Privacy Law

Swiss company hands over user data

HomePrivate: BlogLegal insightsSwiss company hands over user data

by

reviewed by

Malcolm Burrows

Reading Time:

3–4 minutes

Protonmail, an end-to-end encrypted secure email provider based in Switzerland, was recently obligated by a Swiss Court order to provide a certain class of user’s IP addresses to French police via the transnational Europol law enforcement agency.  This article considers the Australian statutory perspective on obtaining access to ‘encrypted’ data where such information may be contained within end-to-end encrypted communications.

Legislative foundation for accessing encrypted information

It may be the case that similar, encrypted email or instant message platforms in Australia may be susceptible to Court orders much like Protonmail.  Recently, Dundas Lawyers published an article on the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021 (Bill) which is linked here.  That article highlighted how the Bill could be used to access various types of personal information, including data contained in encrypted messages and emails.  Therefore, in Australia there exists avenues through which the government, through the Australian Federal Police or the Australian Crime Commission (as discussed in our earlier article on the passing of the Surveillance Legislation), can access and obtain control of encrypted personal or business communications.  The parallels between Australian law and the circumstance involving Protonmail are clear.

Notwithstanding the newly enacted Bill, there exists a slightly older amendment to statutes providing for governmental intervention in personal or business communications.  The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018  provides for this possibility by amending the Telecommunications Act 1997 (Cth) (Act), among other acts.  The Act generally operates in relation to the providers of telecommunication services and may obligate such providers to provide information to government agencies.

The primary function of the amendments was to provide law enforcement and intelligence agencies with the power to make ‘technical assistance requests’,[1] ‘technical assistance notices’[2] and ‘technical capability notices’.[3]  In providing this authority, the Act acknowledges that various enforcement agencies were hampered in their ability to carry out their expected functions as a result of their limited technical capacity to do so.  Often, targets of investigations were capable of usurping scrutiny because their communications were encrypted end-to-end.

It’s worth noting that a broad prohibition against the dissemination of any information retrieved subject to, amongst other things, a technical assistance notice, a technical capability notice or a technical assistance request.[4]  That encrypted information can be accessed by the government appears inevitable in certain circumstances, but it does not necessarily follow that the information accessed will enter the public domain.  The legislation takes appropriate steps to safeguard against this possibility.

Takeaways

It appears that the situation in Switzerland with Protonmail is entirely replicable under Australian statute.  Whilst only two (2) avenues have been identified in this article as to how such governmental access could be facilitated, there may be further avenues open to government bodies allowing them access to personal or professional end-to-end encrypted information.  Thus, Australian businesses need to be aware that legislation has adapted to overcome the barrier presented by end-to-end encryption.  Reasonable checks and balances are in place the ensure that a requirement to provide such information is not unjust, but this does not derogate from the reality that encryption is no longer a safe haven for private, electronically communicated messages.  It follows then, that persons and corporations may, in certain circumstances, consider using non-electronic communication means in respect ultra-sensitive information.

Links and further references

Legislation

Surveillance Legislation Amendment (Identify and Disrupt) Bill 2021

Telecommunications Act 1997 (Cth)

Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018

Further information about accessing encrypted data

If you are a business and need advice on accessing encrypted data, contact us for a confidential and obligation-free discussion:

[1] Act s 317G.

[2] Act s 317L.

[3] Act s 317T.

[4] Act s 317ZF.


Related insights about accessing encrypted data

  • Misuse of confidential information within source code

    Misuse of confidential information within source code

    In Australia, computer code can amount to confidential information as well as being subject to copyright protection.  In some cases the two things overlap as was the case in decision of the Court in Optus Networks Pty Ltd v Telstra Corporation Ltd (2010) 265 ALR 281; [2010] FCAFC 21.

    Read more …

  • Updated USPTO guidelines on AI assisted inventions

    Updated USPTO guidelines on AI assisted inventions

    In response to the Biden administration’s Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence on 30 October 2023, which outlined policies and principles to promote responsible Artificial Intelligence innovation and competition, the United States Patent and Trademark Office (USPTO) issued inventorship guidance for artificial intelligence (AI) assisted inventions.  These…

    Read more …

  • Software developer obtains Court order – names behind IP addresses

    Software developer obtains Court order – names behind IP addresses

    Justice Burley of the Federal Court of Australia in the case of Siemens Industry Software Inc v Telstra Corporation Limited [2020] FCA 901 ordered that Telstra, within fourteen (14) days, provide to Siemens all documents in its control relating to the identity of certain Telstra Account holders.  Those account holders were suspected by Siemens of…

    Read more …

  • The Digital ID Bill 2023 (Cth) – key points

    The Digital ID Bill 2023 (Cth) – key points

    On 30 November 2023, the Digital ID Bill 2023 (Cth) and the Digital ID (Transitional and Consequential Provisions) Bill 2023 (Digital ID Bills) were introduced in the Australian Senate.  Digital IDs are designed to provide individuals with a convenient way to verify their identity when completing certain online transactions and dealing with government and certain…

    Read more …

  • What are adequate cybersecurity measures?

    What are adequate cybersecurity measures?

    The adequacy of cyber security measures was considered in the case of Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (ASIC v Ri Advice Group).  One of the issues raised was whether the respondent had adequate cyber security and cyber resilience in place across its network of financial advisors. …

    Read more …

  • National Classification Scheme – proposed federal changes

    National Classification Scheme – proposed federal changes

    Albanese Government announces intention to reform National Classification Scheme, proposing R18+ for games simulating gambling and M for computer games with paid loot boxes/in-game purchases linked to chance. Learn more about proposed reforms and if simulated gambling needs to be addressed.

    Read more …

  • Digital Platform Services Inquiry – submissions sought

    Digital Platform Services Inquiry – submissions sought

    The Australian Competition and Consumer Commission is investigating the activities of digital platform service providers and their impact on competition, consumerism, and business. Have your say and make a submission by 5 April 2023. Learn more in the seventh report of the Digital Platform Services Inquiry.

    Read more …

  • Australian legislation tackles loot boxes in video games

    Australian legislation tackles loot boxes in video games

    The Classification (Publications, Films and Computer Games) Amendment (Loot Boxes) Bill 2022 (Bill)  has been tabled in the House of Representatives on the 28 November 2022.  The private member’s Bill acts in response to growing support for the regulation of features and elements within video games which appear to simulate gambling.

    Read more …

  • Privacy Act amended to increase penalties to a max of $50 million

    Privacy Act amended to increase penalties to a max of $50 million

    The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (Bill) was passed by both Houses of Parliament on the 28 November 2022 and now awaits Royal Assent.  The Bill was passed with virtually no amendment.

    Read more …

Send this to a friend