Google has warned that the government’s proposed reciprocal data access regime for law enforcement agencies goes beyond that of the United States’ Clarifying Lawful Overseas Use of Data Act (the CLOUD Act) by forcing service providers to comply with requests.
The new framework proposed under the Telecommunications Legislation Amendment (International Production Orders) Bill is intended to allow for “reciprocal cross-border access to communications data” for law enforcement purposes.
The bill, which is currently before parliament, will allow law enforcement and national security agencies to access data directly from overseas communications providers using international production orders (IPOs), provided international agreements are in place.
It is a necessary requirement for Australia to enter into future bilateral agreements with foreign governments, including the US under the CLOUD Act, as it will also allow overseas law enforcement and national security agencies to access data held by Australian-based service providers.
But in its submission to the parliamentary joint committee on intelligence and security inquiry, Google said the bill went beyond the purpose of the CLOUD Act by imposing a $10 million fine on designated communications providers if they fail to comply with an IPO.
“The imposition of a mandatory obligation to comply with an IPO is contrary to the purpose of the CLOUD Act which is to lift blocking statutes, but explicitly does not create a compulsory obligation on service providers,” it said.
“The authors of the bill appear to be aware of this dichotomy as the bill explicitly asserts that Australian service providers do not have to comply with reciprocal requests from international agencies.
“We are concerned by the attempt to impose a mandatory obligation on overseas based designated communications providers that exists only in the construct of an otherwise non-compulsory international agreement, and respectfully request that this be amended to reflect the intent of the CLOUD Act, which is that enforcement procedures be found in existing law, and that references to civil penalties be removed.”
The concern is one of several held by the multinational technology company, which is particularly worried about how the bill will interact with Australia's controversial anti-encryption laws.
“Google encourages and supports efforts by the Australian government to negotiate an executive agreement authorised by the CLOUD Act,” it said.
“However there are certain elements of the Bill that give us cause for concern, especially when considering how the interception powers under this Bill could be used in tandem with technical capability notices under the controversial Telecommunications and Other Legislation (Assistance and Access) Act 2019, which is currently undergoing a statutory review by the Committee.”
Google has called on the government to exempt “service providers in their capacity as infrastructure providers to corporations or government entities” from the laws, unless that organisation is the subject of a criminal investigation.
“Corporations or government entities are best placed to produce the requested records themselves, save for a rare circumstance where the corporation is itself the subject of the criminal investigation,” Google said.
“Any ambiguity on the issue, arising from unclear expectations, should therefore be avoided in the text.”
Google also wants the bill amended so designated communications providers can only provide requested communications and data to the Australian designated authority that acts as an intermediary between law enforcement and national security agencies.
As the bill currently stands, communications and data can be provided to either the “requesting agency or the Australian designated authority, depending on the directions of the international production order (IPO)”.
“Respectfully, our experience is that a better approach would be that all communications to and from an Australian law enforcement agency be channelled through the Designated Authority and that this Authority acts as a coordinator across multiple agencies,” it said.
“Putting in place a coordinating body will guard against the risk of duplication and will act as a single point of contact for training, education and access to designated communications providers.”
Google has also recommended that the government provide further information about the IPO approval process, as the bill suggests there is no requirement for an eligible judge or Administrative Appeals Tribunal to approve an interception agency’s request.
“Given the invasive nature of these powers, we consider the role of an independent third party who can impartially assess and balance the criteria set out in sub-clause 30(5) to be critical to the approval process,” it said.
“Therefore, we recommend amending the suggestion that an agency ‘may’ apply to an eligible judge to read as a strict obligation.”
It also wants a “secondary review and approval step” introduced at a national level in the form of a national public interest monitor or an equivalent function at each state and territory level.
Only Queensland and Victoria have committed to this secondary review step in the bill as it stands.