One of the most frequent questions I have seen is the simple question of “Do I have Data Retention Obligations”. David Ohri provided an excellent overview in his presentation.
If an entity wants to know if the data retention scheme imposes data retention obligations on it, it should ask itself the following three questions. If the answer to all three questions is yes, the entity will be required to retain data under the data retention scheme. If the answer to one of the questions is no it will not have any obligations to retain data under the data retention scheme:
- Are you a ‘carrier’, ‘carriage service provider’ or ‘internet service provider’?
- Do you operate at least one ‘relevant service’?
- Do you own or operate ‘infrastructure’ in Australia that enables the provision of at least one of your relevant services?
A service provider that satisfies all of these conditions will be referred to as a Relevant Service Provider.
Are you a ‘carrier’, ‘carriage service provider’ or ‘internet service provider’?
A lot of potential providers approach this question in the wrong order. They approach it from the perspective that they “run a relevant service” and then try to work out from there if they are a carriage service provider. Fortunately, the legislation isn’t drafted in that form.
It’s worth spending a bit of time considering each of these points individually. If you are a “carrier” you probably already know. You have applied for a Carrier license and been granted it by the ACMA.
The next two, “carriage service provider/internet service provider” can be a little more complicated. If you are an “internet service provider” – i.e. you provide internet to someone in the form of re-billing another parties service, terminating layer 2 internet tails and adding internet on top or providing internet in some other form, you are going to be covered.
If you are a member of the TIO, you are going to be a carriage service provider and so are going to be covered.
If you are purchasing a server in a data centre with internet from someone else and then delivering some service on top of it then you may, in fact, not be covered. In these situations you probably need to seek legal advice to help determine your status. I’ve asked industry groups, such as Internet Australia to consider whether they can assist small organisations that are struggling with determining if they obligations here with a more full matrix of what your obligations are.
I certainly hold the perspective that hotels, service offices, multi-tenanted buildings and other locations you would potentially think would “not” be covered are, in fact, probably technically carriage service providers or internet service providers and so have obligations under this legislation.
Do you operate at least one ‘relevant service’?
If you operate one relevant service (and lets face it, you probably do if you are reading this blog) you are covered.
Do you own or operate ‘infrastructure’ in Australia that enables the provision of at least one of your relevant services?
For the purposes of this question, Infrastructure is any server or infrastructure that facilitates the communications, including billing systems/servers. This may be a firewall on a customer site or a mail filtering appliance. We imagine that it would be very rare for someone to be able to answer “yes” to questions 1 or 2 and then answer “no” to this question, but perhaps, in some cases, it may be possible.
I’d love to discuss (in the comments section) a little bit more of the intricacies of whether particular scenarios, such as hosting providers or VoIP only providers (that don’t deliver internet access) have obligations in this area. I’m sure this isn’t the “intent” of the legislation, but it probably equates to the letter of the legislation.