Australia, US negotiate to speed data exchange under CLOUD Act

Australian national parliament house in Canberra

Australia and the US have entered into formal negotiations for a bilateral agreement under the US Clarifying Lawful Overseas Use of Data Act (the CLOUD Act) set to "boost" cooperation between the two nations.

Australian Minister for Home Affairs Peter Dutton said the agreement, if passed, will result in "strong protections for rule of law, privacy and civil liberties".

The CLOUD Act is a US legislation passed in March 2018 with the intent to speed access to electronic information held by US-based global providers that is critical to US foreign partners’ investigations of serious crime, ranging from terrorism and violent crime to sexual exploitation of children and cyber crime. 

The United States Attorney General William Barr said the conclusion of an executive agreement with Australia will strengthen public safety for both countries.

“The United States looks forward to working with the Australian Government on this agreement, which will enhance each country’s ability to fight crime by allowing faster access to data needed for quick-moving investigations," Barr said.  "By increasing the effectiveness of investigations and prosecutions of serious crime, including terrorism, in both countries, citizens of both countries will be safer.”

If approved, the agreement will allow service providers in Australia and the United States to respond to lawful orders from the other country without "fear of running afoul of restrictions on disclosure", Barr explained.

Dutton said that the current processes for obtaining electronic information held by service providers in other countries risk loss of evidence and unacceptable delays to criminal justice outcomes.

This is currently possible through the mutual legal assistance (MLA) process, however the two nations believes the CLOUD Act allows for a faster response. MLAs involve a law enforcement agency in a nation using domestic legal provisions to seek evidence from a communications service provider on behalf of a foreign counterpart, using the local legal framework.

According to Home Affairs, the number of MLA requests for electronic information held by service providers in the US has increased dramatically in recent years, straining resources and slowing response times. 

"When police are investigating a terrorist plot or serious crime such as child exploitation, they need to be able to move forward without delay, but within the law – and the CLOUD Act strikes exactly that balance. This is the way of the future between like-minded countries," Dutton said.

"We have some way to go before the agreement is finalised, but once in place it will mean service providers based in the United States can respond directly to electronic data requests issued by our enforcement agencies under Australian law for data critical for the prevention, detection, investigation and prosecution of serious crime.”

Meanwhile, Digital Rights Watch chair Tim Singleton Norton expressed concern over the announcement.

"It's incredibly worrying to see the Australian government's anti-privacy agenda bleeding into our foreign diplomacy, with the reported negotiations underway in relation to the US CLOUD Act.

"As currently drafted, the agreement would require Australian-based cloud providers to hand over data requested by US law enforcement authorities. Under Australian law, police have the power to compel Australian-based technology companies to break encrypted protocols through the provisions of the Assistance and Access Act," Norton explained to Computerworld.

"And yet the US requires that for any bilateral agreement to proceed, that country’s laws must afford “robust substantive and procedural protections for privacy and civil liberties in light of data collection and activities of the foreign government that will be subject to the agreement.

"The existence of Australia's encryption-breaking powers mean that it's very hard to see how any agreement, particularly the one current drafted over the CLOUD Act, can be reached between the two countries," he added.

In July, the Law Council said that the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, which passed both houses on 6 December 2018 and became law on 9 December 2019, may disqualify Australia from entering into an executive agreement with the US under the CLOUD Act.

The CLOUD Act states that before entering an agreement the US attorney-general is required to certify that the other nation “affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement”.

In a submission to an inquiry examining the 2018 legislation the Law Council said it considers that the current law in Australia as it relates to storing and accessing telecommunications data will be insufficient to allow Australia to qualify for entry into an ‘executive agreement’ with the US.

“This means that law enforcement agencies in Australia will be restricted to seeking access to data held by a service provider in the US through the existing and time consuming MLAT process.”