Broad range of businesses now required to comply with new access to data laws

Australia’s controversial new access to data laws have come into effect, making a wide range of businesses subject to government requests for help to access electronic information.

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (the  TOLA Act) introduces measures for government agencies to require industry assistance to better deal with encrypted data.

While its overarching purpose is aimed at tackling terrorism, organised crime, human traffickers and paedophile networks, the broad definition of who is affected by the laws have created uncertainty in certain industries.

For example, the technology sector has been directly impacted by the TOLA Act.

Atlassian co-CEO Scott Farquhar recently noted that customers have recently cancelled their accounts in fear of the potential under the new laws to require Atlassian to decrypt its customer data.

A group of technology firms, led by Atlassian, has co-signed a submission to the Federal Parliamentary Joint Committee on Intelligence and Security urging the laws to be appropriately amended. The new laws have been referred to the Parliamentary Joint Committee on Intelligence and Security for inquiry and report, with the Committee expected to complete its review by 3 April 2019.

Who does the TOLA Act apply to?

Part 15 of the TOLA Act will apply to “designated communication providers” (Providers), which have been defined broadly in order to capture a wide scope of entities including (among others):

  • carriers (being owners of telecommunications network infrastructure in Australia) or carriage service providers (being sellers of telecommunication services delivered over a carrier’s network in Australia);
  • entities providing a service that facilitates or is ancillary to (or incidental to) the supply of a listed carriage service, or that provides an electronic service that has one or more end-users in Australia (including any service that allows end-users to access materials using a carriage service such as social media, websites and secure messaging apps); and
  • entities that manufacture, supply, install or maintain customer equipment (or any parts thereof) for use (or that is likely to be used) in Australia.

What assistance is required from designated communication providers?

A designated communications provider may receive:

  1. a technical assistance request requesting for that Provider to voluntarily assist the relevant government agency for the purpose of safeguarding national security and interests.
  2. a technical assistance notice which is similar to a technical assistance request except that it compels the Provider for compulsory assistance to the relevant government agency; and
  1. a technical capability notice which compels the Provider to compulsorily build a new capability in order to assist the relevant government agency. This notice can only be issued by the Attorney-General.

Assistance by the Provider may include (amongst other actions) removing electronic protection (such as decrypting data), providing technical information, installing, maintaining, testing or using software or equipment, assisting with access to a facility, customer equipment, various devices, services and software and notifying particular kinds of changes to that Provider’s service.

Part 15 of the TOLA Act expressly limits any notice or request from requiring a Provider to implement or build, a systemic weakness or vulnerability into a form of electronic protection (also known as “backdoors”), or preventing Providers from fixing an identified systemic weakness or vulnerability. This means a Provider cannot be requested or compelled to do anything that would make its current electronic encryption less effective. Additionally, a request or notice cannot require a Provider to do anything which would otherwise require a warrant under existing laws.

Who can issue a request or notice?

The head (or a delegate thereof) of the Federal Police, State and Territory Police, the Australian Criminal Intelligence Commission, ASIO, the Australian Secret Intelligence Service, the Australian Signals Directorate can issue a technical assistance request and notice. Only the Attorney-General can issue a technical capability notice.

Limitations on assistance

A request or notice must not be given unless it is reasonable and proportionate, with consideration given (among other factors) to national interests, the legitimate interest of the Provider and whether compliance with the request is practicable and technically feasible.

Cost for complying designated communication providers

If a Provider complies with a notice or request, the TOLA Act provides that the Provider should neither profit nor bear the reasonable costs of complying.

If a Provider does not comply with a request or notice, that Provider may attract a fine of $10 million (companies) or $50,000 (individuals).

If you need advice on how the TOLA Act could impact your business, please contact us.

This article was written Michael Huynh, Lawyer – Commercial.