Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Parliamentary Joint Committee on Intelligence and Security

Go To First Hit

WILLIAMS, Professor George, Private capacity

Evidence was taken via teleconference—

CHAIR: I now welcome the representative of the Gilbert + Tobin Centre of Public Law, Professor George Williams from the University of New South Wales.

Although the committee does not require you to give evidence under oath, I remind witnesses that this hearing is a legal proceeding of the parliament and warrants the same respect as proceedings of the house itself. The giving of false or misleading evidence is a serious matter and may be regarded as a contempt of parliament. The evidence given today will be recorded by Hansard. Do you wish to make some introductory remarks before we proceed to questions?

Prof. Williams : Yes—and thank you for the opportunity to make a submission in oral form on this legislation. I differ somewhat from some of the other submissions in that my starting point is I do accept in principle the government's object of providing a regular scheme for data retention in Australia. I accept that there is a need for such a scheme, given the use to which such data has been put and how it will be used in the future in terrorism and other investigations. I also accept that, if no legislation is enacted, we will be left in the position of the ad hoc scheme we have at the moment, which I think is clearly unsatisfactory on a number of fronts. So the question from my point of view is only: what sort of scheme should we have, and is this an appropriate scheme? My concerns relate to that, in that I do not think that the bill in this form ought to be passed. In particular, I have three key concerns that I think need to be remedied before parliament ought to enact it.

The first, as has been raised by the submissions, is that I think that the bill does not do enough to make clear what data needs to be retained. Of course, guidance is provided in section 187A(2), but it is fairly loose guidance in the sense that the categories there only need to relate to one of the matters in order to be retained. Even on issues such as the question of web-browsing history, I am not convinced that that guidance would prevent the mandatory retention of data—that, even if it does not directly set out the web-browsing history, it might not perhaps enable the history to be reconstructed. The absence of clear data retention information leaves great uncertainty at the core of the scheme.

The second concern that we have in our submission is that the legislation does not do enough to make clear which bodies will be able to access this data. If we turn to the two different sections that deal with that—and they are in a similar form—they both provide a mechanism, firstly, for identifying which bodies can presumptively access the data, such as under a criminal law enforcement agency definition; but, after that, they give a wide discretion to the minister by legislative instrument to declare other bodies to be a criminal law enforcement agency or an enforcement agency. If I can take the committee through the legislation, it seems clear to me that that discretion is a very wide one.

The key section is subsection (3) of section 110A. It says the minister may declare an authority or body to be a relevant agency and, in doing so, the minister need only consider the variety of matters in subsection (4). The key point is that those matters in subsection (4) are only matters for consideration; they are not mandatory requirements. It is possible, for example, to declare a body to be a criminal law enforcement agency even though it does not have a function of investigating serious contraventions. The minister has got to consider that, but it is not built into the legislation as a requirement. Similarly, in clause (f) of subsection (4), the minister can take into account 'any other matter that the minister considers relevant'. In my view, the minister can go through a proper process of consideration but under subsection (3) declare a number of bodies to be either type of agency—they could be local councils, they could be a wide variety of agencies or bodies—because of the absence of mandatory criteria.

The third point that we raise in our submission relates to the authorisation regime. I think it is somewhat accidental that we do not have some sort of warrant regime in the metadata process at the moment. It is due to the nature of how we have got to this ad hoc scheme. But continuing without some sort of authorisation process, I believe, is unacceptable. The data to be collected does raise serious questions of privacy, as many of the submissions have identified. The data could be used, and has been used, in solving serious crimes by finding out intimate, important points of information about individuals and their relationships with others, and it strikes me that this is exactly the sort of information that ought to be subject to some sort of warrant regime. Having the self-serve basis that we have at the moment, particularly for bodies like ASIO and the like, who have such a broad discretion, is unsatisfactory, I believe. That said, I do accept that the warrant regime should be of a lower kind than we might find in other contexts.

My key point is that there needs to be a level of political accountability such that, when this data is accessed, at the very least there is some form of ministerial sign-off. It may be that that can be consolidated in some way so that a single warrant can cover a variety of pieces of information, not only of this metadata kind or stored communications but also other types of surveillance information. It may even be that a class of information could be collected under the scope of a warrant, and I would accept the need for administrative efficiency with regard to that. Nonetheless, the absence of political accountability, given the potential to authorise even local councils and other bodies, is quite concerning, we would say.

They are essentially our three points, and we believe that if those things can be satisfactorily remedied then the bill ought to be passed.

CHAIR: Thanks very much. Do we have any questions?

Mr BYRNE: Professor Williams, you mentioned, I think in your submission, an issuing authority in terms of a single point of contact for authorisations for metadata to be accessed. Given the number of access requests that would have to be processed, is there any way around that? I do not know if you have looked at the United Kingdom legislation, but my understanding is that, with this emergency bill that they have pushed through the parliament, they have a single point of contact that each of the organisations seeking to access metadata have to go to. It could be a series of single points of contact. If this bill were passed into legislation, do you think we could examine something like an issuing authority? You have mentioned that in the past and also with respect to the SIOs. To try to funnel where those requests might come from or have some filtration process, there should be something like a single point of contact or an issuing authority—or, given the vast number of requests that you would have, issuing authorities or single points of contact.

Prof. Williams : I think that would be wise, yes. My point is only that there ought to be some external authorisation to the agency—ministerial, an issuing authority or the like. We do note in our submission the potential for a significant administrative burden if the warrant process is not done in the right way. I think it is one where we would recognise the limits of our own expertise. The agencies themselves might have some ideas as to how it could be done in a very efficient way—a single point of contact, possibly yes; minister, possibly yes; or perhaps even by consolidating some of the warrant processes so that, instead of going through a variety of processes, you can get a warrant covering a number of types of collection of information about a person so you do not need to deal with them on a separate basis. We do not have a firm view, simply because we would accept the agencies are better placed to know what would be efficient and effective.

Mr BYRNE: Could you have a look at the United Kingdom system for us and take on notice and provide some comments to the committee about that if you have the time? I understand that they have set some additional privacy protections that are not explored by the draft bill that is before us at the present period of time.

Prof. Williams : I am happy to take that on notice.

Mr BYRNE: Thanks. Do you think there should be a sunset clause with regard to the implementation of this particular regime should it be passed into law?

Prof. Williams : I would actually prefer a narrower regime that deals properly with the issue. I have not put forward the need for a sunset clause, and that is because I think it would be much better to get the legislation in the form it ought to be. This measure is not unknown in other countries; there are many nations that have data retention regimes. We already have a form of ad hoc data retention in Australia. I would say, though, that if we do not incorporate the sort of safeguards that many of the submissions are urging then a sunset clause and a mandatory review would be necessary, but it would be very inadequate to do that as opposed to just getting the legislation right in the first place.

Mr BYRNE: That is a good point. In terms of the draft data set, do you have a view as to how we on this committee could get greater clarity? Do you think we should accept as a committee that this should be just a regulation rather than incorporated within the body of the actual legislation?

Prof. Williams : I do not think that it is done in an adequate way at the moment. I accept the government's design for a level of flexibility; that does seem appropriate to me. But, to be frank, we have moved beyond flexibility to actually not telling much at all of substance about exactly what data will be collected. All we have are some guidelines which are fairly loose given they are relating to criteria, and I think what you have ended up with is a shell of a scheme that does not give you enough information about what data has to be held, who can access it and in what circumstances that can occur. On each of these key points I think parliament ought to be given greater clarity and so should the community. Regulation, in my view, is very unsatisfactory. I note there have been a number of other parliamentary reports and the like dealing with exactly that issue. So I think the balance here is to define as precisely as possible what the data set is while providing a power to the Attorney to make appropriate modifications to that within limits so that there is a degree of flexibility over time.

Mr BYRNE: We had evidence by ASIC yesterday that they discovered on the day that the legislation had been tabled that they were not automatically on the enforcement bodies list. They had some concern about the fact that, should the minister declare by legislative instrument that they be an enforcement body down the track, that could be subjected to challenge. Would you have a view as to whether or not that power that has been delegated to the Attorney-General minister could be subjected to challenge? Does that present an impediment to the Attorney-General's Department's desire to have bodies added onto that list of enforcement bodies subsequent to any legislation being passed?

Prof. Williams : I will say that personally I was surprised that ASIC was not on that list given its role in investigating quite serious crimes involving what can be significant criminal penalties. It would be much better for the list to be exhaustive and to include the appropriate bodies in the first place. As to adding bodies in the future: certainly challenges could be possible. The minister makes a decision that could be the subject of a variety of legal challenges, and that ultimately might be quite significant in proceedings because, if you can undermine the ability of the body to get the information, perhaps you might even be able to prevent the admission of that information in court proceedings and so prevent a prosecution.

That said, I think it is actually going to be quite difficult, if all the procedures are followed, to stop appropriate bodies being declared, and that is because, as I indicated in my opening remarks, the key clause is three, and it actually does not set down any criteria. It simply says the minister may declare the authority or body to be a criminal law enforcement agency or enforcement agency. There is no mandatory criteria. All the minister must do is consider certain things. So long as the minister properly considers them—the minister can consider, for example, whether they investigate serious contraventions but give it very little weight or determine that other factors such as those in any other matter should be given greater weight. So, yes, challenges are possible; but, if the minister follows the procedure appropriately, it is a very open door to nominating a number of bodies, including ASIC, that might be covered.

Mr BYRNE: That was one of the concerns with the previous committee, as you would be aware. It was the number of bodies that, as you say, could self-serve people's personal and private information. A thought that came to mind was: what if the Attorney-General then sought to prescribe by legislative instrument additional organisations? Do you think an appropriate safeguard would be that that would come before this committee so that we could examine whether or not it would be appropriate for those bodies to be added, given that we do have some measure of expertise in that area?

Prof. Williams : It would be a welcome safeguard because it would provide a level of scrutiny that is not otherwise there. Of course, your committee already fulfils similar roles with regard to prescription and other forms of Attorney's decisions. So that would not be inappropriate, but still I think it does not get to the heart of the concern that many people are expressing: that there should be greater clarity about the point of not only which organisations but, as you have indicated, the self-serve nature once declared that they can access the information. The information could be quite trivial. There is no requirement to access information about serious matters. Despite indications that this would only be used for serious crimes, there is nothing in this legislation that requires that. One option to overcome that issue might be, for example, to say that information can only be accessed if it does relate to serious crimes—perhaps punishable by a year or more in jail. Otherwise, the real prospect is there that you could have local government bodies accessing information about parking infringements and the like. Indeed, that is far from fanciful; that is an issue that has arisen in the UK.

Mr BYRNE: Thank you for that. When you look at some of the comparable schemes in countries like the United Kingdom, would there be any other independent level of oversight that you would recommend if this data retention regime were implemented?

Prof. Williams : In looking at those other counties, the lesson I get is that oversight cannot fix this bill. As I just indicated yesterday, ASIO can comply with the law and do so rigorously, but nonetheless the problem is the existing legislation is so broad that information can be sought lawfully that is quite questionable in terms of whether indeed that private information should be accessed by an agency in the first place. So oversight cannot work unless you tighten up these key issues. What I would like to see is actually a bill that reflects the public statements of the Attorney in particular, indicating for example that it will not be used for things like copyright infringement and will be limited only to serious crimes and the like. I think a bill of that kind is appropriate, but this is not that bill. We do not have those safeguards built in. Even if the current Attorney does not want to go down the path of extending it into more trivial matters, there is no doubt that a future attorney could seek to do so.

Mr BYRNE: I do not know if you heard the evidence from IGIS about ASIO keeping data past a certain point and it not in fact being destroyed? Did you have any particular perspectives on that?

Prof. Williams : I did not hear the evidence. I did look at their submission. I was not surprised. It is almost a laissez-faire system for ASIO given that it only needs to relate generally to their operations. That is an almost nonexistent threshold given the breadth of their operations and the scope with which security might potentially be defined. And again there are problems there, of course, in terms of the use of the information and just how trivial it might be. So I think significant tightening up there is required. If we are going to move to mandatory data retention—which, as I have indicated, I support—then surely coming with that must be the appropriate procedural and other safeguards and greater clarity about how long information is held for and the circumstances in which it can be sought.

Mr BYRNE: If the committee agreed to pass this particular bill, would you then suggest that as part of that we have a mandatory data destruction component of it—that any data that was not necessarily relevant to an investigation or that had been used and finished with by any enforcement agency, including ASIO, would be destroyed?

Prof. Williams : I think that would be appropriate and I think that would allay community concerns that their private information may be sought, perhaps legitimately, but then held for an extremely long period of time—well past the nature of the investigation—and perhaps looked at again sometime down the track in less appropriate circumstances. I think the community concern about what some see as a blanket surveillance regime is that the onus is on parliament to make sure a scheme is designed that is very well tailored to the problem. And there is a problem that needs to be met here. We need a bill that removes many of the quite significant loose ends, that being one of them, that as yet have not been adequately dealt with.

Mr NIKOLIC: You said a moment ago 'oversight cannot work'. Given that we are not trying to change the capacity of agencies to access metadata—we are simply trying to standardise the period of time for which metadata is held—how is oversight by the Ombudsman, IGIS and this committee failed to date in providing necessary protections? What egregious breaches can you point to?

Prof. Williams : What I said was that oversight cannot be effective in ensuring that a scheme operates within narrow and proper limits, when the legislation itself does not set down those limits. Oversight can only hold agencies to limits that are written into the legislation. My point is simply that we cannot expect oversight to achieve the sort of policy objectives I am suggesting—that is, narrowness in terms of, for example, when agencies access data, because the oversight function cannot actually compel that without the legislation reflecting it.

But I think your question also raises a broader point in terms of asking about breaches and the like. One of the concerns of the community and that I have about this is that if there are concerns of this kind we are unlikely to find out about them. By nature these processes tend to be secretive—they should be secretive. So I think it is important up-front that we know very clearly the limits on the scheme, knowing that it may well be that if something does go awry that it may not actually come to light.

Mr NIKOLIC: On page 2 of your submission you say:

… government has failed to satisfactorily justify why data should be retained for a period of two years. … [and] a stronger case needs to be made as to why it is necessary.

I am trying to weigh that view against substantial other evidence provided to the committee, including from the head of the AFP on 17 December, who talked about the absolute necessity, from his point of view, for a two-year period. New South Wales Commissioner Scipione says:

There's not a terrorism investigation since 9/11 that hasn't relied on metadata.

David» «Irvine» , the immediate past DG of ASIO:

Unless metadata storage practices change, counterterrorism efforts will be severely hampered.

As I said, the head of the AFP said:

Without a 2 year data retention period, the AFP is concerned such investigations, which rely heavily on telecommunications data, will continue to be frustrated by inconsistency in the retention of data by Australian service providers.

In light of your view that government, and, I guess, by extension, the agencies have failed to justify the need, what weight, if any, do you place on the evidence of those people who actually conduct these operations.

Prof. Williams : It is a good question. The first thing I will say is that that statement was made on 9 December, when we did not have access to other submissions that now have provided a much higher degree of detail about this. Indeed, I would say that I am very pleased to see that those agencies are now strongly making the case as to why that two-year period is necessary. One thing I have also looked at carefully is the table on page 30 of the Attorney-General's Department's submission, where, based upon European data, they have also given an indication as to when certain data is accessed. I do not have a strong view on this issue, because I think it is one that depends very much on operational issues. I think it gets outside of my expertise.

But I suppose the threshold question for me is that, based upon the European data, over 90 per cent of all requests are made within the first 12 months. Is the case compelling enough to extend it for another 12 months, given the cost and the extension of the scheme? As the submission indicates, it perhaps might be justified if it can be shown that in fact terrorism investigations, particularly, tend to take place in that second 12-month period. If that is the case then perhaps that threshold that I have indicated might be met.

Mr NIKOLIC: Could I acknowledge your comments there. Indeed, some of the comments we have received from the AFP highlight the difficulty of, for example, getting a lead with one carrier in a particular serious crime, potentially dating back 12 months, only to find that the links to that person and to others cannot be verified because the other carrier keeps the data for only six months, or not at all. So I agree with you that the case is being made out much more strongly. The other compelling piece of evidence I have heard in recent days relates to victims of crime, who often report well after the event. In some cases, when it comes to sexual crime, it is a considerable time after the event. For me, I found some of that evidence equally as influential as your are making it out to be.

Prof. Williams : Yes, I do find that evidence influential. I think the government has two choices. One is to remove the ability of agencies to access metadata and say that we should not be able to do that, in which case you would move away from the ad hoc scheme, or you move to what is being proposed: a scheme that is not ad hoc but actually deals with things more systematically. But I think the worst option, and the only one that is clearly not justifiable, is staying where we are. It is a scheme that has grown up without much thought. It is inconsistent. It does frustrate agencies in terms of their ability to access information across different networks. Also, it does not contain any of the safeguards that should be there. So the current situation is the worst. I think also it is clearly not satisfactory to remove access to the metadata. So for me the obvious solution is to move to a better scheme, but as I have indicated in my submission, do it properly and rigorously to satisfy people as to the appropriate use that will be made of that scheme.

Mr NIKOLIC: A number of submissions have talked about warrant access not just to data but when it gets into the content side of things, when the agencies have determined that they want to go a little bit deeper in exploring some networks or individuals of concern, but indeed in the pre-access period, when access to metadata is being sought. I am intrigued by the perspective that metadata is as privacy sensitive as the actual content of communications, which requires a warrant. But aren't non-warranted powers a normal part of any law-enforcement framework, whether it relates to banking, finance or health care? Also, are you aware of the distinction that Frank La Rue, the special rapporteur for the United Nations Human Rights Council, has made in a recent report that clearly distinguishes between the need for warranted access when it comes to content but says that an oversight mechanism is sufficient, if you like, for the metadata component? Why is your view different to that expressed by the special rapporteur?

Prof. Williams : Firstly, I would certainly say that, yes, I do think there are different degrees of information that require different levels of authorisation. I think there is a clear distinction between the stored communications as to content and metadata. But I do think that with metadata—in identifying the time, the place, who someone has communicated with, and, potentially, also enabling the reconstruction of web browsing history and the like—that is of its nature. I think the community is sending a pretty strong signal to your committee that they do see this information as sensitive. You only need to look at the public debate and the public reaction about this to see that the committee does not see this as ordinary information but is actually very concerned as to the circumstances in which government agencies would access it.

I think therefore the question is: what authorisation regime should be in place? I am not proposing a heavy compliance regime like that found for other types of warrants, but something that is administratively efficient. The key point for me is that at the moment this scheme can operate without political responsibility being undertaken for metadata requests. That I think is very unsatisfactory because matters of this kind ought to have a level of political responsibility attaching to them such that in parliament and other places it is clear where that responsibility lies.

Mr NIKOLIC: Your comment about community concern is obviously engaging the minds of the committee. I have had a look at some of the data that is available on community perspectives here and I note a Lowy Institute poll in February 2014 that asks people to rate threats to Australia. International terrorism and cyber-attacks from other countries are identified by 94 per cent and 88 per cent respectively as being critical or important. And 80 per cent of respondents accept the need for some imposition of individual rights in dealing with counterterrorism. A total of 68 per cent agree that government had struck the right balance between protecting individual rights and fighting terrorism. And over one in 10 thought that the government leans too much in favour of individual rights and needs to do much more in this area. Given the events after February 2014 that we have seen in Australia and elsewhere, I would imagine that those statistics could potentially even be stronger. I guess that is probably more of a comment. Feel free to respond should you wish. But to me that is fairly compelling evidence about public perspectives when it comes to action in this area.

Prof. Williams : I agree and I have no doubt about not only the community feeling about that but the demonstrable need to act in this area. It is why I actually support the government's in principle attempt to bring about this scheme. So it is the details I am concerned about. I also accept that seeking metadata will breach a person's privacy, but I think it is appropriate for that to occur. It only needs to be subject to safeguards to make sure it only occurs in the right circumstances.

I think the key distinction, though, between this regime and, say, the earlier bills your committee has looked at is that this regime potentially applies to every Australian. That is something that can change minds and also raise concerns. It is not as if we have been free from examples in the past where agencies have inappropriately sought information. I am not pointing any fingers, but there are many examples, even getting to roads and traffic authorities and the like, where people within organisations have acted inappropriately. These are the sorts of things that I think would make the community say, 'Yes, we accept the need for this, but you must have a scheme that makes it very clear that this is only accessed in the right circumstances.'

Mr CLARE: Professor, thank you for your submission. The three points that you have raised today are points that have been raised in a number of submissions to the committee. The point you made about whether the dataset should be in legislation or regulation we have had presented to us by a number of organisations.

I wanted to ask some questions, if I might, about your second recommendation—that is, that the power of the Attorney-General to declare law enforcement agencies under this bill should be more narrowly defined, or that we should reduce the scope of the power that the Attorney has. In your submission, I think you say that the Attorney should only be able to declare an authority or body as a criminal law enforcement agency if they are satisfied the agency is involved in investigating serious contraventions. In other evidence we have heard, it has been recommended to us that this power might it be limited to agencies that are responsible for investigating matters that are determined to be serious offences as defined under, I think, section 5 of the telecommunications interception act. I am just wondering if you might be able to provide us with more details about how you think the scope of the Attorney's power might or should be amended in the bill.

Prof. Williams : I think it can be dealt with quite simply. You simply need to move clause (4)(a) of section 110A into clause (3). That is, you would end up with a section that says, 'The Minister may declare, by legislative instrument, the authority or body to be a criminal law enforcement agency where that agency investigates serious contraventions.' So you would make it a requirement, as opposed to a mere consideration to be taken into account. If you said the minister can only declare bodies that investigate those contraventions, then you would provide a bill that is consistent with the statements of the Attorney-General, in that it would be limited to those sorts of bodies. I think that would allay the concerns I have, and many people have, because that would rightly knock out the large range of bodies that, frankly, should not have access particularly to stored communications.

CHAIR: To follow up on that, is that term 'serious contraventions' clearly defined? Would it be clearly understandable exactly what that meant?

Prof. Williams : It may well be appropriate to define that. You might, for example, limit it at a fairly high threshold to offences carrying, say, a criminal penalty of one year in jail or more, which is often regarded as a standard for a serious crime, or it could simply be something that involves any jail term, perhaps, to cover lower order offences as well. I accept that if you were to make it a mandatory requirement you would want greater clarity on that, but at the moment there is no clarity and it is only a mere consideration. So it is actually doing a very limited amount of work.

Mr CLARE: My only other question relates to your third point, which is the proposal of a simplified warrant regime. This has come up in some of the submissions that the committee has had presented to it. The counterpoint by law enforcement agencies is that there is a significant cost involved in any warrant based process, whether it is an internal process or a court based process. The practicalities of doing this are quite difficult, given the extremely large number of metadata requests—tens of thousands in any given year.

You made the point in your oral presentation today that this might be by way of some type of simplified sign-off at a political level by the Attorney-General. But would you be concerned that, if this was done in an extremely efficient way so that you would not have the Attorney-General signing off tens of thousands of different documents, it would be so generic as to be worthless?

Prof. Williams : It is a good point. Firstly, can I just add one point to my last answer to say that you can fix the enforcement agency definitional problem in the same way, by ensuring that the minister can, say, declare bodies imposing a pecuniary penalty, by making that a mandatory requirement as well.

But on the question of warrants, firstly, I am certainly not suggesting there should be a court based process. I recognise the extreme cost involved there. Also, I accept what you say—that you could have something so generic that perhaps you could get a single warrant to cover 1,000 metadata requests. In the end, it would not provide any form of realistic political accountability. It is where the balance lies that is difficult.

I think part of the difficulty with this bill is that, because it does not even have the beginnings of such a scheme and the government has not attempted to draft it, we are left very much in the dark. I would prefer the government to come back with an amendment suggesting how it believes such a scheme can be achieved that balances those considerations. It may be, for example, that individuals who are the subject of warrants can have the metadata request included as part of those other requests. It may be also that a particular investigation relating to a possible act of terrorism itself can give rise to a number of metadata requests being made on the one occasion rather than seeking them on a variety of occasions. Of course, there could be hundreds, potentially, relating to the one major investigation.

So there are some ideas for how you might consolidate these things but nonetheless improve political accountability. But personally I would like to see the details as to how the agencies and the Attorney's department are able to work together to try and achieve that balance.

Mr DREYFUS: I have a question relating to legislative drafting practice. We have been told by the government that the regulation to give expression to the classes of telecommunications data that companies are going to be required to keep is almost ready. It is being prepared now and of course this committee would hope to see it. But, as a matter of legislative practice, if something can be included in a regulation there is absolutely no reason, is there, that it could not be included in a bill?

Prof. Williams : That is certainly right and that is why I have been perplexed about the approach to this bill, because one way or the other it has to be drafted into legislation. Whether it is in a regulation or a bill makes no difference. In fact, you quite typically find in bills and legislation, as you well know, very elaborate schemes, definitional and otherwise. So it is obviously a strategic or political decision to put it in a regulation rather than a bill. But, as I have indicated, I think it is very inappropriate given that the definition itself is at the heart of whether the scheme should proceed in the form of this bill. It is something that excites some of the greatest community concern.

I suppose my underlying concern as well is: even though that has been indicated, do we even have a workable definition yet? Given public comments, I am still concerned that the government has not actually worked out what the data required to be retained is. I personally would like confidence about that. Even if we were stuck with the regulation, then you could not pass this bill without actually seeing the regulation, to have confidence that we know the very information to which it is going to apply.

Mr DREYFUS: Further on legislative technique, the bill already has within it a provision that would permit a ministerial lessening of the time period for retaining certain classes of data. As I understood your earlier answer to Mr Clare, your preference would be to see the bill contain the primary list, as it were, of all classes of data to be retained but it could provide for a regulation power for that list to be adjusted later—as indeed it already does in one respect, because it provides for a lessening of the retention period.

Prof. Williams : That would just be the normal way of dealing with this. And I must admit that when I first read the bill I was very surprised to see that the normal process had not been followed. And flexibility is required here, but set out a primary definition with a regulation-making power, and this does not strike me as an appropriate instance to depart from that normal course. In fact, it is a very clear example of something, in my view, given the community of interest, that this does need to be dealt with up-front, and the community needs some reassurance as to the sorts of data we are talking about, rather than merely passing a shell of a scheme and leaving that debate down the track.

Mr CLARE: Perhaps I could just ask one follow-up question on that point about having a primary definition in the bill and then a regulation-making power. In answer to a question by Mr Byrne, you made the point that you thought it would not be a bad idea, in the case of the Attorney-General making declarations relating to law enforcement agencies, if they came before this committee before those regulations were made. Do you have a similar view in relation to any regulations made that would alter that or supplement that primary definition of metadata or the dataset relevant to this legislation?

Prof. Williams : Well, the first point I would make as to both the definition of the data and the enforcement agencies is that the bill should just be very clear about what it has done, which would actually lessen the need for your committee to be actively engaged. I think your committee would need to be engaged if we have such a vague scheme that in the end it is so open-ended that anything from here needs exactly the same sort of scrutiny that you are providing now. If we have a tighter scheme, so only certain types of agencies can be declared, and if we also have a bill that sets down clearly what the data to be retained is, with guidelines as to how regulations can be made in the future, of a kind that is already there—so it is not an open-ended regulation-making power but a constrained one—then I think you would not need to mandate this committee being involved. But, nonetheless, it might still be involved in appropriate circumstances if a particularly significant decision was made that particularly sought to extend the data.

Senator BUSHBY: Thank you, Professor Williams, for assisting us today. I just have some questions about the warrant process that you recommend. I note that in your submission, on page 5, you say that you are concerned by the prospect that enforcement agencies will effectively be able to access metadata on a self-serve basis. Without adopting your terminology in terms of the self-serve basis—which I will come to in a minute—it seems to me that you are suggesting that there will be a change in process for agencies in terms of how they access metadata, whereas the evidence before this committee suggests that there is no change in the process or the legislative authority for agencies to access metadata; all that this does is remove the ad hoc nature of retention of that data and try to consolidate and put in place, as you were just discussing, a degree of certainty around what metadata is retained and for how long. Are you suggesting that there will be a change?

Prof. Williams : No, and my underlying concern is that I do not think the current system is appropriate, but I think it is somewhat accidental that we have got to this position where agencies can access vast amounts of data—tens of thousands, perhaps, over a number of years—without any form of clear political accountability. I think the scheme has grown up without actually being designed properly. And if we were starting fresh—let us say we did not have this data access that we have at the moment—I do not think there would be any doubt about the need to have some sort of authorisation process in play. It is just that we have this unfortunate ad hoc regime that I think we need to move beyond.

Senator BUSHBY: Earlier you said something along the lines that there is nothing in the bill restricting the use of the info to serious crime et cetera. I am not sure; you may well be correct in terms of this bill. But as seen in ASIO's submission, and also evidence that we have received from the AFP and otherwise, there are accountability and oversight arrangements in place. And just looking at the ASIO submission, on page 43 they go through some of those that guide them in terms of what they do and actually restrict them in what they can do with this metadata. They talk about six guiding principles which are being incorporated within their oversight and accountability measures, including in the ASIO Act, which regulates the purposes for which ASIO can collect, analyse, share and report on intelligence, and guidelines issued by the Attorney-General which require their intelligence methods to be proportionate, and so on. There are in-built accountability measures that apply to ASIO and similarly to AFP. With AFP we heard evidence yesterday that the Australian Commission for Law Enforcement Integrity would monitor the use of this sort of material and if it came to their attention that it had been used outside authority then they would consider that a corrupt action and take action accordingly. So, although you may well be correct in saying that there is nothing in this act, there are in other acts and other accountability measures restrictions on what agencies can do with the metadata if they access it. Isn't that correct?

Prof. Williams : Certainly I accept that there is a range of other accountability measures that do apply in these circumstances. I would say with regard to ASIO that I did look at their submission but it says on their submission that it is confidential to the committee, so I do not have the benefit of the information in their submission.

Senator BUSHBY: The one I am reading from is actually a public document.

Prof. Williams : That is my mistake in that case. I would say that I think when you are moving to a mandatory data retention regime for two years, given the controversy it has excited, that even though yes, I do accept that there is a range of other accountability and other measures in place, it would be sensible in this bill to set them out directly, with clarity, and to make very clear the circumstances to which the information can be used, because I am not convinced that those existing measures are sufficient. Indeed, when I look, for example, at the submission of IGIS, it says to me that the threshold is too low and really it does deserve to be tightened up. And it is a quid pro quo that on the one hand I think yes, mandatory data retention can be justified, but coming with that should be certain obligations and safeguards that are not currently there to convince the community that under this new scheme the data will only be used wisely and appropriately.

Senator BUSHBY: Okay; I will leave it at that.

Mr RUDDOCK: Perhaps I could be mischievous enough to take up what evidence you may be able to offer about abuse. My understanding is that we have had a scheme in place, which you call ad hoc, and it has been there for something like 20 or 30 years, probably getting something of the order of 60,000 or 70,000 or 80,000 requests, and you wonder why there has not been some clamour to contain it. Isn't it because it really has not been abused, and there is no evidence of abuse? And we are only looking at this because we are now legislating. And I wonder whether, in terms of your submission, you are able to give us clear evidence of abuse that we should take into account when considering your suggestions.

Prof. Williams : Firstly on the ad hoc point, I see it as ad hoc because yes, it is an old scheme, and it was a scheme that was never designed for the electronic age in which we live. And of course at the time that many of the changes were originally made it just was not anticipated that metadata of many of the contemporary forms—through smartphones and the like—would be available. So, it is a scheme that just has not yet been updated. And, again, I support the government's objective of doing so.

In terms of abuse, I am cautious in my use of words in terms of potential for and fear of abuse. And of course it is something that has been very prominent in public debate. My underlying concern is that even though I do look at agency reports and the like this may simply not come to light in a way that the community would hope, partly because it is such an open-ended scheme in terms of how it might be used. So, the rigorous requirements are not yet there. And also the level of secrecy involved—appropriately—in the use of this information means that if there are issues arising it is not always clear that that would get the community attention that it might warrant.

Mr RUDDOCK: We could have a discussion privately some time. Even traffic cases: say someone is arguing to defend themselves—'I wasn't there when the car was parked'—and you are able to find out that they were actually using their phone at a time when the car was parked at a particular place. It might have been a speeding offence. I remember the case of a former judge where this was a relevant issue. They are not serious offences. Maybe it is just helping our profession to give people a basis for getting themselves off.

Prof. Williams : Well, I think there is a distinction here between the example you are pointing to, which involved perjury, which was a serious offence and of course led to a jail term, and on the other hand whether it is appropriate for a local council to access this information where someone says, 'You gave me a parking ticket but I was not there.' Of course, metadata would be very useful to identify, 'Yes, you were there. Your phone shows you were there.' I think this is where—

Mr RUDDOCK: So you should get off and I should not.

Prof. Williams : That is a good question. I think the problem is that the bill does not give us answers to that. I think that is where the government should say that if the bill is to be used so that local councils can, for example, properly enforce parking fines then let us make that clear.

Mr RUDDOCK: I was willing to take councils off but you are helping to persuade me that maybe we should leave them on!

Prof. Williams : I am actually somewhat ambivalent about them, to tell you the truth.

CHAIR: Just for the record, I think this is Mr Ruddock's sense of humour. For all those who may be a little confused, he has a peculiar sense of humour.

Prof. Williams : I am well aware of his sense of humour. I have enjoyed it in the past.

CHAIR: Thank you for giving evidence at the hearing today. You will be sent a copy of the transcript of your evidence, to which you may suggest corrections. If you have been asked to provide any additional material, please forward this to the secretariat as soon as possible. If the committee has any further questions the secretariat will write to you.