On 15 December 2021, the Minister for Home Affairs, the Hon Karen Andrews MP, and the US Attorney General, Merrick Garland, signed the Agreement between the Government of Australia and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime (commonly referred to as the Australia-US CLOUD Act Agreement).
The Australian Government is committed to ensuring our law enforcement and national security agencies have appropriate tools to keep pace with modern technology as it evolves.
As part of this commitment, the Telecommunications Legislation Amendment (International Production Orders) Act 2021 (IPO Act) was passed by Parliament on 24 June 2021. This legislation established the new international production orders (IPO) framework under the Telecommunications (Interception and Access) Act 1979 (TIA Act). This enables Commonwealth, state and territory agencies to seek data, via the Australian Designated Authority, from communications service providers in foreign countries with which Australia has a designated agreement.
The Australia-US CLOUD Act Agreement is the first agreement that will be designated under the IPO framework. It will now be reviewed by the Australian Parliament and the US Congress before it enters into force, anticipated to be by the end of 2022.
The IPO Act and the Australia-US CLOUD Act Agreement will enable Australian law enforcement and national security agencies to send international production orders directly to communications service providers in the US seeking the disclosure of electronic data, without those orders needing to be separately authorised by US government agencies and courts. This will enhance the effectiveness of Australian investigations and prosecutions of serious crimes.
Background
Communications platforms and services based overseas are often used to commit a range of serious crimes, such as terrorism, child sexual abuse, and cybercrime. This means that electronic data relating to serious crimes, once traditionally available in Australia, is now held in foreign jurisdictions and subject to foreign laws.
International crime cooperation continues to be the key mechanism that Australian agencies use to obtain electronic data from foreign jurisdictions. However, current processes for obtaining electronic data held by service providers in other countries can be challenging, particularly in light of the increasing demand for electronic data by law enforcement investigations worldwide. Not being able to access this information in a timely manner significantly undermines efforts by Australian law enforcement and national security agencies. This can jeopardise criminal justice outcomes.
US CLOUD Act
In March 2018, the US Congress passed the Clarifying Lawful Overseas Use of Data Act, or “CLOUD Act”, to improve procedures for both foreign and US investigators to obtain access to vital electronic information held by service providers. The CLOUD Act permits the US to enter into agreements with foreign partners that allow their authorities to obtain critical electronic data from communications providers in the other country. More information about the US CLOUD Act is in this White Paper prepared by the US Department of Justice.
Australia’s IPO framework
Schedule 1 to the TIA Act creates the IPO framework, a domestic legal framework for Australian agencies to request certain types of electronic data directly from communications service providers in a foreign country with which Australia has an agreement. Schedule 1 also lifts statutory bars to enable Australian providers to respond to incoming requests from foreign countries with which Australia has an agreement. The IPO framework also establishes minimum requirements for Australia entering into international agreements under the TIA Act.
Law enforcement access to data under this Agreement
The Australia-US CLOUD Act Agreement sets out the specific framework for transmitting and receiving requests for electronic data between Australia and the US. The Australia-US CLOUD Act Agreement requires each country to lift restrictions that would otherwise inhibit their domestic providers complying with orders issued by the other country. This means the designated authority of each country can issue requests directly to providers in the other country without a request being reviewed by the receiving country’s government.
The Australia-US CLOUD Act Agreement will not replace mutual legal assistance and other forms of international crime cooperation with the US, but will complement the existing framework. Under the Australia-US CLOUD Act Agreement, Australian agencies will have more efficient access to US-based providers. Australian agencies will still be able to use existing international crime cooperation methods, such as police-to-police assistance and formal mutual legal assistance. This ensures agencies have as many tools as possible to fight crime.
Industry impacts of the Australia-US CLOUD Act Agreement
The impact of the Australia-US CLOUD Act Agreement on Australian industry is not expected to be significant. This is because most global communications service providers are based in the US. Australians are more likely to use US-based services than the other way around. The Department of Home Affairs has had considerable engagement with industry and will continue to engage as we look towards implementation of the Australia-US CLOUD Act Agreement and the IPO framework. Orders cannot be sent until the Australia-US CLOUD Act Agreement is operational (anticipated to be by the end of 2022).
The Australia-US CLOUD Act Agreement enables US agencies to send orders through the US designated authority to Australian communications providers for the purpose of preventing, detecting, investigating or prosecuting serious crime. The IPO framework in the TIA Act lifts the barriers that would otherwise prevent Australian communications providers from responding to such orders.
A broad range of providers will be captured under the Australia-US CLOUD Act Agreement and could potentially receive US orders for content data, traffic data and/or metadata. This includes traditional carriers and carriage service providers (including telecommunications service providers), as well as companies such as over-the-top, VOIP and messaging app providers, social media and chat forum websites, and back-up and storage service providers.
The Australia-US CLOUD Act Agreement does not compel providers in either country to comply with an order. However, the domestic law of the issuing country may do so. We anticipate the instances of the US applying penalties on Australian providers will be rare.
Safeguards in the IPO framework and Australia-US CLOUD Act Agreement
The protections and safeguards in Schedule 1 to the TIA Act are similar to the protections in Australia’s domestic framework. International production orders will be independently issued, and subject to safeguards and limitations to ensure that any encroachment on privacy is reasonable and proportionate. There will also be comprehensive oversight by the Commonwealth Ombudsman and the Inspector-General of Intelligence and Security.
The Australia-US CLOUD Act Agreement supplements the protections of the IPO framework with additional safeguards and protections. It emphasises the importance of, and our commitment to, human rights, civil liberties, the rule of law, principles of non-discrimination and the protection of privacy. This includes:
- safeguards relating to the use of Australian-sourced data in prosecutions that could result in the death penalty being applied, and the use of American-sourced data in a manner that could raise freedom of speech concerns for the US (Article 9(4))
- safeguards relating to privacy and data protection (Articles 3(4), 3(5), 7 and 9) and principles of non-discrimination (Article 4(2))
- safeguards and requirements to minimise the US’ collection, retention, use and disclosure of data relating to Australian persons (Articles 3(4) and 7), and
- clear guidelines for requests that can be sent, including requirements for independent review or oversight, and that orders must relate to criminal offences punishable by at least three years’ imprisonment (Articles 4(1) and 5(1)).
The Australian Designated Authority will review all international production orders issued to Australian agencies to ensure they comply with the requirements of the CLOUD Act Agreement before transmitting them to US providers. The US Designated Authority will do the same for US orders.
Privacy protections in the Australia-US CLOUD Act Agreement
Protecting the privacy of Australian communications is a primary consideration of the Australia-US CLOUD Act Agreement. The Australia-US CLOUD Act Agreement is focussed on allowing Australia and the US to gather evidence in relation to crimes committed by their own citizens, located in their own jurisdiction. The Australia-US CLOUD Act Agreement includes specific prohibitions on the targeting of each other’s citizens and people located in the other’s jurisdiction.
The US will be prohibited from targeting Australian persons under the Agreement, including citizens, permanent residents, corporations, non-incorporated associations like charities, government entities and persons physically located in Australia. Likewise, Australia will be prohibited from targeting US persons.
Both Australia and the US will adopt procedures to minimise the acquisition, retention, and dissemination of information concerning each other’s citizens or permanent residents where their communications were incidentally obtained.
There are also several provisions in the Australia-US CLOUD Act Agreement that set out robust privacy and data protection safeguards. Personal data received by Australian agencies will be protected in accordance with Australia’s domestic legal framework. Likewise, data received by US agencies will be protected in accordance with US domestic laws.
Next steps for the Australia-US CLOUD Act Agreement
While the signing of the Australia-US CLOUD Act Agreement is a significant achievement, there are still a number of steps that must be undertaken before the Agreement can become operational. It will now be reviewed by the Australian Parliament and the US Congress. The Agreement will not enter into force until these processes have been completed. It is anticipated that the Australia-US CLOUD Act Agreement will be operational by the end of 2022.
More information
Find out more about the Australia-US CLOUD Act Agreement:
Contact
For more information contact:
crossborderdatapolicy@homeaffairs.gov.au