Agreement between the Government of Australia and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime
Introduction
2.1
This chapter examines the Agreement between the Government of Australia and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime (CLOUD Act Agreement), which was signed in Washington on 15 December 2021, and tabled in the Parliament on 8 February 2022.
2.2
The CLOUD Act Agreement would allow Australian authorities to seek an Order under Australian law to obtain certain electronic data of a Covered Person (broadly, a person or organisation that is not American or located in the United States (US)) that relates to a serious offence, from communications service providers that operate under the jurisdiction of the US, and vice versa.
2.3
The legal effect of the CLOUD Act Agreement is to provide an agreed administrative mechanism so providers in the receiving country can comply with Orders made under the domestic law of the issuing country, without the necessity of law enforcement or intelligence agencies relying upon the broad but relatively cumbersome and slow mutual legal assistance arrangements. For Australia, the legal authority for Orders under the CLOUD Act Agreement would come from the Telecommunications (Interception and Access) Act 1979 (TIA Act).
2.4
The CLOUD Act Agreement does constrain the issue of Orders and how the data obtained is dealt with insofar as it requires certain steps to be followed for the CLOUD Act Agreement to be properly invoked, including limitations on who may be targeted, minimisation procedures, issuing requirements for Orders, and exceptions for ‘essential interests’ that are specified in side letters.
Background
CLOUD Act
2.5
The shorthand reference—CLOUD Act Agreement—is derived from the US legislation that provided the authority for the US executive to enter into the agreement: the Clarifying Lawful Overseas Use of Data Act (CLOUD Act). The CLOUD Act amended title 18 of the US Code to provide authority for the executive branch to conclude an ’executive agreement’ allowing certain foreign governments to seek data directly from US technology companies in cases involving serious crime when not targeting US persons. The CLOUD Act Agreement is an executive agreement.
2.6
Where presently a request to access data stored by a technology company in the US generally has to be made through the US Justice Department (under some form of mutual legal assistance arrangement—see below), an executive agreement would allow foreign authorities to request data under their own laws directly from US providers, and potentially with a lower legal threshold than the probable-cause standard required for a warrant under US law.
Executive agreements and the TIA Act
2.7
Title 18 of the US Code establishes the parameters for the executive to negotiate agreements to allow foreign governments to directly request data from US companies. Section 2523 establishes requirements in two broad areas:
attributes of the legal and political system of the foreign government
content of the executive agreement itself.
2.8
Various provisions in title 18 prescribe the content of an executive agreement. Given the legal authority for an Order comes from Australian legislation, title 18 requires that certain provisions are made in Australian legislation. These were made through amendments to the TIA Act by the Telecommunications Legislation Amendment (International Production Orders) Act 2021 (IPO Act), which inserted a schedule for international production orders (IPOs) into the TIA Act. The IPO Act received Royal Assent in July 2021.
Content of the CLOUD Act Agreement specified by US legislation
2.9
Significant portions of the CLOUD Act Agreement reflect specific provisions, and in some cases the exact wording, of section 2523 of title 18. This includes provisions in the CLOUD Act Agreement dealing with: data localisation; domestic legal requirements for the preservation, authentication, disclosure and production of data; purpose of Orders; non-discrimination; not intentionally targeting a Receiving Party Person; not targeting a Covered Person to obtain information concerning a Receiving Party Person; requirements for targeting to be specific; prohibition on Orders issued at the request of, or to provide data to, the Receiving Party or a third-party government; compliance of Orders with domestic law; review and oversight of Orders; specific requirements for Orders for interception; authority to set aside an Order; targeting and minimisation procedures; requirements to segregate, delete and not disseminate certain material; instances where information may be provided to the Receiving Party; no obligation for the Issuing Party to share information; and review requirements.
Impetus for the CLOUD Act
2.10
One impetus for the CLOUD Act was dealing with the need for countries to access data stored abroad, often by US companies, in a way that addressed the inefficiencies of the overburdened legal architecture established by the mutual legal assistance treaty (MLAT) system. It was feared that absent a change in US law, frustrated foreign governments unable to reasonably obtain data held by US companies might enact data localisation or data restriction laws.
Data localisation references in the CLOUD Act Agreement
2.11
Under the US Code, executive agreements are to prevent data localisation. Data localisation means certain data related to citizens or residents of a country (for instance, personal, health, business, financial) has to be physically stored on infrastructure within the country’s borders—in effect, data created within a state’s borders must remain there. This might be legislated for a variety of reasons including enhancing sovereign control over citizen data, preventing foreign government interference, preventing the digital dominance of certain countries, securing important data, or to advantage domestic industries and technology development.
2.12
Certification of an executive agreement requires that a foreign government:
… demonstrates a commitment to promote and protect the global free flow of information and the open, distributed, and interconnected nature of the Internet …
2.13
According to the CLOUD Act Agreement itself, the Parties note ‘the harms of data localization requirements to a free, open, and secure Internet’, and endeavour ‘to avoid such requirements’. Article 2 of the CLOUD Act Agreement specifies one purpose of the CLOUD Act Agreement is to protect an open Internet.
2.14
Australia has elsewhere committed to an open internet—for instance, through provisions in the Comprehensive and Progressive Agreement for Trans-Pacific Partnership and the Australia-Singapore Digital Economy Agreement.
Other CLOUD Act Agreements
2.15
The US and the United Kingdom (UK) signed an executive agreement in October 2019 (US-UK Agreement), and the US is currently negotiating agreements with the European Union (EU) and Canada. Australia’s CLOUD Act Agreement closely resembles the US-UK Agreement.
Rationale for the CLOUD Act Agreement
Growing use of international communication services
2.16
According to the National Interest Analysis (NIA), online communications services are increasingly being used to undertake criminal activity. Under Australian law, agencies have powers to efficiently access information from Australian communications service providers.
2.17
However, as the popularity of non-Australian based services for communications has grown, electronic data related to serious crime can be distributed over different services, locations and jurisdictions, and held by companies primarily based in the US. This means agencies are more often using international crime cooperation mechanisms to gain access to information held overseas. The NIA stated this is a resource-intensive and time consuming process and impacts the ability of law enforcement to prevent, detect, investigate, and prosecute serious crime.
2.18
As it stands, Australian law enforcement agencies currently use the 1997 Treaty between the Government of Australia and the Government of the United States of America on Mutual Assistance in Criminal Matters to obtain electronic data held by US-based communications service providers. This is a MLAT.
2.19
Other than through the MLAT process, the Regulation Impact Statement (RIS) acknowledged that some communications service providers choose to provide voluntary assistance. However, the RIS stated this was often inconsistent and dependent on the internal disclosure policies in the particular organisation. These policies may adopt conservative or broad interpretations of what can or cannot be disclosed under domestic law, making it difficult, according to the RIS, to rely on voluntary assistance.
Mutual legal assistance treaties—procedures and requirements
2.20
Under a MLAT, law enforcement agencies in one country seek the assistance of law enforcement agencies in another country. Any request for assistance is reviewed under the laws of the country receiving the request for assistance. If the request complies with the laws of that country, authorities may seek a court order under those laws to obtain the data. If granted, the foreign government obtains the data and transmits it to the requesting government.
2.21
The US is of the view some countries can find MLAT requests to the US demanding because requirements to obtain a warrant for the content of electronic communications are amongst the toughest in the world due to US privacy protections:
A request to issue a warrant must be submitted to an independent judge for approval. The judge cannot authorize the warrant unless he or she finds that the government has established by a sworn affidavit that ‘probable cause’ exists that a specific crime has occurred or is occurring and that the place to be searched, such as an email account, contains evidence of that specific crime. Further, the warrant must describe with particularity the data to be searched and seized; fishing expeditions to see if evidence exists are not permitted.
2.22
As noted above, executive agreements allow countries to obtain data directly from a company using legal thresholds that apply in their own jurisdictions (subject to a ‘serious crime’ requirement, see below), which can be a lower legal threshold than that required in the US. However, as discussed below, the threshold for a Covered Offence in the CLOUD Act Agreement is higher than that for MLAT matters where there is generally a 12-month imprisonment threshold for a serious offence. A further point of difference is that mutual legal assistance arrangements allow requests for access to stored data, but do not allow for interception.
Outgoing requests for assistance
2.23
Over 14 years (2007 to 2020), Australia made approximately 1,000 requests to the US for electronic data—roughly an average of 71 each year. The NIA stated ‘many’ requests sought data from communications service providers like Google, Microsoft, Yahoo! and Snap—though the exact distribution of requests is not identified.
2.24
Through the MLAT process, the NIA stated it can take in excess of 12 months for data to be supplied from the US to Australian law enforcement agencies. In general, the complexity of a matter and the nature of the assistance sought mean requests can take between three months and two years. It was acknowledged, however, that in a ‘life-threatening’ situation, a mutual assistance request may be complete in ‘a matter of days’.
… if electronic evidence cannot be obtained in accordance with Australian court timeframes, this can result in charges being withdrawn, less serious charges being pursued, or a weaker case being put to the court. This can ultimately lead to lower rates of conviction and lesser sentences being imposed, if at all.
2.26
The RIS argued that maintaining only the existing MLAT process would weaken Australia’s ability to combat the evolving tactics of criminals, and diminish Australia’s national security and criminal justice efforts. While it was possible for the MLAT system to be recalibrated and better resourced, the RIS stated the rapidly developing modern communications environment meant ad-hoc fixes would not solve identified problems. Further, it would be up to foreign governments to update their own processes; unilateral actions by Australia may not result in reciprocal benefits.
Views of participants—No clear evidence for claim delays are impacting prosecutions
2.27
During the inquiry, Mr Andrew Ray, a Visiting Fellow at the Australian National University College of Law, questioned whether there was evidence for the claim that delay in access to data was impacting prosecutions in Australia—publicly available statistics did not support an assessment at the federal level that convictions were being significantly impacted by any delay.
2.28
Further, according to Mr Andrew Ray, it did not necessarily follow that increasing the amount of data law enforcement and national security agencies could analyse would reduce the incidence of serious crime or enable agencies to prevent crimes. It may be more fruitful to focus on improving data analysis capabilities and using existing data-gathering powers more efficiently.
2.29
The Attorney-General’s Department addressed this issue broadly, when it stated it was necessary to consider:
… the investigations that aren't happening. If you're a state or territory police officer and you have a very big case load on and you realise that one of your investigations is going to require mutual legal assistance and it's going to take 12 months or more, you might move on to the next one where you think you can go quicker. What happens is that only the most serious crimes—the absolute top, top end—end up going through mutual legal assistance. I think you can tell that by the numbers because, even though we're saying there's been an exponential growth in mutual legal assistance, I still think the numbers are incredibly small for the amount of data that we know the US hold. I think you will find the numbers, when this agreement [CLOUD Act Agreement] is up and running, are multitudes of times larger, because mutual assistance is putting a finger in the dam.
Incoming requests for assistance
2.30
Between 2007 and 2020 under the MLAT process, the RIS stated Australia received fewer than 30 requests for the types of data that would be provided for under the CLOUD Act Agreement. The RIS also stated under the CLOUD Act Agreement, this number would be lower due to the CLOUD Act Agreement’s targeting restrictions.
Australian providers potentially captured by the CLOUD Act Agreement
2.31
According to the Department of Home Affairs, a broad range of Australian providers would be captured as ‘Covered Providers’ under the CLOUD Act Agreement and could potentially receive US Orders for content data, traffic data, and/or metadata, including:
traditional carriers and carriage service providers, including telecommunications service providers
over-the-top, VOIP [Voice Over Internet Protocol] and messaging app providers
social media and chat forum websites
back-up and storage service providers.
Australia’s interests
2.32
The RIS stated it was ‘strongly’ in Australia’s interests to enter into the CLOUD Act Agreement because it was expected to:
ensure Australian agencies can effectively and efficiently obtain electronic data
reduce current burdens on international crime cooperation mechanisms, which would reduce the workload of the US in responding to MLAT requests
enhance the relationship between Australia and the US and between Australia and US communications service providers
ensure data obtained is afforded reasonable, necessary and proportionate privacy protections.
2.33
The CLOUD Act Agreement would not affect other legal authorities and mechanisms either Party has to obtain or preserve electronic data from the other Party or service providers including:
legal instruments and practices under the domestic law of either Party that do not require the CLOUD Act Agreement to be invoked
requests for mutual legal assistance
Australia’s enabling legislation
2.34
As noted above, the legal authority for Orders would not come from the CLOUD Act Agreement, it would derive from Australian and US law respectively.
Schedule 1 of the TIA Act
2.35
The CLOUD Act Agreement, upon becoming a ‘designated international agreement’, would enliven Schedule 1 of the TIA Act and allow for IPOs to be issued to US communications providers. IPOs would be ‘Orders’ under the CLOUD Act Agreement. The TIA Act provides for an IPO to be issued for purposes in connection with:
investigation of an offence of a serious nature under the criminal law
monitoring of a person subject to a supervisory order (Part 5.3 supervisory orders)
the Australian Security Intelligence Organisation (ASIO) carrying out its functions.
Types of IPOs and authorised agencies
2.36
There are three types of IPO under the TIA Act:
2.37
The grounds (offences and/or relevant thresholds) upon which an IPO can be sought, the agencies able to apply for an IPO, to whom agencies must apply for approval for an IPO and the content of an IPO, vary according to the type and purpose of the IPO sought. The following summarises the agencies that may apply for an IPO.
Table 2.1: Agencies that may apply for an IPO
|
|
|
|
|
Type of Order: Interception
|
|
Investigating serious offences
|
Interception agency
|
Australian Federal Police (AFP), Australian Commission for Law Enforcement Integrity (ACLEI), Australian Criminal Intelligence Commission (ACIC), state police forces, certain crime commissions and anti-corruption bodies
|
|
Supervisory order monitoring
|
Part 5.3 IPO agency
|
AFP, ACLEI, ACIC
|
|
ASIO’s functions
|
ASIO
|
ASIO
|
|
Type of Order: Stored communications
|
|
Investigating serious offences
|
Criminal-law enforcement agency
|
AFP, state police forces, ACLEI, ACIC, Department of Home Affairs (in some instances), Australian Securities and Investments Commission (ASIC), Australian Competition and Consumer Commission (ACCC), certain crime commissions and anti-corruption bodies
|
|
Supervisory order monitoring
|
Part 5.3 IPO agency
|
AFP, ACLEI, ACIC
|
|
ASIO’s functions
|
ASIO
|
ASIO
|
|
Type of Order: Telecommunications data
|
|
Investigating serious offences
|
Enforcement agency
|
AFP, state police forces, ACLEI, ACIC, Department of Home Affairs (in some instances), ASIC, ACCC, certain crime commissions and anti-corruption bodies, New South Wales Department of Communities and Justice (subject to some limitations)
|
|
Supervisory order monitoring
|
Part 5.3 IPO agency
|
AFP, ACLEI, ACIC
|
|
ASIO’s functions
|
ASIO
|
ASIO
|
Source: TIA Act.
Reasons for which an IPO may be sought
2.38
Within each of the three types of IPOs, there are three sub-types—those relating to enforcement of the criminal law, supervisory orders, and national security. ASIO is the only agency able to apply for an IPO on the grounds of national security (see below).
Criminal offences for which an IPO may be sought
2.39
Under the TIA Act, the legal threshold for an IPO is that the information would be ‘likely to assist’ in connection with an investigation into a ‘serious offence’. As noted above, this is a lower threshold than the ‘probable cause’ threshold required for MLAT proceedings in the US. The TIA Act specifies two categories of ‘serious offences’, which apply to different types of Orders:
Serious category 1 offence means:
(a) an offence that is punishable by a maximum term of imprisonment of 3 years or more; or
(b) an offence that is punishable by imprisonment for life.
Serious category 2 offence means:
(a) a serious offence (see section 5D); or
(b) an offence that is punishable by a maximum term of imprisonment of 7 years or more; or
(c) an offence that is punishable by imprisonment for life.
2.40
The category of serious offence that may be investigated using the various types of IPOs are as follows:
interception—serious category 2 offence
stored communications—serious category 1 offence
telecommunications data—serious category 1 offence.
Interaction of the TIA Act and the CLOUD Act Agreement with regard to ASIO
2.41
With regard to the basis upon which ASIO would be able to obtain an IPO under the provisions of the CLOUD Act Agreement, the Attorney-General’s Department advised ASIO could apply for an IPO in connection with carrying out its functions, which under section 17 of the Australian Security Intelligence Organisation Act 1979 (ASIO Act) include ‘to obtain, correlate and evaluate intelligence relevant to “security”’. The definition of ‘security’ in section 4 of the ASIO Act would encompass activities that are also criminal offences attracting a term of imprisonment of at least three years and may be classified as Covered Offences for the purposes of seeking an IPO. The Attorney-General’s Department stated it was:
… anticipated that ASIO could use IPOs for matters relating to counter espionage, counter terrorism or counter foreign interference—all of which are serious crimes.
2.42
While ASIO, under the TIA Act, could apply for an IPO on the grounds of national security, the CLOUD Act Agreement requires an Order issued under the CLOUD Act Agreement relate to a Covered Offence. This would in effect, the Attorney-General’s Department confirmed:
… limit the purposes for which ASIO can apply for an Order under the Agreement [CLOUD Act Agreement] to the prevention, detection, investigation, or prosecution of matters that meet the definition of Covered Offence.
This limitation was included to ensure consistency across the purposes of all Orders invoking the Agreement by both Australia and the US.
Civil penalties under the TIA Act
2.43
The TIA Act deals with IPO compliance by communications providers and the extra-territorial application of civil penalty provisions. Clause 124 of Schedule 1 applies a civil penalty of 238 penalty units ($52,836) for failure to comply with an IPO to the extent to which the provider is capable of doing so. For a body corporate, the penalty can be not more than 200 times the pecuniary penalty specified in clause 124—47,600 penalty units ($10,567,200). The civil penalty provision is enforceable under Part 4 of the Regulatory Powers (Standard Provisions) Act 2014.
Protected information provisions
2.44
The TIA Act defines the following information as ‘protected information’:
(a) information obtained in accordance with an international production order; or
(b) information about any of the following:
(i) an application for an international production order;
(ii) the issue of an international production order;
(iii) the existence or non-existence of an international production order;
(iv) compliance or non-compliance with an international production order;
(v) the revocation of an international production order;
(vi) the cancellation of an international production order.
2.45
The TIA Act establishes a significant range of limitations on the disclosure of protected information—mostly allowing it only to be disclosed for the purposes of admitting it in evidence in a range of circumstances. The legislative framework provides authority for communications providers to disclose electronic data in accordance with legislation that prohibits disclosure.
2.46
Communications providers would be prevented from disclosing publicly they have received a specific IPO, the details of the specific IPO, or how they have responded to a specific IPO, except under very limited circumstances. Prescribed communications providers may disclose only the total number of IPOs given to the provider during a period of at least six months, providing the disclosure is aggregate statistical information. The information cannot be broken down by agency or in any other way.
Reporting requirements
2.47
Notwithstanding the protected information provisions, under the TIA Act, the Attorney-General is required to table in the Parliament an annual report on Australian agencies’ use of the IPO framework. These annual reporting requirements only relate to IPOs for enforcement of the criminal law and Part 5.3 supervisory orders; national security IPOs (issued on behalf of ASIO) would not be reported on publicly.
2.48
ASIO would however report on its use of IPOs to the Minister for Home Affairs as part of its annual report, but parts of the report laid before Parliament may be deleted to avoid prejudice to security, the defence of the Commonwealth, the conduct of the Commonwealth’s international affairs or the privacy of individuals. ASIO and its operations are subject to comprehensive oversight by the Inspector-General of Intelligence and Security. This oversight would extend to national security IPOs.
2.49
Under the TIA Act, ASIO is also required to report to the Attorney-General on each IPO relating to interception (national security) within three months. This report would not be published. It is notable that national security IPOs must be issued by a member of the Security Division of the Administrative Appeals Tribunal (AAT).
2.50
With regard to reporting on IPOs issued for enforcement of the criminal law and Part 5.3 supervisory orders, amongst other things, the statutory reporting requirements for relevant agencies require an annual report to the Minister that sets out, where one or more IPOs have been issued before the end of the financial year:
the number of occasions during the financial year on which protected information obtained in accordance with those Orders was shared with other relevant agencies
the number of arrests that were made during the financial year on the basis of protected information obtained in accordance with those Orders
the number of prosecutions where protected information obtained in accordance with those Orders was used in evidence during the financial year
the number of convictions during the financial year where protected information obtained in accordance with those Orders was used in evidence in the prosecutions that resulted in those convictions.
Key provisions in the CLOUD Act Agreement
Purpose of the CLOUD Act Agreement
2.51
In order to preserve an open internet, and whilst protecting privacy and civil liberties, the CLOUD Act Agreement is intended to resolve:
… potential conflicts of legal obligations when communications service providers are served with Legal Process from one Party for the production or preservation of electronic data, where those providers may also be subject to the laws of the other Party.
2.52
It does so by providing a means for each Party to obtain electronic data held within the jurisdiction of the other Party in a manner consistent with its own domestic legal framework, and the domestic legal framework of the other Party.
Key definitions
Types of ‘persons’
2.53
The term ‘person’ is used with different modifiers in the CLOUD Act Agreement.
Australian Person or US Person
2.54
An Australian Person or US Person under the CLOUD Act Agreement is defined for each country as being:
an unincorporated association with a substantial number of members who are citizens or permanent residents
a corporation incorporated within that jurisdiction.
Receiving Party Person
2.55
The definition for Receiving Party Person is a broader category and for the Receiving Party means:
any governmental entity (including federal, state, territory)
an unincorporated association with a substantial number of members who are citizens or permanent residents
a corporation incorporated within that jurisdiction
a person located in the territory.
Covered Person
2.56
A Covered Person means a ‘person’ reasonably believed not to be a Receiving Party Person. Orders for Covered Data can only target a Covered Person. Targeting procedures must be implemented to ensure good-faith reasonable efforts are employed to determine whether a person is a Covered Person (see below).
2.57
While Orders cannot be issued for data of a Receiving Party Person, the subject of an Order is not otherwise significantly limited. Providing the relevant thresholds are met in the TIA Act (‘likely to assist’ in connection with an investigation into a ‘serious offence’) and CLOUD Act Agreement (Covered Offence), Orders can be issued by Australia that target an account controlled by an individual, government entity, unincorporated association, or corporation of Australia or a third country.
Types of data
Covered Data
2.58
The following types of data when possessed or controlled by a private entity acting in its capacity as a Covered Provider are ‘Covered Data’:
content of electronic or wire communications
computer data stored or processed for a user
traffic data or metadata pertaining to an electronic or wire communication or the storage or processing of computer data for a user
Subscriber Information (includes name, address, length and type of service, subscriber number or identity, assigned network address, device identifiers, telephone connection records, records of session times and durations, means of payment).
Personal Data
2.59
Personal Data means information relating to an identified or identifiable individual.
Covered Provider
2.60
A Covered Provider is any private entity that:
provides to the public the ability to communicate, or process or store data, by means of a computer system or telecommunications system
processes or stores Covered Data on behalf of such an entity.
Covered Offence
2.61
Covered Offence is defined as conduct that, under the law of the Issuing Party, constitutes a ‘Serious Crime’. A Serious Crime is one where the maximum term of imprisonment is at least three years.
2.62
As discussed below, the Legal Process for preservation of Covered Data or for Subscriber Information need not relate to serious crime, only to the prevention, detection, investigation, or prosecution of ‘crime’.
Views of participants—Threshold for Covered Offence
2.63
As the CLOUD Act Agreement stands, authorities could potentially request access to data for offences where, according to Mr Andrew Ray, there is no clear risk of immediate harm or any resulting need for expedited access to data. He suggested instead a higher maximum penalty of seven years. For lower level offences, law enforcement and intelligence agencies could use the existing MLAT process. This, said Mr Andrew Ray, would provide Australian authorities with greater oversight on the use of Australian data by overseas agencies.
Domestic law requirements
2.64
Parties undertake to ensure domestic laws relating to the preservation, authentication, disclosure and production of electronic data permit Covered Providers to comply with Orders subject to the CLOUD Act Agreement.
2.65
Each Party is to advise the other of any material changes in its domestic laws that would ‘substantially frustrate or impair’ the operation of the CLOUD Act Agreement.
Views of participants—Reporting on legislative changes
2.66
The New South Wales Council for Civil Liberties (NSWCCL) and Australian Information Industry Association (AIIA) suggested the threshold of ‘substantially frustrate or impair’ for informing the other Party of a change to its domestic laws was high and subjective. While a Party may terminate the CLOUD Act Agreement upon receipt of such advice, they believed it was not certain this would protect Australia or Australians’ interests should the regulatory, political or cultural context evolve in the US. The organisations recommended each Party be required to provide a report to the other detailing all new, amended or repealed laws impacting on matters subject to the CLOUD Act Agreement.
Privacy and the protection of civil liberties
2.67
The domestic legal framework of the Issuing Party must protect ‘Personal Data’ received from a Covered Provider.
2.68
Subject to reasonable restrictions within each Party’s legal framework, the protections are to include the following with regard to Personal Data:
limiting use and disclosure to purposes not incompatible with the purpose for which it was obtained
limiting retention for only as long as necessary and appropriate
safeguards to protect against loss or accidental unauthorised access, disclosure, alteration or destruction
a framework for individuals to seek and obtain access to Personal Data concerning them, and to seek correction to Personal Data that is inaccurate, when appropriate
a framework to respond to complaints from individuals.
Views of participants—Potential undermining of Australian privacy protections
2.69
In their joint submission, the NSWCCL and AIIA argued despite wording in the CLOUD Act Agreement requiring domestic privacy protections, these would potentially be undermined. They stated the Australian Government would have little control or oversight of US executive and judicial decision-making in the process of issuing an Order. Without oversight, there could be little assurance privacy considerations had been taken into account.
2.70
The NSWCCL and AIIA stated requirements under the Privacy Act 1988 (Privacy Act) to obtain consent for the collection, use and disclosure of ‘sensitive information’ were not provided for under the CLOUD Act Agreement. The NSWCCL and AIIA were of the view once an Order was issued, the protections under the Privacy Act, specifically compliance with the 13 privacy principles, would be significantly eroded. They pointed to section 13D of the Privacy Act which states acts or practices done or engaged in outside Australia are not an interference with the privacy of an individual if required by an applicable law of a foreign country (subject to provisions dealing with credit reporting, tax file numbers, data matching, and regulations under the National Health Act 1953).
2.71
The organisations cited one example of lesser protections in the US: the US requirement only for a subpoena rather than a warrant to obtain the release of older emails. The issue of an Order from the US, according to the NSWCCL and AIIA, would likely be subject to a different privacy threshold and fewer protections than would occur in Australia for similar access. The organisations recommended baseline privacy protections be included in the CLOUD Act Agreement.
2.72
The NSWCCL and AIIA recommended the CLOUD Act Agreement incorporate a right for an individual to be notified of the existence of an Order, which should contain information on how an individual could lodge a complaint. However, appearing before the Committee, the NSWCCL acknowledged ‘it would not normally be appropriate for the individual who is the subject of the data to be given notice,’ but other arrangements might be made, for instance by giving advance notice to a service provider who might make representations in relation to the proposed Order or ensuring appropriate privacy authorities were aware of access requests.
2.73
The NSWCCL later clarified:
Individuals in Australia should be provided similar rights to individuals in the EU under the GDPR [General Data Protection Regulation]. The overriding premise is that an individual has a right to be informed when data about them is disclosed to a third party, with limited exceptions.
Restrictions on Orders
2.74
Under the CLOUD Act Agreement, Orders are subject to targeting restrictions, which means they are:
to be for the purpose of obtaining information relating to the prevention, detection, investigation, or prosecution of a Covered Offence
not to be used to infringe freedom of speech or for disadvantaging persons based on their race, sex, sexual orientation, religion, ethnic origin or political opinions
not to intentionally target a Receiving Party Person, and be made subject to targeting procedures
not to target a Covered Person if the purpose is to obtain information concerning a Receiving Party Person
to be targeted at specific accounts and identify a specific person, account, address, or personal device, or other specific identifier.
2.75
Further, Orders are not to be issued at the request of or to obtain information to provide to the Receiving Party or a third-party government.
General requirements of Orders
Compliance with domestic law
2.76
Orders must comply with the domestic law of the Issuing Party. They must be based on ‘requirements for a reasonable justification based on articulable and credible facts’, particularly, legality and severity regarding the conduct under investigation.
2.77
Under the TIA Act, an Order may be issued for the purpose of investigating serious offences if it is ‘likely to assist in connection with the investigation’ by the relevant agency.
Views of participants—Conflicts with state and territory surveillance devices laws
2.78
The NSWCCL and AIIA sought clarification on the compatibility of an Order with state and territory surveillance devices legislation. The organisations suggested a Covered Provider could breach these laws in certain circumstances. They called for clear guidance on the interface between state/territory surveillance devices laws, the TIA Act and the CLOUD Act Agreement, and for its scope to be limited to exclude data gathered using surveillance devices in breach of applicable state/territory laws.
Review or oversight
2.79
Orders are to be subject to review or oversight under the domestic law of the Issuing Party by a court, judge, magistrate, or other independent authority prior to, or in proceedings regarding, enforcement of the Order.
Views of participants—Concerns about ‘other independent authority’
2.80
Mr Henry Chen, a law student at the University of New South Wales, argued against members of the AAT (as ‘other independent authority’ and provided for under the TIA Act) being able to review and approve Orders for criminal investigations because this risked leaving Australia with a second-class system. He stated AAT members could be politically appointed and contrasted the requirements under EU law that required systematic and prior judicial authorisation for the issuing of investigative measures.
Requirements for certain Orders
Orders for interception
2.81
Orders for interception of wire or electronic communications are only to be issued if the same information could not reasonably be obtained by another less intrusive method. Where such Orders are issued, they are to be for a fixed, limited duration—not longer than is reasonably necessary to accomplish the approved purposes of the Order.
Preservation and Subscriber Information Orders
2.82
The CLOUD Act Agreement provides for the following Legal Processes, which are subject to a lower threshold than the serious crime threshold that applies to Orders for Covered Data:
preservation of Covered Data
preservation, disclosure, production, or authentication of Subscriber Information.
2.83
In such situations, the process must relate to the prevention, detection, investigation, or prosecution of a crime, and must be issued in compliance with and subject to review or oversight under the domestic law of the Issuing Party.
Issuing and transmitting Orders
2.84
The Issuing Party can issue Orders directly to a Covered Provider. This means Australian Orders can be issued directly to a US Covered Provider without advising or otherwise involving US authorities, and vice versa.
Designated authorities
2.85
Designated Authorities are to be established by each Party to perform various functions under the CLOUD Act Agreement. However, the Designated Authorities are able to mutually agree to delegate some of the functions to other government authorities. The Designated Authorities of the Parties may, by mutual decision, prescribe rules and conditions for any such delegated authorities.
Certification and notification requirements
2.86
Orders are to be transmitted by the Issuing Party’s Designated Authority, after the Designated Authority has reviewed the Order for compliance with the CLOUD Act Agreement.
2.87
The Designated Authority:
must include a written certification that the Order is lawful and complies with the CLOUD Act Agreement
must notify the Covered Provider that the Issuing Party is invoking the CLOUD Act Agreement with respect to the Order
must notify the Covered Provider of a point of contact at the Issuing Party’s Designated Authority who can provide information on legal or practical issues relating to the Order.
Responsibility to consider objections
2.88
A Covered Provider that receives an Order may raise specific objections with the Issuing Party’s Designated Authority if it has a reasonable belief the CLOUD Act Agreement may not be properly invoked with regard to the Order.
2.89
The Issuing Party’s Designated Authority is required to respond to any objections raised, and if these objections are not resolved, a Covered Provider may raise its objections with the Receiving Party’s Designated Authority.
2.90
The Designated Authorities may confer to resolve objections, and may also meet periodically to discuss and address any issues raised under the CLOUD Act Agreement.
Views of participants—Advance notice to Covered Providers
2.91
The NSWCCL and AIIA argued it would be difficult in practice for a Covered Provider to consider a challenge to an Order without incurring civil penalties for non-compliance with the Order timeline. The organisations suggested Covered Providers be given advance notice an Order would be issued and basic information as to the content of the Order.
Authority to set aside an Order
2.92
The Receiving Party’s Designated Authority may determine the CLOUD Act Agreement does not apply to an Order if it concludes the Agreement may not have been properly invoked with respect to any Order.
Transmission of Orders and receipt of Covered Data
2.93
Covered Providers, in response to an Order, are expected to provide Covered Data directly to the Issuing Party’s Designated Authority. The Designated Authority may make arrangements with Covered Providers for the secure transmission of Orders and Covered Data.
2.94
The Designated Authority may establish requirements as to the manner in which a Covered Provider responds to an Order, for instance, it may require the completion of forms that attest to the authenticity of the records produced, or the absence or non-existence of such records, and that the Order and information provided be kept confidential.
Targeting and minimisation procedures
2.95
Under the CLOUD Act Agreement, Parties are to develop their own targeting and minimisation procedures, and to adopt these procedures in consultation with, and subject to the approval of, the other Party. Parties are to seek the approval of the other Party for any changes in procedures.
2.96
As of September 2022, Australia had finalised its targeting and minimisation procedures, following consultations with the US. While Australia’s consultations with the US on its targeting and minimisation procedures have also concluded, the US procedures have yet to be finalised.
Views of participants—Oversight of targeting and minimisation procedures
2.97
The NSWCCL and AIIA argued the history of privacy complaints to the Office of the Australian Information Commissioner was evidence organisations did not always comply with their privacy obligations unless required to do so by the regulator. They criticised the lack of oversight or accountability for the targeting and minimisation procedures and called for the appointment of an independent public interest monitor (or similar). This position would have the ability to make applications and oppose the transfer of information on public interest grounds. In their view, it was a role the Australian Designated Authority could not undertake due to conflict of interest. The organisations also called for a complaints mechanism, in which the public interest monitor would have a role.
Targeting
2.98
The CLOUD Act Agreement requires Parties to develop procedures through which good-faith, reasonable efforts would be employed to establish an Account targeted by an Order was used or controlled by a Covered Person.
2.99
The reliance on the legal principles of ‘good faith’ and ‘reasonableness’, according to the Attorney-General’s Department, reflects the fact agencies able to seek an Order vary significantly—in terms of their size, the matters they investigate, the profile of their targets, and their powers and technical capabilities. The requirement for ‘good faith’ and ‘reasonable efforts’ means:
… it is not necessary to be absolutely certain about the identity or location of a target in order to comply with the targeting requirements in the Agreement [CLOUD Act Agreement]. For example, ‘reasonable’ efforts may involve each agency using their available resources and information to determine if there is any information available that they hold around the identity and location of a target. Australia and the US are both instituting oversight mechanisms to ensure requesting agencies comply with the Agreement and targeting procedures, including to assess their reasonableness.
Minimisation
2.100
The CLOUD Act Agreement recognises information on persons who are not Covered Persons may be acquired in response to an Order. Nevertheless, this information may be examined and provided to the other Party in certain circumstances (see below).
2.101
Australia and the US are required to adopt and implement procedures to minimise the acquisition, retention and dissemination of information concerning US Persons and Australian Persons respectively acquired pursuant to an Order.
2.102
The provision specifies the minimisation procedures apply to US Persons and Australian Persons respectively, not to other persons that are ‘Receiving Party Persons’.
2.103
The minimisation procedures would be consistent with the need of Parties to acquire, retain and disseminate Covered Data relating to the prevention, detection, investigation, or prosecution of a Covered Offence.
2.104
Minimisation procedures, the legal status of which is not clear, are to include rules that require a Party to segregate, seal, delete and not disseminate certain material. The definition of such material is imprecise:
… material found not to be information that is, or is necessary to understand or assess the importance of information that is, relevant to the prevention, detection, investigation, or prosecution of a Covered Offense, or necessary to protect against a threat of death or serious bodily harm to any person.
2.105
Rules included in the minimisation procedures would also require Parties to promptly review material collected pursuant to an Order, and store any unreviewed communications on a secure system accessible only to persons trained in applicable procedures.
Instances where information may be provided to the Receiving Party
2.106
Though the minimisation procedures are to include a provision stating Australia must not disseminate to the US content of a communication of a US Person acquired pursuant to an Order, the following exception is made:
… [where] the communication may be disseminated pursuant to the minimization procedures and relates to significant harm, or the threat thereof, to the United States or US Persons, including crimes involving national security such as terrorism, significant violent crime, child exploitation, transnational organized crime, or significant financial fraud.
2.107
No definition of ‘significant harm’ is provided in the CLOUD Act Agreement.
2.108
There is no provision in the CLOUD Act Agreement that provides for the US to provide information to Australia if the same circumstances arise, but equally there is not the same prohibition. The Attorney-General’s Department stated:
We don't have the same restrictions in our legislation. If there were the flipside example, where the US had appropriately used the targeting procedures but inadvertently captured Australian data, we would be comfortable with them sharing that information back with us if it related to a serious crime.
Limitations on the use and transfer of data
2.109
Any data acquired by the Issuing Party pursuant to Legal Process is to be treated in accordance with the Issuing Party’s domestic law, including privacy and freedom of information laws.
2.110
The Issuing Party cannot transfer data received pursuant to an Order to a third-party government or international organisation without first obtaining the consent of the Receiving Party, unless the data has already been made public in accordance with the Issuing Party’s domestic law.
2.111
The Attorney-General’s Department explained:
If covered data was to be made public in a manner consistent with the relevant domestic law, for example if it was used as evidence in a public court hearing, then that information would now be in the public domain and would no longer be considered covered data. This means that the data would no longer be subject to restriction under this [CLOUD Act] Agreement and would be able to be shared to a third-party country.
2.112
There are no requirements under the CLOUD Act Agreement for the Issuing Party to share any information produced pursuant to Legal Process with the Receiving Party or a third-party government.
Essential interests
2.113
Provisions in the CLOUD Act Agreement deal with sensitivities related to the death penalty in Australia and freedom of speech in the US. In effect, it provides for the Parties to specify how Covered Data may or may not be used by the courts in the other country in circumstances where:
the US as the Issuing Party receives data from a Covered Provider in Australia (Receiving Party), and Australia has declared its essential interests may be implicated by the introduction of such data as evidence in the prosecution’s case in the US for an offence for which the death penalty is sought
Australia as the Issuing Party receives data from a Covered Provider in the US (Receiving Party), and the US has declared its essential interests may be implicated by the introduction of such data as evidence in the prosecution’s case in Australia in a manner that raises freedom of speech concerns for the US.
2.114
If these circumstances arise, prior to using the data in a manner that may be contrary to the essential interests, the Issuing Party is required, via the Receiving Party’s Designated Authority, to obtain permission to do so. The Receiving Party may:
grant permission, subject to conditions that the Issuing Party must comply with
2.115
The essential interests clauses would not affect the issuing of an Order or the provision of Covered Data in response to an Order. The clauses would only be engaged if a Party sought to use the information in a manner that may be contrary to the essential interests. For instance:
Australia’s essential interests will only be engaged if the US seeks to use Australian data in the prosecution of an offence in which the death penalty is being sought, or to support or justify the detention of a current person, or a person nominated, or designated for, detention at Guantanamo Bay, Cuba.
2.116
If the Receiving Party does not grant approval, the Issuing Party cannot use the data it has received ‘pursuant to the Legal Process in that manner’.
2.117
There are three side letters that declare the essential interests of each Party and these are discussed below.
Other limitations on use
2.118
The CLOUD Act Agreement allows for other limitations on the use of Covered Data to be imposed where mutually agreed upon by the Parties.
Administrative arrangements and dispute resolution
Reviews
2.119
The CLOUD Act Agreement provides for a review process. The first review is to occur ‘within one year’ of the entry into force, then periodically thereafter, as mutually decided by the Parties. The process provides for a review of each Party’s compliance with the terms of the CLOUD Act Agreement, including the issuance and transmission of Orders and handling of data. Depending on the outcome of the review, the Parties may determine whether to modify procedures.
Dispute resolution
2.120
No disputes concerning the implementation of the CLOUD Act Agreement would be referred to any court, tribunal or third party—the Parties are to consult as necessary to resolve such issues.
Views of participants—Permissive framework and its implications for enforcement and dispute resolution
2.121
Concerns about the interface between the CLOUD Act Agreement’s permissive framework and verifying compliance were raised during the inquiry. Mr Henry Chen argued there was a risk situations would arise, particularly in relation to the US death penalty, where US compliance with procedures in the CLOUD Act Agreement could become a significant issue. He noted it was generally agreed any IPO treaty to which Australia is party should contain substantive protections for human rights, and this was even more important given the legislative framework provided by the TIA Act was ‘entirely permissive’—outgoing Orders are subject to Australian domestic legal protections, incoming Orders are not.
2.122
Mr Henry Chen stated notwithstanding the protections for human rights and non-discrimination in the CLOUD Act Agreement, the absence of a dispute resolution mechanism meant Australia had few binding remedies available if the US exceeded its powers. He wrote:
… if the United States targets Australians with data production orders, or improperly uses Australian data in a death penalty case, Australia’s only options will be to do nothing, or to terminate the treaty with one month’s notice and lose the benefit of the data production order regime.
2.123
While noting that the lack of a formal enforcement mechanism (or gate) on either side was a feature of the CLOUD Act Agreement, not a flaw, he further stated:
It's an international law instrument that explicitly excludes any ability for the US and Australia to enforce the mechanisms of the treaty. It's essentially just putting in place a document that sets out the procedures that should be followed, but, if those procedures are not followed, there isn't actually anything that can be done about that.
Reporting between Designated Authorities
2.124
To the extent it is consistent with operational or national security, the Designated Authorities are to issue annual reports to each other reflecting aggregate data concerning the use of the CLOUD Act Agreement.
2.125
The intent of the reporting provisions is, according to the Attorney-General’s Department, to assess each Party’s compliance with the CLOUD Act Agreement including the targeting and minimisation procedures, and to review the practical effectiveness of the Agreement.
2.126
Though it is not specified in the CLOUD Act Agreement itself, the Attorney-General’s Department stated:
The annual reports will identify specific instances where further details about an order will be required. Both parties will be able to request and provide additional information to the Designated Authority about information contained in the reports. Aggregate data is considered sufficient for this purpose.
2.127
In September 2022 the details of the reporting requirements between the Designated Authorities was still being finalised, however the Attorney-General’s Department expected it would be based on the reporting provisions in the TIA Act, with additional reporting on Australia’s compliance with the terms of the CLOUD Act Agreement, including targeting and minimisation procedures. The Attorney-General’s Department stated it expected to see equivalent reporting from the US Department of Justice to allow it to understand the full suite of Orders being given to Australian providers. This kind of detail would seem to be beyond that required under the terms of the CLOUD Act Agreement.
2.128
There is no requirement in the CLOUD Act Agreement for these reports to be published and the Attorney-General’s Department stated they would not be. Nevertheless, Covered Providers are not restricted under the CLOUD Act Agreement in the reporting of statistical information, consistent with applicable law (for Australia, the TIA Act), regarding any Legal Process received.
Views of participants—Annual reporting
2.129
The NSWCCL and AIIA called for more detailed annual reporting from the Designated Authorities. Mr Henry Chen suggested beefing-up the annual reporting obligations to provide more granular information could be one solution to the lack of a formal enforcement or dispute resolution mechanism in the CLOUD Act Agreement.
Costs
2.130
Each Party bears its own costs arising from the operation of the CLOUD Act Agreement.
Amendments
2.131
The CLOUD Act Agreement could be amended by written agreement of the Parties at any time, with any amendments entering into force on the date of the later diplomatic note confirming the necessary steps have been taken to bring the amendment into force.
2.132
For the US, any revision (amendment) would constitute a new agreement. For Australia, the NIA stated any future amendment would constitute a treaty action and be subject to Australia’s domestic treaty approval process, including consideration by this Committee.
Applicability
2.133
The CLOUD Act Agreement would apply to Legal Processes on or after the entry into force, regardless of when the offence at issue was committed.
Views of Participants—Opposition to retrospective application
2.134
The NSWCCL and AIIA highlighted Australia’s common law tradition that disapproved of retrospective criminal laws and recommended the CLOUD Act Agreement be varied so Orders could not be issued in relation to offences committed prior to the CLOUD Act Agreement coming into force.
Entry into force
2.135
The CLOUD Act Agreement would enter into force on the date of the later diplomatic note confirming the necessary steps have been taken to bring the Agreement into force.
Expiry and termination
2.136
The CLOUD Act Agreement would remain in force for five years, and the Parties may agree to its extension. Any extension would constitute a treaty action and be subject to Australia’s treaty-making process, including tabling in the Parliament and consideration by the Committee.
2.137
Other than through expiration, the CLOUD Act Agreement may be terminated by either Party sending a written notification through diplomatic channels. Termination would become effective one month after the date of notice.
2.138
Termination of the CLOUD Act Agreement by Australia would be subject to Australia’s treaty-making process, including tabling in the Parliament and consideration by the Committee.
2.139
If the CLOUD Act Agreement was terminated, the Agreement would continue to apply to any Orders already issued prior to the date on which the Agreement terminated or expired.
2.140
In the event of expiration or termination, any data provided to the Issuing Party could be used, and would remain subject to the provisions of the CLOUD Act Agreement.
Essential interests—side letters
2.141
Three side letters declare essential interests that, with the exception of the Guantanamo Bay side letter (see below), would enliven the requirements under article 9(4) to obtain permission to use data in a manner that is or could be contrary to the essential interests.
Australia side letter—death penalty
2.142
A side letter from Australia declares Australia’s essential interests may be implicated by the introduction of data as evidence for an offence for which the death penalty is sought. It specifies the US is to obtain permission from Australia’s Designated Authority prior to the use of any data in a manner that is or could be contrary to that essential interest.
US side letter—freedom of speech
2.143
A side letter from the US declares US essential interests may be implicated by the introduction of data as evidence in the prosecution’s case in a manner that raises freedom of speech concerns for the US. It specifies Australia’s Designated Authority is to obtain permission from the US Designated Authority prior to any use of the data in a manner that is or could be contrary to those essential interests.
2.144
The letter further states whether US essential interests are implicated would depend on the facts of the case so the Australian Designated Authority ‘should consult with and obtain permission’ from the US Designated Authority prior to introducing such data as evidence for any offence as to which conduct constituting any of the following is part of the basis for the offence charged:
advocating terrorism or genocide
membership of a terrorist organisation
associating with a terrorist organisation in the context of conduct that does not involve the provision of material support or resources
advocating or inciting violence in circumstances not involving imminent or actual harm
racial vilification or harassment
using a service to menace, harass or cause offence, in the context of both the making or publishing of statements
unauthorised disclosure of information in the context of activities that are journalistic in nature
failing to remove, or ceasing to host, abhorrent violent material
any other federal, state or territory offences analogous to the above categories, including those that relate to anticipatory offences.
2.145
The letter further identifies prosecutions for other offences that may also raise freedom of speech concerns for the US, depending on the facts of the case, such as prosecutions for conduct involving news gathering and publication, or public protest.
2.146
Consequent of the broad range of offences that may trigger US essential interests, the letter states Australia should thus consult with the US Designated Authority when Australian officials intend to introduce data received pursuant to Legal Process:
… as defined by the [CLOUD Act] Agreement, as evidence in the prosecution’s case in relation to an offense category not listed above and such officials have reason to believe, based on the context of the case and their understanding of US views—including Australia’s experience with US views expressed in the mutual legal assistance process— that the introduction of the data as evidence in the prosecution’s case may raise freedom of speech concerns for the United States.
2.147
The US reiterates that if there are freedom of speech concerns that cannot be resolved by the imposition of conditions, such data is not to be introduced as evidence in the prosecution’s case.
2.148
The US goes on to add prosecutions under Australia’s control order and extended supervision order regimes (this is one ground upon which an IPO may be obtained under the TIA Act—Part 5.3 supervisory orders) may implicate the same concerns and should be dealt with in the same manner.
2.149
The US concludes it may unilaterally supplement the categories of offences—whether existing at federal, state or territory level, or enacted in future.
US side letter—Guantanamo Bay
2.150
The US commits to inform Australia if it intends to invoke the CLOUD Act Agreement to target data for the purpose of obtaining evidence or information to support or justify the detention of a current detainee held under law-of-war detention at Guantanamo Bay, Cuba, or a person nominated for, or designated for, such detention at Guantanamo, or for the purpose of obtaining evidence for use in a proceeding before a military commission at Guantanamo.
2.151
The US also commits to inform Australia if the US Department of Defense intends to use data it knows was obtained pursuant to Legal Process in military commission proceedings, reviews of detention, proceedings regarding the Department of Defense authority to detain, or as intelligence in support of military detention operations at Guantanamo.
2.152
Australia is provided no authority to refuse permission for the use of data obtained for these purposes pursuant to Legal Process. The same side letter is included in the US-UK Agreement.
Implementation
2.153
The NIA stated there would be minimal regulatory impact or costs associated with implementation of the CLOUD Act Agreement.
Legislative amendments and new regulation
2.154
Schedule 1 of the TIA Act was inserted in 2021 to establish the IPO framework in anticipation of the CLOUD Act Agreement. As a consequence, according to the NIA, no further substantive legislative reform is required to implement the CLOUD Act Agreement. The TIA Act requires some minor procedural and regulatory changes. Some of these requirements have been completed, such as the issuing of the Statutory Requirements Certificate and receipt of assurance in relation to US death penalty offences.
2.155
The NIA stated the necessary laws and practices were in place to protect data obtained under the CLOUD Act Agreement (as required by article 3(4)), including privacy protections which are provided through the Privacy Act. As noted above, this was questioned by the NSWCCL and AIIA.
Designated authorities and other costs
2.156
The CLOUD Act Agreement specifies each Party would bear its own costs arising from the operation of the CLOUD Act Agreement. The cost of establishing the Designated Authority would be met from the budget of the Attorney-General’s Department. The costs accrued by requesting agencies obtaining Orders under the CLOUD Act Agreement would be borne by those agencies.
2.157
The RIS stated the 2021-22 Federal Budget provided additional resources to a range of Commonwealth agencies to ensure the effective implementation of the CLOUD Act Agreement, including to the AAT to support an expected increase in Orders being sought. The RIS anticipated the CLOUD Act Agreement would result in an increase in the number of criminal matters being prosecuted and additional resourcing was being provided to the Commonwealth Director of Public Prosecutions. The Office of the Commonwealth Ombudsman and Office of the Inspector-General of Intelligence and Security were receiving additional resourcing to oversee the framework’s operation.
2.158
The RIS stated a technical solution to manage the forecast large volume of outgoing Orders to the US had been designed.
Costs to Australian industry
2.159
The NIA stated there may be a small increase in the number of requests for the preservation and disclosure of electronic data as a consequence of the CLOUD Act Agreement, and this could result in additional costs to Australian industry. The NIA suggested Australian providers ‘will be able to work closely with the United States to recover these costs’, though it does not say how.
2.160
The RIS stated there may be a cost impact on Australian communications service providers should they challenge an Order made under the domestic legal framework of the US.
Consultation
2.161
The consultation details provided below relate to the negotiation of the CLOUD Act Agreement. Other consultation was undertaken during the preparation of Schedule 1 to the TIA Act, which was detailed in the RIS.
Government
2.162
Consultation occurred with a range of Australian Government departments and agencies, as well as state and territory governments, including ASIO, law enforcement agencies, and crime and corruption bodies.
Industry
2.163
The Department of Home Affairs stated it consulted with Telstra, Vodafone, Optus, TPG, NBN Co, Vocus and Fastmail. The Department said it made clear to the organisations they would be further engaged and guided as the CLOUD Act Agreement became operational and during the period it remained in operation.
Civil society
2.164
The Department of Home Affairs stated limited consultation was undertaken with civil society bodies during the development of Schedule 1 of the TIA Act and the CLOUD Act Agreement. The Department stated consultation was limited due to the confidential nature of international negotiations between governments.
Committee view
2.165
The current processes for obtaining data from US communications service providers under the MLAT process can be cumbersome and not necessarily suited to modern communications, data storage, and cloud computing. While the CLOUD Act Agreement would not replace this process, it would provide a parallel and more efficient alternative for Australian authorities dealing with matters relating to serious crime.
2.166
The Committee notes the legal authority for Orders would come from the TIA Act and acknowledges evidence from the Attorney-General’s Department that the IPO regime largely replicates the domestic process for obtaining warrants—the same thresholds and safeguards generally apply.
2.167
Given amendments to the TIA Act to provide for IPOs received substantive scrutiny at the time by the Parliamentary Joint Committee on Intelligence and Security, the Committee did not relitigate the provisions of the TIA Act.
2.168
As a consequence of the permissive framework established by the CLOUD Act Agreement, it is imperative that there be comprehensive reporting on Orders made pursuant to its provisions. The Committee notes there are extensive requirements in the TIA Act for reporting on Australian agencies’ use of IPOs and the data obtained through them.
2.169
However, consolidated reporting on Orders issued at the request of US authorities to Australian providers would only be exchanged between Designated Authorities, and even then, may not be disclosed in their entirety if operational or national security concerns are present. Reports of the Designated Authorities would not be made public.
2.170
While individual providers in Australia would be permitted to report on the aggregate number of Orders they may have received, this would not be centralised or coordinated.
2.171
The Committee did not receive any evidence that established why a consolidated report of incoming Orders could not be published if appropriately deidentified and aggregated. The Committee is of the view, that while needing to consider operational and national security, some level of transparency and oversight is necessary in an open and democratic society to ensure the public does not lose confidence in the work governments undertake on their behalf. This is particularly the case where issues of civil liberties, and especially privacy, potentially arise.
2.172
The Committee heard evidence from the Attorney-General’s Department the CLOUD Act Agreement was:
… an efficient privacy- and civil-liberties-protective approach to ensure effective access to electronic data that lies beyond a requesting country's reach due to the revolution in electronic communications ...
2.173
However, the Committee received evidence the Australian Government would have little control or oversight of US executive and judicial decision-making in the process of issuing an Order, and that certain requirements under the Privacy Act would not be operationalised under the CLOUD Act Agreement.
2.174
While the possibility of individuals being informed where an Order had been made for their data was discussed during the inquiry, the Committee is firmly of the view this would interfere with the ability of authorities to conduct investigations into serious crimes. The Committee notes Covered Providers are able to raise concerns if they reasonably believe the CLOUD Act Agreement may not have been properly invoked.
2.175
More broadly with regard to transparency, the Committee has often raised concerns about consultation during the negotiation of international agreements. The Department of Home Affairs stated consultation with civil society was limited due to the confidential nature of international negotiations between governments, though it is notable consultation with industry did occur.
2.176
In actual fact, the CLOUD Act Agreement reflects requirements in US legislation and closely resembles the US-UK Agreement signed in October 2019. Negotiations on Australia’s CLOUD Act Agreement began in October 2019.
2.177
As has been noted by the Committee previously, consultation should be timely, meaningful, and responsive. Such consultation is an important contribution to the transparency, fairness, and contestability that good democratic government process requires, even if it occurs on a confidential basis.
2.178
As a general observation, the Committee explored the issue of thresholds for IPOs and the interface with modern computing technologies. An IPO for interception under the TIA Act must be in relation to a serious category 2 offence, but for stored communications need only be in relation to a serious category 1 offence. In the contemporary computing environment, the difference between stored communications and interception would appear to be diminishing and to be almost imperceptible in some cases. The Committee notes ongoing policy work in this area and encourages a holistic examination of Australia’s laws in this context.
2.179
Notwithstanding some general concerns and issues discussed here, the Committee sees the CLOUD Act Agreement as an important tool for Australian agencies to combat the increasingly sophisticated tactics of criminals, in a way that is largely consistent with existing domestic requirements.
2.180
The Committee is of the view the CLOUD Act Agreement is in the national interest and recommends it be ratified.
2.181
The Committee supports the Agreement between the Government of Australia and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime and recommends that binding treaty action be taken.
Mr Josh Wilson MP
Chair
8 December 2022