EXCLUSIVE
Australian authorities are now accessing personal data from social media and email users in just days under an agreement with the United States, raising fresh questions about digital privacy and transparency.
In the past 14 months, more than 100 user information disclosure orders have been fast-tracked from platforms including Meta, Discord, Snapchat and Melbourne-headquartered email provider Fastmail through a reciprocal deal giving Australian and US law enforcement direct access to provider’s data – even when it's hosted in the other’s territory.
The reciprocal deal, effective since January 2024, allows police and intelligence agencies in both countries to issue “international production orders” (IPOs) directly to technology companies – bypassing the slower, government-to-government processes that once took more than a year.
A Department of Home Affairs (DHA) spokesperson told Information Age that Australian agencies’ IPOs had “resulted in data being returned from US-based providers in as little as three days”.
This is a significant acceleration compared to traditional police-to-government channels which “regularly take longer than twelve months”, they said.
IPOs bypass “intensive engagement by agencies, as well as the Attorney-General’s Department and Department of Justice (DOJ)”.
127 orders but more users
“As of 3 September 2025, 127 IPOs” have been made by Australia, DHA revealed last week in its submission to a review of a bill to amend the Telecommunications (Interception and Access) (TIA) Act 1979 and other surveillance laws.
The number of user disclosures ordered is likely higher than 127 as one order can be for multiple users.
Australia made 12,827 requests for 18,104 account-holders’ data to Meta (5,293 for 6,727), Google (5,727 for 8,487), Microsoft (1,231 for 1,900) and Apple (576 for 990) in the 2023 - 24 financial year.
Meta, Microsoft, Apple and Google’s biannual transparency reports. Source: Supplied
These requests were made through the slower, police-to-government scheme because, although the Australia-US Cloud Act-Agreement became effective in January 2024, agencies did not begin using it until the second half of 2024, according to DHA’s 2023-24 report on agencies’ use of TIA Act-enabled powers.
Real-time data
DHA’s submission said that IPOs for telecommunications metadata – which can include sender-recipient logs and geolocation data – had been effective for both historical and real-time user info, but IPOs for content data, like messages, had been more effective for historical than real-time data.
In some cases, agencies had been stifled by the TIA Act’s narrow definition of real-time data which only covers data transmitted “in a ‘livestream’ or ‘recording’ fashion”, which means the orders are not mandatory for providers that do not already “have the technical capability” to livestream it.
DHA supported the bill amending real-time IPOs for content data to include “methods other than a ‘livestream’, such as making a copy of messages from their servers and transmitting the copy to the agency”.
The UK – the only other nation that has established a bilateral police-to-provider agreement since the US passed the Cloud Act to enter into them with its allies – has ordered more prospective than historical user data.
Since October 2022, when the US-UK Cloud Act Agreement became effective, the UK issued 20,142 IPOs to US providers, “the majority of which were real-time interception ... for lead purposes,” the DOJ reported in November.
Discord, SnapChat, Fastmail, Meta and who else?
Only four companies are on the public record as having received IPOs.
IPOs made to Discord and SnapChat were revealed by a Victorian Country Court sentencing judgment, published in August 2025; Australian police used them to obtain “19 months” of a Victorian user’s “conversations”.
Meta’s transparency report said that Australia sent four IPOs in the second half of 2024.
Fastmail’s report neither disclosed the exact number or nation that sent them.
Despite being an Australian company, the IPOs would have originated Down Under because Fastmail’s servers are entirely US-based.
Apple’s report did not include statistics on IPOs, Google’s report has not been released for the relevant period, and Microsoft’s report inaccurately stated it could only disclose IPOs within a 0 - 499 threshold due to “applicable restrictions from laws”.
When Information Age drew Microsoft’s attention to TIA Act sch 1 cl 156, which permits reporting on the “total number of IPOs given to the provider during a period of at least 6 months”, the company declined to comment.
Vanishing transparency
The US government has not reported on the number of times that it has streamlined user info across the Pacific through the scheme.
Australian companies have largely stopped publishing statistics on both domestic and foreign disclosures, including Telstra, which would not reveal why it reported on customer information requests between 2014 - 2019 and then stopped.
Although Optus and Telstra declined to comment, Australia’s third largest telco TPG revealed authorities made 109,941 requests in the last financial year and confirmed that none were through the Australia-US Cloud Act Agreement.
When Information Age asked Fastmail why it publishes the number of user information requests it complies with and resists each year, CEO Bron Gondwana said, “We want our customers to be secure in the knowledge that we're not enabling blanket surveillance of their digital life.”
Update 25/11/25: The Department of Home Affairs, in a correction sent to the Parliamentary Joint Committee on Intelligence and Security, has clarified that 107 International Production Orders (IPOs) were sent by relevant agencies in Australia as of 3 September 2025, and not 127 as it had previously stated.
