Late last year, the Australian Government introduced the Assistance and Access Act. This new legislation makes it mandatory for any organisation whose website or data is hosted in Australia to give Australian authorities access to their IT system if requested.
Given that a huge amount of data, including ours, is hosted in Australian datacentres (typically by US providers), this is of concern. Most NZ businesses use Amazon AWS or Microsoft Azure or 365 tools hosted in Sydney or Melbourne – because it’s reliable, cost-effective and secure. We would regard this as being orthodox. In fact the NZ Government uses it extensively, even the Privacy Commission, with 90-95% of NZ government agency data being held in Australian clouds.
What does this mean?
This is a real challenge for us, especially if you consider all those Australian businesses we deal with, or our suppliers deal with that might have information about us. The jury is out though on whether its a theortical problem or a practical one.
Take a look at the New York Times editorial – they speculate that this is a beachhead and other jurisdictions will impose similar legislation if it is successful in the US. Take a look at https://www.nytimes.com/2018/12/06/world/australia/encryption-bill-nauru.html and https://www.wired.com/story/australia-encryption-law-global-impact/
So you might well move your data elsewhere, only to have the same problem reassert itself. That might mean that the most private places to hold data become outlier jurisdictions – I guess like the flags of convenience on ships at sea. It’s more complex than this of course, as the capital investment needed by cloud providers is significant and they will only invest in low-risk, highly stable countries.
Of course, while we have control over where we store data, we don’t have as much control (notwithstanding legislation like GDPR and NZ Privacy Act) over where data about us is stored. I suspect it’s also going to be less effective than the lawmakers would like, because the rogue elements simply won’t hand over access to their data, or the data will be wrapped in multiple layers of encryption.
We're going to have to wait and see what this means in practice.
It’s clearly not going to stop here. While this seems to be a rash law, it would be unwise to act rashly as a result. There is a lot of water yet to flow under this bridge.
We know that Microsoft are considering their position, and in the past they have successfully fought this kind of imposition in the courts. They won’t be alone, and I would think that this is where this will wind up – in a massive legal battle. We’ll keep you posted as we learn more.