Put privacy protections in IPO agreements if Australia hands data to other nations: OAIC

Should an agreement between Australia and a nation without similar privacy protections be struck under the IPO Bill, the OAIC wants clauses added to bring the lagging nation forward.

The Office of the Australian Information Commissioner (OAIC) has said in a submission to the Parliamentary Joint Committee on Intelligence and Security that Australia should add provisions to agreements struck with other nations whose privacy protections are lagging to ensure data is handled in a similar fashion to Australia's privacy principles.

The Telecommunications Legislation Amendment (International Production Orders) Bill 2020 is intended to amend the Telecommunications (Interception and Access) Act 1979 (TIA Act) to create a framework for Australian agencies to gain access to stored telecommunications data from foreign designated communication providers in countries that have an agreement with Australia, and vice versa.

The Bill is a precondition for Australia to obtain a proposed bilateral agreement with the United States in order to implement the US Clarifying Lawful Overseas Use of Data Act (the CLOUD Act).

"As we understand it, the Bill does not prohibit the Australian government from entering into designated international agreements with foreign countries that do not have, or have less robust, privacy regimes than Australia," the OAIC said.

"The wide range of data that could potentially be accessed under an IPO can provide a rich and detailed picture of an individuals' location, habits, associations, beliefs and preferences, with detail increasing commensurately with the volume of data collected and the methods used to process it."

Consequently, the OAIC recommended that information disclosed by Australian companies be "appropriately protected".

"The Bill should require that, in relation to foreign countries which do not have privacy protections equivalent to the Privacy Act, designated international agreements contain provisions which afford comparable privacy safeguards," its submission said.

"The OAIC also recommends that the permitted use, recording and disclosure of protected information for the purposes of an investigation under the Privacy Act (subsection 153(1)(r) of the Bill) be expanded to include preliminary inquiries and complaint resolution processes, compliance with the Notifiable Data Breach scheme and the OAIC's assessment functions."

The Office also said any international agreements should include a mechanism for foreign entities to notify the Commonwealth of a suspected data breach when Australian information accessed under an international agreement is involved.

At a hearing in May, the Department of Home Affairs said Australia would get more out of a deal with the United States than vice versa, and that the US was its only priority as it is home to the likes of Facebook, Apple, and Google.

"We get a lot of benefit out of this agreement because of, in the case of the United States, where they store a lot of data, Australia doesn't have those same over the top communications providers, so we expect very, very few requests will travel under this agreement the other way, but it is a reciprocal agreement and it does provide for the ability to do so," Home Affairs national security policy branch assistant secretary Andrew Warnes said.

"We have an expectation as we enter these agreements that we will have visibility of the numbers of requests that are coming to Australia, noting that we expect those numbers to be incredibly, incredibly low."

Warnes said there would not be any authority in Australia tracking incoming orders from the US to communications providers.

He also rejected the idea that service providers should be consulted before an IPO is provided.

That same month, the Australian Federal Police said it had made 98 telco data requests to the US since 2014, and said the nature of the current process actively discouraged its use.

Of the 98 requests, 29 were related to drug offenses, 26 to terrorism offenses, 24 to child sex offending, 11 to money laundering, four to foreign bribery, three to human trafficking, and one was described as a "range of serious, unspecified offenses".
