Telstra is taking a different tack in Australia.
The Australian Communications and Media Authority (ACMA) has told telcos that they have to maintain a database of customer records, even when a customer is no longer using the service.
It means that telcos will no longer have to collect that data when they get a court order for a data breach.
But the ACCC has warned that the requirement will be too strict and could end up creating an incentive for ISPs to do things that would be unlawful under Australian law.
In its report, the ACCC warns that telco providers “may be able to use this database to collect personal information about the subscriber in order to identify them as a particular customer, for example for billing purposes.”
The ACCC is asking telcos to maintain the database of customers who have been removed from the service for reasons other than breaches, and to give customers the option to opt out of data collection by the telco.
Telcos must also keep records of “data use” of the customers who were removed from their service.
“This is a requirement of the Telecommunications Act 1988, and must be maintained at all times.
Telcos will be required to provide a list of the names and addresses of the individuals whose data has been collected,” the ACCC said.
In Australia, telcos collect the following data: name of customer, account number, age, height, weight, body type, gender, occupation, job title, phone number, mobile phone number, email address, and other information.
Telecommunications providers have to keep records for two years, after which the data is deleted.
However, the Australian Privacy Principles (APPs) state that “no data can be deleted without the express consent of the person to whom it relates.”
In other words, if a telco receives a court injunction, the company has to maintain records for at least two years.
If the telcos want to delete customer records they must follow a strict legal process, such as a request for a court hearing, and have a court’s approval.
For instance, in a case where the ACC was asked to maintain customer records in relation to a breach, the telcos must provide a request to the court for a hearing on whether to retain the records, and comply with the APPs.
However, in other cases, telco companies have to follow a legal process to comply with their customers.
When a customer requests a court to keep their personal data, the court must review the request and decide whether to keep the records.
In some cases, the information could be retained at the customer’s request for an indefinite period of time.
The ACTC is currently seeking further information from telcos about how they will comply with these requirements.
Follow Josh on Twitter here