A coalition of technology experts and civil liberties groups has said it is concerned that the proposed International Production Orders Bill, which would allow Australian law enforcement to gain access to data from overseas telco and service providers, does not contain a provision for notifying the subjects of data requests.
“In general, users have a universal right to notice. The International Production Orders Bill does not provide any requirement, or even mechanism, for government officials to notify data subjects of requests,” the group said in a submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) and its review of the Bill.
“Providing notice — even if delayed to where necessary to protect an ongoing investigation — should be a duty of governments. It should not be left to the discretion of providers and individuals cannot be barred from exercising their rights.”
The group — which includes Google, Reporters Without Borders, Electronic Frontier Foundation, Internet Society, and individuals such as Stanford cybersecurity expert Riana Pfefferkorn — also noted that Australia’s Administrative Appeals Tribunal (AAT) falls short of the mark for judicial review, yet law enforcement under the Bill would be able to skirt judges and head to the AAT for approval.
At the start of the year, the latest annual report on telecommunications interception showed the Australian Federal Police obtained 557 interception warrants through AAT members, compared with 77 through the various Federal Court judges, and NSW Police obtained 1,512 interception warrants through AAT members, compared with only 101 through Federal Circuit Court judges.
The group said it was unclear if AAT reviews met the threshold for independent and judicial review.
“The Tribunal, however, is not a court; the AAT is part of the executive branch, falls under the portfolio of the Attorney-General, and its members are appointed by the Governor-General.”
The Attorney-General’s Department has previously said the mean duration of warrant-related appointments is 18 minutes.
“The shortest amount of time recorded for an appointment that proceeded is 1 minute,” the department said. “The data is not subject to auditing.”
The Bill is a precondition for Australia to obtain a proposed bilateral agreement with the United States in order to implement the US Clarifying Lawful Overseas Use of Data Act (the CLOUD Act).
The submission added that the CLOUD Act is not a basis for the “extra-territorial jurisdiction over foreign providers” that Australia would like to think it is.
“The Bill treats the mere existence of a CLOUD Act agreement as the basis for jurisdiction. Under the bill, the very fact that a provider is located in a country with whom Australia has an international agreement means that the provider is subject and ostensibly bound by an international production order,” it said.
“The Bill would seek to subject service providers to civil penalties if they fail to comply. These provisions contravene the text and the spirit of the CLOUD Act.”
The group urged PJCIS to drop the Bill, but if a CLOUD Act agreement with the United States were to be struck, it said the text of that agreement should be released for public scrutiny.
In a submission published last week, the Western Australia Police Force asked for clarification on what the Bill would give it access to, while the Australian Privacy Foundation has said the Bill is deeply flawed.