Australia may be setting a bad example and limiting its options when it comes to providing offshore services due to a lack of strong data protection laws, according to the Council of Europe head of data protection and cybercrime division Alexander Seger.
(Credit: Michael Lee/ZDNet Australia)
In an interview with ZDNet Australia at the Kaspersky Lab Cyber Conference 2012 in Cancun, Mexico, Seger said that Australia should examine whether it would be appropriate to join Convention 108 — an international agreement for the protection of individuals' privacy when dealing with automatically processed data.
"It's important for individuals that their data is protected, but it will also help countries like Australia and other countries that join this treaty if [they] have offshore services."
Seger said that the absence of strong data privacy laws would result in a country missing out on being able to provide offshore services to European citizens.
"[Although the] data of citizens from Europe may be processed in Australia or any other country, it makes it very difficult if that country does not have data protection standards in place. It would actually be illegal for European companies to transfer their data to a country that does not have data protection standards in place."
Australia could learn from countries such as Morocco and Egypt, which already provide offshore services and have matching legislation to support the trade.
"It's no coincidence that Morocco has very strong data protection legislation. Egypt — OK they have a bit of a difficult political situation, but Egypt had also developed already, some years ago, a draft law on data protection."
Seger said this was an area that he expected Australia to provide leadership in, especially due to its influence in the Asia-Pacific region.
"It's important for Australia to realise that there are many other countries in the region that look to Australia, that look for guidance. Conceptual guidance, but also for trading support, for capacity building support."
While he applauded Australia's progress in tackling child abuse and its ability to support other countries with issues such as forensic investigations, he said that Australia would need to take responsibility and lend a greater helping hand in the region.
"From 14 [Asia-Pacific] countries, I think none, possibly with the exception of Fiji, had forensic capabilities, which means for forensic investigations, they needed to call on Australian law enforcement to come and provide that kind of technical support.
"This is not a sustainable thing. We hope in the near future that with the support of Australia or the international community that some of these countries are trained or equipped to also have forensic capabilities."
On the matter of cybersecurity and the requirement for internet service providers to preserve data for 180 days under the Cybercrime Legislation Amendment Bill 2011, Seger appeared to be unsurprised at Telstra's recent protests that implementing data retention mechanisms would be a complex process.
"In Europe, it took them quite a while to set this up. After 2006, some countries still haven't put the laws in place so they're in violation of EU law."
Seger said the problem was even more complex due to different countries specifying different retention periods. He said that the conditions specified by legislation in each country needed to be clearer and, ideally, harmonised to provide greater clarity.
"The conditions must be clear [and] the conditions must be harmonised because it's very difficult for service providers if you have six months in Germany, 12 months in France, 24 months in Ireland."
Michael Lee travelled to the Cyber Conference 2012 as a guest of Kaspersky Lab.