Legal experts and crossbenchers have said that data collected by the Australian Government’s COVIDSafe app might not be protected from a US subpoena to assist in a law enforcement investigation, because Australia is not yet designated as a 'qualified foreign government' and is therefore obliged to cooperate.
Last week it was revealed that under the 2018 Cloud Act, US law enforcement can legally obtain data they require from a US-registered company to assist with their investigation.
Amazon Web Services was recently awarded the government’s invitation-only tender to house the data collected from the COVIDSafe app. Considering Amazon is a US-registered company, under a subpoena, theoretically, data held by Amazon - even on Australian-based servers - would need to be produced to law enforcement.
The ABC is reporting that “the Australian Government initially told ABC News data held by Amazon would be protected from the CLOUD Act, but Australia’s peak legal body, the Law Council, disagreed, saying that under current arrangements in the appeal avenues under the CLOUD Act “would not have application” in Australia.
As it stands, any data created or collected by the COVIDSafe app will be encrypted, stored on your device and not shared with any person or government agency unless the individual tests positive for the virus. The ABC writes that “if that happens, health officials may ask - but cannot compel you - to upload 21 days of your data. If you do, it is at that point your data will be sent to the Amazon cloud.”
Number of sources inside and close to the government spoke to the ABC last week on the condition of anonymity, stating that awarding the contract to Amazon could mean US law enforcement could potentially get their hands on Australian data with a CLOUD Act subpoena.
Nick McKim, a Greens senator and digital rights activist said “people who will be sitting in head office in Amazon in the US will not be covered by Australian law, they will be within jurisdiction of US law.”
“And the US role is abundantly clear… that US security agencies actually do have a claim on data that is held by a US company, no matter where that data is hosted in the world,” McKim concluded.
The Government has responded to these reports, denying the claims and stating that data held by AWS would be protected under a provision of the CLOUD Act that, according to the ABC, “allowed US companies to apply to refuse or modify US subpoenas seeking the data of foreign governments, if providing such information violated the law in that foreign country.”
Such appeals, it turns out, are only available to a nation that has received a special designation as a “qualifying foreign government”, under the CLOUD Act. Australia has not received this designation, a spokesperson for PM, Scott Morrison confirmed over the weekend.
“Even without yet being defined as a ‘qualified foreign government’ under the CLOUD Act, Australia already ensures that data from a range of government agencies, including our intelligence agency and the Australian Signals Directorate, is kept in Australia,” the spokesperson said.
In order to be recognised as a ‘qualifying foreign government’, both the US and Australia need to sign an executive agreement under the CLOUD Act, which would involve passing special legislation in Australia.
Home Affairs Minister Peter Dutton and the US Attorney-General William Barr met in October of 2019 to discuss the agreement, but it has not been finalised by either party. Mr Dutton said after the meeting that “this is the way of the future between like-minded countries.”
Mr Barr said “this agreement, if finalised and approved, will allow service providers in Australia and the United States to respond to lawful orders form the other country without fear of running afoul of restrictions on disclosure, and thus provide more access for both countries to providers holding electronic evidence that is crucial in today’s investigations and prosecutions.”
The meeting and subsequent announcement of a “bilateral agreement” for Australia’s qualification as a foreign government under the CLOUD Act is set to be “underpinned by Australian legislation yet to be introduced” into the Parliament.
The legislation was put before the House of Representatives in early March, but the Telecommunications Legislation Amendment (International Production Orders) bill has not been enacted by the House, meaning that as it stands, Australia is not able to deny a subpoena from US law enforcement until the bill is passed.
The Law Council’s president, Paule Wright says that “it is the view of the Law Council of Australia that the review mechanisms in the US CLOUD Act would not have application to information held in Australia’s territorial jurisdiction, in the absence of Australia being recognised by the US as a ‘qualifying foreign government’ under that act.”
The Prime Minister’s office has released a statement saying that the data collected and stored by Amazon’s servers was “being reinforced by a declaration under the Biosecurity Act,” but the Law Council says that the Biosecurity Act acts to protect data.
“The fact that it would be an offence under the Biosecurity Act and a breach of our domestic laws is likely to be a relevant consideration to the enforceability of any US-issued warrant in relation to data help in Australia, and Australia’s compliance with any mutual legal assistance request by the US for such information,” Wright added.
Scott Morrison stated last week that “it would - it is illegal - it will be illegal, for information to go out of that data store to any other person other than that for whom the whole thing is designed,” while a spokesperson confirmed a day after that “the Australian government will ensure it is a criminal offence to transfer data to any country other than Australia.”
“These claims about US authorities are incorrect… we’re using the same approach we use to protect some of the highly sensitive data of the Australian Signals Directorate as we are for this app.”
Rex Patrick, a federal crossbench Senator has told the ABC that “I think the application that has been proposed by the Government, and that is now available for download, is a useful application and it will help to save lives, however, there are certainly still some grey areas in respect of privacy.”
“There will be some people in the community who will rightly be a little bit anxious about downloading this application,” he said, adding that “it’s nothing short of an absolute disgrace that this cloud contract was awarded to an overseas company.”
“We have, in effect, just exported Australian dollars to the US, and at the same time, what we’ve done has caused some concerns in relation to the protection of the data that may be collected by the application.”