Prepared by Lisa Vanderwal, Special Counsel, Sydney office. Lisa advises our clients on all privacy and data protection issues relating to Australia, and has a particular focus on the telecommunications and technology industries.
New data retention obligations to apply to telecommunications carriers, internet service providers and others have been proposed by the Australian government. While there has been substantial opposition to the draft legislation, the government maintains that the proposed legislation is a key component in its suite of anti-terrorism legislative reforms.
The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 ("Bill") intends to introduce a compulsory retention period for certain types of information. As it is currently drafted, it will apply to:
- services that carry communications, or that enable communications to be carried, by guided and/or unguided electromagnetic energy;
- any services operated by a carrier, whether or not the particular service has to be licensed under the Telecommunications Act 1997 ("Telco Act");
- any services operated by an internet service provider ("ISP"), whether or not a particular service is governed by the Broadcasting Services Act 1992; or
- any person that operates a service in Australia, or owns or operates infrastructure in Australia, that facilitates, or relates to, the provision of a service for carrying communications or enabling communications to be carried.
Given current technology, and the likely development of additional technologies, it will be interesting to see whether services specifically designed to reduce the application of the Bill will be offered, such as communications services that can be accessed from Australia but where the provider is not an ISP, does not operate services in Australia, and does not own or operate any infrastructure in Australia.
Information that must be retained
The information that must be retained is limited to 6 categories of communication data:
- subscriber information, which includes names, addresses, other account details, device-related information, and information about other associated services;
- the source of a communication;
- the destination of a communication;
- the date, time and duration of a communication;
- the type of communication and service used in connection with a communication; and
- the location of a line, equipment or device used in connection with a communication.
The Bill specifically excludes certain types of information:
- The content or substance of a communication, which can only be accessed in accordance with Part 13 of the Telco Act, and the interception and stored communications provisions of the Telecommunications (Interception and Access) Act 1979.
- The address to or from which a communication is sent on the internet solely as a result of providing an internet access service, i.e. the web browsing history. However, if this information is obtained through a different method (for example in the subscriber details, or as a result of providing another service such as VoIP calls), then the web browsing history will be required to be retained. While the collection of web browsing information has been widely covered by the media, this alternative collection process appears to have been overlooked.
- Any information required to be deleted pursuant to a Determination made under section 99 of the Telecommunications Act 1997.
- Any location based information not normally kept in relation to the relevant service.
The retention period will vary depending on the type of information:
- All data other than subscriber information must be kept for 2 years from when it came into existence;
- Subscriber information must be retained while the subscriber's account is active, and for an additional 2 years from the date the subscriber account is closed.
Of course, businesses may retain this information after the statutory retention period has expired, provided that they have a legal right to do so – for example the information is required to be retained for tax purposes, or personal information is still required for the reason(s) that the personal information was originally collected under the Privacy Act 1988.
The Bill sets out a range of exemptions and implementation plans that are available to providers. However, the Explanatory Memorandum seems to indicate that exemptions may be difficult to obtain, and the process of applying for implementation plans may be challenging with the current resourcing in the Attorney-General's department.
There is a range of civil penalties under the Telco Act for a failure to retain the required information, including remedial directions, formal warnings, infringement notices (with penalties of up to $10,000) and court-ordered pecuniary penalties of up to $250,000 for a body corporate and $50,000 for an individual for each contravention.
Who can access this information?
Only State, Territory and Federal police, anti-corruption bodies, and customs can access any of the retained information, provided that the access is reasonably necessary for:
- enforcement of the criminal law;
- enforcement of a law imposing a pecuniary penalty; or
- protection of the public revenue.
What is the current status?
The Bill has been referred to the Parliamentary Joint Committee on Intelligence and Security, and it is anticipated that the Committee's report will be tabled on 27 February 2015.