In a report released late Friday, Parliament’s Joint Committee on Intelligence and Security ticked off on the government’s proposed mass surveillance scheme, with some minor amendments.

Once legislated, the scheme will require all Australian communications companies to log and retain data about all customers’ usage of their services for two years.

The committee has recommended a number of protections that will depend heavily on drafting to achieve any effect, and in one case the committee has expanded the remit of the bill. Among the recommendations:

  • The dataset to be retained is to be listed in primary legislation rather than regulation, making it slightly harder to change (regulations can be disallowed, whereas legislation must pass both houses of Parliament). However, the Attorney-General would have a power to simply “declare” additions to the dataset for a period of 40 days before seeking to amend the legislation to add them. Given a bill can sit before Parliament for nearly three years after introduction before expiring, this recommendation would, unless carefully drafted, appear to allow the AG a virtually unlimited power to add additional types of data to the scheme.
  • A similar power for the AG to “declare” new service providers that would be subject to the scheme;
  • The exclusion of browsing history from the dataset to be included in the legislation;
  • The government’s financial support to be targeted to ensure smaller providers aren’t disadvantaged (reflecting the fact that smaller companies will have less capacity to absorb the costs of storing and accessing data);
  • The government’s financial support be targeted to “incentivise timely compliance” and “efficient solutions” on the part of communication companies, in effect punishing companies that may place greater emphasis on fulfilling legal obligations and ensuring customer privacy is protected;
  • The ACCC and notoriously inept corporate watchpoodle ASIC to be added to the list of agencies that can access stored data, but a restriction on the Attorney-General’s power to add other agencies to the list;
  • Civil litigants to be prohibited from being able to access metadata “held by a service provider solely for the purpose of complying with the mandatory data retention regime”, although the government will be able to provide exceptions via regulation. This is intended to address the concern that corporations such as the copyright industry, or companies pursuing whistleblowers, or individuals engaging in litigation (for example, family law disputes) will be able to subpoena metadata or access metadata via discovery. The exceptions power, however, will enable the government to regulate the right of, for example, the copyright industry, which the current government has bent over backwards to please, to access data in civil litigation;
  • Requiring security agency officers getting access to data to “have regard to” factors such as “whether the investigation relates to a serious criminal offence, the enforcement of a serious pecuniary penalty, the protection of the public revenue at a sufficiently serious level or the location of missing persons”. This has potential to be a worthwhile but self-regulated internal check on police fishing expeditions through retained data;
  • No restriction on accessing data that would identify journalists’ sources, despite Labor flagging that as a serious concern. Instead, there’ll be a three-month inquiry by the committee into the issue — meaning the government will be under no pressure to pass any bill the committee might recommend as a result;
  • Agencies to advise the Commonwealth Ombudsman (or Inspector General of Intelligence and Security in the case of ASIO) when they access journalists’ metadata to identify sources; those agencies will pass the information on to the committee;
  • An expansion of the committee’s own resources to reflect its greater oversight responsibilities, and legislative changes to give the committee the power to examine any aspect of the scheme;
  • An annual report breaking down the operation of the scheme. The committee will be able to demand briefings on all aspects of the scheme after such reports, including where it may have an impact on operational matters; and
  • Retained data to be encrypted and mandatory data breach notification scheme to be established by the end of the year.

Despite the dozens of recommendations and the appearance of rigour, this is a deeply flawed report, which accepts, and indeed quotes at length, the assertions of security agencies as to the importance of telecommunications data as if they demonstrate the need for data retention, when data retention schemes around the world have yielded no evidence of any beneficial effect. A number of the “safeguards” intended to limit the impact of the bill will depend heavily on drafting to work — and the department drafting them is AGD, which is behind the push for even more surveillance. In the case of the prohibition on civil litigants accessing information, the proposed prohibition may simply not work, although if it is drafted well, it will be a substantial block to misuse of the scheme by the copyright industry and other malign forces.

On the positive side, the committee — if it has the right personnel — will be able to aggressively interrogate agencies about the operation of the scheme and will be immediately advised if a journalist’s metadata is accessed. Security agencies are understood to be deeply unhappy at this extension of JCIS oversight.

Labor committee members — reflecting the shadow cabinet’s position — have entirely caved in on the issue of journalists’ sources, which had been flagged by Bill Shorten himself as a key issue of concern. Key no longer — there’ll be no protection of any kind for either journalists or whistleblowers from data retention, which in the view of the UK government can have a chilling effect on investigative journalism. Indeed, the British are moving at this very moment to establish a requirement that police can’t access journalists’ metadata to identify a source without a judicially issued warrant.

All JCIS has provided on that issue is an inquiry. Perhaps this time around, Australian media companies and prominent journalists will follow the lead of their UK counterparts and undertake a public campaign to protect their capacity to do their job well. If they don’t, data retention advocates and JCIS are entitled to say that the media have been offered multiple opportunities to object to this threat, and they failed to do so.