‘The new data retention laws – what you should be aware of

Accom Management Guide Winter 2015

THE NEW DATA RETENTION LAWS – WHAT SHOULD YOU BE AWARE OF AND HOW DOES IT AFFECT YOU IF YOU ARE NOT A TELECOMMUNICATIONS OR INTERNET SERVICE PROVIDER?

The Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth) (otherwise known as the “new data retention laws”) has been passed into law in April 2015.  The Act requires Internet Service Providers (ISP’s) operating a “relevant service” to retain “metadata” for a minimum period of two years.  “Relevant service” principally covers telecommunications and ISP’s, who have until 13 October 2015 to comply with the main operative provisions.

The types of “metadata” that must be retained are specified in the Act. Broadly, it includes:

  • identification information about the account holder (e.g. name, address or billing information)
  • information about the source and destination of a communication
  • date, time and duration of a communication
  • type of communication (e.g. voice, SMS or email) or the type of relevant service used for a communication (e.g. ADSL, wifi, VoIP or cable)
  • location of equipment or line used at both ends of a communication.

You’re probably thinking that this doesn’t affect your business as you are not an ISP, however there is some information you need to be aware of and you are responsible for who uses your internet connection and anything they do on it.

I have extracted some information from Piper Alderman’s website.  Piper Alderman is a commercial law firm with offices in Sydney, Melbourne, Brisbane and Adelaide and has extensive legal knowledge about the Act.

The Act excludes a service that is provided only to places that “are all in the same area.”  This clause is intended to exempt cafes, restaurants, accommodation providers etc providing free wifi access from compliance with data retention laws. Instead, the obligation to retain “metadata” rests with the ISP, supplying the underlying internet service.  This exemption has its limits.

The Communications Access Co-ordinator has power to impose the data retention laws on any particular service despite the exemptions.  Organisations will also need to have adequate procedures and policies to ensure access to their internal networks are appropriately limited, failing which, they will have data retention obligations under the Act.

Some activities may potentially involve both criminal offences and civil contraventions.  For example, “metadata” could reveal widespread downloading of copyright-infringing material in a network in the course of a criminal investigation.  An enforcement agency may, during its investigations, disclose that fact despite no criminal conduct being found.  This could alert potential civil litigants to seek discovery in relation to an organisation’s computer systems or logs.

The Act does not generally impose any data retention requirements on an entity that is not a telecommunications or ISP.  However, organisations operating internal networks need to ensure that their networks are exempted under the Act. Otherwise, they will need processes to comply with the new data retention requirements. In any event, legal compliance policies of organisations should be reviewed to ensure that they are adequate to minimise legal compliance risks in circumstances where evidence of non-compliance may be more readily available in regulatory investigations or which may encourage civil litigation.

IMPORTANT – Read your ISP’s Acceptable Usage Policy.  They clearly state that you are responsible for what someone does on your connection.

You must be able to prove it wasn’t you using the system, otherwise you are liable.  To be able to prove it wasn’t you, you must be able to retain information on your guest wifi system similar to that of the “metadata” requirements outlined above.

The Telstra Internet Solutions/Telstra Wholesale Internet Acceptable Usage Policy states:  This Acceptable Usage Policy outlines certain prohibited uses of the Telstra Network and the consequences which may flow from a violation of this Policy.

It goes on to outline prohibited use and that any breaches or violations to the policy, that Telstra reserves the right to take all legal and technical steps available under the Customer Agreement including suspending or disconnecting a Customer’s service. Telstra may also take remedial action if the law or a regulator or other authority requires Telstra to do so.  Such remedial action may include:

  • immediately terminating or suspending the provision of a Customer’s service;
  • giving a Customer a notice to stop the activities or conduct, or to take steps to remedy the Customer’s breach of this Acceptable Usage Policy;
  • giving a Customer a warning that any further repetition of the activity or conduct will result in Telstra immediately terminating or suspending the provision of a service to the Customer; and
  • reporting of the activities or conduct to relevant authorities.

Handing out a generic password to all your guests does not comply – they go through your modem/router and only your IP address is retained – you have no granular information to prove it wasn’t you using the system.

There can be serious consequences if you do not have the correct policies, procedures and systems in place.

 Judy Senn Director, Time Out Internet