Keeping Up With Privacy Legislation

By Karen Allen posted 02-12-2019 10:00


Keeping up with new privacy legislation can amount to a full-time job.  Last year we held our collective breath as we waited for the impact of GDPR.  Since then we’ve seen the passage of the California Consumer Privacy Act (CCPA), the Massachusetts data protection law, major tech companies calling for a US version of the GDPR, and the introduction of the US Data Care Act calling for a federal privacy law.  While these laws and proposals cover the rights of an individual to know who has their data, who can access it and what they can do with it, they do not specifically address an individual’s rights as they pertain to their private electronic communications.


In December 2018 the Australian Parliament passed a law that requires tech companies to provide law enforcement and security agencies with access to encrypted communications.  The government claimed the law was necessary to provide law-enforcement agencies with the tools necessary to protect citizens from criminals and terrorists who are likely to use encrypted messaging platforms (think WhatsApp, iMessage and the like) to communicate.


The law was controversial before its passing, facing opposition from both privacy advocates and tech companies who claimed the law was vague, weakened security, and compromised Australians’ privacy.  Among the main concerns are that any ‘back door’ allowing law enforcement agency access would be vulnerable to hacking, and that authorities could force companies to provide access to an individual’s messages without the user’s knowledge, since the order to comply is secret.  Considering that encryption is a safeguard against unauthorized access to data, the Australian legislation has drawn many criticisms for placing undue risks on the average citizen.


The impending EU ePrivacy Regulation, meant to complement the GDPR, is expected to be adopted in 2019.  Where GDPR addresses protections for personal data, the ePrivacy Regulation will address the privacy protections for personal electronic communications.  It broadens an older directive to cover modern communications, including text messaging and various chat apps, and requires an individual’s explicit permission to use their information.  It could have a broad impact given that many apps and services include some ability for users to communicate with each other.


So, it seems that the Australian law would be in direct conflict with the EU ePrivacy Regulation.  The Australian law was rushed to passing at the end of 2018 with the promise of amendments to come.  The scope of the ePrivacy Regulation is still being debated.  Hopefully legislation can move us to a place where we don’t need to be concerned that our toaster is spying on us (although I did just learn of a new dating app that connects you to potential dates according to the contents of your IoT refrigerator).  It will be an interesting space to watch as we move forward in an IoT world.