That seems like a weak slippery-slope argument. The exemptions to the usual rules that require ISPs to comply with government security policy here and keep quiet about it only cover those things.

So for one thing, using the data collected for anything else or providing it to anyone else would be an immediate and severe breach of both data protection and security laws. That would have serious consequences for the ISP doing it.

For another, it would bring that monitoring system into disrepute and damage the credibility of a government that wants to be seen as strong on security. As a previous government learned to its cost when it tried to introduce personal ID cards here, even voters in the UK (who traditionally have a majority in favour of tough policing and security measures) still have lines they aren't willing to cross.

In short, while there is plenty of scope to debate whether a system like this is necessary or justified as a security measure, it's highly unlikely that it will also be turned into the kind of sell-all-your-data exercise that might be a concern in some other parts of the world.