Who controls our data? Cyber threats and tracing apps add to data sovereignty concern
Differences in US privacy legislation present a challenge for the rest of the world, UNSW Law's David Vaile told a forum on global data protection.
Peter Harrison
UNSW Media & Content
The tracking apps introduced by governments worldwide to curtail the spread of the coronavirus, and the ownership of the data they generate in particular, are triggering fresh conversations among privacy advocates around the sovereignty of data.
Data sovereignty, which relates to who has ownership and control over private information collected through digital means, is a complex issue that is causing significant challenges for businesses in terms of where and how they store their data.
But at the same time, it is creating exciting growth opportunities for data centre operators not just in Australia, but also in countries subject to increasingly stringent data laws.
A major complexity lies in the fact that US data privacy legislation is at odds with that of many other Western countries, said David Vaile, Data Protection and Surveillance stream lead at the Allens Hub for Technology, Law and Innovation at UNSW Sydney’s Faculty of Law.
Mr Vaile recently shared his thoughts at a virtual roundtable for thought leaders organised by data centre provider HDR | Hurley Palmer Flatt Group.
“In Australia, there’s the Privacy Act based on the same principles as the Organisation for Economic Co-operation and Development of the 1980s, which informs a lot of the privacy and data protection law around the world including in Asia and in New Zealand – more or less everywhere except the US,” said Mr Vaile.
“Then in the US the law in this area (the CLOUD Act) is like a Rorschach blot or a Jackson Pollock painting: there’s a little thin stripe in one place, a big blob somewhere else, splatters and a few sort of gaps – its approach was not created in the light of trying to respect the legal rights and entitlements or expectations of customers and firms in other countries.
“And as cloud services have migrated around the world, you've got a real tension between their approach to things and what everybody else has to do.”
Mr Vaile explained that the Privacy Act in Australia made a “pretty weak” requirement of data holders when they allowed the data they were holding to go out of their jurisdiction.
“In Europe, the same sort of approach is much stricter. They had the Data Protection Directive for a long time, now, the General Data Protection Regulation (GDPR). And that, more or less, says, unless you're sending it into a jurisdiction that's adequate for the protection of European citizens, you can't do it,” he said.
“The other question – in a sense, I think it's a little depth charge I can drop into this discussion – is that jurisdiction or data sovereignty is not just based on location. It's just as significant who controls the entity that controls the data,” he continued.
“So we've got this COVID-19 app happening here [with] Amazon Web Services. And people have started to say, ‘Well, what if the US Department of Justice says to Amazon, ‘that's a mighty nice store of little tokens you've got down there, why can't we get a few of them over here?’ And the question of it being held in Australia, which I think has been the sort of simplistic and old fashioned sort of idea of where jurisdiction sits, hasn't really kept up with the reality,” he added.
The COVID-19 apps helped bring the “esoteric” issue of data sovereignty into the mainstream, said Robert Thorogood, the London-based executive director of Hurley Palmer Flatt Group.
“Businesses have to take a risk-first approach. They have to ask the questions ‘where is our data being stored, what is it being used for, how is it to be used and who controls and governs it?’,” he said.
It had been hugely significant that, for their COVID-19 tracing apps, countries including Australia and the UK (which later U-turned) decided against using technology developed by Google and Apple, and instead chose to pool and control the information generated by those apps locally, he said.
“They have deliberately tried to make sure they don't get bound up by data sovereignty and privacy issues. That’s the government saying, ‘we don't want this huge store of data going back to the US, we're going to try and keep it local’,” said Mr Thorogood.
“It potentially sets a worrying precedent and I suspect other developers of apps will look at this and say, ‘well, if we can make our data agnostic and independent of being clawed back by other countries in a similar way, then let's do it too’,” he added.
The spotlight on the issue was at least giving businesses pause to better understand where the data they collect was stored, and which country’s laws it was subject to, said Mr Thorogood. This was especially so as cloud services, which were responsible for holding growing volumes of digital information, migrated across borders.
“A number of countries – particularly Russia, China, India, and parts of the UAE – have put in very draconian sovereignty laws, where data cannot go outside of their country. In the UK, the principle of the GDPR is that the data stays in the EU. And then you have this overlap on the rest of the world in the US CLOUD Act, which is very difficult to fully comprehend,” he said.
With countries looking to maintain stricter control of their data, new hotspots for data centre development – both hyper-scale and colocation facilities – were emerging, said HDR | Hurley Palmer Flatt director Peter Gaston.
This included across the Asia-Pacific, the Middle East and Eastern Europe.
“It’s a twofold drive: one is to service those emerging markets and get a piece of that pie. But secondly, those safe havens where people traditionally built their data centres may no longer be appropriate because of the requirement under data sovereignty for businesses to store their data in areas it originates,” he said. “I think this is something that potentially we’re only just seeing the very beginning of.”
Meanwhile, in Australia, Macquarie Data Centres – a subsidiary of Macquarie Telecom Group – was putting data sovereignty front and centre.
At a recent announcement about its latest facility, Intellicentre 5, in Canberra, which will serve the Australian government’s increasing cloud storage requirements, the company highlighted that sovereignty was embedded in the facility’s security framework, with control and access only by Australian government-cleared specialists.
Speaking at the virtual round table, Matthew O’Rourke, from Macquarie Government – another subsidiary of Macquarie Telecom – said the storage of government data was determined by individual departments, which undertook rigorous risk assessments of the implications of going to a global cloud provider.
However, concerns among legal experts that the cloud provider storing data from the Australian government’s COVID-19 tracing app could be subject to US subpoenas highlighted the need for greater awareness, said Mr O’Rourke.
“One of the biggest challenges we face as this issue develops is raising the capabilities of buyers to assess the technical risk that exists when there is a loss of sovereignty over sensitive government data.”
For large enterprises, it became common to take a hybrid approach to storing data, holding certain workloads in a public cloud, and more valued data sets in a sovereign cloud environment within an Australian data centre.
This separation of data was being facilitated to a degree by ‘edge’ data centres – smaller facilities that stored and processed data (high-value, for instance) near the source of generation.
However, it was not the complete solution, Guy Danskine, of Equinix, a global data centre developer, told the roundtable.
“The average enterprise simply cannot have a local provider in every part of their vendor stack for everything they do. They do need to avail themselves to large global organisations, and sometimes multiple organisations, to support their data storage.
“Loss of control over their data is one of the complexities this introduces, but deploying physical infrastructure in the markets in which you need to be in is a way to navigate this.”
Mr Vaile, meanwhile, urged business to take a collaborative approach to determining sovereignty risk.
“I think for everybody, knowing a lot more about your data is probably necessary. You may need to do quite detailed auditing and you may need to have a dynamic mechanism for working out how it changes on the fly from time to time or with different apps or under different political climates,” he said.
“You need three tribes: the lawyers, reluctantly, because they've got a big part to play in going through the fine detail. You need the technologists, but you also need the people who are trying to make all this work – whether it's at the governance level, or the business opportunity level. You've got to be able to communicate between them all,” he added.