Small ISPs doing nothing about data retention compliance: Comms Alliance

The risk of bankruptcy is preventing smaller ISPs from meeting their data retention compliance obligations, the Communications Alliance has said.

Confusion and uncertainty continues to surround Australian data-retention laws, Communications Alliance CEO John Stanton has said, with smaller operators still having to face the spectre of going bust.

"Many service providers -- particularly smaller operators -- have told us that they are doing very little or nothing to build their compliance capabilities at the moment," Stanton said.

"Who can blame them -- if they start investing in new systems now, without knowing how much of that investment will remain unfunded once the subsidies arrive, they are putting themselves at risk of bankruptcy.

"Other operators have been investing in compliance measures, but are doing so in an ongoing climate of uncertainty."

At the heart of concerns is the lack of funding from the government's AU$128 million data-retention grant program, which was intended to help ISPs cover some of the upfront cost of complying with data-retention laws.

The Australian data-retention regime allows the nation's approved law-enforcement agencies to warrantlessly access two years' worth of customers' call records, location information, IP addresses, billing information, and other data stored by telcos.

Earlier this month, Stanton said the government still has not called upon its industry working group to divvy up the grant money.

"Only weeks away from the 2016-17 Budget ... telecommunications providers are no closer to knowing how much they will receive from the government," he said. "They therefore don't know how much their business -- and ultimately their customers -- will have to contribute to the costs of the data retention regime."

Stanton said compliance was a massive burden on service providers, which wasn't helped by the Attorney-General's Department siphoning off AU$3 million to cover its costs.

"The government must at the very least act quickly to provide some certainty to the telecommunications sector, which is battling plenty of economic and commercial challenges aside from data retention," he said.

"So far the only thing that is certain is that all the Attorney-General's Department costs will be fully covered."

The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015, passed the Australian parliament in March 2015, and came into effect in October.

The Joint Parliamentary Committee on Intelligence and Security recommended in February 2015 that Australia have data-breach notification laws in place before the end of 2015, prior to the implementation phase of the data-retention laws.

No data-breach notification laws are in place, despite the start of the metadata retention regime, and the earliest that Australia will now have a working data-breach notification scheme is set to be sometime in 2017.