Telecommunication data retention legislation has courted controversy in almost every jurisdiction it has been introduced, and with valid reason. In its most simplified form, it represents a crossroads between national safety and personal privacy, and at its worst an opportunity for monetary gain. When you start to dig into the details about who can access such data and how they can gain access, with or without data retention laws in place, it is easy to see why concerns continue to be raised. Even the UK data retention legislation passed in 2014 has already been slated to be superseded in 2016 following a legal challenge brought by a couple of MPs.
Despite such issues, many of which are clearly still being worked through, data retention compliance requirements have been in place for some time in some parts of the US and Europe and became effective in Australia when the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 passed into law in 2015. It seems straightforward, albeit not inexpensive, that CSPs in Australia would leverage off the lessons learned and teething issues experienced elsewhere.
After all, this is not really a technical exercise to set CSPs apart from their competition. At face value the work has little commercial benefit. Implementation is about meeting business and compliance obligations at lowest cost and with least disruption, as well as minimising the ongoing compliance overheads. CSPs should try to save money and time by understanding the lessons learned in other countries.
So have they? In reality, the data retention legislation in Europe is a basket case. The Data Retention Directive adopted by the EU in 2006 was declared invalid in 2014. Member states were meant to have adopted the directive into their national legislation, and of those that did, many have done so with local variations or only adopted it partially. And what about the US? In simplistic terms, commercial data retention in the US is voluntary (though such data can be subpoenaed under other legislation, including the USA Patriot Act). Attempts there to pass a range of mandatory data retention legislation have all failed.
Even so, systems and processes and the associated expertise and skill sets have been developed in the US and Europe to handle the data requests issued by law enforcement agencies. However, the legislation in Australia does have some additional nuances not seen elsewhere (or at least, compared to what has been attempted elsewhere). These additional ‘features’ to the Australian requirements have some pretty big practical consequences that may impede the ability to just plug and play systems and processes from overseas.
For instance, while the data must be held for the now fairly standardised two-year period, it must be encrypted. Depending on how and where the data is stored, there will be substantial overheads involved in encrypting and decrypting two years’ worth of data on a rolling basis.
The bigger challenge is that anything stored for the purpose of compliance with Data Retention legislation in Australia is also subject to the Privacy Act: any person can request the information that is retained about them. For data stores that are encrypted, CSPs now have to determine how they will comply with privacy requests, since encrypted data cannot be searched. The obligations of the Privacy Act, combined with data encryption requirements, have the potential to add considerable complexity. Not only that, changes to privacy legislation over the last year have considerably increased the powers of Privacy Commissioner Timothy Pilgrim. As a consequence, Pilgrim can demand undertakings by businesses and hand out substantial penalties for non-compliance.
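The tension just described, an encrypted retention store that must still answer a per-person access request, is usually resolved by storing a keyed blind index beside each encrypted row, so that one subscriber's records can be located and decrypted without decrypting the whole store. The following is an added example written for this page, not code from the article or from any CSP; the subscriber identifiers and records are constructed, the index and data keys are generated at import time, and HMAC-SHA256 in counter mode stands in for a vetted AEAD cipher so the block runs on the standard library alone.

```python
import hashlib
import hmac
import json
import os
import secrets
from collections import defaultdict

# Constructed keys for this example. The index key and data key are kept apart, so
# a role that may locate a subscriber's rows still cannot read them without the data key.
INDEX_KEY = secrets.token_bytes(32)
DATA_KEY = secrets.token_bytes(32)


def blind_index(subscriber_id: str, key: bytes = INDEX_KEY) -> str:
    """Keyed, deterministic token for a subscriber identifier.

    Equal identifiers give equal tokens, so rows can be grouped and looked up,
    but without the key a token reveals nothing about the identifier behind it.
    """
    return hmac.new(key, subscriber_id.encode("utf-8"), hashlib.sha256).hexdigest()


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and authentication keys derived from the one data key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES-GCM or similar AEAD.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(record: dict, key: bytes = DATA_KEY) -> dict:
    """Encrypt one retention record and authenticate nonce + ciphertext."""
    nonce = os.urandom(16)
    plaintext = json.dumps(record, sort_keys=True).encode("utf-8")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def decrypt_record(blob: dict, key: bytes = DATA_KEY) -> dict:
    """Verify the tag before decrypting; a tampered or foreign blob is rejected."""
    nonce = bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ct"])
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("integrity check failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return json.loads(plaintext.decode("utf-8"))


class RetentionStore:
    """Encrypted rows grouped under a blind index; nothing is held in the clear."""

    def __init__(self) -> None:
        self._rows = defaultdict(list)

    def retain(self, record: dict) -> None:
        self._rows[blind_index(record["subscriber"])].append(encrypt_record(record))

    def records_for(self, subscriber_id: str) -> list:
        """Answer an access request by decrypting only that subscriber's rows."""
        return [decrypt_record(b) for b in self._rows.get(blind_index(subscriber_id), [])]

    def row_count(self) -> int:
        return sum(len(v) for v in self._rows.values())


# Constructed sample records; the identifiers are made up, not real subscribers.
SAMPLE_RECORDS = [
    {"subscriber": "sub-0001", "event": "call", "peer": "sub-0002", "ts": "2016-01-04T09:12:00+11:00"},
    {"subscriber": "sub-0002", "event": "sms", "peer": "sub-0003", "ts": "2016-01-04T09:15:30+11:00"},
    {"subscriber": "sub-0001", "event": "data", "bytes": 48210, "ts": "2016-01-05T18:40:11+11:00"},
]


def build_sample_store() -> RetentionStore:
    store = RetentionStore()
    for rec in SAMPLE_RECORDS:
        store.retain(rec)
    return store


if __name__ == "__main__":
    store = build_sample_store()
    for rec in store.records_for("sub-0001"):
        print(rec)
```

The design point is that the blind index is deterministic only under a key held by the CSP, so the index column is no more searchable to an outsider than the ciphertext, while an access request costs one HMAC and the decryption of that subscriber's rows rather than a pass over two years of data. Keeping the index key and data key in different custody also gives a natural least-privilege split between the team that locates records and the team that releases them.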
Over AUD 128 million (USD 98 million) of Data Retention Industry Grants have been made available to assist with implementation. Australia's top three players, Telstra, Vodafone and Optus, have predictably taken the lion's share of the grants, receiving AUD 84 million (USD 64 million) between them. A further 125 CSPs will share the remainder. This represents only a portion of the AUD 319 million (USD 243 million) cost of implementation estimated by PricewaterhouseCoopers, with only half of the grant available up front and the remainder released after completing the reporting requirements.
Global events of the last year have seen national security thrown into sharp relief. Locally, reports of customers being impacted by major events relating to reliability and speed of telco networks are occurring more regularly. Thus the focus and scrutiny on the full impact, benefits and concerns of the data retention legislation are yet to be seen. In any case, CSPs in Australia are still within the 18 month grace period where they're permitted to operate a 'data retention implementation plan' in order to achieve compliance with this new legislation. However, there are potentially serious consequences beyond just time and money if they don't complete this by April 2017.
Though this is a compliance exercise for CSPs, they need to worry about more than just fines and potential imprisonment. Their revenues may be impacted by the need to make new products compliant from launch. However, only time will tell whether the legislation enacted in Australia is robust enough to withstand the intense public scrutiny and protests that have buffeted similar legislation introduced elsewhere.
In the meantime, there is a smiley-faced but tooth-sharpened Privacy Commissioner ready to test his new powers. In addition, there is likely to be an increase in the number of data requests from law enforcement agencies as cyber-forensic analysis starts to become the norm. Australian CSPs must be mindful that time is of the essence if they are to achieve compliance before the deadline. They are expected to rise to the new and conflicting demands of legislative goals not previously tried elsewhere. April 2017 does not seem so far away after all.