2.1
This chapter provides a summary of the existing international cooperation framework, how the existing framework led to the establishment of the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) legislation and discusses the proposed designated international agreement provisions of the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (‘the Bill’).
Mutual Legal Assistance
2.2
As a signatory to the United Nations transnational organised crime convention, Australia has the ability to request government-to-government assistance in criminal matters. The ability to request such information assists in obtaining evidence for the investigation and prosecution of drug trafficking, fraud, money laundering, child pornography and other child exploitation offences, as well as terrorism offences.
2.3
These requests take the form of mutual assistance requests (MARs) which are governed by the Mutual Assistance in Criminal Matters Act 1987 in Australia. This act governs both current incoming and outgoing requests for assistance in criminal matters.
2.4
When an offence occurs against Australian law and the investigatory body considers that information is held overseas, the Attorney-General’s Department drafts a MAR, considering Australia’s relationship with the foreign country, what the request asks, and relevant domestic and foreign laws. Once the terms are agreed, the Attorney-General of Australia (or delegate) approves the request and it is provided to the Foreign Central Authority, who then processes the request in line with their domestic laws.
2.5
A MAR can be provided for a variety of purposes:
a.
Taking evidence or statements from persons;
b.
Effecting service of judicial documents;
c.
Executing searches and seizures, and freezing;
d.
Examining objects and sites;
e.
Providing information, evidentiary items and expert evaluations;
f.
Providing originals or certified copies of relevant documents and records, including government, bank, financial, corporate or business records;
g.
Identifying or tracing proceeds of crime, property, instrumentalities or other things for evidentiary purposes;
h.
Facilitating the voluntary appearance of persons in the requesting State Party; and/or
i.
Any other type of assistance that is not contrary to the domestic law of the requested State Party.
2.6
An examination of 800 individual MARs by the Attorney-General’s Department revealed that 440 applications were made to the United States of America (USA) for assistance between 2014 and 2019.
Table 2.1: Mutual assistance requests to the USA (2014–2019)
|
|
|
|
|
|
|
|
|
CDPP
|
21
|
15
|
15
|
12
|
9
|
9
|
|
AFP (incl. ACT Police)
|
13
|
15
|
19
|
14
|
21
|
20
|
|
NSW Police
|
17
|
19
|
12
|
15
|
23
|
27
|
|
QLD Police
|
15
|
16
|
13
|
8
|
12
|
8
|
|
SA Police
|
7
|
4
|
2
|
1
|
4
|
4
|
|
TAS Police
|
0
|
0
|
0
|
0
|
1
|
1
|
|
VIC Police
|
2
|
6
|
9
|
8
|
7
|
5
|
|
WA Police
|
1
|
0
|
1
|
4
|
1
|
1
|
|
NT Police
|
0
|
0
|
0
|
1
|
0
|
1
|
|
Total
|
76
|
75
|
71
|
63
|
78
|
76
|
Source: Department of Home Affairs, Supplementary Submission 10.2, pp. 39-40
2.7
The Australian Federal Police (AFP) said that it has submitted 98 MARs to the USA since 2014 for telecommunications data in relation to the following offences:
29 related to drug offences
26 related to terrorism offences
24 related to child sex offences
11 related to money laundering offences
4 related to foreign bribery offences
3 related to human trafficking offences
1 related to a range of serious (unspecified) offences.
2.8
The Commonwealth Director of Public Prosecutions (CDPP) said that the majority of requests for evidence sought through mutual assistance are for stored communications data and telecommunications data:
It is the latter two – stored communications data and telecommunications data which form the preponderance of evidence sought through mutual assistance, predominantly from the major [communications service providers (CSPs)] located in the US, for example Facebook, Microsoft and Google. The range of CSPs in the US is increasing as new applications and products become available.
2.9
The growth in requests for telecommunications data is not unique to Australia. The Synod of Victoria and Tasmania, Uniting Church said that cross-border requests are needed in a significant number of criminal investigations in the European Union:
The European Commission reported in April 2018 that more than half of all investigations at that time involved a cross-border request to access electronic evidence. Electronic evidence is needed in approximately 85% of criminal investigations. In two-thirds of the investigations, there is a need to request evidence from online service providers based in another jurisdiction. The number of requests to Facebook, Google, Microsoft, Twitter and Apple grew by 70% between 2013 and 2016, from 35,300 requests to 60,200 requests.
2.10
Countries have the ability to negotiate treaties with individual states to expedite or clarify aspects of the process. As at November 2019, Australia had 29 bilateral mutual assistance relationships in place. However, the absence of a treaty does not prevent Australia submitting a Letter of Request through diplomatic channels.
2.11
The Department of Home Affairs suggested that the mutual legal assistance process can no longer keep pace with technological advances:
International crime cooperation mechanisms (such as mutual legal assistance) remain the principal means to obtain evidence, including electronic data, from foreign jurisdictions for use in criminal investigations and prosecutions. However, the digital world and the rapid increase in digital evidence for all types of criminal offences – not just cyber offences – is fundamentally undermining international crime cooperation. The traditional mechanism of mutual legal assistance has proven to be a slow and cumbersome way of working, not responding sufficiently to this fundamental shift in the offshore storage of Australians’ data.
2.12
Microsoft also considered the Mutual Legal Assistance Treaty (MLAT) provisions are no longer fit for purpose:
Microsoft has long recognised that the traditional Mutual Legal Assistance Treaty (MLAT) processes for enabling governments’ access to data held in foreign jurisdictions is no longer fit for purpose and hinder the ability of law enforcement to effectively investigate crimes and ensure public safety. This is a valid frustration shared by many nations, including Australia.
2.13
The CDPP indicated that some MARs can take between 10–12 months and the Committee received evidence that in some cases the timeframe can be significantly longer – for example, the AFP said that it took nearly four and a half years to receive formally sealed MAR material in a child exploitation case.
2.14
The NSW Police provided that the timeframe for response to a MAR prevented a full range of charges being brought against an offender using Facebook to threaten to kill and intimidate a victim, as provided in the following case study.
Box 2.1: NSW Police Case Study – Use of carriage service to threaten to kill – withdrawal of prosecution on 16 counts
Between 2013 and 2015, the alleged offender used the on-line social media platform Facebook to threaten to kill and intimidate a victim. The offender created multiple Facebook accounts in false names and sent the victim threats and pictures of the victim’s deceased relatives. The offender also created a Facebook account in the victim’s own name and sent themselves harassing messages purporting to be the victim. The offender applied for an Apprehended Violence Order (AVO) against the victim, causing the victim considerable expense and hardship. The offender also used Facebook to invite persons to the victim’s residence for sexual activity.
Facebook provided Internet Protocol (IP) address details that investigators used to identify the offender by linking Facebook accounts to his computer. However, the addresses were provided as ‘Intelligence only’ and did not provide a statement/evidentiary certificate for production at court.
The accused was charged with 22 offences in 2015. The IP logs provided by Facebook linking the offender to the accounts could not be produced in the court proceedings. Investigators submitted an MLAT request for all accounts created by the offender in 2015 and to Google to link the email address used in the creation of the accounts to the offender. The prosecution sought an estimated completion date for the request. A completion date could not be provided.
The MLAT request was ultimately complied with in 2019. As a result of the delay, 16 charges were dropped. The offender was convicted of six out of the 22 offences.
2.15
Similarly, the AFP has provided several case studies showing that delays in the MAR process can result in the continuation of criminal activity, affecting additional victims and prolonging trauma.
2.16
The difficulty of the mutual legal assistance process in enabling evidence gathering in the USA led to the passage of the USA’s CLOUD Act.
Enabling provisions of the CLOUD Act
2.17
The catalyst for the introduction of the CLOUD Act was a 2013 civil court case where Microsoft challenged a US warrant for data held on an overseas server:
… the CLOUD Act resolved a case that Microsoft brought in 2013 and ended at the US Supreme Court—the Microsoft Ireland case—in which we challenged a US government warrant for data held in our Irish data centre. We didn't bring our case out of a desire to frustrate law enforcement; we brought that case to derive the systemic changes necessary to advance public safety and security while at the same time ensuring adequate protections for privacy, human rights and digital sovereignty.
2.18
Prior to the introduction of the CLOUD Act, a warrant was issued under the US Stored Communications Act which could be served on a telecommunications organisation under USA jurisdiction.
2.19
However, the CLOUD Act dictates that warrants issued to a provider in the US under the Stored Communications Act apply regardless of where the data is held. The CLOUD Act also enables the US government to enter into bilateral agreements with foreign countries. The International Civil Liberties and Technology Coalition summarised the provisions as follows:
The first part of the CLOUD Act now clarifies that US government requests under the Stored Communications Act of companies that are under US jurisdiction apply, regardless of whether the data is located within or outside of the United States. The second part of the US CLOUD Act is directly relevant to the international production orders bill. It sets up a process through which countries like Australia can enter into a bilateral agreement with the United States that will enable each country to bypass the time-consuming traditional mutual legal assistance treaty, or MLAT, process for gaining access to electronic communications information. This will allow law enforcement officials in each country to make direct requests to be considered in the other country in order to obtain communications information like emails.
2.20
The Department of Home Affairs has indicated that Australia is seeking to enter into a bilateral agreement with the US.
Australia is likely to be the next qualifying foreign government to enter into an agreement with the United States (after the United Kingdom, who finalised an agreement with the United States in October 2019). On 7 October 2019, Australia and the United States announced the commencement of formal negotiations for a bilateral agreement pursuant to the CLOUD Act.
2.21
The authorisation process and its compatibility with the requirements of the CLOUD Act are discussed further in Chapter 3.
Incoming international production orders
2.22
The Bill makes general provisions for incoming orders and requests. The incoming international production orders (IPO) clauses operate to remove barriers to Australian communications providers cooperating with requests:
The removal of blocking provisions is reasonable and necessary in the circumstances, as it ensures Australian communications service providers are not be prevented from responding to requests for communications data by foreign governments with which Australia has a designated international agreement, and which are expected to operate under the principle of reciprocity. These measures are permissive in nature, and place no obligations under Australian law on Australian communications service providers to provide data in response to an incoming request.
2.23
The Department of Home Affairs said that a successful cross-border access to data agreement requires blocking statutes to be lifted:
Cross-border access to data agreements are expected to be reciprocal and to require that Australia remove blocking statutes to ensure that Australian industry can disclose electronic data to a foreign authority.
2.24
The substance of conditions relating to the treatment of incoming IPOs are expected to be covered in designated international agreements, rather than in the proposed Act itself.
Designated international agreements
2.25
The Bill provides for a bilateral or multilateral designated international agreement (DIA) to be made between Australia and a foreign country.
2.26
The Explanatory Memorandum defines the intent of clause 3 of the Bill for designated international agreements to be specified in the regulations and subject to disallowance:
Subclause 3(1) provides, for a bilateral agreement to be a designated international agreement, it must be an agreement that is between Australia and a foreign country, that is specified in the regulations and has come into force. Any regulations made under subclause 3(1) will be legislative instruments and subject to disallowance.
2.27
The Inspector-General of Intelligence and Security (IGIS) suggested the Bill may not provide sufficient certainty that DIAs will be tabled in Parliament and published publicly:
IGIS assumes that subclause 3(7) of proposed Schedule 1 will mean that any designated international agreement that is entered into for the purposes of the IPO framework will be tabled in the Parliament and made public. However, the Committee may wish to seek assurances that this will be the case, as this provision could be interpreted differently. IGIS would be concerned to be in a position where agencies are held accountable to standards that have not been made public. This would be likely to affect IGIS’s statutory responsibility to assure the Parliament and the public that intelligence and security matters are open to scrutiny.
2.28
In response, the Department of Home Affairs said that designated international agreements would be made available through parliamentary processes and by publication in treaties databases:
… designated international agreements, including any amendments to these agreements, would be made publically available through the usual parliamentary processes and publication in treaty databases. It is normal practice that bilateral treaties are confidential between the parties until the treaty has been signed, unless both parties agree to earlier disclosure. After signing, all treaties must be tabled in Parliament to facilitate public consultation and parliamentary scrutiny.
Under Article 102 of the Charter of the UN, any Treaty that comes into force must be registered with and published by the UN. Additionally, the designated international agreements as treaties will also be published in the Australian Treaties Database and Australian Treaties Library.
2.29
The Australian National University Law Reform and Social Justice (ANU LRSJ) Research Hub also suggested that the Committee and the Office of the Australian Information Commissioner should scrutinise proposed DIAs in addition to the Parliamentary Joint Standing Committee on Treaties (JSCOT) against several criteria:
In addition to review by the Parliamentary Joint Standing Committee on Treaties (PJSCT), we recommend that any entry into a designated international agreement is carefully scrutinised and assessed by the PJCIS and the Office of the Australian Information Commissioner (OAIC) and that such reviews consider (among other things):
The domestic privacy protections available in the other jurisdiction, and whether they are equivalent to the protections afforded under Australian law;
Whether the agreement allows for requests or orders to be issued in circumstances that afford lower protections than those under the current Australian framework;
The circumstances under which Australian companies would be required to comply with the order and whether there is appropriate scope for Australian companies not to comply if they fear the information may be used to harm an individual or in a manner not commensurate to the security value of the information;
The likely use of information by the foreign jurisdiction, especially whether surveillance measures have been deployed to prevent dissidents from raising valid concerns with the government;
The adherence of the foreign jurisdiction to the rule of law and whether appropriate oversight mechanisms are in place;
Whether the agreement provides for domestic reporting of requests made and granted similar to the reporting required under the IPO framework.
2.30
The Bill provides that where there is an agreement in place between Australia and one or more foreign countries, the regulations will continue to recognise the DIA as an agreement when amended. The Law Council said that this provision would displace the provisions of the Legislation Act 2003 that ensures that other legislative instruments include the conditions in force at the time the regulation was made:
The result of Clause 182 of the Bill disapplying subsection 14(2) of the Legislation Act is that, once regulations are made under Clause 3 to prescribe a named agreement with a foreign country as a DIA (and thereby enliven the IPO regime), the regulations will continue to recognise that agreement as a DIA even after it is amended. This means that the executive government is not required to table new regulations in Parliament (with a new disallowance period) whenever the relevant agreement is amended. Consequently, the Parliament is deprived of the opportunity to disallow potentially significant amendments to the agreement, in respect of which it may have exercised its disallowance power had those matters been included in the original version of the agreement when the regulations were tabled.
2.31
The Department of Home Affairs responded that it is the intention that ‘all amendments to designated international agreements will be subject to Australia’s treaty-making requirements, including tabling in Parliament and consideration by the Joint Standing Committee on Treaties’ and that amendment of the clause could cause uncertainty about the status of IPOs:
If the reference to agreements as ‘amended and in force from time to time’ in clause 182 were removed, this would mean an agreement would need to be specified as a new agreement in the regulations each time it is amended, extended or renewed for a further period.
This could lead to uncertainty about the status and/or operation of international production orders that have already been issued or are in force when a new agreement is entered into and comes into force.
2.32
While the Bill would allow for Australia to negotiate DIAs with foreign governments for reciprocal arrangements, the Department of Home Affairs said that the main priority is the negotiation of an agreement with the US:
There's no priority list at this stage. The US is the No. 1 priority, for obvious reasons, as it is the data storer for a large part of the world when you're talking about Facebook, Google, Apple and others. It is a real priority. It's what Australians are using in their day-to-day communications. They happen to all be in the US, so this is the No. 1 priority.
After that, once we're able to get that agreement in place, we would consider what other ones might be a priority. The reasons for those priorities could include what other countries have significant data holdings in relation to Australian communications, or what other countries have like-minded processes whereby we could make an agreement. But that is not in consultation at the moment. It's the US that we are absolutely focused on for the first bilateral agreement.
2.33
Submitters have suggested that a draft of the DIA should be made available prior to finalising it. However, the Department of Home Affairs has indicated that releasing a draft version is not their intention, and that concerned parties should look to the agreement between the US and the United Kingdom (UK) for broad guidance on expected inclusions in the agreement – discussed further below.
2.34
Once the terms of a designated international agreement has been agreed by representatives of both State parties, the instrument is tabled, subjected to scrutiny processes and subjected to a period of disallowance. In Australia, the standard timeframe for disallowance is 15 sitting days; however, the US Congress has a period of 180 days to disallow the instrument
International comparisons
2.35
As the only country that has finalised negotiations with the US on a CLOUD Act agreement, the agreement between the US and the UK signed on 3 October 2019 is a reference to compare to the provisions of the Bill.
2.36
The agreement provides that subject to judicial review or oversight, the US or the UK may approach a provider to seek stored or live communications through each party’s Designated Authority. An issuing country may approach a receiving country’s communications provider directly for subscriber information without submitting through the relevant Designated Authority.
2.37
The issue of such orders are restricted, in broad terms, to those who are not citizens, residents, or organisations of the country receiving the request.
2.38
The agreement expressly provides that the issuing country’s Designated Authority shall review the orders to ensure compliance with the agreement and provide a written certification that the order is lawful and complies with the agreement. A provider in receipt of an order may raise objections with the issuing Designated Authority in the first instance, and the issuing Designated Authority must respond.
2.39
Where an agreement cannot be reached, the agreement states that a communications provider may approach the Designated Authority of the receiving country. Upon consideration, the receiving country’s Designated Authority may determine that the agreement does not apply to the order.
2.40
The agreement states that an issuing country must seek permission from the receiving country’s Designated Authority if an order would seek information in a way that could be used in the prosecution of a death penalty case – as in the US – or in a way that would infringe upon freedom of speech – as in the UK. A receiving country may impose restrictions on how the information can be used, or may decline the information being used entirely.
2.41
The agreement provides that parties shall engage in a review of compliance with the terms of the agreement, and that each party shall provide an annual report detailing aggregated data concerning the use of the provisions of the agreement.
2.42
Finally, the agreement is in force for a five year period, but may be extended for an additional five year period through an exchange of diplomatic notes – or any other period as agreed.
2.43
Following the required period of notice, the agreement came into effect on 8 July 2020.
Committee comment
2.44
The Committee notes the evidence received from submitters in relation to the challenges posed by the mutual legal assistance process, and that the regulatory requirements of MARs create inefficiency for the investigation and prosecution of serious offences.
2.45
The Committee thanks the Australian Commission for Law Enforcement Integrity, the Corruption and Crime Commission (WA), the Australian Federal Police and NSW Police for providing case studies to enhance its understanding of the operational consequences of delays with the mutual legal assistance process.
2.46
On its face, the CLOUD Act will provide opportunities to streamline requests for information, and the Committee supports this intent, and Australia’s desire to negotiate a designated international agreement with the USA in the first instance.
2.47
The Committee notes that the provisions of the Bill are designed to be non-prescriptive to allow for details to be decided between parties in consideration of the laws of the country with which Australia is seeking to make a designated international agreement.
2.48
While the Committee generally supports this principle, the Committee supports the concerns raised by the Law Council of Australia and the Inspector-General of Intelligence and Security that certain core aspects related to designated international agreements are not sufficiently explicit.
2.49
The Committee welcomes the advice of the Department of Home Affairs that the Parliamentary Joint Standing Committee on Treaties will have the opportunity to scrutinise proposed designated international agreements as part of the treaty-making process.
2.50
The Committee also welcomes the advice of the Department of Home Affairs that it will adhere to the practice of advising foreign countries that Australia has taken all appropriate steps to enter the agreement into force only after the period of disallowance has expired.
2.51
The Committee considers that while a designated international agreement should come into force at the expiry of the disallowance period provided by the Legislation Act 2003 (i.e. 15 sitting days) the bill should be amended to allow for the statutory disallowance period to align with foreign country Australia is seeking to make an agreement with.
2.52
The Committee recommends that the bill be amended to provide that a designated international agreement must be published and tabled in the regulations, subject to parliamentary scrutiny and subject to a period of disallowance. The Committee also recommends that the bill be amended to provide that the statutory disallowance period should reflect the longer of the standard 15 sitting days disallowance period, or the disallowance period that applies in the foreign country.
2.53
The Committee recommends that a new subclause be added to the proposed Clause 182 of Schedule 1 to the Telecommunications (Interception and Access) Act 1979 to provide that designated international agreements must be published and tabled in the regulations, subject to parliamentary scrutiny, and subject to a period of disallowance.
For the commencement of the regulations, proposed Schedule 1 should be amended to provide that regulations made under clause 3 (i.e. listing an agreement as a designated international agreement) cannot commence until no earlier than the expiry of the standard period for disallowance (i.e. 15 sitting days) under the Legislation Act 2003, or until the commencement of the other party’s agreement, whichever is the longer.
For the period for disallowance, the bill should be amended to provide that the statutory disallowance period for regulations made under proposed clause 3 of Schedule 1 is the longer of:
the standard period for disallowance under the Legislation Act 2003; or
the period for disallowance that applies in the parliament of the foreign country (i.e. the other party to the relevant international agreement).
2.54
The Committee notes that the Department of Home Affairs suggested that amendments to designated international agreements would be made publicly available through parliamentary processes and published in treaties databases.
2.55
The Committee also notes the advice of the Department that uncertainty regarding the authority of designated international agreements could have an adverse impact on the outcome of IPO processes.
2.56
The agreement between the USA and the UK allows for the agreement to be extended for an additional period following the initial term. The Committee notes that there is a potential benefit to being able to extend an agreement with a foreign government without amendment when the agreement is working effectively.
2.57
However, the Committee also considers that periodic scrutiny of agreements will provide Australians with assurance that the provisions of the agreement are being used effectively and appropriately. Therefore, the Committee recommends that a designated international agreement should be authorised to be extended for a period of three years following commencement, but that a parliamentary scrutiny process should apply a further extension. For the avoidance of doubt, the Committee also recommends that where an amendment is made, the amended designated international agreement should be specified as a new agreement and subject to appropriate parliamentary processes.
2.58
The Committee recommends that an additional subclause be added to the proposed Clause 182 of Schedule 1 of the Telecommunications (Interception and Access) Act 1979 to provide that a designated international agreement may be renewed or extended for a period of three years without completing the parliamentary treaty process, if such a renewal or extension is proposed without amendment to the agreement.
However, the Committee recommends that the clause also provide that, following the term of the initial agreement and any additional three year period, any further renewal or extension should be subject to parliamentary scrutiny and disallowance even where no amendment is proposed.
Finally, the same clause should also be amended to provide that, whenever an amendment to a designated international agreement is made or proposed, the amended agreement must be specified as a new agreement in the regulations and thus subject to the usual parliamentary treaty process and be subject to disallowance.
2.59
The Committee notes that the agreement between the United States and the United Kingdom provides protections for issue of orders against its citizens and addresses specific human rights issues impinging on sharing of information, and that the Bill is intended to be a framework to allow for negotiation.
2.60
However, the CLOUD Act also requires several conditions to be contained in an executive agreement, which includes matters addressed by the Bill, such as appropriate external authorisation, robust oversight, consideration of human rights matters, prevention of third-party requests and ensuring that requests relate to the prevention, detection, investigation or prosecution of serious crime, including terrorism.
2.61
Where a designated international agreement permits a foreign country to issue orders or requests directly to Australian communications provisions, the Committee considers that it would be appropriate for the designated international agreement to contain minimum requirements for orders, including that:
it be appropriately targeted towards specific accounts, persons, other specific identifiers (clearly excluding indiscriminate or bulk data collection);
subject to a specified period of time and subject to reauthorisation if required; and
issued pursuant to domestic legal criteria designed to ensure they are reasonable, proportionate and necessary or other equivalent thresholds. This requirement would not require the same Australian particularly exacting standard (e.g. reasonable grounds of criminal suspicion), but achieve similar objectives (e.g. probable cause in the United States).
2.62
The Committee considers that it would be appropriate for a country seeking a designated international agreement to have sufficient safeguards in place to detail how Australian-sourced information would be handled, used and disclosed. In the Committee’s view, this requirement should allow for a foreign country with a designated international agreement to seek permission to share information on a case-by-case basis or through a standing permission – for instance, allowing consideration of legitimate information sharing with INTERPOL, EUROPOL, war tribunals or the International Criminal Court.
2.63
The Committee considers that there is an opportunity for the Bill to be more prescriptive in relation to incoming international production orders on issues that will not preclude the successful negotiation of agreements with like-minded countries on issues such as protection of information, respect of law, and proportionality, and recommends that the Bill be amended to explicitly outline these principles.
2.64
The Committee recommends that a new subclause be included in proposed Clause 3 of Schedule 1 of the Telecommunications (Interception and Access) Act 1979 to provide that – in order to qualify as a designated international agreement – the agreement must:
prohibit the foreign government from intentionally targeting an Australian citizen or permanent resident; or
prohibit the foreign government from intentionally targeting a non-Australian person located outside of Australia if the purpose is to obtain information about an Australian citizen or permanent resident;
in relation to production orders for the interception of communications, require that the interception activities of the foreign government only be carried out for the purpose of obtaining information about communications of an individual who is outside of Australia;
provide that all production orders must comply with the minimum requirements for foreign orders specified in paragraph 2.61;
include safeguards for the use, handling and disclosure of information, as set out in paragraph 2.62;
provide that all production orders must comply with the domestic law of the relevant foreign country;
provide that production orders must not last longer than is reasonably necessary to accomplish the approved purposes of the order;
provide that no production order may relate to the prevention, detection, investigation or prosecution of a political offence or an offence that is not recognised in the ordinary criminal law of Australia; and
provide that a production order may only be issued if the same information could not reasonably be obtained by another less intrusive method.
2.65
In addition, the Committee considers that a provision should be inserted to prevent a foreign government from seeking information on behalf of a third-party government. However, the Committee also notes that there may be some benefit in allowing cooperation with international bodies when mutually beneficial – see paragraph 2.62 – and the Committee therefore recommends that such a prohibition not preclude a country with a designated international agreement from seeking authority to share Australian-sourced information as set out in Recommendation 4.
2.66
The Committee recommends a subclause be included in proposed Clause 3 of Schedule 1 of the Telecommunications (Interception and Access) Act 1979 to provide that a designated international agreement shall not permit a foreign government to:
issue an order at the request of or to obtain information to provide to the Australian government or a third-party government, nor shall the foreign government be required to share any information produced with the Australian government or a third-party government.
such a prohibition will not preclude a foreign government seeking authorisation to share information as set out by Recommendation 4.
2.67
Noting that the intention of the Bill is to allow for information to be sought in relation to serious offences and issues related to terrorism and Australia’s national security, the Committee considers that it would be appropriate to articulate this purpose in the Bill.
2.68
The Committee recommends a subclause be included in proposed Clause 3 of Schedule 1 of the Telecommunications (Interception and Access) Act 1979 to provide that incoming international production orders under a designated international agreement must only be issued for the purpose of obtaining information relating to the prevention, detection, investigation or prosecution of serious crime, including terrorism.
2.69
The Committee notes that if its recommendations are accepted, it would be appropriate for the Attorney-General, with the concurrence of the Minister for Home Affairs to provide assurance that the conditions for a designated international agreement have been met – such as those set out at Recommendation 4 and Recommendation 8 of this report. The Committee therefore recommends that the Bill be amended to require the Attorney-General with the concurrence of the Minister for Home Affairs to submit a written certification, including a detailed explanation, where it has determined the agreement has met the statutory requirements.
2.70
The Committee recommends that proposed Clause 182 of Schedule 1 to the Telecommunications (Interception and Access) Act 1979 be amended to provide that, for the purposes of the Act, an agreement – and a foreign government – will be considered to satisfy the statutory requirements (including the requirements set out in Recommendation 4 and Recommendation 8 of this report) if the Attorney-General, with the concurrence of the Minister for Home Affairs:
determines that the agreement and the foreign government satisfy the statutory requirement; and
submits a written certification, including a detailed explanation, of such a determination to the Joint Standing Committee on Treaties. That certification should be provided at the same time that the regulations are tabled.
Human rights obligations
2.71
Australia is a party to the International Covenant on Civil and Political Rights (ICCPR) which provides for the right to life (art. 6), the protection against arbitrary or unlawful interference with privacy (art. 17), and the protection of the right to freedom of expression (art. 19) and these matters are engaged by the provisions of the Bill.
2.72
Several submitters to the inquiry commented that a precondition to entering into a bilateral agreement with the US is the adherence to applicable international human rights obligations. The Attorney-General’s Department said that matters concerning incompatibility under international law will be considered as part of the parliamentary scrutiny process:
There are various safeguards in section 8 of the [Mutual Assistance in Criminal Matters Act 1987] relating to the Attorney-General’s grounds of refusal of assistance. For example, there are mandatory and/or discretionary protections relating to the death penalty, torture, military offences, political offences, dual criminality, double jeopardy, national security and national or State/Territory interests. AGD understands that the inclusion of appropriate safeguards in a DIA that Australia seeks to implement under the Bill framework will be negotiated on a case-by-case basis with the particular country or countries and subject to Parliamentary scrutiny. That is, before Australia’s ability to issue IPOs pursuant to a DIA is given effect in Australian domestic law by way of regulations under the Bill, those agreements must be laid before Parliament and are subject to scrutiny by the Joint Standing Committee on Treaties, parliament and the public.
2.73
However, in its submission to the inquiry the Law Council of Australia considers that the Bill has inadequate human rights protections:
It seems to us that there are no legal safeguards in the bill that would prohibit Australia from giving domestic legal effect to an agreement that could be used to disclose information that could in turn be used to inculpate a person in foreign death penalty proceedings; to prosecute a child as an adult; to prosecute a person for a political offence that, in substance, targets peaceful dissent, advocacy or discussion; to violate rights to freedom of expression, such as targeting a journalist's source or telling a journalist to disclose their sources; and to prejudice a person's right to a fair hearing by targeting and using information that's subject to client legal privilege.
The right to life
2.74
The Bill does not refer to human rights obligations aside from the right to life, where the Minister must seek written assurance about the use or non-use of Australian-sourced information in the prosecution of a case that could attract the death penalty.
2.75
The Capital Punishment Justice Project suggested that the wording of Clause 3 provides ambiguity in how Australian-sourced information could be used in death penalty cases in the US:
Clause 3 of proposed Schedule 1 does not, for example, impose an obligation on the Minister to obtain in writing an absolute assurance from the foreign government in question that information provided from Australian sources will not, in any circumstances, be used in death penalty proceedings, or in investigations of crimes that may attract the death penalty in their jurisdiction. There is also no requirement that the Australian sourced information in such instances will only be used for exculpatory purposes. As such, these proposed provisions are in practice capable of permitting actions which are incompatible with Australia’s stated foreign policy position, of being against the death penalty in all circumstances.
2.76
The Law Council of Australia echoed the concerns of the Capital Punishment Justice Project, and noted that the intention of the relevant clause outlined in the Explanatory Memorandum does not accord with the proposed statutory provision:
These provisions use the broad ambulatory words ‘relating to’ to prescribe the requisite nexus between ‘Australian-sourced information’ and either its use or non-use by foreign countries in death penalty cases. There is no explicit requirement for the Minister to be reasonably satisfied that Australian sourced information will only be used in a manner that is compatible with international human rights obligations with respect to the right to life, and is consistent with Australia’s bipartisan foreign policy position of opposing the death penalty in all countries.
2.77
The Attorney-General’s Department said that the relevant intent of the clause is to prevent the Minister from specifying a DIA without written assurance restricting or excluding information from death penalty cases:
… the Bill provides that the Minister cannot specify a DIA without a written assurance from the relevant partner country regarding restricting or excluding the use of Australian-sourced information in a proceeding relating to a foreign offence that is punishable by death.
2.78
In addition, the Attorney-General’s Department said that seeking assurances as part of the treaty negotiating process can take a variety of forms:
The Australian Government has previously received written assurances regarding the death penalty in a range of forms. For example, a written assurance may be contained in a single document, or across a number of documents, such as the text of the agreement, a letter or exchange of letters, or a record of understanding or memorandum of understanding. The written assurances may deal with how Australian-sourced information may be used by the foreign country in proceedings in connection with prosecutions for death penalty offences, including for exculpatory purposes, and subject to any restrictions or conditions. They may also specify that Australian-sourced information is not to be used in prosecutions of offences that attract the death penalty. This approach to death penalty risks is broadly comparable with Australia’s existing MLA arrangements concerning the death penalty at the prosecution stage.
2.79
Mr Andrew Warnes, Assistant Secretary, National Security Policy Branch, Department of Home Affairs said that protections surrounding right to life will be at the centre of negotiations for designated international agreements:
Further, I would like to note a core protection in the bill concerning the death penalty. The bill provides that a country that has the death penalty must provide a written assurance about the use of information obtained from Australian service providers in death penalty prosecutions before an agreement can be designated. This will ensure that the death penalty is of paramount consideration from the outset in negotiating and settling international agreements and that Australia's longstanding opposition to the death penalty can be reflected. The use of assurances to protect Australia's death penalty interests is a longstanding practice in related mutual assistance regimes.
The framework set out in the bill will be supplemented by additional safeguards and protections within designated international agreements. Agreements will set requirements for foreign countries that reflect Australian values such as respect, the rule of law, privacy and civil liberties.
Protection against arbitrary or unlawful interference with privacy
2.80
The ICCPR provides that ‘no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour and reputation, and that everyone has the right to the protection of the law against such interference or attacks.’
2.81
The Attorney General’s Department said that not all interferences with privacy are unlawful under international human rights law:
Not all interferences with privacy are unlawful. To be permissible as a matter of international human rights law, interferences with privacy must be according to the law and not arbitrary. In order not to be arbitrary, any such interference must be reasonable and necessary in the particular circumstances, as well as proportionate to the objectives it seeks to achieve.
2.82
The Explanatory Memorandum states that the provisions of the Bill necessarily intrude on individual privacy for a permitted purpose:
The purpose of the Bill, and the associated limitations on the protection against arbitrary or unlawful interference with privacy, are to protect national security, public safety, and address crime and terrorism. The Bill aims to protect the rights and freedoms of individuals by providing law enforcement and national security agencies with the tools they need to keep Australians safe.
2.83
The Bill proposes a number of measures designed to ensure that an individual’s privacy is weighed against the overarching obligation to ensure the overall safety of Australians. There are specific measures included as part of the authorisation process that are discussed in Chapter 3. However, several submitters raised concerns about the implications of the Bill on privacy outside of the authorisation process.
2.84
The Australian Privacy Foundation said that the Bill is ‘a manifestation of a drip by drip erosion of privacy protection in the absence of a justiciable constitutionally-enshrined right to privacy in accord with international human rights frameworks’ and further that:
… the Bill seeks to enable “the exemption from Commonwealth laws restricting interception or disclosure” on the basis of a designated international agreement: a low threshold at odds with the Minister’s reference to “robust privacy and civil liberty protections”.
That threshold should be contextualised through reference to ongoing ‘privacy creep’ (ie drip by drip year by year erosion of privacy protection) and the regulatory incapacity of watchdogs such as the Commonwealth Ombudsman and Office of the Australian Information Commissioner.
2.85
The ANU LSRJ Research Hub said that access to digital surveillance by law enforcement agencies has increased through relatively recent passage of laws:
In Australia, powers of law enforcement agencies have increased through the passage of laws, granting:
Access to metadata, that must be held by telecommunications providers for two years;
Extended warrant schemes under the TIA Act and the Crimes Act allowing for greater access to information stored digitally (see especially s. 3F Crimes Act); and
Greater powers to compel assistance from technology companies (in regard to accessing information) through the use of TARs, TANs and TCNs under the TIA Act, following amendments made at the end of 2018.
2.86
The increase in global connectivity provides an ongoing exercise in balance between individual privacy and the investigation or prosecution of serious crimes and national security. The Explanatory Memorandum discusses serious crimes and their online elements:
Almost every crime type and national security concern has an online element— agencies require electronic information and communications data not only for cyber investigations but also for investigations and prosecutions regarding violent crimes, human trafficking and people smuggling, drug trafficking, financial crimes, terrorism and child sexual abuse.
2.87
In its case study below, the AFP said that delays in the outcome of investigations puts a victim at risk of continued offending, and creates potential new victims.
Box 2.2: AFP Case Study – Child exploitation investigation – delays on behalf of overseas jurisdiction
Investigation Summary
The AFP was investigating an individual who was blackmailing a juvenile to produce child abuse material (CAM). The AFP identified content held by a carriage service provider located in a foreign country, which was crucial to prove elements of the offence. Accordingly, the AFP initiated an MAR with the Australian Central Authority.
MAR Challenges
In this case, there were significant delays with the foreign Central Authority progressing the MAR and seeking the material from the provider.
The AFP received the material 9 months after initiating the MAR process. In the meantime, the offender continued to produce CAM and was distributing it to contacts, resulting in ongoing offending and harm to the victim.
The material obtained via MAR was fundamental for investigators to be able to link the offender to the production of the CAM.
As a consequence of this delay over a 9 month period, the offender was also able to actively use another online forum, potentially to groom further victims.
Alternative Impact if an IPO was available
An IPO would have allowed the request to be quickly directed to the relevant foreign provider, who would then be in a position to provide the content or data directly back to Australian authorities, likely within much shorter timeframes.
Any reduction in timeframes in this matter would have significantly hindered the offender in being able to continue using forums to identify and target other victims, while reducing the overall length of the investigation (including reducing strain on AFP resources) and initiation of a more timely justice process.
2.88
The Explanatory Memorandum says that ‘it is expected that consideration of protections and safeguards related to privacy will also be a consideration when developing international agreements’ and this principle is also stated in submissions by the Department of Home Affairs and the Attorney-General’s Department.
2.89
The Independent National Security Legislation Monitor (INSLM) recently outlined the importance of independence, and the appearance of independence, in the inquiry into the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (TOLA Act):
This independence engenders the necessary trust in the minds of members of the public that the powers are being exercised in a manner that is no more than is necessary. A proper appreciation of the impact of an intrusive TOLA power depends upon the issuer being independent of the agency concerned and, importantly, having technical knowledge. The powers under TOLA cannot be exercised, let alone their impact understood, in the absence of independent technical expertise.
2.90
The Law Council of Australia said that access to technical expertise – in addition to special advocates – to provide advice on the potential impacts of the use of technology on an individual’s privacy, and how intrusive such technical measures are would be a useful tool to support independent decision-makers in supporting applications for IPOs.
2.91
BSA | The Software Alliance said that IPO applications should be made in consultation with technological providers who are most qualified to provide weight to technical capabilities.
2.92
The INSLM proposed the introduction of an investigatory powers division to be established within the Administrative Appeals Tribunal. The proposed division would have the ability to consider applications for access to intrusive telecommunications powers under the TOLA Act and appoint a panel of technical and legal advisers to the division in carrying out its functions.
2.93
The INSLM said that such a mechanism would be valuable in the establishment of the IPO framework:
The desirability of a decision-maker independent of the executive and its agencies is recognised in the Government’s Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (IPO Bill), which is a critical step that enables Australia to seek a bilateral agreement with the US under their Clarifying Lawful Overseas Use of Data Act 2018 (CLOUD Act). The IPO Bill would enable Australia to give effect to such a bilateral agreement by creating a new international production order framework that allows Australian law enforcement and intelligence/security agencies to issue or obtain extraterritorial orders for electronic data on foreign DCPs (where there is an agreement in place).
2.94
The CLOUD Act provides additional protections for the privacy of its citizens, stating that an agreement requires:
(A) the foreign government may not intentionally target a United States person or a person located in the United States, and shall adopt targeting procedures designed to meet this requirement;
(B) the foreign government may not target a non-United States person located outside the United States if the purpose is to obtain information concerning a United States person or a person located in the United States;
(C) the foreign government may not issue an order at the request of or to obtain information to provide to the United States Government or a third-party government, nor shall the foreign government be required to share any information produced with the United States Government or a third-party government…
The protection of the right to freedom of expression
2.95
In 2015, the Committee’s advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 (‘Data Retention Bill’) noted the importance of the principle of press freedom and the protection of journalists’ sources and subsequently conducted an additional inquiry into how to protect those principles under the data retention regime.
2.96
While the second inquiry was underway the Bill was amended to include journalist information warrants, a process that ascribes a higher degree of consideration to applications by law enforcement or the Australian Security Intelligence Organisation (ASIO) when seeking access to the data of a journalist in order to identify their source.
2.97
In 2019, the Committee was asked to review the impact of national security legislation on the freedom of the press by the Attorney-General. The Committee tabled its report in August 2020 and made a series of recommendations to address the freedom of the press in Australia.
2.98
The IGIS said that journalist protections provided under domestic legislation were not replicated in the Bill:
The Bill proposes to establish a new authority for agencies to be able to obtain the content of communications and telecommunications data of certain persons, in parallel with existing domestic regimes. However, some of safeguards that are afforded under Australia’s existing domestic scheme for the same type of information do not appear in the Bill. For example, the domestic regime provides additional protections where ASIO or law enforcement agencies are seeking to access the telecommunications data of a journalist for the purpose of identifying another person whom is reasonably believed to be that journalist’s source.
2.99
In response, the Department of Home Affairs said that independent authorisation in addition to governance and accountability mechanisms would be sufficient to ensure protection of journalistic privilege:
The journalist information warrants under the TIA Act provide an additional layer of protection telecommunications data relating to journalists’ sources. An independent authorisation by a decision-maker outside of the agency will issue the warrant, rather than the typical process of internal authorisation by agencies for telecommunications data.
However, our domestic interception and stored communications warrants do not include these particular carve-outs as they are already subject to independent authorisation. Exemptions may also raise issues associated with the application of investigatory powers on the basis of profession-based carve-outs and present challenges for agencies in investigating matters relating to crime or national security.
In addition to legislative safeguards, there will be governance and accountability mechanisms, such as ministerial directions under subsection 37(2) of the Australian Federal Police Act 1979. In August 2019, the Minister for Home Affairs issued a Ministerial Direction outlining the Government’s expectations for the AFP in relation to investigative action involving a professional journalist or news media organisation in the context of an unauthorised disclosure of material made or obtained by a current or former Commonwealth officer.
2.100
Mr Karl Kent, Deputy Commissioner of Specialist and Support Operations, said that the AFP would comply with its processes for IPOs related to journalists:
In terms of the AFP's response to that, we would still apply our processes that are put in place in relation to journalists internally in the organisation that reflect the legislative environment in Australia and our changed approach as a result of recent matters in order to strengthen our approach and where we also need to comply with a ministerial direction in relation to journalists and those processes.
2.101
In addition, ASIO restated their concern with having provisions specifically designed for members of the community:
I would say in relation to journalism or, indeed, any profession, that ASIO's point of view is that we have potential concerns if carve-outs are made in relation to a particular class of persons based purely on their profession.
2.102
Mr Michael Fitzgerald, Assistant Commissioner and Commander, Forensic Evidence and Technical Services Command, said that NSW Police would expect to go before a public interest monitor for an application related to a journalist:
What we do support is the current regime under the telecommunications interception act. It's a fairly strict regime and, if we ever did attempt to seek information in regard to a journalist, it would have to go before a public interest monitor. I would assume that it would be the same process that we'd find. I would certainly believe that if we ever did seek this information then it would come across my desk, and then I would seek fairly high-level legal advice and corporate advice in regard to proceeding.
2.103
The Bill provides that for applications made in Victoria and Queensland in relation to interception of data, a Public Interest Monitor will assess the application against the same criteria as the designated decision-maker, in accordance with the statutory requirements of those jurisdictions. The decision-maker must then consider the assessment of the Public Interest Monitor in deciding whether to grant the order. No such provision is made for stored communications data and telecommunications data.
Committee comment
2.104
The Committee notes the concerns raised by submitters in relation to human rights considerations in the Bill. Given the Department of Home Affairs’ advice that designated international agreements will be subject to scrutiny by the Joint Standing Committee on Treaties, the Committee is assured that Australia’s human rights obligations will be given appropriate weight when designated international agreements are considered.
2.105
In relation to submitters’ concerns regarding the right to life, the Committee notes that the Bill requires written assurances from the Designated Authority of the country that has a designated international agreement with Australia regarding any potential use of information sourced from Australia in a death penalty proceeding – the practice that occurs under the current Mutual Legal Assistance Treaty process, which allows cooperation in death penalty cases with appropriate assurances. However, the Committee recommends that additional safeguards in relation to the death penalty and broader human rights considerations be included in the proposed Schedule 1 of the Telecommunications (Interception and Access) Act 1979 to articulate the appropriate thresholds that a country must meet to have a designated international agreement with Australia.
2.106
The Committee considers that requiring a country seeking a designated international agreement to demonstrate respect for the rule of law would provide that Australia may enter into cross-border access to data agreements to be designated under the international production order framework only with countries that that abide by the rule of law and provide equal treatment of an individual or group irrespective of particular characteristics.
2.107
The Committee also considers that requiring a country seeking a designated international agreement to demonstrate respect for international laws, and international human rights recognised as international laws where applicable, would provide assurance that human rights are given adequate weight in designated international agreements. This would include human rights recognised in international treaties, for example the ICCPR, such as:
protection from arbitrary and unlawful interference with privacy;
procedural fairness in law, in the form of rights of due process, and a fair and impartial trial;
freedom of expression, association, and peaceful assembly;
prohibitions on arbitrary arrest and detention; and
prohibitions against torture and cruel, inhuman, or degrading treatment or punishment.
2.108
In addition, the Committee considers that it would be appropriate to require a country seeking a designated international agreement to demonstrate clear legal procedures and restrictions in terms of how government entities, such as law enforcement and national security agencies use electronic surveillance investigatory powers for the purposes of investigating serious crime. The Committee considers that this should include clear legal mandates and procedures that govern the collection, retention, use and sharing of information collected using those powers. In the Committee’s view, such a core principle also recognises the importance the Australian community places on mechanisms that go to accountability, transparency and oversight. The Committee also considers that this requirement would be in addition to the existing requirements in relation to seeking assurances on the use or non-use of Australian-sourced information in connection with prosecutions for an offence that is punishable by death.
2.109
In relation to prosecutions offences punishable by death, the Committee notes that Australia has a long standing commitment to the right to life and the Committee considers that the Bill should more explicitly state Australia’s expectations in relation to use of Australian-sourced material in investigations where death is a sentencing option.
2.110
The Committee recommends that the proposed Schedule 1 of the Telecommunications (Interception and Access) Act 1979 be amended to state that a country seeking a designated international agreement with Australia must meet the following criteria:
Demonstrates respect for the rule of law and the principles of equality and non-discrimination, as set out in paragraph 2.103;
Demonstrates respect for applicable international human rights obligations and commitments, as set out in paragraph 2.104;
Clear legal procedures and restrictions governing the use of electronic surveillance investigatory powers, as set out in paragraph 2.105; and
There is an agreement between Australia and a foreign country; and
If the agreement deals with (among others things) the issue of orders (however described) by a competent authority (however described) of the foreign country; and
One or more offences against the law of the foreign country are punishable by death
The name of the agreement must not be specified under paragraph (1)(b) unless the Minister has received a written assurance from the government of the foreign country relating to the non-use of Australian-sourced information obtained by virtue of the agreement in connection with any proceeding for a death penalty offence in the country or territory.
2.111
The Committee notes the Independent National Security Legislation Monitor’s recommendation that an investigatory powers division be established within the Administrative Appeals Tribunal to have oversight of the powers provided by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018.
2.112
The Committee supports the evidence provided by the Independent National Security Legislation Monitor and notes that the proposed investigatory powers division could have a role in considering international production order requests.
2.113
The Committee considers that strengthening the independence of the authorisation process will provide valuable assurance to foreign governments that requests are appropriate and proportionate to the threat and is broadly supportive of such a model.
2.114
The Committee acknowledges the evidence from the Department of Home Affairs that the authorisation process for international production orders are higher than under the current domestic provisions, and that the Department considers that this process will ameliorate concerns regarding access to journalist information, including sources.
2.115
The Committee will consider the recommendations of the Independent National Security Legislation Monitor in the Committee’s inquiry into the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018.
2.116
However, in line with the recommendations made by the Committee in its recent inquiry into the impact of law enforcement and intelligence powers on the freedom of the press, the Committee considers that its recommendations – such as those related to Public Interest Advocates – be incorporated into the relevant provisions of the Bill.
2.117
The Committee recommends that, where relevant, the Telecommunications and Other Legislation Amendment (International Production Orders) Bill 2020 be amended to implement the recommendations set out in the Committee’s report of its Inquiry into the Impact of the Exercise of Law Enforcement and Intelligence Powers on the Freedom of the Press, including recommendation 2 (i.e. that the current role of the Public Interest Advocate, as provided for under the Telecommunications (Interception and Access) Act 1979 be amended in line with the terms of that recommendation and expanded to apply to applications for international production orders.