A parliamentary inquiry has given the green light to greater information sharing with US law enforcement despite its concern Australians will be kept in the dark about the number of orders made for data.
The joint standing committee on treaties has approved Australia’s Clarifying Lawful Overseas Use of Data (Cloud) Act agreement with the US, signed by the Morrison government in December 2021, labelling it an “important tool” for investigating serious crime.
The deal allows law enforcement and intelligence agencies in Australia and the US to demand data directly from communication service providers operating in the other jurisdiction.
The new system, enabled by legislation in mid-2021 and now set for formal ratification, will allow authorities to obtain data in days or weeks, rather than months or years.
The agreement includes safeguards including that a company can raise concerns about an order with a “designated authority” in its home country or appeal against the order in a court.
Each country retains control of how data is used in cases involving “essential interests”, including death penalty cases in the US and cases involving free speech in Australia.
In a report released earlier in December, the committee found obtaining data under the current mutual legal assistance treaty “can be cumbersome and not necessarily suited to modern communications, data storage, and cloud computing”.
The committee, chaired by Labor MP Josh Wilson, said it was “imperative that there be comprehensive reporting” of the number of data requests, noting the “permissive framework” in the deal contrasts with the “extensive” reporting requirements in Australia’s Telecommunications (Interception and Access) Act.
The designated authorities of Australia and the US will be aware of the number of orders for data, but their reports “would not be made public”.
Communications services providers “would be permitted to report on the aggregate number of orders they may have received” but “this would not be centralised or coordinated”, the report said.
“The committee did not receive any evidence that established why a consolidated report of incoming orders could not be published if appropriately de-identified and aggregated.
“The committee is of the view … some level of transparency and oversight is necessary in an open and democratic society to ensure the public does not lose confidence in the work governments undertake on their behalf.”
The committee said it had received evidence from stakeholders including the Australian Information Industry Association that the Australian government “would have little control or oversight of US executive and judicial decision-making in the process of issuing an order”.
The AIIA and NSW Council for Civil Liberties also warned that Privacy Act protections requiring consent for the collection, use and disclosure of “sensitive information” would not apply.
The committee noted that Australian law allowed warrants for interception of data for offences punishable by a maximum term of seven years or more in prison, but accessing existing stored communications “need only be in relation to a serious category 1 offence” punishable by three years or more in prison.
“In the contemporary computing environment, the difference between stored communications and interception would appear to be diminishing and to be almost imperceptible in some cases,” it said, potentially allowing agencies access to data for midrange offences.
In additional comments the Greens said that only more serious crimes should be covered by the Cloud Act agreement, with crimes punishable by a maximum term of at least three years’ imprisonment “adequately covered” under existing mutual assistance.
“The Australian Greens believe that solid reporting, strict and enforceable repercussions, and clear implementation requirements are essential in the success of this agreement,” the party said.