Legislation paving the way for a data-sharing deal with the US “does not provide adequate safeguards to protect human rights”, according to an international coalition of tech groups that includes Google and the Internet Society.
The legislation lays the groundwork for Australia to enter into an agreement with the US under the CLOUD Act, which would facilitate expedited data sharing between jurisdictions.
The arrangement would allow American authorities to request data from an Australian company directly without going through local authorities, and vice versa, providing a quicker method than the existing mutual assistance notice system.
The legislation was introduced to Parliament in early March and quickly referred to the committee for inquiry by Home Affairs Minister Peter Dutton.
In a submission to the inquiry, the International Civil Liberties and Technology Coalition, whose members include Google, Access Now, Privacy International and the Internet Society, urged the Australian government to make changes to the legislation.
In its current form, the international coalition said the bill “does not provide adequate safeguards to protect human rights”.
The group of civil society organisations said there are “significant revisions” needed to fix a range of issues with the bill. These include a lack of prior judicial review, insufficient notice and transparency, and a failure to provide a clear mechanism to challenge a request for data.
The legislation should require improved independent oversight for any request made under the data-sharing deal, the groups argued.
“As companies and advocates alike have argued throughout the CLOUD Act debate, to ensure that this is a rights-protective regime, any government seeking to send law enforcement demands directly to a foreign provider must be required to implement prior independent judicial authorisation based on a meaningful minimum legal and factual showing,” the submission said.
“Judicial authorisation under a robust privacy standard would provide a critical safeguard against overbroad and unlawful demands for customer data.”
The current bill also doesn’t include a requirement for government officials to notify the subjects of data requests, whether that’s an individual or company, when a request for data has been made.
“Providing notice should be a duty of governments. It should not be left to the discretion of providers and individuals cannot be barred from exercising their rights,” they said.
There also needs to be a clear outline of how companies or individuals can challenge a request for data, with the current bill “failing to provide a sufficient procedure for challenges, and clear standards for approval or denial of those challenges”.
In another submission, Western Australia Police asked for more information about the new powers included in the legislation, but said they could be a “highly valuable investigative tool”.
“The WA Police Force require more information and guidance as to what services are able to be intercepted from overseas carriers, especially those that originate in the USA. If the restrictions imposed by encrypted services (such as WhatsApp, Viber, Facebook Messenger) may be overcome to enable live interceptions, we expect that the IPO framework under the bill will provide law enforcement officers with a highly valuable investigative tool,” the submission said.
The PJCIS is due to report back on the International Production Orders bill by 26 June.