Privacy Law

Swiss company hands over user data

HomePrivate: BlogLegal insightsSwiss company hands over user data

by

reviewed by

Malcolm Burrows

Reading Time:

3–4 minutes

Protonmail, an end-to-end encrypted secure email provider based in Switzerland, was recently obligated by a Swiss Court order to provide a certain class of user’s IP addresses to French police via the transnational Europol law enforcement agency.  This article considers the Australian statutory perspective on obtaining access to ‘encrypted’ data where such information may be contained within end-to-end encrypted communications.

Legislative foundation for accessing encrypted information

It may be the case that similar, encrypted email or instant message platforms in Australia may be susceptible to Court orders much like Protonmail.  Recently, Dundas Lawyers published an article on the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021 (Bill) which is linked here.  That article highlighted how the Bill could be used to access various types of personal information, including data contained in encrypted messages and emails.  Therefore, in Australia there exists avenues through which the government, through the Australian Federal Police or the Australian Crime Commission (as discussed in our earlier article on the passing of the Surveillance Legislation), can access and obtain control of encrypted personal or business communications.  The parallels between Australian law and the circumstance involving Protonmail are clear.

Notwithstanding the newly enacted Bill, there exists a slightly older amendment to statutes providing for governmental intervention in personal or business communications.  The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018  provides for this possibility by amending the Telecommunications Act 1997 (Cth) (Act), among other acts.  The Act generally operates in relation to the providers of telecommunication services and may obligate such providers to provide information to government agencies.

The primary function of the amendments was to provide law enforcement and intelligence agencies with the power to make ‘technical assistance requests’,[1] ‘technical assistance notices’[2] and ‘technical capability notices’.[3]  In providing this authority, the Act acknowledges that various enforcement agencies were hampered in their ability to carry out their expected functions as a result of their limited technical capacity to do so.  Often, targets of investigations were capable of usurping scrutiny because their communications were encrypted end-to-end.

It’s worth noting that a broad prohibition against the dissemination of any information retrieved subject to, amongst other things, a technical assistance notice, a technical capability notice or a technical assistance request.[4]  That encrypted information can be accessed by the government appears inevitable in certain circumstances, but it does not necessarily follow that the information accessed will enter the public domain.  The legislation takes appropriate steps to safeguard against this possibility.

Takeaways

It appears that the situation in Switzerland with Protonmail is entirely replicable under Australian statute.  Whilst only two (2) avenues have been identified in this article as to how such governmental access could be facilitated, there may be further avenues open to government bodies allowing them access to personal or professional end-to-end encrypted information.  Thus, Australian businesses need to be aware that legislation has adapted to overcome the barrier presented by end-to-end encryption.  Reasonable checks and balances are in place the ensure that a requirement to provide such information is not unjust, but this does not derogate from the reality that encryption is no longer a safe haven for private, electronically communicated messages.  It follows then, that persons and corporations may, in certain circumstances, consider using non-electronic communication means in respect ultra-sensitive information.

Links and further references

Legislation

Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021

Telecommunications Act 1997 (Cth)

Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018

Further information about accessing encrypted data

If you are a business and need advice on accessing encrypted data, contact us for a confidential and obligation-free discussion:

[1] Act s 317G.

[2] Act s 317L.

[3] Act s 317T.

[4] Act s 317ZF.


Related insights about accessing encrypted data

  • Malcolm Burrows on ABC’s “Legal Eagles” segment – artificial intelligence law

    Malcolm Burrows on ABC’s “Legal Eagles” segment – artificial intelligence law

    On 30 July 2025, Malcolm Burrows appeared live on Katherine Feeney’s ABC Radio program, “Legal Eagles” as the Technology and Intellectual Property Lawyer to discuss legal issues associated with the adoption of artificial intelligence.

    Read more …

  • How are Google and Microsoft implementing age verification?

    How are Google and Microsoft implementing age verification?

    From 27 December 2025, all ‘internet search engine services’ operating in Australia will be legally required to comply with Schedule 3 – Internet Search Engine Services Online Safety Code (Class 1C and Class 2 Material) (Code) registered under the Online Safety Act 2021 (Cth) (eSafety Act).  The Code, registered by the eSafety Commissioner on 27…

    Read more …

  • Risks when implementing retrieval-augmented generation systems

    Risks when implementing retrieval-augmented generation systems

    Retrieval-augmented generation (RAG) is an artificial intelligence (AI) system architecture that combines large language models (LLMs), such as GPT-4, with external data retrieval processes.

    Read more …

  • What is the US Take It Down Act?

    What is the US Take It Down Act?

    The Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act (Take It Down Act ) is a United States (US) federal law enacted on 19 May 2025. The Take It Down Act amends 47 U.S. Code § 223 (Code) of the Communications Act 1934 (US) (Communications Act) by establishing new…

    Read more …

  • QITC IT contracts framework an introduction

    QITC IT contracts framework an introduction

    In August 2017, the Queensland Government introduced the Queensland Information Technology Contracting (QITC).  The QITC framework replaces the Government Information Technology Contracting (GITC) framework.  It was designed for the purpose of guiding all Queensland Government Information and Communications Technology (ICT) contracts.

    Read more …

  • Federal parliament enacts cyber security legislation

    Federal parliament enacts cyber security legislation

    On 25 November 2024, the Australian Parliament passed a suite of legislation, collectively referred to by the Australian Government as the Cyber Security Legislative Package 2024.  The purported impetus for this legislation was a series of high-profile data breaches in 2022 and 2023.

    Read more …

  • Domain name disputes – a summary of the process

    Domain name disputes – a summary of the process

    A domain name is a string of text that maps to an alphanumeric IP address, enabling users to access websites through client-side software.[1]  Domains can be valuable business assets, and they frequently become the subject of disputes regarding the legitimacy of their registration among organisations with competing rights.

    Read more …

  • New OAIC guidance on Artificial Intelligence

    New OAIC guidance on Artificial Intelligence

    On 21 October 2024, the Office of the Australian Information Commissioner (OAIC) published two (2) new guides on artificial intelligence (AI), purportedly in effort to make privacy compliance easier for business.

    Read more …

  • Artificial Intelligence defined – why no uniform approach?

    Artificial Intelligence defined – why no uniform approach?

    Artificial Intelligence (AI) is commonly thought of as the capacity of computer systems to execute tasks that usually need human intelligence, such as learning, reasoning, and making decisions.[1]  It covers a range of specialised fields, each focusing on different functions.  For example, machine learning allows computers to learn from data, computer vision enables them to…

    Read more …

Send this to a friend