On December 15, 2021, Australia and the United States signed an agreement that will make it more efficient for law enforcement agencies in both countries to obtain data about criminal suspects, but it leaves technology companies with concerning questions. The new agreement was forged under the Clarifying Lawful Overseas Use of Data (CLOUD) Act, a 2018 statute that enables law enforcement to more easily secure important electronic information about suspected crimes—including terrorism, violent crimes, sexual exploitation of children, and cybercrimes like ransomware or attacks on critical infrastructure—from global technology companies based in the United States. Although the agreement was designed to facilitate law enforcement investigations, it leaves unanswered the encryption privacy questions that have beset preceding agreements.
Prior to the CLOUD Act, foreign law enforcement agencies seeking electronic evidence held by U.S.-based global companies generally submitted formal requests under mutual legal assistance treaties (MLATs), a process that was slow and resource intensive. The CLOUD Act provides an alternative to the MLAT process, allowing the United States to enter into agreements with certain trusted foreign countries to obtain electronic evidence more easily when it is stored or processed by communications service providers. This information includes the contents of communications, related metadata, subscriber information, and data stored remotely in the cloud. Agreements entered under the CLOUD Act remove the legal restrictions that could otherwise prohibit businesses from complying with a foreign government’s request to transfer data across borders.
Among other things, before the U.S. can enter an agreement with another country, the CLOUD Act requires that the U.S. Attorney General certify to Congress that the partner country—in this case, Australia—has laws that provide “robust substantive and procedural protections for privacy and civil liberties.” The agreement with Australia is the second CLOUD Act agreement, following a similar bilateral agreement between the U.S. and the U.K., entered in October 2019. The U.S. and Australia have been in talks negotiating this agreement since then.
Under the new bilateral agreement, law enforcement agencies in Australia will be able to use existing warrants to acquire access to electronic information on U.S.-based servers for the purpose of preventing, investigating, and prosecuting serious crimes. Likewise, U.S.-based law enforcement agencies will be able to demand access to data from communications companies with operations in Australia. Under CLOUD Act agreements, each country follows its own legal process for obtaining evidence. Foreign law enforcement authorities then serve their legal demands directly on communications service providers—telecommunications companies, email service providers, social media platforms, and cloud storage services—who must respond to the legal demands in the same way that they would respond to warrants from the jurisdiction where their business is located. A U.S.-based provider who receives a foreign order to provide evidence can challenge the order, but only under the foreign country’s law and only to the extent a challenge is permitted by that country.
One factor that could complicate this sharing of information is encryption of data. Law enforcement access to encrypted devices and data has been an open issue of debate for the past several years, with no clear answers in sight in the near future. The central question is whether law enforcement should have the ability to access encrypted data and devices as part of these criminal investigations. End-to-end encryption in particular may prevent government officials from obtaining electronic evidence and intelligence that they have requested in the course of the investigation or prosecution of crimes, even with a warrant or court order—an issue that the law-enforcement community sees as increasing the risk of threats like terrorist attacks—and applications continue to provide end-to-end encryption for users’ messages. While the CLOUD Act does not provide law enforcement with special authority to compel service providers to decrypt communications, it also does not prevent service providers from providing decryption or prevent partnering countries from addressing decryption in their own domestic laws. Existing encryption legislation in Australia enables law enforcement agencies to require technology companies, device manufacturers, and service providers to build in “back doors” that allow access to encrypted messages. There is some question whether that legislation undercuts Australia’s position that it has the necessary privacy and civil liberty protections required by the CLOUD Act.
The CLOUD Act agreement must now undergo parliamentary and congressional review in the U.S. and Australia before it is finalized. Unless Congress disapproves by joint resolution, the agreement will go into effect in the United States.