Telstra: We could be the only Australian telco with an approved data retention plan

As Australia's data retention laws came into effect last night, Telstra has revealed this morning that it has had its plans for its data retention implementation approved.

By last night's deadline, Australian telecommunications companies were due to be in accordance with the law in one of three ways: by either retaining and encrypting data with a working implementation; having an approved implementation plan that dealt with areas of non-compliance; or the company had been granted an exception.

Speaking at its annual general meeting today, Telstra chairman Catherine Livingstone said the company was well on top of the issue and had its implementation underway.

"We are pleased to say that Telstra is one of the few, if not only, I think, telecommunication providers that has submitted a data retention plan and had it approved by the government," she said.

"We are organised to do this and we will implement it over 18 months, and of course, we will work with the government following through on their undertaking to reimburse us for the costs incurred.

"We're very conscious of regulatory costs incurred, and will absolutely recover them as we can."

In a survey released by the Communications Alliance last night, it was found that 84 percent of Australian telcos would not be compliant with the deadline, and 37 percent of respondents revealed that they were "not confident at all" on understanding what data the law requires them to retain and for how long.

Only 16 percent of respondents, or 10 telcos, said that they would be fully compliant without needing to submit an implementation plan for approval. However, 22 companies said that they had submitted plans, and not heard back from the government, whereas two telcos had gained express approval, one had gained approval by default through a deadline lapse, and four had needed to make amendments before final approval would be given.

"It is no surprise that many service providers won't be compliant when the legislation comes into force -- many of them because they are still waiting to hear from government as to whether their implementation plans have been approved," said Communications Alliance CEO John Stanton.

"All providers are still waiting to hear from government as to how it will apportion the AU$131.3 million that has been pledged in assistance to partially meet the set-up costs that service providers -- and, ultimately, their customers -- are facing as a result of the regime."

Although telcos were expected to be compliant in one form or another today, and needed to have their plans submitted to the Attorney-General's Department for approval by August 13, Attorney-General George Brandis has taken a different view on the deadlines.

"With the expiry of the initial six month implementation period, telecommunications companies can apply for an extension of up to 18 months (April 2017) to comply with the legislation," Brandis said in a statement.

"The government continues to work constructively with the industry to achieve full compliance by April 2017."

ZDNet has asked the department to clarify the time differences in Brandis' statement with those in the legislation, but had not received a reply by publication.

Speaking in June prior to the plan submission deadline, Skeeve Stevens from Eintellego Networks said he was unimpressed with the department.

"We seem to be bullied and pushed down a specific path with the dates and the timeframes that are being thrown at us," he said.

"There is such a mess, and so many unanswered questions, and [AGD] needs to know what I am going to do in six weeks? Get serious, people, this is just ridiculous."

On the ABC earlier today, Greens Senator Scott Ludlam said he expects the data retention window to go beyond the two years currently mandated.

"If it is still this Attorney-General in a couple of years, I fear they will make it work," Ludlam said. "My prediction -- they will keep adding agencies, services, types of data. They will ask for five years, not two."

"While we are on the subject of predictions, there will be data breaches, peoples' lives will be ruined. Whether it be high profile individuals who have material spilt into the public domain or the more large scale data breaches where thousands or millions of peoples' material is accessed."

"It is a disaster waiting to happen."

In February, the Joint Parliamentary Committee on Intelligence and Security recommended that data breach notification legislation be in place by the end of 2015, prior to the start of data retention.

"The Committee considers that a mandatory data breach notification scheme would provide a strong incentive for service providers to implement robust security measures to protect data retained under the data retention regime," the report said.

With parliamentary sitting days in 2015 running out, Ludlam called for the data breach notification to be brought forward.

"One of the concessions that was made by government is they would introduce mandatory data breach notification laws by the end of the year, so if somebody loses control of your private material, they are obliged to tell you," he said.

"There are only 15 sitting days left in this calendar year, in this parliamentary year and there is no sign of that bill."

Former iiNet CTO John Lindsay downplayed the passing of the data retention act coming into force.

"Data Retention actually started months ago," he said on Twitter.

"All that starts this week is the obligation to back it up securely."