On Thursday 26 March 2015, the controversial Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (Cth), popularly known as the 'Data Retention Law' or 'Metadata Law', passed the Senate with bipartisan support. It is expected to come into effect by the end of this year.
The law requires telecommunications and internet service providers to retain personal 'metadata' for a minimum of two years, on the basis that law enforcement and government agencies require warrantless access to such information for the purposes of national security and combating serious crime.
In addition, the Government has pledged to introduce a mandatory data breach notification scheme by the end of the year, which would significantly increase the privacy compliance obligations of all entities subject to the Privacy Act 1988 (Cth).
What is data retention?
Data retention refers to the preservation of specified information and documents concerning an individual's telecommunications and online use. The categories of information specified are data about the communication, not the content of the communication (what is commonly referred to as 'metadata', although the legislation does not use that term).
By way of example, information about who you are, who you are calling, where you are calling from and the duration of the call is metadata, but what you actually say over the phone is not; that is known as 'content data'. The Data Retention Law expressly excludes web browsing history from the scheme. However, when it comes to internet usage, the line between what constitutes metadata and what constitutes content data can be difficult to draw.
What does the new law change?
What many people don't realise is that law enforcement and intelligence agencies already have access to your metadata without a warrant. However, at present, telecommunications companies are not required to keep specific types of data for law enforcement or national security purposes. Information that is retained, including metadata, is retained at the company's discretion for business, taxation, billing and marketing purposes.
In recent years, telecommunications companies have been retaining data for shorter periods because of the high cost of securely storing such large volumes of data.
The Data Retention Law has been created to combat the shrinking pool of metadata available to law enforcement agencies, by requiring telecommunication and internet service providers to retain metadata for a minimum of two years starting in 2017.
There are four key changes under the Data Retention Law:
- a compulsory requirement for telecommunication and internet service providers to retain metadata for a minimum of two years from 2017;
- 20 law enforcement and intelligence agencies will not require a warrant to gain access to metadata. These agencies include the ATO, ASIC and the ACCC;
- a warrant will still be required to access 'content data' (e.g. the contents or substance of a communication, or web browsing history); and
- a warrant will be required to access metadata of professional journalists for the purpose of identifying their sources.
The Data Retention Law also provides that the Australian Privacy Principles (under the Privacy Act 1988 (Cth)) apply to data retained under the data retention scheme. It also requires service providers to protect the retained data by encrypting it and by preventing unauthorised access to, and interference with, it.
What does this mean for my business?
If you are a telecommunication or internet service provider, it is likely you will be subject to the Data Retention Law. If so, you will need to review and update all data retention mechanisms and policies in order to meet your compliance obligations.
Although it is still unclear how much this regime will cost, it appears that telecommunication and internet service providers will shoulder the lion's share of the cost. Those costs can be expected to be passed on to consumers as higher telephone and internet service charges.
Foreshadowing of a Mandatory Data Breach Notification Scheme
The Data Retention Law has not introduced a mandatory data breach notification scheme. However, the Government accepted a recommendation to introduce a mandatory data breach notification scheme by the end of 2015.
It is not clear how this scheme will be implemented, although it is likely to affect all entities subject to the Privacy Act 1988 (Cth), not simply telecommunications and internet service providers. Such a regime will likely mean a significant change to the compliance obligations of every entity subject to the Privacy Act.
The Data Retention Law will only affect your compliance obligations if you are a telecommunications or internet service provider. However, the Government's pledge to introduce a mandatory data breach notification scheme by the end of 2015 could mean more onerous privacy compliance for all entities subject to the Privacy Act.