The Attorney-General's Department has provided further information on Australia's pending Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (IPO Bill), specifically around granting foreign law enforcement bodies with data that could be used to condemn an individual to death.
"Australia maintains a long-standing, bipartisan policy of opposition to the death penalty, in all circumstances, for all people," the AGD wrote in a submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security (PJCIS).
"It is feasible that Australia may wish to make agreements with countries that retain the death penalty for certain serious offences. Accordingly, the Bill provides that the Minister cannot specify a DIA [Designated International Agreement] without a written assurance from the relevant partner country regarding restricting or excluding the use of Australian-sourced information in a proceeding relating to a foreign offence that is punishable by death."
The Australian government, under existing multinational law enforcement arrangements, has received written assurances that deal with how Australian-sourced information may be used by the foreign country in proceedings with prosecutions for death penalty offences, including for exculpatory purposes, and subject to any restrictions or conditions.
The approach to death penalty risks in the IPO Bill, AGD said, is broadly comparable with Australia's existing mutual legal assistance (MLA) arrangements concerning the death penalty at the prosecution stage.
"While the Bill provides the mechanism for international agreements to be designated by regulation (clause 3), before getting to this point agreements will be subject to considerable Parliamentary scrutiny through the treaty-making process," AGD wrote.
"It is appropriate that consideration about death penalty matters and the adequacy of any assurances received from the foreign government are considered during this process. Once this process is complete, the proposed agreement would be subject to regulation-making processes. Regulations which seek to prescribe a DIA for the purposes of the Bill will be legislative instruments and, accordingly, subject to the process of disallowance by members of Parliament."
Parts of the US still practise the death penalty and is a concern of the Australian Privacy Foundation, and many others, that local enforcement action could result in death to an offender elsewhere.
The IPO Bill is a precondition for Australia to obtain the proposed bilateral agreement with the United States in order to implement the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act).
The CLOUD Act creates a legal framework regulating how law enforcement can access data across borders.
The IPO Bill is intended to amend the Telecommunications (Interception and Access) Act 1979 (TIA Act) to create a framework for Australian agencies to gain access to stored telecommunications data from foreign designated communication providers in countries that have an agreement with Australia, and vice versa. It would also remove the ability for nominated Administrative Appeals Tribunal (AAT) members to issue certain warrants.
"The biggest advantage of the Bill will be the increased speed at which relevant data can be shared between crime cooperation partners," AGD wrote, noting this will be due to IPOs being given directly to the foreign Designated Communications Provider (DCP) rather than via the foreign government.
As other submissions have noted, currently, on average, it takes 10-12 months before an Australian agency receives electronic data for a criminal matter through the existing process, with some matters taking up to 18 months.
"Reasons for delays include the time needed to fulfil statutory requirements associated with MLA requests (such as each country's domestic legal requirements concerning search warrants, or requirements of the requesting country as to the form in which material must be provided by the requested country)," AGD added.
"These extended timeframes mean that the value of the information for the purposes of criminal investigations or prosecutions may be lost."
The proposed new IPO process will not replace the MLA process, rather, it would be complementary, AGD explained.
Rejecting claims to the contrary, AGD said the Bill contains a broad range of matters that must be considered before issuing an IPO, including the impact on the privacy of affected individuals, and any other matters which the authorised judge, magistrate, or AAT member considers relevant.
"This ensures that the rights of affected individuals are always considered, and that the decision to issue an IPO is independent from the functions of law enforcement agencies," it said.
The AGD clarified that information that may be accessed under interception and stored communications IPOs will include the content of communications, such as messages and voice calls, including those made over the internet such as via mobile applications, and related telecommunications data.
"Interception IPOs will compel a DCP to intercept live communications in transit whereas stored communications IPOs capture sent and received communications at rest and still held by the DCP," AGD said.
The Attorney-General will be required to consent to IPOs before an application is made to an AAT Security Division member. Under the Bill, it is proposed that prior to making an application to obtain an IPO for intercepted communications or disclosure of stored communications, ASIO would be required to first obtain AGD's consent to the application being made.
ASIO -- the Director-General or Deputy Director-General of Security, or an ASIO employee who is authorised in writing by the Director-General of Security -- would then apply to a nominated AAT Security Division member to issue the IPO.
"In order to give consent for an IPO request to be made to an AAT Security Division member, the Attorney-General would need to be satisfied that: There are reasonable grounds for suspecting that the individual who is being targeted through an IPO is engaged in, or is likely to engage in, activities prejudicial to security; the information that would likely be obtained from the IPO would be likely to assist ASIO in carrying out its function of obtaining intelligence relating to security," AGD wrote.
The United States Department of Justice has said there is nothing in Australia's Telecommunications (Interception and Access) Act 1979 (TIA Act) that would impede the countries coming to an agreement under the CLOUD Act.
"It is the view of the US Department of Justice that there is nothing in Australia's Assistance and Access Act that would preclude or prevent the conclusion of a CLOUD Act agreement between our governments," DOJ wrote in a submission [PDF] to the PJCIS.
Australia announced the commencement of formal negotiations for a bilateral agreement pursuant to the CLOUD Act in October.
If the agreement is finalised and approved, service providers in Australia and the US would be able to respond to lawful orders from the other country for access to electronic evidence.
A bilateral CLOUD Act agreement would enable Australian law enforcement to serve domestic orders for communications data needed to combat serious crime directly on US-based communications service providers through a legal process, rather than needing to go through the US government, and vice versa.
DOJ said CLOUD Act agreements may not prevent partner countries from addressing encryption requirements in their own domestic laws.
"The CLOUD Act requires that the agreements it authorises be 'encryption neutral'," DOJ wrote.
"The statute provides that CLOUD Act agreements 'shall not create any obligation that providers be capable of decrypting data or limitation that prevents providers from decrypting data'. This means that CLOUD Act agreements may not create any new requirement on service providers to decrypt communications, nor may CLOUD Act agreements prevent or limit service providers from assisting in decryption."
The department told the PJCIS such neutrality allows for encryption issues to be discussed and addressed separately among governments, companies, and other stakeholders pursuant to domestic law and policy.
It said addressing such requirements in domestic law does not affect a country's eligibility for a CLOUD Act agreement.
"We hope that we can continue to make progress despite the strained circumstances caused by the COVID-19 pandemic," the submission stated.