Orders Without Borders: Australia's new law allows authorities access to data from communications service providers
- On 23 July 2021, the Telecommunications Legislation Amendment (International Production Orders) Act 2021 received Royal Assent, and most of its provisions came into force immediately.
- The Act establishes a framework that, subject to an international agreement of a reciprocal nature, will allow Australian Government agencies to obtain "International Production Orders" (IPOs) issued directly to foreign "prescribed communications providers", in respect of information stored overseas. Australian-based prescribed communications providers would similarly be subject to compliance with incoming IPOs issued by international authorities, if there is a designated international agreement between Australia and one or more foreign countries.
- The law is a precondition to Australia entering into a bilateral agreement with the United States under its "Clarifying the Lawful Overseas Use of Data Act", also known by its backronym "CLOUD Act". Such an agreement would represent a major step forward for international cooperation in investigating crimes – from cyber and financial crimes, through to terrorism, drug trafficking, and human trafficking/exploitation.
- Social media companies, cloud service providers, and other internet service providers should review their practices and procedures, to ensure they are prepared to receive and respond to IPOs from law enforcement and other agencies.
A new law for the digital age
International arrangements have long facilitated the making and receiving of requests for access to electronic and communications data held overseas. For example, under the Mutual Assistance in Criminal Matters Act 1987 (Cth), the Commonwealth Attorney-General currently has the power to authorise information to be provided to the International Criminal Court or a requesting foreign country where the entity holding the information is based in Australia. Similar arrangements exist in reverse.
However, the existing law has been criticised for being too slow to allow enforcement agencies to respond quickly and effectively to criminal activity online. In addition, the demand for access has grown significantly in recent years, adding to administrative delays in formal mutual assistance requests.
The new Act seeks to address some of these issues. It amends the Telecommunications (Interception and Access) Act 1979 (Cth) to establish a framework for Australian authorities (such as the Australian Security Intelligence Organisation (ASIO) and other law enforcement agencies) to seek IPOs and obtain data directly from communication service providers based overseas, subject to a designated international agreement being in place. The arrangement will be reciprocal: foreign authorities will similarly have the power to issue IPOs directed to Australian-based prescribed communications providers, and the Act allows for exemptions from Australian laws that would otherwise prevent those Australian providers from complying with an incoming IPO.
The majority of the new Act concerns the making of Australian orders (outgoing requests issued by Australia to foreign communication service providers). The making and issuing of foreign orders (incoming requests from foreign countries to Australian communication service providers) is dealt with in Part 13 of the Act, which provides that Australian communication service providers will be exempt from laws that would otherwise prevent their compliance with incoming IPOs and requests.
Checks and balances in Australia for issuing an outgoing International Production Order to foreign communication service providers
An IPO can only be issued to a foreign communication service provider if there is a designated international agreement in place between Australia and the relevant foreign country. None is currently in place, but Australia and the United States have been in negotiations for several years, so a bilateral agreement between them is expected in the near future. Any international agreements made as part of the regime will be subject to the approval of the Attorney-General and parliamentary scrutiny.
Once a designated international agreement is in place, the Act permits an IPO to be issued to a foreign communication service provider for purposes in connection with:
- the investigation of an offence of a serious nature; or
- the monitoring of a person subject to a control order (relevant to counter-terrorism); or
- the carrying out by the Australian Security Intelligence Organisation (ASIO) of its functions.
IPOs from Australia are not issued by the agencies themselves – they are issued by either an independent eligible Judge or an independent nominated member of the Australian Administrative Tribunal (AAT). To obtain an IPO, the relevant interception agency, ASIO, criminal law-enforcement or other enforcement agency (as permitted under the Telecommunications (Interception and Access) Act 1979) must make an application, accompanied by an affidavit setting out the facts and grounds on which the application is based.
In deciding whether to issue an IPO, the eligible Judge or nominated AAT member will have regard to a number of matters, including:
- privacy implications for the individual(s) who are the subject of the IPO;
- the gravity of the conduct constituting the offence being investigated;
- how likely the information would be to assist with an investigation;
- the extent to which other methods of investigation have been used or are available; and
- other matters that may be considered relevant by the eligible Judge or nominated AAT member.
If the eligible Judge or nominated AAT member is satisfied that the IPO should be issued, they may issue the IPO accordingly.
Higher grounds for more invasive International Production Orders
There are three types of IPOs that may be issued from Australia to a foreign communications service provider:
- Interception IPOs, which enable communications to be intercepted and made available to the requesting agency, together with specified "telecommunications data" (essentially metadata) relating to the intercepted communications or the individual services;
- Stored communications IPOs, which require the disclosure of specified stored data; and
- Telecommunications data IPOs, which require the disclosure of specified telecommunications data (essentially metadata).
For interception IPOs, the eligible Judge or AAT Member must be satisfied (among other things) that the information would likely assist in connection with the investigation of serious "category 2" offence(s) involving the person making or receiving the communication. Offences that qualify include those punishable by a maximum term of imprisonment of 7 years or more.
For the other two types of IPOs, the eligible Judge or AAT Member must be satisfied that there are "reasonable grounds" for suspecting that the prescribed communications provider holds, or is likely to commence to hold, the relevant stored communications and telecommunications data.
Additional safeguards help to ensure the IPO regime is exercised appropriately. For example, Public Interest Monitors operate in Victoria and Queensland under the Public Interest Monitor Act 2011 (Vic), the Police Powers and Responsibilities Act 2000 (Qld) and the Crime and Corruption Act 2001 (Qld), and may assess applications for interception activities made by agencies within their jurisdiction. They can also make submissions, appear at any hearing, and question any person giving information, in relation to IPO applications before an eligible Judge or member of the AAT. The Commonwealth Ombudsman also has independent oversight of government agencies, and the Attorney-General's Department, for the purposes of compliance with the Act and designated international agreements.
Many different service providers could be affected
Australian IPOs may be issued to prescribed communications providers who meet the enforcement threshold, including:
- Carriers: a person who owns or operates a telecommunications network that is used to supply a carriage service to the public or a section of the public. A carrier may provide facilities such as transmission infrastructure, cabling and wireless networks. The definition is not limited to a telecommunications network within Australia. For example, a carrier that may be affected by the Act is a foreign company that owns network units that deliver carriage services (such as Verizon).
- Carriage service providers: a person who supplies a carriage service to the public or a section of the public. A carriage service is defined as capturing any current or future service that facilitates the transmission of communications through a wide variety of technological means, and includes internet service providers (who may also be a carrier). The Act does not require a nexus between the carriage service provider and Australia. The definition does not cover communications providers who only provide a service internally within their own organisation, for example in the form of an intranet system.
- Message/call application service providers: a person who provides a message/call application service to the public or a section of the public, for example Zoom or WhatsApp. The definition includes application services that enable end-users to send or receive communications to or from one another using a carriage service.
- Storage/back-up service providers: a person who provides a storage/back-up service to the public, for example Apple's iCloud or other cloud storage solutions providers that provide the ability for the public to remotely store material for back up or storage purposes.
- General electronic content service providers: a person who provides a general electronic content service to the public or a section of the public, for example Instagram or Twitter. The definition covers providers of services which allow end-users to access material using a carriage service, and broadly captures any service that permits the public to post content either to the broader public or a section of the public.
The "enforcement threshold" requires that there is a sufficient connection between Australia and the service of the prescribed communications provider. The threshold is met if the prescribed communications provider either:
- supplies a service to one or more Australians;
- owns or operates a telecommunications network that is used to supply a transmission service to one or more Australians; or
- provides a general electronic content service onto which one or more Australians have posted material.
What if the communications provider objects?
If a foreign prescribed communications provider is issued with an IPO from Australia, the starting point is that they must comply with it. Failure to do so could result in significant penalties – up to AUD 10 million for companies.
The Act allows a foreign prescribed communications provider to object to an IPO on the basis that the IPO does not comply with the relevant designated international agreement. The provider must provide the Commonwealth Attorney-General's Department with written notice (within a reasonable time after the IPO is issued) which sets out the reasons why the IPO does not comply with the designated international agreement. In response, the Department will review, and may cancel, the IPO.