As countries within the APAC region upgrade their data privacy laws (consistent with the global trend) its interesting to observe the flipside to privacy laws through the prism (no pun intended) of laws relating to lawful interception, encryption and data retention.
Lawful interception is usually enshrined in a law enforcement agencies (LEA) enabling provision within local telecommunications and/or criminal legislation. The main compliance participants here are telcos, ISPs and hosting companies. In Australia for example, the Telecommunications (Intercept and Access) Act 1979 provides the means for law enforcement to issue warrants to access communications in transit or stored. The government’s joint parliamentary committee in June released its Report of the Inquiry into Potential Reforms of Australia’s National Security Legislation which recommended an overhaul of the existing interception regime but stayed any push for mandatory data retention laws.
Encryption regulations or ‘crypto-laws‘ are generally in the form of government export control licensing compliance. Here the Wassenaar Convention underpins the regulatory requirements of most jurisdictions. The usual compliance subjects in this area are the hardware vendors and encryption algorithm software developers.
Data Retention laws are currently only operating in the EU under the Data Retention Directive 2006/24/EC with many EU countries implementing varying retention periods for different data types. The typical compliance subject are naturally telcos and ISPs. The US is notably free of mandatory data retention although the recent PRISM relevations casts a slightly different shadow.
It will be interesting to keep tabs on this evolving area, which LEA will apply more pressure to reform.
