The Australian Federal Police (AFP) has cited the illegality of confirming or denying the existence of a metadata preservation notice to avoid telling an Australian senator whether his metadata has been collected.
Responding to a Question on Notice from South Australian Senator Nick Xenophon in February, the AFP said it was unable to provide any information on whether the metadata of any Australian federal politicians has been preserved over the past year.
"[Section 133 of the Telecommunications (Interception and Access) Act 1979] makes it an offence to communicate preservation notice information to another person," the AFP said in its answer [PDF]. "Preservation notice information is defined in Section 6EAA to include the giving of a preservation notice, the existence or non-existence of a preservation notice, or the expiry of a preservation notice."
Similar reasoning was provided for not saying whether the metadata of any political staffers or journalists had been accessed by the AFP in the past year.
Under Australian data-retention laws passed in March 2015 by both Liberal/National and Labor parties, enforcement agencies are able to warrantlessly access two years' worth of customers' call records, location information, IP addresses, billing information, and other data stored by telcos.
So far, 21 agencies are able to access metadata, including the Australian Security Intelligence Organisation, the AFP, state and territory police forces, state anti-corruption commissions, the Australian Competition and Consumer Commission, the Australian Securities and Investments Commission, the Australian Crime Commission, and the Department of Immigration and Border Protection.
In January this year, it was revealed that 61 other agencies have sought to gain access to telecommunications metadata, including organisations such as Australia Post, the RSPCA of Victoria, Bankstown City Council, and Victorian Taxi Services.
The Attorney-General's Department (AGD) said at the time that it had not granted any requests for agencies to be added to the list.
Despite the Joint Parliamentary Committee on Intelligence and Security recommending in February 2015 that Australia have data-breach notification laws in place before the end of 2015, no such laws are yet in place.
The earliest that Australia will have a working data-breach notification scheme is set to be sometime in 2017, after the AGD has released its exposure draft of amendments to the Privacy Act.