Australian telecommunication companies forced by the government to store customer call records, location information, IP addresses, billing information, and other relevant data under the nation's data retention scheme could be storing all of that information overseas -- and the Attorney-General's Department (AGD), charged with overseeing the system, doesn't know where the data is stored.
Nor does AGD believe that the offshoring of metadata storage is a security risk, First Assistant Secretary National Security Division at AGD Sarah Chidgey told the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on Thursday morning.
In an exchange with Labor member for Holt Anthony Byrne, Chidgey said the existing metadata legislation does not contain a provision for telcos to inform the department of offshoring, only that the data would be protected in accordance with the Privacy Act and Telecommunications Interception Act.
"The whole precursor to the [metadata] Bill was that they would tell us," Byrne said. "What you're telling me is that they will not even tell you whether or not they are storing the metadata offshore.
"Now how can that be satisfactory?"
Under the legislation being reviewed by the committee -- which would force telcos to provide information about their networks and services to AGD or face civil penalties -- Chidgey said the department would be able to know where metadata is retained.
"I don't think offshoring in and of itself is not necessarily a security risk," Chidgey said in response to Byrne stating that Australians would be worried their data is stored overseas.
"That is not true, because we've been briefed to the fact that that isn't, that's not a true statement," Byrne said. "It was one of the concerns of the committee that if you did offshore it, it did impact the capacity of the agencies and the Attorney-General's Department to actually protect the data.
"And we've seen, publicly, fairly significant issues of data being stored offshore and it being susceptible to infiltration."
Byrne said it was an "incredibly significant concern" that the department is not currently able to answer his questions about where the nation's telecommunications metadata is stored.
Australia's data retention laws were passed by the Australian Parliament in 2015 with the support of the government and the Labor opposition.
Prior to those laws coming into force last year, the PJCIS recommended that Australia have a data breach notification scheme.
The legislation to create an Australian data breach notification scheme finally cleared the Senate earlier this week. The new laws are set to come into force either by a proclaimed date, or a year after they receive Royal Assent.