ISPs cry out for extension to data retention deadline

The telecommunications industry has urged the government to roll back its deadline for when internet and carrier service providers must comply with the data retention scheme due to ongoing confusion over their obligations.

Telcos required under the new law to store the metadata of their customers for two years need to either be compliant or submit an implementation plan for compliance with the scheme to the Attorney-General's Office by October 31.

But the 60-day approval timeline for the implementation plan means the companies need to have the document lodged by August 13 or face penalties.

Frustrations around the extremely tight compliance timeframes as well as the lack of clarity on telcos' obligations boiled over today as industry body the Communications Alliance called on the AGD to extend the deadline past October 31.

"We're very rapidly getting to the point where the [federal] government needs to do one of two things," Comms Alliance CEO John Stanton said.

"It either needs to roll back the deadlines for those implementation plans, or make it very clear that they'll exercise forbearance and not move against those players who may be in breach and don't get their plans in by the deadline."

Stanton said the reality of the impending regulatory obligations was proving very daunting both to small and large operators.

"There's an enormous groundswell of concern, particularly among smaller providers, about the ability to understand the requirements of the legislation, get enough information guidance from the Attorney-General's department, and to complete the work," he said.

"And the implementation plan template the Attorney General's department has been working on points to it being a very technical and detailed document, as indeed the explanatory memoranda forecast these plans to be."

A key issue, according to Stanton, is that there is a wealth of different ways service providers could interpret their obligations under mandatory data retention legislation.

He said the auditor-general had advised some obligations also applied to data centre operators.

"A data centre operator who provides physical infrastructure such as air con, electricity or server racks won't have data retention obligations around those services," Stanton said.

"Cabling, lit and unlit fibre, and switches within the data centre are all in services, but they don't have data retention obligations because they're within the same area and covered by that exclusion under the bill.

"Services that are carrier-enabled to or from the data centre will have data retention requirements. It raises the question of what the difference is between dark fibre within a data centre and dark fibre that's provided from one centre to another.

"[The Attorney General's Office] said off-site data retention-type services they didn't think would be subject to data retention, but they would need to look at the details."

At the same conference, leading communications law expert Tony Dooley of Thomson Geer warned that the confusion threatened smaller service providers, who were struggling to come up with data retention compliance plans.

"The companies that are too busy to do anything are getting themselves to the point where they're backed into a corner and they won't have time to get their implementation plan in on time," Dooley said.

Stanton similarly warned that some smaller ISPs might go out of business as a result of their efforts to meet their data retention obligation.

Companies whose implementation plans are approved by the AGD will have 18 months to become compliant with the scheme.