Explained: Australia’s Data and Encryption Laws

Enforcement of the Privacy Amendment (Notifiable Data Breaches) Act 2017 has now been in effect for over a year. Here’s a go-to guide.

What’s the Privacy Amendment (Notifiable Data Breaches) Act?

The Privacy Amendment (Notifiable Data Breaches) Act 2017 (NDB Act) established the Notifiable Data Breaches scheme in Australia. This legislation requires organisations to notify individuals whose personal information is involved in a data breach that is “likely to result in serious harm” and report the breach to the Australian Information Commissioner.

The scheme applies to all organisations that are subject to the Privacy Act 1988 (Cth) (Privacy Act) and requires them to:

  • assess suspected ‘eligible data breaches’

AND

  • notify the Office of the Australian Information Commissioner (OAIC) and any affected individuals of an ‘eligible data breach’.

 

What is the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018?

This Act provides intelligence agencies and Federal Police the authority to compel individuals and companies to provide them with sensitive data.

The Act provides three key powers:

  • A technical assistance request: A company can choose to help.
  • A technical assistance notice: A company is required to give assistance if they can.
  • A technical capability notice: The company must install certain technical facilities to assist law enforcement.

Institutions that fail to hand over data linked to suspected illegal activities could face fines up to A$10 million.

 

Where did these laws originate?

In past investigations of serious crimes, Australian law enforcement continually hit roadblocks with international companies. Law enforcement was unable to access relevant chat logs in these investigations, which motivated a change in legislation.

Overall, the regulations were designed to drive better security practice but have spurred quite a bit of controversy within the global tech community. Australia’s government states these laws are necessary to counter militant attacks and organized crime.

 

Two Sides to Every New Law

Opponents of the legislation nicknamed it the “The Anti-Encryption Bill”. In an effort to more critically examine the law, they raised many questions.


What You Need to Know

 

Here are a few of the major issues being raised:

1. Economy – How will this affect Australian companies? There are several provisions for companies included:

  • Subsection 317F(13) – Companies can publish statistics regarding the number of requests/notices they have received in a six month period, even when the number is zero.
  • Subsection 317ZF (14)-(17) – Companies can make conditional disclosures to interested parties about assistance given.

Most companies should be minimally affected because they will be able to:

  • Disclose that they haven’t been asked to provide assistance

OR

  • Demonstrate their systems aren’t compromised since the law explicitly protects against the creation of backdoors or the degradation of security features.

 

2. Job market – Does this make things difficult for Australian companies and their employees? All companies that supply communications services and devices in Australia might be required to comply with the technical assistance obligations under the Assistance and Access Act. This Act does not apply to Australian citizens working for communications companies offshore or the overseas operations of Australian companies.

Why is there a “penalty for individuals”? The legislature includes penalties for individuals for specific cases such as sole-traders and individuals acting as businesses.

 

3. Security – Is my data safe? The Act prohibits creating any vulnerability in software of physical devices that would jeopardise the security of innocent users. Making a system’s encryption or authentication less effective is also prohibited.

Was this designed to assist the Five Eyes alliance? The industry powers for intelligence gathering are limited to collecting intelligence connected with Australia. The act requires the activities and company to have a geographical link to Australia.  Five Eyes is an intelligence alliance between Australia, New Zealand, Canada, the United Kingdom and the United States. However, The Five Eyes share intelligence for security purposes, and any information obtained under this legislation will be shared in a matter consistent with the existing channels of cooperation.

 

4. Global Tech Community – Will other countries follow Australia’s example? The Assistance and Access Act and the industry assistance powers are not unique to Australia. These bills grant similar authority to law enforcement and require cooperation from private companies:

  • UK’s Investigatory Powers Act 2016
  • New Zealand’s Telecommunications (Interception Capability and Security) Act 2013

 

5. Democracy – Can the government access journalists’, opposition politicians’, unions’ and businesses’ private communications?

A warrant or authorisation is still required to access communications content and data. The use of this act is limited to serious crimes. The act does not authorise mass surveillance.

 

6. Security vs. Privacy: Can Data Encryption Laws Serve Both?  These data encryption laws are controversial, inspiring a lot of criticism from the technology industry. However, balancing security and privacy is no easy task. In the first year alone, there were 964 eligible data breaches reported to the OAIC. Although 80% of them affected less than 1,000 people, there were several alarming patterns. For example, in the health care sector, human error was the leading cause of data breaches (55% compared to a 35% average overall). Required reporting may help uncover previously unknown vulnerabilities, as well as compel companies to rectify them. Although most within the technology industry oppose this legislation, law enforcement has long since lobbied for support during criminal investigations.

With data encryption laws in their infancy, no one really knows the cost of such regulation. Only time will tell whether privacy is indeed, the best policy.


 



Subscribe to
the Prototype