Advances in predictive analytics and metadata technology are adding more privacy risks to an already problematic national data retention regime, the Australian privacy regulator has told an intelligence and security inquiry.

Speaking at a public hearing for the review of the mandatory data retention regime on Friday, Australian Information Commissioner and Privacy Commissioner Angelene Falk told the Parliamentary Joint Committee on Intelligence and Security that the current approach lacked proportionality and appropriate oversight, presenting a risk to Australian citizens’ privacy.

“Analysis of telecommunications data can paint a very detailed picture of an individual’s location movements, habits, relationships, and preferences, with accuracy and detail that increases in line with the nature and volume of the data that’s available,” Falk told the bipartisan committee.

“And as technology and predictive analytic capabilities continue to evolve, the insights that can be derived from telecommunications data will increase in detail and accuracy.”

Australia’s mandatory data retention regime, introduced by the Coalition government in 2015, requires telecommunication providers like Telstra, Optus and the NBN Co to retain customers’ metadata for two years so it is available for law enforcement and national security investigations.

But there have been continuous cases of mission creep, with government authorities ranging from federal law enforcement to local councils able to exploit loopholes in the regime to access the data, often without warrants or any other oversight.

The Saturday Paper reported in late 2018 that 80 government authorities were making over 350,000 access requests a year. At the latest hearing, the Commonwealth Ombudsman revealed providers are handing over browsing history, including URLs, to police in some cases despite the legislation specifically prohibiting it.

“The piece of ambiguity we observed through our inspections is sometimes the metadata, in the way it is captured, particularly URL data … in its granularity starts to communicate something about the content of what is being communicated,” Commonwealth Ombudsman Michael Manthorpe told the inquiry.

Account numbers and physical addresses are also being provided in some cases, Manthorpe said.

Falk also highlighted the access and oversight problem on Friday and called for the regime to be tightened with more oversight, limits on what data can be accessed, and legislating the agencies which can access it.

She called for the committee to consider introducing a warrant system for metadata access, and for telecommunications providers to record what types of metadata they are providing to government agencies. Currently, the telecommunication companies typically disclose to the regulator only limited details of what information they hand over to government agencies, Falk said, making its role in overseeing the regime particularly difficult.

“I think that requirement would provide some additional accountability and it would be something, then, that my office could then inspect,” Falk said.