Should VPNs comply with Australian data retention laws? The $64,000 question!

Debate is raging down under over whether Australian VPN providers are required to comply with the country's new data retention laws.

Readers may recall that last month we marked “National Get a VPN Day”, the date by which all telecoms companies and ISPs were required to comply with the new data retention rules included in the country's 2015 Telecommunications (Interception and Access) Amendment (Data Retention) Bill.

But as with the UK's Investigatory Powers Act, which also requires all ISPs and telecoms companies to retain data, it is not yet clear whether VPN providers will be required to comply with the law too.

Do VPNs have to comply?

The debate in Australia was kicked off by a VPN provider called Wangle, which is based in Perth. They recently claimed to be the first ‘data retention and ACMA-compliant VPN’ in the country.

The first question that might leap to mind is why they think users might be enticed to use their service if they freely admit to retaining data about their online activity. But more focus was put on whether VPNs were actually required to comply with the law at all.

The Australian Communications and Media Authority (ACMA) refused to comment on the matter to iTnews, even to confirm whether or not VPNs needed to comply with the law.

They instead referred enquiries to the Communications Alliance, Australia’s telecoms industry association. According to them, telecoms companies which offer a VPN as one of many services are likely to have to comply with the law, but even they were unsure about providers who just offer a VPN service.

Remarkably, even the Australian Attorney-General’s Department, the government body which drafted the legislation in the first place, didn’t seem to know if VPNs fell under its scope. A spokesperson for them said that a VPN would have to comply if it met the criteria laid out in the legislation for “relevant services”.

This vague term is defined under the law as being a service which:

  • carries communications or enables communications to be carried by means of guided or unguided electromagnetic energy or both;
  • is operated by a carrier or carriage service provider or an internet service provider; and
  • is offered by a person who owns or operates infrastructure in Australia that enables the provision of any relevant service.

The criteria are also pretty vague and according to the law, a VPN would have to meet all three criteria to fall under the data retention laws. Rather unhelpfully, the Attorney-General’s Department refused to offer advice on whether VPNs fell under the law.

Opinions differ

Wangle seem certain they are required to comply. Their CEO, Sean Smith, told iTnews that “We worked very closely with ACMA and the office of the CAC who were very clear on this position.”

However, another Australian VPN provider, VPNSecure, which is based in Brisbane, is equally sure they do not fall under the law.

Their founder and CEO Shayne McCulloch was also approached by iTnews and said: “The conclusion drawn from our independent legal advice is that we are not an ISP or specifically a carriage service as outlined by the Telecommunications Act.”

An independent legal perspective

Interestingly, Patrick Fair, a partner at Sydney law firm Baker & McKenzie, independently told iTnews that he believed VPNs only provide security over other networks and are therefore not classed as ISPs and do not fall under the law.

The only thing that is really clear is that no-one can agree on whether or not a VPN is required to comply and it seems likely that the only way agreement on the matter will be found is when a test case is brought.

At present, there is no sign of that and it seems to be down to individual VPN providers whether they want to comply or not. Most are likely not to at this stage.

Many Australian internet users have turned to a VPN to get away from the state surveillance this new law has introduced and are unlikely to want their VPN to be complying in any way. We would advise them to check carefully with their provider to be sure whether or not it is retaining their user data.

If they want to be sure, they would be better to sign up with a VPN that offers a cast-iron no logs policy such as IPVanish or ExpressVPN. These are based outside Australia in countries where they are not obliged to comply with domestic law and can, therefore, offer the peace of mind many VPN users want.
