Key Points:

Licensed carriers, carriage service providers and internet service providers must now retain and secure for two years metadata relating to the telecommunications services they offer, unless they have an approved Data Retention Implementation Plan.

New laws amending the Telecommunications (Interception and Access) Act 1979 (Cth) came into effect this week to require licensed carriers, carriage service providers and internet service providers to retain data arising from customer communications for not less than two years.

Up until the introduction of these new laws, the Act did not specify the types of data the telecommunications industry was required to hold, or specify how long that information should be retained for. This meant there was significant variation in the types of data available to law enforcement and national security agencies, impeding their ability to investigate and prosecute serious offences.

Who is subject to the new laws?

The new data retention obligations apply to licensed carriers, carriage service providers and internet service providers, but not to broadcasting service providers, which are specifically excluded from the new rules. Data retention obligations apply to a service that is:

  1. for carrying communications, or enables communications to be carried, by guided or unguided electromagnetic energy;
  2. operated by a carrier, carriage service provider or internet service provider;
  3. operated by a person who owns or operates, in Australia, infrastructure that enables the provision of any relevant service; and
  4. not otherwise excluded,

and apply regardless of the size of the service provider. The Communications Access Co-ordinator, a statutory office within the Attorney General's Department responsible for overseeing the scheme, may declare that services otherwise excluded are subject to the new data retention obligations.

As might be expected, the new obligations extend to carriers (that is, holders of a carrier licence) and ISPs. However, the data retention obligations also apply to a wider set of participants in the telecommunications sector, because the regulations apply to "carriage service providers". Under the Telecommunications Act 1997 (Cth), a "carriage service provider" is a person who supplies, or proposes to supply, a listed carriage service to the public using a network unit owned by one or more carriers.

Subject to certain exceptions, all providers of communications services need to consider whether, and to what extent, they need to comply with the new obligations. The exceptions ("same area" and "immediate circle") operate to exclude providers such as cafes that supply free Wi-Fi, or the internal internet networks seen in large corporations, from complying with the obligations. However, where relevant subscriber data such as billing information is "visible" to a provider (for example, a reseller of services to consumers), the relevant metadata will need to be retained.

When did these laws take effect?

The new laws came into force on 13 October 2015. Service providers who could not achieve compliance by that date may have applied to the Communications Access Co-ordinator for:

  • an extension of up to 18 months (from 13 October 2015) by lodging an implementation plan that details how they will achieve compliance; and
  • an exemption from and/or variation of the data retention obligations in relation to the services being provided.

Industry participants may face substantial penalties if they do not comply with the data retention obligations, including remedial directions, formal warnings, infringement notices (with penalties of up to $10,000) and court ordered pecuniary penalties of up to $250,000 for a body corporate and $50,000 for an individual for each contravention.

What data must be retained?

The data set captured by the new laws includes information relating to the source and destination of the communication, the date, time and duration of the communication, and the location of communications equipment. This information must be kept for two years starting from the date the information or document is created. This telecommunications "metadata" is distinct from the actual contents of a communication and does not include web browsing history.

The new laws also require the retention of subscriber and service level account information, which in some circumstances must be kept for the life of the account, and for a further two years after the closure of the account.

Service providers are obliged to retain only data about the services that they themselves provide. Some types of data, such as broadcasting data, are specifically excluded from the Act.

Who can access the data?

To comply with their obligations under the Act, service providers must protect the confidentiality of the information they retain by encrypting it and protecting it from unauthorised access or interference. Additionally, all service providers that are required to comply with the Privacy Act and the Australian Privacy Principles must have a clearly expressed and up-to-date policy about their management of personal information, including retained data. If the service provider would otherwise be exempt from complying with the Australian Privacy Principles (for example, a small business), the privacy policy needs to address the provider's activities that relate to the retained data.

A limited number of government enforcement and security agencies can access the data, including the Australian Federal Police and the Independent Commission Against Corruption.

Implementation

The Australian Government has committed to making a reasonable contribution to the capital costs of implementation of the data retention regime. It is widely expected that the remaining expense will be passed on to consumers.

The Attorney-General's Department has developed a package of guidance materials to support industry in understanding its data retention obligations.