Encryption laws to run up against CLOUD Act and GDPR: Law Council

Laws show the different path Australia is taking to privacy, the Law Council of Australia has said.

Australia's encryption laws are unlikely to be compatible with the United States' CLOUD Act, as well as the European Union's General Data Protection Regulation, the Law Council of Australia has said.


In a submission to the Parliamentary Joint Committee on Intelligence and Security's encryption law review, the Law Council said Australian law enforcement will have to continue seeking data through the slower mutual legal assistance treaties (MLAT), rather than the expedited service the CLOUD Act would offer once Canberra and Washington enter into an agreement.

"The Law Council considers that the current law in Australia as it relates to storing and accessing telecommunications data will be insufficient to allow Australia to qualify for entry into an 'executive agreement' with the US," the Council said.

The Law Council's reasoning said Australia fell foul of the need for orders to US companies to be "specific and identify the relevant individual, account, address or personal device or another specific identifier", as well as the fact that US companies cannot be compelled to break US law.

"In this context, the requirements under the Assistance and Access Act and the CLOUD Act clearly differ, as the US law does not allow for the mandating of the decryption of data as is now permitted under Australian law," it said.

Further, the Law Council said the CLOUD Act requires orders to be subject to judicial review at the issuance of a notice, something that many groups critiquing Australia's encryption laws have been calling for.

"Irrespective of the amendments introduced by the Assistance and Access Act in Australia, the provisions of the CLOUD Act will not allow US service providers to provide technical assistance beyond their existing obligations under [the Communications Assistance for Law Enforcement Act]," the Council said.

"Therefore, even under the existing MLAT scheme a US service provider could not be compelled to comply with a TCN or a TAN issued under the Assistance and Access Act."


Australia's encryption laws -- as defined in the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 that was passed in December 2018 -- create three kinds of notices that a so-called "interception agency" can serve on what are called "designated communications providers":

  • Technical Assistance Requests (TAR), which are "voluntary" requests for the designated communications providers to use their existing capabilities to access user communications;
  • Technical Assistance Notices (TAN), which are compulsory notices to use an existing capability; and
  • Technical Capability Notices (TCN), which are compulsory notices for a designated communications provider to build a new interception capability, so that it can meet subsequent TANs.

As for compliance with the European Union's GDPR, the Council said that even though notices do not allow for the creation of systemic vulnerabilities, a vendor could inadvertently create one when attempting to comply, which could compromise personal data.

"The aims of the GDPR and the requirements of a TCN or TAN to remove or limit the security measures required to protect privacy may be difficult to reconcile," the Council said.

The entire issue was "perhaps emblematic" of the different approaches the EU and Australia were taking to privacy, the submission said.

"In the EU, there is greater protection being given to the fundamental human right of privacy, as reflected in the enactment of the GDPR," it said.

"However, in Australia, the laws relating to encryption are increasing the capacity of law enforcement to overcome one of the means by which privacy in electronic communications can be protected."


Earlier this week, Telstra said in its submission that device vendors could skip Australia, thanks to the encryption laws, leaving local companies uncompetitive.

With vendors usually sharing technical information with telcos before launching products in order to test them, Telstra said the requirements in the encryption laws compelling them to share that information with interception agencies could see Australia being skipped -- as well as Telstra breaching its "contractual confidentiality obligations".

"This has potential to adversely affect the competitiveness of Australian telecommunications providers in international markets and their ability to deploy the latest technology developments (e.g. new smart phones, artificial intelligence and IoT devices)," the company said in a submission to the Parliamentary Joint Committee on Intelligence and Security's encryption law review.

"International vendors may also simply refuse to supply new technology or devices to Australian DCPs [designated communications providers]."

In an earlier submission, Vault Systems said it was being materially and detrimentally impacted by the encryption laws, even if it was just in relation to how the company is perceived.

"As foreign governments and customers are assessing against a 'media headline test', we are in an unfortunate position where logical persuasion is not sufficient to counter perception," Vault said in its submission.

"We are currently seeing an exodus of data from Australia including physical, operational, and legal sovereignty."
