State and territory governments and the national science agency are urging the federal government to explore data localisation requirements for both government and critical infrastructure providers, putting themselves at odds with Big Tech.
Global tech companies and their industry associations have come out in force against any prospect of being forced to house the data of Australian customers onshore in submissions to a discussion paper exploring a future National Data Security Action Plan.
The paper sought views on whether Australia needs an “explicit approach to data localisation” in light of some countries adopting the policy, noting there is no security guarantee, and that it could “represent significant barriers to trade and economic cost”.
Concerns raised by the likes of Meta, AWS and Google centre on the security risks posed by data localisation, and the impacts on business growth and the principles of an open internet more broadly.
Similar views were also presented by the Tech Council of Australia, the Digital Industry Group Inc (DIGI), the Australian Industry Group, Communications Alliance, and the Internet Association of Australia.
But it is a different story for at least two state and territory governments, and one Commonwealth government agency, which have called for more stringent data localisation requirements, and not only for government.
The Australian Capital Territory government said in its submission to the discussion paper that it is “supportive of data localisation” for both governments and other critical infrastructure providers, a view also held by the CSIRO.
The CSIRO pointed to recent changes to critical infrastructure laws to recognise data storage and processing as one of 11 sectors as reasoning for the need for an “explicit approach to data localisation”.
“Hence, it is critical that sensitive data is stored and processed within the Australian jurisdiction,” the national science agency said in its submission.
But it also went further, advocating that business data belonging to small to medium-sized enterprises (SMEs) “resides and is processed with Australian jurisdictions” as it contains IP and business intelligence.
The ACT government, meanwhile, said that any data localisation requirements would need to be “accompanied by measures that encourage businesses to invest in new and emerging technologies in Australia”.
“In the past, concerns and uncertainty on data sovereignty have resulted in extensive delays and significantly higher costs to government to implement new technologies readily available in other countries,” the submission states.
“We view that nationally-consistent risk-based approach to data localisation would support agility in introducing systems and services that improve outcomes in the community.”
The Northern Territory government considered the economic benefits of “regulating onshore data storage for certain data, such as personally identifiable information” as it continued to seek investors to build data centres in the top end.
“Cloud-based services pose challenges in enforcing data sovereignty requirements in the absence of national legislative requirements,” the submission states.
“It would be of benefit for all Australian governments to review the risks and benefits of emerging data storage models (including offshore hosting) in a more nuanced way.”
The Tasmanian government said that it “supports the idea that Australian data should be stored locally” but has asked for more information how any proposed approach to data localisation will operate.
The submission noted that local storage requirements are already used to protect sensitive information, including through legislation and that without guidelines, “data leakage to potentially undesirable locations can easily occur”.
“To relax this position and move to an environment where international data flows remain ‘safe, secure, lawful and ethical in line with Australia’s values and interests’ would require transparent safeguards to be firmly in place,” it said.
The South Australian government suggested in its submission that the “location of data should be a risk-based decision wherever possible”, with the exception being “areas already covered within existing legislative and policy instruments”.
It has welcomed further work to “provide clarity on these arrangements”.
Do you know more? Contact James Riley via Email.