INSIGHT

Federal Government passes wide-ranging data retention laws

By Gavin Smith

In brief

Telecommunications and internet service providers will incur significant new compliance costs under the Federal Government's controversial new data retention laws. Following a wave of criticism of the Government's original proposals, a number of important changes were made to the original Bill during its passage through Parliament, including the introduction of safeguards on access to the retained data by government agencies and concessions made to protect journalists' confidential sources. Partner Gavin Smith, Lawyer Brydon Wang, and Law Graduate Leah Wickman report on what the new regime means for the telecommunications industry.

How does it affect you?

  • The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth) was passed on 26 March 2015. Its wide-ranging new set of data retention obligations on telecommunications carriers, carriage service providers and internet service providers (the service providers) will lead to significant new compliance costs that are likely to be passed through to customers. It remains unclear how much the Federal Government will contribute to the scheme, but it has indicated that it will make 'an appropriate upfront contribution to the costs'.[1] The costs of the scheme are likely to be revealed during the release of the budget in May. However, PricewaterhouseCoopers estimates the cost to be between $188.1 million and $319.1 million[2] and the Office of Best Practice estimates an annual increase of $73.8 million in compliance costs.[3]
  • The Bill was passed in both houses with bipartisan support after having been on the legislative agenda for nearly two years.[4] A number of important changes were made during the Bill's passage through the committee stage and debates in both houses. Of these, the following are perhaps the most important:
    • clarification on the specific data set to be retained;
    • oversight on access to data by both the Commonwealth Ombudsman and the Parliamentary Joint Committee on Intelligence and Security (PJCIS); and
    • a mechanism to protect the confidential sources of journalists.
  • Neither the amendments to the Bill nor the explanatory memorandum touch on the PJCIS's recommendation, and the Government's surprising agreement, that a broader mandatory data breach notification scheme should be introduced into law. Nonetheless, it is understood that this scheme is still slated for implementation by the end of 2015, and will apply to all organisations currently subject to the Privacy Act 1988 (Cth). For more information about the proposed mandatory data breach law, see our Client Update: Data deal – mandatory data breach notification laws to be introduced as trade-off for controversial metadata retention regime.
  • Enforcement options currently available under the Telecommunications Act 1997 (Cth) for non-compliance by telecommunications service providers will apply to the new data retention regime including remedial directions, formal warnings and pecuniary penalties. If a service provider which is subject to the new regime fails to comply with its requirements, it could be issued with infringement notices by the ACMA.

How the TIA has changed

The Act amends and builds on existing mechanisms set out in the Telecommunications (Interception and Access) Act 1979 (Cth) (the TIA). Chapter 4 of the TIA already sets out a scheme under which certain government bodies and agencies can gain access to telecommunications data (but not the content of communications) held by carriers and carriage service providers. However, there is no obligation on carriers and carriage service providers to collect and store such data. The amendments introduce a new data retention obligation, standardise the types of data that must be retained and standardise the time for which the retained data must be held.

The amendments also limit who can access both telecommunications data and stored communications. As the law stands, any authority or body that enforces criminal law, a law imposing a pecuniary penalty or a law that protects public revenue can access telecommunications data or stored communications. This will now be limited to agencies that fall under the definition of a 'criminal-law enforcement agency' (Enforcement Agency), ensuring that only authorities and bodies with a demonstrated need have access to the data and can apply for stored communications warrants.

Clarification on the data set to be retained

Clients who will be subject to the new data retention laws will need to retain all data falling within the scope of the data set for a minimum of two years. The data set has been specified in the Act and includes:

  • the type of communication (SMS, phone call, email, video chat, social media platform) and what features were used (data volume usage, call forwarding, call waiting);
  • the date and time of a communication (when a phone call is made, an email or message is sent, or when a chat began);
  • the duration of a phone call and size of email;
  • what service was used (ADSL, cable, GPRS, Wi-Fi);
  • the identifiers of the account participating in the communication (email addresses, phone numbers of incoming and outgoing caller, identification number of a mobile device that was used);
  • data on the status of the service and any related account or device; and
  • the location of the equipment (phone, wifi hotspot, cell tower) at the beginning and end of the phone call.

Importantly, the data set does not include the content of emails or calls and does not include a user's web browsing history, log-in information or password.

All data retained under the new regime will be 'personal information' under the Privacy Act. The data stored must be encrypted, although the new laws do not prescribe any particular type of encryption. A service provider can apply for an exemption to the requirement to encrypt data by offering an alternative information security measure where compliance costs relating to the encryption would be 'unduly onerous'.

Oversight on access to data

Under the TIA in its existing form, an authorised officer must have 'regard to whether any interference with the privacy of any person… is justifiable' before authorising the disclosure of data, having regard to the data's likely usefulness and relevance, and why the disclosure or use is being proposed. The law as amended by the Act will now require the authorising officer to 'be satisfied on reasonable grounds that any interference with the privacy of any person… is justifiable and proportionate' [emphasis added], and the authorising officer will have to have regard to the gravity of any conduct in relation to which the authorisation is sought, as well as its relevance, usefulness and the reason it is being sought.

The amendments also address concerns that data retained under the regime could be accessed by civil litigants as an evidentiary source by prohibiting litigants from accessing data in connection with civil proceedings. Only the Enforcement Agencies listed will have the power to access stored data. This list includes the ACCC and ASIC. Further, the Minister may declare an authority or body to be an Enforcement Agency; however, such a declaration has several conditions and a set expiration date of 40 sitting days of Parliament.

The Commonwealth Ombudsman and the Inspector General of Intelligence and Security (IGIS) will oversee enforcement agencies' access to telecommunications data. These enforcement agencies will be required to keep prescribed information and documents necessary to demonstrate they have exercised their powers in accordance with their statutory obligations.

The Ombudsman will have the power to inspect and oversee these records to ensure compliance and must publish a public report on its findings. While a suspected contravention reported by the Ombudsman may be contained in the public report, it neither gives rise to nor implies legal liability by the alleged contravening Enforcement Agency. It is therefore unclear what, if any, consequence a non-compliant Enforcement Agency will face.

The Commonwealth Ombudsman will have the power to require an officer of a particular Enforcement Agency to attend and provide information in relation to data access records. Failure to comply may result in imprisonment of up to six months. The Commonwealth Ombudsman cannot be sued in relation to the exercise of a power under the regime.

Additionally, the PJCIS must conduct a review of the scheme within two years of implementation.

Greens Senator Scott Ludlam was unable to obtain support for an amendment requiring service providers to 'take all reasonable steps' to keep data within Australia. However, despite there being no requirement to store the retained data onshore, Telstra has announced that it will store data retained under the new regime in Australia to allay customer concerns.[5]

Protections to confidential sources of journalists

For clients in the media, agencies seeking to access journalists' data for the purpose of identifying a confidential source will be required to first obtain a 'journalist information warrant'. The regime prohibits the grant of any historic or prospective authorisation for access to a journalist's or their employer's data without an ex ante judicial review and a journalist information warrant being issued. There are restrictions on who can apply for the warrant, particularly where an enforcement agency is not an interception agency. Attorney-General George Brandis has asserted that 'no comparable nations will have greater pre-authorisation approval and post-authorisation oversight requirements for journalists'.[6]

These warrants are to be issued by an appointed issuing authority (federal judicial officer or AAT member), who can only issue a journalist information warrant if they are satisfied that the warrant is reasonably necessary to:

  • enforce the criminal law;
  • locate a person reported as missing;
  • enforce a law that imposes a pecuniary penalty or protects the public revenue; or
  • investigate serious offences or an offence carrying a three-year imprisonment term.

The test to be applied is whether 'the public interest in the issue of the warrant outweighs the public interest in maintaining the confidentiality of the source'.

Applications for these warrants are assessed by the Public Interest Advocate(s) who can make independent submissions on the application. Agencies utilising these warrants have reporting requirements, and the PJCIS is to access this information in its long-term review of the data retention scheme. Warrants cannot remain in force longer than six months.

The rules make it an offence to use or disclose information on the journalist information warrant. Breach of the provision may lead to a maximum of two years' imprisonment. This matches equivalent offence provisions under the TIA relating to telecommunications interception warrants and stored communications warrants. However, the position of Public Interest Advocate has also drawn criticism from academia and the Media Entertainment and Arts Alliance (MEAA), who noted that the advocate would be bound by confidentiality protocols that would limit input from the affected journalist.[7]

What happens to data that is stored after the mandatory retention period?

The new laws do not prescribe any rules for the de-identification or destruction of the retained data after the expiry of the two-year retention period. However, given that data retained under the scheme will be 'personal information', APP 11.2 will apply once the two-year period has expired. APP 11.2 imposes an obligation on all organisations that are subject to the Privacy Act (not just telecommunications carriers, carriage service providers or internet service providers) to destroy or de-identify personal information if they no longer need the personal information for a purpose for which it may be used or disclosed under the Australian Privacy Principles. In practice, the costs of retaining the vast volumes of data that will be collected and retained under the scheme are likely to act as a powerful commercial incentive for service providers to delete the retained data as soon as the two-year retention period has expired.

Government contributions

The Government has indicated that it may contribute to the upfront costs of the data retention regime. The Act will provide a process by which the Commonwealth may make grants of financial assistance to service providers to assist the service provider in complying. The terms and conditions of that financial assistance are to be set out in agreements entered into with service providers on behalf of the Commonwealth and they will be provided with money appropriated by Parliament.[8]

Conclusion

The new data retention regime will have a very significant impact on telecommunications service providers. They will need to establish and implement new systems and processes to store the data and to deal with an expected increase in access requests from government agencies. That will come at an extremely high cost. And, ultimately, those costs will need to be passed through to consumers.

Footnotes

  1. Agence France Presse, 'Australia passes data retention bill amid privacy abuse concerns' (26 March 2015) Yahoo!7 News.
  2. Attorney-General's Department, 'Cost' Data Retention.
  3. Attorney-General's Department, Annual Deregulation Report 2014, 4.
  4. The Parliamentary Joint Committee on Intelligence and Security previously examined a mandatory data retention regime in its Report of the Inquiry into Potential Reforms of Australia's National Security Legislation, tabled on 24 June 2013.
  5. Rohan Pearce, 'Data retention: Telstra to keep customer data within Australia' (27 March 2015) Computerworld.
  6. James Bennett, 'Criminals may be able to get around Government's new metadata laws: Brandis' (27 March 2015) ABC News.
  7. Emma Griffiths, 'Data retention: Access to journalists' records to be tougher under deal between Government and Labor Party' (19 March 2015).
  8. Senate, Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 Revised Explanatory Memorandum 64 [347].