A policy statement from the Australian Privacy Foundation:
The Commonwealth Attorney-General has rammed a Cybercrime Amendment Bill through the House of Representatives, and now has it before the Senate. His claim is that its purpose is to enable Australia to accede to the Council of Europe’s Convention on Cybercrime.
The Attorney-General contrived to squeeze the time available for consideration by a Parliamentary Committee to the shortest in living memory. He also kept it away from Committees with expertise in the area and exploited a short-lived Committee whose real purpose is to consider children’s cyber-safety. Another Joint Parliamentary Committee, which considers Treaties, also wants to review the Bill.
Despite the short time available for preparing submissions, the Bill was savaged by an array of civil society organisations. The Committee is Government-controlled (6 Labor including the Chair, 4 Liberal and 1 Green). The Committee’s Report nonetheless showed that they were unimpressed by the Bill, and the Greens’ Senator Scott Ludlam wrote a scathing minority report.
The Commonwealth Attorney-General has since sought to rebut criticism of the Bill, alleging in an Opinion piece in The Age that critics have misled the public and distorted its overall purpose.
Analysis undertaken by organisations as diverse as the Law Council of Australia, the Australian Privacy Foundation, the Commonwealth Ombudsman, NSW Council for Civil Liberties, and the UNSW Cyberspace Law and Policy Centre, shows the Attorney-General’s claims to be false. The Bill goes well beyond what is needed to enable Australia to accede to the European Convention, and it lacks compensatory protections that the Convention’s drafters expect to be in place.
In their submissions to the Committee, these organisations generally acknowledged the importance of enabling appropriate cross-border cooperation between law enforcement, but all submitted that the Bill in its current form was not acceptable. The Bill does not maintain an appropriate balance between domestic sovereignty and standards, on the one hand, and cooperation with foreign countries regarding the investigation of serious criminal offences, on the other.
The Committee examined these concerns from an objective viewpoint and agreed with many of them. The Committee’s final report contains 13 recommendations that attempt to address some of the fundamental weaknesses of the Bill. Greens Senator Scott Ludlam’s minority report took up many more of the criticisms. So far, the Attorney-General has chosen to ignore the Committee’s recommendations and instead has used public statements to unfairly label genuine criticism by a wide range of organisations as inaccurate and unnecessary.
The Attorney-General’s statements themselves contain inaccuracies. First, the Attorney-General claimed that the Bill has adequate mechanisms to protect the privacy of individuals and will ensure the integrity of preserved data. Neither is the case. The Cyber Safety Committee was critical of the current Bill on both of these points – the in-built privacy protections are not strong enough and the integrity of preserved data is not explicitly assured in the Bill.
Second, the Attorney-General stated that law enforcement agencies would not be able to access preserved data without a warrant. This is incorrect. Only stored communications such as voice recordings, emails and text-messages will need a warrant. Other telecommunications data that can be the subject of a preservation notice, such as the dates and times of communications, can be accessed by the alternative, much weaker mechanism of an agency authorisation with no judicial oversight. Consequently, judicial oversight is not a prerequisite to all forms of law enforcement access to preserved data.
Third, although the Attorney-General is correct in stating that some carriers and carriage service providers may be required to securely retain data under the Privacy Act, he is incorrect in stating that the secure retention of data will be managed in compliance with the National Privacy Principles. The requirement to preserve information for longer than a business would do for its own purposes is inherently intrusive and is also contrary to the intent of National Privacy Principle 4.2. The Cyber-Safety Committee made three significant recommendations about clarifying and enhancing the security of data handling procedures in conjunction with carrier and service carriage providers.
Fourth, the Attorney-General declared that the existing mutual assistance framework and current principles of dual criminality are adequate. On the other hand, many of the submissions to the Cyber-Safety Committee highlighted weaknesses and gaps in the arrangements, which would inevitably result in leakage of data about Australian residents to foreign governments that have dismal human rights records.
The serious concerns about the Cybercrime Bill are fully justified. The undue haste with which the Attorney-General has attempted to force the passage of the Bill through Parliament precluded the more detailed analysis required for such a complex legal proposal. It is clear that many of the Bill’s more controversial provisions have been included in the Bill not to enable accession to the Convention, but for other reasons, which must be discussed in depth and openly, and evaluated on their own merits.
This Bill goes beyond the requirements of accession to the Council of Europe Convention on Cybercrime and its passage would seriously impact upon the privacy of Australian citizens and foreign nationals residing in Australia.
The Attorney-General should concentrate public resources not on the preparation of self-serving public statements but rather on the process of re-casting the Bill to reflect the public’s concerns and the recommendations of the Parliamentary Committee.