Australia inches closer to compelling access to US data under CLOUD Act

If finalised, the agreement will mean service providers in the United States can respond directly to electronic data requests issued by Australian enforcement agencies for data critical for the 'prevention, detection, investigation, and prosecution of serious crime'.

The United States and Australia have entered into formal negotiations for a bilateral agreement under the U.S. Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), with US Attorney General William Barr and Minister for Home Affairs Peter Dutton calling the move the first step towards "significantly boosting law enforcement cooperation", with "strong protections for rule of law, privacy, and civil liberties".


The CLOUD Act creates a legal framework regulating how law enforcement can access data across borders.

If the agreement is finalised and approved, service providers in Australia and the US will be able to respond to lawful orders from the other country for access to "electronic evidence".

A bilateral CLOUD Act agreement would enable Australian law enforcement to serve domestic orders for communications data needed to combat serious crime directly on US-based companies, and vice versa.


Barr said the agreement will create a process for providing access without fear of "running afoul of restrictions on disclosure, and thus provide more access for both countries to providers holding electronic evidence that is crucial in today's investigations and prosecutions".

"The CLOUD Act was created to permit our close foreign partners who have robust protections for privacy and civil liberties, such as Australia, to enter into executive agreements with the United States," Barr said. 

"The United States looks forward to working with the Australian government on this agreement, which will enhance each country's ability to fight crime by allowing faster access to data needed for quick-moving investigations. By increasing the effectiveness of investigations and prosecutions of serious crime, including terrorism, in both countries, citizens of both countries will be safer."

Dutton, meanwhile, touted the move towards an agreement as one that will help Australia's efforts in the "prevention, detection, investigation, and prosecution of serious crime", a justification similar to the one given for the introduction of Australia's encryption legislation.

"Current processes for obtaining electronic information held by service providers in other countries risk loss of evidence and unacceptable delays to criminal justice outcomes," he said.

"When police are investigating a terrorist plot or serious crime such as child exploitation, they need to be able to move forward without delay, but within the law -- and the CLOUD Act strikes exactly that balance."

Highlighting concerns to the Parliamentary Joint Committee on Intelligence and Security's encryption law review in July, the Law Council of Australia said the country's encryption laws were unlikely to be compatible with the CLOUD Act, as well as the European Union's General Data Protection Regulation.

The Law Council said at the time that Australian law enforcement would have to continue seeking data through the slower mutual legal assistance treaties (MLAT), rather than via the expedited service the CLOUD Act would offer.

"The Law Council considers that the current law in Australia as it relates to storing and accessing telecommunications data will be insufficient to allow Australia to qualify for entry into an 'executive agreement' with the US," the Council said.

If a bilateral agreement can be agreed upon, the CLOUD Act would provide an alternative expedited framework for obtaining the data in comparison to the MLA process. Barr's department says the CLOUD Act addresses delays in the MLA process by providing a new route for trusted partner countries to obtain electronic data.


The Law Council's reasoning in July was that Australia fell foul of the need for orders to US companies to be "specific and identify the relevant individual, account, address or personal device or another specific identifier", as well as the fact that US companies cannot be compelled to break US law.

"In this context, the requirements under the Assistance and Access Act and the CLOUD Act clearly differ, as the US law does not allow for the mandating of the decryption of data as is now permitted under Australian law," it said.

The Council also said irrespective of the amendments introduced by the Assistance and Access Act in Australia, the provisions of the CLOUD Act would not allow US service providers to provide technical assistance beyond their existing obligations under the Communications Assistance for Law Enforcement Act.

"Therefore, even under the existing MLAT scheme a US service provider could not be compelled to comply with a TCN or a TAN issued under the Assistance and Access Act," it added.
