ARTICLE
30 August 2024

When Privacy Meets Security – The Impact Of Export Control Reforms On Information Security

The Defence Trade Controls Amendment Act 2024 commences on 1 September 2024. This includes the expansion of controls to certain supplies that occur within Australia. The controls can impact everyday technology.
Australia International Law

KEY TAKEAWAYS

The Defence Trade Controls Amendment Act 2024 commences on 1 September 2024. This includes the expansion of controls to certain supplies that occur within Australia.

The controls can impact everyday technology. For example, the threshold for controls on certain encryption technology is based on a standard adopted by the US government in the 1970s.

Australian businesses now have six months to ensure they are complying with these rules. The consequences of non-compliance can include significant penalties and imprisonment.

Much of the discussion regarding Australian export controls reforms has been filtered through the prism of AUKUS. While this is understandable, the focus on defence has perhaps led to a failure to recognise the implications for other industries, who may soon find themselves subject to export controls, even for transfers that occur within the bounds of Australia.

The Defence Trade Controls Act 2012 ("DTCA") controls the transfer of software and technology listed on the Defence and Strategic Goods List 2024 ("DSGL").1 The "defence" side – Part 1 of the DSGL, also known as the munitions list - is only 30 pages of the 350-page DSGL. The balance is taken up with dual-use goods, which can extend to everyday technologies.

In this newsletter, Special Counsel Alistair Bridges and Lawyer Emily Schilling leap into the intersection between privacy and export controls to illustrate the export controls compliance considerations that may be pertinent to Australian businesses following the amendment of the DTCA.

PRIVACY VERSUS SECURITY

In recent years, there has been an increasing focus on the security of personal information. That is no surprise, given repeated high-profile data breaches and the recent proliferation of data-hungry large language models, not to mention the massive increase in the value and utility of personal information. Any day now, it is anticipated the government will be releasing its draft reforms to the Privacy Act 1988. Encryption of personal data can play an important role in securing that information, indeed the Information Commissioner has cited its utility in taking reasonable steps to secure personal information as required by Australian Privacy Principle 11.

However, export controls may apply to information security systems too.2 The DSGL is a conglomeration of the key multilateral export control regimes, including the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies ("Wassenaar") first established in the 90s. While Wassenaar is updated regularly, many of the controls have not kept pace with technological change.

Take, for example, the controls on encryption systems included at item 5A002 of the DSGL. It is difficult to summarise these controls comprehensively in a newsletter - the DSGL is the enemy of pith - but, skipping over much of the detail, the DSGL places controls on various software that is designed to use "'cryptography for data confidentiality' having a 'described security algorithm'" including ""symmetric algorithms employing a key length in excess of 56 bits".3

56-bit encryption dates back to the 1970s, having been popularized via its adoption as the Date Encryption Standard ("DES") by the US government in 1977's Federal Information Processing Standards. Obviously, computing power has improved slightly since Jimmy Carter was in office. In 2001 the US Government replaced the DES with the Advanced Encryption Standard ("AES"), which described a symmetric key algorithm using key sizes of 128, 192 or 256 bits. The Australian government's own Information Security Manual, consider the AES to be the "only approved symmetric encryption algorithm".4 Many current, commercially available cryptographic functionalities are built to the AES.

That is not to say more modern cryptography software is necessarily controlled – the DSGL has multiple carveouts, caveats and exemptions. Honestly, even David Bowie would consider it tad too labyrinthine. However, the threshold question, being the description of the controlled software, harkens back to the same year that the first Star Wars was released. One cannot assume that their technology is not controlled without undertaking significant analysis.

AUSTRALIA'S EXPORT CONTROLS ARE PROLIFERATING

If software, or for that matter, goods and technology, meet a DSGL specification then they are subject to controls. Essentially, the prima facie, position is that certain prohibitions apply to DSGL items, unless (a) they meet an exemption; or (b) the exporter/supplier has a permit allowing them. The specific controls include the following:

  • prohibitions on the export of DSGL goods;
  • prohibitions on the export of goods that contain DSGL software or technology (referred to collectively as "DSGL technology");
  • prohibitions on the supply of DSGL technology from a place in Australia to a place outside of Australia;
  • prohibitions on the publication of DSGL technology; and
  • prohibitions on brokering DSGL goods and technology.

The "control" part arises because a breach of these prohibitions is an offence, with significant penalties and the risk of imprisonment. Given that, insuring compliance is a must.

However, the DTCA is scheduled to commence on 1 September 2024, ushering in an expansion of export controls. The new controls include:

  • a prohibition on the supply of DSGL technology to certain "foreign persons" in Australia; and
  • a prohibition on secondary supplies of DSGL goods and technology once they have left Australia.5

This will require some attention. In particular, the requirements to have a permit to transfer DSGL technology to certain individuals in Australia including, in some instances, employees, is a significant expansion of controls, which will require active compliance strategies.6

Other jurisdictions have taken a more flexible approach. For example, the US includes similar controls on cryptographic software, technology and goods, including the equivalent of the DES level discussed above. However, the US also includes license exemptions for these classifications. Note the operation of such an exemption is not without its own complexity, it applies differently to certain sub-classes of the controlled items, to different destinations, and to different end-users, and may come with additional requirements such as registration or semi-annual reporting. It is by no means a perfect system. But at least a supplier fully apprised of its export control compliance obligations has some certainty regarding which transactions it can enter into.

In Australia, if you handle DSGL technology, you need to understand what controls are imposed on them, and you need to seek the appropriate permits.

THE OPPORTUNITY TO ENSURE COMPLIANCE IS NARROWING

In the rush to secure AUKUS it seems as though the additional regulatory burden borne by every-day businesses may not have been fully considered. The controls on dual-use goods and technologies are broad, touching on items as diverse as electronics, computers, telecommunications, sensors, lasers, avionics and marine vehicles, to name but a few. As illustrated by the discussion of cryptographic technology, the controls are not necessarily focused on bleeding edge technology. Australian businesses now have six months to determine whether (a) they have controlled technology; (b) whether the way they handle that technology will require a permit; and (c) to obtain those permits, to ensure they are compliant with these new rules.

Footnotes

1 For the sake of clarity, when we refer to the DTCA we do so as amended by the commencement of the Defence Trade Controls Amendment Act 2024 on 1 September 2024.

2 DSGL, Category 5, part 2.

3 In case you were wondering, that is not including "parity bits".

4 See https://www.cyber.gov.au/sites/default/files/2024-06/22.%20ISM%20-%20Guidelines%20for%20Cryptography%20%28June%202024%29.pdf.

5 These new controls apply to conduct from 1 March 2025.

6 S 10A(3) of the DSGL.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Find out more and explore further thought leadership around International Law

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More