Part of a ZDNet Special Feature: Coronavirus: Business and technology in a pandemic

Home Affairs says US CLOUD Act will not be able to penetrate Hunt COVIDSafe directive

Secretary of Home Affairs Mike Pezzullo says COVIDSafe data has some of the most complete legal protections he has seen in his career.


Secretary of Home Affairs Mike Pezzullo has batted away concerns that American authorities would be able to access data saved in the COVIDSafe app's National Data Store under the provisions of the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) via the proposed International Production Orders Bill.

Pezzullo told the Senate Select Committee on COVID-19 that he was "very confident" that the supremacy of Australian law would win for data stored on shore.

"In the negotiations generally, that we've undertaken with the US Department of Justice before COVID ever came on the scene, that there would be no clash of law -- that our laws would prevail, as would American laws in relation to data stored in America," he said.

"We have advice on how the CLOUD Act is intended to operate. Remembering that we haven't legislated for it here, but we know the proposition that we've put to Parliament that would cover not just the COVID matter, but would cover all conceivable circumstances in relation to data stored in Australia."

The secretary said the privacy protections in the direction of the Health Minister Greg Hunt -- which were translated into legislation released on Tuesday -- were "absolutely binding" on all officials.

"No purported direction request access instrument would be able to penetrate his absolute direction under the biosecurity determination that he's made, and then once the Parliament sees fit to legislate more generally for [the CLOUD Act], that same level of protection will be applicable," Pezzullo said.

"Not only in relation to [the CLOUD Act] down the track, because that's still before Parliament, but in relation to any domestic legislation that is put in place prior to that in relation to the app itself."


Pezzullo also told the committee that locally, the agencies sitting underneath his department -- such as the Australian Federal Police, Australian Criminal Intelligence Commission, Australian Transaction Reports and Analysis Centre, Border Force, and Australian Security Intelligence Organisation -- would not be able to access data generated by the app.

"It will be contrary to the law," Pezzullo said on Tuesday.

"Having consulted closely with our colleagues in the Attorney General's Department on precisely this question ... It's one of the most complete protections, if not the most complete protection, that shields from usage -- even for security purposes -- of any technology application, I've ever seen in my career, ever."

Responding to a question on notice from the committee on Tuesday, Home Affairs revealed it had spent over AU$416,000 on procurement of an "early 'conceptual prototype' design" of COVIDSafe across a 10-day period. That figure consisted of over AU$220,000 to Boston Consulting Group, almost AU$165,000 to Amazon Web Services, and over AU$31,000 to CTO Group.

All procurement was from standing arrangements via Digital Transformation Agency (DTA) or Treasury.

Pezzullo told the committee his department was looking at coronavirus responses from around the world when the DTA came knocking.

"The digital technology agency [sic] on the 23rd of March ... said, 'We don't have the capacity at this stage to look into this, we're working on the earlier app, the information app, not the tracing app, would you mind having a look at it?' We were very happy to help out," he said.


The work of Home Affairs was subsequently handed across to the DTA on April 3, along with all prototype designs and other relevant information, after which Home Affairs had no involvement. Pezzullo said Home Affairs did not hand across any AWS procurement, and the selection of AWS for the app's infrastructure was made by the DTA.

"It made sense because it's a technology application for other than border or security purposes, it's a public health tracing application and we have no need for it," Pezzullo said.

In his opening remarks, Pezzullo revealed that 1,300 new Australians have been able to become citizens online since the end of March.

The proposed legislation released on Tuesday also contained offences that could result in imprisonment for five years or 300 penalty units -- at AU$210 per unit, potentially AU$63,000 -- or both.

The collection, use, or disclosure of COVIDSafe data is permitted if the person is employed by, or in the service of, a state or territory health authority, and the data is to be used only to the extent required for the purpose of undertaking contact tracing.

At the time of writing, Australia was closing in on 5 million registrations of the COVIDSafe app.