Is Cloud Hosting In Australia A Legal Necessity?

A common argument used against cloud computing by large companies and government organisations is that they are legally required to keep all data in Australia, or that they risk being subjected to US law if they use an offshore provider. But is that always the case?

On one level, insisting that your data is hosted in a particular location cuts against one of the fundamental ideas of cloud computing: you shouldn’t have to worry about where your information and applications are stored, and for backup and disaster recovery purposes it’s actually a benefit to have copies geographically separated from your primary site. If you sign up for cloud services from Google or Amazon, for instance, you may at most get to pick a broad geographic region; you won’t be told which data centre actually holds your data.

One simple counter-argument to that approach is that data stored within Australia can be accessed with lower latency than data that has to travel across the Pacific. For very data-intensive applications, that reasoning has some merit. In practice, though, very few businesses are complaining about the access speeds of web-based applications.

And so we reach the alternative problem: in some sectors, compliance rules require that data be hosted in Australia (or, at the very least, that the owner of the data knows exactly where it is stored). This is most often raised by financial institutions in conjunction with APRA’s requirements on outsourcing, but I’ve heard it elsewhere. A more specific issue is the concern that data stored in the US might be subject to the USA PATRIOT Act and accessed by US government agencies with minimal authorisation.

There is clearly a demand for Australia-based cloud options. Companies such as Ninefold make this a major selling point. A whitepaper from law firm Freshfields Bruckhaus Deringer commissioned by Ninefold points out that while hosting overseas is possible in some sectors, the arrangements can be complex:

For example, the Australian Prudential Regulatory Authority (APRA) which oversees the domestic financial services sector, has stated that financial services companies that wish to transfer data offshore must first notify APRA and demonstrate to the regulator that appropriate risk management procedures are in place to protect the data. The company must also secure guarantees in its contract with the data hosting company that APRA will have access to that company to conduct site visits if required. In the context of the global Cloud, where the third party provider is likely to be using one of a number of data centres in different countries, this has proved to be a difficult issue to overcome because providers have been reluctant to provide guarantees around data security to a level which is satisfactory to the regulator.

Last month, hosting provider Rackspace announced plans for a local data centre in NSW. “One of the major requests from our Australian customers was the ability to actually host them from a data centre onshore in Australia,” ANZ country manager Mark Randall said.

Yet Randall doesn’t accept that the legal arguments are a major issue. “There’s been a significant amount of misinformation on this topic,” he said at the launch. “We already offer contracts under NSW law which comply with Australian privacy laws. Customer data will be hosted only in Australia unless a customer specifically requests it to be offshore. And Rackspace will not transfer data to a law enforcement agent without the customer’s consent unless it is compelled to do so by Australian law. Our general counsel has come on the record and said we will not hand over any customer data unless we are compelled by an Australian court.”

One reason Rackspace needs to be vocal on that topic is that even with a local data centre, a US-owned provider such as Rackspace might be seen as subject to US law. However, it’s not clear that using an Australian-owned provider would let you escape that problem either.

“If you look at our existing treaty arrangements, we have an arrangement whereby if the US asks us for data then we would execute on that and make sure that data is made available,” Norton Rose lawyer Nick Abrahams noted at the AIIA cloud summit in Canberra earlier this year. “There’s very little discretion that the Australian government has. The Patriot Act allows the US to go to US companies in Australia directly, but the outcome of that is no different to the outcomes via the treaty.”

As with most legal matters, ultimately you can’t rely on hearsay. If your company is concerned that this is a problem, you’ll need specific legal advice, not generalities. But assuming that you definitely can’t do something makes no more sense than blindly forging ahead without checking.

Evolve is a weekly column at Lifehacker looking at trends and technologies IT workers need to know about to stay employed and improve their careers.

