In March 2015, the Australian parliament approved the draft of a very far-reaching data retention law (Vorratsdatenspeicherung, VDS). The TELECOMMUNICATIONS (INTERCEPTION AND ACCESS) AMENDMENT (DATA RETENTION) BILL 2014 imposes a considerably more extensive obligation to store user data than the VDS currently being discussed here in Germany. Nevertheless, the law contains one aspect that, for all the fundamental criticism, our own legislature would be well advised to adopt during parliamentary deliberation:
In the Australian version of a VDS, the ACMA, the "Australia Media and Communications Authority", i.e. the responsible regulatory authority (comparable to our BNetzA), is given the option of exempting certain services or groups of providers from the surveillance obligation, so that the requirements of proportionality and data minimisation can be given appropriate weight in each individual case. A Communications Access Coordinator (CAC), who sits with the Attorney-General, is in addition, as the coordinating link between investigative authorities and obligated companies, responsible among other things for defining the specific exemptions in more detail.
In the current draft for a VDS in Germany, by contrast, all companies, even the smallest one-person providers, are to be burdened disproportionately with effort and cost, even though the draft bill itself concludes that 98% of all data traffic arises at just 20 companies and that the burden would constitute undue hardship for all other providers. In exceptional cases compensation is to be granted for this, but that does not avoid the actually disproportionate burden, as the principle of data minimisation would in fact require in the interest of the affected citizens. A de minimis threshold, such as the one already drawn at 10,000 subscribers in telecommunications interception (TKÜV), is so far not provided for either. This urgently needs to be remedied in the course of the parliamentary deliberations.
An even better way of securing proportionality, however, would be to follow Australia's example and give the BNetzA the option, in consultation with the investigative authorities, of exempting from the obligation those companies and services for which a VDS can yield no relevant investigative leads at all, or only with very low probability.
The relevant Australian provisions are therefore documented here, with the most important passages highlighted in bold:
Division 3—Exemptions
187K The Communications Access Co-ordinator may grant exemptions or variations
Decision to exempt or vary
(1) The Communications Access Co-ordinator may:
(a) exempt a specified service provider from the obligations imposed on the service provider under this Part, either generally or in so far as they relate to a specified kind of relevant service; or
(b) vary the obligations imposed on a specified service provider under this Part, either generally or in so far as they relate to a specified kind of relevant service; or
(c) vary, in relation to a specified service provider, a period specified in section 187C, either generally or in relation to information or documents that relate to a specified kind of relevant service.
A variation must not impose obligations that would exceed the obligations to which a service provider would otherwise be subject under sections 187A and 187C.
(2) The decision must be in writing.
(3) The decision may be:
(a) unconditional; or
(b) subject to such conditions as are specified in the decision.
(4) A decision made under subsection (1) is not a legislative instrument.
Effect of applying for exemption or variation
(5) If a service provider applies in writing to the Communications Access Co-ordinator for a particular decision under subsection (1) relating to the service provider:
(a) the Co-ordinator:
(i) must give a copy of the application to the enforcement agencies and security authorities that, in the opinion of the Co-ordinator, are likely to be interested in the application; and
(ii) may give a copy of the application to the ACMA; and
(b) if the Co-ordinator does not, within 60 days after the day the Co-ordinator receives the application:
(i) make a decision on the application, and
(ii) communicate to the applicant the decision on the application;
the Co-ordinator is taken, at the end of that period of 60 days, to have made the decision that the service provider applied for.
(6) A decision that is taken under paragraph (5)(b) to have been made in relation to a service provider that applied for the decision has effect only until the Communications Access Co-ordinator makes, and communicates to the service provider, a decision on the application.
Matters to be taken into account
(7) Before making a decision under subsection (1) in relation to a service provider, the Communications Access Co-ordinator must take into account:
(a) the interests of law enforcement and national security; and
(b) the objects of the Telecommunications Act 1997; and
(c) the service provider’s history of compliance with this Part; and
(d) the service provider’s costs, or anticipated costs, of complying with this Part; and
(e) any alternative data retention or information security arrangements that the service provider has identified.
(8) The Communications Access Co-ordinator may take into account any other matter he or she considers relevant.
187KA Review of exemption or variation decisions
(1) A service provider may apply in writing to the ACMA for review of a decision under subsection 187K(1) relating to the service provider.
(2) The ACMA must:
(a) confirm the decision; or
(b) substitute for that decision another decision that could have been made under subsection 187K(1).
A substituted decision under paragraph (b) has effect (other than for the purposes of this section) as if it were a decision of the Communications Access Co-ordinator under subsection 187K(1).
(3) Before considering its review of the decision under subsection 187K(1), the ACMA must give a copy of the application to:
(a) the Communications Access Co-ordinator; and
(b) any enforcement agencies and security authorities that were given, under subparagraph 187K(5)(a)(i), a copy of the application for the decision under review; and
(c) any other enforcement agencies and security authorities that, in the opinion of the ACMA, are likely to be interested in the application.
Matters to be taken into account
(4) Before making a decision under subsection (2) in relation to a service provider, the ACMA must take into account:
(a) the interests of law enforcement and national security; and
(b) the objects of the Telecommunications Act 1997; and
(c) the service provider’s history of compliance with this Part; and
(d) the service provider’s costs, or anticipated costs, of complying with this Part; and
(e) any alternative data retention or information security arrangements that the service provider has identified.
(5) The ACMA may take into account any other matter it considers relevant.
On this, the law states by way of explanation:
Division 3 of Part 5–1A—Exemptions
Section 187K—The Communications Access Co-ordinator may grant exemptions or variations
1. Section 187K provides that the CAC may exempt a service provider from the mandatory data retention and information security obligations imposed on the service provider under Part 5–1A of the TIA Act, or vary the obligations that the service provider is subject to. The CAC may grant this exemption or variation on his or her own volition or on application by a service provider.
2. This exemption and variation scheme is intended to permit exemptions or variations to be granted in a range of circumstances, including where imposing data retention obligations for a particular relevant service would be of limited utility for law enforcement and national security purposes.
3. The scheme provided by this section is modelled on existing sections 192 and 193 of the TIA Act, which provide that the CAC or the ACMA may grant exemptions in relation to the interception capability obligations of service providers.
4. Subsection 187K(1) provides that the CAC may make a determination in relation to a specified service provider that:
• removes or varies any or all of the mandatory data retention or information security obligations
• removes or varies any or all of the mandatory data retention or information security obligations imposed on the service provider under Part 5–1A for a particular kind of relevant service, or
• reduces the data retention period or the extent of the information security obligations, either generally or in relation to data that relates to a particular kind of relevant service.
5. A variation must not, however, impose obligations that would exceed the obligations to which a service provider would otherwise be subject to under sections 187A, 187BA and 187C.
6. The decision of the CAC may be expressed broadly. In making a determination, the CAC may specify service providers in any way, for example by reference to a class of service providers, and is not required to refer specifically to individual service providers. For example, the CAC may specify that any service provider that provides Internet Protocol television (IPTV) services is not required to retain any data in relation to its IPTV service. Similarly, an exemption or variation may be expressed to apply to a class of obligations.
7. Subsection 187K(1) ensures that determinations can be properly nuanced by vesting the CAC with the ability to elaborate, either to particular service providers or generally, how the data retention obligations introduced by Part 5–1A should apply to particular technologies. For example, a determination could exempt the retention of specific information relating to satellite or mobile internet services. Those services create different types of data, therefore it is appropriate to have a method of providing greater certainty to service providers about how high-level obligations apply to diverse technologies.
8. The data retention obligations under Part 5–1A may cover services that are of limited or no relevance to law enforcement or national security. These could include services relating to IPTV, content on demand, the leasing of dark fibre and machine-to-machine communications. Subsection 187K(1) recognises that, in certain instances, a service provider may not achieve complete technical compliance in relation to a particular service or some aspect of that service, or that the non-compliance has limited implications for law enforcement or national security agencies.
9. The decision of the CAC to grant an exemption or variation is not reviewable under the Administrative Decisions (Judicial Review) Act 1977 (the ADJR Act) as decisions under the TIA Act are not decisions to which the ADJR Act applies (see paragraph (d) of Schedule 1 to the ADJR Act). The exclusion of these decisions from the ADJR Act does not prevent decisions made under the TIA Act from being judicially reviewable under paragraph 75(v) of the Constitution and section 39B of the Judiciary Act 1901 (Cth).
10. Subsection 187K(2) provides that the CAC’s decision must be in writing.
11. Subsection 187K(3) provides that the CAC’s decision may be unconditional, or subject to such conditions as specified in the decision. Such conditions may include limits on the time for which the exemption or variation applies, limits on the numbers of customers or the geographic scope of a particular type of service, or requirements for ongoing consultations with agencies.
12. Subsection 187K(4) provides that a decision made by the CAC under subsection 187K(1) is not a legislative instrument. Subsection 187K(4) has been included to assist readers, as the instrument is not a legislative instrument within the meaning of section 5 of the Legislative Instruments Act 2003.
13. Paragraph 187K(5)(a) provides that where a service provider applies in writing for a particular decision, the CAC must give a copy of the application to affected enforcement agencies or security agencies and may give a copy to the ACMA. Where the requested exemption has an impact on the investigative capabilities or regulatory functions of an agency, it is appropriate that the CAC consults with that agency.
14. Paragraph 187K(5)(b) provides that if the CAC does not respond to a service provider’s application within 60 days, the decision requested by the service provider is deemed to have been granted to that service provider. This provision is intended to ensure that the CAC resolves applications in a timely manner and provides certainty for service providers as to their legal obligations under the TIA Act at any given time.
15. Subsection 187K(6) provides that the deemed decision under paragraph 187K(5)(b) has effect only until the CAC makes and communicates to the service provider a decision on the application. This ensures that the deemed exemption is only temporary.
16. Subsection 187K(7) requires that, in granting an exemption or variation, the CAC must take into account the interests of law enforcement and national security, which can include the relevance to law enforcement or national security of the services for which an exemption or variation is being sought.
17. The CAC must also take into account the objects of the Telecommunications Act 1997,[1] the main object of which is to provide a regulatory framework that promotes:
• the long-term interests of users of telecommunications services,
• the efficiency and international competitiveness of the Australian telecommunications industry, and
• the availability of accessible and affordable carriage services that enhance the welfare of Australians.
18. The CAC must also take into account the service provider’s history of compliance with Part 5–1A of the TIA Act, the service provider’s costs, or anticipated costs, of complying with data retention obligations under Part 5–1A, and any alternative data retention or information security arrangements that the service provider has identified. Such alternative data retention and security arrangements could be formalised as part of an exemption or variation granted by the CAC. Service providers are in a unique position to draw to the CAC’s attention specific cost implications, and to suggest alternative compliance arrangements in support of any exemption application.
19. Subsection 187K(8) enables the CAC to take into account any other relevant matter when deciding whether or not to grant an exemption or variation, which might include relevant technological or industry factors such as:
• the size, market share and national security and law enforcement risk profile of the service provider
• the degree to which an exemption would effectively mitigate costs and minimise impacts on the service provider’s cash flow, and
• the pre-existing business plans of the service provider.
20. Pursuant to section 33(3) of the Acts Interpretation Act 1901, the power to make or grant an instrument of administrative character, such as an exemption or variation under subsection 187K, is to be taken as including a power to repeal, rescind, revoke, amend or vary any such instrument. This power is to be exercised in the same manner and subject to the same conditions (if any) that applied to the making or granting of the instrument.
21. The CAC may seek to exercise the power to repeal or revoke an exemption or variation in a range of circumstances, including where an exemption (that has been granted on the expectation that it will remain confidential) becomes known publicly, to a class of persons, or to a specific individual in circumstances where that disclosure would have a detrimental impact on the interests of law enforcement and national security.
Section 187KA – Review of exemption or variation decisions by the ACMA
22. Section 187KA implements recommendation 15 of the 2015 PJCIS Report.
23. The ACMA has the ability to determine disputes in relation to applications for data retention implementation plans (including applications for amendment). This item provides the ACMA with the additional role to determine disputes when a service provider has applied to the CAC for an exemption or variation from the data retention obligations. As such, section 187KA ensures a consistent approach to disputes between the CAC and service providers regarding the application of data retention obligations.
CAC exemption regime
24. Division 3, Part 5–1A of the TIA Act provides a mechanism for the CAC to grant an exemption to a service provider from some or all of the mandatory data retention obligations. The scheme operates in a similar way to the existing exemption regime for interception capability under section 192 of the TIA Act.
25. Under the data retention exemption scheme, a service provider may apply to the CAC for an exemption and the CAC is required to make a decision on the application within a specified period. The exemption may also stipulate expiration dates or circumstances whereby the service provider must reapply for an exemption.
26. The CAC exemption facility indirectly strengthens the right to privacy of individual customers in that it provides a method of reducing data retention obligations, for example, in circumstances where the volume of data to be retained is disproportionate to the interests of law enforcement and national security.
Right to an effective remedy – Article 2(3) of the ICCPR
27. Article 2(3) of the ICCPR protects the right to an effective remedy for any violation of rights or freedoms recognised by the ICCPR, including the right to have such a remedy determined by competent judicial, administrative or legislative authorities or by any other competent authority provided for by the legal system of the State.
28. Section 187KA allows the CAC to refer disputes over applications for exemptions from and variations to data retention obligations to the Australian Communications Media Authority (the ACMA).
29. Section 187KA engages and promotes the right to an effective remedy as it provides service providers with an additional remedial avenue for the resolution of disputes by the ACMA in relation to exemptions or variation decisions made by the CAC.
30. The Bill also confers on the ACMA a role to arbitrate disputes in relation to data implementation plans between the CAC and service providers and allows a service provider to apply to the ACMA for a review of CAC decisions about exemptions or variations of retention obligations applicable to their services.
31. Providing administrative review of CAC decisions, in addition to judicial review[2], advances an applicant’s right to an effective remedy.
32. Division 3 of Part 5–1A provides that the CAC may grant exemptions to service providers for any or all of the obligations. The CAC is required to consider both the interests of law enforcement and national security agencies, and the objects of the Telecommunications Act 1997 when deciding whether to grant an exemption. This allows exemptions to be granted where, for example, telecommunications data relating to the relevant service is likely to be of little or no relevance to law enforcement or national security investigations, or where the cost of complying, either in full or in part, with data retention and security obligations in relation to the relevant service would be disproportionately high.
33. Division 4 of Part 5–1A provides that the CAC must treat applications for implementation plans and exemptions as confidential, as must any person to whom the CAC discloses such applications. Division 4 also provides that the contravention of data retention obligations under Part 5–1A attracts civil penalties. Further, Division 4 allows the Commonwealth to make a grant of financial assistance to service providers and provides that the Privacy Act applies in relation to a service provider to the extent of their data retention activities. Division 4 also requires the Parliamentary Joint Committee on Intelligence and Security (the PJCIS) to review the operation of the data retention regime within three years of the mandatory data retention scheme being fully implemented and requires the Minister to report annually on the operation of the data retention regime.
34. Under Division 2 of Part 5–1A, a service provider may seek approval of a data retention implementation plan that replaces the service provider’s obligations under section 187BA while the plan is in force. Additionally, under Division 3 of Part 5–1A a service provider may apply for and receive an exemption from or variation to the service provider’s obligations under section 187BA. An example of a situation in which such an exemption or variation might be appropriate would be where the cost of encrypting a legacy system that was not designed to be encrypted would be unduly onerous and the service provider has identified alternative information security measures that could be implemented. However, an exemption would not normally be appropriate where fulfilling the data protection obligations would be merely inconvenient.
35. Section 187C sets out the required period for service providers to retain specified telecommunications data. A retention requirement of two years is necessary having regard to the requirements of national security and law enforcement agencies to have telecommunications data available for investigations. It is also consistent with privacy expectations and the privacy of users of the Australian telecommunications system. The experience under the former European data retention scheme was that, while frequently data accessed by agencies was less than six months old, for national security and serious criminal offences, data up to two years old would often be required for the most complex investigations into crimes and threats to national security that can have the most damaging effect.
36. However, the retention period in section 187C is subject to an exemptions regime in Division 3 of Part 5–1A. In particular, paragraph 187K(1)(c) allows the CAC to reduce the required retention period. In addition, data retention implementation plans that a service provider may provide under Division 2 of Part 5–1A of the TIA Act may also be relevant to the period for which a service provider must retain relevant data. It is possible for a data retention implementation plan to specify a retention period for a service offered by a service provider of less than two years in relation to services under the plan while the plan is in force.