When it comes to covering the cost of implementing and complying with the Data Retention Act, Internet service providers (ISPs) are likely to wait more than a year for full government funding, the Attorney-General’s Department revealed during a Senate Estimates hearing last night.
In this year’s federal budget, $131.3 million was allocated to help ISPs cover data retention costs through a grants program.
Samantha Chard, assistant secretary of data retention within the Attorney General’s Department, revealed during Senate Estimates that $2.9 million will be taken out of the $131.3 million total, leaving ISPs really with $128.4m in funding.
That $2.9 million goes to the department over three years to cover administration, provisioning of IT systems so that service providers can apply online, negotiation of funding agreements, monitoring grants during their life, and any assurance mechanisms that need to be put in place, Chard said during the hearing
None of the $128.4m in funding has been provided to ISPs yet, Chard said. Further, the funding will likely not be paid out to ISPs in full, with near half of that amount ($63.5m) to be distributed in 2015-16 and the rest towards the end of the implementation period.
“It’s likely that the funding will be distributed as payments upon commencement of a grant, so in funding agreements between the commonwealth and the provider. And then there would be another payment made towards the end of the grant, towards the end of the implementation period,” Chard said.
The Data Retention Act has been in effect since 13 October 2015, with all ISPs given at most 18 months from that date to implement their data retention plans and be compliant with the law. The Act requires ISPs to store metadata on all their customers for a period of two years, which could incur storage and infrastructure costs.
A recent Communications Alliance survey of ISPs found that 32 per
cent of the 63 service providers that participated in the research estimated a one-off setup will cost between
$10,000 and $50,000, with 25 per cent believing it would be between
$50,000 and $250,000.
A further 12 per cent expected to pay between $250,000 and $1 million, 7 per cent said between $1 million and $10 million and 5 per cent would pay more than $10 million.
Only about 9 per cent are estimating the one-off setup cost of between $1000 and $10,000 with 10 per cent estimating a cost of less than $10,000.
The telecommunications industry body also found from its survey that 90 per cent of those who lodged a data retention implementation plan (about 58 per cent of survey respondents) are still waiting for it to be approved.
Chard said the department has made a decision on 79 on the 227 applications it has received as at 13 October, meaning 65 per cent of implementation plans are waiting to either be approved or requested for amendment. The department is expecting to make a decision for the service providers that are waiting by the end of December.
Internet users group, Internet Australia, said ISPs will “effectively have to bankroll the government for the time being” when it comes to covering their costs for complying with the Data Retention Act.
"We've already had one ISP tell us they're shutting up shop as a result of data retention. We fear they will not be the only casualty of this flawed legislation,” CEO of Internet Australia, Laurie Patton, told CIO.
Chard said in Senate Estimates that the feedback from industry on implementing data retention has been “quite positive”.
Patton said that comment from the Attorney General's Department was "absolutely mind boggling", and said many of Internet Australia’s ISP members have voiced their concerns around costs and confusion around their obligations.
"I don't know who they've been talking to, but I suggest they should start talking to some of the hundreds of ISPs affected,” Patton said.
Chard said the department has gone through extensive consultation with industry through the Industry Implementation Working Group (IWG), industry stakeholder forums, emails sent to industry groups through the Telecommunications Industry Ombudsman, a hotline that runs during standard business hours, and guidance material distributed to industry and published on the department’s website.
Chard added that the department won’t be using any enforcement action on ISPs to comply during the 18-month implementation period, “unless it’s an absolute last resort”.
“The priority for the department is to work collaboratively with any providers during the 18-month implementation period - that’s going to be our predominant focus; to work with those providers that have yet to submit any applications.”
Follow Rebecca Merrett on Twitter: @Rebecca_Merrett
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.