The federal government’s privacy office has called for changes to legislation facilitating data-sharing agreements with other countries in order to protect the personal data of Australians.
Australian Information and Privacy Commissioner Angelene Falk said that legislation currently before Parliament, which paves the way for Australia to enter into a CLOUD Act data-sharing agreement with the US, needed to be strengthened to better uphold privacy.
The Parliamentary Joint Committee on Intelligence and Security (PJCIS) is scrutinising the International Production Orders (IPO) bill, and had been due to report back by June 26, but the inquiry is still ongoing.
The IPO legislation lays the legal groundwork for Australia to enter into “designated international agreements” facilitating cross-border access to electronic information and communications data by law enforcement.
The purpose of the legislation is to allow Australia to secure a CLOUD Act deal with the US, which would mean American authorities are able to directly request data from an Australian company rather than going through local authorities, and vice versa. This provides a quicker method than is currently available through the existing mutual assistance notice system.
But better safeguards are needed in the legislation to ensure that countries Australia enters into agreements with will protect the data of Australians, Ms Falk said in a submission to the PJCIS inquiry.
“The Office of the Australian Information Commissioner recommends that the bill be amended to ensure personal information that is disclosed by Australia designated service providers to foreign governments is appropriately protected,” Ms Falk said in the submission.
“The bill should require that, in relation to foreign countries which do not have privacy protections equivalent to the Privacy Act, designated international agreements contain provisions which afford comparable privacy safeguards.”
The Australian Privacy Principles require that Australian companies disclosing data to overseas jurisdictions ensure that the recipient does not breach Australian privacy laws. But this will not be required under the current IPO legislation, Ms Falk said, and this should be added to the bill before it is passed.
The privacy commissioner argued the bill should require that, if a foreign government doesn’t have data protection laws equivalent to Australia’s, these safeguards be included as part of the designated agreement, covering the collection, storage and use of data, a data breach response plan and a requirement to notify the Australian government if there is a breach of that data.
The IPO legislation and a CLOUD Act deal are being made under the auspices of targeting serious crime and terrorism. But Ms Falk said it is important that any of these measures be proportionate considering the sensitive data covered by the scheme.
“The wide range of data that could potentially be accessed under an IPO can provide a rich and detailed picture of an individual’s location, habits, associations, beliefs and preferences, with detail increasing commensurately with the volume of data collected and the methods used to process it,” she said.
“Initiatives which impact privacy in pursuit of these policy objectives must be reasonable, necessary and proportionate to achieving the policy aims. The scope of proposed measures must be as clear and transparent as possible and subject to appropriate safeguards, oversight and accountability.”
Other groups have also raised concerns with the legislation through the PJCIS inquiry.
An international coalition of tech groups, including Google and the Internet Society, said the legislation “does not provide adequate safeguards to protect human rights”, criticising the bill for a lack of prior judicial review, insufficient notice and transparency and a failure to provide a clear mechanism to challenge a request for data.