Australia keeps telco data longer than all but three countries

The Law Council said if the mandatory data retention scheme is to be maintained, significant amendments will be required.

The Law Council of Australia (LCA) has joined the debate for the retention period for data held by the nation's telecommunications carriers to be reduced from the current two-year timeframe.

Free PDF

Australia’s encryption laws: An insider’s guide

Australia now has world-first encryption laws. This guide explains what the laws can do, what they cannot do, and how Australia ended up here.

Read More

Representing the LCA at the Parliamentary Joint Committee on Intelligence and Security (PJCIS) and its review of the data retention regime that came into being in March 2015, professor Peter Leonard said comparisons with similar international schemes, via a list of 28 countries provided by the Department of Home Affairs, revealed that Australia keeps data for longer than all but three countries: Belgium, Italy, and Ireland.

"When we look to our Five Eyes counterparts, the retention period is, I believe, 12 months for the UK and a voluntary retention period for the US," Leonard said.

"When we look at two years, quite a number of jurisdictions are two years but, interestingly, the two jurisdictions with whom we most closely compare ourselves are, in fact, either shorter or voluntary."

See also: How the B-Team watches over Australia's encryption laws and cybersecurity

Co-chair of the National Criminal Law Committee at the LCA Dr David Neal said when comparing Australia to other countries that do have similar schemes, two years seems to be how it "strikes the balance".

He noted however, that the current retention period -- given that access to it is not supervised by any independent authority -- affects this balance.

"When you add to the equation, or to this balance, the fact that the access to this data is warrantless … and as a number of the submissions we notice have pointed out, the operation of the safeguards that currently exist, which are internal, seem to be a patchy quality," Neal added.

"If you were having agencies which would have to justify access to that data to an independent body then some of these questions would be quite different. But at present, we don't have that."

To that end, the LCA has asked that the data retention period be reduced from two years to no longer than the minimum period required by law enforcement and security agencies.

While Neal accepts that the mandatory data retention scheme seeks to address and prevent serious crime and threats to national security, he said the LCA believes the scheme significantly impacts the privacy of all Australians, not just those suspected of crime or people of national security interest.

In addition to shortening the data retention period, the LCA has asked for amendments to legislation that would expressly list the agencies which can access the stored communications and telecommunications data.

It also wants an independent court or tribunal to authorise warrants to the retained telco data and has asked that the ambiguity around when a journalist information warrant is required be addressed.

See also: Why Australia is quickly developing a technology-based human rights problem (TechRepublic)

The LCA also wants standards for the security of telecommunications data to be developed and compliance with such standards monitored by the Australian Communications and Media Authority.

With "significant technological developments" introduced since the data retention scheme came into play, Neal said more can be gleaned about an individual than ever before through the telecommunications data and the application of data analytics.

"With that, we note that these possibilities are going to magnify with the advent of 5G technology," he said. "Despite the scheme not permitting access to the content of communications, a certain amount of metadata about an individual may provide sufficient information to construct a complete profile of that individual, particularly if it is matched with publicly-available records.

"If the mandatory data retention scheme is to be maintained, significant amendment is required."

HERE'S MORE