The report reviews one proposed treaty action: the Agreement between the Government of Australia and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime (CLOUD Act Agreement).
The CLOUD Act Agreement would allow a range of Australian agencies to seek an Order under Australian law to obtain the electronic data of any Covered Person where it relates to a serious offence, from communications service providers that operate under the jurisdiction of the United States (US), and vice versa. Orders could be made, on certain grounds, for the interception of communications, access to stored communications, and access to telecommunications data.
For Australia, the legal authority for Orders under the CLOUD Act Agreement would come from the Telecommunications (Interception and Access) Act 1979 (TIA Act). What the CLOUD Act Agreement does is provide an agreed administrative mechanism so providers in the receiving country can comply with Orders made under the domestic law of the issuing country, without the necessity of law enforcement or intelligence agencies relying upon the broad but relatively cumbersome and slow mutual legal assistance arrangements.
Although the legal authority for Orders comes from the law of the issuing country, the CLOUD Act Agreement requires certain steps to be followed for the CLOUD Act Agreement to be properly invoked, including limitations on who may be targeted, minimisation procedures, issuing requirements for Orders, and exceptions for ‘essential interests’ that are specified in side letters.
For Australia, the CLOUD Act Agreement would complement but significantly improve on the current mutual legal assistance treaty process for the acquisition of data held by US communications service providers. It would allow Australia to provide an Order for Covered Data directly to a Covered Provider in the US without involving US authorities or otherwise engaging with the US legal system. In so doing, it has the potential to substantially reduce the timeframes for the acquisition of relevant data relating to the commission of a serious offence.
Each Party would establish a Designated Authority to ensure an Order complies with the domestic law and the various provisions of the CLOUD Act Agreement, and to transmit the Order directly to the relevant Covered Provider. There is no requirement for the Australian Designated Authority to advise the US Designated Authority an Order has been made, and vice versa.
The Committee examined a range of issues with regard to the CLOUD Act Agreement, including the implications with respect to civil liberties, reporting on and oversight of the use of Orders, and consultation during the negotiation of the Agreement. The Committee encourages the Australian Government to be especially mindful that consultation, reporting, and oversight are critical integrity elements that should be applied appropriately where surveillance or other incursions into privacy are involved, even when those incursions serve a legitimate purpose.
The Committee supports the CLOUD Act Agreement and recommends binding treaty action be taken.