Potentially, yes. See the response to question 11 regarding legal requirements to provide access to data.

Additionally, in 2021, the Telecommunications Legislation Amendment (International Production Orders) Act 2021 (Cth) ("IPO Act") came into effect, establishing a legislative framework for Australia to enter into future bilateral and multilateral agreements for cross-border access to communications data.

The IPO Act is broad in scope and could provide the basis for foreign law enforcement to access data held or processed by a cloud service provider for a financial institution, in response to an international production order. This legislation sets the stage for Australia to enter into bilateral agreements with other countries, enabling government agencies in both countries to request access to certain communications data held by service providers located in the other country, for law enforcement and national security purposes. Australia concluded such an agreement with the US in late 2021.

Further, under the Security of Critical Infrastructure Act 2018 (Cth), responsible entities for critical infrastructure in the communications, data storage and processing, and financial services sectors are also required (among other things) to disclose certain information in response to cybersecurity incidents. These entities can also be subject to information-gathering directions, action directions or intervention requests in the event of an incident that could result in further information needing to be provided or made accessible to the government. Additionally, owners and operators of designated systems of national significance have additional enhanced cybersecurity obligations that may include providing the government with access to systems information.