Telstra, Optus and their peers have joined “big tech” in calling for the Australian government to abandon data localisation in its national data security action plan.
Opposing the idea that Australians’ data should be kept here, Optus likens localisation to the federal government’s ongoing project to pull departmental data out of the Global Switch facility in Ultimo.
“The ongoing transfer of Australian government data out of the Global Switch Ultimo (GSU) facility will have taken over a decade to complete at a cost in the hundreds of millions over the life of the project,” Optus said.
Were the government to require “transferring data from an international to a domestic location, the cost in both time and money would far exceed that of the GSU project”, Optus claimed.
Telstra argues instead for risk-based guidance, something supported by Optus’ submission.
“Guidelines that help data custodians understand the appropriate level of security and the possible risks in international jurisdictions would be an appropriate solution to managing data sovereignty, while permitting flexibility,” Telstra wrote.
Telstra, Optus and other carriers also expressed concern at the growing burden of overlapping data security legislative regimes.
Telstra cited the Protective Security Policy Framework (PSPF), the Information Security Manual (ISM), and the Digital Transformation Agency’s (DTA’s) Secure Cloud Strategy, and said “adding to this collection will only exacerbate confusion and the burden on industry.”
The Communications Alliance, as the voice for most of Australia’s carriers and service providers, is in favour of “a free flow of information across geographic borders to allow organisations’ maximum participation in the global economy.”
The Alliance said that data localisation requirements “complicate or impede operations and increase the cost of doing business for organisations that operate across regulatory jurisdictions.
“The OECD guidelines, which focus on economic benefits derived from a data protection framework, support the free movement of personal data.”
The submission stated that “technical controls to establish and maintain data security and privacy” are more important than physical location in ensuring data is secure.
Where jurisdictions pose sovereign risk, the alliance’s members ask that the government issue “guidance … rather than rigid restrictions or regulation,” it said.
They also express concern that, to the extent data localisation requirements concentrate data storage, they would create a “larger prize” that is more attractive to attackers.
Other concerns raised about data onshoring include the impact on multinational business operations, which may need to host data near an international operation to deliver acceptable performance.
Telcos agreed that implementing a data action plan could provide an opportunity to harmonise regulatory regimes, and to reduce overlap between different legislative regimes.
Optus provided a straightforward example of regulations whose aims conflict: the Privacy Act, which is undergoing a review which could result in more restrictions on access to personal information; and the Consumer Data Right, which “is premised upon greater access”.
“While Optus appreciates the importance of effectively regulating data security and the handling of personal information, it is harder to effectively achieve this with the proliferation of duplicative regulations that are not always fit-for-purpose,” the carrier stated.
The Communications Alliance argues for a delay to the action plan, because of the interaction between other national frameworks “which themselves are still in flux”.
With the Privacy Act, the Security of Critical Infrastructure Act and the Consumer Data Right all in flux, “it is important to give these processes sufficient time to be finalised and time to settle down, prior to embarking on further substantial projects in adjacent and overlapping areas”, the Alliance said.