The New Data Retention Laws: What You Need To Know

The new data retention law came into effect yesterday, meaning mobile and telecommunications companies must keep customer metadata for up to two years.

We at B&T spent the better part of our morning pulling together what you need to know about the new law.

What is the new law?

The new law was passed in March this year. It was first introduced in October 2014 as a further commitment from the Government to tackle possible terrorist threats and security. The changes mean government agencies and the Australian Security and Intelligence Organisation can have access to the data without a warrant. However, if the law is trying to find a journalist’s source, they are required to obtain a Journalist Information Warrant first.

The law requires telecommunications companies, such as Telstra, Optus, Vodafone and the like, to retain customer metadata records for two years. The legislation also requires the telcos to encrypt the data and not provide unauthorised access.

Metadata is the information about who you are communicating with, not what the content of the message is. So the metadata of a text message or email would be who is sending it, who is the recipient, the time and the place. But would not include the actual message inside the message.

The Government is not asking internet service providers to keep data on a person’s web browsing history.

Why was the new law needed?

Per the Government’s data retention hub, metadata is used in a number of criminal cases, to either rule out suspects, identifying people, as evidence and so on.

“Australia needs a data retention scheme because telecommunications companies are retaining less data and keeping it for a shorter time,” the website said.

“This is degrading the investigative capabilities of law enforcement and security agencies and, in some cases, has prevented serious criminals from being brought to justice.”

The data retention scheme was apparently needed in Australia because the constant explosions of technology mean some telcos aren’t keeping all types of metadata, which could be hindering criminal cases.

Cost

The scheme was estimated by PricewaterhouseCoopers (PwC) to cost all businesses between $188.8 million and $319.1 million each year.

The Government’s data retention site put this at less than one per cent of the $43 billion generated in revenue by the telco industry each year.

In February this year, before the law had been officially passed, the then Prime Minster Tony Abbott said it would not cost consumers and businesses more than $400 million.

“There are a range of figures which have been taken to the joint standing committee, but even at the highest estimate it’s less than one per cent of this $40 billion a year and growing sector,” he told the ABC.

“It seems like a small price to pay to give ourselves the kind of safety and the kind of freedom that people in a country like Australia deserve.”

Privacy

While the issue of privacy has been raised multiple times, the Government is insistent the data retention scheme is protected as personal information under the Privacy Act and the Australian Privacy Principles (APPs).

The APPs were updated in March last year. The sixth principle underlines the requirements for use or disclosure of personal information, stating the entity (whoever collected the information) must not use or disclose the information for another purpose unless the individual has consented, or it’s required by law. The principles go into more depth, which you can read about here if you would like.

However, many have called into question online privacy.

Contrubuting editor to the Sydney Morning Herald, Quentin Dempster, penned a piece saying it was the end of digital privacy in Australia.

“People are being asked by the Federal Parliament to accept that this regime of agency access is vitally necessary for national security at a time of geo-political tension, jihadi recruitment and the war on terror,” he wrote.

“But in a country where the biggest terrorism threat comes from lone wolves and random acts of terror, it’s a system that appears singularly ill-equipped to catch terrorists. What it does is render privacy a thing of Australia’s past.”

The Media, Entertainment and Arts Alliance (MEAA), the organisation for the media and journalists, recently condemned the move, saying it put journalists’ sources at risk. Read more about that here.

What’s happening with the telcos?

Scott Ludlam, Australian Greens deputy leader and communications spokesperson senator, yesterday said many internet service providers (ISP) hadn’t received a response about implementing the new changes from the Attorney-General’s Department.

“Instead of reinvesting in their businesses to meet the growing digital demands of Australians, ISPs are paying lawyers to try to decipher the data retention scheme and ensure their compliance with legislation that is vague and unclear,” he said in a statement on the Greens’ website.

“Smaller ISPs that serve regional communities may be forced out of business due to the expense that complying with this legislation has forced upon them. This implementation is Attorney-General George Brandis’ latest disaster.”

A Vodafone spokesperson said: “Vodafone is working with the Federal Government to agree the detail of our data retention implementation plan. We expect to complete all of the system upgrades and be compliant with our plan obligations by April 2017.

“Industry is still seeking clarification from government about how funding is to be allocated to offset the significant cost of systems changes and the on-going data retention obligations.

“The privacy of our customers and protection of their information is our highest priority and all customer personal information is handled in accordance with Australian privacy laws.”

An Optus spokesperson said: “Optus has established a significant compliance program and is on track to meet its meta-data retention obligations.

“We are working closely with the Attorney-General’s Department on a range of issues including administrative processes associated with compliance plans, and capital funding arrangements.”

A Telstra spokesperson said the company now has 18 months to become compliant after the approval of its implementation plan:  “Telstra has submitted a Data Retention Implementation Plan (DRIP) to the Attorney-General’s Department,” the spokesperson said.

“The Department has approved this plan, and we now have 18 months to become fully compliant.

“We continue to discuss the funding for this program with the Government and other stakeholders and we are hopeful that there will be a sensible solution that does not impact on our customers or shareholders.”

What the media is saying

Much of the coverage is similar articles detailing what you need to know, however some publications such as Mashable, New Matilda and SBS have pinpointed ways the act can be circumvent.

New Matilda spoke to Ludlam from the Greens, where he was encouraging Aussies to know adapt to an environment where their data is held.

His tips include not using the same password for everything, using online messaging systems instead of text messages, and start using a VPN. Read more about his tips here.

Journalist Asher Wolf wrote about her menstrual cycle on SBS, and why the data retention laws newly introduced will mean that for two years, the telco will know when she called her doctor, how many times etc. It’s  information the government doesn’t need, she argued, and can be a loss of dignity.

The Media, Entertainment and Arts Alliance (MEAA) has condemned the passing of the law, saying it poses a threat to journalists and their sources. Read more about that here.

Twitter reactions

Beginning today, if you are Australian, everything you do online is being tracked, stored, and retained for 2 years. https://t.co/g8etUYgHGr

— Edward Snowden (@Snowden) October 12, 2015

http://www.sbs.com.au/news/article/2015/10/13/comment-nothing-hide-data-retention-dignity-and-tampons

Australia’s Diabolical #DataRetention Act should be repealed. It is a threat to citizens, journalists, whistleblowers and politicians alike.

— Matthew Rimmer (@DrRimmer) October 13, 2015

What the difficultly with meeting 13 Oct deadline shows is that the data retention scheme is much more complex than political spin suggested

— Leanne O’Donnell (@MsLods) October 13, 2015

I’ve updated my explainer on what data retention is, why it is so damaging, and how to reduce the threat to you http://t.co/nJ0VEsxiTW

— Bernard Keane (@BernardKeane) October 13, 2015

Vodafone and Optus are among the majority of telcos/ISPs to still be working on data retention extension plans http://t.co/os0LxqPkM8

— Allie Coyne (@alliecoyne) October 13, 2015

Happy #dataretention day! Check out how easy it is to circumvent the regime here: http://t.co/sOF5UakthL pic.twitter.com/wO84xtRPmp

— GetUp! (@GetUp) October 13, 2015