Im März 2015 hat das aus­tra­li­sche Par­la­ment dem Ent­wurf für ein sehr weit­rei­chen­des Gesetz zur Vor­rats­da­ten­spei­che­rung (VDS) zuge­stimmt. Das TELECOMMUNICATIONS (INTERCEPTION AND ACCESS) AMENDMENT (DATA RETENTION) BILL 2014 bringt eine deut­lich wei­ter­ge­hen­de Pflicht zur Spei­che­rung von Benut­zer­da­ten, als die bei uns in Deutsch­land aktu­ell dis­ku­tier­te VDS. Den­noch ent­hält das Gesetz einen Aspekt, des­sen Über­nah­me – bei aller grund­sätz­li­chen Kri­tik – auch unse­rem Gesetz­ge­ber in der par­la­men­ta­ri­schen Bera­tung zu raten wäre:

In der aus­tra­li­schen Fas­sung einer VDS wird näm­lich der ACMA, der „Aus­tra­lia Media and Com­mu­ni­ca­ti­ons Aut­ho­ri­ty“, also der zustän­di­gen Regu­lie­rungs­be­hör­de (ver­gleich­bar unse­rer BNetzA), die Mög­lich­keit eröff­net, bestimm­te Ser­vices bzw. Anbie­ter­grup­pen von der Über­wa­chungs­pflicht zu befrei­en, um dem Gebot der Ver­hält­nis­mä­ßig­keit und Daten­spar­sam­keit indi­vi­du­ell ange­mes­sen Rech­nung tra­gen zu kön­nen. Ein Com­mu­ni­ca­ti­ons Access Coor­di­na­tor (CAC) der beim Gene­ral­staats­an­walt ange­sie­delt ist, ist zudem als koor­di­nie­ren­de Bin­de­glied zwi­schen Ermitt­lungs­be­hör­den und ver­pflich­te­ten Unter­neh­men u.a. dafür zustän­dig, die kon­kre­ten Aus­nah­men näher zu definieren.

Beim aktu­el­len Ent­wurf für eine VDS in Deutsch­land sol­len dage­gen alle Unter­neh­men, auch kleins­te Ein-Mann- Pro­vi­der, in unver­hält­nis­mä­ßi­ger Wei­se mit Auf­wand und Kos­ten belas­tet, obwohl der Gesetz­ent­wurf selbst zu dem Schluss kommt, dass 98% aller Daten­ver­keh­re bei nur 20 Unter­neh­men anfal­len und für alle ande­ren Anbie­ter die Belas­tung eine unbil­li­ge Här­te dar­stel­len wür­den. In Aus­nah­me­fäl­len soll dafür zwar eine Ent­schä­di­gung gewährt wer­den, doch wird damit die eigent­lich unver­hält­nis­mä­ßi­ge Belas­tung nicht ver­mie­den, wie es auch das Prin­zip der Daten­spar­sam­keit im Inter­es­se der betrof­fe­nen Bür­ger eigent­lich gebie­ten wür­de. Eine Mar­gi­nal­gren­ze, wie Sie bereits in der Tele­kom­mu­ni­ka­ti­ons­über­wa­chung (TKÜV) bei 10.000 Teil­neh­mern gezo­gen ist, ist bis­lang auch nicht vor­ge­se­hen. Die­ses ist im Rah­men der par­la­men­ta­ri­schen Bera­tun­gen drin­gend nachzuholen.

Eine noch bes­se­re Mög­lich­keit zur Siche­rung der Ver­hält­nis­mä­ßig­keit wäre es aber, nach dem Vor­bild Aus­tra­li­ens der BNetzA die Mög­lich­keit zu geben, im Beneh­men mit den Ermitt­lungs­be­hör­den sol­che Unter­neh­men und Ser­vices von der Ver­pflich­tung aus­neh­men zu kön­nen, bei denen sich kei­ne oder nur sehr unwahr­schein­lich über­haupt rele­van­te Ermitt­lungs­an­sät­ze durch eine VDS erge­ben können. 

 


Die rele­van­ten Rege­lun­gen der Aus­tra­li­er sind daher hier doku­men­tiert, die wich­tigs­ten Stel­len in Fett hervorgehoben:

Divi­si­on 3—Exemptions

187K The Com­mu­ni­ca­ti­ons Access Co-ordi­na­tor may grant exemp­ti­ons or varia­ti­ons Decis­i­on to exempt or vary

(1) The Com­mu­ni­ca­ti­ons Access Co-ordi­na­tor may:
(a) exempt a spe­ci­fied ser­vice pro­vi­der from the obli­ga­ti­ons impo­sed on the ser­vice pro­vi­der under this Part, eit­her gene­ral­ly or in so far as they rela­te to a spe­ci­fied kind of rele­vant ser­vice; or
(b) vary the obli­ga­ti­ons impo­sed on a spe­ci­fied ser­vice pro­vi­der under this Part, eit­her gene­ral­ly or in so far as they rela­te to a spe­ci­fied kind of rele­vant ser­vice; or 
© vary, in rela­ti­on to a spe­ci­fied ser­vice pro­vi­der, a peri­od spe­ci­fied in sec­tion 187C, eit­her gene­ral­ly or in rela­ti­on to infor­ma­ti­on or docu­ments that rela­te to a spe­ci­fied kind of rele­vant service. 
A varia­ti­on must not impo­se obli­ga­ti­ons that would exceed the obli­ga­ti­ons to which a ser­vice pro­vi­der would other­wi­se be sub­ject under sec­tions 187A and 187C. 
(2) The decis­i­on must be in writing. 
(3) The decis­i­on may be: 
(a) uncon­di­tio­nal; or 
(b) sub­ject to such con­di­ti­ons as are spe­ci­fied in the decision. 
(4) A decis­i­on made under sub­sec­tion (1) is not a legis­la­ti­ve instru­ment. Effect of app­ly­ing for exemp­ti­on or variation 
(5) If a ser­vice pro­vi­der appli­es in wri­ting to the Com­mu­ni­ca­ti­ons Access Co-ordi­na­tor for a par­ti­cu­lar decis­i­on under sub­sec­tion (1) rela­ting to the ser­vice provider: 
(a) the Co-ordinator: 
(i) must give a copy of the appli­ca­ti­on to the enforce­ment agen­ci­es and secu­ri­ty aut­ho­ri­ties that, in the opi­ni­on of the Co-ordi­na­tor, are likely to be inte­res­ted in the appli­ca­ti­on; and 
(ii) may give a copy of the appli­ca­ti­on to the ACMA; and 
(b) if the Co-ordi­na­tor does not, within 60 days after the day the Co-ordi­na­tor recei­ves the application: 
(i) make a decis­i­on on the appli­ca­ti­on, and 
(ii) com­mu­ni­ca­te to the appli­cant the decis­i­on on the appli­ca­ti­on; the Co-ordi­na­tor is taken, at the end of that peri­od of 60 days, to have made the decis­i­on that the ser­vice pro­vi­der appli­ed for. 
(6) A decis­i­on that is taken under paragraph 
(5)(b) to have been made in rela­ti­on to a ser­vice pro­vi­der that appli­ed for the decis­i­on has effect only until the Com­mu­ni­ca­ti­ons Access Co ordi­na­tor makes, and com­mu­ni­ca­tes to the ser­vice pro­vi­der, a decis­i­on on the appli­ca­ti­on. Mat­ters to be taken into account 
(7) Befo­re making a decis­i­on under sub­sec­tion (1) in rela­ti­on to a ser­vice pro­vi­der, the Com­mu­ni­ca­ti­ons Access Co-ordi­na­tor must take into account: 
(a) the inte­rests of law enforce­ment and natio­nal secu­ri­ty; and
(b) the objects of the Tele­com­mu­ni­ca­ti­ons Act 1997; and 
© the ser­vice provider’s histo­ry of com­pli­ance with this Part; and 
(d) the ser­vice provider’s cos­ts, or anti­ci­pa­ted cos­ts, of com­ply­ing with this Part; and 
(e) any alter­na­ti­ve data reten­ti­on or infor­ma­ti­on secu­ri­ty arran­ge­ments that the ser­vice pro­vi­der has identified. 
(8) The Com­mu­ni­ca­ti­ons Access Co-ordi­na­tor may take into account any other mat­ter he or she con­siders relevant.

187KA Review of exemp­ti­on or varia­ti­on decisions

(1) A ser­vice pro­vi­der may app­ly in wri­ting to the ACMA for review of a decis­i­on under sub­sec­tion 187K(1) rela­ting to the ser­vice provider. 
(2) The ACMA must: 
(a) con­firm the decis­i­on; or 
(b) sub­sti­tu­te for that decis­i­on ano­ther decis­i­on that could have been made under sub­sec­tion 187K(1). A sub­sti­tu­ted decis­i­on under para­graph (b) has effect (other than for the pur­po­ses of this sec­tion) as if it were a decis­i­on of the Com­mu­ni­ca­ti­ons Access Co ordi­na­tor under sub­sec­tion 187K(1).
(3) Befo­re con­side­ring its review of the decis­i­on under sub­sec­tion 187K(1), the ACMA must give a copy of the appli­ca­ti­on to: 
(a) the Com­mu­ni­ca­ti­ons Access Co-ordi­na­tor; and 
(b) any enforce­ment agen­ci­es and secu­ri­ty aut­ho­ri­ties that were given, under sub­pa­ra­graph 187K(5)(a)(i), a copy of the appli­ca­ti­on for the decis­i­on under review; and 
© any other enforce­ment agen­ci­es and secu­ri­ty aut­ho­ri­ties that, in the opi­ni­on of the ACMA, are likely to be inte­res­ted in the appli­ca­ti­on. Mat­ters to be taken into account 
(4) Befo­re making a decis­i­on under sub­sec­tion (2) in rela­ti­on to a ser­vice pro­vi­der, the ACMA must take into account: 
(a) the inte­rests of law enforce­ment and natio­nal secu­ri­ty; and
(b) the objects of the Tele­com­mu­ni­ca­ti­ons Act 1997; and 
© the ser­vice provider’s histo­ry of com­pli­ance with this Part; and 
(d) the ser­vice provider’s cos­ts, or anti­ci­pa­ted cos­ts, of com­ply­ing with this Part; and 
(e) any alter­na­ti­ve data reten­ti­on or infor­ma­ti­on secu­ri­ty arran­ge­ments that the ser­vice pro­vi­der has identified. 
(5) The ACMA may take into account any other mat­ter it con­siders relevant.

Dazu heißt es erläuternd im Gesetz : 

Divi­si­on 3 of Part 5–1A—Exemptions

Sec­tion 187K—The Com­mu­ni­ca­ti­ons Access Co-ordi­na­tor may grant exemp­ti­ons or variations

1. Sec­tion 187K pro­vi­des that the CAC may exempt a ser­vice pro­vi­der from the man­da­to­ry data reten­ti­on and infor­ma­ti­on secu­ri­ty obli­ga­ti­ons impo­sed on the ser­vice pro­vi­der under Part 5–1A of the TIA Act, or vary the obli­ga­ti­ons that the ser­vice pro vider is sub­ject to. The CAC may grant this exemp­ti­on or varia­ti­on on his or her own voli­ti­on or on appli­ca­ti­on by a ser­vice pro­vi­der.
2. This exemp­ti­on and varia­ti­on sche­me is inten­ded to per­mit exemp­ti­ons or varia­ti­ons to be gran­ted in a ran­ge of cir­cum­s­tances, inclu­ding whe­re impo­sing data reten­ti­on obli­ga­ti­ons for a par­ti­cu­lar rele­vant ser­vice would be of limi­t­ed uti­li­ty for law enforce­ment and natio­nal secu­ri­ty pur­po­ses.
3. The sche­me pro­vi­ded by this sec­tion is model­led on exis­ting sec­tions 192 and 193 of the TIA Act, which pro­vi­de that the CAC or the ACMA may grant exemp­ti­ons in rela­ti­on to the inter­cep­ti­on capa­bi­li­ty obli­ga­ti­ons of ser­vice providers. 
4. Sub­sec­tion 187K(1) pro­vi­des that the CAC may make a deter­mi­na­ti­on in rela­ti­on to a spe­ci­fied ser­vice pro­vi­der that: 
• remo­ves or varies any or all of the man­da­to­ry data reten­ti­on or infor­ma­ti­on secu­ri­ty obligations 
• remo­ves or varies any or all of the man­da­to­ry data reten­ti­on or infor­ma­ti­on secu­ri­ty obli­ga­ti­ons impo­sed on the ser­vice pro­vi­der under Part 5–1A for a par­ti­cu­lar kind of rele­vant ser­vice, or 
• redu­ces the data reten­ti­on peri­od or the ext­ent of the infor­ma­ti­on secu­ri­ty obli­ga­ti­ons, eit­her gene­ral­ly or in rela­ti­on to data that rela­tes to a par­ti­cu­lar kind of rele­vant service. 
5. A varia­ti­on must not, howe­ver, impo­se obli­ga­ti­ons that would exceed the obli­ga­ti­ons to which a ser­vice pro­vi­der would other­wi­se be sub­ject to under sec­tions 187A, 187BA and 187C. 
6. The decis­i­on of the CAC may be expres­sed broad­ly. In making a deter­mi­na­ti­on, the CAC may spe­ci­fy ser­vice pro­vi­ders in any way, for exam­p­le by refe­rence to a class of ser­vice pro­vi­ders, and is not requi­red to refer spe­ci­fi­cal­ly to indi­vi­du­al ser­vice pro­vi­ders. For exam­p­le, the CAC may spe­ci­fy that any ser­vice pro­vi­der that pro­vi­des Inter­net Pro­to­col tele­vi­si­on (IPTV) ser­vices is not requi­red to retain any data in rela­ti­on to its IPTV ser­vice. Simi­lar­ly, an exemp­ti­on or varia­ti­on may be expres­sed to app­ly to a class of obligations. 
7. Sub­sec­tion 187K(1) ensu­res that deter­mi­na­ti­ons can be pro­per­ly nuan­ced by ves­t­ing the CAC with the abili­ty to ela­bo­ra­te, eit­her to par­ti­cu­lar ser­vice pro­vi­ders or gene­ral­ly, how the data reten­ti­on obli­ga­ti­ons intro­du­ced by Part 5 1A should app­ly to par­ti­cu­lar tech­no­lo­gies. For exam­p­le, a deter­mi­na­ti­on could exempt the reten­ti­on of spe­ci­fic infor­ma­ti­on rela­ting to satel­li­te or mobi­le inter­net ser­vices. Tho­se ser­vices crea­te dif­fe­rent types of data, the­r­e­fo­re it is appro­pria­te to have a method of pro­vi­ding grea­ter cer­tain­ty to ser­vice pro­vi­ders about how high-level obli­ga­ti­ons app­ly to diver­se technologies.
8. The data reten­ti­on obli­ga­ti­ons under Part 5–1A may cover ser­vices that are of limi­t­ed or no rele­van­ce to law enforce­ment or natio­nal secu­ri­ty.The­se could include ser­vices rela­ting to IPTV, con­tent on demand, the lea­sing of dark fib­re and machi­ne-to-machi­ne com­mu­ni­ca­ti­ons. Sub­sec­tion 187K(1) reco­g­ni­s­es that, in cer­tain ins­tances, a ser­vice pro­vi­der may not achie­ve com­ple­te tech­ni­cal com­pli­ance in rela­ti­on to a par­ti­cu­lar ser­vice or some aspect of that ser­vice, or that the non-com­pli­ance has limi­t­ed impli­ca­ti­ons for law enforce­ment or natio­nal secu­ri­ty agencies.
9. The decis­i­on of the CAC to grant an exemp­ti­on or varia­ti­on is not reviewa­ble under the Admi­nis­tra­ti­ve Decis­i­ons (Judi­cial Review) Act 1977 (the ADJR Act) as decis­i­ons under the TIA Act are not decis­i­ons to which the ADJR Act appli­es (see para­graph (d) of Sche­du­le 1 to the ADJR Act). The exclu­si­on of the­se decis­i­ons from the ADJR Act does not pre­vent decis­i­ons made under the TIA Act from being judi­ci­al­ly reviewa­ble under para­graph 75(v) of the Con­sti­tu­ti­on and sec­tion 39B of the Judi­cia­ry Act 1901 (Cth).
10. Sub­sec­tion 187K(2) pro­vi­des that the CAC’s decis­i­on must be in writing. 
11. Sub­sec­tion 187K(3) pro­vi­des that the CAC’s decis­i­on may be uncon­di­tio­nal, or sub­ject to such con­di­ti­ons as spe­ci­fied in the decis­i­on. Such con­di­ti­ons may include limits on the time for which the exemp­ti­on or varia­ti­on appli­es, limits on the num­bers of cus­to­mers or the geo­gra­phic scope of a par­ti­cu­lar type of ser­vice, or requi­re­ments for ongo­ing con­sul­ta­ti­ons with agencies. 
12. Sub­sec­tion 187K(4) pro­vi­des that a decis­i­on made by the CAC under sub­sec­tion 187K(1) is not a legis­la­ti­ve instru­ment. Sub­sec­tion 187K(4) has been included to assist rea­ders, as the instru­ment is not a legis­la­ti­ve instru­ment within the mea­ning of sec­tion 5 of the Legis­la­ti­ve Instru­ments Act 2003. 
13. Para­graph 187K(5)(a) pro­vi­des that whe­re a ser­vice pro­vi­der appli­es in wri­ting for a par­ti­cu­lar decis­i­on, the CAC must give a copy of the appli­ca­ti­on to affec­ted enforce­ment agen­ci­es or secu­ri­ty agen­ci­es and may give a copy to the ACMA. Whe­re the reques­ted exemp­ti­on has an impact on the inves­ti­ga­ti­ve capa­bi­li­ties or regu­la­to­ry func­tions of an agen­cy, it is appro­pria­te that the CAC con­sults with that agency. 
14. Para­graph 187K(5)(b) pro­vi­des that if the CAC does not respond to a ser­vice provider’s appli­ca­ti­on within 60 days, the decis­i­on reques­ted by the ser­vice pro­vi­der is dee­med to have been gran­ted to that ser­vice pro­vi­der. This pro­vi­si­on is inten­ded to ensu­re that the CAC resol­ves appli­ca­ti­ons in a time­ly man­ner and pro­vi­des cer­tain­ty for ser­vice pro­vi­ders as to their legal obli­ga­ti­ons under the TIA Act at any given time. 
15. Sub­sec­tion 187K(6) pro­vi­des that the dee­med decis­i­on under para­graph 187K(5)(b) has effect only until the CAC makes and com­mu­ni­ca­tes to the ser­vice pro­vi­der a decis­i­on on the appli­ca­ti­on. This ensu­res that the dee­med exemp­ti­on is only temporary. 
16. Sub­sec­tion 187K(7) requi­res that, in gran­ting an exemp­ti­on or varia­ti­on, the CAC must take into account the inte­rests of law enforce­ment and natio­nal secu­ri­ty, which can include the rele­van­ce to law enforce­ment or natio­nal secu­ri­ty of the ser­vices for which an exemp­ti­on or varia­ti­on is being sought. 
17. The CAC must also take into account the objects of the Tele­com­mu­ni­ca­ti­ons Act 1997,[1] the main object of which is to pro­vi­de a regu­la­to­ry frame­work that promotes: 
• the long-term inte­rests of users of tele­com­mu­ni­ca­ti­ons services, 
• the effi­ci­en­cy and inter­na­tio­nal com­pe­ti­ti­ve­ness of the Aus­tra­li­an tele­com­mu­ni­ca­ti­ons indus­try, and 
• the avai­la­bi­li­ty of acces­si­ble and afforda­ble car­ria­ge ser­vices that enhan­ce the wel­fa­re of Australians. 
18. The CAC must also take into account the ser­vice provider’s histo­ry of com­pli­ance with Part 5–1A of the TIA Act, the ser­vice provider’s cos­ts, or anti­ci­pa­ted cos­ts, of com­ply­ing with data reten­ti­on obli­ga­ti­ons under Part 5–1A, and any alter­na­ti­ve data reten­ti­on or infor­ma­ti­on secu­ri­ty arran­ge­ments that the ser­vice pro­vi­der has iden­ti­fied. Such alter­na­ti­ve data reten­ti­on and secu­ri­ty arran­ge­ments could be for­ma­li­sed as part of an exemp­ti­on or varia­ti­on gran­ted by the CAC. Ser­vice pro­vi­ders are in a uni­que posi­ti­on to draw to the CAC’s atten­ti­on spe­ci­fic cost impli­ca­ti­ons, and to sug­gest alter­na­ti­ve com­pli­ance arran­ge­ments in sup­port of any exemp­ti­on application. 
19. Sub­sec­tion 187K(8) enables the CAC to take into account any other rele­vant mat­ter when deci­ding whe­ther or not to grant an exemp­ti­on or varia­ti­on, which might include rele­vant tech­no­lo­gi­cal or indus­try fac­tors such as:
• the size, mar­ket share and natio­nal secu­ri­ty and law enforce­ment risk pro­fi­le of the ser­vice pro­vi­der

• the degree to which an exemp­ti­on would effec­tively miti­ga­te cos­ts and mini­mi­se impacts on the ser­vice provider’s cash flow, and
• the pre-exis­ting busi­ness plans of the ser­vice pro­vi­der.

20. Pur­su­ant to sec­tion 33(3) of the Acts Inter­pre­ta­ti­on Act 1901, the power to make or grant an instru­ment of admi­nis­tra­ti­ve cha­rac­ter, such as an exemp­ti­on or varia­ti­on under sub­sec­tion 187K, is to be taken as inclu­ding a power to repeal, rescind, revo­ke, amend or vary any such instru­ment. This power is to be exer­cis­ed in the same man­ner and sub­ject to the same con­di­ti­ons (if any) that appli­ed to the making or gran­ting of the instrument. 
21. The CAC may seek to exer­cise the power to repeal or revo­ke an exemp­ti­on or varia­ti­on in a ran­ge of cir­cum­s­tances, inclu­ding whe­re an exemp­ti­on (that has been gran­ted on the expec­ta­ti­on that it will remain con­fi­den­ti­al) beco­mes known publicly, to a class of per­sons, or to a spe­ci­fic indi­vi­du­al in cir­cum­s­tances whe­re that dis­clo­sure would have a detri­men­tal impact on the inte­rests of law enforce­ment and natio­nal secu­ri­ty. Sec­tion 187KA– Review of exemp­ti­on or varia­ti­on decis­i­ons by the ACMA 
22. Sec­tion 187KA imple­ments recom­men­da­ti­on 15 of the 2015 PJCIS Report. 
23. The ACMA has the abili­ty to deter­mi­ne dis­pu­tes in rela­ti­on to appli­ca­ti­ons for data reten­ti­on imple­men­ta­ti­on plans (inclu­ding appli­ca­ti­ons for amend­ment). This item pro­vi­des the ACMA with the addi­tio­nal role to deter­mi­ne dis­pu­tes when a ser­vice pro­vi­der has appli­ed to the CAC for an exemp­ti­on or varia­ti­on from the data reten­ti­on obli­ga­ti­ons. As such, sec­tion 187KA ensu­res a con­sis­tent approach to dis­pu­tes bet­ween the CAC and ser­vice pro­vi­ders regar­ding the appli­ca­ti­on of data reten­ti­on obligations.

CAC exemp­ti­on regime

24. Divi­si­on 3, Part 5–1A of the TIA Act pro­vi­des a mecha­nism for the CAC to grant an exemp­ti­on to a ser­vice pro­vi­der from some or all of the man­da­to­ry data reten­ti­on obli­ga­ti­ons. The sche­me ope­ra­tes in a simi­lar way to the exis­ting exemp­ti­on regime for inter­cep­ti­on capa­bi­li­ty under sec­tion 192 of the TIA Act.
25. Under the data reten­ti­on exemp­ti­on sche­me, a ser­vice pro­vi­der may app­ly to the CAC for an exemp­ti­on and the CAC is requi­red to make a decis­i­on on the appli­ca­ti­on within a spe­ci­fied peri­od. The exemp­ti­on may also sti­pu­la­te expi­ra­ti­on dates or cir­cum­s­tances wher­eby the ser­vice pro­vi­der must reap­p­ly for an exemption. 
26. The CAC exemp­ti­on faci­li­ty indi­rect­ly streng­thens the right to pri­va­cy of indi­vi­du­al cus­to­mers in that it pro­vi­des a method of redu­cing data reten­ti­on obli­ga­ti­ons, for exam­p­le, in cir­cum­s­tances whe­re the volu­me of data to be retai­ned is dis­pro­por­tio­na­te to the inte­rests of law enforce­ment and natio­nal security.

Right to an effec­ti­ve reme­dy – Artic­le 2(3) of the ICCPR

27. Artic­le 2(3) of the ICCPR pro­tects the right to an effec­ti­ve reme­dy for any vio­la­ti­on of rights or free­doms reco­g­nis­ed by the ICCPR, inclu­ding the right to have such a reme­dy deter­mi­ned by com­pe­tent judi­cial, admi­nis­tra­ti­ve or legis­la­ti­ve aut­ho­ri­ties or by any other com­pe­tent aut­ho­ri­ty pro­vi­ded for by the legal sys­tem of the State. 
28. Sec­tion 187KA allows the CAC to refer dis­pu­tes over appli­ca­ti­ons for exemp­ti­ons from and varia­ti­ons to data reten­ti­on obli­ga­ti­ons to the Aus­tra­li­an Com­mu­ni­ca­ti­ons Media Aut­ho­ri­ty (the ACMA). 
29. Sec­tion 187KA enga­ges and pro­mo­tes the right to an effec­ti­ve reme­dy as it pro­vi­des ser­vice pro­vi­ders with an addi­tio­nal reme­di­al ave­nue for the reso­lu­ti­on of dis­pu­tes by the ACMA in rela­ti­on to exemp­ti­ons or varia­ti­on decis­i­ons made by the CAC. 
30. The Bill also con­fers on the ACMA a role to arbi­tra­te dis­pu­tes in rela­ti­on to data imple­men­ta­ti­on plans bet­ween the CAC and ser­vice pro­vi­ders and allows a ser­vice pro­vi­der to app­ly to the ACMA for a review of CAC decis­i­ons about exemp­ti­ons or varia­ti­ons of reten­ti­on obli­ga­ti­ons appli­ca­ble to their services. 
31. Pro­vi­ding admi­nis­tra­ti­ve review of CAC decis­i­ons, in addi­ti­on to judi­cial review[2], advan­ces an applicant’s right to an effec­ti­ve remedy. 
32. Divi­si­on 3 of Part 5–1A pro­vi­des that the CAC may grant exemp­ti­ons to ser­vice pro­vi­ders for any or all of the obli­ga­ti­ons. The CAC is requi­red to con­sider both the inte­rests of law enforce­ment and natio­nal secu­ri­ty agen­ci­es, and the objects of the Tele­com­mu­ni­ca­ti­ons Act 1997 when deci­ding whe­ther to grant an exemp­ti­on. This allows exemp­ti­ons to be gran­ted whe­re, for exam­p­le, tele­com­mu­ni­ca­ti­ons data rela­ting to the rele­vant ser­vice is likely to be of litt­le or no rele­van­ce to law enforce­ment or natio­nal secu­ri­ty inves­ti­ga­ti­ons, or whe­re the cost of com­ply­ing, eit­her in full or in part, with data reten­ti­on and secu­ri­ty obli­ga­ti­ons in rela­ti­on to the rele­vant ser­vice would be dis­pro­por­tio­na­te­ly high.
33. Divi­si­on 4 of Part 5–1A pro­vi­des that the CAC must tre­at appli­ca­ti­ons for imple­men­ta­ti­on plans and exemp­ti­ons as con­fi­den­ti­al, as must any per­son to whom the CAC dis­c­lo­ses such appli­ca­ti­ons. Divi­si­on 4 also pro­vi­des that the con­tra­ven­ti­on of data reten­ti­on obli­ga­ti­ons under Part 5–1A attracts civil pen­al­ties. Fur­ther, Divi­si­on 4 allows the Com­mon­wealth to make a grant of finan­cial assis­tance to ser­vice pro­vi­ders and pro­vi­des that the Pri­va­cy Act appli­es in rela­ti­on to a ser­vice pro­vi­der to the ext­ent the ext­ent of their data reten­ti­on acti­vi­ties. Divi­si­on 4 also requi­res the Par­lia­men­ta­ry Joint Com­mit­tee on Intel­li­gence and Secu­ri­ty (the PJCIS) to review the ope­ra­ti­on of the data reten­ti­on regime within three years of the man­da­to­ry data reten­ti­on sche­me being ful­ly imple­men­ted and requi­res the Minis­ter to report annu­al­ly on the ope­ra­ti­on of the data reten­ti­on regime.

34. Under Divi­si­on 2 of Part 5–1A, a ser­vice pro­vi­der may seek appr­oval of a data reten­ti­on imple­men­ta­ti­on plan that replaces the ser­vice provider’s obli­ga­ti­ons under sec­tion 187BA while the plan is in force. Addi­tio­nal­ly, under Divi­si­on 3 of Part 5–1A a ser­vice pro­vi­der may app­ly for and recei­ve an exemp­ti­on from or varia­ti­on to the ser­vice provider’s obli­ga­ti­ons under sec­tion 187BA. An exam­p­le of a situa­ti­on in which such an exemp­ti­on or varia­ti­on might be appro­pria­te would be whe­re the cost of encryp­ting a lega­cy sys­tem that was not desi­gned to be encrypt­ed would be undu­ly one­r­ous and the ser­vice pro­vi­der has iden­ti­fied alter­na­ti­ve infor­ma­ti­on secu­ri­ty mea­su­res that could be imple­men­ted. Howe­ver, an exemp­ti­on would not nor­mal­ly be appro­pria­te whe­re ful­fil­ling the data pro­tec­tion obli­ga­ti­ons would be mere­ly inconvenient.
35. Sec­tion 187C sets out the requi­red peri­od for ser­vice pro­vi­ders to retain spe­ci­fied tele­com­mu­ni­ca­ti­ons data. A reten­ti­on requi­re­ment of two years is neces­sa­ry having regard to the requi­re­ments of natio­nal secu­ri­ty and law enforce­ment agen­ci­es to have tele­com­mu­ni­ca­ti­ons data available for inves­ti­ga­ti­ons. It is also con­sis­tent with pri­va­cy expec­ta­ti­ons and the pri­va­cy of users of the Aus­tra­li­an tele­com­mu­ni­ca­ti­ons sys­tem. The expe­ri­ence under the for­mer Euro­pean data reten­ti­on sche­me was that, while fre­quent­ly data acces­sed by agen­ci­es was less than six months old, for natio­nal secu­ri­ty and serious cri­mi­nal offen­ces, data up to two years old would often be requi­red for the most com­plex inves­ti­ga­ti­ons into cri­mes and thre­ats to natio­nal secu­ri­ty that can have the most dama­ging effect. 
36. Howe­ver, the reten­ti­on peri­od in sec­tion 187C is sub­ject to an exemp­ti­ons regime in Divi­si­on 3 of Part 5–1A. In par­ti­cu­lar, para­graph 187K(1)© allows the CAC to redu­ce the requi­red reten­ti­on peri­od. In addi­ti­on, data reten­ti­on imple­men­ta­ti­on plans that a ser­vice pro­vi­der may pro­vi­de under Divi­si­on 2 of Part 5–1A of the TIA Act may also be rele­vant to the peri­od for which a ser­vice pro­vi­der must retain rele­vant data. It is pos­si­ble for a data reten­ti­on imple­men­ta­ti­on plan to spe­ci­fy a reten­ti­on peri­od for a ser­vice offe­red by a ser­vice pro­vi­der of less than two years in rela­ti­on to ser­vices under the plan while the plan is in force.