The Law Council of Australia has told a parliamentary security committee reviewing the government’s controversial encryption-busting laws that the new powers conflict with privacy regulations in the EU and US.
The group has also raised concerns over the Minister for Home Affairs’ ability to withhold information from the security ombudsman reviewing the use of the encryption access powers — widely held to be the most far-reaching of any western nation.
In its submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS), which is currently reviewing the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, the Law Council of Australia noted that while Parliament had made some necessary amendments to the controversial legislation it passed in December 2018, there are still “a number of outstanding concerns”.
The latest PJCIS committee’s terms of reference include a review of the Act’s interaction with foreign laws, with specific reference to the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act).
A cohort of the technology industry’s largest companies, including US tech giants, last week argued that, under the CLOUD Act, Australia’s encryption laws would disqualify it from some bilateral trade deals because they undermine the requirement that foreign countries have robust privacy protections.
The Law Council of Australia has taken a similar view and added that separate US laws would also likely provide a way for US companies to refuse to provide access to encrypted messages to Australian security agencies.
Because the CLOUD Act’s requirements would prevent “executive agreements” between Australia and the US, Australian law enforcement agencies would have to rely on pre-existing treaties to access data, a more time-consuming process, according to the Law Council.
“The reason for this is that irrespective of what laws Australia may pass, they are insufficient on their own to compel a service provider in the US to do anything not authorised by US law,” the submission says.
Europe’s General Data Protection Regulation (GDPR), which protects citizens’ data and privacy rights, may be “difficult to reconcile” with Australia’s Assistance and Access Act, according to the Law Council of Australia.
While there are provisions under the Australian law to prevent requests which could create a “systemic weakness” or “systemic vulnerability”, the Law Council of Australia is concerned that compliance with requests made under the new Act could still compromise the safeguards of personal data.
“This is contrary to the provisions of the GDPR which requires service providers and other controllers of data to implement appropriate technical and organisational measures so as to implement the data protection principles and provide protection and security for the ‘personal data’ within the EU,” the LCA submission says.
“The aims of the GDPR and the requirements of a [Technical Capability Notice] or [Technical Access Notice] to remove or limit the security measures required to protect privacy may be difficult to reconcile.”
The Assistance and Access Act received criticism for a lack of oversight and reporting requirements when it was first introduced. While some amendments have been made to address the concerns, the Law Council of Australia argues the overriding powers of the Department of Home Affairs Minister, currently Peter Dutton, could impede the oversight of the Secretary General and the Commonwealth Ombudsmen, which currently act as a check on the use of the new laws.
Under the Act, the Department of Home Affairs Minister can delete information from reports to the Ombudsman if it could reasonably be expected that the information would “prejudice an investigation or prosecution” or “compromise any interception agency’s operational activities or methodologies”.
According to the Law Council, the power is “unnecessary and is inconsistent with the Ombudsman’s role as an independent and impartial office”, and it has called for the removal of the redaction power.