Privacy Law

Swiss company hands over user data

HomePrivate: BlogLegal insightsSwiss company hands over user data

by

reviewed by

Malcolm Burrows

Reading Time:

3–4 minutes

Protonmail, an end-to-end encrypted secure email provider based in Switzerland, was recently obligated by a Swiss Court order to provide a certain class of user’s IP addresses to French police via the transnational Europol law enforcement agency.  This article considers the Australian statutory perspective on obtaining access to ‘encrypted’ data where such information may be contained within end-to-end encrypted communications.

Legislative foundation for accessing encrypted information

It may be the case that similar, encrypted email or instant message platforms in Australia may be susceptible to Court orders much like Protonmail.  Recently, Dundas Lawyers published an article on the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021 (Bill) which is linked here.  That article highlighted how the Bill could be used to access various types of personal information, including data contained in encrypted messages and emails.  Therefore, in Australia there exists avenues through which the government, through the Australian Federal Police or the Australian Crime Commission (as discussed in our earlier article on the passing of the Surveillance Legislation), can access and obtain control of encrypted personal or business communications.  The parallels between Australian law and the circumstance involving Protonmail are clear.

Notwithstanding the newly enacted Bill, there exists a slightly older amendment to statutes providing for governmental intervention in personal or business communications.  The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018  provides for this possibility by amending the Telecommunications Act 1997 (Cth) (Act), among other acts.  The Act generally operates in relation to the providers of telecommunication services and may obligate such providers to provide information to government agencies.

The primary function of the amendments was to provide law enforcement and intelligence agencies with the power to make ‘technical assistance requests’,[1] ‘technical assistance notices’[2] and ‘technical capability notices’.[3]  In providing this authority, the Act acknowledges that various enforcement agencies were hampered in their ability to carry out their expected functions as a result of their limited technical capacity to do so.  Often, targets of investigations were capable of usurping scrutiny because their communications were encrypted end-to-end.

It’s worth noting that a broad prohibition against the dissemination of any information retrieved subject to, amongst other things, a technical assistance notice, a technical capability notice or a technical assistance request.[4]  That encrypted information can be accessed by the government appears inevitable in certain circumstances, but it does not necessarily follow that the information accessed will enter the public domain.  The legislation takes appropriate steps to safeguard against this possibility.

Takeaways

It appears that the situation in Switzerland with Protonmail is entirely replicable under Australian statute.  Whilst only two (2) avenues have been identified in this article as to how such governmental access could be facilitated, there may be further avenues open to government bodies allowing them access to personal or professional end-to-end encrypted information.  Thus, Australian businesses need to be aware that legislation has adapted to overcome the barrier presented by end-to-end encryption.  Reasonable checks and balances are in place the ensure that a requirement to provide such information is not unjust, but this does not derogate from the reality that encryption is no longer a safe haven for private, electronically communicated messages.  It follows then, that persons and corporations may, in certain circumstances, consider using non-electronic communication means in respect ultra-sensitive information.

Links and further references

Legislation

Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021

Telecommunications Act 1997 (Cth)

Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018

Further information about accessing encrypted data

If you are a business and need advice on accessing encrypted data, contact us for a confidential and obligation-free discussion:

[1] Act s 317G.

[2] Act s 317L.

[3] Act s 317T.

[4] Act s 317ZF.


Related insights about accessing encrypted data

  • Data security – the increasing burden

    Data security – the increasing burden

    The consequences for an Australian business victim for a breach of cyber security are forecast to exponentially increase. In February 2015 the Parliamentary Joint Committee on Intelligence and Security (Committee) recommended the introduction of mandatory data breach notification scheme (Scheme) by the end of 2015.[1] Whilst the details of the incoming Scheme are currently scant,…

    Read more …

  • Intellectual property theft and employee information theft

    Intellectual property theft and employee information theft

    Leica Geosystems Pty Ltd v Koudstaal (No 3) [2014] FCA 1129 (Leica Geosystems) is a notable court case involving an Anton Piller order and employee theft. Find out more about what this means for companies and their intellectual property rights.

    Read more …

  • Revenge porn – legal options

    Revenge porn – legal options

    Revenge porn (Revenge Porn) refers to sexually explicit media that is distributed without the consent of the individual(s) involved.[1]  An act of Revenge Porn therefore involves the recording of video or still images of a person that is usually engaged in sexual acts (Revenge Content) and publishing or threatening to publish it.  A person’s participation…

    Read more …

  • Anton Piller orders – preventing evidence destruction

    Anton Piller orders – preventing evidence destruction

    An Anton Piller order is an extraordinary remedy used to prevent evidence destruction. This article explores scenarios in which it may be granted and the Court safeguards imposed.

    Read more …

  • Proposed anti-bullying laws to target social media platforms

    Proposed anti-bullying laws to target social media platforms

    The Federal Government is introducing legislation to protect children from online bullying on social media. Find out more about the powers the Children’s e-Safety Commissioner will have to address this issue.

    Read more …

  • Cupid Media risks privacy of the dateless

    Cupid Media risks privacy of the dateless

    The Privacy Act 1988 (Cth) (Privacy Act) requires entities to take reasonable steps to secure personal information.

    Read more …

  • Getting confidentiality agreements in place

    Getting confidentiality agreements in place

    Part 5 – Planning a business acquisition Confidentiality Agreements (Confidentiality Agreement or NDA’s) are essential in business Acquisitions, particularly if either the Target or Acquirer is subject to the ASX Listing Rules. Whilst generally an equitable obligation of confidence is applicable, a Confidentiality Agreement reduces the obligations of the parties to writing to ensure that…

    Read more …

  • Changes to the Privacy Act commence today!

    Changes to the Privacy Act commence today!

    Changes to the Privacy Act 1988 (Cth) included the introduction of thirteen Australian Privacy Principles (App’s). Learn more about potential civil penalty orders if you are a business with a turnover of over 3 million or more, a health care provider or a business that trades in personal information.

    Read more …

  • Are your privacy practices up to date with the amended Privacy Act 1988 (Cth)?

    Are your privacy practices up to date with the amended Privacy Act 1988 (Cth)?

    Organisations must act ensure compliance with the Privacy Act 1988 (Cth) reforms. Learn more about the thirteen new Australian Privacy Principles (APP’s) the penalties for non-compliance, and the steps you can take to protect your business.

    Read more …

Send this to a friend