In October 2015, a new metadata retention scheme was introduced by way of amendments to the Telecommunications (Interception and Access) Act 1979 (Cth) (the Act). The scheme requires telecommunication carriers and internet service providers to retain for a period of two years metadata that outlines details of communications, such as:
- Account holder details;
- The source from which the communication comes;
- Date, time and duration of the communication;
- Location from which the communication was sent;
- The type of communication that was sent (i.e. by voice, social media, text message, email, etc).
Contents of communications need not be retained.
The joint media release issued on 3 March 2015 outlines that the overarching intention of the amendments is for use by law enforcement agencies to combat terrorism, espionage and cyber-attacks. The Australian Federal Police advised that between July and September 2014, telecommunications data was used in 100% of cybercrime investigations as well as 92% of counterterrorism investigations.
In order to protect the privacy of individuals, section 187BA of the Act requires that stored metadata be encrypted and protected against unauthorised interference or unauthorised access. Until the scheme has been implemented, it is unclear whether the protections that section 187BA provides are sufficient to avoid breaches by way of accidental disclosure or through a cyber-attack. Further, it is unclear whether such metadata can be subpoenaed in litigation (or if certain privileges attach to such metadata retention or companies affected by the amendments to the Act).
The amendments highlight the government's recognition of the competing needs for access to information regarding individuals for security purposes and the rights of individuals to privacy.
Naturally, the Privacy Act 1988 (Cth) regulates the use of information retained in relation to individuals and any breaches can be investigated by the Privacy Commissioner. However, given Australia does not have a tort of breach of privacy (or intrusion upon seclusion), individuals who have been affected by a breach/misuse of such metadata may not have any direct cause of action against the party committing the breach (to see our earlier blog on this issue, click here).
The introduction of a mandatory data breach notification scheme could help to regulate telcos as well as give the government the ability to review and consider implementing further security measures. This was previously recommended by the Parliamentary Joint Committee on Intelligence and Security.