Helaine Leggat, managing partner of law firm ICT Legal Consulting Australia, told iTWire in response to queries that the Telecommunications Legislation Amendment (International Production Orders) Bill No. XX 2020 — legislation that seeks alignment with the US CLOUD (Clarifying Lawful Overseas Use of Data) Act so that Australian agencies can gain faster access to information than through the mutual exchange process — was also intended to amend the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, or TOLA Act, which in common parlance is the encryption law passed in 2018.
"The extra-territorial reach of TOLA means that it will ease access to encrypted data and work hand-in-hand with the CLOUD Act to facilitate access to electronic data held by 'communications-service providers'", Leggat said.
"You will recall last year’s numerous debates regarding Australia becoming the pariah of the world for weakening trust and breaking security by mandating 'designated communications providers' (anywhere in the world) to 'do acts or things' by way of giving certain types of help to national security and law enforcement agencies."
The US CLOUD Act was passed in 2018 to make it possible for warrants issued by an American authority to be used to seize data stored by branches of US firms abroad. The Act was passed to overcome an obstacle faced by the FBI in obtaining data which Microsoft had stored in Ireland. The agency said the data in question was related to a drug-trafficking case.
The corresponding Australian law would allow local authorities to have the same reach as the Americans, this time to data and individuals in the US, provided their data was needed for progressing a judicial or criminal case or investigation.
In the normal course of things, a request for data under the so-called mutual legal assistance treaty takes a long time to deliver results, if any. That is the rationale behind the Australian move.
The UK has already passed a law that enables it to co-operate with the Americans in order to benefit from the reach of the CLOUD Act.
The Parliamentary Joint Committee on Intelligence and Security is conducting an inquiry into the new law, with submissions still being accepted. The PJCIS has been asked to submit its report by 26 June.
According to official statements, the changes being made are meant to:
- "provide a framework for Australian agencies to obtain independently-authorised international production orders for interception, stored communications and telecommunications data directly to designated communications providers in foreign countries with which Australia has a designated international agreement;
- "amend the regulatory framework to allow Australian communications providers to intercept and disclose electronic information in response to an incoming order or request from a foreign country with which Australia has an agreement;
- "make amendments contingent on the commencement of the proposed Federal Circuit and Family Court of Australia Act 2020; and
- "remove the ability for nominated Administrative Appeals Tribunal members to issue certain warrants."
While the UK has laws on its books that provide for GDPR-style privacy protections for individuals, Australian privacy law is not regarded as adequate by European standards.
Leggat said while she had not studied the new law in detail, "one point of interest is that, while the US-UK Agreement and the Privacy Shield arrangements between the EU and the US (in terms of which the US Government provides assurances for individuals to legal recourse), provide reasonable assurances for the protection of privacy, Australia does not have a Privacy Shield type arrangement with other countries.
"Again, on an initial reading of the Bill, and mindful of the Regulatory Universe, (including related surveillance laws), I find the Australian provisions weighted in favour of law enforcement and surveillance at the cost of privacy and the protection of personal information."
Leggat said the claim, mentioned in one submission to the PJCIS inquiry, that Australia would not be able to pursue cases involving Americans and American data, was not correct.
"That is not what I understand. These are bilateral agreements with mutual reciprocal rights," she said. "I also read that what starts as bilateral agreements, eg between the US and the UK, and between the US and Australia, will have the effect of becoming a multilateral agreement facilitating the access of data between the UK and Australia, and other signatory countries in future. I do not think that the provisions relating to restrictions on third-party sharing prevent this."
The question of encrypted data did not pose an obstacle to sharing data, Leggat said. "The way I read this is that under TOLA, encryption is no impediment to access. Australia requires all designated service providers, essentially to assist access to unencrypted information, and under the Cloud agreement, the unencrypted information can be accessed by the US.
"This is the interesting part, that I do not think the Australian public really understands. Even encrypted messaging systems like WhatsApp offer no security of privacy or confidentiality under TOLA, and the CLOUD Agreement is intended to make the unencrypted data available, so the reach of law enforcement is greatly enhanced.
"In the UK, the Regulation of Investigatory Powers Act 2000 (RIPA), Part III, requires people to decrypt information and/or supply keys to government representatives to decrypt information without a court order."
Leggat cautioned against rushing legislation of this nature through Parliament. "Much awareness, public debate and consideration is required. This bill should not be rushed. It is a monster piece of legislation, detailed, precise and procedural in its approach," she pointed out.
"The government must allow time for informed public participation. The devil is in the detail. There is no question that law enforcement powers are necessary, but they must be balanced and proportional to the needs of civilised societies."