New search and surveillance powers have come into force in Australia which have extra-territorial reach to some New Zealand organisations.
In the wake of the
GDPR1, these new powers highlight the:
increasing relevance of international data laws to organisations in New Zealand; and
importance of data governance and privacy reviews, to ensure that your organisation has a comprehensive understanding of your data flows and the full scope of data protection legislation that you may be subject to.
The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (the
Assistance and Access Act) was passed by the Australian federal government in December. It was enacted despite widespread industry opposition, including opposition by DIGI (an association representing the Australian digital industry, whose members include Google, Facebook, Twitter and Amazon).
The Assistance and Access Act expands the search and access powers of Australian national security and criminal law enforcement agencies (Agencies) and allows them to request or require certain organisations (referred to as “designated communications providers” (DCPs)) to assist, or ensure they are capable of assisting, Agencies. For example, a DCP may be required to assist Agencies by:
removing electronic protection from a service or device;
providing technical information (e.g. source code); and
facilitating access to devices, services or data.
The Assistance and Access Act follows an international trend of expanding statutory search and access powers in the wake of similar legislation in the United States and the United Kingdom.
Important limitations apply to Agencies’ powers under the new Assistance and Access Act. An Agency must:
only exercise the new powers for purposes relating to national security or criminal law enforcement;
be satisfied that the request is reasonable and proportionate, and that compliance with the request is practicable and technically feasible;
not exercise the new powers to require a DCP to implement or build a systemic weakness or a systemic vulnerability into a form of electronic protection, and must not prevent the DCP from rectifying any weakness or vulnerability; and
only exercise the new powers in relation to a DCP’s activities that bring it within the ambit of the Act.
The Assistance and Access Act also attempts to address conflict of law issues, by including a defence for failure to comply with the assistance requirements, if it would require the DCP to do something outside of Australia that would contravene the laws of that country. However, there is no equivalent defence excusing a DCP for non-compliance where the DCP would be required to do something in Australia that might violate the laws of another country where a DCP operates or has customers.
Does the Assistance and Access Act apply to my organisation in New Zealand?
The new powers of Australian Agencies have extra-territorial reach and may be relevant to your organisation in New Zealand if you are:
using cloud services with servers or end-users located in Australia;
using any other services that involve the transfer to or storage of data in Australia; or
providing services to end-users located in Australia.
For example, the Assistance and Access Act is likely to be relevant if you provide or use of any of the following services, if the relevant service, software or device is used (or, in some cases, is likely to be used) in Australia:
websites, chat forums, messaging platforms and peer-to-peer sharing platforms;
phone and internet services;
software development used in connection with communication services; and
manufacturing of components used in telecommunication equipment.
Further changes expected
The Assistance and Access Act remains the subject of debate and further changes are anticipated. The Australian Government has indicated legislative reform is likely once the Joint Committee on Intelligence and Security of Inquiry completes its review (expected to be in April 2019). The Federal Opposition has also signalled that it will request amendments.
Next steps – have you mapped your data flow?
The new Australian laws highlight the importance of data governance and reviews within New Zealand organisations, including understanding where your data is collected, held, used and disclosed and the legal obligations and access powers that may apply as a result. Data held by service providers, such as cloud services providers, is an important part of that review.
Bell Gully regularly undertakes Privacy Reviews with our clients to assist with the practical and legal aspects of data compliance. These projects have a range of objectives, including:
data flows – identifying or confirming your data flows, including where data is collected, stored, disclosed and used;
digital strategy – supporting digital and data use strategies, with robust supplier and customer contracts and update to privacy policies – particularly if you are using or considering the use of new technologies to harness the value of personal data;
best-practice consents - reviewing your privacy policies and customer consents to ensure that they are up to date with best practice; and
legal compliance – assisting with compliance with the full scope of data protection obligations – including international obligations that may be applicable and “front-footing” the
upcoming reform of New Zealand’s Privacy Act 1993.
Please contact your
usual Bell Gully advisor or any of the contacts listed if you would like any advice or assistance in relation to a Privacy Review or any other matter addressed in this update.
This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.