As governments in Australia and around the world seek to change the laws surrounding encryption, which protects information we send and receive online, the issues of privacy, anonymity and information protection in the virtual world have become key concerns.
While encryption helps to protect our privacy, legislators argue that it also facilitates cyber crimes, such as drug trafficking and terrorist activity.
At present in Australia, there are very scant laws in place around encryption and privacy. We examine the current privacy framework, how encryption fits into the legislation governing cyber crime, and how the government is intending to legislate on encryption in the future.
The current Australian privacy regime
Unlike some other developed countries, Australia does not have an explicit constitutionally enshrined right to either freedom of speech or privacy. Of course, this does not mean that Australians do not have any rights to privacy – while there is no overarching legal framework, there are numerous separate pieces of legislation which govern privacy.
Nationally, the most well-known and powerful legislative tool in relation to privacy protection is the Privacy Act 1988 (Cth). However, this is significantly hampered in its efficacy by virtue of the fact that individuals cannot pursue proceedings for breach of privacy, having to rely on the Australian Information Commissioner to follow up a complaint and commence legal action.
Relevant to the encryption of digital information, the Privacy Act stipulates that:
- Individuals are entitled not to identify themselves or their true identities when dealing with Australian Government agencies or private enterprises with annual turnover exceeding $3 million (except in certain circumstances set out in the Act)
- Where lawful and practicable, individuals otherwise have the right not to identify themselves when transacting with an organisation.
At state level, there are some more powerful legislative instruments, including statutory charters of rights in Victoria and the ACT which guarantee rights to privacy and freedom of expression.
In the international arena, Australia has ratified the International Covenant on Civil and Political Rights. Despite being a signatory to this Convention since 1980, international documents such as this one cannot be directly enforced in Australian domestic law.
Encryption and cybercrime legislation
Cyber crime is dealt with by the Cybercrime Act 2001 (Cth). This legislation stipulates that, although encryption is legal in Australia, law enforcement agencies may apply to a court requiring an individual to hand over encryption keys, passwords and anything else which would assist in obtaining relevant evidence. This overturns earlier laws under which people could refuse to provide passwords and similar information if to do so would incriminate themselves.
Recently, the Attorney-General’s Department announced the implementation of new data retention legislation created as an amendment to the Telecommunications (Interception and Access) Act 1979. The amendments require certain types of data to be retained by telecommunications service providers for at least two years. The data must be encrypted and protected from unauthorised access. An implementation period allowing providers time to ease into the changes expired on April 13, 2017.
Anticipated future actions
One matter presently being considered by the Law Reform Commission is the recognition of a tort of serious privacy invasions. This would represent a significant step forward in the protection of individual privacy.
The government is also proposing the introduction of legislation which would force tech companies and social media organisations to provide decrypted messages and communications passing between suspected terrorists or criminals to interested law enforcement agencies.
This concept has been at the forefront of recent controversial political discourse, with Prime Minister Malcolm Turnbull announcing in July 2017 that proposed new legislation would be introduced to parliament requiring tech companies to keep copies of encryption keys provided to customers at time of purchase, and be prepared to give them to Australian law enforcement if requested. The key flaw with this proposed legislation is that the majority of tech companies are based overseas, and Australian laws have no power to compel them to cooperate.
Data encryption is not something that immediately springs to mind as being relevant to all Australian citizens. However, the prospect of introducing legislation which forces arbitrary waivers of anonymity in relation to information shared online may permit the Australian Government unprecedented levels of intrusion into the average person’s privacy.
Nyman Gibson Miralis provides expert advice and representation in complex cases involving encryption law.
Contact us if you require assistance.