Google wants Australia to remove civil penalties from CLOUD Act-readying Bill
Google has raised a handful of concerns with Australia’s pending Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (IPO Bill), including the Commonwealth’s choice of phrasing, the avenues proposed for record-sharing, and the Bill being at odds with the purpose of the United States’ Clarifying Lawful Overseas Use of Data Act (CLOUD Act).
The IPO Bill is intended to amend the Telecommunications (Interception and Access) Act 1979 (TIA Act) to create a framework for Australian agencies to gain access to stored telecommunications data from foreign designated communication providers in countries that have an agreement with Australia, and vice versa. It would also remove the ability for nominated Administrative Appeals Tribunal members to issue certain warrants.
The Bill is a precondition for Australia to obtain a proposed bilateral agreement with the United States in order to implement the CLOUD Act.
The CLOUD Act creates a legal framework regulating how law enforcement can access data across borders.
If the agreement is finalised and approved, service providers in Australia and the US would be able to respond to lawful orders from the other country for access to electronic evidence.
A bilateral CLOUD Act agreement would enable Australian law enforcement to serve domestic orders for communications data needed to combat serious crime directly on US-based companies, and vice versa.
In a submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) and its review of the IPO Bill, Google said while it encourages and supports efforts by the Australian government to negotiate an executive agreement, it said there are certain elements of the Bill that give it cause for concern.
“Especially when considering how the interception powers under this Bill could be used in tandem with technical capability notices under the controversial Telecommunications and Other Legislation (Assistance and Access) Act,” it wrote.
Making a recommendation to the PJCIS, Google said the Bill should not apply to service providers in their capacity as infrastructure providers to corporations or government entities, saying corporations or government entities are best placed to produce the requested records themselves.
Under the Bill, designated communications providers are instructed to provide any requested communications and data to the requesting agency or the Australian Designated Authority. Google would prefer the authority to be a two-way channel.
“Respectfully, our experience is that a better approach would be that all communications to and from an Australian law enforcement agency be channelled through the Designated Authority and that this authority acts as a coordinator across multiple agencies,” it wrote.
“Putting in place a coordinating body will guard against the risk of duplication and will act as a single point of contact for training, education, and access to designated communications providers.”
Google also poked holes in the Bill’s enforcement threshold.
Civil penalties for non-compliance with an IPO establishes a framework for compliance. If a designated communications provider receives a valid IPO and the designated communications provider meets the “enforcement threshold” when the IPO is issued, the designated communications provider must comply with the IPO.
Google labelled the two-step test that is the threshold, a “relatively low bar to meet”.
“Failure to comply with an IPO may lead to a civil penalty of up to AU$10 million for body corporates. The imposition of a mandatory obligation to comply with an IPO is contrary to the purpose of the CLOUD Act which is to lift blocking statutes, but explicitly does not create a compulsory obligation on service providers,” it said.
“The authors of the Bill appear to be aware of this dichotomy as the Bill explicitly asserts that Australian service providers do not have to comply with reciprocal requests from international agencies.”
Specifically, the search giant said it was concerned by the attempt to impose a mandatory obligation on overseas-based designated communications providers that exists “only in the construct of an otherwise non-compulsory international agreement”.
“[We] respectfully request that this be amended to reflect the intent of the CLOUD Act, which is that enforcement procedures be found in existing law, and that references to civil penalties be removed,” it wrote.
Elsewhere, Google is seeking further information about the role that eligible judges will play in approving IPOs that involve the interception of communications.
It also wants the appeal options contained within the Bill to be strengthened.
“Deferring to existing appeal mechanisms is not satisfactory given the lack of appropriate merit based appeal processes in other relevant legislation such as the TOLA Act,” it continued.
“The reliance on existing law as the primary source for appeal procedures is especially problematic … in particular, overseas providers may be subject to other third-country laws, conflicts with which are not and cannot be lifted through the international agreement, yet no option would exist to raise such an impediment to compliance.”
Google said this would create exactly the type of conflict of laws scenario that the CLOUD Act is designed to prevent.