Telecommunications companies missed the government’s August 13 deadline for submitting plans on how they will store their customers’ metadata for two years, but the Attorney-General’s Department is insisting it is no big deal, despite the companies potentially being in breach of the new mandatory data retention laws.
Under legislation passed by the government in March, and given royal assent on April 13, Australian telecommunications companies will need to retain customer communications data — such as time of call, assigned IP address, number dialled, email address, and other so-called metadata — for a minimum of two years. This data can then be accessed without a warrant by a number of government agencies.
Telecommunications companies were given six months from the date of royal assent — to October 13 — to get their plans for storing the data ready, and for the past four months have been attempting to work out with the government how to deal with their obligations.
Poor communication from the Attorney-General’s Department and a lack of clarity over what exact data telecommunications companies are expected to retain led to pushback from the telcos in June at a Communications Alliance event, where ISPs complained about tight deadlines and little explanation of the scheme itself.
“We seem to be bullied and pushed down a specific path with the dates and the timeframes that are being thrown at us,” Skeeve Stevens from Eintellego Networks said at the time.
“There is such a mess, and so many unanswered questions, and [the department] needs [the information] in six weeks? Get serious, people, this is just ridiculous.”
The implementation plans must set out what current practices are for storing data, what interim plans are in place to store data while developing systems for mandatory data retention, and when those new systems will be in place. Each company must also tell the department how many customers they have, what their target market is, what sort of connections they have with customers (i.e. ADSL, dark fibre, private lines), and where in Australia their customers are located (i.e. in capital cities, regional areas, or Australia-wide).
The Attorney-General’s Department declined to comment on whether any companies had failed to submit their plans on time, but Crikey understands that while a number have been submitted by several telecommunications companies, many have not.
Although telcos believed they had to have their plans in by August 13, the department is now suggesting that it was never a legislative deadline, and agreed plans should “endeavor” to be in place by October 13, 2015, when data retention officially kicks off — although the companies have been told not to delete any data required for the scheme since April.
This is contrary to what official department documentation said as recently as July, when the department stated:
“Service providers wishing to submit an implementation plan should do so by mid August 2015 to enable consideration and approval of the plan before the obligations commence.
“Providers that are not fully compliant with the data retention obligations and do not have an approved plan or exemption/variation in place on 13 October 2015 are in breach of their obligations.”
While the department appears to be going lighter on the telcos in submitting their plans, those that submitted plans even one day after August 13 could still find themselves in breach of the law. The plans need to be filed with the communications access co-ordinator within the department, and the co-ordinator will then “endeavour” to provide a decision on whether it agrees to the plan — this can take up to 60 days.
Many of the telcos that haven’t submitted already won’t have even lodged a plan by October 13, Crikey has been told, and telcos have not been guaranteed they won’t be found to be in breach of the data retention law if they are unable to have approved plans in place by October 13.
Once the plans are submitted, the telcos have 18 months to implement those plans, so the government argues that telcos are being given a full two years in order to comply with the mandatory data retention laws. However, those that miss the October deadline to have approved implementation plans could still face civil penalties for non-compliance with the act.
The government is currently reassessing how much the mandatory data retention scheme will actually cost the telcos, while insisting it is still making a substantial contribution to ISPs by offering $131.3 million to the industry to get the systems in place.