Head in the clouds: Australia passes US CLOUD Act-style law

On 24 June, the Australian Parliament passed the Telecommunications Legislation Amendment (International Production Orders) Bill (the Bill) which enables Australian authorities to compel the production of data from entities with a presence in the jurisdiction, even if it is stored abroad. The Bill follows similar legislation in other jurisdictions, such as the US's Clarifying Lawful Overseas Use of Data Act 2018 (CLOUD Act) and the UK's Crime (Overseas Production Orders) Act 2019 (COPOA), and forms part of a growing framework supporting cross-border investigations and cooperation in relation to the same.

The Bill applies to entities that transport information electronically, including wireless, internet and cloud-based communications businesses, and is - per the accompanying explanatory note - intended to respond to the "exponential rise of global connectivity and reliance on cloud computing" which means that "intelligence and evidence that was once stored within Australia and available under a domestic warrant or authorisation is now distributed over different services, providers, locations and jurisdictions, and is often only obtainable through international cooperation".

The Bill seeks to supplement the traditional mutual legal assistance (MLA) process. Obtaining similar data through MLA is a lengthy and cumbersome process, often taking years. The key distinction here is that Australian authorities should now be able to ask the companies directly for the data, rather than going through the governments of the relevant jurisdictions. The authorities will be able to serve an "International Production Order" on the companies, with a failure to comply resulting in a maximum civil penalty of approximately AUD 10 million (GBP 5.4 million). The hope is that this new process will allow authorities to keep pace with the often fast-moving nature of criminal investigations.

International cooperation is the lynchpin here. The Australian authorities will not be able to obtain the data from foreign companies, including those in the UK and EU, until the Australian government signs specific communications-sharing agreements with the relevant states. There is significant appetite for such cooperation. The UK-US Bilateral Data Sharing Agreement was signed in October 2019 and came into force from 8 July 2020. As we discussed in our previous commentary, the effect of that agreement is that law enforcement in either the UK or the US can, when armed with appropriate court authorisation, require companies that provide clients with an ability to communicate, process or store data, such that they amount to "communication service providers", to produce documents. As in Australia, the process is to be controlled by the courts of the requesting state.

Given the US serves as the hub of many of the companies the authorities will want to seek data from, it should come as no surprise that the Australian government has an agreement with the US in sight. The US is negotiating similar arrangements with the EU, and - as above - they are already in place with the UK.

Keeping abreast of technological advancements is a challenge for any organisation,  particularly so for slow-moving public prosecutors. Still, as the nature of crime and data continually evolve, these recent legal developments indicate a resolve to not be left behind. Their efficacy, however, remains to be seen.