AIMIA, the digital policy group representing tech giants including Google, Twitter, Facebook, Microsoft, and eBay, has said that the government's mandatory data-retention legislation would be a disproportionate breach of the privacy of all Australians.
Under legislation currently before the parliament, Australian telecommunications companies would be required to retain an as-yet-undefined set of customer data for two years, including but not limited to call records, address information, email addresses, and assigned IP addresses.
The legislation is backed by Australian law-enforcement agencies, which claim that access to the data without a warrant is vital to almost every criminal investigation.
The aim of the legislation is to make mandatory data retention relatively technology neutral, meaning that the government can include technologies used for communications through regulation, rather than locking in the technology through the legislation.
This approach has been widely criticised by the industry and privacy advocates for allowing the government to massively expand the data-retention regime without needing the approval of the parliament.
In AIMIA's submission, the group also warned that its services may be monitored as a result of the wide scope of the legislation.
"It increases our concern that the government's intention is to bring over-the-top [OTT] providers within scope of the scheme at a future date, via regulation," the group said.
"It appears from the categories of information that may be required to be retained that there is scope for the minister to direct ISPs to collect data about all third party OTT services carried on their networks."
The group warned that this would require ISPs to conduct deep packet inspection on their network traffic to ensure the correct data would be caught. This would ultimately mean that content data, as well as the so-called metadata, would be caught up by the mandatory data-retention scheme.
The legislation in its current form raises a real risk of interference with fundamental rights, the group said, and warned that given recent high-profile hacking incidents, there is no guarantee that the data retained by the telcos would be secure.
"The increased security risk of unnecessarily requiring businesses to retain data for two years should also not be underestimated, especially in light of the recent Sony hack. Businesses of all sizes that do not have a strong internal security engineering department will be particularly vulnerable to external threats when storing large volumes of data for long periods of time," the group said.
The Victorian Commissioner for Privacy and Data Protection slammed the legislation as an interference with the fundamental right to privacy given the small group of people it is required to monitor.
"By requiring retention of such sweeping categories of data, and by allowing potentially numerous agencies to have access, the scheme significantly interferes with the fundamental right to privacy in a manner that is not proportionate to the objectives of the Bill," the commissioner said.
"We question the necessity of such wide-scale surveillance to detect a relatively confined cohort of terrorists and criminals given law-enforcement agencies already have the power to undertake targeted requests for data retention, for example by using an ongoing preservation notice under the TIA Act."
The Australian Human Rights Commission also deemed the legislation to be "beyond what can be reasonably justified". It suggested that the retained data set should be defined in legislation, and that the government first trial a one-year retention period instead of two years.