Data retention – what’s at stake?

Mandatory data retention is mass surveillance.

As the former Victorian Privacy Commissioner has said mass data retention:

“…is characteristic of a police state. It is premised on the assumption that all citizens should be monitored. Not only does this completely remove the presumption of innocence which all persons are afforded, it goes against one of the essential dimensions of human rights and privacy law: freedom from surveillance and arbitrary intrusions into a person’s life”

So you’ve got nothing to hide? Not fussed about rights and freedoms? Well, here are some further practical consequences of data retention to consider.

Your “metadata” in the court room

The Data Retention Bill does not impose any limitation on access to the retained data by other legal avenues.  This means there’s nothing stopping your ex-husband, your employer, the tax office or a bank using a subpoena to get access to that data if it is relevant to a court case.

Your telecommunications data – such information as who you called, when you called, your location, or who you emailed or messaged – could be relevant to any number of disputes. (Here’s the draft data set – it’s complex and still not yet finalised).

Metadata isn’t like an envelope. It is possible to create meaningful personality profiles from it – including personal preferences, social/political affiliations, sexual orientation, health information, financial interests and ethnic identity. For example, certain phone numbers and email addresses are context-specific, e.g. a suicide hotline, political parties, doctors, police; the list goes on.

Telco data would be useful in commercial disputes such as those involving trade secrets, intellectual property, breach of confidence. And then there’s family law disputes, insurance disputes, workers compensation claims, and that’s before we get to the oft-cited example of copyright cases.

And all this will likely increase the cost of litigation and reduce access to justice. Better-resourced companies or individuals can more easily afford the cost of issuing subpoenas or even preliminary discovery applications, as in the Dallas Buyers Club case.

Taxpayers will fund their own surveillance

We’ve heard much about the government’s “cutting the red tape” agenda.

But not so much about the costs and regulatory burden of data retention on small telcos. How will this impact competition in the communications sector?

AIMIA also argues that data retention will be a strong disincentive for companies to invest in infrastructure in Australia.

It’s unclear what level of contribution the Government will make to industry toward the up-front or ongoing cost of complying with the proposed data retention regime. We do know that the costs will be significant. What costs will be passed on to residential and business customers? Ultimately we’ll all pay as taxpayers and consumers.

How much will this all cost? We still don’t know.

Drive consumers away from Australian businesses

A range of pragmatic compromises have been made to get this Bill introduced into Parliament.

Just one example: what are known as third-party “over-the-top” services such as Gmail, Skype and Facebook are not currently covered by the data retention obligations. But data associated with services such as email, VoIP and SMS provided by your telco will be retained.

This decision about the scope of the regime is likely to reduce the revenue of Australian businesses, and reduce the already questionable effectiveness of the scheme in making the community safer.

Off-shore data storage

Your ISP can choose where it wants to store your data.

As the Victorian Privacy Commissioner has submitted:

  • The Bill does not prevent retained data from being transmitted to, and stored in, offshore cloud computing services that are under the control of foreign corporations and foreign governments.
  • It does not exclude retained data being stored in cloud computing services that are physically located within Australia but which are owned by foreign entities that may be subject to extraterritorial legal obligations that subject the retained data to the laws of foreign countries.

So how is your personal information safe from the reach of foreign countries? 

How safe will your data be?

The Bill does not place any additional obligations on your telco to keep your data secure.

Telcos and the Privacy Commissioner have warned of an increased risk of security breaches from retaining large amounts of personal information for an extended period of time, and of the attraction that larger data holdings present to hackers.

Your telco has no absolute liability for the results of these increased risks, only a potential obligation under the Privacy Act to take ‘such steps as are reasonable in the circumstances to protect the information’.

The Victorian Privacy Commissioner has highlighted that:

  “Breaches to the security of large, well resourced private sector organisations are commonplace but many remain unknown because of commercial secrecy and the fact that Australia does not have a data security breach framework in place”

The Australian Privacy Foundation, in their excellent submission, set out the risks, namely:

  • risks associated with unanticipated uses of the data by service providers;
  • risks associated with disclosures to third parties; and
  • risks associated with the difficulties of adequately ensuring the security of large data sets.

Such risks are a concrete reality as Privacy International have highlighted:

  • In 2013, senior Queensland police were caught pulling confidential mobile phone records to catch officers faking sick days;
  • UK: call records of over 1,000 journalists over a 2 year period were handed over to police – “human error” on the part of a telco employee.

In recent years, the Privacy Commissioner has investigated breaches of security by telcos and government agencies:

  “Australian service providers have experienced significant issues in handling and keeping personal information secure. Major telecommunications services providers that will be covered by the scheme are amongst the 20 entities most complained about to our office,” Pilgrim says.

And if your telco does get hacked and your personal information is disclosed, they don’t have to tell you.


It is expected that, as with the Snowden revelations, a move to mandatory data retention will increase the already growing appetite for encryption and anonymisation products.

Moves to more encryption and tools such as VPNs (already commonly used by businesses and many consumers) are counter-productive to the government’s objectives of retaining data to assist it in protecting national security and tackling serious crime.

Will much of the data left to be retained be that belonging to relatively unsophisticated or incautious Internet users?

But don’t ASIO and the AFP need data retention to protect us?

We haven’t been provided with compelling evidence that explains how “metadata” used by police will no longer be available if we don’t have mandatory data retention.

The AGD couldn’t provide Senator Ludlam with any evidence that data retention was effective in addressing the claimed objectives of tackling serious crime or protecting national security. (Note: there is no limitation in the Bill that the data can only be accessed to investigate or prosecute serious crimes.)

Our government isn’t alone in scratching around for evidence. UK representatives before the CJEU in July 2013 conceded there was no “scientific data” to underpin the claimed need for data retention. In the US, the Privacy and Civil Liberties Oversight Board found that there is little evidence that the metadata program has made the US safer.

As the authors of a study on the EU Data Retention Directive highlight in respect to the “evidence” which had been presented to justify the Directive, it is sufficient to note that the plural of anecdote is not “data”.

Want to know more?

  • Register for the Law Institute of Victoria’s free Data Retention Forum on 24 February.
  • Check out the submissions to the PJCIS on the Data Retention Bill
  • Check out my post on what’s missing from the government’s site on data retention
  • Follow the work of journalists who are covering these issues such as Josh Taylor, Bernard Keane, Allie Coyne, Rohan Pearce, Ben Grubb, Claire Reilly and Paul Farrell.

