The Attorney-General's Department has admitted it has no way of knowing how much data stored under the national data retention regime is hosted offshore.
Australia's data retention laws came into operation in October 2015.
They require telecommunications providers to store certain customer data like personal details, billing information, IP addresses, location and traffic data, and upload and download volumes, among other things, for two years.
But the laws don't force telcos to host the stored data inside Australia.
It's an omission that at the time raised concerns by privacy and security advocates given at least one telco - iiNet - indicated it would find the lowest cost option for storage, which it said at the time was in China.
Shadow Attorney-General Mark Dreyfus at the time said the reforms would "deal not only with the question of where retained data should be kept, but a whole range of other requests relating to telecommunications sector security".
However, under the security reforms bill that entered parliament last November, telcos will only be required to notify the Attorney-General's Department of any new outsourcing or offshoring of sensitive parts of their networks, in case any national security concerns arise.
The legislation states notification is necessary when telcos move equipment outside Australia, buy equipment that is located outside Australia, or enter into new outsourcing arrangements. It makes no directions about the existing data retention regime.
Update: The department has advised that the bill provides it the power to obtain information from telcos "where that information is relevant to assessing compliance" with their obligations to "do their best to protect networks and facilities they own, operate or use from unauthorised access and interference for the purposes of security".
In a parliamentary committee hearing into the telco security reforms today, the Attorney-General's Department revealed it had no insight into the level of offshoring currently in use for the national data retention regime.
"That's something we don't know because there is no obligation for industry to tell us," AGD representative Sarah Chidgey conceded.
Labor MP and committee deputy chair Anthony Byrne argued that the "whole precursor" to the telco security reforms bill was that telcos would be required to detail their offshore data retention arrangements.
"In a sense the whole metadata scheme ... was predicated on the fact that telecommunications companies would have an obligation to protect that data. What you're telling me is that they won't even tell you whether or not they're storing that metadata offshore. How can that be satisfactory?" Byrne said.
The department argued telcos were required under the data retention legislation to adequately protect the dataset, meaning they were obligated to ensure any offshoring arrangements were secure.
Byrne labelled the lack of departmental insight "ridiculous" and "completely unacceptable".
"You're a government agency that is responsible to oversight this and you cannot answer a question about how much data is being offshored, that is just ridiculous," he said.
"It is completely unacceptable that you don't know how much data is being stored offshore ... you need to be aware of that, because you cannot make informed decisions, in my view, or the intelligence agencies can't, or offer the appropriate protections if you're not being given this information."
He called on the AGD to "make it a priority" to find out exactly what offshoring arrangements telcos have implemented for the data retention regime.
The AGD representatives claimed the telco sector security reforms, if passed, would enable the department to gain insight into how much data under the retention regime is being stored otuside Australia.
"This bill would introduce a notification requirement, and one of the kinds of changes that would have to be notified is information that is being stored offshore," AGD representative Anne Sheehan said.
The telco industry has long lobbied against the security reforms, labelling them broad and intrusive.