Australia’s new data retention laws came into effect on 13 October 2015. Under the laws telecommunications service providers (including ISPs) must retain certain data about the use of their services for a two year period and make that data available to law enforcement bodies on request.
But in the first few weeks of operation, several implementation problems with the new laws have arisen.
First, the obligation to retain data catches a broad range of entities, including some that do not provide telecommunications or internet access services as part of their core business.
Second, the laws have added a new layer of privacy obligations for smaller ISPs and telecommunications service providers.
Third, retained data must be encrypted; however, the standard for this encryption is unclear and the cost of making it happen is potentially significant.
THE LONG ARM OF DATA RETENTION LAWS
The data retention laws apply to carriers, carriage service providers and internet service providers who own or operate infrastructure in Australia that enables the provision of telecommunications services.
The wide scope means that some organisations that don’t provide telecommunications or internet access services as part of their core business may still be required to retain data under the new law.
For example, some Australian universities may fall within the definitions of “carriage service provider” and “internet service provider” as they provide telecommunications services (including internet network access) to entities located on their campuses.
Organisations must decide whether to comply with the data retention obligations (and incur the associated expenses) or apply to the regulator for a formal exemption from the requirement to comply.
Other entities that provide telecommunications and internet access services as an ancillary function to their core business must also consider whether they are obligated to retain data and whether they need to seek an exemption.
A range of penalties (including financial penalties) apply to service providers that fail to retain data in accordance with the laws’ requirements.
The data that must be retained relates to the source, destination, time, date and duration of communications as well as subscriber account information and the location of equipment used to send communications.
Service providers are not required to retain the content of communications sent using their services.
The Federal Government has pledged $131 million in assistance to partially meet service providers’ implementation costs. However, to what extent this will compensate the industry is currently unknown. Close to a quarter of the service providers surveyed by the Communications Alliance prior to the commencement of the data retention laws estimated that their compliance costs would exceed $1 million.
There is also concern that the costs of complying may make some smaller service providers (particularly ISPs) commercially unviable.
At this stage it’s not known how the assistance funding will be allocated among providers, and grants are not expected to be provided until early 2016.
COMPLEX PRIVACY OBLIGATIONS
The new data retention laws also add a new layer of privacy obligations for smaller telecommunications service providers.
At present, small businesses (including telecommunications service providers) with a turnover of $3 million or less per year are generally exempt from complying with the Privacy Act.
However, this exemption doesn’t apply to any data that small businesses are required to retain under the new data retention laws.
This means that small-scale telecommunications providers, for example, will need to fully comply with the Privacy Act with respect to retained data.
Their new obligations will include:
- providing privacy notifications to individuals at or around the time that data is collected; and
- subject to certain exceptions, providing individuals with access to the data held about them.
Importantly, under the Privacy Act, small-scale telecommunications service providers may also be liable for the misuse of any data that is transferred outside of Australia. This may affect the ability of small-scale providers to take advantage of less expensive data storage solutions offshore, again increasing the cost of data retention compliance.
Under the data retention laws, service providers must protect the confidentiality of retained data by encrypting it and protecting it from unauthorised interference or access. The legislation does not specify a standard for encryption.
According to the regulator, service providers can choose one of two ways to meet their encryption obligations:
- create a stand-alone data store that is encrypted and protected for the retained data while leaving general operational systems unchanged; or
- expand operational systems to meet the required data capture and storage requirements and encrypt and protect those systems.
Both choices potentially add cost and complexity to service providers’ operations.
The Communications Alliance surveyed 63 service providers just prior to the new laws coming into effect, and found only 16% considered themselves to be “ready” to retain and encrypt data in accordance with the laws.
With this in mind, the Attorney-General’s Department has stated that its current focus is on implementation rather than enforcement.