter to the Attorney-General’s Department argues that if it is judged that broader access to the so-called ‘metadata’ covered by the scheme is considered necessary, any regulation “should be drafted as narrowly as possible to achieve the desired policy objective and employ appropriate privacy safeguards”.

“In particular, any regulation should strike an appropriate balance between intrusion on individuals’ privacy, and the overall public policy purposes of the data retention scheme,” Pilgrim states.

The Privacy Commissioner notes that the full impact on privacy of the data retention may not be known for some time. If the government pushes ahead with exceptions to the prohibition, it should conduct a further consultation on its scope and a privacy impact assessment (PIA) undertaken.

Watts in his submission (PDF) to the department was blunter: The CPDP did not support the introduction of a data retention regime “and we do not support a broadening of its purpose to enable access to telecommunications data by litigants in civil proceedings.”

The data retention scheme is not a necessary and proportionate response to the needs of law enforcement and national security and “any expansion of this scheme would inevitably also fail in necessity and proportionality”.

Access to individuals’ metadata should only be granted in the most serious of circumstances, Watts states, adding: “It is difficult to conceive of a civil matter of such consequence as to necessitate access to what is effectively a comprehensive surveillance system.”

Join the Computerworld newsletter!

Error: Please check your email address.

Tags data retentionprivacy

More about Attorney-GeneralQ

Show Comments

Market Place