Australia: Encrypted communications act "has significant negative impacts on individuals' privacy"
The Office of the Australian Information Commissioner ('OAIC') submitted, on 1 October 2019, its comments to the Independent National Security Legislation Monitor Review on the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 ('the Act').
In particular, the OAIC provided comments on the proportionality of the Act to national security threats, and the appropriateness of its safeguards for protecting the privacy rights of individuals.
Alec Christie, Digital Law Partner at Ernst & Young Australia, told OneTrust DataGuidance, "[The Act] has significant negative impacts on individuals' privacy. It is not good enough to pass such privacy impacting laws simply on the basis […] that it is needed for national security or law enforcement, […] without an investigation and explanation […] as to its actual necessity […], and the proportionate oversight measures to be implemented to ensure […] the privacy of individuals is not eroded unnecessarily more than it absolutely has to be."
While the OAIC’s [proposals] do not eliminate the privacy impacts, they do seek to add checks and balances
The OAIC highlighted that the powers authorised under the Act may substantially weaken important privacy rights and protections under the Privacy Act 1988 (as amended), and provided recommendations to mitigate privacy risks inherent in the regime of access to encrypted communications. In particular, the OAIC proposed to further clarify the definitions of 'systemic weakness' and 'systemic vulnerability' under the Act, and recommended to extend the assessment mechanism to technical assistance requests ('TARs') and technical assistance notices ('TANs'). Furthermore, the OAIC noted that the Act should be amended to require independent judicial authorisation before TANs or technical capability notices ('TCNs') are issued or varied, or, in case this recommendation is rejected, make the decisions to issue TANs or TCNs subject to judicial review under the Administrative Decisions (Judicial Review) Act 1977.
Christie continued, "[The current regime] has very few check or balance mechanisms and [an extremely limited] ability for challenge by a company which believes the relevant notice is ultra vires [...]. [W]hile the OAIC's [proposals] do not eliminate the privacy impacts, they do seek to add checks and balances to reduce the risk of unnecessary and out of scope use of these powers, and arm companies with the ability to test the necessity and appropriateness of [TANs or TARs]. [Moreover], the OAIC's recommendations to further consider the definitions in the law will not only provide greater legal certainty but will serve to limit the scope of requests […] and be a key factor in the assessment mechanism."
Kotryna Kerpauskaite Privacy Analyst