Telecommunications service providers in Australia must now collect and retain telecommunications data for a period of two years under recent amendments to the Telecommunications (Interception and Access) Act 1979 (Cth) ("Act"). The new laws apply to service providers, including internet service providers, carriage service providers and holders of a carrier licence that own or operate infrastructure in Australia. Service providers who are unable to comply with the new laws may apply for approval of a "data retention implementation plan" outlining the service provider's current practices for keeping and ensuring confidentiality of information and interim arrangements prior to full compliance with the Act (for a period of 18 months from 13 October 2015). Service providers that do not comply with their data retention obligations may face pecuniary penalties of up to AUD250,000 payable by a body corporate for each contravention of the Act.
Purpose of the New Telecommunications Data Retention Laws
Australian security agencies have "previously identified the lack of availability of data as a key and growing impediment to the ability to investigate and to prosecute serious offences". The amendments to the Act are intended to standardise the types of telecommunications data that service providers must retain and the period of time for which that information must be held.
Telecommunications Service Providers Subject to Data Retention Laws
The new laws apply to service providers, including internet service providers, carriage service providers and holders of a carrier licence, that own or operate infrastructure in Australia that enables the provision of a service that is:
- for carrying communications, or enabling communications to be carried, by means of guided or unguided electromagnetic energy or both;
- operated by a carrier, internet service provider or a carriage service provider; and
- not otherwise excluded (broadcasting service providers are expressly excluded from the data retention obligations).
The laws do not apply to a service provider where the service it operates is provided only to the provider's "immediate circle" or is provided only to places that are all in the "same area", i.e. providers such as hotels or restaurants that provide Wi-Fi to their patrons are excluded from complying with the data retention obligations.
Further, the definition of an "internet service provider" (Schedule 5 to the Broadcasting Services Act 1992 (Cth)) does not extend to service providers that do not provide internet access to customers nor the resale of capacity on dark fibre to customers, which may include some cloud computing providers.
Types of Data Required to be Retained and the Relevant Retention Periods
Telecommunications service providers are required to retain data that includes information about:
- the subscriber (name, address and other information identifying the subscriber of the service);
- the contract, agreement or arrangement relating to the service or any related account, service or device;
- billing, payment or contact information relating to the service;
- identifiers relating to the service or any related account, service or device;
- status of the relevant service or any related account, service or device;
- the source and destination of a communication, i.e. identifiers of a related account, service or device from which, or to which, a communication has been sent;
- the date, time (including time zone) and duration of a communication, or of its connection to or disconnection from a service;
- the type of communication or the relevant service used in connection with a communication—types of communication include voice, SMS, email, chat, forum or social media; types of the relevant service include ADSL, Wi-Fi, VoIP and cable; and the features of the relevant service that were or would have been used or enable the communication include call waiting, call forwarding and data volume usage; and
- the location of equipment, or a line, used at the start and end of a communication, e.g. cell towers and Wi-Fi hotspots.
The data that is required to be retained by service providers does not include the content of emails or calls, a user's internet browsing history, password or other log-in information for accounts and includes only the above-listed metadata.
If the information or document contains information as described in the first two points above, the service provider must retain the documents or information for a period starting from when the information or document came into existence and ending two years after the closure of the account to which the information or document relates. For all other types of information or documents required to be retained, the service provider must retain such data for two years starting from when the information or document came into existence.
Access to Retained Data
There are currently 14 Australian criminal law enforcement agencies that may access the retained data, including the Australian Federal Police, the Police Force of each state in Australia, the Australian Competition and Consumer Commission, the Australian Securities and Investments Commission and the Independent Commission Against Corruption. Interestingly, the Australian Taxation Office is not a prescribed criminal law enforcement agency (although the Attorney-General may make a declaration adding additional bodies as criminal law enforcement agencies). A recent parliamentary report has suggested that the Australian Taxation Office should be declared as a criminal law enforcement agency "for the purpose of protecting public finances from serious criminal activities such as major tax fraud".
The new laws do not alter the manner in which Australian criminal law enforcement agencies can access retained data. There are three situations where Australian criminal law enforcement agencies may access telecommunications data, namely where:
- the disclosure is reasonably necessary for the enforcement of Australian criminal law;
- the disclosure is reasonably necessary for the purposes of finding a person who the Australian Federal Police, or a Police Force of a state, has been notified is missing; or
- the disclosure is reasonably necessary for the enforcement of an Australian law imposing a pecuniary penalty or for the protection of the Australian public revenue.
Compliance with Data Retention Laws
Any service providers who are unable to comply with the Act may apply to the Communications Access Co-ordinator for approval of a "data retention implementation plan" outlining the service provider's current practices for keeping and ensuring confidentiality of information and interim arrangements prior to full compliance with the Act. If the Communications Access Co-ordinator approves the plan, the service provider will have 18 months from 13 October 2015 before full compliance with the Act is required.
Service providers may also apply to the Communications Access Co-ordinator for exemptions from and/or variations of their data retention obligations, with such applications to be considered confidentially and on a case-by-case basis.
Service providers that do not comply with their data retention obligations may face pecuniary penalties of up to AUD250,000 payable by a body corporate for each contravention, or up to AUD50,000 payable by an individual for each contravention. Service providers that infringe the Act may also receive infringement notices from the Australian Communications and Media Authority with penalties of up to AUD10,800 for body corporates, or AUD2,160 for individuals, as well as formal warnings or remedial directions.