This article exists as part of the online archive for HuffPost Australia, which closed in 2021.

Data Retention Laws Are Now In Effect And Here's What You Need To Know

It's more important than it seems.
Telecommunications companies are now required by law to retain customers' metadata.
Getty Images
Telecommunications companies are now required by law to retain customers' metadata.

The Federal government's data retention scheme has officially been in effect for a week, meaning the metadata of every Australian's mobile and online communications has started to be collected and will be stored for at least two years and put at the scrutiny of national security bodies.

The retention laws were passed back in 2015 and saw the Federal Government compel telecommunications companies and internet service providers to keep consistent and reliable data on their customers for two years.

As part of the changes, criminal law enforcement and intelligence agencies, such as ASIO and the AFP, will be able to quickly self-authorise access to the stored metadata in the interests of national security.

So with that being said, here is what you need to know.

Metadata is the background technical information around a communication; the time and date of a call, how long it lasted, the IP address of a webpage that an internet user browses to and email addresses, but not a recording of the actual content of the call or website visited.

In 2015, the government passed controversial laws that made it compulsory for telecommunications providers to retain metadata from their users for at least two years.

Attorney-General George Brandis famously compared metadata to a letter in the post; "The metadata is the name and address on the envelope, not the content of the letter".

As part of the changes, Australian telecommunications companies will be required by law to retain six different types of metadata from their customers' usage and the information subject to the scrutiny of law enforcement and national security bodies.

The areas of data to be stored and provided to the government include:

  • Any identifying information linked to the subscribers of accounts with service providers, meaning the names, addresses, phone numbers, email addresses and IP addresses of individuals in accordance with billing details that telecommunications companies have.
  • The source of any communications, meaning the phone numbers, usernames, email addresses and IP addresses of any individual or account that establishes a phone call, SMS message, voice message or email.
  • The destination of any communications. This includes the phone number, usernames, email addresses and IP addresses of any individual who receives SMS messages, voice messages, multimedia communications or emails. This excludes individual's internet browsing histories.
  • The date, time and duration of communication or any details identifying a connection to an internet service (such as Wi-Fi or ADSL).
  • The types of communications and internet services used. This will mean the government will be able to know if individuals send SMS messages, emails, voice messages, chat or forum messages or any social media usage via services such as Wi-Fi or ADSL connections.
  • The physical location from which a communication is made, whether that be the geographic location of a mobile device or the physical address linked to a fixed internet connection.

Despite an 18-month planning period requested of the Federal government by Australia's three biggest telecommunications companies (Telstra, Optus and Vodafone), the scheme is in effect as of Thursday and will extend until 2019 when the Parliamentary Joint Committee on Intelligence and Security is set to review it.

For Jon Lawrence, the Executive Officer of non-profit organisation Electronic Frontiers Australia which promotes digital freedom and privacy, the new laws are "indiscriminate". He says the information being gathered on every individual has a high likelihood of being compromised by the people who have access to it and that could cause "genuine harm" to ordinary people.

"The government is forcing telcos to collect this information which actually does provide the potential for really quite detailed conclusions to be drawn about your life," he said.

"People need to be aware because it is indiscriminate and it's catching everyone in one big trawl of information from society.

"We need to make sure that the government doesn't step too far down the wrong path here. If this information is compromised, that can do real genuine harm to people's lives. Certain information about people getting out in the public domain can do genuine harm to people."

Lawrence told The Huffington Post Australia the laws refuse Australians "a private space" in which to move and communicate and there are currently no processes in place to stop individuals' information falling into the hands of someone with "malicious intentions".

"We need to draw a line here so that we can continue to have a private space so that we can move around and communicate with people without essentially being recorded for posterity in case the government wants to look at it," he said.

"It's really about the fact that this information being used in the first place in itself is a risk. The likelihood of this information is going to get compromised is really quite high. The best way to avoid that is to not keep it in a national database.

"Our position on this is that we certainly don't want to stand in the way of legitimate law enforcement but there really should be some sort of independent authorisation service."

According to Australia's former Privacy Commissioner, Malcolm Crompton, the issue boils down to the "insufficient" authorisation processes that have been put in place to keep law enforcement and national security bodies accountable when accessing individuals' metadata.

Crompton, who is now the Managing Director of Information Integrity Solutions -- a consultancy organisation specialising in data protection, told HuffPost Australia the new laws allow government and law enforcement bodies to understand the "patterns" of an individual's actions through metadata and the protections available to individuals designed to avoid the misuse of that information are "weak".

"It's become abundantly clear that the most useful, predictive information about you actually comes from your behaviour and your behaviour is learnt from how your location moves, when you undertake activity and with whom you undertake activity... It's the metadata that gives you patterns," he said.

"The accountabilities for access to that data are incredibly weak... What is completely inappropriate is a lack of accountability for having such power and the lack of protection the ordinary citizen has."

He also said that, while there is an argument for allowing the laws to be in place to counteract crime and acts of terror, there needs to be higher standards of audits when it comes to understanding why metadata was accessed and what it was used for.

"Why shouldn't the police be forced to act on proper orders from courts to access this data? Why aren't they exposed to proper audits of why they've accessed the data and what they used it for?" he said.

"These are processes that are removing the ability of the individual to be let alone at your discretion as opposed to somebody else's discretion.

"These kinds of powers need to be available to law enforcement and national security but they must be held to much higher levels of accountability and require much higher standards of audit and assurance and much higher standards of redress."


This article exists as part of the online archive for HuffPost Australia. Certain site features have been disabled. If you have questions or concerns, please check our FAQ or contact