New Bill to prepare Australian law enforcement for the US CLOUD Act

The Australian government has on Thursday introduced a Bill into Parliament that would prepare the nation for accessing the US Clarifying Lawful Overseas Use of Data Act (the CLOUD Act).

The CLOUD Act creates a legal framework regulating how law enforcement can access data across borders.  

The Telecommunications Legislation Amendment (International Production Orders) Bill 2020 [PDF] would amend the Telecommunications (Interception and Access) Act 1979 (TIA Act) to establish a new framework that seeks to assist Australia's international crime cooperation efforts by "improving Australian agencies' access to overseas communications data for law enforcement and national security purposes".

Free PDF

Australia’s encryption laws: An insider’s guide

Australia now has world-first encryption laws. This guide explains what the laws can do, what they cannot do, and how Australia ended up here.

Read now

Under the proposed amendment, providers in Australia and the US would be able to respond to lawful orders from the other country for access to "electronic evidence".

It also puts Australian in position to enter into a bilateral CLOUD Act agreement, which would enable Australian law enforcement to serve domestic orders for communications data needed to combat serious crime directly on US-based companies, and vice versa.

"The global connectivity of the internet means evidence once stored in Australia and available under a domestic warrant is now distributed over many different services, in different countries," Home Affairs Minister Peter Dutton said.

"Investigations of serious crimes such as terrorism and child exploitation are too important to be stalled, or even derailed, by outdated, cumbersome processes when evidence includes communication data held in a different country."

The Bill also proposes three International Production Orders (IPOs) to allow Commonwealth, state and territory law enforcement, and national security agencies to "more efficiently acquire data held in a foreign country by a designated communications provider".

"Almost every crime type and national security concern has an online element -- agencies require electronic information and communications data not only for cyber investigations but also for investigations and prosecutions regarding violent crimes, human trafficking and people smuggling, drug trafficking, financial crimes, terrorism, and child sexual abuse," the Bill's explanatory memorandum [PDF] states.

"The exponential rise of global connectivity and reliance on cloud computing means that intelligence and evidence that was once stored within Australia and available under a domestic warrant or authorisation is now distributed over different services, providers, locations and jurisdictions, and is often only obtainable through international cooperation."

The document touts the Bill as providing the legislative framework for Australia to give effect to future bilateral and multilateral agreements for cross-border access to electronic information and communications data.

It is also reciprocal, with Australia looking to deal with "like-minded foreign governments" for cross-border access to communications data.

"It is anticipated that these agreements would allow law enforcement and national security agencies in each participating country to issue orders, through a competent authority, for the production of data directed to communications and technology companies in the other country's jurisdiction," the document explains.

"These agreements would significantly reduce the time it currently takes to acquire communications data that is vital to law enforcement and security efforts."

Schedule one of the Bill would introduce a regime for Australian agencies to obtain independently-authorised international production orders for interception, stored communications, and telecommunications data directly to designated communications providers in foreign countries with which Australia has a designated international agreement.

International production orders could also be sought by agencies under an amended TIA Act through a warrant; by law enforcement agencies for the purposes of investigating a serious criminal offence or monitoring a person subject to a control order; or by the Australian Security Intelligence Organisation (ASIO) for the purpose of it carrying out its functions.

"The United States, where many of the world's biggest communication providers are based, paved the way for much more efficient international crime cooperation with the CLOUD Act," Dutton said.

"A CLOUD Act agreement with the United States will significantly benefit our law enforcement and national security agencies by allowing orders for communication data to be directed at those providers, with robust privacy and civil liberty protections.

"There will be no trade-off of Australia's existing privacy and civil liberty protections to achieve this most welcome boost to our agencies' ability to keep Australians safe."  

The establishment of an Australian Designated Authority (ADA) to review international production orders for compliance would also occur under the Bill, with the ADA to act as an intermediary between Australian law enforcement and national security agencies and designated communications providers, including giving international production orders to designated communications providers and, in some cases, receiving data back from designated communications providers pursuant to international production orders.

The Schedule, however, does not place any obligations on Australian communications providers under Australian law to respond to incoming requests for information from foreign countries.

"Designated communications providers will be required to comply with international production orders to the extent they are capable of doing so, and subject to the provider meeting a particular enforcement threshold," the document explains.

An "appropriate enforcement mechanism" with civil penalties would also be established.

The Bill would also make consequential amendments to the Freedom of Information Act 1982, International Criminal Court Act 2002, Law Enforcement Integrity Commissioner Act 2006 and Mutual Assistance in Criminal Matters Act 1987, and would need to adhere to provisions already within the Privacy Act 1988.

Updated at 12:35 pm AEST, 4 March 2020: added comments from Home Affairs Minister Peter Dutton.  

RELATED COVERAGE

• AFP vows to damage tech giant reputations if found obstructing law enforcement
• ASIO: Relentless advance of technology was outstripping our capabilities
• Home Affairs report reveals deeper problems with Australia's encryption laws
• Terrorism, espionage, and cyber: ASIO's omne trium perfectum
• Dutton's non-denial fuels fears of domestic ASD cyber spying
• The pointless puppetry of national security's parliamentary processes
• Law enforcement leaning on Austrac as legislation 'lags' behind technology