The Department of Home Affairs has said Australia is likely to be the next qualifying foreign government to enter into an agreement with the United States under its Clarifying Lawful Overseas Use of Data Act (CLOUD Act).
Australia announced the commencement of formal negotiations for a bilateral agreement pursuant to the CLOUD Act in October.
The CLOUD Act creates a legal framework regulating how law enforcement can access data across borders.
If the agreement is finalised and approved, service providers in Australia and the US would be able to respond to lawful orders from the other country for access to electronic evidence.
A bilateral CLOUD Act agreement would enable Australian law enforcement to serve domestic orders for communications data needed to combat serious crime directly on US-based companies, and vice versa.
The United Kingdom finalised a similar agreement with the US in October 2019.
“This has been recognised as a significant shift towards a new paradigm, which supports efficient and effective cross-border access to the electronic data needed to combat serious crime, while safeguarding privacy and human rights,” Home Affairs wrote in a submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security (PJCIS).
The CLOUD Act would permit, if the agreement is forged, the Australian government to go directly to US-based communications service providers (CSP) through a legal process, rather than needing to go through the US government, and vice versa.
“Noting that the United States is the largest data controller in terms of communications technologies, services, and platforms, entering such an agreement with the United States would have significant benefits to Australian law enforcement and national security efforts,” Home Affairs wrote.
The department’s submission was made to the committee’s review of the nation’s pending Telecommunications Legislation Amendment (International Production Orders) Bill 2020.
The Bill is intended to amend the Telecommunications (Interception and Access) Act 1979 (TIA Act) to create a framework for Australian agencies to gain access to stored telecommunications data from foreign designated communication providers in countries that have an agreement with Australia, and vice versa. It would also remove the ability for nominated Administrative Appeals Tribunal members to issue certain warrants.
The Bill is a precondition for Australia to obtain the proposed bilateral agreement with the United States.
“It stands up a new international production order (IPO) framework that allows Australian law enforcement and national security agencies to, amongst other things, issue extraterritorial orders for electronic data on foreign designated communications providers (DCPs) where there is an agreement in place,” Home Affairs added.
“The IPO framework will complement other international crime cooperation mechanisms and is not intended to restrict other means of obtaining electronic data.
“The Bill also removes the ‘blocking statutes’ for Australian providers to respond to foreign orders or requests from countries with whom Australia has an agreement.”
As Home Affairs prepared the Bill, it doesn’t make any recommendations or suggestions to the PJCIS like others have, rather it listed a handful of policy challenges it says are behind the need for this legislative reform.
“The United States has a significant proportion of the world’s CSPs and is a major data-controller within the modern world,” it said.
“Communications data also regularly moves across geographical borders, through servers and other infrastructure located around the globe, meaning the exact location of data and relevant jurisdiction may be difficult for law enforcement and national security agencies to determine.”
Home Affairs said that international crime cooperation mechanisms, such as mutual legal assistance, remain the principal means to obtain evidence, including electronic data, from foreign jurisdictions for use in criminal investigations and prosecutions.
“However, the digital world and the rapid increase in digital evidence for all types of criminal offences — not just cyber offences — is fundamentally undermining international crime cooperation,” it wrote.
“The traditional mechanism of mutual legal assistance has proven to be a slow and cumbersome way of working, not responding sufficiently to this fundamental shift in the offshore storage of Australians’ data.”
According to the department, the pressure placed on existing mechanisms is significant and has been “exacerbated by the increasingly global operations of CSPs who are subject to the laws of multiple jurisdictions, or the location of the relevant data being undetermined because of the nature of international data flows”.
Home Affairs said, on average, it takes 10-12 months before an Australian agency receives electronic data for a criminal matter through the existing process, noting that some matters have taken up to 18 months.
“This delay can mean that while investigations cannot be progressed, criminals continue to offend and victimise, and take advantage of the complexities of electronic evidence gathering across jurisdictions,” the department continued.
“For example, if electronic evidence cannot be obtained in accordance with court timeframes, this can result in charges being withdrawn, less serious charges being laid, or a weaker case going before the court which does not show the full picture of criminality, and may ultimately lead to lower sentences being imposed, if at all.”
It also said that in circumstances where foreign CSPs hold electronic data relevant to offshore criminal matters, it often involves a “complex web of legal compliance and regulation”.
“It also significantly frustrates agencies’ access to electronic data to combat crime, putting the Australian community at risk,” Home Affairs said.