Amazon Web Services, Microsoft, Google Cloud and Meta are among top cloud providers and data repositories to warn the federal government against initiating data localisation requirements.
“Many countries have data localisation laws in place, while others are adopting legislation, often to stop insecure transfer of personal information across borders,” it said at the time.
However, it also considered localisation requirements to be fraught, requiring balance if they are to be contemplated or initiated.
The major cloud providers, as well as large data holders like Meta, are unequivocal in opposing data localisation requirements.
Meta, in particular, warned that data localisation requirements were often linked to alleged surveillance regimes.
“Local data storage requirements also have broader implications for the state of an open, global internet,” Meta said in a submission [pdf].
“Personnel and data localisation measures such as those in India, Vietnam, Turkey and China, are often intended to facilitate the surveillance or censorship of citizens’ online activities and violate individuals’ human rights including freedom of speech, expression, access to information, and privacy and due process rights.
“Australia’s contemplation of local data storage requirements could set a concerning precedent that undermines the principles of an open internet and emboldens other countries with a different vision of the internet’s future.”
Cloud providers favoured specific and granular controls – rather than data localisation – as a more reliable way to secure cloud-hosted data.
Amazon Web Services (AWS) recognised Home Affairs’ “fairly nuanced view” on the issue.
But the cloud provider warned the discussion paper “mistakenly asserts that keeping data on-shore would minimise the risks associated with foreign threat actors or cyber attacks.”
“In reality, the location of data matters more for other reasons (e.g. operational resiliency and latency), rather than to address data security,” AWS said. [pdf]
“The most appropriate determinant of the security of data is the security controls applied to protect it, not its physical location.
“Practically, the most important aspect of an effective data security strategy is to ensure that organisations have access to the most state-of-the-art and advanced security technologies.”
In a separate submission, Google Cloud said [pdf] “the desire to improve data security cannot be achieved by data localisation requirements.”
“‘Data localisation’ is the opposite of ‘free flow of data across borders’ which forms part of many free trade agreements, including agreements that Australia is a signatory to,” Google said.
“Even where data localisation controls are applied, they have little effect over the privacy and security of data, which is ensured through controls applied to the data.”
Google Cloud said data localisation rules could make data “more susceptible to attack” by creating larger, more concentrated data stores that are easier to target.
It also argued such rules could preclude Australian users from security tools and services “that rely on cross border data flows” to function.
Microsoft offered to brief Australian government officials on the matter.
“Our view is that the locality of your data in the Microsoft cloud is not considered a security control for data, but is an architectural choice when building applications,” it said. [pdf]
“In essence, with the correct security controls in place, on the Microsoft global network of data centre regions, your data is no more secure in the Sydney data centre than it is in Washington, Auckland or Paris Microsoft data centres.
“This is an area that is largely still misunderstood in the market, and misconceptions regarding threats such as insider threat or law enforcement access requests still exist.
“If this is an area of concern, we would welcome the opportunity to brief policy makers on these matters.”