State and territory governments and the national science agency are urging the federal government to explore data localisation requirements for both government and critical infrastructure providers, putting themselves at odds with Big Tech.
Global tech companies and their industry associations have come out in force against any prospect of being forced to house the data of Australian customers onshore in submissions to a discussion paper exploring a future National Data Security Action Plan.
The paper sought views on whether Australia needs an “explicit approach to data localisation” in light of some countries adopting the policy, noting there is no security guarantee, and that it could “represent significant barriers to trade and economic cost”.
Concerns raised by the likes of Meta, AWS and Google centre on the security risks posed by data localisation, and the impacts on business growth and the principles of an open internet more broadly.
Similar views were also presented by the Tech Council of Australia, the Digital Industry Group Inc (DIGI), the Australian Industry Group, Communications Alliance, and the Internet Association of Australia.
But it is a different story for at least two state and territory governments, and one Commonwealth government agency, which have called for more stringent data localisation requirements, and not only for government.
The Australian Capital Territory government said in its submission to the discussion paper that it is “supportive of data localisation” for both governments and other critical infrastructure providers, a view also held by the CSIRO.
The CSIRO pointed to recent changes to critical infrastructure laws, which now recognise data storage and processing as one of 11 critical infrastructure sectors, as the rationale for an “explicit approach to data localisation”.
“Hence, it is critical that sensitive data is stored and processed within the Australian jurisdiction,” the national science agency said in its submission.
But it also went further, advocating that business data belonging to small to medium-sized enterprises (SMEs) “resides and is processed with Australian jurisdictions” as it contains IP and business intelligence.
The ACT government, meanwhile, said that any data localisation requirements would need to be “accompanied by measures that encourage businesses to invest in new and emerging technologies in Australia”.
“In the past, concerns and uncertainty on data sovereignty have resulted in extensive delays and significantly higher costs to government to implement new technologies readily available in other countries,” the submission states.
“We view that nationally-consistent risk-based approach to data localisation would support agility in introducing systems and services that improve outcomes in the community.”
The Northern Territory government considered the economic benefits of “regulating onshore data storage for certain data, such as personally identifiable information” as it continued to seek investors to build data centres in the Top End.
“Cloud-based services pose challenges in enforcing data sovereignty requirements in the absence of national legislative requirements,” the submission states.
“It would be of benefit for all Australian governments to review the risks and benefits of emerging data storage models (including offshore hosting) in a more nuanced way.”
The Tasmanian government said that it “supports the idea that Australian data should be stored locally” but has asked for more information on how any proposed approach to data localisation would operate.
The submission noted that local storage requirements are already used to protect sensitive information, including through legislation, and that without guidelines, “data leakage to potentially undesirable locations can easily occur”.
“To relax this position and move to an environment where international data flows remain ‘safe, secure, lawful and ethical in line with Australia’s values and interests’ would require transparent safeguards to be firmly in place,” it said.
The South Australian government suggested in its submission that the “location of data should be a risk-based decision wherever possible”, with the exception being “areas already covered within existing legislative and policy instruments”.
It has welcomed further work to “provide clarity on these arrangements”.
Do you know more? Contact James Riley via Email.
I am sorry to hear about Amy. I have not seen your case but it is a familiar story, these are not victimless crimes.
When multiple jurisdictions get involved it gets slow and complicated.
If an Australian employee breaks the law in an Australian company and the victim is Australian there is an odds-on chance they would be prosecuted.
I agree that the system is broken. HA taking steps to start to address the problem is positive. I don’t find it surprising that Australians and the Government want data sovereignty. I also don’t find it surprising that big tech wants us to get out of their way.
#techlash
Most of the discussion focuses on money, but this impacts people. I want to share my story about one person, my late daughter Amy.
Amy made the decision to leave us a few months ago and committed suicide. She was a beautiful person with an intellectual disability. Two years ago she was sexually assaulted.
Over her life we got lots of assistance from the Government and service providers. Her medical data would be in many systems, the vast majority we did not choose or provide any consent to. In no cases did we ever say Amy’s data could go overseas.
Earlier this year some of Amy’s data made it to the dark Web. Unfortunately it included her psychologist’s report with the detail of her sexual assault. This is how we became aware of her assault, Amy was devastated.
She was scared that the whole world could read the information and would not talk to anyone for the next 4 days. The next day was her last.
Since her death we have learnt a lot mostly from the police who have tried their best but work in a failed system:
– The data was stored on a public cloud in Australia
– there were copies of the data in several countries
– an employee based in India was working on their cloud in Singapore remotely
– they took a copy of the data and sold it for about $2,000 USD
– Amy was one of many people affected and the Indian worker did not know what the data was that was taken
We are pursuing legal action but the system is completely broken. The crime happened in Singapore but they say they have no jurisdiction as it is a US company and an Indian citizen. In India it is not clear that any law was broken in their jurisdiction and they are not interested in pursuing it anyway. In the US, they will not pursue it criminally and we cannot afford to go after one of the world’s biggest companies in a civil case in the US – not even close. The Australian courts say they have no jurisdiction.
My frustration is this will happen again. I don’t blame the Indian worker, they are paid next to nothing and I am sure they were trying to get by and look after their family. But I also feel that a fellow Australian would never have done this to Amy.
Amy’s story is one of many. Amy is one of the reasons the Department of Home Affairs is trying to fix the broken system.
To read the submissions these global companies have made makes me so angry. These companies are pure evil. They should be trying to help the government fix the system rather than just pursuing profit.
I am not part of your community and don’t read this site, but I hope you think about Amy next time you send someone else’s information overseas or lobby the government to do the wrong thing.
It sounds like a copy of a replicated database was taken. If the platform was Microsoft it could have been their database service called Cosmos DB. Cloud providers argue that they encrypt everything so it does not matter who can access the system. This is great until someone gets hold of the keys… In November of 2021 Cosmos DB exposed all its keys and anyone that could get a copy of the encrypted data was able to gain access to the real data. You will find plenty of information online about this and the timeline fits what happened to Amy. It amazes me how it just takes a few months and we move past these gigantic security issues and go back to thinking cloud is secure.
Who holds these companies to account?
I am so sorry to hear about your daughter Amy. What a tragic series of events! You have my condolences. However, this is a very good example of where legal responsibility falls over in the global network of public cloud. I have worked in technical IT for over 20 years now and all I am hearing now from public evangelists is “cloud this” and “cloud that”. I have been telling all my customers that cloud providers won’t tell you where your data is stored or replicated to. If the data is replicated overseas and it’s overseas where a crime is committed to access this data, Australian law will not apply. You can try to hold the public arm of the cloud company accountable in Australia but they have SO many clauses in their service contracts which say “security is your responsibility, it’s not our problem blah blah blah” so they will try to dodge it.
The big tech companies telling the federal government to not put in data localisation laws really speaks for itself and says they keep the bulk of their services offshore and that their points of presence onshore here in Australia are as minimal as possible. They are scared that if this becomes law, they will all have to spend millions of dollars upgrading their POPs to service Australia. They need to suck it up as other countries around the world have done this – this is not a new global initiative.
Not only that, when it all becomes very public that the Optus breach was due to an unsecured public cloud API, that will hopefully be more evidence that change is needed and will push that necessary change. I have it on very good authority through my industry contacts that this is what happened.
People also need to realise that before “public cloud” became the cool thing, it was called third party hosting. Thanks to virtualisation, those with billions to spend at their disposal (e.g. AWS, Microsoft, Google) just built massive third party hosting services for customers to use and the marketing term “public cloud” was coined. Whatever you can do in cloud, you can actually do on premise as well. Public Cloud does have its good points but it needs to be viewed as another tool in the box and not this utopian technology cloud providers make you think it is.