Metadata Retention Requirements in Australia: What You Need to Know

February 22, 2019

Metadata is the information that is generated when you use digital communication services, such as phone calls, emails, text messages, or internet browsing. Metadata can include details such as the time, date, duration, location, and recipients of your communications, but not the actual content or substance of what you say or write.

In 2015, the Australian government passed a law that requires telecommunications and internet providers to store customer metadata for at least two years under the Telecommunications (Interception and Access) Act 1979³. The law was introduced as a measure to combat serious crimes and national security threats by giving law enforcement and intelligence agencies access to metadata without a warrant.

However, the law has also raised concerns about the privacy and human rights implications of collecting and storing such a large amount of personal data without adequate safeguards or oversight. Critics of the law argue that metadata can reveal sensitive information about a person's identity, activities, associations, preferences, and opinions, and that it can be used for purposes beyond those originally intended, such as enforcing fine debts or protecting public revenue². Moreover, the law does not provide clear definitions of what constitutes metadata or serious crimes, leaving room for interpretation and potential abuse².

The law also poses challenges for data management and disposal by telecommunications and internet providers. According to the National Archives of Australia, data and datasets retained in business systems are Commonwealth records and must be managed in accordance with the Archives Act 1983¹. This means that providers need to identify, classify, store, protect, share, and dispose of data and datasets according to records authorities and standards. However, the law does not specify how providers should dispose of metadata after the retention period expires or how they should handle requests for access or deletion by customers or third parties¹.

The mandatory data retention regime has been reviewed by the Parliamentary Joint Committee on Intelligence and Security (PJCIS), which made 22 recommendations for reform in 2020. These include better reporting requirements, tighter restrictions on authorisation for accessing metadata, and clearer definitions of metadata and serious crimes². However, the PJCIS did not endorse some of the key recommendations made by the Australian Human Rights Commission, such as reducing the data retention period from two years or introducing a warrant system for metadata access².

The mandatory data retention regime remains a controversial and complex issue that affects the privacy and security of millions of Australians. As technology evolves and new forms of communication emerge, it is important to balance the legitimate needs of law enforcement and intelligence agencies with the protection of human rights and civil liberties.

If you need advice or information on metadata retention, or help implementing it for your business, please contact us for a custom quote.
