Ahead of parliamentary hearings this week into the Australian government's proposed data retention regime, privacy watchdogs have lined up to criticise the legislation.
Australia's Privacy Commissioner Tim Pilgrim has warned that the data collected poses a serious threat to privacy, and recommends that mandatory data breach notification be put in place.
“Telecommunications data retained under the scheme is likely to be a target for people with malicious or criminal intent. In the event of a security breach resulting in unauthorised access to or disclosure of telecommunications data, affected individuals would face increased risks of identity theft, fraud, harassment or embarrassment,” his submission to the inquiry states.
The commissioner also disagrees with the government's assertions that the regime doesn't require providers to collect any new information.
“[M]uch more personal information will be collected and retained by all service providers under the proposed data retention scheme than is currently, and would otherwise be, collected and retained,” the submission states.
“[T]he collection and retention of such a large volume of personal information has the potential to build a detailed picture of an individual’s activities, relationships and behaviours,” Pilgrim continues.
Citing the principle applied in other jurisdictions, that data collection should be necessary and proportionate, Pilgrim says the regime should collect only a minimum of data, and retain it for a minimum of time.
Pilgrim states that the government should publish the reasoning behind its desire to retain data for two years, and he adds that the legislation – the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 – should set out the retention period applicable to each type of data collected.
As it now stands, the legislation allows regulations to be set that apply different retention periods to different data sets. Regarding the data types set out in the legislation's explanatory memorandum (billing / payments, contract or plan type, service status and usage data), Pilgrim states that “It is not clear why each of these types of telecommunications data are required to be retained for the life of the account plus two years as a default”.
Victoria's Commissioner for Privacy and Data Protection is also harshly critical of the legislation. In its submission, the office says the regime attenuates privacy rights without safeguards to protect the public, and “creates undefined and uncontrolled security vulnerabilities”.
“These shortcomings, combined with the Bill’s failure to define fundamental concepts means that it is so vague and opaque as to make it impossible to clearly determine the risks it poses or to suggest appropriate mitigation measures. It also means that there is no meaningful way to determine how much it will cost taxpayers or to measure whether or not it produces public value commensurate with its cost”, the Victorian submission says. ®