A new whitepaper explores the issues affecting data sovereignty in the cloud in the wake of the US National Security Agency (NSA) secret surveillance leak.
Co-authors Adrian Lawrence, a partner at Baker & McKenzie, and David Vaile (pictured) from the Cyberspace Law and Policy Centre at the University of New South Wales (UNSW), joined in a panel discussion at Bakers’ Sydney offices yesterday (2 July) following the report’s launch.
“We’re not suggesting we’re going from blissful ignorance to blind panic about data jurisdiction in one jump,” said Vaile, adding that some data can happily live anywhere and some people don’t care if it’s accessed by law enforcement agencies offshore.
Data stored offshore is, however, subject to the laws of the jurisdiction in which it is stored. The report, which took a year to compile, says it is unclear to what extent the FBI/NSA top-secret PRISM data-mining of telecom and internet providers, which Edward Snowden blew the whistle on in June 2013, would affect business-orientated cloud data services.
“US authorities will not apply particular self-restraint in scenarios involving foreign jurisdictions and US interests,” the report reads.
Its fifth chapter looks at 10 ways an Australian company’s data can be accessed in the US (the main cloud-hosting jurisdiction), compared to the situation in Australia, with the aim of helping companies to consider whether a data-sovereignty-aware cloud policy is necessary.
“In some issues these two scenarios are identical, in [others] they’re quite different,” said Vaile.
The primary limit on the US government’s power to obtain personal information, the fourth amendment of the US constitution, considers whether a person has an objective “reasonable expectation of privacy” and it prohibits “unreasonable searches and seizures” based on that expectation.
While there are many exceptions to this protection, including for data held by a third party, much discussion in the US about the NSA breach has been based on the fourth amendment.
“In a sense, we don’t have that discussion here because we don’t have that sort of protection, so I suspect we probably do need, over time, if [not] constitutional protection, legal protections.”
Last week, key legislation to introduce mandatory data breach notification fell by the wayside amid changes in Government and cabinet, despite numerous claims that it is long overdue.
The Privacy Amendments (Privacy Alerts) Bill 2013, which would ensure consumers have a right to know when their privacy has been breached, was one of 295 recommendations that the Australian Law Reform Commission (ALRC) made in 2008 as part of its landmark review of the Privacy Act.
Yesterday’s panel, which also included risk expert Eric Lowenstein from global insurer Aon, and Craig Scroggie, the CEO of data centre operator NEXTDC, was disappointed the inquiry had not been acted on, and called for swift passage of the recommendations.
“Of course we don’t need another review; it was on the point of having a law passed … properly implemented it’s not going to get in the way [of investigative journalism]; it’s for the most extreme and totally unjustifiable abuses that have no public interest component,” said Vaile.
Lawrence (pictured right) said it was difficult for privacy lawyers to advise clients on enforcement issues, but that after March 2014, when a more detailed evaluation of the Privacy Act is expected, it should become easier.
“This is an issue that is not able to be put into a little box of privacy law anymore, but it’s a key compliance issue right at the top level of corporations,” said Lawrence.
Vaile said that the topic of data retention, sovereignty and protection had gone from “nervous lawyer’s backroom stuff” to a mainstream business risk-management requirement in a couple of years.
“Flowing on from all of this [is] the potential pressure for local regulators to be real regulators rather than sleeping pussycats,” said Vaile.
Australian Communications and Media Authority chairman Chris Chapman gave a keynote address in which he praised the “timely report” and said a nuanced use of mixed strategies would be required to solve personal data collection concerns in the hyper-connected cloud environment.