A loophole in Australia’s metadata retention laws allowing non-law enforcement agencies, including local councils, to access telecommunications data will be shut as part of a suite of legislative reforms to be progressed by the Albanese government.
The proposed reforms will also see the government introduce new local hosting requirements for the customer information that telecommunications companies like Telstra and Optus are required to store in order to comply with the data retention laws.
The government revealed the planned changes to the Mandatory Data Retention Regime in its response to the Parliamentary Joint Committee on Intelligence and Security’s (PJCIS) 2020 review released on Tuesday.
All but two of the 22 recommendations made in the report have been accepted, with Attorney-General Mark Dreyfus criticising the previous Coalition government for not progressing the “overdue” proposals for 18 months while in office.
“The PJCIS concluded that while the Mandatory Data Retention Regime provides critical assistance to law enforcement and intelligence services, the regime lacks transparency and adequate safeguards,” he said.
The regime, which was introduce by the then Abbott government in March 2015, requires telcos to hold their customer’s metadata for two years to assist law enforcement and security agencies with serious criminal and national security investigations.
But concerns with the scheme emerged shortly after, with telecommunications industry group Communications Alliance revealing in 2018 that local councils were among the more than 80 agencies making requests for metadata.
In the 2020 review, the PJCIS called for the government to repeal section 280(1)(b) of the Telecommunications Act 1997 to limit access to only the Australian Security Intelligence Organisation and other listed agencies.
On Tuesday, the government accepted the recommendation in principle, with the Department of Infrastructure, Transport, Regional Development, Communications and the Arts to work on new legislation.
“The government will introduce legislation to repeal this provision and replace it with one that limits access to data (including personal information of subscribers) to specific entities in situations where that access is necessary and proportionate to achieving and allowable purpose,” the report said.
“This will include consideration of reforms to other relevant provision of the Telecommunications Act 1997 as required. These reforms will address the need to protect the personal information of subscribers and manage regulatory costs to industry.”
Following the data breach that compromised the identity credentials of millions of Optus customers last year, the government has also agreed that “telecommunications providers… be subject to minimum security standards”.
It has similarly accepted a recommendation that “service providers… store information of the kind specified in or under section 187AA, or documents containing information of that kind, on servers located in Australia unless specifically exempted”.
Section 187AA lists the types of data that telcos must retain in order to comply with the data retention regime.
The planned local data storage requirements come as the government continues to consider data localisation requirements for other sectors to improve the security of sensitive data, despite industry’s objections.
The Attorney-General’s Department will now work with the Australian Communications and Media Authority, the Department of Home Affairs and other law enforcement agencies to determine how the minimum standards will be set and is planning to consult industry on the “potential burden”.
“The design of these reforms will require further consultation to fully determine the potential burden on industry; and with relevant agencies to ensure the committee’s intent of keeping data secure is met in the most appropriate manner,” the government added.
The government is separately working to improve telco record-keeping requirements through the Telecommunications Legislation Amendment (Information Disclosure, National Interest and Other Measures) Bill, which is currently before the Senate.
The government will also introduce new reporting requirements for law enforcement and national security agencies, as well as require improved record keeping practices and “appropriately address privacy considerations, effective oversight and operational requirements” when deleting data.
Other changes include clarifying what is considered ‘content’ and ‘non-content’ to reduce the prospect of telcos inadvertently disclosing potential ‘content’ information and formalising requirements for agencies to quarantine and delete information that is accidentally disclosed.
The Communications Alliance has welcomed the government’s acceptance of almost all recommendations in the review, with chief executive John Stanton saying it will “give all Australians greater protection against the inherent risks associated with giving government agencies access to consumers’ metadata without having to obtain a warrant”.
“In particular, the Government’s agreement to repeal part of the Telecommunications Act 1997 will close the notorious loophole which allowed more than 80 State-based agencies able to access warrantless metadata, despite the data retention legislation not authorising such access,” Mr Stanton said.
“There is a host of other sensible recommendations that the Government has accepted, including an exemption for retention of Internet of Things data, stronger reporting requirements on enforcement agencies, the creation of guidelines for how agencies must behave and a requirement to delete gathered data within a reasonable period.”
“Once implemented, the measures will create a more reasonable environment for all Australians, whose data and privacy were unreasonably put at risk by the flaws in the original legislation.”
The government also noted in its response to the review that work is continuing to replace existing legislation covering the use of computer access and surveillance devices powers with a single Act, as was recommended in the 2020 review of electronic surveillance laws.
Editor’s note: This story has been updated to include a statement from Communications Alliance about the proposed changes to the data retention regime.
