Robert Ceglia: Between end-to-end encryption and a hard place – how does Australia’s new encryption law interact with the GDPR?

Despite confusion about how the laws of mathematics could possibly co-exist with the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (AA Act),[1] the AA Act has (somehow) now successfully survived for over 2 months. What’s more, rumours have circulated that Australian intelligence and law enforcement agencies have actively been exercising their powers under the AA Act.[2]  Unfortunately, the strict secrecy provisions in the AA Act[3] mean that three key questions about these enforcement actions will remain unanswered – How many notices have been issued?  Who has received a notice? What have “designated communications providers” been ordered to do?

This blog post doesn’t re-hash the debate about potential problems with the AA Act.  Instead, we wanted to focus on one particular topic: how does the AA Act interact with foreign laws with extraterritorial effect – specifically, the GDPR.

What happens when one law requires your business to implement strict data protection measures (eg Art 32 of the GDPR) but another (in this case the AA Act) might require your business to design a weakness in a device or software that could severely compromise that security?

With both laws attracting severe penalties for non-compliance, what should your business do?

1 Application of the GDPR and Article 32

It’s been well documented that the GDPR has extraterritorial effect.[4]  Australian companies of any size may need to comply with the GDPR if they:[5]

(a) have an establishment in the EU;

(b) offer goods or services in the EU; or

(c) monitor the behaviour of individuals in the EU.

One key requirement under the GDPR is the obligation to “implement appropriate technical and organisational measures” to protect the security of “personal data”.[6]

Essentially, companies that are subject to the GDPR must ensure that the software, hardware and data centres they use include appropriate safeguards to protect personal data.

Hold that thought.

2  To protect, or not to protect.  That’s the AA Act’s conundrum

The AA Act has two notices that “designated communications providers” must comply with: (i) a Technical Assistance Notice (TAN);[7] and (ii) a Technical Capability Notice (TCN).[8]

With a TAN, an issuing agency can demand the designated communications provider assist with (amongst other things) accessing or decrypting encrypted data.  A TCN can actually be used to demand that a designated communications provider build new capabilities (e.g. a way to remove encryption).

There are three general exceptions to the obligation to comply with the requirements of the TAN / TCN.  They are:[9]

(a) a TAN / TCN can’t compel a designated communications provider to comply with a notice if it means they must implement a “systemic weakness” or “systemic vulnerability” to do so;

(b) the TAN / TCN must be “reasonable and proportionate”; and

(c) compliance with the TAN / TCN must be “practicable and technically feasible”.

Despite these “safeguards”, there’s a strong argument that any steps taken to remove encryption or implement other strategies to record how an individual is using a device could compromise the security of personal information (e.g. a forced installation of a keylogger).

Here is where the tension lies.  On the one hand, the GDPR requires entities to implement adequate security measures.  On the other hand, a TAN or TCN may require the removal or limiting of those security measures.

The AA Act does contain an exception to compliance with a TAN or TCN if compliance would cause contravention of a foreign law.  However, this exception only applies to acts that may contravene the TAN or TCN if those acts are done outside of Australia.[10] Whether this was intended, or was a legislative oversight, it means that there is no exception for compliance in Australia with a TAN or TCN.

3  What’s an Australian company to do?

Entities subject to a TAN or TCN might be able to argue that compliance with the notice is not “reasonable and proportionate” since it would cause them to contravene Art 32 of the GDPR.  Similarly, if an EU data regulator investigated why appropriate security steps weren’t taken, there might also be an argument that because of the AA Act, it wasn’t “appropriate” to implement certain technical or organisational measures that would ordinarily be recommended under Article 32.

But, there’s no guarantee either argument would be accepted.

Ultimately, non-compliance with the GDPR could result in a fine of up to 4% of the entity’s global revenue.  Non-compliance with the AA Act can result in a fine of almost AUD $10 million.

Without legislative change, Australian entities caught by the GDPR could be in a tough situation and forced to decide which law to comply with.


If you want to hear more you can join us for a multi-disciplinary panel discussion focusing on the encryption law at 6 pm on Monday 18 March.  See the VSCL events page to register.

The content of this publication is for general information purposes only.  This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.

[1] New Scientist, Laws of mathematics don’t apply here, says Australian PM (14 July 2017) <https://www.newscientist.com/article/2140747-laws-of-mathematics-dont-apply-here-says-australian-pm/>.

[2] InnovationAus.com, AA bill notices ‘already issued’ (6 February 2019) <https://www.innovationaus.com/2019/02/AA-bill-notices-already-issued>.

[3] Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth), s 317ZF (AA Act).

[4] Office of the Australian Information Commissioner, Privacy business resource 21: Australian business and the EU General Data Protection Regulation (June 2018) <https://www.oaic.gov.au/agencies-and-organisations/business-resources/privacy-business-resource-21-australian-businesses-and-the-eu-general-data-protection-regulation>.

[5] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), L119, 4 May 2016, p. 1–88, art 3 (GDPR).

[6] Ibid art 32.

[7] AA Act s 317L.

[8] Ibid s 317T.

[9] Ibid ss 317P, 317V and 317ZG.

[10] Ibid s 317ZB.