Computerworld

Australian ‘encryption’ law could run afoul of GDPR, US CLOUD Act: Law Council

Law Council of Australia says the 2018 legislation may stop an agreement being struck with the US under the CLOUD Act

The Law Council says that Australia’s ‘encryption’ legislation, which was intended to facilitate police interception of online communications channels, may end up leaving local law enforcement agencies unable to take advantage of a US scheme intended to make it easier to obtain access to data held by tech companies.

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 could also lead to service providers breaking a key European Union privacy measure, the General Data Protection Regulation (GDPR), the organisation said.

The Law Council, in a submission to an inquiry examining the 2018 legislation, said it believes the law may disqualify Australia from entering into an executive agreement with the US under the CLOUD Act.

The CLOUD Act is US legislation passed in March 2018. The legislation was an effort to ensure US law enforcement could access data held overseas by US companies (following the protracted legal fight between Microsoft and the US Department of Justice over access to emails stored in an Irish data centre).

It has two key components. Firstly it makes explicit that companies subject to US jurisdiction must disclose data in response to valid legal processes regardless of where the data in question is stored.

Secondly it establishes a streamlined alternative to Mutual Legal Assistance Treaties (MLATs), enabling agreements to be struck between the US government and other nations that allow orders to disclose electronic evidence to be submitted directly to a communications service provider (CSP) based in the US or the other nation that is party to the agreement.

Under an MLAT, a law enforcement agency in one nation uses its own domestic legal provisions to seek evidence from a CSP on behalf of a foreign counterpart. Using an MLAT to obtain evidence can take months, according to the US Department of Justice.

“The CLOUD Act authorizes executive agreements that lift any restrictions under U.S. law on companies disclosing electronic data directly to foreign authorities for covered orders in investigations of serious crime,” explains a DoJ white paper. “This would permit U.S.-based global CSPs to respond directly to foreign legal process in many circumstances.”

However, the CLOUD Act states that before entering an agreement the US attorney-general is required to certify that the other nation “affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement”.

“The Law Council considers that the current law in Australia as it relates to storing and accessing telecommunications data will be insufficient to allow Australia to qualify for entry into an ‘executive agreement’ with the US,” the Law Council’s submission states. “This means that law enforcement agencies in Australia will be restricted to seeking access to data held by a service provider in the US through the existing and time consuming MLAT process.”

“The reason for this is that irrespective of what laws Australia may pass, they are insufficient on their own to compel a service provider in the US to do anything not authorised by US law,” the document adds.

In a submission last year to an inquiry into the encryption bill before it was passed, Digital Industry Group Inc (whose members include tech heavyweights such as Facebook, Google and Twitter) argued that the proposed Australian legislation lacked procedural protections (such as judicial authorisation) and would not adequately minimise the acquisition, retention and dissemination of the data of US persons (also required under the CLOUD Act).

“For example, Notices can require technology providers to build or install weaknesses or vulnerabilities in their networks, systems, products or services, or build or install new data retention or interception capabilities (provided the company is not a carrier or carriage service provider under the telecommunications legislation),” DIGI argued.

GDPR

The EU’s GDPR applies to any Australian organisations that operate in or offer goods or services in the EU, or monitor EU individuals’ behaviour.

Although Australia’s legislation bars a ‘Technical Assistance Notice’ or ‘Technical Capability Notice’ issued to a service provider from requiring the provider to do anything that would create a ‘systemic weakness’ or ‘systemic vulnerability’, “there remains concern about the potential for this to nonetheless occur where a provider attempts to comply, and compliance with the notice potentially compromises the security of personal information,” the Law Council argued.

“This is contrary to the provisions of the GDPR which requires service providers and other controllers of data to implement appropriate technical and organisational measures so as to implement the data protection principles and provide protection and security for the ‘personal data’ within the EU,” the submission states.

“The aims of the GDPR and the requirements of a TCN or TAN to remove or limit the security measures required to protect privacy may be difficult to reconcile.”