The company providing the protection cannot by definition circumvent it or be unauthorized. If a third party decides to deliver a payload to your browser to discover your Facebook password, then they are violating the DMCS in the US. But if Facebook decides to deliver a payload to your browser to discover your Facebook password that is simply them doing business in a different fashion. This isn't a violation of US law, so refusing it do it would be a violation of Australia's very poorly-considered new law.
I'm obviously not an expert on US law but I find it very hard to believe that it is legal for an employee of a US company, without the permission of that company to put up a fake login page for particular users and then provide that information to a foreign government.
Now if the TAN/TCN was issued to a US based company that would be a different issue but then you as an individual would not be in violation of it.
Not that that makes it a better law, but I think for people not physically in Australia the risk of being issued an enforceable (under Australian law) TAN/TCN is quite low.
> Circumventing an electronic protection
> Unauthorised access
The company providing the protection cannot by definition circumvent it or be unauthorized. If a third party decides to deliver a payload to your browser to discover your Facebook password, then they are violating the DMCS in the US. But if Facebook decides to deliver a payload to your browser to discover your Facebook password that is simply them doing business in a different fashion. This isn't a violation of US law, so refusing it do it would be a violation of Australia's very poorly-considered new law.