The data watchdog has issued a stark warning about Home Secretary Theresa May's plans for internet firms to store records relating to people's web and social media use for up to a year
Information Commissioner Christopher Graham said the proposals would create a "huge haystack of potential problems" given the threat of cyber attack on telecoms firms.
Communications service providers (CSPs) will be required to retain internet connection records (ICRs) for up to 12 months under the draft investigatory powers bill.
These will detail services a device connects to but not users' full browsing history or the content of a communication.
Mr Graham, who was giving evidence to a cross-party committee investigating the TalkTalk hack, said the regime would have to be "very carefully managed" and MPs would have to be "very convinced it was necessary".
Culture, Media and Sport select committee chairman Jesse Norman suggested that Mr Graham "must be very concerned" about the plan because "it is going to create these enormous pools of data" and firms may not have the required levels of cyber security.
Mr Graham told the committee: "It creates a huge haystack of potential problems and would have to be very carefully managed and Parliament would have to be very convinced that it is necessary, given the risk that is created."
Ministers have said the legislation is necessary to update the rules in order to give the security services and police the powers they need in the "digital age".