News & Thinking

Metadata retention laws

The contentious data retention laws passed by the Federal Parliament in 2015 allow Telecommunications companies and Internet Service Providers until 2017 to fulfil their implementation plans, at which time the ramifications of these laws will become more apparent.

The data retention laws require telecommunications companies and Internet Service Providers to keep records of consumer metadata for a minimum period of two years. This article gives insight into what metadata is and how it impacts your privacy.

Background

Law enforcement agencies have publicly identified the lack of availability of data as a key and growing impediment to the ability to investigate and to prosecute serious offences.

The changes to the data retention laws provide additional tools which reflect the level of change in the telecommunications environment in the last 15 years.

To better understand the laws we have provided an overview below of some of the key issues.

What is metadata?

The type of data which must be retained includes phone numbers, length of phone calls, general location information (such as cell tower data), information about the duration of the communication, email addresses and the time a message was sent, but not the content of phone calls or emails and internet browsing history is excluded.

A simple example of what constitutes metadata is when you make a phone call, what you say is the content. The metadata is the technical information about the phone call. What the phone does to let you say it, the number you dialled, when and what the phone connected to is all recorded as metadata.

Why have these laws been introduced?

The retention of the data will allow security agencies to access the records, assisting to support Australian law enforcement and security agencies in the performance of their functions.

Prior to the changes, the law did not specify any types of data the telecommunications industry should retain for law enforcement and national security purposes or how long that information should be held.

Individual carriers retain information based on their own business requirements meaning there are significant variations across the telecommunications industry in the types of data available to law enforcement and national security agencies and the period of time that information is available.

When can the data be accessed?

Security agencies (there are 21 agencies that can gain access to the metadata) can be given access to the data when they can make a case that it is “reasonably necessary” to an investigation.

The data retention laws still require security agencies to obtain a warrant before accessing the actual content of messages or conversations.

What safeguards exist to protect privacy?

Safeguards have been established to protect privacy by providing for an independent oversight mechanism, allowing the Commonwealth Ombudsman access to agency records.

Specific protections for the phone and internet records of journalists have also been introduced, in a bid to protect anonymous sources and whistleblowers.

There are two sides to the argument

Similar data retention schemes overseas have been condemned and invalidated for their interference with privacy and civil liberties and are currently under challenge in various countries causing civil libertarians to raise their concerns.

Arguments against the data retention laws include that:

  • Society is trading away too much privacy in the name of security
  • Not many people believe the risk of terrorism will be lessened due to the introduction of the policy
  • The expense involved with ISPs storing the data being will ultimately be passed on to customers
  • The metadata will be used to identify whistleblowers and journalists’ sources
  • There is a potential for improper use of the collected data and adverse societal impacts of blanket surveillance.

On the other hand proponents of metadata retention laws say that in a connected world metadata is central to virtually every organised crime, counter-espionage, cybersecurity and counter-terrorism investigation, and has also used in almost every serious criminal investigation, such as murder, rape and kidnapping.

Conclusion

The data retention laws do not provide new powers or access to telecommunications data, the number of agencies permitted to access metadata has been reduced and the government will not be retaining the data, industry will continue to do so.

The Joint Committee on Intelligence and Security, who conducted a review of the need for the data retention laws and proposed amendments that were included in the final laws, consider that the data retention laws were “a necessary, effective and proportionate response to the serious threat to national security and public safety caused by the inconsistent and degrading availability of telecommunications data”.

For consumers, this means those agencies which have access will be able to access metadata relating to their personal computer, work computer, mobile phone, landline, tablet, laptop or any other communications device.

For journalists, extra protection will be provided in order to protect confidential sources, but for other professionals who might handle confidential information, the data retention laws will provide no exemption.

For more information on the data retention laws or for advice on how you or your business could be affected contact us on +61 3 9282 9200 or email josh.flett@fletcherclarendon.com.au.

View all articles