The vast majority of Australian internet service providers (ISPs) are not ready to start collecting and storing metadata as required under the country's data retention laws which come into effect today.

ISPs have had the past six months to plan how they will comply with the law, but 84 per cent say they are not ready and will not be collecting metadata on time.

The Attorney-General's department says ISPs have until April 2017 to become fully compliant with the law.

Um, what's metadata again? Start by thinking about making a mobile phone call.

Start by thinking about making a mobile phone call. What you say on the phone is the content. This is not metadata.

What you say on the phone is the content. This is not metadata. The time of your call, who you called, how long the call lasted and which cell tower your phone contacted are all logged, traditionally for billing purposes. That information is metadata.

The time of your call, who you called, how long the call lasted and which cell tower your phone contacted are all logged, traditionally for billing purposes. That information is metadata. Find out more.

The figures come from a survey sent to ISPs by telecommunications industry lobby group Communications Alliance.

It found two-thirds of them are still not entirely sure what type of metadata the Government wants retained.

Communications Alliance chief executive John Stanton said ISPs have had to start collecting a significant amount of new data, and complying with the laws has been difficult and time consuming.

"The Government's claim that what they're asking for is retention of the status quo has never been correct," he said.

"The vast majority [of ISPS] are saying: 'We're trying, but we're not there yet'."

ISPs 'not given enough time'

ISPs must start retaining metadata as of today unless they have been granted an extension, according to the Attorney-General's Department.

More on what the survey found: More than two thirds of ISPs are either "not confident" or only "somewhat confident" that they fully understand what metadata the Federal Government wants them to collect and store

More than two thirds of ISPs are either "not confident" or only "somewhat confident" that they fully understand what metadata the Federal Government wants them to collect and store 84 per cent of ISPs are not ready to retain and encrypt the data as required under the Act

84 per cent of ISPs are not ready to retain and encrypt the data as required under the Act While many ISPs have lodged a Data Retention Implementation Plan, only a small subset (about 10 per cent) have been approved

While many ISPs have lodged a Data Retention Implementation Plan, only a small subset (about 10 per cent) have been approved There is a huge variance in estimates for the cost to business of implementing data retention - 58 per cent of ISPs say it will cost between $10,000 and $250,000; 24 per cent estimate it will cost over $250,000; 12 per cent think it will cost over $1,000,000; some estimates go as high as $10 million

There is a huge variance in estimates for the cost to business of implementing data retention - 58 per cent of ISPs say it will cost between $10,000 and $250,000; 24 per cent estimate it will cost over $250,000; 12 per cent think it will cost over $1,000,000; some estimates go as high as $10 million A majority of ISPs, about 61 per cent, are requesting exemptions or variations from parts of the legislation, for example, the requirement to encrypt retained metadata

Extensions are granted after the ISPs submit a Data Retention Implementation Plan (DRIP) to the Government and have it approved.

An extension gives the ISP a further 18 months to comply with the legislation.

But getting a DRIP approved has also been difficult, meaning many ISPs are today not compliant with their data retention obligations.

The survey found that while 81 per cent of ISPs say they have submitted a plan, only about 10 per cent have been approved so far.

Mr Stanton said ISPs were not given enough time to get ready.



"I think the survey shows that very clearly," he said.

"The way that the legislation is drafted doesn't provide us with all of the detail about what exactly is required in all of their services.

"There are a thousand different nuances that I've seen flying around as to what needs to be retained in respect of a particular service.

"The complexity has always been part of the bedevilling aspect of this regime.

"There are still many providers, as the survey highlights, that aren't certain that they've got their requirements completely figured out."

Small ISPs say regulations putting them out of business

Craig runs a small ISP in regional Australia and his business will not be ready to collect metadata.

He said he had begun the lengthy process to explain to the Government how the data will be retained, but it was taking too much time and was putting the business at risk.

"We've now reached 400 pages of this document [the DRIP]. It's a very complicated process and it's eating into our profitability," he said.

"The amount of time we're spending on it is so high that it has become an unviable thing to continue on.

"We have to look after our clients, customers and keep working."

He said he would be reducing the amount of services he offered clients because data retention regulations had made offering them non-profitable.

"There are already parts of our business that we are going to have to just switch off the lights because of the data retention side of things," he said.

Mr Stanton said it was possible smaller ISPs would close down rather than struggle on.

"I've seen the emails from smaller providers who are really questioning whether they ought to try and stay in business in the light of this cost [of metadata retention compliance]," he said.

"If you're a small family-owned operator in a regional town, with a few hundred customers, this is exactly the sort of regulatory cost that could convince you to try and find another way to earn your living."

Calls for an early review of the metadata retention scheme

Internet Australia, an organisation that represents internet users and also smaller ISPs, has called for an immediate review of the metadata laws.

Under the legislation, a review of the data retention scheme by the Parliamentary Joint Committee on Intelligence and Security is mandatory within three years.

Space to play or pause, M to mute, left and right arrows to seek, up and down arrows for volume. Listen Duration: 4 minutes 2 seconds 4 m 2 s Listen to Will Ockenden's report Download 7.4 MB

But Internet Australia's Laurie Patton said a review must take place now.

"Nobody is anywhere near ready," he said.

"It's such a complicated and fundamentally flawed piece of legislation that there are hundreds of ISPs out there that are still struggling to understand what they've got to do," he said.

"I think it's time for the Spycatcher, our Prime Minister, to really seriously rethink, first of all do we need one, but if we do then let's try and get it right.

"Let's make it much more easily understood and help everybody to comply."

A spokesman for the Attorney-General's Department said the legislation allowed up to two years for ISPs to implement data retention and the Government was working closely with the industry to achieve full compliance by April 2017.

During that period, the spokesman said the Federal Government's focus would be on implementation rather than enforcement.