As we foreshadowed, a new law requiring mandatory data retention by ISPs was introduced into the Australian federal parliament last week. In the few days since then, there have been claims and counter-claims about whether data obtained under the new law would be limited to use in fighting major crimes (such as terrorism, as the government originally claimed), or if it could be used to target citizens who download and share files online.

The current party line, from flip-flopping Attorney-General George Brandis (whom some may remember from this train-wreck interview in which he attempted to define “metadata”) is that the new laws “can't be and they won't be” used to prosecute file sharers, because copyright infringement is only a civil offense.

Except, of course, when it isn't. There are a wide range of criminal offenses defined under Australia's copyright law, including penalties for sharing copyright works on (what is loosely defined as) a commercial scale, and penalties for breaking DRM—both of which result from Australia's 2005 free trade agreement with the United States, and are likely to be replicated and perhaps toughened in the Trans-Pacific Partnership.

Moreover, as Minister for Communications, Malcolm Turnbull, has admitted, once the data has been collected and is being retained by an ISP, there is nothing to prevent a civil court from allowing access to that data to other parties, for purposes other than those the government intended. This might, for example, include a movie studio suing an ISP for release of retained customer data to support lawsuits or shakedown claims against those customers. (By no coincidence, exactly such a lawsuit is currently underway.)

The only solution is the obvious one—not to require the collection and retention of the data in the first place. If data stored under a compulsory mandate can be misused for extraneous purposes, history tells us that it will be. This lesson lies behind the adoption of data minimization as a key principle of modern data protection law—a lesson that Australia's lawmakers seem to have forgotten.

If even the government itself can't give a clear account of what metadata will be collected and whether or not it will be used in enforcing copyright laws, why should ordinary Internet users have any faith that their collected data won't be misused in practice? Now is time for Australian users to stand up to their government and Stop the Spies, before it's too late.