Don’t let the opportunities presented by the CLOUD Act and US-EU Privacy Shield to harmonize global regulatory frameworks pass like ships in the night.
An increasingly connected world creates incredible opportunities and challenges for humankind. Every now and then, we’re reminded that some of these connections are as vulnerable to disturbance as a house of cards. We saw this recently with international trade, relying heavily on a few narrow canals for goods to flow.
The global digital economy is just as fragile, and in much the same way, despite not being as tangible.
It’s not a wayward ship that can slow progress to a halt; it’s regulatory approaches that become inconsistent from country to country, region to region, creating new barriers. These barriers can be erected by a single country, as with the concerns related to the Australian Assistance and Access Act, or by groups of countries, such as the current legal uncertainty in data flows between the US and the EU.
Acknowledging the importance of this international system – that technology (and technology companies), and the trust they rely on, are global in nature – is the seventh of Atlassian’s Principles for Sound Tech Regulation. Atlassian’s own success owes itself to the fact that a company starting in Australia twenty years ago could sell its software to any team around the world with access to the internet and a credit card.
Don’t let regulation become a blockade
We are in the midst of a significant wave of new technology-focused regulations. While regulation itself is not a bad thing – it’s important that negative consequences of technology are mitigated – serious problems emerge when national and regional regulatory frameworks start to rapidly diverge.
Right now, we’re confronting a situation where governments are losing trust in each other and each other’s regulatory frameworks because of inconsistent approaches to law enforcement access, surveillance, and privacy. If this trend continues, we’ll see more roadblocks emerge in the free flow of data and services.
Inconsistent regulatory frameworks also impact innovation and competition. They entrench those larger platforms and providers with sufficient engineering resources and legal and compliance teams to address a growing patchwork of international tech regulation.
The OECD acknowledged this growing issue in December 2020, when it announced that it was exploring the development of “high-level principles or policy guidance for trusted government access to personal data held by the private sector.” The OECD stated that these principles may include standards to establish minimum legal safeguards before governments can access private data such as transparent processes, independent oversight, and redress mechanisms – acknowledging that “such safeguards and their application would facilitate the promotion and protection of data free flow with trust.”
Harmonize regulation
While the OECD activity provides some hope for longer-term reform, we should still embrace other, more immediate opportunities to drive regulatory harmonization. We can stop the democratic internet from becoming the splinternet.
Two such opportunities are the Clarifying Lawful Overseas Use of Data (CLOUD) Act negotiations between the US and Australia (and others) and the renewed Privacy Shield negotiations between the US and the EU. The US CLOUD Act and the EU’s General Data Protection Regulation (GDPR) are both incredible forces and opportunities for global regulatory harmonization.
GDPR
GDPR has set the global benchmark for privacy regulation. One important feature of the GDPR is the process through which the EU can make decisions about the adequacy of other “third party” countries’ privacy regimes. These adequacy determinations (soon to be 13 in force) create a framework for equivalency and certainty across the world’s privacy regimes.
Many companies, including Atlassian, have built on top of GDPR to create a globally recognized baseline for their own data handling processes and those of their supply chains.
The CLOUD Act
Similarly, the CLOUD Act was created to improve on the current processes through which law enforcement agencies in the US are able to request access to data and information not held within its borders. The current processes of international law enforcement cooperation on data are derived from a patchwork of existing mutual legal assistance treaties with other countries, widely recognized as cumbersome and time-consuming to navigate. The CLOUD Act instead enables the US to create bilateral agreements with other countries to mutually recognize and facilitate compliance with each other’s law enforcement access request processes.
Importantly, the protections within these CLOUD Act agreements incentivize other jurisdictions to ensure that their legal systems meet basic standards of human rights and that their law enforcement requests are subject to independent review and oversight.
Both instruments are opportunities to raise the bar on global privacy and security. Both are opportunities to remove emerging barriers to trust and confidence that should not be wasted.
And, although they address very separate areas – one about privacy and the free flow of data, and the other about streamlining international law enforcement access and surveillance arrangements – they are clearly linked.
Schrems II
Indeed, concerns related to law enforcement access and surveillance are at the very heart of the decision made by the Court of Justice of the European Union (CJEU) in Schrems II, which struck down the most recent Privacy Shield arrangement between the EU and the US. The Privacy Shield was established between those jurisdictions to facilitate the flow of personal data between the EU and the US under the GDPR, after earlier versions had themselves been invalidated for similar concerns.
The CJEU decision demonstrated that the treatment of personal data needs to be considered hand-in-hand with surveillance arrangements that may apply to that data. Only then can we gain the full picture of how the collection and processing of personal data and the right to privacy operate within the relevant jurisdiction.
What this decision made clear is that as we build bilateral and multilateral pipelines between countries for data sharing and potentially law enforcement data access, we need to have consistent checks and balances on government access.
Improve the Australian Assistance and Access Act
It is therefore clearly in the US Government and industry’s best interests to improve the equivalency of US surveillance and law enforcement access arrangements with the EU and to ensure that CLOUD Act agreements build equivalency elsewhere. This is critical in rebuilding trust in the global internet and the companies who operate on it.
A start would be to ensure that before Australia and the US finalize their CLOUD Act agreement, the Australian Government amends the Assistance and Access Act.
The Australian Assistance and Access Act creates a regime where law enforcement or national security agencies can request technical assistance with the fulfillment of lawful access requests. Such requests can include the decryption of encrypted data and the development of new capabilities to support law enforcement.
The Act was introduced to address concerns that the widespread use of encryption in devices and communications has led to situations where law enforcement agencies are no longer practically able to access data otherwise legally obtainable. However, industry has consistently raised concerns with the broad, sweeping nature of the powers the legislation grants and the lack of independent authorization and oversight over those powers.
US lawmakers have raised similar concerns with the then Australian Government. House of Representatives Judiciary Committee Chair Jerry Nadler wrote to the Australian Minister for Home Affairs, Peter Dutton, in late 2019, citing concerns from industry, civil society, and others that the Act “has profound impacts on privacy and security well beyond Australia’s borders.” Those concerns have not diminished, even if the powers under the Act have been sparsely used.
Just this week, the Internet Society released a report into the economic impact of these powers, which included a survey of 79 companies. Thirty-six percent of those companies stated that the law negatively impacted the risk environment for their business, and 21 percent believed that the Act will negatively impact future operating costs.
Luckily, there’s an easy fix.
There is a set of ready-made, well-considered amendments, recommended by an Australian Government statutory office and supported by industry, that address a number of concerns raised by Congressman Nadler. The Independent National Security Legislation Monitor’s (INSLM) year-long review of the Act reported to Parliament in July of last year and proposed amendments to address many of industry’s key concerns, including:
- independent authorization of notices
- improvements to the definition of a systemic weakness
- clarifications that requests for assistance can’t be made to individual employees of a provider that is subject to the Act
The recommendations are with the Parliamentary Joint Committee for Intelligence and Security (PJCIS) for its consideration. We feel they provide a necessary set of additional checks and balances to boost confidence in the regime.
A reformed Assistance and Access Act in Australia may actually provide a practical template for law enforcement to request technical assistance to access data to which it is otherwise entitled, with the appropriate oversight and safeguards. In demonstrating how CLOUD Act agreements can be used to implement and shape safeguards and protections, these reforms will help grow confidence in the global system, building trust for future CLOUD Act agreements and other bilateral data-sharing arrangements.
We are at a point in time where we can either choose to keep the digital canals open for traffic or we can allow mistrust and regulatory inconsistencies to start clogging the lanes.