The Federal Government should justify why mandatory collection and retention of personal data is necessary for law enforcement, a Senate report into online privacy has found.

 

The report by the Environment and Communications References Committee concluded that an analysis of the costs, benefits and risks should be conducted before the government pursues its proposed data retention scheme.

 

The inquiry took an axe to the proposal by the Attorney-General’s Department to force ISPs to retain data about all telephone calls and emails made by Australians, highlighting a lack of consultation with the wider community which had given the so-called ‘OzLog’ proposal a bad reputation.

 

“There is a lot of misinformation and rumour about the scheme, and it seems to the committee that this is largely due to the Attorney-General’s Department’s narrow consultations on the issue to date,” the report concluded.

 

“While industry has been consulted, there has not yet been any discussion with the broader community or public interest and civil liberties organisations. While the committee acknowledges the Attorney-General’s Department’s explanation for this, the lack of information available to the public about the proposal has resulted in confusion, mistrust and fear about the proposal.”

 

In its report, the Senate committee said it had a number of general concerns about the project.

 

“The committee’s central concerns about the proposal are the very real possibilities that it is unnecessary, will not provide sufficient benefit to law enforcement agencies, and is disproportionate to the end sought to be achieved,” the report stated.

 

“The proposal has very serious privacy implications, even if one accepts the arguments of the Attorney-General’s Department and Australian Federal Police that the same information is already available for fixed-line telephone records. The fact is that much of the information does not need to be collected for any other purpose, so the only reason to retain it is the mere possibility that it may prove useful for law enforcement.”

 

In addition, the committee wrote, there was “a very real risk” that the most serious, tech-savvy criminals would be able to evade the monitoring anyway by using new technology.

 

For these reasons, the Senate committee recommended that the Government undertake an extensive analysis of the costs, benefits and risks of the proposed scheme. In addition, the report stated that the Government should justify the collection and retention of personal data, as well as the expense to ISPs, by demonstrating its necessity to law enforcement. The Government would also need to assure Australians that the data retained under such a scheme “will be subject to appropriate accountability and monitoring mechanisms and will be stored securely”.

 

Consultation with a wide range of stakeholders should also be carried out, the report recommended.

 

The recommendations included:

 

Recommendation 1

 

2.31 The committee recommends that the government consider and respond to the recommendations in the Cyberspace Law and Policy Centre’s report: Communications privacy complaints: In search of the right path, and recommendations from the Australian Communications Consumer Action Network arising from that report.

 

Recommendation 2

 

3.30 The committee recommends that the Australian Privacy Commissioner's complaint-handling role under paragraph 21(1)(ab) of the Privacy Act be expanded to more effectively address complaints about the misuse of privacy consent forms in the online context.

 

3.31 The committee further recommends that the Office of the Privacy Commissioner examine the issue of consent in the online context and develop guidelines on the appropriate use of privacy consent forms for online services.

 

Recommendation 3

 

3.50 The committee recommends that the small business exemptions should be amended to ensure that small businesses which hold substantial quantities of personal information, or which transfer personal information offshore are subject to the requirements of the Privacy Act 1988.

 

3.51 To achieve this end, the committee urges the Australian Privacy Commissioner to undertake a review of those categories of small business with significant personal data holdings, and to make recommendations to government about expanding the categories of small business operators prescribed in regulations as subject to the Privacy Act 1988.

 

3.52 The committee further recommends that the second tranche of reforms to the Privacy Act 1988 amend the Act to provide that all Australian organisations which transfer personal information overseas, including small businesses, must ensure that the information will be protected in a manner at least equivalent to the protections provided under Australia's privacy framework.

 

Recommendation 4

 

3.86 The Committee recommends that the OPC in consultation with web browser developers, ISPs and the advertising industry, should, in accordance with proposed amendments to the Privacy Act, develop and impose a code which includes a 'Do Not Track' model following consultation with stakeholders.

 

Recommendation 5

 

3.96 The committee recommends that item 19(3)(g)(ii) of the exposure draft of amendments to the Privacy Act 1988 be amended to provide that an organisation has an Australian link if it collects information from Australia, thereby ensuring that information collected from Australia in the online context is protected by the Privacy Act 1988.

 

Recommendation 6

 

3.109 The committee recommends that the government amend the Privacy Act 1988 to require all Australian organisations that transfer personal information offshore are fully accountable for protecting the privacy of that information.

 

3.110 The committee further recommends that the government consider the enforceability of these provisions and, if necessary, strengthen the powers of the Australian Privacy Commissioner to enforce offshore data transfer provisions.

 

 

Recommendation 7

 

3.116 The committee recommends that the Australian government continue to work internationally, and particularly within our region, to develop strong privacy protections for Australians in the online context.

 

 

Recommendation 8

 

3.122 The committee recommends that the government accept the ALRC's recommendation to legislate a cause of action for serious invasion of privacy.

 

 

Recommendation 9

 

4.74 The committee recommends that before pursuing any mandatory data retention proposal, the government must:

  • undertake an extensive analysis of the costs, benefits and risks of such a scheme;
  • justify the collection and retention of personal data by demonstrating the necessity of that data to law enforcement activities;
  • quantify and justify the expense to Internet Service Providers of data collection and storage by demonstrating the utility of the data retained to law enforcement;
  • assure Australians that data retained under any such scheme will be subject to appropriate accountability and monitoring mechanisms, and will be stored securely; and
  • consult with a range of stakeholders.

 

The full report can be accessed here.