Encryption access for government agencies

15 March 2019
Michael Owens, Partner, Brisbane

New Commonwealth laws, which can also be used by State police forces in some cases, allow law enforcement agencies greater potential access to encrypted information, highlighting both security and privacy considerations.

As we come to rely more and more on technology, businesses and individuals need to be able to trust the security and privacy of their data. But what happens when this need conflicts with the needs of law enforcement in gathering information in the course of an investigation? And where does the balance between these two, seemingly conflicting, needs lie?

In answer to these questions, in its final sitting day last year the federal government passed the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (TOLA), which took effect on 9 December 2018.

TOLA established an “industry assistance scheme” by which certain Australian national security, intelligence and law enforcement agencies, including State police in some circumstances, can request or require Australian technology companies (and those that provide products/services in Australia) to provide technical assistance. This arguably weakens the privacy and security measures employed by these companies, and threatens trust in the Australian technology sector.

Under the new law, various government agencies can issue three different types of technical assistance notices:

  • Technical assistance request : a voluntary request whereby an agency can request an organisation to voluntarily provide access to technical information[1];
  • Technical assistance notice:  a compulsory notice by which an organisation is required to provide assistance or face a fine[2]; or
  • Technical capability notice: a compulsory process by which an organisation can be asked to build new technical capabilities.[3]

Compulsory notices can only be issued where the agency considers they are reasonable, proportionate, practicable and technically feasible for enforcing serious criminal law or national security. The relevant agency must consult with the recipient prior to giving a compulsory notice. Importantly, a recipient of a notice is immediately bound by strict confidentiality obligations. A notice may be challenged by judicial review.

Maximum penalties of $10m apply to a company which does not comply with a notice.

The Australian technology industry is concerned that the Act in its current form does not adequately balance security and privacy considerations and may affect their golobal competitiveness, sowing a seed of distrust in the privacy and security of Australian technology products and services.

Further amendments have been proposed to the TOLA. These are currently being reviewed by the Parliamentary Joint Committee on Intelligence and Security. The Committee is scheduled to report by 3 April 2019.

Some of the submissions for further amendment include:

  • Requiring a warrant or other judicial consent to issue a compulsory notice;
  • Clarifying some technical terms which are said to create uncertainty;
  • Lifting the threshold for using the powers in the legislation to more serious offences;
  • Strengthening requirements for consultation, urgent oral notices and payment of compensation; and
  • Clarify confidentiality obligations for notice recipients.

Key takeaway

The balancing of rights and obligations is a work-in-progress, particularly in areas such as technology which change faster than the law’s ability to maintain pace.
[1] Technical assistance requests can be issued by Director General of the Australian Security Intelligence Organisation (ASIO), Director General of the Australian Secret Intelligence Service (ASIS), Director General of the Australian Signals Directorate (ASD) and the chief officer of an “interception agency” (defined to mean the Australian Federal Police (AFP), Australian Crime Commission (ACC) and the Police Force of a State or the Northern Territory).

[2] Technical assistance notices can be issued by the Director General of ASIO and the chief officer of an “interception agency” (including State police).

[3] Technical capability notices can only be issued by the Commonwealth Attorney General.

 

Authored by:

Michael Owens, Partner

Lara Cresser, Senior Associate

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.

Get in touch