(1) An owner or exclusive licensee of the copyright in a work or other subject - matter may bring an action against a person if:
(a) the work or other subject - matter is protected by an access control technological protection measure; and
(b) the person does an act that results in the circumvention of the access control technological protection measure; and
(c) the person knows, or ought reasonably to know, that the act would have that result.
Exception--permission
(2) Subsection (1) does not apply to the person if the person has the permission of the copyright owner or exclusive licensee to circumvent the access control technological protection measure.
Exception--interoperability
(3) Subsection (1) does not apply to the person if:
(a) the person circumvents the access control technological protection measure to enable the person to do an act; and
(b) the act:
(i) relates to a copy of a computer program (the original program ) that is not an infringing copy and that was lawfully obtained; and
(ii) will not infringe the copyright in the original program; and
(iia) relates to elements of the original program that will not be readily available to the person when the circumvention occurs; and
(iii) will be done for the sole purpose of achieving interoperability of an independently created computer program with the original program or any other program.
Exception--encryption research
(4) Subsection (1) does not apply to the person if:
(a) the person circumvents the access control technological protection measure to enable:
(i) the person; or
(ii) if the person is a body corporate--an employee of the person;
to do an act; and
(b) the act:
(i) relates to a copy of a work or other subject - matter that is not an infringing copy and that was lawfully obtained; and
(ii) will not infringe the copyright in the work or other subject - matter; and
(iii) will be done for the sole purpose of identifying and analysing flaws and vulnerabilities of encryption technology; and
(c) the person or employee is:
(i) engaged in a course of study at an educational institution in the field of encryption technology; or
(ii) employed, trained or experienced in the field of encryption technology; and
(d) the person or employee:
(i) has obtained permission from the owner or exclusive licensee of the copyright to do the act; or
(ii) has made, or will make, a good faith effort to obtain such permission.
In this subsection, encryption technology means the scrambling and descrambling of information using mathematical formulas or algorithms.
Exception--computer security testing
(5) Subsection (1) does not apply to the person if:
(a) the person circumvents the access control technological protection measure to enable the person to do an act; and
(b) the act:
(i) relates to a copy of a computer program that is not an infringing copy; and
(ii) will not infringe the copyright in the computer program; and
(iii) will be done for the sole purpose of testing, investigating or correcting the security of a computer, computer system or computer network; and
(iv) will be done with the permission of the owner of the computer, computer system or computer network.
Exception--online privacy
(6) Subsection (1) does not apply to the person if:
(a) the person circumvents the access control technological protection measure to enable the person to do an act; and
(b) the act:
(i) relates to a copy of a work or other subject - matter that is not an infringing copy; and
(ii) will not infringe the copyright in the work or other subject - matter; and
(iii) will be done for the sole purpose of identifying and disabling an undisclosed capability to collect or disseminate personally identifying information about the online activities of a natural person; and
(iv) will not affect the ability of the person or any other person to gain access to the work or other subject - matter or any other work or subject - matter.
Exception--law enforcement and national security
(7) Subsection (1) does not apply in relation to anything lawfully done for the purposes of:
(a) law enforcement; or
(b) national security; or
(c) performing a statutory function, power or duty;
by or on behalf of the Commonwealth, a State or a Territory, or an authority of one of those bodies.
Exception--libraries etc.
(8) Subsection (1) does not apply to the person if:
(a) the person circumvents the access control technological protection measure to enable the person to do an act; and
(b) the person is:
(i) a library (other than a library that is conducted for the profit, direct or indirect, of an individual or individuals); or
(ii) a body mentioned in paragraph (a) of the definition of archives in subsection 10(1), or in subsection 10(4); or
(iii) an educational institution; and
(c) the act will be done for the sole purpose of making an acquisition decision in relation to the work or other subject - matter; and
(d) the work or other subject - matter will not be otherwise available to the person when the act is done.
Note: A library that is owned by a person conducting a business for profit might not itself be conducted for profit (see section 18).
Exception--prescribed acts
(9) Subsection (1) does not apply to the person if:
(a) the person circumvents the access control technological protection measure to enable the person to do an act; and
(b) the act will not infringe the copyright in a work or other subject - matter; and
(c) the doing of the act by the person is prescribed by the regulations.
Note: For the making of regulations prescribing the doing of an act by a person, see section 249.
Burden of proof
(10) The defendant bears the burden of establishing the matters referred to in subsections (2) to (9).