Instant scope creep: Parliament recommends ATO data retention access


news The Parliament’s Joint Committee on Law Enforcement has recommended the Australian Taxation Office be added to the list of agencies able to access data retention under Australia’s new data retention legislation, as part of a report that also recommended other technological measures to curb financial crime.

The data retention legislation restricted the type of departments and agencies which would be able to access the stored data to ‘criminal law enforcement agencies’. This included police and related agencies, but locked out a variety of other agencies such as the ATO who had previously been able to access data stored by telcos such as Telstra, Optus, Vodafone and so on.

However, the list of agencies who can access data stored by telcos under the new legislation has already started increasing. The Australian Border Force Bill passed in May added the new Australian Border Force agency to the list. And yesterday, the Joint Committee on Law Enforcement published a new report recommending the ATO also be given access to all Australians’ retained data.

The Committee is a long-standing one and is dominated by the Coalition and Labor, with Liberal Democrat Senator David Leyonhjelm being the only crossbench member.

Yesterday the Committee published its report of its inquiry into financial-related crime, which has been running over the past year. The report mainly deals with law enforcement arrangements to support tracking and dealing with financial crime. However, it contains several recommendations which will be of interest to the technology sector.

The Committee’s third recommendation, for example, is that “subject to appropriate safeguards including adequate privacy and oversight arrangements,” the Government designate the ATO as a ‘criminal law enforcement agency’ under the Telecommunications (Interception and Access) Act, which would give the ATO access to the data retention powers.

The Committee stated that the purpose of this move would be to protect public finances from serious criminal activities such as major tax fraud.

The Committee also recommended that the Australian Securities and Investments Commission consider and implement mechanisms to make its response to Internet-based financial-related crimes “far more expeditious”, and that the national audit office conduct a performance audit of ASIC’s technological capacity, and provide a report to Parliament on the issue.

Beefed-up powers for the Australian Transaction Reports and Analysis Centre — which tracks transactions in Australia — were also recommended.

Perhaps controversially, the report also recommended that financial institutions which issued debit and credit cards create an “opt-in” function that would require customers to consent to contactless payment technology features being activated on their cards.

The Greens have previously spoken out about the possibility for the data retention legislation to expand in scope.

“[Attorney-General] Senator Brandis made a great show of narrowing the range of agencies that would be able to access this collected material,” Greens Senator and Communications Spokesperson Scott Ludlam said in the Senate when the Australian Border Force was added to the scheme.

“And here we are in parliament, on the very next sitting week after that mandatory data retention bill passed, and the first example of scope creep lies on the table today. Of course, the Australian Border Force wants to be able to scrape people’s home and email records and find out who they have been talking to and where they were.”

“This is the first instance of scope creep. It gives me absolutely no pleasure to say ‘we told you so’, but we did; we said at the time of the data retention debate that the bill has scope creep written into it.”

There is a great deal that is sensible in the Joint Committee on Law Enforcement’s report on financial crime. The Committee took a greal deal of evidence from many parties, as is usual doing any parliamentary inquiry, and some very interesting aspects of this shadowy branch of the financial system were brought to light. I commend the Committee on its report, which makes for very interesting reading.

Some of the recommendations made by the Committee are very sensible — I don’t think anyone has a problem with the Reserve Bank or the Australian Federal Police being given extra powers to track counterfeiting, for example.

And the review of ASIC’s technological capability is also timely. The agency’s incompetence in this area — which resulted in the accidental blocking of hundreds of thousands of websites through the Section 313 power — is well known. I hope that review goes ahead.

However, I must note that I am disturbed by the bipartisan recommendations that the ATO be given data retention access, and that some kind of ‘opt-in’ mechanism be added to contactless credit and debit cards.

The ink on the Data Retention legislation is barely dry. This legislation went through a torturous process as it progressed through the Parliament, and the ATO and other agencies had a very ample chance to have their say about it. They did so — at length — and both major sides of politics largely rejected the agency’s arguments, constraining data retention access more tightly, to criminal law enforcement agencies.

Now it appears that the ATO has been a bit more convincing, and Labor and the Coalition have been persuaded by its case for access to the data retention powers.

To my mind, this is not good enough. The data retention legislation has not yet had time to start functioning — many telcos have not yet implemented their plans to meet the requirements of the legislation. We don’t know how well the bill will yet work. The Joint Committee on Law Enforcement should not be seeking to change the scope of the legislation at this point.

The opt-in recommendation on contactless cards (payWave and PayPass) is also a poor one. This technology has been a huge boon to Australians, cutting huge swathes of time and effort out of payments. It functions well and already has effective security restrictions around how it can be used. There is no momentum or need to modify Australia’s approach to contactless cards at this point, and few serious security risks.

I am disappointed that the Committee has caved into the demands of law enforcement agencies on this front, and is seeking to curtail the rapid expansion of an extremely useful and quite harmless technology in Australia’s banking sector.


  1. I was disturbed to hear that this issue was only just considered by the pjcis and that we had hit scope creep territory so fast. So I went and browsed the pjcis report. It tells a different story from your article.

    It notes that the ATO has these powers today. So this isn’t scope creep in the usual sense. It would just keep its powers. Is there any evidence that the ATO is abusing metadata? Because the tax office’s work like Operation Wickenby is almost certainly in the public interest, so there would need to be a decent reason to limit it’s powers now. Maybe the pjcis got that one wrong (I’ll come to that in a moment).

    If there was a way you could easily unscramble data retention metadata from normal metadata maybe you could draw a distinction and only give the ATO access to normal metadata, but that doesn’t seem likely. You’d probably also need to show that there was a quantum difference between data retention metadata and normal metadata to justify the difference.

    The reason the Government gave for cutting the number of agencies was pretty straight forward. There was a short list of agencies that parliament had already named individually to have these powers, like the AFP, so they kept their powers, while everyone else had to make a case for them. ASIC and ACCC seem to have made their arguments to the pjcis, and so got listed. Contrary to your article, the ATO didn’t. It didn’t make a submission and it didn’t make an appearance. Maybe it should have, but in any case it has now – what actual, real world difference does it make whether it made its case in January, before data retention commenced, or Jun or September, still before data retention commenced?

  2. Once you uncork the genie it’s terribly difficult to put it back in.

    Observe, as virtually every government agency shuffles into a disorderly queue. Ultimately, meta-data access allows a short-circuit of the tradition legal process; so they’re all going to decide that maybe the should have access (or have it decided that they do) after all.

  3. “Financial Crime” or avoidance of the new Internet GST?

    Which is more likely, the ATO would take action against wealthy well connected business persons committing serious crimes, or the ATO would set up a bot to send automated demand for payment emails to ordinary Australians “guilty” of not paying 0.09c tax on a 0.99c download?

  4. I would suggest that everyone has a look at the powers that the ATO already have in regard to accessing financial record including entry to premises.

    No doubt there is a strong possibility that metadata could be useful in helping to uncover participants in tax dodges and where the “black” money is hidden and the ATO having access to the information is hardly more intrusive than their existing powers.

Comments are closed.