Statement on Behalf of OTI to the Australian Parliamentary Joint Committee on Intelligence and Security on the Telecommunications Legislation Amendment Bill 2020

May 13, 2020

Below is the full text of OTI policy director Sharon Bradford Franklin's testimony to the Australian Parliamentary Joint Committee on Intelligence and Security on May 13, 2020.

Ms Franklin: Thank you for the opportunity to testify before you today. I'm an attorney in the United States and I serve as policy director for New America's Open Technology Institute, which is a digital rights organization. I'm appearing on behalf of our International Civil Liberties and Technology Coalition of 32 members that submitted comments regarding this committee's review of the Telecommunications Legislation Amendment (International Production Orders) Bill 2020. I will address two of the four issues that we covered in our comments and my colleague Lucie Krahulcova will address the other two points.

Before doing so, I would like to provide a brief background about the US CLOUD Act, which contains two parts. The first part of the CLOUD Act resolves a lawsuit called United States versus Microsoft, or Microsoft Ireland, in which the US government sought, under the US Stored Communications Act, to obtain electronic communications held by Microsoft on a server in Ireland. The first part of the CLOUD Act now clarifies that US government requests under the Stored Communications Act of companies that are under US jurisdiction apply, regardless of whether the data is located within or outside of the United States. The second part of the US CLOUD Act is directly relevant to the international production orders bill. It sets up a process through which countries like Australia can enter into a bilateral agreement with the United States that will enable each country to bypass the time-consuming traditional mutual legal assistance treaty, or MLAT, process for gaining access to electronic communications information. This will allow law enforcement officials in each country to make direct requests to providers in the other country in order to obtain communications information like emails.

Under the CLOUD Act process, first the US Attorney-General and Secretary of State must certify that the other country meets a series of factors demonstrating robust protections for privacy and civil liberties and respect for human rights. Then the two countries negotiate a bilateral executive agreement, and the CLOUD Act sets out minimum criteria for these agreements. Once negotiated, the agreement must be submitted to the US Congress, which has 180 days to disapprove of the agreement before it goes into effect. The CLOUD Act requirements for the bilateral agreements should be considered the floor, and not the ceiling, for the safeguards that are necessary.

As you know, the international production orders bill is designed to qualify Australia to enter into a CLOUD Act agreement with the United States. Our coalition has raised four concerns regarding why this draft legislation is not adequate to provide the robust level of safeguards needed. I will address two of these. First, the bill fails to ensure prior judicial review under a robust legal standard. CLOUD Act bilateral agreements are designed to replace the judicial review that, under the current MLAT system, is conducted by the home country. Individualized review by an independent authority is a fundamental protection under international human rights law. The international production orders bill does contain mechanisms for prior review, but these include review by the Administrative Appeals Tribunal, which is a part of the executive branch.

In addition, the CLOUD Act requires a robust standard of review for data requests, specifically that they shall be based on 'requirements for reasonable justification based on articulable and credible facts, particularity, legality, and severity regarding the conduct under investigation'. However, the international production orders bill does not require any showing at all that the person being investigated has committed any wrongdoing or is tied to any wrongdoing. Instead, it simply requires that there are 'reasonable grounds for suspecting' that the communications provider offers services and that a targeted person is using the services, and then that they are likely to obtain information that would assist in their investigation. Then the bill lists a series of matters to be considered, including how much privacy will be interfered with and the gravity of the conduct. Here, too, there is no rule defining how authorities should weigh these various factors. Rather, it appears to provide the deciding officials with broad discretion in conducting the review.

Second, the bill fails to provide a clear and robust mechanism for providers to challenge inappropriate and overbroad requests. This is another key principle for a rights protective system for cross-border access to data. Providers receiving direct requests from foreign countries must have an opportunity to challenge overbroad or otherwise unlawful demands prior to disclosing their customers' sensitive data. Specifically, there should be a procedure that protects the rights of providers to seek clarification from requesting countries about data requests and the system should establish a clear procedure for an independent authority to hear and adjudicate providers' challenges to data requests. The international production orders bill fails to provide a sufficient procedure for challenges and only notes that challenges can be filed.

I will now turn this over to my colleague, who will address the remaining two concerns in our coalition's comments, and I will then be happy to answer your questions. Thank you.

CHAIR: Thank you very much.

Ms Krahulcova: Good morning and thank you for the opportunity to further explore some of the concerns that we raised in our coalition's comments. As you know, contrary to the documentation that was supplied with this bill, we have concluded in our analysis that the bill does not provide sufficient safeguards to protect human rights. Before I delve into the two points that Sharon mentioned, one of the big overarching concerns that we have is that the bill, as it stands, compounds some of the issues under TOLA as well as the data retention inquiry. To that extent, I think it's worth noting the 4 October 2019 letter from Jerrold Nadler, who is the chairman of the US House of Representatives Committee on the Judiciary. He raised the issue that some of the provisions under TOLA, as they infringe upon individuals' rights, would preclude Australia from successfully reaching a CLOUD agreement with the US. As you may be aware within this committee, we've been extensively involved throughout the review in assistance and access in TOLA. Some of the concerns that I'm about to go over have been part of those conversations as well. I've raised them both with this committee, as well as with the independent review that's being conducted by Dr James Renwick. I know that we will get to the ins and outs of some of the points in this legislation and what could be made better, but I would strongly urge this committee to table this bill, at least until the ongoing review of TOLA is completed and until the independent assessment of individual rights under TOLA is completed, before we introduce an extraterritorial dimension, essentially, to some of the powers that are enshrined in it.

There are the other two points that Sharon mentioned—and I'm mindful of time, so I won't go over them—notice and transparency, as well as the compulsory nature of IPOs. In our submission, we wrote that the current bill does not include a mechanism requirement for government officials to notify subjects of data requests. This is the same challenge under TOLA: that individuals have a right to be notified. This goes back to Sharon's point—an individual's right as well as a company's right to challenge requests. In the explanatory memorandum, they do provide that individuals can challenge in court, as part of a court criminal proceeding. However, it is my understanding that, under TOLA as well as under this bill, requests will often be made to inform an investigation or a request will be made under which criminal proceedings aren't undertaken. So, essentially, for anyone whose case doesn't escalate to the court, where they can deploy that mechanism, where they're notified of the [interruption] understand. This is what we brought up as well in the case of US law. There will be cases where you cannot proactively inform individuals that they are subject to warrants, but, once the investigation has concluded, there should be notification to individuals that their privacy was infringed upon. There should be notification, and individuals who were subject to the provision should have a right to understand, ask questions and challenge in court if they believe that it was arbitrary or unlawful.

The last thing I'll mention is, going back to what Sharon mentioned about the company having a right to stand up for an individual, under TOLA—you may know this from my comments under that legislation—that right is removed, because the company cannot be subject to individual action on the basis of a breach of privacy. I think that's a flaw that we're seeing here, further compounded by the nature of the IPOs being mandatory.

One of the things I want to flag is that I understand there is the introduction of the public monitors as a part of the bill. As we know, those only operate in Victoria and Queensland. So I think there are deficiencies in terms of individuals' rights and representation that need to be remedied. Again, I would urge this committee to defer this until the review of TOLA is completed and those deficiencies have been addressed.

CHAIR: Thank you very much again for appearing today. If we could go to page 3 of your submission, where you state in paragraph 4, 'In general, users have a universal right to notice.' Perhaps you could start off a discussion about the right to notice and balancing that against the risk of destruction of evidence. Could you go into a bit more detail, and perhaps also talk about the example you give of the destruction of physical property on page 4? Is that the same as the destruction of electronic material?

Ms Krahulcova: The Fourth Amendment details that we list on page 4—If individuals are to exercise their rights, there has to be a notification. We've had that conversation within the independent review of TOLA as well. I think an essential component of that is missing. Ultimately, the access to remedies and redress is subject to individuals being notified that they were implicated in such an investigation. That is a key component of individuals exercising their rights. That said, of course, as I mentioned and as the bill foresees, notice can be delayed for an investigation. However, it shouldn't be completely disregarded. I don't know if Sharon wants to add on that and on the US component.

Ms Franklin: Yes, the notice can certainly be delayed as appropriate to avoid interfering with an investigation, but we're talking about the gathering of evidence in connection with a prosecution. Certainly that notice does need to occur, even though delay can be appropriate.

CHAIR: Thank you. According to Microsoft's law enforcement requests report, approximately 23 per cent of legal requests for data were rejected in 2019. In the view of the coalition, are communication providers well placed to challenge orders that exceed the provisions of international agreements?

Ms Franklin: That's the point I was addressing about the importance of providing a mechanism for providers to file those challenges, particularly in light of what we were just discussing, where there may be a need to delay notice so the subject would not be aware of the request and would not be in a position to defend their own rights. The provider will have the ability to see requests and, if there are a number of these, particularly with the larger providers, and to be familiar with what the appropriate scope is and to question whether a request may be overbroad or otherwise inappropriate.

Ms Krahulcova: In practice we have to look at what happens here and the sort of interests that are at play—whether it's a law enforcement agency or an intelligence agency almost directly submitting an IPO, for instance for telecommunications data. The discretion doesn't have to be exercised. They can go direct. There's no intervention on behalf of the individual. There should be an interactive notification for individuals. But I think you have to look at the weighing mechanism, when a warrant like that is presented, of who is representing the individual. Often this ends up being companies just because they have the legal team and they are bound by consumer legislation in different jurisdictions to respect individuals' rights. As I flagged, my concern is that this sort of mechanism that the individual has over the company has been removed. I think that's a huge area of concern. I was part of the EU negotiations on very similar mechanisms for several years when I worked in Brussels. From my perspective, companies being in a position to reject requests is not a perfect system, but it is often the last frontier for individuals' rights, because there isn't a human rights body or an independent reviewer who is part of that mechanism. Again, I recognise that there are public interest monitors who would be engaged in several states as a part of that process. However, that sort of neutral or independent reviewer should be part of every evaluation that happens, because there is such a power discrepancy between an agency going directly or an agency with the Attorney-General's signing-off going directly to the company, where the company is not liable to the user. It presents a really tragic power paradigm.

Senator FAWCETT: Can I segue off that last point you made. On page 5 you talk about concerns about extra-territorial jurisdiction as a result of civil penalties for non-compliance. Most legislation, to be effective, has some penalties for non-compliance, either criminal or civil. If you don't support the existing form, how would you suggest that it is made effective such that non-compliance is discouraged?

Ms Krahulcova: I think that's a great question and it's something that any mechanism that tries to replace or supersede a mutual legal assistance treaty, which is kind of what this lays the ground for, will inevitably suffer from an extraterritoriality because you are exerting kind of power in another territory. I would say that this is not just a problem of this particular bill; it generally comes up with these types of mechanisms.

I think currently there is unfortunate public discourse around the use of Amazon servers for a contact-tracing app. I'll use this as an example—it's not a perfect one. But one of the things that the government has to start to do is to assure individuals that their data won't be shared by Amazon with US entities and that data won't leave. I'm not going to argue about whether that's a concern for this committee at the moment, but it's not something that Australia can guarantee. Amazon is still an entity. It's a US based entity, and when we get into a place where governments put provisions like this into legislation there is simply no way, unless there is a very expensive diplomatic undertaking and extreme carve-outs are sought, to guarantee that. Our concern, I guess, is about a framework that's set up in the future and which countries have that discretion over others. I would urge this committee to consider the sorts of implications that creates for the international regime more broadly. I don't know if Sharon has anything to add to that.

Ms Franklin: The one thing I would add is that, as I noted, the structure under the CLOUD Act is designed to bypass the MLAT process, but when you ask about how you would ever enforce it, ultimately the MLAT process will still be in place as a backstop where needed.

Senator FAWCETT: Perhaps I could just go to the principle. We're moving away from here from data and to the principle of a sovereign state achieving an outcome that's deemed desirable. If we look at, for example, modern slavery legislation, there is some discussion even in the US at the moment—certainly in other places—that where you have an example of a multinational company who has in their supply chain forced labour or modern slavery conditions that they haven't taken action on whether there should be civil penalties applied to them in the country where they're selling their product as opposed to the country where the modern slavery conditions exist. That seems to have fairly broad support, but isn't that essentially applying a penalty in one country for an action that was taken in another country?

Ms Franklin: This is I think less about penalty than an attempt to exert jurisdiction over data that is held in a different country. Although, how far can one country reach into the other where the provider is located to demand the data? To date, that has been only through government-to-government requests under the mutual legal assistance treaty process. The CLOUD Act structure is designed to create a more streamlined process, recognising that the MLAT process is rights-protective but cumbersome, so it's a question of how far one country can reach into the others. I think it's a jurisdictional question separate from how you can condition the rights of companies that try to do business within your borders.

Senator FAWCETT: I accept that; thanks.

Ms Krahulcova: If I can just supplement: I'm not super familiar with the example that you used of slavery, but there are different standards—and the bill goes back and forth on the different standards: this will be for a serious criminal offence, this will be for terrorism, this will be for enforcement. These standards vary greatly internationally, and one of the things we struggled with even at the European level was to arrive at an understanding of what could constitute something like this where that sort of infringement on people who are residing in another country would be proportionate and lawful under the jurisdiction of another country and even within the EU where there's key legislation and a lot of harmonization. We were not simply able to arrive at a conclusion. I think some of our members voted in terms of if there's a minimum penalty of five years, three years or seven years and the reality is just that those frameworks differ.

There's a reason that MLAT is a higher part of a more diplomatic international framework rather than domestic legislation, and I know that creates a lot of frustration for folks in Home Affairs, not just here but elsewhere as well. But the reality is that that's there for a reason, and something like interfering with slavery and enforcing human rights, I think I could see that as being a noble reason to interfere and exert that sort of power. But here we have seen huge infringements, and I'm not convinced, as I outlined, because of the challenges that exist within Australian systems that have been really amplified by TOLA. I'm not convinced that Australia should be seeking to exert that power externally.

Mr DREYFUS: I've got a question for Ms Franklin. The Department of Home Affairs has told this committee that it consulted with the United States Department of Justice on the measures in this bill. That suggests that the Australian government is confident that this bill does in fact provide sufficiently robust protections for privacy and civil liberties as required by the CLOUD Act. Do you take any comfort from the fact that the department has consulted with the US Department of Justice?

Ms Franklin: I am glad to know that they are talking to each other, but I know that there is not a procedure for prior certification, to my knowledge. The Department of Justice has reached out to various civil society organizations in the US and elsewhere for consultation on what kinds of requirements should be in place. The ones that I focused on that are contained in our comments that I talked about here today, including prior judicial review under a robust legal standard and an opportunity for companies to be able to object, are ones that we have continued to have a dialogue with the Department of Justice on. They don't necessarily always speak with one voice either.

I will also note that, although it is not a strong safeguard from our point of view, there is at the end of the day the ability for our congress to weigh in on the terms of the agreement as well. We have continued to urge that the bare minimum requirements in the CLOUD Act are just that, bare minimum and that the implementation should seek to be as rights protective as possible.

Mr DREYFUS: You've come now to the other part of the process. You've mentioned the congressional approval. When you were speaking in your introduction you mentioned the letter from Congressman Nadler to the Australian Minister for Home Affairs. Can you explain that approval process through the congress—in other words, what role will congress play in this process?

Ms Franklin: Unfortunately, from my perspective, to be perfectly candid, congressional approval is not required. The way it works is that once the agreement is finalized our justice department must submit it to both houses of Congress, and that starts a clock ticking for a 180-day period. The CLOUD Act contains some fairly detailed description of a procedure that congress can follow to disapprove of a CLOUD Act agreement, but if Congress does nothing during those 180 days then it will go into effect. The procedure is to enable congress to act more quickly than it normally would, so that is an important tool. In fairness, it is not a congressional approval requirement so it is not as robust a check as we would have hoped when the CLOUD Act was being enacted.

Mr DREYFUS: We're familiar with that process here. We also have a disapproval process by the parliament for regulations and treaties. But it's the case that, even if the US Department of Justice is satisfied with the measures in the bill, the United States Congress might form a different view and decline to endorse an executive agreement.

Ms Franklin: That is correct.

Mr DREYFUS: In the light of the letter that Congressman Nadler has sent to the Australian Minister for Home Affairs, do you think that, as drafted, this bill will satisfy the Department of Justice and the US Congress that Australia provides sufficient robust protections for privacy and civil liberties for the purposes of the CLOUD Act?

Ms Franklin: I hesitate to forecast anything that our congress will do. I think, as we have pointed out, that there are some real questions and that you would be well served to make those safeguards sufficiently robust so that there won't be those questions and concerns in play.

Mr DREYFUS: Thank you. Perhaps I could just go to a specific matter. You've noted in your submission that this committee has a current inquiry into TOLA, and we've also got another current inquiry into press freedom in Australia. This goes to the matter that you've both raised about human rights protections. The Australian Inspector-General of Intelligence and Security has drawn this committee's attention to the fact that, unlike the current domestic data access regime for access to telecommunications data, the international production orders bill does not include any specific protections for journalists. As I just said, we are conducting another inquiry into press freedom in Australia. I can't recall a single person telling this committee that existing protections for journalists in Australian law should be watered down. Not even the current government has said that. But, incredibly, this bill that is now before the committee appears to water down existing protections for journalists. Does this concern you?

Ms Krahulcova: Maybe I can jump in on that one. I think that's a fantastic question. Drawing that sort of parallel between the different pieces of legislation, I think, is really essential, so thank you for that. Yes, I would be concerned. At Access Now, we haven't focused extensively on freedom of expression, but Digital Rights Watch and other Australian digital rights groups have, and it is of high concern. To go back to the extraterritoriality and the incoming orders and requests under part 13 of the schedule: it removes blocking provisions mutually, so not only is Australia able to go directly to the IPO but that is reciprocated in the bill. Through the way it's written, there's absolutely nothing that would give you the ability to stop the request to that extent, not just from the US but from anyone that Australia would seek to implement an agreement like that with, which seems from the explanatory memorandum to be any 'like-minded' country. So I'd be really concerned about the impact that's going to have on journalists and on the integrity of communications in general, even for lawyers, politicians and others.

Mr DREYFUS: So I take it you're suggesting that the bill should expressly require some minimum level of protection for journalists.

Ms Krahulcova: I wouldn't classify journalists as a specific category. I think they're a great example of where the real risks are, though. There are other extremely vulnerable people—political dissidents and other individuals—who would benefit from the same sort of protections that you're suggesting journalists have. But ultimately, yes, I think this does compromise freedom of expression and journalistic integrity.

Mr DREYFUS: Thank you. I will just tease out something that you've been reasonably clear on in the written submission. As I understand your position, the Australian Administrative Appeals Tribunal, from your point of view, simply does not satisfy the requirement for independent authorization that would be adequate to protect the rights of individuals.

Ms Krahulcova: That is correct, yes.

Ms Franklin: Yes. From what we understand, the Administrative Appeals Tribunal is part of the executive branch. It is not equivalent to independent judicial officials, so it does not provide that level of independence. I would also just reiterate concerns about the standard of review not meeting the requirements of the CLOUD Act or the sufficiently robust standard. I quoted from the standard in my opening remarks.

Mr DREYFUS: You've correctly made the point that this is something that the Independent National Security Legislation Monitor, Dr Renwick, is looking at in his review of TOLA, and this committee will almost certainly be looking at it in our review of TOLA, which is upcoming.

Ms Krahulcova: Yes. This is something that we brought up with Dr James Renwick, and he has been extremely concerned. I think he draws a comparison with the UK Investigatory Powers Act and some of the other mechanisms in the UK, which enjoy something that's called the double-lock mechanism. I think that sort of objective independence is not guaranteed under the AAT structure, so I would look forward to what both the committee inquiry and his own review yield on that.

Mr DREYFUS: Thank you very much.

Ms Franklin: If I can just add to that, our coalition, or substantially overlapping members of the coalition, also submitted comments in connection with that review back in July of 2019, and specifically in connection with the request to address the interaction with foreign laws including the US CLOUD Act. Those comments addressed our concerns in that regard, particularly noting the issue of the lack of independent judicial review.

Mr DREYFUS: Thank you very much.

CHAIR: Thank you very much again for your evidence and for appearing before the committee today. If you have anything to add, could you get it to the secretariat by Thursday next week. We'll also give you a transcript of your evidence so you can make any corrections. Thank you again on behalf of us all.

Ms Krahulcova: Thank you so much for the opportunity.