The Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (the Bill) was enacted into Australian law on 8 December 2018. The Bill inserted a new Part 15 into the Telecommunications Act 1997 (Cth) (the Act).

Purpose of the Law

The new law gives Australian State, Territory and Federal law enforcement agencies the power to demand that Designated Communications Providers create a capability to provide access to encrypted communications and data. The Explanatory Memorandum notes that the increased encryption of personal, commercial and government information, which is intended to promote confidence in communications technology, has significantly degraded the ability of law enforcement agencies to conduct investigations.

New Powers

The new law allows Australian law enforcement agencies to make a Technical Assistance Request (TAR) and require compliance with a Technical Assistance Notice (TAN) or Technical Capability Notice (TCN).

Among the most controversial parts of the Bill are the industry assistance provisions, which allow these agencies to request or order that a Designated Communications Provider assist with decryption of communications/data. Also controversial are the capability provisions, which have been criticised as requiring providers to build back doors into their software/hardware.

Designated Communications Providers

The new laws apply to Designated Communications Providers which include foreign and domestic communications providers, device manufacturers, component manufacturers, application providers and traditional carriers and carriage service providers. This means the law also applies to foreign companies who provide a relevant communication service with one or more end-users in Australia, and includes anyone who develops, supplies, or updates equipment in connection with the service.

The definition of Designated Communications Providers in section 317C of the Bill expands the application of the Act to a broader range of providers than is presently captured by the Act, including manufacturers of components that are used or even likely to be used in Australia.

Types of Assistance

The law enforcement agency can require a Designated Communications Provider to do ‘listed acts or things’ set out in section 317E of the Bill.

This includes:

  • removing the electronic protection from a service or device;
  • providing specified ‘technical information’; and
  • facilitating access to devices or requested data.

The Bill requires Designated Communications Providers to comply with the Bill on a no profit-no cost basis. This means the reasonable costs of compliance may be recoverable from law enforcement agencies. There are civil penalty protections in the new law for providing assistance to law enforcement agencies.

Technical Assistance Requests (TAR)

Law enforcement agencies can request the assistance of the Designated Communications Provider under a broad power which is not limited to the ‘listed acts or things’. However, the request must relate to a ‘relevant objective’ of the agency, which could include safeguarding national security or assisting with enforcement of serious crimes in Australia or overseas.

Technical Assistance Notice (TAN)

Designated Communications Providers can be required to assist with a law enforcement agency's functions or activities, and the assistance required must be a ‘listed act or thing’. There is also a requirement that the actual assistance must relate to safeguarding national security or assisting with the enforcement of serious crimes in Australia or overseas.

Technical Capability Notice (TCN)

Designated Communications Providers can be required to build new capabilities to enable them to assist law enforcement agencies with a ‘listed act or thing’. There is uncertainty about the limits placed on ‘acts or things’ as well as the scope of technical characteristics or provider systems that must be disclosed to the law enforcement agencies. This could include, for example, spyware hidden in a software or hardware update.

Safeguards

The Bill contains the following protections:

  • The powers are reserved for the Attorney-General and other senior decision makers and an underlying warrant or authorisation is still required for the provision of telecommunications data.
  • The decision-maker must be satisfied that the requirements of TANs and TCNs are reasonable and proportionate, and compliance with the notice is practicable and technically feasible.
  • The notices cannot require a provider to build or implement a systemic weakness or systemic vulnerability into a form of electronic protection.
  • The powers cannot be used to impose data retention capability or interception capability obligations.

International Considerations

The interaction with international laws is uncertain. The reach of the new laws could extend, for example, to communications providers in the USA, by providing a back door for the U.S. Government to access encrypted information, which is contrary to laws recently passed by Congress.

There is a defence in the Australian law for not complying with requested assistance if compliance in the foreign country would mean a law of the foreign country is contravened. For foreign-owned companies, this exemption should be considered prior to taking any action required under the Australian law.

Penalties for Non-Compliance

The maximum penalty for non-compliance with a TAN or TCN is $10 million. TAR compliance is voluntary and there are no non-compliance penalties.

Comment

A Parliamentary Committee of Inquiry is to conduct a review and hold public hearings on the Bill as a concession to the opposition party for the Bill being passed prior to the end of 2018. The Inquiry is to occur by 3 April 2019.

We anticipate amendments will be required to provide further definitions on terms included in the Bill and give providers greater certainty on the application of certain parts of the Bill. In particular, the Bill does not include a definition of ‘technical information’, which raises concerns about the scope of the Bill for companies seeking to protect intellectual property. The definitions of ‘systemic weakness’ and ‘systemic vulnerability’ were late inclusions in the Bill and it is unclear how these concepts are to be applied in practice and what protections will be provided to providers or individuals.

There are some mechanisms in the Bill that providers should seek to use to protect their intellectual property, such as requesting an assessment of a consultation notice which must be issued prior to a TCN. We can assist your business with managing this process.

Next Steps 

If you receive a TAR, TAN or TCN you should consider if you are a Designated Communications Provider and if any of the exemptions apply. Contact us for a discussion about the new laws and how we can assist you with your compliance obligations.
