The federal government’s mandatory data retention bill has “enormous” potential for mission creep, prominent law firm Gilbert & Tobin has warned.

The firm’s public law centre at the University of New South Wales has told the Government that its bill, which was introduced last month in an effort to force ISPs to store customer metadata for two years, is “little more than a shell” for a mandatory retention scheme.

It warned the Government that the bill lacks the detail required to ensure that individuals’ privacy is adequately protected.

The firm’s law centre presented its criticisms in a submission to a joint parliamentary security committee currently conducting an inquiry into the legislation.

“This ad hoc approach is unsatisfactory given that mandatory data retention has significant implications for the right to privacy," the firm wrote.

"Telecommunications data can reveal significant private details about an individual, such as who they have communicated with and their whereabouts at particular times. The core aspects of the regime should therefore be defined in the primary legislation and reconsidered by Parliament if change is later considered necessary."

In particular, the law firm argued that the Government needs to enshrine its definition of metadata in the bill rather than risk leaving this important job to regulatory instruments that could be manipulated by future governments.

“This would put it beyond doubt that only those types of information will be retained and accessed under the regime,” it wrote.

The firm also argued that the Government needed to tighten current telecommunications legislation to ensure that data is only used for criminal investigations. In particular it said that the wording of the Telecommunications Interception and Access (TIA) Act - which gives “enforcement agencies” access to the data - be changed “criminal law enforcement agencies”.

It also said the Government needed to make a stronger case for making ISPs store metadata longer than six months.

The firm’s criticisms echo those of recent parliamentary committees tasked with studying the bill.

The Senate Standing Committee for the scrutiny of bills outlined substantially similar concerns following its own investigation into the legislation.

It also said the Government's decision to define metadata and the law enforcement agencies involved in "supporting regulations" rather than the primary legislation would give successive governments too much discretionary power to bend the laws.

The joint parliamentary committee on human rights – charged with applying the Human Rights Act to new legislation – also found that the bill was open to misuse.

The committee will continue to take submissions on the bill until 19 January 2015, with public hearings scheduled for the 28th and 29th of that month.

The joint security committee expects to report its findings by February 27, 2015.