Metadata law takes effect, but few if any are compliant

Australia’s controversial mandatory metadata retention legislation has officially come into effect, despite a continued lack of clarity over compliance retirements.

Under the legislation passed in March, ISPs and other telecom service providers will need to retain customer metadata for two years for access by law enforcement and regulatory agencies.

The legislation stipulates that operators should be compliant from today. But research from the Communications Alliance published last week suggests that only 58% of its members have submitted a data retention implementation plan to the government, and of these three-quarters have not been informed if their plan has been improved.

Furthermore, 36.5% admit to not being at all confident that they understand what the legislation requires them to retain, and only 11.1% were very confident in their understanding. More than eight in 10 agreed that they would not be fully compliant once the legislation came into effect.

ITNews reported today that none of Australia’s big three operators are yet compliant with the legislation. Telstra has submitted an implementation plan and been granted an 18-month extension, while Optus and Vodafone have applied for their own extensions.

Telstra Chairman Catherine Livingstone mentioned at the company’s latest AGM that Telstra may be the only Australian telecom operator with an approved data retention implementation plan. She added that the company is “very conscious of regulatory costs incurred, and will absolutely recover them as we can”.

“It is no surprise that many service providers won’t be compliant when the legislation comes into force — many of them because they are still waiting to hear from government as to whether their implementation plans have been approved,” Communications Alliance CEO John Stanton said in a statement.

The federal government meanwhile no longer plans to pass mandatory data breach notification laws by the end of the year, according to Attorney-General George Brandis.

Brandis had previously stated that data breach legislation will be passed this year. But in Question Time on Tuesday he stated that the government intends only to introduce legislation to the parliament before the end of the year.

With only around three weeks’ worth of sitting days remaining, Greens senator Scott Ludlam had called on the government to bring forward the legislation to ensure it was in place to offer a degree of protection to any individuals who have their metadata stolen.

The introduction of notification requirements was a key concession made by the Coalition government to ensure the metadata retention law passed.

Ludlam predicted that there will be metadata breaches and “peoples’ lives will be ruined” as a result of the data retention legislation.

Brandis also confirmed during Question Time that the majority of the $131 million allocated by the government to help telecom service providers affray the costs of introducing metadata legislation would go towards smaller ISPs.

Internet Australia has previously warned that the cost of complying with the new legislation could lead to the demise of some smaller ISPs, but Brandis said the funds allocated are “a reasonable contribution to those costs”.

Image courtesy of CollegeDegrees360 under CC