Global tech giants and their industry associations have rallied against the federal government introducing localisation requirements for data storage, arguing it brings no inherent benefit to cybersecurity and that such a regime could impede the economy.
But several others have called for the government to adopt a more nuanced position that takes data sensitivity into account, with one Australian cloud provider suggesting “full data sovereignty” is needed in some instances.
The Department of Home Affairs called for views on the possible introduction of an explicit approach to data localisation in a discussion paper exploring a future National Data Security Action Plan earlier this year.
The paper said that with many countries already having adopted data localisation laws and others moving to do so, it was timely to consider such a requirement to protect sensitive information, while noting that it offers no “security guarantee” and could restrict trade.
In Australia, Commonwealth laws already prevent the government from storing personal and sensitive data overseas in some instances such as the information held in the My Health Record system.
Using similar language to convey their concern, a handful of major global tech companies and industry associations roundly rejected the need for data localisation measures in submissions to the consultation, published on Tuesday.
The Tech Council of Australia, which boasts more than 130 member companies, said that data localisation “disrupts” cross-border data flows, and that the government should limit any data localisation measures to “highly sensitive use cases such as health data (as is current practice)”.
It argued that “data localisation is based on the misconception that cybersecurity risk is dependent on physical location”, with technical measures such as strong encryption and infrastructure protection far more beneficial.
“While we acknowledge that the objectives of data localisation such as protecting privacy and security are worthwhile and important, we believe that data localisation is the wrong approach to address these issues,” its submission states.
The Digital Industry Group Inc (DIGI), whose members include Facebook, Apple, Twitter and Google, said the inclusion of data localisation in the discussion paper – which it claims is the first time such a question has been posed – was concerning.
“We reject the notion that data localisation increases data security, and we are concerned that it would have negative implications for the digital economy and the availability of digital services to Australians,” its submission states.
DIGI said localisation will “increase the cost of doing business” for multinationals, while suggesting that the centralisation that localisation brings would make “data more susceptible to attack”.
It also said that introducing local data storage requirements could “set a troubling precedent that undermines the principles of an open internet”, pointing to the use of data localisation “as a means to enable surveillance or censorship of citizens’ online activities” in some countries.
This view was shared by Facebook parent Meta, which said in its own submission the “broader implications for the state of an open, global internet” were worrying, while also pointing to data localisation as an inhibitor of business growth.
“Australia’s contemplation of local data storage requirements could set a concerning precedent that undermines the principles of an open internet and emboldens other countries with a different vision of the internet’s future,” Meta’s submission said.
Public cloud provider Google Cloud pointed to the various security and privacy benefits when “cloud-based services are free to leverage distributed network infrastructure without geographic restrictions”, a view also held by Atlassian.
Google Cloud also suggested that “imposing data localisation requirements could negatively impact resilience by reducing the availability of backups in disaster recovery scenarios” and could “increase the likelihood that a single catastrophic event will be insurmountable”.
Competitor Amazon Web Services recommended that “instead of emphasising data localisation as a means for achieving general data security, the threshold for permitted cross-border data flows of high-risk data sets should be linked to a ‘comparable standard’ of data security”.
Australian cloud provider Vault Cloud took a different view, however, and said that an “explicit approach to data localisation and sovereignty” is needed, particularly for personal information stored by the government.
“We support the view in the National Data Security Action Plan that Australia needs to get data localisations correct,” the company said in its submission, adding that in “some cases full data sovereignty is required”.
Vault, which prides itself on its sovereign status as an Australian-owned and operated entity, pointed to “strong sovereignty requirements” in Five Eyes partners the US, UK and Canada, as well as Germany and China.
“Interestingly in the United States, home to many public cloud services, the US government does not allow the use of public clouds for sensitive data. Instead, they elect to use special sovereign variants known as ‘government cloud’, ‘community cloud’, ‘sovereign cloud’ or ‘secure cloud’,” it said.
The Australian Computer Society agreed that an explicit approach to data localisation is needed, suggesting that such a regime “would need to consider the sensitivity of the data and the ability for multinational organisations to protect” it and avoid “imposing excessive costs”.
Optus has recommended the government adopt a “risk-based approach” to data localisation that “considers the particular circumstances of a data storage location and weighs them against the cost of transferring the data to a domestic facility”.
“Optus notes, for example, that the ongoing transfer of Australian Government data out of the Global Switch Ultimo (GSU) facility will have taken over a decade to complete at a cost in the hundreds of millions over the life of the project,” the telco added.
“Were the Government to adopt a localisation policy that required transferring data from an international to a domestic location, the cost in both time and money would far exceed that of the GSU project.”
Home Affairs will now continue to engage with industry and state and territory government on the development of the Action Plan. It has kept 18 submissions confidential.