Last fall, the United Kingdom and United States announced the first executive agreement under the CLOUD Act. The 180 days for Congress to disapprove the agreement expired on July 8, without the House or the Senate holding public hearings or taking any formal action on the agreement. According to a July 16 interview with the U.S. Department of Justice, the agreement will take effect after an exchange of diplomatic notes, which has not yet occurred. The Cross-Border Data Forum, with whom we work, has published extensive materials about these executive agreements, including an article by Jennifer Daskal and Peter Swire explaining multiple privacy safeguards in the U.S./U.K. agreement that go beyond the minimum requirements of the CLOUD Act.
The greatest change in practice is that the U.K. can go directly to U.S. service providers to request the contents of communications, such as emails or social messaging posts. Previously, the Electronic Communications Privacy Act had made it illegal for a U.S. provider to supply such content to a foreign government, unless the foreign government went through the often-slow process of a Mutual Legal Assistance Treaty. As of July 8, a U.K. office designated under the agreement can issue the content request directly to U.S. service providers, so long as the agreement’s safeguards are met. We are in the process of drafting an article on some implementation issues for the U.S./U.K. agreement, which we expect to publish in the near future.
Now, Australia and the United States are negotiating the second of the executive agreements envisioned by the CLOUD Act, and U.S. negotiations are also officially underway with the European Union. This spring, the Australian government introduced legislation that would provide the Australian legal basis for evidence requests directly to foreign providers, notably for use in an agreement with the U.S. under the CLOUD Act.[1] The Australian Parliamentary Joint Committee on Intelligence and Security (‘PJCIS’) issued a call for public comments, concerning the Australian Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (‘the Bill’).[2]
This article summarizes key issues raised in the public comments about the Bill. Part (i) of this article provides an overview of the Bill and its purpose. Part (ii) summarizes the submission which Swire submitted to the PJCIS in his personal capacity. Part (iii) summarizes a submission made by an international civil liberties and technology coalition including Access Now and New America’s Open Technology Institute, which Swire also signed in his personal capacity. Finally, Part (iv) provides a summary of some key points which we noted throughout the remaining submissions which are of particular interest to issues of cross-border transfers of evidence and the civil liberties protections that should accompany such transfers.
(i) Overview of the Bill and its purpose
As outlined by the Law Council of Australia’s submission (linked here), the primary objective of the Bill is to establish a framework to give effect to future agreements that Australia may enter into with foreign countries, for the purpose of reciprocally obtaining and granting cross-border access to electronic communications and related data. Australia is currently negotiating an executive agreement of this kind with the U.S. under the CLOUD Act. The Law Council describes such negotiations as a ‘significant impetus for the introduction of the Bill, given that many major global communications providers are based in’ the U.S.
Under the framework established by the Bill, such an executive agreement would notably:
- Enable Australian law enforcement to issue orders to investigate serious crimes directly to Designated Communications Providers (‘DCPs’) in the foreign country in order to access the content of communications by use of an International Production Order (‘IPO’).
- Permit Australian DCPs to disclose communications data in response to incoming orders or requests from a foreign country.
As set out by the submission of the Australian Attorney-General’s Department (linked here), the biggest advantage of the Bill will be the increased speed at which relevant data can be shared between crime cooperation partners, when compared with the existing MLA regime.
(ii) Swire’s submission to the PJCIS
In his submission, Swire performed a ‘gap analysis’ of the Bill and the CLOUD Act, in order to identify areas where the Bill as currently drafted may not meet CLOUD Act requirements, and to propose some solutions. Swire’s submission focuses on 7 issues:
- Judicial authority. The Bill may violate the CLOUD Act requirement that an IPO ‘shall be subject to review or oversight by a court, judge, magistrate, or other independent authority […]’. Although the Bill enables orders by the Administrative Appeals Tribunal (‘Tribunal’), it appears that the Tribunal is neither a court nor an independent authority.[3]
- Lack of notice. There is a lack of provisions enabling the DCPs to notify the US DOJ, the subjects of an IPO or third countries. In particular, the lack of an ability to notify the US DOJ prevents the US DOJ from enforcing its right to block an improper order to a DCP.
- Scope of the law. The CLOUD Act provides that orders may only be made in relation to ‘serious crime, including terrorism’. The Bill, however, authorizes (i) orders for ‘enforcement of the criminal law’, (ii) ‘control orders’, which concern anti-terrorism activities; and (iii) orders relating to national security. It is not clear whether an order under the latter two categories would be consistent with the CLOUD Act.
- Possible lack of Australian administrative structures. The CLOUD Act contains multiple provisions requiring effective management and oversight of requests, to ensure compliance with the CLOUD Act requirements. However, currently, the Bill is unclear as to the extent to which Australian institutional structures currently exist or are authorized by current law to serve those purposes.
- Transparency. The CLOUD Act provides that ‘the foreign government shall agree to periodic review of compliance’ with the executive agreement by the United States Government. It also requires the US Attorney-General and Secretary of State to review the executive agreement every 5 years. In order to successfully negotiate an executive agreement with US DOJ, there must be enough transparency about operations of the IPOs to enable the required review, including specific enough statistics to enable effective transparency. Such transparency and legal structure may be specified by a subsequent executive agreement.
- U.S. persons. The CLOUD Act’s prohibition on direct or indirect targeting of U.S. persons is not explicitly provided for in the Bill. To reach an executive agreement, the U.S. Department of Justice (‘US DOJ’) would need to determine that the requisite institutional arrangements can and would exist.
- Negative effect on encryption. The CLOUD Act requires that the Executive Agreement does ‘not create any obligation that providers be capable of decrypting data or limitation that prevents providers from decrypting data.’ However, the Bill (and subsequent executive agreement) would appear to have the effect of creating such an obligation when read in conjunction with other Australian legislation.[4]
(iii) The international civil liberties and technology coalition letter
The coalition’s submission (linked here) urges the PJCIS not to move forward with the Bill as currently written, because it does not provide adequate safeguards to protect human rights.[5] In particular, the signatories are concerned that the Bill:
- Fails to ensure prior judicial review under a robust legal standard. As well as expressing concerns about the Tribunal, the coalition argued that the Bill does not adequately protect personal privacy or against government overreach or abuse. Judicial authorization should be based on a minimum factual showing.[6]
- Provides insufficient notice and transparency mechanisms. For example, the coalition notes a concern that the Bill does not include a mechanism requiring government officials to notify subjects of data requests, whether individuals or other entities, that access to their data has been requested. This is at odds with the principle that users generally have a universal right to notice. In addition, bilateral agreements under the CLOUD Act should provide for notice to the government of the DCP’s home country.
- Requires the compulsory production of user data from DCPs, counter to the CLOUD Act’s intent. The CLOUD Act (merely) lifts the blocking provision under the U.S. Stored Communications Act (SCA) and authorizes U.S. DCPs to disclose data to foreign governments pursuant to an executive agreement. The Bill, however, seeks to subject DCPs to civil penalties if they fail to comply with an IPO. This contravenes the intent of the CLOUD Act.[7]
- Fails to provide a clear and robust mechanism for DCPs to challenge inappropriate and overbroad requests. Although the Bill provides that DCPs may object to IPOs by written notice to the Australian Designated Authority, the procedures are vague. Opportunities to challenge are only meaningful if clear procedural and substantive rights to challenge are provided.[8]
(iv) Key points in the remaining submissions
In this section, we provide a summary of some key points in other submissions. We do not focus on internal Australian issues, such as budget implications of the bill; instead, the focus is on issues that are likely to be relevant to ongoing discussions about an Australia/U.S. CLOUD Act executive agreement, or other cross-border requests for evidence.
One recurring concern is a familiar one from prior research — the limitations and inefficiencies of the existing mutual legal assistance regime, which can undermine the effectiveness of investigations. In addition, based on the public comments, Australian law enforcement and investigatory bodies generally support the Bill, although there is some appreciation that further guidance is needed about how the regime would operate in practice.
Other points of particular interest are as follows:[9]
- The benefits of implementing reimbursement schemes: One suggestion, raised by the Communications Alliance in its submission (linked here), is that a reimbursement scheme should be included within the Bill, mirroring the arrangements contained in the Australian Telecommunications Act 1997, in order to allow DCPs to recoup the costs they are likely to incur when complying with an IPO. In our view, such a reimbursement scheme would be fair to DCPs. It would also be a useful way to ensure that law enforcement, rather than issuing multitudinous requests, focuses on priority investigations – i.e., those that they are willing to ‘pay’ for using their finite resources.
- Pre-issuance consultation with DCPs: BSA | The Software Alliance notes that the Bill does not provide a right for the DCP to comment on the IPO until after it has been issued. The submission argues that without consulting with the DCP, it is highly possible to issue an IPO that is neither practicable nor feasible to comply with. The interception agency, Australian Designated Authority, and issuing authority are not in a position to assess the technical feasibility of a request, whereas the DCP would be able to do so. The DCP would also be able to assess whether it holds the relevant data, and would, for example, have an understanding of any legal obligations to which the relevant legal entity is subject.
- Centralizing requests: Google’s submission notes that DCPs are instructed under the Bill to provide any requested communications and data to the requesting agency or the Australian Designated Authority, depending on the directions of the IPO. A better approach would be that all communications to and from an Australian law enforcement agency be channeled through the Australian Designated Authority and that this Authority acts as a coordinator across multiple agencies. Centralizing requests in this way will guard against duplication and create a single point of contact. The authors of this article note that it is the practice in the UK to have communications sent to a designated authority. Such a practice enables transparency, oversight and auditing – and therefore better monitoring of how the CLOUD Act is being implemented.
- Lack of appeal options in the Bill: Google’s submission also argues that the appeal options contained within the Bill could be strengthened. According to Google, deferring to existing appeal mechanisms is not satisfactory given the lack of appropriate merit-based appeal processes in other relevant legislation such as the Australian Telecommunications and Other Legislation (Assistance and Access) Act 2019. In particular, overseas DCPs may be subject to other third-country laws, conflicts with which are not and cannot be lifted through the international agreement.
- Microsoft’s submission (linked here) outlines its concerns about how an executive agreement may be implemented through the Bill by reference to Microsoft’s six principles[10] which it recommends as global best practices. For example:
  - Under Microsoft’s ‘Notice’ principle, people have a right to know when the government accesses their data, and cloud providers must have a right to tell them. However, Microsoft notes that the Bill imposes a blanket prohibition on DCPs notifying their customers of an IPO targeting their data and does not require the government to ever notify the target of surveillance that their data has been examined.
  - Under its ‘Modernising rules for seeking enterprise data’ principle, enterprises should typically have the right to control their data and receive investigatory demands directly from law enforcement. It is rarely necessary and proportionate to seek enterprise data from a cloud service provider instead of seeking the data from the enterprise directly. However, the submission points out that the Bill’s definition of service provider would include those providing services to business and government enterprises. Under the Microsoft principle, the Bill should either exclude the use of IPOs directed at DCPs for enterprise data or include a requirement that investigators seek evidence directly from enterprises unless there is evidence that doing so would jeopardize the investigation.
- Grounds to Challenge: The Bill authorizes service providers to object to an IPO only on the basis that it does not comply with the designated international agreement. Although the Explanatory Memorandum states that this right to object is in addition to any other review rights or remedies available under Australian law, this provision is not set out in the Bill itself. The Bill should explicitly provide a basis to challenge IPOs that are overbroad, abusive, violate the terms of an international agreement or are otherwise unlawful.
- Mechanisms to Resolve and Raise Conflicts with Third-Country Laws: The Bill provides no clear legal basis for service providers to challenge IPOs that would force them to violate the laws of a third country. Without such mechanisms, the IPO could lead to more conflicts of law and defeat the spirit and intent of the international agreements envisioned by the CLOUD Act.
[1] For an explanation of the CLOUD Act, see Peter Swire & Jennifer Daskal, “Frequently Asked Questions about the CLOUD Act,” Cross-Border Data Forum (Apr. 19, 2019), at https://www.crossborderdataforum.org/frequently-asked-questions-about-the-u-s-cloud-act.
[2] The Bill and official discussion of it can be found here.
[3] Other submissions also express concerns with reliance on the Tribunal. For example: (i) The Australian Privacy Foundation’s submission highlights perceptions that the Tribunal is being influenced through appointments reflecting political affiliation; (ii) The submission by Communications Alliance (a telecommunications industry body in Australia – linked here) voices concerns that the oversight of the Tribunal does not provide appropriate judicial oversight, and suggested that there should also be a national system for public interest monitors in relation to IPO applications; and (iii) BSA | The Software Alliance’s submission (linked here) also underlines the need for independent judicial oversight, noting that at the worst, the Tribunal could be seen by the Australian public and overseas governments as the executive branch of the Australian Government approving its own applications for IPOs.
[4] Concerns about decryption obligations are expressed in other submissions; for example in those by Eric Wilson (a software developer – linked here), and Google (linked here).
[5] The Law Council of Australia and DIGI (a non-profit industry association that advocates for the interests of the digital industry in Australia – whose submission is linked here) similarly express concerns about the lack of safeguards in their submissions.
[6] BSA | The Software Alliance also argues that the issuance of IPOs should be based on proper findings: evidence from the requesting interception agency regarding the necessity of issuing the IPO, including why other less intrusive measures are unavailable or insufficient, as well as the reasonableness, proportionality, practicability, and feasibility of the proposed requirements.
[7] Other submissions, such as the submission from the Communications Alliance, Google’s submission, the submission from ACT | The App Association (linked here), and the Ai Group’s submission (linked here) make similar arguments that the Bill should not require compulsory compliance with IPOs.
[8] The submission from ACT | The App Association also raises a concern with the Bill’s ‘opaque’ challenging mechanisms.
[9] In total, 32 submissions were made, some of which were accompanied by one or more supplementary submissions. In relation to each point below, we have highlighted a submission making that particular point. However, we note overlaps across the submissions, and the same arguments may have been made in different submissions.
[10] The six principles can be accessed here.
These statements are attributable only to the authors, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.
This article was revised on July 19, to report the interview with the U.S. Department of Justice that the US/UK agreement has not yet gone into effect.
Authors
Paul Greaves is a senior associate in the Brussels office and a member of the Privacy, Cyber & Data Strategy Team. Paul’s privacy, information technology, and data protection practice includes a focus on compliance with the General Data Protection Regulation, ePrivacy rules, and cross-border data transfers.