While the Federal Government pushes the privacy safeguards around its CovidSafe app, the expansion of Australia’s already extensive national security laws continues apace.

On 5 March 2020, the Federal Government introduced the Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (the IPO Bill), which will amend the Telecommunications (Interception and Access) Act 1979 (TIA Act).

The IPO Bill will allow foreign and local law enforcement agencies to access electronic information from ‘designated communications providers’ in the other jurisdiction, under agreements between Australia and the ‘like-minded’ countries.

There is an existing mechanism for mutual assistance in criminal matters through Government-to-Government channels. However, the IPO Bill allows an Australian law enforcement agency to ‘bypass’ this intergovernmental process and get an order in Australia directed at a foreign-based designated communications provider (and vice versa for foreign law enforcement agencies seeking orders in their home jurisdiction against Australian-based providers).

Minister Peter Dutton says the new process is needed because:

“Investigations of serious crimes such as terrorism and child exploitation are too important to be stalled, or even derailed, by outdated, cumbersome processes when evidence includes communication data held in a different country.”

The first cab off the rank will be a bilateral agreement with the USA under its Clarifying the Lawful Overseas Use of Data Act (the CLOUD Act). The UK finalised a similar CLOUD Agreement with the USA last year.

Who are designated communications providers

‘Designated communications providers’ cover almost every species of service provider on communications networks, including internet service providers, cloud systems providers, messaging apps, and social media platforms.

Unlike other provisions of the TIA Act, providers no longer need to be tied geographically to Australia. Instead, the extra-territorial reach is limited by an easily satisfied ‘enforcement threshold’. For example, if there is a single Australian using its service, the enforcement threshold is met.

IPO orders

Agencies can seek an International Production Order (IPO) for investigating serious criminal offences, for monitoring a person subject to a control order, and for national security. Different IPOs are for interception, stored communications (which would include a corporate customer’s internal communications and data stored in the cloud), and telecommunications data (essentially metadata).

An IPO is granted by a Judge or nominated Administrative Appeals Tribunal member, who must ‘have regard to’ factors including:

• the extent to which other methods of investigating are available;
• in respect of IPOs relating to national security, whether methods less intrusive methods to the person’s privacy are available;
• in respect of IPOs which do not relate to national security, how much a person’s privacy would be likely to be interfered with;
• the extent to which such methods would be likely to assist, and prejudice, the investigation; and
• how much the information sought under the IPO order would assist in the investigation.

What safeguards are there?

The IPO Bill creates an Australian Designated Authority (ADA). The ADA will have oversight over the IPO framework and a broad discretion to cancel an IPO at any time, including if the ADA considers an IPO is not in the public interest.

There is some measure of independent review from the Commonwealth Ombudsman.

Response to the IPO Bill

The Parliamentary Joint Committee on Intelligence and Security is currently considering the IPO Bill.

The Australian Privacy Foundation’s submission says:

“The Bill is deeply flawed. It conflates bureaucratic convenience with what is imperative. It obfuscates accountability through inadequate transparency... It enshrines an inappropriate level of discretion and weakens parliamentary oversight regarding interaction with governments that disrespect human rights. It is a manifestation of a drip by drip erosion of privacy protection in the absence of a justiciable constitutionally-enshrined right to privacy in accord with international human rights frameworks.”

The Digital Industry Group, consisting of big players such as Facebook, Google and Twitter, is supportive of a mirror law to the US Cloud Act, but considers the Australian IPO Bill “does not require a high standard of privacy or data protection considerations”.