The Australian Information Industry Association (AIIA) has struggled to reach consensus among its diverse membership base on data localisation, but has broadly agreed that onshore hosting does not guarantee security.
In a “confidential” submission to the Department of Home Affairs, the AIIA said its more than 300 members, including both multi-national and local cloud providers, had expressed a “broad range of views” on the vexed issue.
Home Affairs is exploring the need for an explicit approach to data localisation in Australia as part of a discussion paper that is being used to inform the development of a National Data Security Action Plan.
“The AIIA had intended to submit a detailed paper in response to the discussion paper, but due to reasons outlined herein, this letter will form the basis of our contribution,” the AIIA said in its submission obtained by InnovationAus.com.
“The AIIA membership, which comprises multi-national cloud companies and software vendors, telecommunications companies, data centre operators and owners, SMEs and Australia cloud platform providers, have a broad range of views and perspectives around the issue of onshoring of data and whether this provides enhanced security.”
Many of its members, including Amazon Web Services, Google Cloud and Microsoft, have argued in their own submissions to the consultation that data localisation does not inherently lead to improved security.
They are also concerned about the effects of data localisation on business growth, the availability of digital services in Australia, and an open internet, drawing a connection between onshore hosting and surveillance or censorship of citizens’.
Others, like Vault Cloud and a selection of state and territory governments, believe an “explicit approach to data localisation and sovereignty” is required, particularly for personal information stored by the government.
The AIIA is sympathetic towards both views across four “high level points” in its submission including that select datasets belonging to government, as well as health and financial providers, be hosted in Australia.
“The AIIA understands and supports that governments and certain critical industries such as health and financial services, have requirements to ensure that certain datasets are hosted in Australia,” its submission states.
The AIIA cites the government’s hosting certification framework (HCF), which was introduced in March 2021 to impose ownership and control conditions on data centre operators and cloud providers.
As of July, only certified strategic or certified assured providers can host sensitive government data, whole-of-government systems and systems rated to a protected classification level under the scheme.
The mandate applies to new contracts, as well as extension to existing contracts, not all government contracts as had been envisioned for the scheme.
But there remains some contention over the scheme, with providers like AWS awarded strategic certification based on undertakings with the Digital Transformation Agency.
Certified strategic is the highest level of assurance under the framework, requiring providers to allow the government to specify ownership and controls conditions.
The AIIA also agreed with the discussion paper, as well as other tech giants and industry associations, that there is no inherent guarantee that data localisation will lead to improved cyber security.
“The security of data and policies that aim to promote and protect data need to consider the security controls around the data itself as the location of data, whilst it is relevant, does not of itself guarantee security,” its submission states.
The AIIA also agreed with the government that the “free flow of data across borders is essential for modern global economies and is important for Australia’s economic interest” but did not go as far as the Tech Council of Australia.
The Tech Council said in its submission that data localisation “disrupts” cross-border data flows, and that the government should look at technical measures like encryption to address data security issues.
The AIIA also used its submission to point towards “a need for policies that support domestic capability, including government procurement rules to support Australian SMEs”.
Do you know more? Contact James Riley via Email.
Of course on-shore hosting does not guarantee security. You’re missing the point. What it does do is guarantee an avenue for prosecution in the event of a breach.