Submission: CLOUD Act Agreement

NSWCCL made a joint submission with the Australian Information Industry Association to the Joint Standing Committee on Treaties Inquiry into the Agreement between the Government of Australia and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime under the CLOUD Act.

Background

The Clarifying Lawful Overseas Use of Data Act or CLOUD Act (H.R. 4943) is Federal law in the United States and was enacted in 2018.

On 24 June 2021 the Australian Parliament enacted the Telecommunications Legislation Amendment (International Production Orders) Act (Cth) (IPO Act) which enables Australian authorities to obtain international production orders to compel the production of data from entities with a presence in Australia, even if the data is stored outside Australia, and to access/receive that data.

On 15 December 2021 Australia and the United States announced an agreement under the CLOUD Act (Agreement) intended to streamline the sharing of electronic data for law enforcement between the two countries. In conjunction with the IPO Act the Agreement will permit Australian authorities to obtain international production orders to compel the transfer of data held in the United States to Australia. The Agreement also gives reciprocal rights to United States authorities permitting them to compel the transfer of data held in Australia to the United States.

The NSWCCL and the AIIA agree with the policy objective of enhancing cooperation between Australia and the United States of America for the purpose of combating serious crime, including terrorism, but are concerned by the Agreement’s impact on the privacy protections currently enjoyed by Australian residents, among other things.

Our recommendations:

  1. Build baseline privacy protections into the Agreement
    Amend the Agreement to incorporate appropriate exemptions or baseline privacy protections. For example, the Service Provider the subject of an Order should be required to notify the Individual of the additional purpose for the disclosure of the Individual’s personal information before or at the time the personal information is produced under an Order.
  2. Data in the public domain
    Incorporate clear guidance as to what amounts to ‘data [that] has already been made public’.
  3. Forewarning
    Incorporate a requirement to notify the proposed recipient Service Provider that an Order is ‘on the way’ with basic information about what the Order relates to.
  4. Cost-effective challenge mechanism
    Incorporate a cost-effective and straightforward mechanism for Service Providers subject to an Order to challenge it (that is, a place to go before or instead of commencing a court action with all of its attendant costs and complexity). Service Providers that take advantage of such a mechanism should also have the ability to involve the relevant Individual(s) in their challenge to the Order.
  5. Clarify interplay with surveillance devices laws
    Either amend, or publish clear guidance as to the operation of, State/Territory surveillance devices laws in light of the IPO Act and the Agreement. Furthermore, the scope of the operation of the Agreement should be limited so as to exclude data gathered using surveillance devices in breach of applicable State/Territory surveillance devices laws.
  6. Right to know
    Incorporate a right for the Individual to be notified of the existence of an Order relating to them. The notification should be required to contain basic instructions as to how the Individual can lodge a complaint (see Recommendation 8).
  7. Public interest monitoring
    Appoint an independent public interest monitor (PIM) or similar with the role of providing oversight and reporting on the use of the Agreement. The PIM should have the power to make applications and oppose the transfer of information on public interest grounds. This is not a role that can be played by the ‘Australian Designated Authority’, as contemplated by the IPO Act, due to the inherent conflict of interest (i.e. playing both ‘coach’ and ‘umpire’).
    The PIM should also have a role to play in a complaints mechanism under the Agreement (see Recommendation 8).
  8. Complaints mechanism
    The Agreement and IPO Act should have a complaint mechanism to facilitate enhanced accountability, procedural fairness and public confidence in the regime. The PIM should have a role to play in this complaints process.
  9. Annual reporting
    Each of Australia and the United States should be required under the Agreement to prepare a report for publication addressing the number of Orders issued by that party, the purpose(s) for which they were issued, the number of individuals impacted by the Orders, the number of challenges/objections and a summary of the outcomes of those challenges/objections and the purposes for which the data transferred was used.
  10. Death penalty prohibition
    Incorporate the death penalty prohibition into the body of the Agreement.
  11. Reporting
    Require each of Australia and the United States to provide a report to the other detailing all new, amended or repealed laws (directly or indirectly) impacting on the matters which are the subject of the Agreement.
  12. Retrospective application
    The Agreement should be varied to remove Article 14.

Read the full submission.