The Department of Home Affairs on Thursday faced the Parliamentary Joint Committee on Intelligence and Security (PJCIS) as part of the committee's review of Australia's pending international production orders regime, which will essentially create a framework for Australian agencies to gain access to stored telecommunications data from foreign designated communication providers in countries that have an agreement with Australia, and vice versa.
The Bill is a precondition for Australia to obtain a proposed bilateral agreement with the United States in order to implement the US Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), but Home Affairs told PJCIS it expects the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (IPO Bill) to benefit Australia more than the United States.
"We get a lot of benefit out of this agreement because of, in the case of the United States, where they store a lot of data, Australia doesn't have those same over the top communications providers, so we expect very, very few requests will travel under this agreement the other way, but it is a reciprocal agreement and it does provide for the ability to do so," Home Affairs national security policy branch assistant secretary Andrew Warnes said.
"We have an expectation as we enter these agreements that we will have visibility of the numbers of requests that are coming to Australia, noting that we expect those numbers to be incredibly, incredibly low."
To that point, Warnes said there would not be any authority in Australia tracking incoming orders from the US to communications providers.
He also rejected the idea that service providers should be consulted before an IPO is provided.
"We're not seeking to slow this process down for additional consultation," Warnes added.
While the IPO Bill is intended to allow Australia to have agreements with countries other than the United States, there are no current plans to ink similar arrangements elsewhere.
"The only other process I'd point to … would be the Budapest convention, which deals ... in cross-border access to data," Warnes said.
"There is no priority list. The US is our number one priority and for obvious reasons, that it is the data storer for a large part of the world, when you're talking about Facebook, Apple, Google, among others … by the time we get that agreement in place, we will consider what other ones might be a priority."
Throughout the hearing, Home Affairs was far from forthcoming in providing information to the PJCIS, and committee members asked representatives the same question more than once. One such instance concerned whether Australia was going to seek a similar arrangement with the United Kingdom, considering the UK and the US have already made arrangements between themselves for a similar scheme.
"[The UK and Australia] are both going to end up having implemented agreements and there may be potential in the future but there is nothing official at all in terms of any discussion nor anything planned," Warnes said.
The department was asked what would be included in the agreement with the US, specifically if an agreement has been drafted.
"The negotiations are confidential and there is no plan to release a draft, but what I can say … is the United Kingdom agreement is public and I wouldn't expect that our agreement would be exactly the same in every way, but I think I can say, given the requirements of the CLOUD Act statute of which the agreements are being negotiated, you can expect to see very similar provisions," Warnes said.
IGIS RECOMMENDATIONS DISMISSED
The department rejected the idea that the "quite simple" improvements to the Bill put forward by the Inspector-General of Intelligence and Security (IGIS) had not been included in the drafting of the legislation.
Rather, Warnes said that after consultation between Home Affairs and Inspector-General Margaret Stone, "quite a number of changes" were then made.
"We don't always agree. We give IGIS's views quite considerable weight in developing legislation and try to accommodate as many of the IGIS's concerns … and we'll continue to do so," he said.
Home Affairs was asked to go through IGIS's submission and provide a written response to everything Stone had listed.
PJCIS said it was baffled as to why Home Affairs had not taken into consideration a number of issues that IGIS and other entities responding to the committee had raised when drafting the IPO Bill. As a result, Home Affairs was also asked to provide a written explanation as to why it seems to have drafted the IPO Bill without doing so.
LESSER PROTECTION FOR JOURNALISTS
Unlike the current domestic regime for access to telecommunications data, the IPO scheme does not include any specific protections for journalists.
The committee asked Home Affairs why an Australian journalist whose telecommunications data is held by a US carrier should have fewer protections than an Australian journalist whose telecommunications data is held in Australia.
"I wouldn't characterise it as they have less protections, in actual fact under this regime, there's no longer the ability to internally authorise under the TIA Act where we carved out the space for Journalist Information Warrants -- now all requests for metadata have to be done under this regime at a higher level of authorisation," Warnes said.
"Those protections in terms of the authorisation remain the same as in the Journalist Information Warrant, they all have to be authorised by an independent person whether that be the judge or the AAT member."
Home Affairs was reminded that a journalist information warrant is a very specific one and that it is in fact not replicated in the IPO Bill.
"It is not replicated, what is changed and replicated is that authorisation process has been lifted up … which is not the case in the general telecommunications authorisation process under the TIA Act," Warnes said.
The IPO Bill also has no public interest advocate, unlike the journalist information warrant scheme. The protection available to journalists in the TIA Act includes additional criteria to be considered for journalist information warrants that are not seen in the IPO scheme. The committee said it was not the same level of protection, and asked the department a further two times why there are fewer protections internationally than domestically.
"The authorisation process we've put in place have lifted it up to the same level of authorisation," Warnes said.
"I don't think I have anything else to add other than the fact that we have sought to change the regime to match the authorisation process within the Journalist Information Warrants regime and that will apply to the data of all Australians."
Home Affairs then opted to take the answer on notice.
NEW GUIDELINES FOR AUSTRALIA'S SPY AGENCY
The IGIS made the point in its submission to the PJCIS that the guidelines the Australian Security Intelligence Organisation (ASIO) follows when performing its duties have not been updated or revised in over 10 years, despite huge changes in technology and statutory powers.
The committee had asked ASIO earlier on Thursday why it was operating under such archaic guidelines.
"We have done a review and taken a look at the guidelines, they are now with the Department of Home Affairs who are in coordination or consultation with the Attorney-General's Department … given it's kind of left the building, if you like, that might be a question that you could get an update from them," ASIO Deputy Director-General of Enterprise Service Delivery Peter Vickery said.
"Under the new guidelines as currently drafted, there is an explicit stipulation that they be reviewed after a three-year period, so hopefully we wouldn't end up in a situation again where we're looking at 10 years hence before anybody looks at it again."
Home Affairs was asked where the guidelines were up to.
"It's the very nature of how important they are which has meant we've been reviewing them for some time and going through quite a deal of consultation with both ASIO and IGIS to make sure we get them absolutely right," Home Affairs said.
"That process is very nearing its conclusion, we're hopeful that we will see revised guidelines in the near future."
The department said it couldn't provide a tighter estimate, despite the committee asking they be in place before the Australian Security Intelligence Organisation Bill 2020 goes before Parliament.