Data sovereignty is a real issue despite datacentre and cloud service providers' reassurance that it is not a legitimate concern, according to a report released by the University of New South Wales (UNSW) Cyberspace Law and Policy Centre.
Titled Data Sovereignty and the Cloud [pdf], the report was sponsored by datacentre provider Next DC, insurance brokerage firm Aon, and law firm Baker McKenzie. It discusses the technical, legal, and risk governance issues around where data is hosted.
"The topic has gone from nervous lawyers talking in the back room stuff to a mainstream business risk management requirement in a couple of years," UNSW Cyberspace Law and Policy Centre executive director David Vaile said.
Microsoft had previously said that concerns about data sovereignty in the cloud are unwarranted; Amazon Web Services brushed off the idea that customers hosting data with the company in Australia will still be subject to the Patriot Act; and Digital Realty believes that if a customer isn't doing anything nefarious in the cloud, they do not have to be worried about data sovereignty issues.
But according to Baker McKenzie partner Adrian Lawrence, each country has jurisdiction over the data that is being hosted within its borders, along with the data hosted overseas. This jurisdiction extends to companies that are originally incorporated in a particular country, as well.
So for US-based companies like Microsoft and AWS, even customer data in their Australian datacentres are subject to US laws, including the Patriot Act. The US also has mutual legal assistance (MLA) treaties with over 50 countries, making it easier for the country's government to gather and exchange information for criminal investigations.
For Australian companies fearing the ramifications of legislation such as the Patriot Act, locally available hosting options offered up by various service providers are becoming a popular option. The only problem is, it would appear that Australia's data privacy laws are weaker than those of its overseas counterparts, according to Vaile.
"There's no constitutional protections in Australia as there are in the US, EU, and UK," he said. "We don't have a Bill of Rights or anything like that, so we don't have any constitutional protections on free speech, privacy, and rights against search and seizure.
"One of the things recent developments have shown is maybe we do need these sorts of protections."
The US National Security Agency (NSA) is said to have violated the country's Fourth Amendment to the US Constitution, which gives citizens the right "to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures".
Australian citizens do not have the same protection.
"We probably do need that kind of protection over time — if we don't have a constitutional protection, then we need some legal protections," Vaile said.
He expressed frustration at the federal government's inability to give Australians such protections, despite a lengthy Australian Law Reform Commission (ALRC) review on the matter.