Anti-encryption Australian law and GDPR
The new controversial Australian anti-encryption law allows the government to access encrypted data.
On the 6th of December 2018, the Australian Parliament approved an anti-encryption law that collides with some essential principles in privacy in a global way, and directly with GDPR.
Under this regulation, Australian companies will be obliged to construct “backdoors” or back access doors to information in such a way that it is available to the Government, while being required not to communicate the existence of such System to the users or customers, nor is it done in any other public way, under penalty of imprisonment. In this way, companies will be compelled even to falsify data for audits that could reveal such vulnerability.
What then happens to international customers of Australian software companies? Users now rely on the implementation of end-to-end encryption, but this feature will need to be modified to allow government access to the data being processed, implying that any information on the Clients, including those related to a security breach, with confidential environments or intellectual property elements.
This regulation adds an additional risk to the disposition of the information by the Government; it presents many technical threats and introduces international regulatory compliance challenges as well.
In this way, the application of the new anti-encryption law will generate complete uncertainty in the users whose data are stored on Australian software platforms, because they will not be able to know if the treatment is completely safe or is subject to vulnerabilities, since the government vetoes these companies even withdrawing from their web pages the encryption notices.
This situation will prevent any responsible or manager in the EU from assessing compliance and adaptation to the GDPR of an Australian company, which will create obstacles to the use of the respective platforms or tools, in accordance with article 28 of the GDPR.