Should VPNs comply with Australian data retention laws? The $64,000 question!

Australian coat of arms

Debate is raging down under over whether Australian VPN providers are required to comply with the countries new data retention laws.

Readers may recall that last month we marked “National Get a VPN Day” which marked the date by which all telecoms companies and ISPs were required to comply with the new data retention rules included in the countries 2015 Telecommunications (Interception and Access) Amendment (Data Retention) Bill.

But as with the UKs Investigatory Power Act, which also requires all ISPs and telecoms companies to retain data, it is not yet clear whether VPN providers will be required to comply with the law too.

Do VPNs have to comply?

The debate in Australia was kicked off by a VPN provider called Wangle, which is based in Perth. They recently claimed to be the first ‘data retention and ACMA-compliant VPN’ in the country.

The first question that might leap to mind is why they think users might be enticed to use their service if they freely admit to retaining data about their online activity. But actually, more focus was put on whether VPNs were actually required to comply with the law at all.

The Australian Communications and Media Authority (ACMA) refused to comment on the matter to iTnews even to confirm whether or VPNs needed to comply with the law.

They instead referred enquiries to the Communications Alliance; Australia’s telecoms industry association.  According to them, telecoms companies which offer a VPN as one of many services are likely to have to comply with the law, but even they were unsure about providers who just offer a VPN service.

Remarkably, even the Australian Attorney-General’s Department, the government body which drafted the legislation in the first place, didn’t seem to know if VPNs fell under its scope. A spokesperson for them said that a VPN would have to comply if it met the criteria laid out in the legislation for “relevant services”.

This vague term is defined under the law as being a service which:

  • carries communications or enables communications to be carried by means of guided or unguided electromagnetic energy or both;
  • is operated by a carrier or carriage service provider or an internet service provider; and
  • is offered by a person who owns or operates infrastructure in Australia that enables the provision of any relevant service.

The criteria are also pretty vague and according to the law, a VPN would have to meet all three criteria to fall under the data retention laws. Rather unhelpfully, the Attorney-General’s Department refused to offer advice on whether VPNs fell under the law.

Opinions differ

Wangle seem certain they are required to comply. Their CEO, Sean Smith, told iTnews that “We worked very closely with ACMA and the office of the CAC who were very clear on this position.”

However, another Australian VPN provider, VPNSecure, which is based in Brisbane, is equally sure they do not fall under the law.

Their founder and CEO Shayne McCulloch was also approached by iTnews and said: “The conclusion drawn from our independent legal advice is that we are not an ISP or specifically a carriage service as outlined by the Telecommunications Act.”

An independent legal perspective

Interestingly, Patrick Fair, a partner at Sydney law firm Baker & McKenzie, independently told iTnews that he believed VPNs only provide security over other networks and are therefore not classed as ISPs and do not fall under the law.

The only thing that is really clear is that no-one can agree on whether or not a VPN is required to comply and it seems likely that the only way agreement on the matter will be found is when a test case is brought.

At present, there is no sign of that and it seems to be down to individual VPN providers whether they want to comply or not. Most are likely not to at this stage.

Many Australian internet users have turned to a VPN to get away from the state surveillance this new law has introduced and is unlikely to want their VPN to be complying in any way. We would advise them to check carefully with their provider to be sure whether or not they are retaining their user data.

If they want to be sure, they would be better to sign up with a VPN that offers a cast-iron no logs policy such as IPVanish or ExpressVPN. These are based outside Australia in countries where they are not obliged to comply with domestic law and can, therefore, offer the peace of mind many VPN users want.

David Spencer

Author: David Spencer

David is VPNCompare's News Editor. Anything going on in the privacy world and he's got his eye on it. He's also interested in unblocking sports allowing him to watch his favourite football team wherever he is in the world.

Away from writing, he enjoys reading and politics. He is currently learning Mandarin too... slowly.


  1. Avatar Craig Thomas

    “These are based outside Australia in countries where they are not obliged to comply with domestic law …”
    I’d say we know that is untrue:

    Offshore services provided in Australia can clearly be made subject to our domestic law – enforcement is going to be a separate issue – and if you think you can break the law with impunity because you are using a VPN, you are probably in for a shock.

    As for Australian-based VPN services, these clearly meet all three tests for whether Data Retention applies. If an Australian-based VPN operator owns an IP address that becomes the subject of an investigation, the operator will have to answer any lawful requests as to which paying customer was assigned that IP address at the relevant time(s).

Leave a Reply

Your email address will not be published. Required fields are marked *

Sign up to our newsletter

Get the latest privacy news, expert VPN guides & TV unblocking how-to’s sent straight to your inbox.