US and Australia enter CLOUD Act agreement for cross-border access to electronic evidence

Australia and the United States have entered into a landmark CLOUD Act agreement to bolster efforts in preventing serious organised crime, terrorism, ransomware attacks, critical infrastructure sabotage, and child sexual abuse.

The Clarifying Lawful Overseas Use of Data Act, known as the CLOUD Act, is a US legal instrument that allows for law enforcement to access data across borders.

"Signing the CLOUD Act Agreement will enable our two nations' law enforcement agencies to share important digital information and data with each other, under carefully defined legal authorities and safeguards," said Karen Andrews, Australia's Minister of Home Affairs.

Through the bilateral agreement, Australia's law enforcement agencies gain the ability to issue orders compelling US service providers to provide communications data for the purposes of combatting serious crime directly on US-based companies, and vice versa.

Previously, Australian law enforcement agencies could only rely on mechanisms such as mutual legal assistance agreements to access crucial evidence from other countries, which have been flagged as complex and time-consuming by Home Affairs.

It's the second CLOUD Act agreement to come into force, after a similar one was finalised between the UK and US in 2019.

"This agreement paves the way for more efficient cross-border transfers of data between the United States and Australia so that our governments can more effectively counter serious crime, including terrorism, while adhering to the privacy and civil liberties values that we both share," said US Attorney-General Merrick Garland.

Australia and the US have been working on an agreement since 2019, but Australia needed to implement other legislation over the past two years in order to establish the required framework for a CLOUD Act agreement to exist. Over that span, the Australian government has faced scrutiny over its push for a CLOUD Act agreement, with privacy advocates like Australian Privacy Foundation saying such an agreement "conflated bureaucratic convenience with what is imperative".

The CLOUD Act agreement comes off the heels of Australia announcing various initiatives in recent months to prevent crime. In December alone, Australia has announced the Online Safety Youth Advisory Council, passed "Magnitsky-style" and Critical Infrastructure cyber attack laws, commenced work on electronic surveillance law reforms, and proposed anti-trolling laws. The Australian government also started work on a new ransomware plan back in October.

While some of those initiatives have drawn praise, others have drawn criticism for being rush jobs and lacking nuance.  

The bilateral agreement will now undergo parliamentary and congressional review processes in both countries before it is finalised.

Related Coverage

• Australian Privacy Foundation labels CLOUD Act-readying Bill as 'deeply flawed'
• Critics label data-sharing Bill as 'eroding privacy in favour of bureaucratic convenience'
  
• Tech giants, telcos and Digital Rights Watch want clarity on monitoring requirements for online violent abhorrent content
  
• AI bias and discrimination aplenty: Australian Greens want Online Safety Bill repealed