After Microsoft confirmed a couple of weeks ago that it would have to provide the US government with data hosted in Australia were it requested to do so under the Patriot Act, I decided to talk to the government about the Patriot Act and its cloud strategy.
The Australian Government Information Management Office (AGIMO) pointed out that the Patriot Act wasn't exactly a new issue, having come into force in 2001, and said that government agencies had to be aware of the Act's implications when they were procuring ICT management or hosting services.
Cloud was just a new procurement approach for the same service, and agencies would have to consider the Patriot Act in the same way, according to AGIMO.
It pointed out a sentence from section three of the "Australian Government Cloud Computing Strategy (Potential Risks and Issues of Cloud Computing)", which says that "[Agencies] need to be aware of Australian legislative and regulatory requirements, including Archives Act, FOI Act and Privacy Act."
It also drew attention to the "Defence Signals Directorate's Guidance for Cloud Computing Security Considerations", which says on the first page of the introduction:
DSD recommends against outsourcing information technology services and functions outside of Australia, unless agencies are dealing with data that is all publicly available. DSD strongly encourages agencies to choose either a locally owned vendor or a foreign-owned vendor that is located in Australia and stores, processes and manages sensitive data only within Australian borders. Note that foreign-owned vendors operating in Australia may be subject to foreign laws, such as a foreign government's lawful access to data held by the vendor.
So, in other words, DSD really doesn't think that government agencies should provide information to foreign-owned vendors unless it's publicly available information. DSD also pointed to this advice when asked about the Act.
So agencies have been warned.
However, let's be realistic; these vendors will most likely have cheaper prices, and the likelihood that the US Government is going to greedily request information left, right and centre is small. As long as agencies are careful about what data they put into the public cloud, there shouldn't be an issue. And there's always encryption.