A comparative review of governmental access and assistance laws

As the global economy becomes one that is increasingly online, fast-moving and driven by data, there is a corresponding rise in cyber-related and data-related threats. Moreover, the increasing ubiquity of technologies such as messaging applications that are end-to-end encrypted have increased the possibility of technology being misused to facilitate the activities of bad actors and to frustrate the attempts of law enforcement and national security agencies to investigate and prosecute these crimes.

Against this background, governments are reassessing the strength of their laws on rights of information access by law enforcement and national security agencies, as well as related laws on matters such as data privacy, cybersecurity and the protection of critical infrastructure. There is growing recognition by governments that conventional access and assistance laws may be inadequate when it comes to online and electronic communications, as the information obtainable by these conventional means may be of limited use (for example, because that information is encrypted). Legislation to compel assistance from communications and related industries to provide greater assistance in obtaining and understanding electronic information is increasingly being considered and introduced by governments around the world.

Some of these efforts have been met with criticism – for example, the access and assistance laws introduced in Australia in late 2018 were widely condemned by industry players as too overreaching. Similarly in Europe, the proposed “e-evidence regulations” – which permit judicial authorities in one EU Member State to bypass those in another when making judicial orders for electronic evidence from service providers in criminal matters – have also been much criticised. These laws impact not only telecommunications network operators (who have traditionally been the main players tasked with facilitating access and assistance to communications for law enforcement and national security agencies), but increasingly parallel businesses such as equipment manufacturers, software developers, cloud providers and over-the-top and web-and-app based services.

The extraterritorial application of access and assistance laws is also a concern for businesses. China, in particular, has been perceived to have implemented laws which allow unfettered governmental access to information, whether or not held within Chinese borders. There is a sense of fear among many non-Chinese companies and governments that the Chinese cybersecurity and information laws are open to misuse. Among the most common concerns cited are governmental directives to require Chinese companies to plant “backdoors” or surveillance capabilities into their products, increased risk of intellectual property theft and other compulsory access to information by Chinese authorities for ulterior purposes. Such misconceptions encourage speculation that choosing an ICT vendor in China would create a security threat and so excluding the vendor from China will make network and data more secure and less subject to government access. What is not well understood, however, is whether these concerns are valid based on a proper understanding of the relevant Chinese laws and how these laws compare with other access and assistance regimes around the world.

This paper seeks to examine the governmental access and assistance regimes in seven jurisdictions – China, UK, US, Germany, Australia, Sweden and Finland – and to assist businesses to make more informed decisions about doing – or abstaining from doing – business in or with companies located in these jurisdictions.