Published daily by the Lowy Institute

Data sovereignty: Up in the clouds

The recent surprise decision of the European Court of Justice to make Google responsible for removing search result information demonstrates the ambiguous sovereignty of online data.

In recent years there has been a trend toward de-territorialisation of business and government operations, storing data and operations in an online cloud so it can be accessed by partners at multiple locations in one country or internationally. Yet the easy technical passage across international borders is met by regulatory complexities. A company with data in the cloud is subject both to the laws of the nation hosting the server and to its own local laws regarding how that data should be protected, leading to a potential conflict of laws over data sovereignty. The implications of these overlapping legal obligations depend on the specific laws of the nation and the relationship and agreements between governments.

Last year the University of New South Wales' Cyberspace Law and Policy Centre produced a White Paper on cloud computing to advise Australian businesses on risk management and decision-making within the current legal and regulatory framework. The authors claimed that cloud computing requires nuanced analysis of what data can be stored where and under what conditions. Some data may be hosted almost anywhere or by anyone, while more sensitive data may necessitate attention to location and jurisdiction. 

The key legal issues related to cloud computing range from privacy and confidentiality of the data, to security of the data and who has the right to audit it. In general, legal access to data is possible if it is hosted locally or controlled by local companies. Regarding audit, Baker McKenzie partner Adrian Lawrence, who co-authored the UNSW study, says each country has jurisdiction over data hosted within its borders. Yet jurisdiction also stretches to data that is hosted overseas but in use by companies originally incorporated in the given country. That means customer data in the Australian data centres of American companies such as Microsoft and Google could be audited under both US law and Australian law. This clash of jurisdictions could result in very real problems of data sovereignty or different rules governing the same data.

The result is not only confusion but also an awareness of the continual need for negotiations and agreements over digital issues between different countries.

The US has mutual legal assistance agreements with over 50 countries and the EU, making it easier to gather and exchange information for criminal investigations. Moreover, in 2006 the US ratified the Council of Europe Convention on Cybercrime, allowing gathering and sharing of electronic data and evidence at the request of foreign law-enforcement agencies. The Convention was ratified by Australia in 2012, building on previous treaties between Australia and the US. This has increased the exposure of Australian data held in European cloud services to access from the US and other signatories.

In relation to data privacy, if the cloud provider stores data offshore, or is even headquartered outside the country, Australian privacy laws may not offer direct protection. However, the Privacy Act 1988 obliges companies to protect personal information which they transfer out of Australia. Thus Australian companies fearing the ramifications of foreign legislation should develop policies and solutions to manage the privacy and sovereignty of their own and their customers' data. For example, companies may opt for locally available hosting options offered by various service providers. Earlier this year the international information management software company OpenText began offering local services to meet Australian data sovereignty requirements for customers like Telstra and Computershare from the NTT Australia data centre in Sydney (NTT Australia is an Australian-owned subsidiary of NTT Communications, one of the world's largest telcos). However, data which is not sensitive, and does not require consumer protection, can be stored offshore.

There is currently no collective international framework for the management of issues related to cloud computing. Expectations for data security can vary wildly between different nations.

Ultimately companies and governments which are clients of cloud services are responsible for managing how and where their data is stored. The type of information will determine whether data should be stored locally or can go offshore. Companies should ask whether more sensitive documents are being kept locally for legal security, which laws apply to jurisdictions hosting their offshore data, and whether they should maintain their own data sovereignty management regime. Meanwhile, continuing diplomatic efforts between nations are necessary to ensure that there is agreement between them, and with business, on how to manage data traffic.

Image by Flickr user George Thomas
