Global tech giants and their industry associations have rallied against the federal government introducing localisation requirements for data storage, arguing it brings no inherent benefit to cybersecurity and that such a regime could impede the economy.
But several others have called for the government to adopt a more nuanced position that takes data sensitivity into account, with one Australian cloud provider suggesting “full data sovereignty” is needed in some instances.
The Department of Home Affairs called for views on the possible introduction of an explicit approach to data localisation in a discussion paper exploring a future National Data Security Action Plan earlier this year.
The paper said that with many countries already having adopted data localisation laws and others moving to do so, it was timely to consider such a requirement to protect sensitive information, noting that it offers no “security guarantee” and could restrict trade.
In Australia, Commonwealth laws already prevent the government from storing personal and sensitive data overseas in some instances such as the information held in the My Health Record system.
Using similar language to convey their concern, a handful of major global tech companies and industry associations roundly rejected the need for data localisation measures in submissions to the consultation, published on Tuesday.
The Tech Council of Australia, which boasts more than 130 member companies, said that data localisation “disrupts” cross-border data flows, and that the government should limit any data localisation measures to “highly sensitive use cases such as health data (as is current practice)”.
It argued that “data localisation is based on the misconception that cybersecurity risk is dependent on physical location”, with technical measures such as strong encryption and infrastructure protection far more beneficial.
“While we acknowledge that the objectives of data localisation such as protecting privacy and security are worthwhile and important, we believe that data localisation is the wrong approach to address these issues,” its submission states.
The Digital Industry Group Inc (DIGI), whose members include Facebook, Apple, Twitter and Google, said the inclusion of data localisation in the discussion paper – which it claims is the first time such a question has been posed – was concerning.
“We reject the notion that data localisation increases data security, and we are concerned that it would have negative implications for the digital economy and the availability of digital services to Australians,” its submission states.
DIGI said localisation will “increase the cost of doing business” for multinationals, while suggesting that the centralisation that localisation brings would make “data more susceptible to attack”.
It also said that introducing local data storage requirements could “set a troubling precedent that undermines the principles of an open internet”, pointing to the use of data localisation “as a means to enable surveillance or censorship of citizens’ online activities” in some countries.
This view was shared by Facebook parent Meta, which said in its own submission the “broader implications for the state of an open, global internet” were worrying, while also pointing to data localisation as an inhibitor of business growth.
“Australia’s contemplation of local data storage requirements could set a concerning precedent that undermines the principles of an open internet and emboldens other countries with a different vision of the internet’s future,” Meta’s submission said.
Public cloud provider Google Cloud pointed to the various security and privacy benefits when “cloud-based services are free to leverage distributed network infrastructure without geographic restrictions”, a view also held by Atlassian.
Google Cloud also suggested that “imposing data localisation requirements could negatively impact resilience by reducing the availability of backups in disaster recovery scenarios” and could “increase the likelihood that a single catastrophic event will be insurmountable”.
Competitor Amazon Web Services recommended that “instead of emphasising data localisation as a means for achieving general data security, the threshold for permitted cross-border data flows of high-risk data sets should be linked to a ‘comparable standard’ of data security”.
Australian cloud provider Vault Cloud took a different view, however, and said that an “explicit approach to data localisation and sovereignty” is needed, particularly for personal information stored by the government.
“We support the view in the National Data Security Action Plan that Australia needs to get data localisations correct,” the company said in its submission, adding that in “some cases full data sovereignty is required”.
Vault, which prides itself on its sovereign status as an Australian-owned and operated entity, pointed to “strong sovereignty requirements” in Five Eyes partners the US, UK and Canada, as well as Germany and China.
“Interestingly in the United States, home to many public cloud services, the US government does not allow the use of public clouds for sensitive data. Instead, they elect to use special sovereign variants known as ‘government cloud’, ‘community cloud’, ‘sovereign cloud’ or ‘secure cloud’,” it said.
The Australian Computer Society agreed that an explicit approach to data localisation is needed, suggesting that such a regime “would need to consider the sensitivity of the data and the ability for multinational organisations to protect” it and avoid “imposing excessive costs”.
Optus has recommended the government adopt a “risk-based approach” to data localisation that “considers the particular circumstances of a data storage location and weighs them against the cost of transferring the data to a domestic facility”.
“Optus notes, for example, that the ongoing transfer of Australian Government data out of the Global Switch Ultimo (GSU) facility will have taken over a decade to complete at a cost in the hundreds of millions over the life of the project,” the telco added.
“Were the Government to adopt a localisation policy that required transferring data from an international to a domestic location, the cost in both time and money would far exceed that of the GSU project.”
Home Affairs will now continue to engage with industry and state and territory governments on the development of the Action Plan. It has kept 18 submissions confidential.
Do you know more? Contact James Riley via Email.
“Data localisation” is not the issue. What is conveniently being overlooked here is that it is nigh upon impossible to maintain security in the follow-the-sun systems management approach employed by the global hosting providers, where system administrators are located in various countries around the world and are not cleared. It is easy to enforce physical security in a data centre – but much more difficult to do so at the systems management level.
Doesn’t it make you ask the question about what functionality is onshore with cloud providers’ POPs? As Glen said earlier today, I don’t think any of them know exactly where a customer’s data is stored in their cloud tenancy or tenancies. Do some (or all of them) implement bare bones onshore functionality in their POPs?
Also doesn’t anyone ever question the legalities of data hosted offshore? What laws protect it? What happens if there is a breach, say in Singapore or Manila? Who do you legally address this with? The Australian arm of the cloud provider? Does Australian law even apply if the breach happened on foreign soil?
I love how it’s okay for other countries to have data localisation laws but not Australia.
I do find it quite hard to accept the assurances given in the Meta (aka Facebook) submission about how diligently it protects our, and presumably its own, data assets when we read the recent evidence provided by two lead Facebook engineers stating (under oath it seems), that they have essentially no idea where the data is stored. They also admit that there is little or no documentation for many of their core systems and that the code itself takes on this role and that this is simply an aspect of the Company’s “somewhat strange engineering process”. I’d also note that this evidence predates the submission from Meta that is linked in this story. See summary at https://m.slashdot.org/story/404415
+1 how do these people sleep at night?
I thought all sensitive data was automatically held at Mar-a-Lago?
DIGI – “which it claims is the first time such a question has been posed”
Err… Minister Robert’s Sovereign Data Sets Policy and the 57 pieces of legislation that prescribe data sovereignty for certain types of data. Or perhaps that awkward moment when Morrison was asked why Covid tracking data was going to the US?
I don’t understand Optus’ point. Should we be OK with China buying our data centres? I don’t want my data going to Chinese or US companies. Yes, there is massive cost to moving the data – perhaps FIRB should stop China buying the data centre in the first place?
The lesson here is to not let foreign companies get our data in the first place as it is very costly to get it back – if that is even possible?
I am an Australian TCA member. We were not consulted at all in this process. I strongly disagree with the paper.
Kate, WTF? What was the member consultation process?
Australia is about as good at holding on to economic value as a sieve.
It reminds me of the film Thank You for Smoking. All the tech giants sat around a table conjuring up new ways to rape and pillage Australia.
It sounds like the TCA just pulled up a chair, I agree John, it is disappointing given their founding commitments.
It is amazing how quickly the TCA has fallen, it was only 1 year ago they committed to supporting Australia and in that short time they have been overcome by foreign interests. It is scary the lobbying power of these companies. I am very disappointed in your Kate Pounder.