CLOUD Agreement eases law enforcement access to big tech data

On December 15, 2021, the United States and Australia signed an agreement to make it easier for law enforcement agencies to issue cross-border demands for data (including by interception or access to stored communications) from service providers.

The name of the Agreement – CLOUD Agreement – comes from the title of the related US legislation: the US Clarifying Lawful Overseas Use of Data (Cloud), Act. Despite its name, the Agreement does not try to regulate the cloud.  Its purpose is to help law enforcement agencies in the Australia and the US use existing warrants to access data from firms in the other country, including tech and social media giants, to prevent, detect, investigate and prosecute serious crime.

The Agreement is the second bilateral agreement to be entered into under the CLOUD Act, following the U.S.-UK agreement in 2019.

Purpose of the CLOUD Agreement

The US attorney general, Merrick Garland, said the deal would ensure “more efficient cross-border transfers of data … so that our governments can more effectively counter serious crime, including terrorism, while adhering to the privacy and civil liberties values that we both share”.[1] 

“Signing the CLOUD Act Agreement will enable our two nations’ law enforcement agencies to share important digital information and data with each other, under carefully defined legal authorities and safeguards,” said Karen Andrews, Australia’s Minister of Home Affairs.  Minister Andrews also noted that the agreement included “important safeguards” reflecting the two countries’ “respect for the rule of law and for human rights”.

Previously, Australian law enforcement agencies could only rely on mechanisms such as mutual legal assistance agreements to access crucial evidence from other countries, which have been flagged as complex and time-consuming by Home Affairs.[2]

CLOUD Agreement: Enabling Legislation

The path for the cross-border law enforcement Agreement was set by the passage of the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 by the Australian government.  This Bill established a legal framework for Australian law enforcement agencies to access certain electronic data for law enforcement and national security purposes held by companies outside of Australia, by way international production orders.  The Bill covers the interception of real-time communications or the production of stored communications by communications providers in foreign countries with which Australia has an agreement.  In an Explanatory Memorandum, the Australian government explained that “[t]he Bill provides the legislative framework for Australia to give effect to future bilateral and multilateral agreements for cross-border access to electronic information and communication data.”

CLOUD Agreement: Practical issues

Although the Agreement will streamline the access process, the use of encryption that protects data even from the tech companies themselves, such as Facebook’s provision of end-to-end encryption for its users on WhatsApp, may stymie access requests made under the CLOUD Agreement.

As reported in The Guardian, in October 2019 the former home affairs minister, Peter Dutton, publicly lobbied Facbook not to roll out encryption, which he said would put users’ messages out of reach of police “even with a court-ordered warrant”. Facebook responded that people “have the right to have a private conversation online” and the Cloud Act “allows for companies to provide available information when they receive valid legal requests [but] does not require companies to build backdoors”.

In 2019, Labor welcomed Cloud Act negotiations but questioned whether a deal would require the Coalition to  amend Australia’s encryption legislation, so that Australia meets the requirements to have protections for privacy and freedom of speech.  Australia’s encryption legislation requires technology companies, device manufacturers and service providers to build the functionality needed for police to access encrypted messaging.  Its unclear how useful that legislation has been to date.

CLOUD Agreement: What happens next?

While a copy of the Agreement has not yet been made public, the CLOUD Act generally requires that foreign governments remove barriers in their domestic laws that would prevent U.S. law enforcement and national security agencies from obtaining electronic data directly from providers located in their jurisdiction.[3]  The CLOUD Act also permits U.S companies to disclose user data in response to orders from foreign governments that have entered into an agreement under the Act.[4]    The CLOUD Act also requires that the U.S. Attorney General certify to Congress that the partner country has “robust substantive and procedural protections for privacy and civil liberties.”[5]

The safeguards in the Australia-US deal are still unclear. The US’s first Cloud Act deal with the UK mandated that each country would gain permission before using the data for death penalty prosecutions in the US, or cases implicating freedom of speech in the UK.

The Agreement will go into effect following congressional and parliamentary review in both the United States and Australia.  In the U.S., the Agreement will take effect unless Congress disapproves by joint resolution. No further legislation is required in Australia, although parliament will still be able to disallow the finalisation of the Agreement.

The CLOUD Act agreement comes off the heels of a series of new laws and initiatives directed at tech firms, increasing security and regulating on-line behaviour. In December alone, Australia has announced the Online Safety Youth Advisory Council, passed “Magnitsky-style” and Critical Infrastructure cyber attack laws, commenced work on electronic surveillance law reforms, and proposed anti-trolling laws.

The Australian government also started work on a new ransomware plan back in October.  This is covered in our previous blog post.

With so much activity in the space of law enforcement, on-line safety and cracking down on big tech, one might think an election was on the way …

More information:

https://www.insideprivacy.com/international/u-s-and-australia-sign-cloud-act-agreement/

https://www.simmons-simmons.com/en/publications/ckqtoc4gf1n910986tkl6pvio/head-in-the-clouds-australia-passes-us-cloud-act-style-law

[1] https://www.theguardian.com/technology/2021/dec/16/australia-and-us-sign-cloud-act-deal-to-help-law-enforcement-agencies-demand-data-from-tech-giants

[2] https://www.zdnet.com/article/australia-and-the-us-enter-into-cloud-act-agreement-for-cross-border-access-to-electronic-evidence/

[3] See, e.g., 18 U.S.C. § 2523(b)(4)(I).

[4] See, e.g., Id. § 2511(2)(j).

[5] Id. § 2523(b).

At Privacy 108, we are passionate about privacy and data protection. We work with organisations to ensure they collect, use and secure all information in a way that is both compliant and meets community expectations. Privacy 108 is a law firm. Our team of lawyers can provide specialist legal advice on privacy and security issues.