Simplifying Data Retention Rules: A Harder Task Than Expected
The Australian government’s review of data retention obligations, launched in the wake of the Optus data breach, is proving more complex than expected and will likely take longer than initially planned because of problems with the scope and clarity of existing laws. Peter Anstee, first assistant secretary for cyber and technology security policy in the Department of Home Affairs, explained that the government’s effort to understand and streamline the many data retention requirements imposed on companies is hampered by ambiguities in the legislation itself. Because the provisions are unclear about exactly what data companies must retain, and for how long, it is hard to form clear policy recommendations.
Anstee elaborated on the phased approach the government is taking to address these issues. The first step involves examining all relevant Commonwealth legislation to identify existing obligations placed on companies. This task, while seemingly straightforward, has proven to be far more complicated than anticipated. The next phase will involve determining whether there is a logical way to consolidate or simplify these requirements. For example, specific retention periods may be needed in sectors like healthcare and financial services due to regulatory reasons, and the government needs to weigh the importance of these sector-specific rules against the broader goal of streamlining data retention requirements.
A key challenge in this process is the “scope” of the review. Many of the existing laws were drafted before digital storage became the norm, so they often say little about what data must be retained, in what form, or how it should be stored and protected. Anstee emphasised that digital resilience is an important consideration precisely because the laws predate today’s technology. The government wants any regulatory changes to reflect the modern data landscape while balancing privacy concerns against the need for businesses to comply with appropriate retention practices.
The government’s ongoing efforts to better understand and manage the makeup of digital supply chains have also been accelerated in part by the CrowdStrike incident of July 2024, in which a faulty content update to a widely deployed endpoint security sensor crashed Windows systems around the world. The event highlighted the fragility of digital supply chains, showing how a seemingly routine update to a single vendor’s software could quickly escalate into a global outage. Anstee said the incident underscored the need for a systems-level view of how digital systems across industries are interconnected. While the Security of Critical Infrastructure Act has given the government some insight into the supply chains of critical infrastructure operators, Anstee noted that visibility into the broader supply chains underpinning the economy is still lacking.
In response, the government is working with industry partners to better map these digital interdependencies, particularly in sectors like energy, healthcare, and higher education. This mapping effort aims to enhance digital resilience by testing and understanding the dependencies between different critical infrastructure systems. By identifying and addressing these interdependencies, the government hopes to strengthen the overall security and robustness of Australia’s digital economy.
Anstee also touched on the recent passage of Australia’s first standalone cybersecurity law, the Cyber Security Act 2024, calling it a “foundational piece of legislation” that the government can build on and adapt as the threat landscape evolves. One of its key provisions requires organisations to report ransom payments made to threat actors, within 72 hours of paying. Anstee framed this as part of a broader data collection effort aimed at understanding the ransomware landscape, not as a way of penalising companies for paying. Although organisations that fail to report a payment can face fines, Anstee stressed that enforcement would be a last resort: the government plans to engage with companies first and obtain the relevant data voluntarily.
This approach to regulatory enforcement—starting with voluntary codes of practice and gradually increasing enforcement if necessary—represents a more collaborative and measured response to emerging cybersecurity threats. Anstee highlighted the importance of engaging with the industry throughout the legislative process to ensure that regulations are practical and aligned with the needs of businesses while also addressing the broader security concerns that affect the country.