Metadata Retention

On October 13th, the Telecommunications (Interception and Access) Act 1979 (Cth) legislated for the retention of metadata by telecommunications carriers and internet service providers (telcos) for a mandatory period of two years. This data will then be made available to federal, state and territory police, Medicare, Councils in NSW, Worksafe Victoria, the RSPCA, the Tax Office, Australia Post, domestic spy agency ASIO, ASIC and many others when conducting criminal and financial investigations.

What is Metadata

There is no formal legal definition of Metadata. The Attorney General’s department has submitted that it is data created ‘when online tasks are undertaken and other forms of electronic communication are made’.

In a more user friendly sense that definition would mean that the following would be considered meta:

Where using telephones:

  • Telephone numbers,
  • The time and length of phone calls
  • Location of parties making phone calls
  • To and from text number

When using the internet

  • The internet protocol addresses (IP addresses) of computers from which messages are received or sent
  • To and from email addresses on emails
  • Logs of visitors to chat rooms online
  • Status of chat sites – whether they are active and how many people are participating
  • Chat aliases or identifiers (the name a person uses in a chat room online)
  • Start and finish times of internet sessions
  • The location of an individual involved in communications
  • The name of the application someone uses online and when, where and for how long used

What is probably not Metadata

  • The content of any communications
  • The subject matter or subject line of a communication
  • What is said in a chatroom or email or text or a social media post
  • Attachments to emails such as photos or videos
  • Web camera transmissions
  • Browsing histories
  • The name of a websites a person visits

The New Laws

The scheme has been introduced for law and security purposes, so that law enforcement officials and security agencies can access Metadata without needing to first obtain a warrant. The exception to this is when obtaining information about journalists, in which a ‘journalist information warrant’ must be granted before Metadata is accessed. Without the need for warrants in most circumstances, there is little to no judicial oversight.

With such a large amount of information now being kept about an individual’s private communications, there is a risk that Metadata could be used in other ways, such as by hackers, cyber-criminals or in civil proceedings. In saying this, the Metadata must be stored in an encrypted format and protected against unauthorised access. The Privacy Act 1988 will apply to all Metadata retained under the scheme.

Given the size of the undertaking, many telcos have now entered into a ‘data retention implantation plan’, giving them up to 18 months to become compliant.

What next?

Alongside the Metadata Retention Scheme, the Joint Committee of Intelligence and Security suggested that a mandatory Data Breach Notification Scheme should be introduced. This scheme would add additional protections to those individuals whose information has been retained in the Metadata Retention Scheme. Under this scheme, in certain circumstances Australians would be notified if there was an unauthorised access to, or disclosure of, their personal information that was being held by a private sector organisation or the Federal Government.

The Federal government supported this recommendation and indicated its intent to introduce a bill for mandatory data breach notification laws later this year. It is believed that this new legislation would amend the Privacy Act (Cth). At this stage it is unclear whether the recommendation applies solely to data retention, or if the government intends to adopt is as a broader scheme applying to all entities subject to the Australian privacy principles.