- In April, the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth) (Data Retention Act) received assent.
- The legislation mandates that, in general, telecommunication companies and internet service providers (Telcos) must store their customers’ metadata for a period of two years from the date of its creation.
- From 13 October 2015 service providers will need to comply with the Privacy Act in relation to the data they collect and retain under Part 5-1A of the Data Retention Act, including information collected and retained under an approved data retention implementation plan.
The Attorney General’s office has called for increased obligations on Telcos in relation to the collection and storage of metadata, in light of Telcos retaining less data and keeping it for shorter periods. The Attorney General has indicated that the absence of such a regime is ‘degrading the investigative capabilities of law enforcement and security agencies and, in some cases, has prevented serious criminals from being brought to justice’.[1]
Service providers that use communications infrastructure in Australia to operate any of their services may be subject to data retention obligations. Service providers include licensed carriers, carriage service providers and internet service providers. Under the Data Retention Act, these service providers must keep a limited set of metadata (information about the circumstances of a communication) for two years. Importantly, this does not extend to the content of the communication, and web-browsing history is specifically excluded from the scheme. The legislation also requires service providers to secure the stored data by encrypting it and preventing unauthorised access. The new scheme places further responsibilities on service providers: Part 5-1A requires all service providers that collect and retain telecommunications data under the data retention scheme to comply with the Privacy Act in relation to that data.
The Government has estimated the upfront capital cost of the regime to business as a whole to be between $188.8 million and $319.1 million.[2]
Metadata – what is it?
Metadata is information about a communication (the who, when, where and how)—not the content or substance of a communication (the what). The set of metadata required to be retained and secured under the Data Retention Act is defined by reference to the following six types of information:
- the identity of the subscriber to a communications service,
- the source of the communication,
- the destination of the communication,
- the date, time and duration of the communication,
- the type of the communication, and
- the location of the equipment used in the communication.
The Australian Government is not requiring Telcos to retain a person’s web-browsing history or any data that may amount to a person’s web-browsing history. The retention relates to ‘data about data’, not content.
Metadata as personal information
In May, the Information Commissioner, Timothy Pilgrim, made a determination indicating that metadata may be considered ‘personal information’ for the purposes of the Privacy Act 1988 (Cth).[3] Relevantly, the decision signifies that metadata stored under the Data Retention Act may also need to be treated as ‘personal information’ under the Privacy Act as well as the Telecommunications Consumer Protection Code. The Commissioner appears to have taken the view that metadata will be ‘personal information’ if:
- it is possible: the organisation has in place a process of cross-matching against different network management and records management systems to determine an individual’s identity, and
- it is reasonable: that process would not ‘exceed the bounds of what is reasonable’ for the organisation to perform in light of its resources and operational capabilities.
The Attorney General’s office has advised that data retained by industry under the mandatory data retention regime is protected as personal information for the purposes of the Privacy Act and the Australian Privacy Principles (APPs) and, as such, “the Privacy Commissioner will assess industry compliance with the APPs, as well as monitoring industry’s non-disclosure obligations under the Telecommunications Act”.[4]
Where to from here?
In August, the Office of the Australian Information Commissioner (OAIC) released a privacy business resource intended to assist Telcos to comply with their obligations in respect of the storage and management of metadata.[5]