Fed Govt urged to fine-tune Bill that will pave way for US CLOUD Act agreement


A parliamentary inquiry has urged the Federal Government to add further protections into a legislative framework set to fast-track its access to overseas-held communications data, including evidence for prosecutions for serious crime and investigation of suspected terrorist activity.

The Parliamentary Joint Committee on Intelligence and Security (PJCIS) tabled its report last week, recommending that the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 pass with 23 changes.

The requested changes include additional privacy safeguards, greater scrutiny of international agreements, specified criteria for “like-minded countries”, and stronger oversight for the new framework.

The International Production Orders (IPO) Bill is seen as a necessary step for the Australian Government to establish bilateral reciprocal data exchange agreements with the UK, US and other governments.

Negotiations for a data-sharing deal with the US Government, which would align Australia with the US’s Clarifying Lawful Overseas Use of Data Act (CLOUD Act), have been ongoing since 2019.

The CLOUD Act was enacted in 2018 to compel US technology and cloud companies to comply with foreign governments’ requests for electronic data. It also forges a pathway for governments to skirt the existing mutual legal assistance (MLA) mechanism and request data directly from US providers.

Australia’s Commonwealth Director of Public Prosecutions (CDPP) notes that most requests for evidence (sought in connection with serious crime investigations) from stored data held by major communications service providers (including Facebook, Microsoft, and Google) are processed through MLAs.

The Department of Home Affairs (DHA) has criticised the current MLA process as “slow and cumbersome”, adding that it fails to address today’s “fundamental shift in offshore storage of Australians’ data”.

“The digital world and the rapid increase in digital evidence for all types of criminal offences – not just cyber offences – is fundamentally undermining international crime cooperation,” a submission from the DHA read, stressing the need to establish new IPO arrangements.

Under the Government’s proposed Bill, if a bilateral agreement is in place, Australian law enforcement and national security agencies will have power to access data directly from foreign communications providers, and vice versa, through an IPO.

In submissions regarding the IPO bill, however, several stakeholders – namely the Australian Privacy Foundation and the ANU LSRJ Research Hub – raised concerns about the legislation’s privacy implications and increasing levels of digital surveillance by law enforcement agencies.

The PJCIS recommendations for the new Bill include a protective clause mandating that IPOs only be issued “for the purpose of obtaining information relating to the prevention, detection, investigation or prosecution of serious crime, including terrorism”.

In addition, the committee suggested that all international agreements be published and tabled for parliamentary scrutiny prior to signing, followed by a 15-day disallowance period.

Any agreement signed by Australia can be renewed or extended for up to three years if no new amendments are proposed. However, the PJCIS recommended that further renewal or extension be subject to parliamentary scrutiny and disallowance.

The Bill should also define “urgent circumstances” for which a data request can be served on the phone rather than in writing; for example, when there is “imminent risk” of “serious harm to a person”, or “substantial damage to property”, the report stated.

The committee further stressed that appointed oversight bodies, the Office of the Commonwealth Ombudsman and the Inspector-General of Intelligence and Security (IGIS), must be adequately resourced.

The latest federal budget saw $9.6 million allocated over four years to support progress with cross-border data exchange agreements – most of which was handed to the Commonwealth Ombudsman – with $1.5 million allocated for 2021-2022.

“Robust oversight arrangements provide assurance to the Australian community that these necessarily intrusive powers are used proportionately and appropriately to investigate and prosecute the commission of serious crimes and uphold Australia’s national security,” the PJCIS report noted.

Apart from that, the committee recommended that only countries which uphold “rule of law”, “principles of equality and non-discrimination” and observe “applicable human rights obligations and commitments” be allowed to negotiate data-sharing agreements with Australia.

Chair of the committee, Senator James Paterson, referred to the IPO scheme as a “vital power in an increasingly digital world”, as evidence for serious crimes is increasingly “located offshore”.

“The Committee’s recommendations seek to provide necessary assurances that any international agreement that Australia enters into under the provisions in the Bill are necessary, proportionate and subject to appropriate oversight,” Senator Paterson said.

The PJCIS’ full report can be viewed here.