Businesses should develop formal plans and appoint a first point of contact for dealing with requests made under the controversial ‘Encryption Act’, legal experts have advised, as the government fights allegations against abuse of new powers that some feel could turn well-meaning employees into sleeper agents.
Pushed through late last year, the Telecommunications and Other Legislation Amendment (Assistance and Access Act) (AA Act, also known as the ‘Encryption Act’) has caused concern after recent revelations that the laws were used to facilitate Australian Federal Police (AFP) raids on journalists.
Home Affairs said in its submission to a Parliamentary Joint Committee on Intelligence and Security review of the Act, that it has been working with the Australian Federal Police to deliver training to “operational agencies…. and are leading on the development of administrative guidance material to ensure the powers in the Assistance and Access Act are used consistently.”
What’s an employee to do?
One significant source of concern for many businesses has been the question of whether the law could put employees in the difficult position of being forced to honour a technical request without telling their employers.
The potential ramifications of such a requirement – which could theoretically put employees afoul of their employment contracts – had caused great concern and led Home Affairs to address “myths” about the Act and to explicitly state that it is not targeting individual employees.
“Individual employees who receive a notice can and should discuss that notice with their employer for the purposes of actioning it,” the department said in its submission.
“While the notice may be handed or sent to an individual employee… it is the corporate entity (not the individual) who is being served with the request or notice.”
Navigating the AA Act minefield
Yet national security law is notoriously complex, and teaching employees to discuss notices with their employers is just the first step towards compliance.
Telecommunications providers and developers of software incorporating encrypted messaging capabilities are in the spotlight, and likely targets of AA Act orders need to figure out in advance how they would action one.
“There definitely should be a protocol within any organisation that thinks it’s likely to receive a request under the legislation,” advised Michael Swinson, a partner with King Wood Mallesons, which has been fielding enquiries from organisations about their exposure under the AA Act.
“It’s important for the people who will be involved on the front line in putting together the response to not only understand the legislation, but also to understand the guidance that the government has put out on this.”
“It’s fair to say that every significant technology company that has a presence in Australia has taken notice of this legislation and will be considering how they comply with it.”
One of the key issues is disclosure: the Act prohibits recipients of notices from sharing information about what the notice instructs them to do, and they are only allowed to say how many orders they have received within the previous six months.
It also provides an offence with up to five years’ imprisonment for unauthorised disclosure of information, enforcing what Baker McKenzie partner Patrick Fair called a “highly constrained” environment for transparency around AA Act activities.
This includes educating employees about whom they should contact if they receive a notice – the company’s general counsel is a good start – and setting very clear guidelines before employees start talking about AA Act orders.
This is important, Fair noted, because AA Act orders may well be related to anti-terrorist or other activities where the law provides for control orders where “you cannot tell anybody anything.”
“You wouldn’t want to give your employees a blanket order to go ahead and tell us everything about [an AA Act order] because that might be in direct contravention of what the warrant requires.”
Employers may want to consider implementing AA Act-specific obligations in employers’ contracts to ensure harmony with the law – but even where there is no specific guidance, Fair said, employees shouldn’t be scared that complying with an order will put them in breach of their employment contract.
“In the choice between doing what your employment contract says and what the law requires you to do, subject to a formal penalty arrangement, you’ve got to do what the law requires you to do.”
Concerns proving founded
As feared abuses of the Act emerge, critics of the legislation are concerned that its consequences are only starting to become apparent.
The impact on Australia’s software developers was also being felt, Home Affairs has admitted.
While the legislation “does not impose any standing obligations” on industry, the department acknowledged industry advice that “perception of the legislation has had a material impact on the Australian market and the ability for Australian companies to compete globally”.
The issues raised by the legislation will have a direct impact on company strategy, said LegalVision IT lawyer James Adler.
“Businesses who are looking to expand internationally, especially start-ups, need to consider these laws when setting up their corporate structure and developing their expansion plan,” he explained.
Submissions to the review, which will hand down its findings in April 2020, reveal a range of ongoing concerns with the legislation, which enables law-enforcement bodies to request technical assistance from companies in intercepting encrypted communications.