Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Parliamentary Joint Committee on Intelligence and Security

BYRNES, Ms Bronwyn, Lawyer, Australian Human Rights Commission

TRIGGS, Professor Gillian, President, Australian Human Rights Commission


CHAIR: I now welcome representatives of the Australian Human Rights Commission. Although the committee does not require you to give evidence on oath, I remind witnesses that this hearing is a legal proceeding of parliament and warrants the same respect as proceedings of the House itself. The giving of false or misleading evidence is a serious matter and may be regarded as contempt of parliament. The evidence given today will be recorded by Hansard. Do you wish to make some introductory remarks before we proceed to questions?

Prof. Triggs : Thank you, Chair, I would like to make some introductory remarks. I thank you for the opportunity to appear before the committee this afternoon. I have had the advantage in the last three hours of listening to the presentations, the questions and the answers, and they have in fact informed some of the things that I would like to say to you very briefly. I obviously do not want to repeat our submission to you, but I am very happy to answer questions in relation to that submission.

Can I begin by saying that the Australian Human Rights Commission recognises the importance of ensuring that our police and security agencies have appropriate tools to investigate criminal activity as well as to protect national security, and modernising our laws to reflect contemporary technical advances is obviously a sensible, justified and legitimate objective, by reference to this bill. We then, in short, support the passage of the bill, but we do suggest that some amendments be made to it. In particular, we strongly support the bill's proposal to confine the number of agencies that can access retained telecommunications data, and there are other aspects of the bill that we think are extremely useful. But, if I may, I would like to concentrate on three particular matters that do concern us.

I am sure you are aware that our entire mandate is based on a human rights standard—in particular, the International Covenant on Civil and Political rights, which is part of our schedule and the mandate under which we operate. At least for this presentation, we are looking in particular at articles 17 and 19 of that covenant, which deal with the right to privacy and also the right to freedom of expression. The point has been made many times—and, in particular, by Mr Ruddock—about the importance of the proportionality test under that law. It is actually a test that applies both at international law and domestic law, but the part of the test that has been left out by most speakers is that it must be proportionate to the legitimate aim. I would like to suggest to you that it is the element of the legitimate aim that allows some answer to the kinds of questions that have been put about the difficulty of adopting a proportionality test.

The commission has also considered, as part of our background to making a submission, the experience of the data retention schemes in Europe and the United Kingdom as, of course, comparable legal institutions—and, in particular the landmark judgement of the Court of Justice in the European Union on the EU's data retention directive, which underlies some of the thinking about what is an appropriate or best practice response to data retention.

So the first of the aspects that I would like to suggest to you are important concerns the retention period; you have been discussing that at some length. The two-year retention period is at the upper end of retention periods implemented in comparable jurisdictions. The majority of the European Union countries, including the United Kingdom, have a one-year period, and I think you are aware of the evidence from the EU that shows that only two per cent of requested data is over one year old. The commission has suggested an initial retention period of a year—maybe a compromise is 18 months—but it should be trialled for three years of the scheme's operation.

But I, having had the benefit of the discussion today, do believe that this concept is a very crude tool to deal with the problem that you are faced with, and that is that really you need some form of sliding scale which can take into account the seriousness of the matter. The question that arises from Mr Ruddock is: how you deal with the minor chance when the risk is loss of life and serious terrorism? I understand that the Australian Federal Police would like five years and not two years, 18 months or whatever turns out to be a political compromise. It seems to me that it would be far better to face the reality of the problem and create a structure that addresses that problem than to take a compromised period of time—let us say two years if it were to pass—that is not really addressing the issue, which is not one of statistics but is a matter of balancing the dimensions of the risk against the time needed to deal with that dimension. So I would suggest that some fresh thinking is required to really address this problem, and I am happy to come back to that.

The second point is that we recommend that the committee review the circumstances in which the retained telecommunications data can be accessed. In line with EU jurisprudence, the commission considers that access to and use of the retained telecommunications data should be restricted to the prevention, detection and prosecution of defined and sufficiently serious crimes.

The third point, and the final major point, that I would like to make is that we believe that the process of supervision that has been adopted in the bill is ex post facto; it is after the fact. Before I develop that point, may I say that of course the Australian Human Rights Commission will be part of that ex post facto process, because we will highly likely receive communications, inquiries and complaints from the Australian community that their fundamental human rights have been breached, and we will need to consider those complaints and ultimately to make reports to parliament. So that will be part of the process. In other words, the way in which this is actually working in practice will be a matter that would be of considerable concern to the public, who will doubtless come to the Australian Human Rights Commission.

Our key concern here is that all of the safeguards, or the major safeguards, are after the fact. We suggest that some form of administrative—possibly judicial but for practical purposes administrative—body be developed in advance of the access or collection process so that there is some form of control. I know that there is great reluctance to look at a warrant process—which currently exists, of course, in relation to content—but I would like to challenge or ask you to think about the accuracy of the submissions and the Attorney-General's explanatory memorandum in making a distinction between content and metadata. A great deal can be learned from metadata. Indeed, in many cases, more can be learned from metadata than can be learned from content, especially as many people are extremely cautious about content but forget that it is the metadata that can actually lead law enforcement agencies to a paedophile ring, to a terrorist group or to serious criminals. So I would suggest that the rationale for a distinction between the two is extremely weak and should be challenged. If it is accepted that a warrant is necessary for content, I think it at least has to be further explored why it is not necessary to have a warrant at the beginning of the process.

Again, I am conscious of the concerns that the warrant process can be time consuming, expensive and difficult to establish, and that is very important when we are dealing with critical questions of life and serious criminal offences. So we would suggest that, rather than going necessarily through a warrant process, some more nuanced process of administrative authorisation be adopted which is simpler, clearer and cleaner. That would help to deal with a problem that has again been pointed out—if it is only two per cent where you have got a really serious matter, you want it for four years, five years or sometimes longer. That is the practical reality that the law enforcement agencies will tell us about. And you are not going to solve that problem by having an 18-month or two-year retention period—or one year if that were to be accepted. But if you had an up-front administrative process that allowed the police criminal investigation authorities to come to that administrative body to say, 'We now have some evidence with a serious risk that we need longer to retain that data,' then that could be properly considered and extended for the period necessary in the circumstances. But it would mean that you would not be retaining data in relation to Australian citizens for a sort of catch-all purpose.

So I think the summary of our position at the commission is that this is a rather blunt or crude instrument to deal with a problem that is a very sophisticated one and one where considerably greater lengths of time may be necessary. But it is very hard in the first year, or 18 months or two years to know which is going to be that two per cent where you need it for longer. So you need a process at the beginning in order to be able to make these judgements, rather than ex post facto, by which case, of course, the damage is done—and it is going to be done on past performance, leading to damage to a lot of Australians who will be very concerned about their rights to freedom of speech and privacy at least, along with other concerns in relation to civil and criminal penalties.

A final point I want to make is a matter that has come up relatively recently—so we are perhaps all novices in this area—and that concerns the Council of Europe's Convention on Cybercrime. This is a convention of 2001, and Australia is a party to it. There is an obligation to allow access to what is stated to be specific criminal conduct. It does not say what specific criminal conduct is, but that is not relevant for the moment. There is a core obligation under that convention to allow access, and that is being used as a reason for permitting access in a way that can breach human rights. That is our concern. What I want to draw to your attention, if I may, is that article 15 of that convention specifically provides that the obligation to allow access for the purposes of specific criminal activity is subject to human rights protections and, in particular, is subject to the International Covenant on Civil and Political Rights. We would be very happy to provide some further information on that, as indeed I am sure are each of the other witnesses before this committee.

In summary, we agree that the passage of the bill should go forward. We would like to see some changes, and I think one of the most important is to consider how you deal with this problem of very serious, life endangering threats to the Australian community, and do it in a way that the law enforcement agencies are requesting but equally protect the rights of the overwhelming majority of Australians whose privacy and rights to freedom of expression should be protected.

Mr NIKOLIC: Thank you, Professor Triggs, for your testimony and also for your support of the bill. You may have noted my interest in the data retention period earlier on, so perhaps I can commence there. I note your comments about security agencies desiring up to five years or as long as possible. But I note that the AFP Commissioner, in his evidence to the committee last December, talk very specifically about the period required. He said: 'The AFP firmly believes that the two-year retention period proposed in the bill is a reasonable and appropriate time frame and that long-term complex investigations have demonstrated the critical importance of access to this historical telecommunications data.'

We earlier heard from my colleague of a case study, and there are many others that we have heard which I guess are the backbone of that comment that the commissioner made. You say we should perhaps trial a one-year period. One of the things I have heard in recent times is that victims of some crimes, including sexual crimes, often do not report immediately; they report well after the actual crime has taken place. So I am just struggling to understand, given what the commissioner has said and given the case studies we have seen and the evidence that I think we have seen on the public record, why we would not want to give victims the benefits of the police commissioner's experience that two years is what is required.

Prof. Triggs : Of course, we greatly respect the views of the Australian Federal Police and the commissioner's views in particular. He has put his mind to it. That is obviously important opinion and evidence to be taken into account. However, at least we feel that the committee should be aware that the majority of European countries believe that a year is sufficient. That is relevant evidence; it is not determinative. But it is important in a global environment that we have similar approaches, particularly with jurisdictions that are comparable to our own.

My view, frankly, is that, while we could have a best practice of a year, 18 months or whatever the compromise is, the key question is to allow flexibility so that it will be possible for the law enforcement agencies and other agencies to come to some form of administrative body operating on an efficient basis that should be able to approve an extension of that data retention requirement in relation to certain kinds of matters. But I would have thought that, after a year or 18 months, there would be a greater level of knowledge for the law enforcement agencies to be able to say, 'Now we want an extension and we've got a reason for doing it.' So you have the sort of supervisory role beforehand rather than later.

Mr NIKOLIC: Doesn't the obverse apply as well—that, if you start off with a two-year period, you gain knowledge over the same period that potentially you might require a shorter period? Why wouldn't we err on the side of the victims here? Why wouldn't we err on the side of not telling criminals, 'If you can get away with it for one year, the chances are that we're not going to be able to follow up the data relevant to you beyond a 12-month period'?

Prof. Triggs : As you put it in those slightly emotive terms, what you are really doing is saying that the interests of 23 million Australians on the other side of the equation must be subject to intrusion in the interests of those victims. Many in the community, and we, would say that the more serious the offence, the greater the right to interfere in the rights of the other 23 million. That is the balance that constantly has to be made as a subjective judgement: the more serious the offence, the greater the intrusion.

I feel that the debate about the period is missing the core point. That is my concern. Frankly, I would not argue too strongly for a year. That happens to be best practice in Europe. If that does not impress the committee, that is appropriate. We would listen to the views of our own Federal Police officers; that is very credible and important evidence. Make it two years, but there are costs involved in two years, and that is another consideration, and there will be further intrusions into ordinary Australians' lives.

That is why I come back again to saying that, rather than being overly concerned with the question of exactly how long this is going to be, if there were some flexible administrative process to begin with then it would be possible to say: 'We want it to go for longer. We've got some evidence that we'd now like to consolidate by having further retention in relation to certain areas, for example, or in relation to certain suspicions—hopefully reasonable—in relation to criminal activity.'

Mr NIKOLIC: Thanks. Could I move to your recommendation 5—and I am mindful of how much time we have—which would effectively require some form of warrant process for each request. I guess my concern is that in the early stages of any investigation, when metadata is most useful—agility and the capacity of law enforcement agencies to access information and to understand the links between people or networks of concern are perhaps most valuable in the early stages of any investigation—applying a warrant process, which you have in the content side or the post-access side of the equation, to the pre-access side in my view adds red tape, complexity and time and ties police officers up at the early stages of the investigation with another process. What evidence does the commission have that the current access to metadata by these agencies gives rise to your rationale that we must have some sort of warrant process prior to access of metadata?

Prof. Triggs : We are conscious of the concerns about red tape. Red tape is going to be the thing that interferes with the ability of proper criminal processes and investigation. The difficulty is that we are not convinced by the logic that there is a substantive difference for the purposes of law enforcement between content and metadata—in other words, anecdotally. We cannot say more than that; but I think it is something the committee should look at. It is unconvincing to suggest that you should have a warrant for content but no warrant for metadata, especially when there appears anecdotally to be evidence that metadata can be even more intrusive than the content itself. Indeed, it is arguable that now the ready access to content in some respects is already having a chilling effect on the willingness of people to commit their thoughts to the communications that are currently available. It is already clearly having an impact on the willingness of people to be frank in their communications. You might say, 'Well, that will be a reason for not having a warrant in relation to content,' which takes us away from the current debate.

Mr NIKOLIC: I'm not saying that.

Prof. Triggs : I know you're not. I think the key point is that, as we intrude on human rights for Australians, we have to be very alert to how we balance and particularly supervise those intrusions, and that is why we suggest that some form of preliminary administrative management of this will be a far more effective safeguard of those rights than to rely on ex post facto our protections when the damage is done.

Mr NIKOLIC: Why then have you taken a different view to that of the UN Human Rights Council? I refer to a report by Frank La Rue, the UN Special Rapporteur, who has distinguished between 'the surveillance of communications' which must only occur under the supervision of an independent judicial authority, like our warrant process, versus 'The provision of communications data to the State', which must be 'sufficiently regulated to ensure that individuals’ human rights' and 'should be monitored by an independent authority, such as a court or oversight mechanism.'

By any definition, the Ombudsman, the Privacy Commissioner and the Joint Committee on Intelligence and Security would constitute, in my view, a fairly effective oversight mechanism. By your own admission, there is nothing that gives rise to concerns that access to metadata in the past has been abused, and nor are we seeking to change the system. We are simply trying to standardise the period by which data is retained. Given that the UN Special Rapporteur on the Human Rights Council distinguishes between pre and post, why do you argue that both need that warrant or judicial process?

Prof. Triggs : I will ask my colleague, if I may, who is the senior legal adviser with the commission.

Ms Byrnes : The human rights committee has also recently questioned the distinction between content and metadata. They say that metadata gives an insight into an individual's behaviour, social relationships, private preferences and identity that can go beyond that conveyed by the content of a private communication. So our thinking is that, if a warrant is required for content of a communication and metadata provides an even greater picture than the content of the communications then a warrant would also be justified for that.

Mr NIKOLIC: The Special Rapporteur, as I read the report, distinguishes between the surveillance of communications—that is, entering content of communications versus the provision of communications data by the private sector to the states for the purposes, for example, that the AFP Police Commissioner and others have said they need it to determine pattern of life, to determine pattern of connectivity between individuals and networks of concern to try and respond in an agile way to the threats that are confronting our country from resurgent terrorism and paedophile networks and so on. You have taken a different definition to the metadata.

Ms Byrnes : Yes. The commission was also influenced by the European Union data retention directive decision, which also set out the permissible limits at human rights law for data retention, and one of the reasons why it found that the EU data retention directive was a disproportionate interference with the right to privacy is that it did not have access to an administrative or judicial body. The commission was also relying on that judgement when it suggested that a warrant for metadata might also be something the committee should consider.

Mr NIKOLIC: But your recommendation is not underpinned by a fear or evidence that people accessing metadata previously have behaved in ways—within Australia—that have raised concerns in your mind that they are mistreating that information at the metadata level, rather than the content levels?

Ms Byrnes : No. The commission has just looked at the EU data retention directive and European Union jurisprudence on this topic, as well as the Human Rights Committee.

Mr NIKOLIC: As I read that UN Special Rapporteur's report, I wonder if the bill is inconsistent with that, given the oversight mechanisms in place. But I appreciate your evidence, and thank you so much.

Prof. Triggs : We have relied, as Ms Byrnes has said, reasonably heavily on the very considered judgement of the European Court of Justice, and that is a very powerful decision. It tries to achieve that balance of proportionality and it is certainly a judgement that influences our own suggestions to this committee.

Mr NIKOLIC: Thank you, Professor Triggs.

Senator FAWCETT: Professor Triggs, thanks for your evidence. I want to come back to this concept of the sliding scale—

Prof. Triggs : Yes.

Senator FAWCETT: to understand the mechanics of it and your thinking. I understand that what you have proposed is that, rather than having a set limit, if a significant risk is identified—let us go back to Task Force Argos, which identified a paedophile ring involving children in Australia who were being abused—in such cases we should extend the period of retention. Is that correct?

Prof. Triggs : Yes, that is an example—and it is a very good one, because, as was pointed out, it can take four, five, six years.

Senator FAWCETT: I am just trying to understand how you would see this working. Advice is provided to the police that a paedophile ring has been operating for some months and children are at risk, so the police decide they need to act. They go to your authority and they say, 'We would like to extend the data collection period by a year,' four years, whatever, on a sliding scale—let us make it four years. Who does the authority give them permission to retain data on? I come back to the comment that Hetty Johnston made about this case. She said:

Offenders don't fit any kind of stereotype: they are police officers and priests and teachers and charity workers and media people …

There were nurses and others arrested in this case. So we have already reached our six-month point; we are applying for a longer period. Who is actually captured by this longer period? According to this case, it would have to be everyone in Australia.

Prof. Triggs : That is a good example of the difficulty of managing this problem. One might say that that is such a serious offence that it is worth intruding on the rights of others in order to ensure that you can capture those cases. Now, reasonable minds will differ about that. What we are talking about is a period of time. I am suggesting to you that, whatever compromise is reached at the political level, on the assumption this bill goes through, best practice in Europe is a year, but that is not nearly enough; two years may not be.

I am suggesting that, if we had an up-front administrative oversight body, we would have some capacity for that oversight body to take into account the accumulating evidence of the police or other law enforcement agency. They might say: 'All right. The act now says two years; we can accept that. We needed the two years.' But, at the end of the two years, they might say, 'Well, we've got some information here, but it's nowhere near enough to really get to the heart and the full extent of this circle of people we want to know more about.' So we would go to that administrative body and say we want these people under some level of supervision for another year or another two years, and report back to that body—something of that nature.

Senator FAWCETT: But that decision would then apply to every telco, every internet provider, for everyone in Australia who uses their services. At any given time we have espionage cases that ASIO are dealing with, we have paedophile rings, we have drug cases and we have terrorism cases that the various agencies are dealing with. All of those would meet the threshold of serious cases, in which case the sliding scale would be constantly at the five- or 10-year point. That is why I am struggling to understand how your concept would work. Once you have reached the six-month point or the 12-month point, the data is deleted. If you subsequently decide you have information that there is definitely a terrorist threat or something running, you cannot recreate the data; it is gone—even if this authority says it thinks two years or four years appropriate. So I think there is a problem with the mechanics of what you are suggesting.

Prof. Triggs : I think that it needs further thought, and that is essentially what I am saying to you. Whatever you reach as a final result if this legislation passes—whether it is 18 months or two years—I do not think that addresses the problem in an adequate way. Certainly it allows retention for a longer period than would currently be the case, as we have just been hearing from Vodafone. But I think we need a more nuanced approach to how we collect that data for longer periods where it is necessary for serious crimes. It is about the seriousness of the crime and the need for access to that material—the way we need to protect national security and to protect people against criminal offences. I do not think a blanket rule that applies to everything, without some pre-existing supervisory capacity, will ultimately help solve the problem. Indeed, I suspect that we will have thousands upon thousands of complaints and issues going to the Privacy Commission being considered by the Ombudsman and by the Australian Human Rights Commission. So, if one is thinking about red tape and things that are going to tangle us all up, it would be far better to have a more sophisticated, more nuanced approach. The technical issues are going to be complex—I am not underestimating it. What I am saying is that I think a rather different frame of reference needs to be thought about here, and an up-front capacity to supervise before you get to the situation where the damage is already done.

Senator FAWCETT: But isn't this process that we are part of now an up-front process of supervision? We are dealing with concurrent multiple serious threats, which means we have already passed your threshold for extending time. The community clearly is giving us feedback. Other jurisdictions are indicating that two years is probably about as far as people are happy to go. So this is the up-front process where we are saying there are multiple serious threats that require the retention of data. We cannot isolate and say that pocket of data is what we need to retain for four years because everyone is potentially a suspect when it comes to drugs, espionage or paedophilia, so this is the process. I am struggling to see how another process could be any more robust than the process we are currently going through.

Prof. Triggs : The bill will become an act, and your role will be over—apart from, presumably, looking at other amendments to that. So you will have created a process which sets, say, a two-year limit—and that perhaps is one the community can accept in the circumstances. I am saying that, assuming that passes, it will be helpful to have the additional role of some form of administrative authority that could supervise the access to this data and ultimately extend the period in certain contexts so that you are actually able to deal with the problem of the seriousness of the legitimate aim, if you like, and that would be justified as a matter of proportionality. But the key point I would like to make is that it is European practice, it is the Court of Justice view and it is the commission's view that some form of front-end administrative supervision would be a helpful way of preventing the damage at the end, where I think we are going to see a lot of problems arising in the future.

Mr BYRNE: Have you looked at the system the United Kingdom currently has in place?

Prof. Triggs : We have looked at it as a comparative exercise.

Mr BYRNE: Therefore, what would you say about the single point of contact that is utilised by the agencies and the law enforcement agencies to broker the requests for information with the CSPs, which is your front-end point of contact?

Prof. Triggs : I will ask my colleague to answer that question.

Ms Byrnes : We have looked at the United Kingdom very briefly in the 2011 European Commission report on the implementation of the data retention directive. The UK does not have a warrant system, but there are other countries in the European Union that do have requests to a judicial officer or senior official, so there is some precedent for having an administrative oversight of a data retention scheme.

Mr BYRNE: I am saying the Brits have it. I am saying: could you have a look at it, because it came in with the rushed legislation that was pushed through the British parliament? One of the things that was attached to that was a single point of contact. I am saying you are arguing about front-end administration but there is already one there in the United Kingdom system. Could you have a look at that and report back to the committee and see if that satisfies the concerns that you have? My understanding is that that system has in fact been implemented in the United Kingdom as one of the safeguards to get the stuff through the parliament.

Prof. Triggs : We would be very happy to look at that in more detail and come back to you with some information about it and how it has worked.

Mr BYRNE: Thanks.

Senator FAWCETT: You mentioned restricting access for the data. I wanted to get your sense of organisations like ASIC, who presented first this morning. They currently have access to metadata as part of their role against white-collar crime. They have presented a fairly cogent case to the committee, saying why they should be included in the bill as an agency. Would you support groups like ASIC being included in the bill as being given access to the data?

Ms Byrnes : We have not considered the specific question of whether ASIC should be allowed access to data in the retention scheme, but we certainly think it should be refined to bodies who are investigating sufficiently serious crime. So there might be cases where ASIC could meet that definition.

Mr RUDDOCK: ASIC gave us evidence that I found very compelling. It related to insider trading and substantial losses to seniors' investments in superannuation where they may at a time when they could never make it up lose all of the provisions they have made for their retirement. As I said, I found it very compelling, and I was hoping you might make the case against it so that I could better understand what the alternative is.

Prof. Triggs : I think the point that we are making is that, where it is a serious outcome, however you define it, that warrants the increased level of access or intrusion of the right. You have mentioned the loss of life. It is perhaps an obvious case that the paedophile ring is another one. This is an interesting one about older people who have lost their savings through insider trading or financial advice that goes wrong. That is a very serious matter, particularly with an ageing Australian population. So, again, it is a subjective judgement ultimately—a political one—but one might say that is a serious matter and should very well balance the intrusion on human rights. But I shall try to think of some anti arguments.

Mr RUDDOCK: It is nice to know the Human Rights Commission is not arguing against it.

Prof. Triggs : No.

Mr RUDDOCK: I then take you to my next question, which goes to what happens now in relation to the requests to access metadata. My understanding with both law enforcement agencies and security agencies is that, while they do not require warrants, they do have a procedure where senior officers are involved in assessing the material to make a decision as to whether or not they should request that particular data. Is that what you mean by an administrative process?

Ms Byrnes : I think we are requiring some form of independent oversight—something that is external to the agency.

Mr RUDDOCK: So, when we are looking at some agencies that have 60,000 or 70,000 requests, do you have any idea of what the costs of establishing such review arrangements for all of the various agencies might be?

Ms Byrnes : No, I certainly do not have those kinds of figures to hand, but we would be advocating—

Mr RUDDOCK: It might dwarf the retention costs that the providers are suggesting ought to influence this.

Ms Byrnes : Our recommendation is for some kind of independent oversight, but that could be by email or by telephone—something that could be very efficiently run.

Mr RUDDOCK: You do not think it is efficient oversight to have the latter review by the Ombudsman or the Inspector General of Intelligence and Security?

Ms Byrnes : The difficulty with that monitoring system is that it is after the fact.

Mr RUDDOCK: I understand that. But it does give you an indication of whether you are making flawed decisions under the arrangements that we have in place.

Ms Byrnes : After the fact, yes.

Mr RUDDOCK: As I understand it, there is already review of those matters by the Inspector General of Intelligence and Security and no matters have been drawn to notice.

Ms Byrnes : That is true.

Mr RUDDOCK: My principal concern is that your evidence that suggests that metadata is in some way comparable with content. As I understand it, the major purpose for which metadata is sought is to give agencies some idea about where to look. It is in fact about intelligence when they have not been able to get material that would produce a warrant and enable a very thorough investigation. So this is about looking to see who may have been talking to whom and then coming in later with a warrant to see whether or not a fuller inquiry should be pursued. In a sense I am very worried about—particularly in relation to security agencies—them not getting access to the first step, which is the intelligence material that may tell you where it is useful to look.

Prof. Triggs : I think that is a perfectly proper concern; but, as a matter of logic, if you protect content with a warrant, why would you not protect even more powerful information, which is metadata?

Mr NIKOLIC: How is that more powerful?

Prof. Triggs : Because the pattern of behaviour can reveal all sorts of things about a person's life that would not necessarily be revealed in the content of a particular email or text. That is why it is so important. That is why the law enforcement agencies and so on need it. You can develop patterns of relations. You can triangulate information: where they are going, how often they are doing it. You can learn a great deal more from that information than you can in relation to individual content or a series of emails.

Mr NIKOLIC: With respect, the reason why there is a warrant process for content is because it is far more intrusive and revealing. It is the content of information between people. The metadata—if you like, who talks to whom when—is that first cup for the AFP and agencies, as I understand it, to understand the patterns of contact between people of concern. Only when those patterns reveal a need to go further into those people—something comes out of the metadata to say two, three or more people of concern are talking to each other—is a warrant applied for for that much more intrusive content that they then look into. So I am not sure that is entirely right. I might have that wrong—

Prof. Triggs : Let me give you an example. Let us say somebody has a sexual orientation that means they like to go to particular clubs or they meet with certain friends. They make phone calls consistently to particular people as part of their network and do so in a totally legal way. To examine that metadata would tell a great deal about that person and the whole of the social network with which they operate, and it would expose them to an intrusion into their privacy in ways that they may find exceptional.

Mr NIKOLIC: How does someone's sexual preference fit the criminal intent of the metadata purpose in this bill?

Prof. Triggs : The point I am making is that, when you acquire information of that kind, you are intruding into the lives of ordinary Australians. So that is a very powerful tool to understand not only the personal life of one individual but to link that individual and link their behaviour with many others. For most Australians their linking through metadata will be totally legal, completely inoffensive and no threat to the Australian people.

Mr RUDDOCK: Who would be finding out about that? A police officer who is investigating a serious criminal issue who says, 'This person's behaviour is not of concern.' It in fact ensures that a person, when examined, is free from any blame.

Prof. Triggs : You would certainly hope so.

Mr RUDDOCK: I do not care how many police officers find out who is talking to me, who is visiting me and so on. I am behaving properly.

Prof. Triggs : But many Australians would find that an intrusion into their personal lives and their social networks that they would object to.

Mr NIKOLIC: The examination is targeted.

Senator BUSHBY: But the reality is that the examination would only occur if that person were either a primary person of interest which led to an examination of their metadata to look at their networks or, alternatively, if they came up as one of the people on those networks. I believe that examination looking at that metadata could be used to say that this pattern suggest that this person is involved in this conspiracy that we are looking at or this pattern suggests that this person is just coincidentally relevant to this person. Then you move on. As I understand it, that person's metadata would only be examined if they were that very tiny percentage of people who were associated with a person of interest or a criminal or terrorist issue that arose and they were trying to work that one through.

Prof. Triggs : That may be the case as a matter of practice. We will see how many of these matters come before, for example, the Australian Human Rights Commission where people feel that in fact that information has been misused.

Mr NIKOLIC: How many of those issues have come to you till now? Apart from restricting the number of agencies, we are not changing the metadata process. We are simply trying to standardise the time the metadata is retained for. As the process has been going over many years, how many people have you had to investigate up till now?

Prof. Triggs : I would be vey pleased to come back to this committee in the next few days with some illustration. As you know, we get 21,000 inquiries or complaints a year, but I am afraid I am not able to say how many of those concern access to data of this kind. I will certainly find out. We certainly do get a significant number of claims that data has been breached and privacy has been raised. That may be of value to you in thinking about how real or abstract this problem is. But I should also say that what we have just been saying is very much a matter of concern to the European Court of Justice in considering this matter. So we are presenting this to you not as though we are experts on this question but as we are looking at the jurisprudence that has been developed in best-practice nations with comparable legal systems, and it does at least need to be taken into consideration.

Senator BUSHBY: Thank you. I think that information will be very useful. One question I was going to ask you was related to that. Given that the proposed bill does not actually impact on access arrangements except to the extent that it actually tightens them up a little bit and provides additional oversight—it does not expand access arrangements—if the bill does not go ahead, would your recommendation that that type of regime be put in place stand regardless given that the authority to access metadata currently exists anyway?

Ms Byrnes : Yes, that is right.

Prof. Triggs : Yes, we would accept that. If it does not go through, I think I would like to see a more nuanced approach to assessing this information in order to get to the core of the problem rather than running the risk of intruding in the lives of so many millions of Australians. That is our primary concern.

Senator BUSHBY: You have mentioned on a number of occasions intruding in millions of Australians' lives. For clarification—I am not challenging you necessarily; I am just trying to understand it—how in your view does the retention of the data in an inert, hopefully secure way, only ever accessed for very clear, legislatively controlled purposes, and only for very, very small percentage of the people whose data is retained, intrude on millions of Australians' lives?

Prof. Triggs : The key point is that the data is a matter of personal privacy. When that is being collected and then made available to agencies that—

Senator BUSHBY: Is it the data being made available or is of the retention, or both? You are nodding—I am not sure what the answer is.

Ms Byrnes : It is both, even the collection itself.

Senator BUSHBY: So, in your view, the retention of that data in an inert way, 99.99 per cent of it never, ever looked at or touched, is an intrusion—

Ms Byrnes : Into the right to privacy.

Prof. Triggs : And there is a considerable body of jurisprudence that supports that view.

Senator BUSHBY: So that is an intrusion. Am I right in concluding that it is a fairly small one if it is never—

Prof. Triggs : Exactly, it is a small one, and that is where this balancing comes in.

Senator BUSHBY: And then you need to balance that against the benefits that the law enforcement and security agencies consider exist in that data being retained so that they can then make use of that for serious criminal investigations and terrorism investigations.

Prof. Triggs : And that is why we support the passage of the bill. That is our core position—we support it—but we are simply raising for the committee's interest—

Senator BUSHBY: Yes, a consideration that we need to look at.

Prof. Triggs : Our job is to help. This is not necessarily—

Senator BUSHBY: I am not trying to be combative today.

Prof. Triggs : No, thank you very much. I am mightily relieved, I have to say! But we do look at the jurisprudence, we look at what is going on in Europe, we look at what best practice is and we look at the views of many people, not all of them. The rapporteur's is an important view—this is all evidence for you to take into account. We are simply putting this on the table, but we would love to give you a bit more information, if we may, about the convention and about our own data in terms of levels of complaints and concerns within the Australian community. As you may know, we do settle about 70 per cent of these matters, so they never go out into the public arena; they are confidential. But we can certainly talk about the data.

Senator BUSHBY: I think that deals with the issue of access. Regarding your sliding scale or the time for which the data is retained, you made a suggestion which Senator Fawcett went through with you a few minutes ago. I still do not quite understand how it might work given the evidence that we have received from the law enforcement and security agencies. My understanding is that generally what will happen is that they will get a snippet of information. They will be informed through their own surveillance or their monitoring of individuals in a terrorism situation that something is afoot. They may be informed by an international law enforcement agency that they have come across some activity in Australia involving certain persons. They then look at these people, and one of the tools that they use to commence that investigation is to examine metadata. The metadata they look at is not the metadata from that day on; it is the metadata from that day backwards, which they use to try and piece together a picture of what those people might have been doing and who they might have been talking to and try and establish whether there is a conspiracy et cetera. That is why the time line for how far back you go is relevant. We have heard evidence that 90 per cent of relevant stuff happens within one year, but there is 10 per cent that extends further. That 10 per cent might be more important, it might be more egregious and it might not be, but there is probably a mix.

Your sliding scale suggests that you look forward and I do not really understand how that will work. As I understand it, once a person becomes a person of interest and they start accumulating the evidence against them, that is when the warrants—the more intrusive elements of their investigation—come into play, because they have some evidence. But looking back on the metadata is actually part of putting together the jigsaw puzzle to work out who might be involved in these activities. It might be to identify who is behind an IP address that somebody in a law enforcement agency in another country said was accessing a child exploitation site. Going backwards is where it is important; it is not going forward where they get most of the benefit. How would what you are suggesting work with that, or could it?

Prof. Triggs : Ms Byrnes, please interrupt me, but let us assume that the law is passed to provide a two-year retention period and the law enforcement agent comes to some form of administrative body and says, 'The two years have given us the beginnings of some worrying indications of a serious criminal matter,' however defined. 'We can keep an eye on these people, but we would like to be sure that the data in relation to these kinds of people or these kinds of activities is held for more than two years, because we don't want it to drop off at the end.' So, if you move forward in time, your two years keep dropping data off the end. They may very well come to the agency and say, 'We really need to keep not only the existing data but for the next year or so we'd like to just consolidate this because we think this ring is more extensive in another country,' or, 'We want to know more about it. We want clearer evidence. If you want a conviction, we need better evidence.' They will be compelling reasons for saying we will require the retention of that data for three years or four years, but we have to do it very secretly, very quietly and confidentially, in order to get to the outcome. That is the kind of flexibility that I think probably needs to be built into the system.

Senator BUSHBY: I think that is a constructive suggestion. I guess it comes back to Senator Fawcett's line of questioning about which data you keep. If you become aware that one person might be involved in criminal activities, you might look at their metadata and identify another five people who match up somehow, using the techniques that they use. There may well be more, but you do not know which metadata to keep to identify that issue.

Prof. Triggs : That is right.

Senator BUSHBY: I imagine that, once you have those five people, there are other powers that the law enforcement agencies have to retain the data for purposes of prosecution and so on down the track.

Prof. Triggs : Yes.

Senator BUSHBY: It is more about what else might be out there linked to what we know that metadata would be useful for to find those linkages.

Prof. Triggs : That is right. I fully appreciate that I do not have all the answers to these technical questions. But I guess what I am saying is that, if you are going to deal with the seriousness of the issue and the need to have evidence that may be required over a longer period, that should be part of your considerations. There needs to be flexibility built into it. Again, that body would then learn as we go with this massive range of data. The advance of technology is such that what we are talking about today is, I understand, going to be very different in five years from now.

Senator BUSHBY: No doubt.

Prof. Triggs : So we do need a flexible capacity. But also, dealing with your question, wouldn't it be useful to have a small administrative body that could follow this through, follow the data and technology changes, and tweak it and make suggestions so that they are meeting the proper needs of our agencies in protecting Australia and obviously whether it needs to be protected? Maybe if this bill goes through there will be a capacity to develop these other safeguards as we go along, which would be encouraging.

CHAIR: Thank you for giving evidence at the hearing today. You will be sent a copy of the transcript of your evidence, to which you may suggest corrections. If you have been asked to provide any additional material, please forward this to the secretariat as soon as possible. We would appreciate the additional material that we have discussed. If the committee has any further questions, the secretariat will write to you. Thank you very much.

Prof. Triggs : Thank you.