Privacy Law

Swiss company hands over user data

HomePrivate: BlogLegal insightsSwiss company hands over user data

by

reviewed by

Malcolm Burrows

Reading Time:

3–4 minutes

Protonmail, an end-to-end encrypted secure email provider based in Switzerland, was recently obligated by a Swiss Court order to provide a certain class of user’s IP addresses to French police via the transnational Europol law enforcement agency.  This article considers the Australian statutory perspective on obtaining access to ‘encrypted’ data where such information may be contained within end-to-end encrypted communications.

Legislative foundation for accessing encrypted information

It may be the case that similar, encrypted email or instant message platforms in Australia may be susceptible to Court orders much like Protonmail.  Recently, Dundas Lawyers published an article on the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021 (Bill) which is linked here.  That article highlighted how the Bill could be used to access various types of personal information, including data contained in encrypted messages and emails.  Therefore, in Australia there exists avenues through which the government, through the Australian Federal Police or the Australian Crime Commission (as discussed in our earlier article on the passing of the Surveillance Legislation), can access and obtain control of encrypted personal or business communications.  The parallels between Australian law and the circumstance involving Protonmail are clear.

Notwithstanding the newly enacted Bill, there exists a slightly older amendment to statutes providing for governmental intervention in personal or business communications.  The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018  provides for this possibility by amending the Telecommunications Act 1997 (Cth) (Act), among other acts.  The Act generally operates in relation to the providers of telecommunication services and may obligate such providers to provide information to government agencies.

The primary function of the amendments was to provide law enforcement and intelligence agencies with the power to make ‘technical assistance requests’,[1] ‘technical assistance notices’[2] and ‘technical capability notices’.[3]  In providing this authority, the Act acknowledges that various enforcement agencies were hampered in their ability to carry out their expected functions as a result of their limited technical capacity to do so.  Often, targets of investigations were capable of usurping scrutiny because their communications were encrypted end-to-end.

It’s worth noting that a broad prohibition against the dissemination of any information retrieved subject to, amongst other things, a technical assistance notice, a technical capability notice or a technical assistance request.[4]  That encrypted information can be accessed by the government appears inevitable in certain circumstances, but it does not necessarily follow that the information accessed will enter the public domain.  The legislation takes appropriate steps to safeguard against this possibility.

Takeaways

It appears that the situation in Switzerland with Protonmail is entirely replicable under Australian statute.  Whilst only two (2) avenues have been identified in this article as to how such governmental access could be facilitated, there may be further avenues open to government bodies allowing them access to personal or professional end-to-end encrypted information.  Thus, Australian businesses need to be aware that legislation has adapted to overcome the barrier presented by end-to-end encryption.  Reasonable checks and balances are in place the ensure that a requirement to provide such information is not unjust, but this does not derogate from the reality that encryption is no longer a safe haven for private, electronically communicated messages.  It follows then, that persons and corporations may, in certain circumstances, consider using non-electronic communication means in respect ultra-sensitive information.

Links and further references

Legislation

Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021

Telecommunications Act 1997 (Cth)

Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018

Further information about accessing encrypted data

If you are a business and need advice on accessing encrypted data, contact us for a confidential and obligation-free discussion:

[1] Act s 317G.

[2] Act s 317L.

[3] Act s 317T.

[4] Act s 317ZF.


Related insights about accessing encrypted data

  • Do you need to disclose a database?

    Do you need to disclose a database?

    This article looks at the disclosure requirements for civil litigation in Queensland, and whether computer databases are considered ‘documents’ in this context. Get an overview of the relevant legal precedent and definitions, and discover the key points to consider.

    Read more …

  • What exactly is an Initial Coin Offering?

    What exactly is an Initial Coin Offering?

    With the rise of cryptocurrencies (think Bitcoin and Ethereum), start-up businesses have engaged in a new method of sourcing funding from would-be investors – Initial Coin Offerings (ICOs).  ICOs are becoming an increasingly popular method for new businesses to raise money in a short period of time with minimal effort.  As ICOs are a new…

    Read more …

  • Software as a service (SaaS) contracts

    Software as a service (SaaS) contracts

    Drafting a SaaS (Software-as-a-Service) contract requires careful legal consideration. This article covers the business model, Australian Consumer Law (ACL), jurisdiction and choice of law, third party access, data, user-generated content, intellectual property (IP) ownership and major clauses. Learn how to ensure an effective SaaS contract is in place.

    Read more …

  • Preventing ex-employees from using your client list

    Preventing ex-employees from using your client list

    This article examines a Federal Court of Australia decision to grant an interlocutory injunction against a former employee. Learn how the Court reached its decision, what businesses can take away from the case, and find out how to protect your business from similar breaches.

    Read more …

  • What is the Meaning of Personal Information

    What is the Meaning of Personal Information

    Court discussed meaning of “personal info” and when identity can be ascertained. Didn’t define when metadata is personal info, but determined Section 6(1) of the Privacy Act 1988 (Cth) was substantial in making determination.

    Read more …

  • Software licences classified as “goods” under the ACL

    Software licences classified as “goods” under the ACL

    This Federal Court case highlights the risks of supplying goods and services to Australian consumers. Companies should be aware of their legal obligations and seek advice to ensure their contractual terms comply with Australian Consumer Law. Find out more about the case and its implications.

    Read more …

  • Are software developers responsible for defects in their software?

    Are software developers responsible for defects in their software?

    Software developers in Australia may face legal liability in negligence and under the Australian Consumer Law. This article examines what is required for negligence in the context of relevant case law.

    Read more …

  • Legal challenges arising from data loss

    Legal challenges arising from data loss

    Organisations must protect confidential data from external and internal threats. Learn steps to secure data, potential data breach implications, and how a data breach notification bill may require affected entities to notify consumers.

    Read more …

  • Data Breach Bill 2016 – key data security considerations

    Data Breach Bill 2016 – key data security considerations

    The Privacy Amendment (Notifiable Data Breaches) Bill 2016 has been passed, making notification of data breaches mandatory from 23 February 2018. Find out how this could affect you and what measures you can take to protect your data.

    Read more …

Send this to a friend