On June 24, 2021, Australian parliament passed legislation establishing a framework for its enforcement agencies to access certain electronic data held by companies outside of Australia for law enforcement and national security purposes.  The law paves the way for the establishment of a bilateral agreement with the United States under the U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act.

Similar to the function of the CLOUD Act, the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 enables Australian enforcement authorities to compel companies covered by the statute to provide data, regardless of where the data is stored.  The legislation introduces international production orders, a form of legal process for compelling real-time interception of communications or the production of stored communications and telecommunications data, which can be served directly on communications providers in foreign countries with which Australia has an agreement.

In August 2018, the Government of Australia unveiled a new proposed bill that would grant the country’s national security and law enforcement agencies additional powers when confronting encrypted communications and devices. The text of the draft Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (the “Assistance and Access Bill” or the “Bill”) states that the purpose is “to secure critical assistance from the communications industry and enable law enforcement to effectively investigate serious crimes in the digital era.”

The Assistance and Access Bill, if enacted, could affect a wide range of service providers both in and outside of Australia.

By Daniel Cooper and Fredericka Argent

On 29 November 2012, the Office of the Australian Information Commissioner announced that the Australian government passed the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (“the Act”). The Act, due to come into force in March 2014, is the biggest reform to Australian privacy law in over 20 years, since the passing of the original Australian Privacy Act 1988. It represents the culmination of a recommendation for reform made originally by the Australian Law Reform Commission (“ALRC”) in 2005. One of the aims of the reform is to bring Australia’s privacy laws “into the digital age”. Alongside the Privacy Act reforms, the ALRC are also currently in the process of consulting on introducing a mandatory personal data breach law for Australia. It is likely that the passing of the Act will give this discussion more momentum.

One of the key changes in the new Act is the introduction of a single set of 13 harmonised “Australian Privacy Principles” (“APPs”) which will apply to government agencies as well as the private sector. The 13 APPs will replace the current bifurcated system, which includes “National Privacy Principles” (“NPPs”) for the private sector and “Information Privacy Principles” (“IPPs”) for the public sector.  The APPs are intended to make it easier for businesses and consumers to understand their obligations with regard to personal data and privacy. The Act also introduces reforms that will reshape how entities may process personal information and the circumstances in which it can be used for direct marketing (APP 7), and how entities may transfer personal information overseas (APP 8). Further, the Act will introduce a higher standard of protection for “sensitive” information, including health-related information, DNA and biometric data. The Act will also bring in new powers for businesses to check individuals’ credit worthiness, by introducing more comprehensive credit reporting rules.

By Kurt Wimmer and Josephine Liu

The United Nations Office on Drugs and Crime has released a report warning that terrorists are increasingly using the Internet to spread propaganda, recruit and train supporters, finance their activities, and plan terrorist attacks.  Besides providing an overview of the existing legal frameworks to address terrorists’ use of the Internet, the report highlights a number of challenges associated with investigating and prosecuting terrorism cases — and specifically notes that “[o]ne of the major problems confronting all law enforcement agencies is the lack of an internationally agreed framework for retention of data held by ISPs.”   

As the report notes, some countries already require ISPs to retain certain types of data for a specified time period.  But even in the European Union, where Directive 2006/24/EC requires Member States to ensure that regulated providers retain specified communications data for a period between six months and two years, there is no consistent data-retention period.  Some Member States require data to be retained for six months, others for two years.  In addition, several Member States continue to grapple with implementing the Directive, including Germany (where an attempt to implement it was struck down by the constitutional court).

By Fredericka Argent

This month, following an inquiry by the Australian Law Reform Commission (“ALRC”) into the effectiveness of the Australian Privacy Act 1988, the Australian government launched a discussion paper which calls for views from the public on whether a mandatory data breach notification scheme should be introduced in Australia. This scheme refers to a legally-binding obligation to provide notice to the relevant authority and any affected persons where the party in charge of protecting personal information unlawfully or accidentally breaches their security obligations — for example by destruction, loss or unauthorised disclosure of information. The paper recognises the importance of a data breach reporting requirement in light of the increasing amount of personal data held by public and private organizations in Australia, often in electronic form, which are vulnerable to theft and loss.

The paper analyses the pros and cons of introducing a mandatory data breach notification scheme, weighing up arguments such as the onerous costs of compliance and the effectiveness of the current voluntary guidelines issued by the Office of the Australian Information Commissioner (“OAIC”) against the positive effects of a legally-binding scheme, such as:

• Allowing the affected person to mitigate the consequences of the breach;

• Providing an incentive for organizations holding personal information to adequately secure information;

• Enabling data breach incidents to be tracked and information on breaches to be provided in the public interest; and

• Maintaining public confidence in the legislative privacy regime.