Australia, insurance, car, home, live, holidays

At least 87 agencies - including councils,the Victorian Institute of Education,the RSPCA and the South Australian fisheries department - were using a"loophole"in the Telecommunications Act to access people's metadata while investigating minor legal breaches.

The mandatory data retention legislation passed in 2015 - made famous by former attorney-general George Brandis ina gaffe-prone interview where he struggled to explain metadata - permitted just 21 agencies to access the metadata.

Under the laws,telecommunications companies must store customer metadata for at least two years so it can be accessed by security and policing agencies if required. Metadata includes the identity of a subscriber and the source,destination,date,time,duration and type of communication. It excludes the content of a message,phone call or email and web-browsing history.

But section 280 of Telecommunications Act already allowed the release of the data to more agencies"if the use or disclosure is required or authorised by or under law".

In its report tabled in Parliament late on Wednesday afternoon,the Parliamentary Joint Committee on Intelligence and Security has recommended only domestic intelligence agency ASIO and other law enforcement agencies listed in the Interception and Access Act be allowed to authorise the disclosure of metadata. This will mean many agencies and bodies previously able to access metadata without a warrant will no longer able to do so.

The inquiry,established in April last year,also recommended the data retention laws only apply to breaches of the law listed in the Interception and Access Act as a"serious offence"or any other offence that is punishable by at least three years imprisonment.

The inquiry heard that some telecommunications companies were providing law enforcement with data that included IP addresses and the URLs they had searched,despite government assurances that this wouldn't occur. In the lead-up to thelegislation's passage in 2015,the federal government said the data retention bill"explicitly excludes anything that is web-browsing history or could amount to web-browsing history,such as a URL or IP address to which a subscriber has browsed".

The PJCIS recommended the laws be amended to clearly define the term"content or substance of a communication",which could mean browsing history is no longer accessible.

The committee has also called on the Department of Home Affairs to prepare national guidelines on the operation of the data retention regime within 18 months.

In additional comments to the report,Labor members of the PJCIS said the committee should have gone further by requiring security and law enforcement agencies to seek the consent of a person who is not accused of any wrongdoing before accessing their metadata.

If the person refuses,they said the agencies should then have to obtain a warrant.

"Putting to one side the power to access telecommunications data to locate a missing person,Labor members are concerned that the power to access telecommunications data without a warrant may be used – and is,in fact,currently being used – to access the telecommunications data of individuals who are not themselves suspected of any wrongdoing,"the Labor members wrote.

Get our Morning&Evening Edition newsletters

The most important news,analysis and insights delivered to your inbox at the start and end of each day. Sign up toThe Sydney Morning Herald’s newsletter here andThe Age’s newsletter here.

License this article