The federal government has begun negotiating a new data-sharing agreement with the US, amid concerns about whether the recently passed encryption laws will jeopardise these talks, and the impact streamlined data-sharing would have on privacy and civil rights.
In a joint statement on Monday, US Attorney-General William Barr and Home Affairs minister Peter Dutton confirmed they had begun formal negotiations for a bilateral agreement under the US Clarifying Lawful Overseas Use of Data (CLOUD) Act, which facilitates faster access by foreign countries to data held by US-based tech companies, and vice versa.
The two politicians met in the US on Monday to discuss the potential agreement.
“The CLOUD Act was created to permit our close foreign partners who have robust protections for privacy and civil liberties, such as Australia, to enter into executive agreements with the United States,” Mr Barr said in a statement.
“The United States looks forward to working with the Australian government on this agreement, which will enhance each country’s ability to fight crime by allowing faster access to data needed for quick-moving investigations.”
Mr Dutton said the current process around requesting data from a US company can lead to the loss of evidence and “unacceptable delays”.
“When police are investigating a terrorist plot or serious crime such as child exploitation, they need to be able to move forward without delay, but within the law – and the CLOUD Act strikes exactly that balance. This is the way of the future between like-minded countries,” Mr Dutton said.
Foreign countries currently have to seek a mutual legal assistance notice to request data from a US-based company like Facebook.
The US government has said the number of these requests has “increased dramatically” in recent years, leading to “straining resources and slowing response times”.
The CLOUD Act, enacted in early 2018, allows foreign governments to bypass this process and directly request data from a US tech company based on their own laws. The agreement also always the US government to complete this process in the other country.
The US entered into its first agreement under the CLOUD Act this week, with the UK securing a deal.
But the CLOUD Act has been widely criticised by civil and digital rights groups, with concerns surrounding the impact of the new rules on privacy and security.
The American Civil Liberties Union labelled it a “sinister piece of legislation” that “threatens the civil liberties and human rights of global activities”.
Australian organisations are also concerned about the move from the government to sign a deal under the act.
Electronic Frontiers Australia board member Justin Warren said such a deal would damage the privacy and data security of Australians.
“The US CLOUD Act privileges law enforcement over people’s privacy. It allows US law enforcement to bypass the laws of other nations that protect privacy,” Mr Warren told InnovationAus.com.
“It would also allow Australian authorities to bypass US privacy protections for data on Australians that happens to be held by US service providers like Facebook, Google or Netflix.”
“The CLOUD Act provides unlimited jurisdiction to US law enforcement over any data controlled by a service provider, regardless of where the data is stored and who created it.”
“An executive agreement would provide this same unilateral ability to Australian law enforcement to bypass US privacy protections, such as the US Constitution’s fourth amendment warrant requirements.
“It is yet another expansion of authoritarian power, steamrolling over the objections of civil society.”
There are also questions over whether Australia will even qualify for an agreement under the CLOUD Act due to its recently passed encryption laws, which allow authorities to compel tech companies to provide access to encrypted data.
In a submission to the Parliamentary Joint Committee on Intelligence and Security, the Law Council of Australia said the Assistance and Access Bill could contravene the requirements of the CLOUD Act.
The Act states that the country’s domestic law must “afford robust, substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement” and that it must also not “create any obligation that providers be capable of decrypting data or limitation that prevents providers from decrypting data”.
“The Law Council considers that the current law in Australia as it relates to storing and accessing telecommunications data will be insufficient to allow Australia to qualify for entry into an executive agreement with the US,” the Law Council said.
“This means that law enforcement agencies in Australia will be restricted to seeking access to data held by a service provider in the US through the existing and time-consuming MLAT process.”
The Law Council said there was an “inconsistency of obligations” between the encryption powers and the US law.
Under the CLOUD Act, a foreign country must have laws and “robust, substantive and procedural protections for privacy and civil liberties”, including around cybercrime and electronic evidence, a respect for the rule of law, and clear legal mandates and procedures governing the collection, retention, use and sharing of electronic data.
“We expect the high standards required for eligibility for CLOUD Act agreements to be a significant motivation for countries to increase protections for privacy and civil liberties,” the US government said.
It also requires that foreign orders be subject to independent review or oversight and be based on a reasonable justification grounded in credible facts, identifying a specific person.
“To be eligible, some countries interested in executive agreements will likely need to increase standards and improve procedures,” it said.
The Australian government will have to pass specific legislation in Parliament relating to the Act before the agreement can be officially signed.