Folks, in my opinion CASA is going to be hit with something that will send them spinning - the EU GDPR - general data protection regulation. I'm not sure in fact if anyone in Government saw this coming. What the GDPR does is establish rules for the handling of personal data, with massive fines and jail terms for any organization that breaches them. It covers what data may be collected, how it must be handled, who may have access and what and when things must be destroyed. Most importantly it regulates what permissions must be sought before data can be collected and disseminated which is quite involved.
While this is an EU law, it has very wide applications to anyone even remotely connected to Europe as Apple, Google and a host of other companies and governments are finding out as we speak. American companies, let alone Australian institutions don't even know what's going to hit them.
https://www.eugdpr.org/
If CASA issues any licenses to a European citizen or AVMED a certificate, then CASA is caught. Same with ASICS and the myhealth e record system.
This from talking to someone knowledgeable on the matter over here.