Privacy Law

Swiss company hands over user data

HomePrivate: BlogLegal insightsSwiss company hands over user data

by

reviewed by

Malcolm Burrows

Reading Time:

3–4 minutes

Protonmail, an end-to-end encrypted secure email provider based in Switzerland, was recently obligated by a Swiss Court order to provide a certain class of user’s IP addresses to French police via the transnational Europol law enforcement agency.  This article considers the Australian statutory perspective on obtaining access to ‘encrypted’ data where such information may be contained within end-to-end encrypted communications.

Legislative foundation for accessing encrypted information

It may be the case that similar, encrypted email or instant message platforms in Australia may be susceptible to Court orders much like Protonmail.  Recently, Dundas Lawyers published an article on the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021 (Bill) which is linked here.  That article highlighted how the Bill could be used to access various types of personal information, including data contained in encrypted messages and emails.  Therefore, in Australia there exists avenues through which the government, through the Australian Federal Police or the Australian Crime Commission (as discussed in our earlier article on the passing of the Surveillance Legislation), can access and obtain control of encrypted personal or business communications.  The parallels between Australian law and the circumstance involving Protonmail are clear.

Notwithstanding the newly enacted Bill, there exists a slightly older amendment to statutes providing for governmental intervention in personal or business communications.  The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018  provides for this possibility by amending the Telecommunications Act 1997 (Cth) (Act), among other acts.  The Act generally operates in relation to the providers of telecommunication services and may obligate such providers to provide information to government agencies.

The primary function of the amendments was to provide law enforcement and intelligence agencies with the power to make ‘technical assistance requests’,[1] ‘technical assistance notices’[2] and ‘technical capability notices’.[3]  In providing this authority, the Act acknowledges that various enforcement agencies were hampered in their ability to carry out their expected functions as a result of their limited technical capacity to do so.  Often, targets of investigations were capable of usurping scrutiny because their communications were encrypted end-to-end.

It’s worth noting that a broad prohibition against the dissemination of any information retrieved subject to, amongst other things, a technical assistance notice, a technical capability notice or a technical assistance request.[4]  That encrypted information can be accessed by the government appears inevitable in certain circumstances, but it does not necessarily follow that the information accessed will enter the public domain.  The legislation takes appropriate steps to safeguard against this possibility.

Takeaways

It appears that the situation in Switzerland with Protonmail is entirely replicable under Australian statute.  Whilst only two (2) avenues have been identified in this article as to how such governmental access could be facilitated, there may be further avenues open to government bodies allowing them access to personal or professional end-to-end encrypted information.  Thus, Australian businesses need to be aware that legislation has adapted to overcome the barrier presented by end-to-end encryption.  Reasonable checks and balances are in place the ensure that a requirement to provide such information is not unjust, but this does not derogate from the reality that encryption is no longer a safe haven for private, electronically communicated messages.  It follows then, that persons and corporations may, in certain circumstances, consider using non-electronic communication means in respect ultra-sensitive information.

Links and further references

Legislation

Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021

Telecommunications Act 1997 (Cth)

Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018

Further information about accessing encrypted data

If you are a business and need advice on accessing encrypted data, contact us for a confidential and obligation-free discussion:

[1] Act s 317G.

[2] Act s 317L.

[3] Act s 317T.

[4] Act s 317ZF.


Related insights about accessing encrypted data

  • Office of AI announced by Federal Government

    Office of AI announced by Federal Government

    On 15 July 2026, Prime Minister Anthony Albanese (Prime Minister) announced by media release an expansion of the Federal Government’s (Government) existing artificial intelligence (AI) governance framework, including the establishment of a new Office of AI as well as plans to legislate national standards governing large-scale data centres, AI training and the use of Australian…

    Read more …

  • AI businesses should have duty of care

    AI businesses should have duty of care

    In a recent interview with InnovationAus.com, Victorian Senator Michelle Ananda-Rajah (Senator) emphasised the need to adopt digital duty of care laws for artificial intelligence (AI) companies.[1]  As a representative of the ALP and former AI start-up founder, the Senator calls for the proposed digital duty of care to apply to AI companies.  If implemented, the…

    Read more …

  • Federal Court orders winding up of crypto mining investment scheme

    Federal Court orders winding up of crypto mining investment scheme

    The Federal Court of Australia delivered judgment in Australian Securities and Investments Commission v NGS Crypto Pty Ltd (No 5) [2025] FCA 1611, on 18 December 2025 ordering the winding up of two (2) cryptocurrency related entities after finding that they operated an unlicensed financial services business and an unregistered managed investment scheme in contravention…

    Read more …

  • Online Safety – is your online business a DIS or a RES?

    Online Safety – is your online business a DIS or a RES?

    Whether your online business has to comply with the obligations contained in the Online Safety Act 2021 (Cth) (OSA), and related standards and industry codes will largely depend on how your business is classified because of the functionality it provides to end users in Australia.

    Read more …

  • Bill to allow victims of AI deepfakes to sue for emotional damages

    Bill to allow victims of AI deepfakes to sue for emotional damages

    On 24 November 2025, Senator David Pocock introduced a private Senator’s bill, the Online Safety and Other Legislation Amendment (My Face, My Rights) Bill 2025 (Cth) (Bill) to amend the Online Safety Act 2021 (Cth) (Online Safety Act) and the Privacy Act 1988 (Cth) (Privacy Act). 

    Read more …

  • Malcolm Burrows on ABC’s “Legal Eagles” segment – Deepfakes

    Malcolm Burrows on ABC’s “Legal Eagles” segment – Deepfakes

    On 3 December 2025, Malcolm Burrows appeared live on Katherine Feeney’s ABC Radio program, “Legal Eagles” as the Technology and Intellectual Property Lawyer to discuss the proposed amendments to the Online Safety Act 2021 (Cth) through the introduction of the Online Safety and other legislation Amendment (My Face Rights) Bill (Cth) 2025 (My Face Rights…

    Read more …

  • Federal Gov rules out copyright text and data mining exception for AI

    Federal Gov rules out copyright text and data mining exception for AI

    On 26 October 2025, the Attorney-General, Hon Michelle Rowland MP, published a media release reiterating that the current Federal Government will not introduce a text and data mining (TDM) exception to copyright infringement in the Copyright Act 1968 (Cth) (Copyright Act).  The Attorney-General’s Department will instead engage in further consultations with members of the Copyright…

    Read more …

  • Australian Government announces a digital duty of care

    Australian Government announces a digital duty of care

    The Australian Government has announced that it will soon be introducing legislation to create a digital duty of care under the Online Safety Act 2021 (Cth) (Act) in response to findings from an independent Statutory Review of the Online Safety Act 2021 (Review).  The Honourable Anika Wells MP announced that “big tech” companies will soon…

    Read more …

  • Dundas Lawyers achieves SMB1001 gold level cyber security certification

    Dundas Lawyers achieves SMB1001 gold level cyber security certification

    On 14 November 2025 Dundas Lawyers achieved the Gold level of the SMB1001 cybersecurity standard.

    Read more …

Send this to a friend