The introduction of data retention laws for carriers and carriage service providers has been discussed between the Federal Government and the Australian telecommunications industry for more than 10 years. In the context of heightened concerns over national security associated with developments in the Middle East, the Federal Government has decided to act on this issue.

On 30 October 2014, the Federal Minister for Communications, Malcolm Turnbull, introduced the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (Cth) (Bill) into the House of Representatives.

The Bill will amend the Telecommunications (Interception and Access) Act 1979 (Cth) (Act) to require the retention of loosely specified categories of data arising from customer communications for not less than two years. Key account information must be kept until two years after the closing of the relevant account. Other information must be kept for two years from creation. It is the stated intention of the government to pass the Bill before the end of the year.

Who is subject to the proposed law?

The law will apply to carriers, carriage service providers (including ISPs as defined by schedule 5 of the Broadcasting Services Act 1992) and anyone prescribed by Regulation (service provider). There is an exception for services provided only to those within the service provider's immediate circle or where the connectivity is provided to people in the same place. These exceptions exempt communication services within a corporate group and services such as the provision of WiFi services by a café.

What would be required?

The Bill requires that service providers keep some information for two years from the date when the account of the relevant customer is closed and broader categories of information for not less than two years from creation. Service providers that are not able to comply immediately can seek approval to implement a "data retention implementation plan" while taking steps to fully comply.

In order to be approved, a data retention implementation plan must contain an explanation of current practices for keeping information, interim arrangements that the service provider proposes to be implemented while the plan is in force and the day by which the service provider will be able to retain the information as required by the Bill.

The data retention implementation plan must be approved by the Communications Access Co-ordinator (the Secretary of the Department or such other person as specified by the Minister).

What information must be retained?

Regulations will be made specifying details of information to be kept. The information can be about subscribers, accounts, telecommunications devices, other services, the source of a communication, the destination of a communication, the date, time and duration of a communication, the type of communication, service used and the location of equipment or line used. 

The relevant Explanatory Memorandum (EM) states that most of the information required will form part of general customer records which are already generally retained by service providers for seven years. However, it appears that the information specified will include technical information not currently retained by subject entities and the legislation makes it clear that the service provider must keep the relevant information even if it is not created by the relevant service.

What does not need to be retained?

The proposed law provides that regulations cannot require a service provider to keep the contents or substance of a communication, nor an address to which a communication was sent from a telecommunications device.  Specific mention is made that this exception is intended to make clear that browsing histories are not required to be retained. However, the breadth of the information that may be retained may be sufficient to enable a browsing history to be reconstructed from the other information that must be retained.

Will there be an exemption?

There is scope for a service provider to apply to the Communications Access Co-ordinator for an exemption from having to comply in whole or in part with the data retention obligations imposed by the proposed law. Factors to be taken into account in assessing an application include the interests of law enforcement and national security, the objects of the Telecommunications Act 1997 (Cth) and the service provider's costs of complying with the Bill.

Who could access the data?

The Bill limits the statutory right to access the data to criminal law enforcement agencies as defined in the Bill. The Minister retains a right to add agencies by Regulation, once satisfied of certain matters. 

The agencies include the Australian Federal Police, the Independent Commission Against Corruption and the Australian Customs and Border Protection Service. An enforcement agency can obtain access to the retained records by issue of a notice requiring access from an "authorised officer" who may be the Head or Deputy Head or a senior executive employee authorised by the agency.

The current definition of enforcement agency in the Act includes any body whose functions include administering a law imposing a pecuniary penalty or administering a law relating to the protection of the public revenue. It also includes a body or organisation responsible to the Ministerial Council for Police and Emergency Management. The more limited definition of criminal law enforcement agency contained in the Bill would therefore have the effect of removing the rights of a wide range of Commonwealth and state instrumentalities to access stored data, until and unless their power to access the information is reinstated by ministerial decree.

The Bill requires the relevant agencies to keep records of their access requests and gives oversight of the administration of the process to the Commonwealth Ombudsman. The Commonwealth Ombudsman is required to report to the Minister and Parliament regarding the extent of compliance of law enforcement agencies with their data access and use obligations under the Act.

Note that there is nothing to prevent information retained under data retention requirements from being accessible by subpoena in civil and criminal cases generally.

What happens if you don't comply?

The failure of a service provider to comply with the requirement of the Bill is a civil offence carrying a penalty of up to $250,000.

Compensation

The Act provides that interception agencies are to bear the cost incurred by a carrier in developing, installing and maintaining a delivery capability required by the Communications Access Co-ordinator. No similar provision is made to assist service providers with meeting the costs of complying with these new obligations.

Despite some comments by the government that it would make a contribution towards the cost of compliance, the Bill makes no mention of costs, leaving service providers bearing the full impact of these changes.

A copy of the Bill and its Explanatory Memorandum can be found here.

Comment

Although the regulations specifying the detail of the data to be retained have not been made available, the new law is clearly intended to require telecommunications companies to create and maintain a significant new data set. The storage, maintenance, access and use of this data set will require complex technical solutions and complex security arrangements. The amount of information to be stored may be vast.

The retained information could describe or make it possible to infer the location, relationships and behaviours of subject individuals over time.  The data will be a valuable resource for civil litigants as well as law enforcement agencies.  Lawyers involved in disputes and prosecutions of all kinds will need to become familiar with the nature of the information kept and how it can be used. Telecommunications companies will need to accommodate an increase in legal demand for stored information and manage the procedures required for deleting information that is older than the required retention period.

The retained data will be a target for hackers. Concerns have been expressed that mandating the retention of data will increase the risk of identity theft, blackmail and other adverse consequences for individuals affected by data theft.

There have been reports that the government is considering providing compensation to companies that are subject to the new law. It will be interesting to see whether the proposed compensation extends beyond implementation costs to the ongoing operations issues associated with maintaining, administering and protecting the information to be retained.