Australia's Changing Encryption Laws

On 8 December 2018, Federal Parliament passed the Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018.

The Act provides for the facilitation of covert access to data for the purposes of disrupting and investigating criminal activity, as well as establishing a framework to facilitate lawful assistance from communications providers.

It allows law enforcement agencies to request or order a designated communications provider to provide technological assistance including, but not limited to: removing encryption/electronic protection, providing technical information and facilitating access to devices and the data stored on them.

 

What are the three kinds of assistance request/orders that can be made?

Assistance orders fall under three categories:

  1. Technical Assistance Request (TAR) – a request asking a provider to voluntarily provide data or assistance in relation to criminal investigations or matters of national security
  2. Technical Assistance Notice (TAN) – similar to a TAR except that it is an order, rather than a request
  3. Technical Capability Notice (TCN) – mandates that a communications provider establish new capability to intercept and decrypt communications that would otherwise be encrypted.

 

The test to be applied varies depending on the specific request or order sought.

For a technical assistance request (TAR), the request must relate to the enforcement of criminal laws and laws imposing pecuniary penalties, either in Australia or in a foreign country, or be in the interests of Australia’s national security, Australia’s foreign relations, or Australia’s national economic well-being. A TAR may also cover matters that are incidental or ancillary to these purposes, so the threshold for having such a request granted appears to be low.

For technical assistance notices and technical capability notices (TAN and TCN), the test is the same as the TAR test, with the additional conditions that the requirements of the notice be reasonable and proportionate, and that compliance with the notice be practicable and technically feasible. In applying this test, the Director-General of Security or the chief officer of an interception agency must have regard to the following considerations:

  • The interests of national security and law enforcement
  • The legitimate interests of the designated communications provider to whom the notice relates
  • The objectives of the notice
  • The availability of other means to achieve the objectives of the notice
  • The legitimate expectations of the Australian community relating to privacy and cybersecurity and any other relevant matters

 

What are the penalties for non-compliance?

A person who has been compelled to provide data or assistance under a computer access warrant and fails to do so may face up to 10 years imprisonment, a fine of up to $126,000 (600 penalty units), or both.

A carrier or carriage service provider that fails to comply with an assistance order (either a TAN or TCN) could face a fine of up to $250,000 for a body corporate or $50,000 for others. A designated communications provider (other than a carrier or carriage service provider) that fails to comply with an assistance order could face a fine of up to $9,999,990 (47,619 penalty units) if it is a body corporate, or $49,980 (238 penalty units) for others.

The penalties for non-compliance are severe, demonstrating the seriousness of these offences.

Nyman Gibson Miralis specialise in encryption law and international investigations that span multiple jurisdictions. Contact us if you require assistance.