Australia’s Anti-Encryption Collision with GDPR Sub-Processing

December 21, 2018 Amber Welch

On December 6th, Australia passed a surprising law with a global impact on privacy. The new law requires any Australian company to build backdoors to encrypted data and communications when instructed to do so by the government, while requiring that the existence of such surveillance capabilities be kept secret from individuals and enterprise customers. Because nobody outside the company can verify whether its encryption has been compromised, the law presents many technical threats and introduces international regulatory compliance challenges as well.

“It is likely not possible to build in functions to get around encryption without building in systemic weakness or vulnerability into a given product or service.”

-Australian Computer Society Inc.

This law also requires individual technologists to obey surveillance commands in silence under threat of up to 10 years of imprisonment (Section 64A), effectively conscripting every Australian civilian technology employee as a spy resource for government surveillance. If you’re thinking a warrant canary might bypass the secrecy order, the Australian Government was one step ahead, banning organizations from making any public reference to the “existence or non-existence of such a warrant” in 2015. As with the anti-encryption law, the liability is personal: disclosing any information about warrants, even the lack of a warrant, carries a penalty of imprisonment for two years.

While most software development lifecycles have security controls that would prevent a single employee from quietly compromising an application’s security, a company’s upper management could be forced to bypass these controls to implement weak encryption or insecure access without disclosing it to end users or customers of that software. What does this mean for international customers of Australian software platforms and applications?

Read full article at

About the Author

Amber Welch

Amber Welch is a Privacy Technical Lead for Schellman & Company, LLC. With more than 6 years of experience as a technical writer and privacy and security governance consultant, she is dedicated to GDPR and other privacy-focused engagements. Amber has served as a panelist during Black Hat and published several articles on recent privacy developments. She holds a master’s degree from the University of Nebraska, as well as the CIPP/E and CCSK designations from the International Association of Privacy Professionals and the Cloud Security Alliance.
