As of 13 October 2015, Australian telecommunications companies and internet service providers (ISPs) must retain customers' metadata for two years. Under the new (controversial) laws, which were passed as amendments to the Telecommunications (Interception and Access) Act 1979, a limited number of enforcement and security agencies can access the stored information if they have an operational or legislative need. The Australian Government argues that the scheme is necessary to enable law enforcement and security agencies to maintain their investigative capabilities.
What Data Must Be Retained?
The retention obligations only apply to a specified list of telecommunications information. Colloquially referred to as "metadata" (i.e. the "who, when, where and how" of the communication), this is defined to include information about the telecommunications service provided, as well as the source, destination, date, time, duration and type of the communication and the location of the communications equipment. The content or substance of telecommunications and web browsing histories are explicitly excluded from the retained data set.
Who Has To Retain The Data?
The data retention obligations apply to all telecommunications providers and ISPs regardless of their size or customer base from 13 October 2015.
However, the legislation allows organisations to progressively achieve compliance over a period of up to 18 months through Data Retention Implementation Plans. This implementation period expires on 13 April 2017 and all affected providers must be fully compliant with the legislation by this date.
Who May Access The Data?
A limited number of enforcement and security agencies including State and Federal police forces, intelligence agencies and corporate and competition regulators may request access to stored data. Access must only be authorised if the agency can prove that the relevant data is reasonably necessary for the approved agency's operational or investigative need. This includes locating missing persons, enforcement of criminal law or a law imposing a pecuniary penalty, or the protection of public revenue. Access authorisations do not require a warrant except where access to retained data is sought for the purpose of identifying a journalistic source.
Further, the legislation does not prevent State agencies with independent evidence gathering powers using those powers to access metadata.
Data Retention: Privacy Concerns?
Australia's metadata retention scheme has attracted heated debate. Some politicians and public interest groups argue that the laws entrench mass surveillance without justification. The length of the retention period (which is long compared to other jurisdictions) and the regulation of access to the stored data are still a source of public concern and media criticism. In response, amendments were made to the legislation to include a requirement that all metadata be encrypted and specific protections for the phone and internet records of journalists.
Australia is not the only jurisdiction with concerns about the privacy implications of comparable domestic data retention laws. Some nations, including several EU countries and the U.S., have seen domestic data retention legislation challenged (frequently successfully in the EU, less so in the U.S.) on the basis that it violates the right to personal privacy protected by human rights charters or domestic constitutions. In the EU, we can also expect another important ruling from the European Court of Justice next year on the compatibility of data retention laws with the right to privacy (as reported in this post).
However, in contrast to the experience of other jurisdictions, it is doubtful that these personal privacy concerns will provide grounds for challenging the Australian legislation as Australia does not have a bill or charter of rights that enshrines a right to privacy or the protection of personal data. As a result it is likely that the Australian legislation will stand as passed until it comes up for review in October 2018.