Is Cloud Hosting In Australia A Legal Necessity?

A common argument used against cloud computing by large companies and government organisations is that they are legally required to keep all data in Australia, or that they risk being subjected to US law if they use an offshore provider. But is that always the case?

On one level, insisting that your data is hosted in a particular location goes against some of the fundamental ideas of cloud systems: you shouldn’t have to worry about where your information and applications are stored, and for backup and disaster recovery purposes it’s actually a benefit to have copies as far away from each other as possible. If you sign up for cloud services from Google or Amazon, for instance, you will typically not be told which physical data centre holds your data.

One simple counter-argument to that approach is that data stored within Australia can be accessed with lower latency than data that has to travel long distances. For very data-intensive or latency-sensitive applications, that reasoning has some merit. But in practice, very few people are complaining about the access speeds of web-based applications in business locations.

And so we reach the alternative problem: that in some sectors, compliance regulations require that data be hosted in Australia (or, at the very least, that the owner of the data knows exactly where it is stored). This is most often mentioned by financial institutions in conjunction with APRA regulations, but I’ve heard it elsewhere. A more specific issue is the concern that data stored in the US might be subject to the American Patriot Act and accessed by government authorities with minimal authorisation.

There is clearly a demand for Australia-based cloud options. Companies such as Ninefold make this a major selling point. A whitepaper from law firm Freshfields Bruckhaus Deringer commissioned by Ninefold points out that while hosting overseas is possible in some sectors, the arrangements can be complex:

For example, the Australian Prudential Regulatory Authority (APRA) which oversees the domestic financial services sector, has stated that financial services companies that wish to transfer data offshore must first notify APRA and demonstrate to the regulator that appropriate risk management procedures are in place to protect the data. The company must also secure guarantees in its contract with the data hosting company that APRA will have access to that company to conduct site visits if required. In the context of the global Cloud, where the third party provider is likely to be using one of a number of data centres in different countries, this has proved to be a difficult issue to overcome because providers have been reluctant to provide guarantees around data security to a level which is satisfactory to the regulator.

Last month, hosting provider Rackspace announced plans for a local data centre in NSW. “One of the major requests from our Australian customers was the ability to actually host them from a data centre onshore in Australia,” ANZ country manager Mark Randall said.

Yet Randall doesn’t accept that the legal arguments are a major issue. “There’s been a significant amount of misinformation on this topic,” he said at the launch. “We already offer contracts under NSW law which comply with Australian privacy laws. Customer data will be hosted only in Australia unless a customer specifically requests it to be offshore. And Rackspace will not transfer data to a law enforcement agent without the customer’s consent unless it is compelled to do so by Australian law. Our general counsel has come on the record and said we will not hand over any customer data unless we are compelled by an Australian court.”

One reason Rackspace needs to be vocal on that topic is that even with a local data centre, a US-owned provider such as Rackspace might be seen as subject to US law. However, it’s not clear that using an Australian-owned provider would let you escape that problem either.

“If you look at our existing treaty arrangements, we have an arrangement whereby if the US asks us for data then we would execute on that and make sure that data is made available,” Norton Rose lawyer Nick Abrahams noted at the AIIA cloud summit in Canberra earlier this year. “There’s very little discretion that the Australian government has. The Patriot Act allows the US to go to US companies in Australia directly, but the outcome of that is no different to the outcomes via the treaty.”

As with most legal matters, ultimately you can’t rely on hearsay. If your company is concerned that this is a problem, you’ll need specific legal advice, not generalities. But assuming that you definitely can’t do something makes no more sense than blindly forging ahead without checking.

Evolve is a weekly column at Lifehacker looking at trends and technologies IT workers need to know about to stay employed and improve their careers.


  • Of course it’s not always required. I recommend cloud services all the time to small/medium businesses.

    At the moment I’m in the same position a lot of people are – internal policy or external contracts require certain levels of data security and control, and those requirements are easier to satisfy if the data is kept on-shore.

  • The Privacy Act contains restrictions on sending personal information off-shore. If the information is misused off-shore the organisation will still be liable for the breach.

  • The amount of data passing that goes on outside the public domain would surprise people, including warrants executed by local law enforcement on behalf of foreign law enforcement bodies (yes, you know which country I’m talking about). It might make it harder, but because your data is local, don’t assume it is immune to foreign powers.

    Of course if you are not doing anything wrong…

    • Exactly, Australian law enforcement is in bed with the United States. So therefore anything the United States wants, it will get Australian law enforcement to do on their behalf. It might slow them down slightly, but ultimately they will get what they want.

      I would feel more comfortable with my data being stored in a country that gives its residents (the company hosting your data) real protections.

      • Indeed, most people and organisations would simply be more comfortable knowing exactly where their data or their server is. Knowing that the hosting provider is in the same city, or at least the same country, provides a level of assurance.

        Since the entire cloud concept is fairly new to most companies, they would rather trust a local provider than an overseas provider.

  • Papering over the cracks.

    If a cloud vendor tells you that it’s OK now because they’ve opened a datacentre in your backyard, watch out. The mere fact of locating a datacentre in Australia will not remove the possibility of that company (say, US-owned) being required to divulge your data under any one of a number of measures, most notably the US Patriot Act. It’s true, governments do normally have bilateral treaties for handling these sorts of requests, but those routes involve serious checks and balances. The sort of friction that tends to be overlooked in the name of expediency.
    The real issues are in fact symbolised by the iceberg problem. The legislation and application of the Patriot “toolbox” are the known unknowns, visible above the surface. Lurking underneath and mostly unfathomable are the costs of not complying and the business disruption caused by duelling in an overseas jurisdiction, the unknown unknowns. No amount of risk management and business continuity can prepare a business for this sort of upheaval.
    No smart business would enter into such an uncontrolled experiment, as that is exactly what using an overseas owned hosting vendor would become. US legal firms are advising clients in Australia to “consider the security and confidentiality risks posed by the Patriot Act and to store their data with providers which do not have any US connections.”
    The truth is, an unpleasant situation has yet to arise, therefore no one knows exactly how this might play out. Do you want to be the guinea pig? Prudent decision making dictates that this should be left for others. Why would you go there?

    Ask the vendor to provide an indemnity clause in their SLA with you that specifies they will cover your expenses etc. for challenging disputed collection of data.

  • There are some very specific laws out there but they only cover a subset of records. For instance the NSW Associations Incorporation Act 2009 states that the member register HAS to be kept in NSW at the association premises or registered address. The register would be a final copy for sure and not work in progress on Google docs. There are others like this.

    Let us not forget the other side to this such as the warrantless searches the US law enforcement agencies can do. In that case you are helpless in protecting your data, they just walk in and take it and could even make it public as part of an investigation. Bye bye trade secrets.

  • I’m more concerned what happens if the company goes belly up. Cloud data should be like banks, with guarantees.
    Access by hackers is another concern, as shown by recent leaks of account information.

  • Checked out Federal Government contracts lately?

    Look for the provisions that prevent offshoring of data. It might not be Privacy Act but if you want work from the Feds you might change your mind.

  • It’s the laws which AREN’T in place when you are hosted in another country which present an issue to customers. Companies might not be obligated to host in Australia, but hosting here means the benefits associated with 2 big matters, the first being the protection of Australian law (including the limit of governmental powers) and secondly, being able to take the fight to the provider on home soil.

    The fact of the matter is that the most likely loss a customer will experience will be through outage (power loss, hardware failure, etc). Being in Australia, in an Australian contract under Australian law with Australian lawyers makes for a far lower risk position to customers/companies being hosted here, than dealing with (SomethingLabs) being hosted in an unnamed location somewhere in SE Asia. It’s a risk mitigation and trust exercise. Customers are asking, themselves, ‘if the host fails me, what recourse do I have?’ including fallout from security breaches, outages, not delivering on SLAs, and needing quick changes/fixes/etc.
