Service providers should get cracking with their data retention implementation plans
By Sonia Sharma & Emily Lau • 02 April 2015 • 5 min read
Data industry players need to quickly come to terms with their new data retention obligations
With the Government's controversial data retention scheme now law, we unpick the timing and other key requirements of the new laws and advise service providers to act quickly.
The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 (Cth) (Data Retention Bill) is now law in Australia after stumbling its way through the lower house and senate last week despite vocal public opposition, such as Get-Up's 'Citizens Not Suspects' petition, and warnings from industry groups about the high price for mandatory data retention.
Data retention obligation
Now that the laws have passed, industry players need to quickly come to terms with their new data retention obligations. Telecommunications or internet service providers (service providers) will be required to retain their customers’ metadata for two years.
Metadata that service providers must keep includes:
- account and service information
- source of a communication
- destination of a communication
- date, time and duration of a communication
- type of a communication or of a relevant service used in connection with a communication
- location of equipment, or a line, used in connection with a communication.
Service providers must keep the metadata confidential by encrypting the information and protecting it from unauthorised interference or unauthorised access.
Data retention implementation plan
The substantive provisions of the Bill come into force six months after the Bill receives royal assent. In this interim period, service providers have the opportunity to lodge a data retention implementation plan (Plan). The Plan needs to set out a regime whereby the service provider will transition towards full compliance with the substantive provisions of the Bill.
Once the plan is approved, the service provider is required to comply with the provisions of the Plan rather than the substantive provision of the Data Retention Bill. The Plan will remain in force until the end of the implementation phase, which is 18 months after the commencement of this Part (i.e. two years from commencement).
In other words, service providers will be in a much better position and have greater control if they act quickly and have an approved Plan in place as opposed to doing nothing and having to then comply with the Data Retention Bill.
A service provider may lodge a Plan for approval with the Communications Access Co-ordinator. A service provider will need to dedicate time and resources towards drafting its Plan and ensure that, for each service, the Plan:
- explains the current practices for keeping, and ensuring the confidentiality of, information and documents that are required to be kept
- provides details of the interim arrangements that the service provider proposes to be implemented while the Plan is in force, for keeping, and ensuring the confidentiality of such information and documents
- provides a deadline for the service provider’s compliance with the mandated requirements. This deadline cannot be later than 18 months after the commencement of the Data Retention Bill if the service provider was operating the service at the commencement of the Data Retention Bill
- specifies any relevant services of the service provider that the Plan does not cover
- provides the contact details of the officers or employees of the service provider in relation to the Plan.
Timeline for lodgement and Communications Access Co-ordinator’s consideration of data implementation plan
While there is no deadline stipulated under the Data Retention Bill for the service provider to lodge a Plan, if a service provider does not have a Plan approved by the date that is six months from the Royal Assent of the Bill, it will have to be fully compliant with the new laws at that time.
Service providers who do take advantage of the 'grace period' will need to lodge their Plan with the Communications Access Co-ordinator for a consultation process. The Plan is circulated for comment to enforcement agencies and security authorities that the Communications Access Co-ordinator thinks would be interested.
If an enforcement agency or security authority makes a reasonable request for an amendment of the Plan, the Communications Access Co-ordinator must request that the service provider make the amendment within 30 days after the Communications Access Co-ordinator received the comment from the enforcement agency or security authority. The service provider must respond by making the amendment or providing reasons for its refusal of the amendment.
If the service provider has refused the requested amendment, the issue is escalated to the Australian Communications and Media Authority (ACMA) to decide if an amendment to the Plan is needed.
The Communications Access Co-ordinator must approve the Plan or respond by written request to the service provider to amend the Plan within 60 days after the Communications Access Co-ordinator receives the Plan.
A Plan comes into force when the Communications Access Co-ordinator notifies the service provider of the Plan’s approval or 60 days after lodgement if no decision has been made.
Penalties for non-compliance with data retention requirements
Service providers should be aware of the potentially harsh penalties for non-compliance which include fines up to $250,000 for each breach of key provisions of the new data retention laws. Additionally, an authorised officer may issue an infringement notice if the officer has reasonable grounds to believe that the service provider has breached key provisions.
Who can access the metadata?
Exactly who has access to metadata has been a contentious issue. Under the new laws, a criminal-law enforcement agency may apply for a warrant to access communications data. Examples of criminal-law enforcement agencies are the Australian Federal Police, the Australian Customs and Border Protection Service and the Australian Securities and Investments Commission. Enforcement agencies such as ASIC have publicly stated that access to metadata is crucial to 'fighting' and 'combating' corporate crime.
The holder of information may also voluntarily disclose information or a document to an enforcement agency if the disclosure is reasonably necessary for the enforcement of the criminal law. The Data Retention Bill inserts a definition of 'enforcement agency' into the Telecommunications (Interception and Access) Act 1979 (Cth), being a criminal law enforcement agency or a body declared by the Minister to be an enforcement agency.