When Paul Weiss first heard about the Optus data breach, he wasn't sure if his data was at risk.
The Melbourne man couldn't recall if he had been a customer within the six-year window of potentially affected customers described by Optus chief executive Kelly Bayer Rosmarin.
But then he checked his records: he'd held an account with the telco for a few months back in 2018, and sure enough, he got an email last Saturday warning that his personal information had been exposed.
A week on, he still doesn't understand why the company needed to hold onto his details for four years.
"If there's a legal reason … then I can't fight that," he said.
"I think it's got to make sense and have a good reason."
Mr Weiss is one of many Australians questioning why Optus was still holding on to their information long after they stopped being a subscriber.
After the breach was disclosed, Ms Rosmarin said the company was legally required to keep customer data from at least 2017.
In response to repeated requests for additional information, the company said only that it was "mindful of, and complies with, its obligations in line with the Telecommunications, Privacy and Corporations Acts".
Confusion about 'six years' of data storage
Telecommunication regulation and privacy experts have also tried to get to the bottom of how long data must legally be kept.
James North, head of technology, media and telecommunications at law firm Corrs Chambers Westgarth, told the ABC he didn't recognise the six-year term referenced by the Optus boss.
However, there are data retention obligations telcos must comply with.
When a customer buys a prepaid mobile service, for example, companies are required to check ID and verify that person is who they say they are.
That's to prevent prepaid mobile phones being used for criminal purposes, Mr North said, and enable law enforcement agencies to identify the owners of phones.
That identity check can use a range of documents, including drivers licences, passports and Medicare cards.
Then under the Telecommunication Interception and Access Act (TIA Act) — part of Australia's metadata laws — the company is also required to retain subscriber information for a minimum period of the life of the account plus two years after closure.
That includes name and address information, but also "any other information for identification purposes" and "documents" related to that subscriber.
Mr North said these provisions could be interpreted as requiring companies to keep a record of the documents they used to verify the subscriber's identity — like a passport number.
Telecommunication regulator ACMA declined an interview with the ABC about data storage rules for Australian telcos.
A spokesperson said the Optus data breach was "an evolving situation".
"The ACMA requires further information from Optus to determine whether this data breach raises questions about compliance with telco-specific obligations," he said in a statement.
"The ACMA will make public its determinations once made."
Storing data, and protecting it
While companies are required to keep some amount of data by law, they're also instructed to keep it safe.
Rob Nicholls, an associate professor of regulation and governance at UNSW Business School, said that under metadata retention rules, companies must keep what they're storing protected and encrypted.
But there does tend "to be a conservative approach to deletion of data" in some companies, Dr Nicholls said.
"Unless there is a good document retention program in place, there is a risk of keeping documents unnecessarily."
Australia's privacy rules also apply. Companies must "take reasonable steps to destroy or de-identify" personal information once it's no longer needed or when there is no further legal obligation to hold it.
But whether this obligation is enforced by the privacy regulator is another question, Corr's Mr North suggested.
"Companies deleting data when the lawful purpose of that data has been served is an area that deserves more focus," he said.
"Based on my anecdotal views, that's an area that companies don't pay enough attention to."
The privacy regulator, the Office of the Australian Information Commissioner, has not said whether it is considering an investigation of Optus' data handling practices, stating that its focus remained on supporting affected customers.
Backlash to data retention rules
Following the Optus data breach, the government has been vocal about the lack of stiff penalties for companies found mishandling sensitive information about Australians.
Attorney-General Mark Dreyfus told media this week there didn't seem to be "a valid reason" for companies that perform ID checks using passports and driver's licences to hold onto that information long term.
"Obviously the more data that's kept, the bigger the problem there is about keeping it safe," he said.
Some critics have also pushed for the government to revisit laws that require extensive data storage — such as Australia's metadata laws — which were introduced in the name of national security.
Greens Senator David Shoebridge said the push to store more data without checks and balances to protect it was "a disaster waiting to happen".
"It's tragically ironic that laws that were pushed through parliament allegedly to keep us safer have created these deep pools of data that are such a risk to our privacy and online integrity.
"What's happened with Optus is our worst fears come true."
