Review of the Mandatory Data Retention Regime
In late October 2020, the Parliamentary Joint Committee on Intelligence and Security completed its review of the mandatory data retention regime enshrined in the controversial Telecommunications (Interception and Access) Act 1979 (Cth) (the Act).
The mandatory data retention regime is a legislative framework which requires carriers, carriage service providers and internet service providers to retain a defined set of telecommunications data. However, the regime’s effectiveness has been brought into question, with the Committee identifying numerous loopholes that violate humanitarian standards, along with other issues.
As the law currently stands, the legislation is inconsistent with mass data retention schemes in similar jurisdictions, with government agencies being able to keep extensive telecommunications data beyond what many consider to be necessary.
Among the 22 recommendations by the Committee, key takeaways include:
Having the Department of Home Affairs prepare national guidelines on the operation of the mandatory data retention scheme by enforcement agencies.
Amending various terms and definitions to ensure greater certainty for providing protection.
Amending the Act as to the handling of data by the Australian Security Intelligence Organisation.
Maintaining the data retention period at two years.
Clarifying that service providers are not required to store information generated by Internet of Things devices.
Implementing additional reporting requirements for data retention handling.
Closing “back doors” for metadata loopholes.
The Australian Privacy Foundation has contended that the current Australian law goes ‘further than any other democracy in the world’, posing issues with regard to consent, privacy, data collection and overreaching governmental power. It is humbling to see that the Committee has identified and addressed these concerns and proposed effective amendments that will benefit Australian society.
For further reading see ‘Review of the mandatory data retention regime’