New hurdle for encryption laws
Big problem: Australia's encryption regime may breach international law
The federal government’s new encryption laws may contravene foreign laws in the US and the European Union, putting Australian companies at risk of significant fines, according to the Law Council of Australia.
The Parliamentary Joint Committee on Intelligence and Security (PJCIS) is conducting an inquiry into the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, which was passed on the last sitting day of 2018.
The committee will report to government in April next year, and some submissions to the inquiry are now public, with a number raising concerns that the new powers given to agencies put Australia at odds with foreign law.
The new powers, which allow Australian agencies and authorities to compel technology companies to provide access to encrypted data and communications, are incompatible with the CLOUD Act in the US and the GDPR in the European Union, according to the Law Council of Australia.
In its submission to the PJCIS inquiry, the Law Council said the Assistance and Access Bill risks forcing Australian companies to contravene the General Data Protection Regulation in the European Union.
The GDPR, which took effect in May 2018, restricts the processing of personal data and its transfer out of the EU, and those restrictions apply even where a transfer is demanded by a court order issued in a country outside the EU.
It applies to any Australian organisation processing personal data of an individual in the European Union.
“There remains concern about the potential for this to nonetheless occur where a provider attempts to comply, and compliance with the notice potentially compromises the security of personal information,” the Law Council’s submission said.
“This is contrary to the provisions of the GDPR which requires service providers and other controllers of data to implement appropriate technical and organisational measures so as to implement the data protection principles and provide protection and security for the ‘personal data’ within the EU.
“The aims of the GDPR and the requirements of a technology capability notice (TCN) or technology assistance notice (TAN) to remove or limit the security measures required to protect privacy may be difficult to reconcile.
“Acts done within Australia are not covered by the exemption and therefore compliance with the TCN and TAN may bring the service providers into conflict with a foreign law such as the GDPR.”
Other submissions to the PJCIS inquiry also raise concerns about how the Assistance and Access Act interacts with foreign laws, including a joint contribution from a range of technology and digital rights groups.
“The legislation only creates a defence for providers if the act requested by a TAN or TCN is done in a foreign country and would contravene foreign law. However, for example, if an Australian provider took action in Australia that compromised the security or privacy of a European citizen under the GDPR of the EU, the provider would be liable for fines of up to 4 percent of its global revenues, thereby placing the provider into an extremely difficult position with respect to compliance with either legislation,” the submission said.
The Law Council also raised concerns that the new encryption powers could prevent Australia from qualifying for an agreement under the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) in the US.
The CLOUD Act allows countries to enter into a bilateral agreement with the US to bypass the “cumbersome” Mutual Legal Assistance Treaty (MLAT) process and serve electronic evidence requests directly on US-based providers.
For example, if Australia had an “executive agreement” with the US under the CLOUD Act, the Australian Federal Police could request that Facebook provide access to the communications of an Australian resident to assist with the investigation of terrorism-related offences, without having to go through the slower MLAT process.
But the encryption powers may prevent Australia from being able to sign an executive agreement under the CLOUD Act, because a qualifying country's domestic law must “afford robust, substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement”.
The agreement must also not “create any obligation that providers be capable of decrypting data or limitation that prevents providers from decrypting data”.
“The Law Council considers that the current law in Australia as it relates to storing and accessing telecommunications data will be insufficient to allow Australia to qualify for entry into an ‘executive agreement’ with the US,” it said.
“This means that law enforcement agencies in Australia will be restricted to seeking access to data held by a service provider in the US through the existing and time-consuming MLAT process.”
According to the Law Council, there is a significant “inconsistency of obligations” between the encryption powers and US federal law, and the Australian legislation does not provide sufficient independent oversight.
In its own submission, the International Civil Liberties and Technology Coalition also said that the Assistance and Access Act “imperils” Australia’s ability to qualify for an agreement under the CLOUD Act.
“Aspects of the Assistance and Access Act undermine substantive and procedural protections for privacy and civil rights in Australia, and threaten Australia’s ability to enter into a bilateral agreement under the CLOUD Act,” the submission said.
The Law Council said the clashes between the encryption powers and foreign laws such as the GDPR are “emblematic” of the different approaches to personal data protection in Australia and other countries around the world.
“In the EU, there is greater protection being given to the fundamental human right of privacy, as reflected in the enactment of the GDPR. However, in Australia the laws relating to encryption are increasing the capacity of law enforcement to overcome one of the means by which privacy in electronic communications can be protected,” it said.