Are data jurisdiction doubts threatening Australian business?

Ninefold, an Australian cloud computing company, claims Australian businesses are uncertain about the ramifications of data jurisdiction on their business and warns that they may be at greater risk of non-compliance with Australian law.

Consequently, Ninefold has released a number of resources on its website (http://ninefold.com/data-jurisdiction/) designed to help businesses understand the issues, assess the risks and design an appropriate data strategy.

Ninefold’s call to the industry follows recent comments from Microsoft UK that European data centres would be required to comply with any requests for access under The US Patriot Act and may be restricted from informing those whose data is affected.

This, coupled with rumours of international cloud computing players expanding into Australia, has stimulated industry debate about data jurisdiction as it relates to Australian business.

“Many businesses have assumed that a local data centre, even if owned by an offshore provider, is enough to avoid data sovereignty issues,” said Peter James, Managing Director at Ninefold. “However, data stored in an Australian data centre owned by a provider headquartered in the US would face the same exposure to The US Patriot Act, and wider US law, as if it were stored in California.”

Mark Vincent, Partner at Shelston IP Lawyers, said, “It’s no surprise that a subsidiary of a US company can be required to comply with US laws. That aspect of jurisdiction is pretty well known and there are a lot of laws that apply to US companies as they do business all around the world.”

Any business that records and stores personal data (such as customer details) needs to ensure it is kept secure in a manner that does not risk breaching Australian law.

Where US law and local jurisdictions overlap, debate has raged over which law would take precedence. This has prompted comment from members of the European Parliament recently, because the European Union's Data Protection Directive requires organisations to inform users when their personal information is disclosed, whereas a provider complying with a request under the US Patriot Act may be barred from notifying the people whose data is affected.

A Canadian report published in 2004, Privacy and the USA Patriot Act, found that US hosting providers would most likely give precedence to US law over local privacy legislation, placing Canadian businesses with data in US-owned data centres at increased risk of breaching local laws.

Vincent confirmed that new, tougher amendments to Australian privacy laws are currently under discussion. “There are amendments afoot to Australian privacy law that will require informed consent to be given by Australians whenever their personally identifiable information is to go offshore. This new version will demand a higher level of consent than under current Australian law. Additional amendments say that if you don’t have that informed consent, and you don’t meet any other exceptions, and you hand data to an overseas service provider and that overseas service provider breaches our privacy act, the company handing the data over will be responsible for the breach.”

The push for ‘informed consent’ – requiring users to be made aware and indicate their understanding of the intention to store their personal information offshore before they agree to use the service – has ramifications for many businesses that may see this as a deterrent for customer sign-ups and registrations.

This puts the burden of responsibility clearly on the business owner, who is exposed if private data entrusted to them is accessed in compliance with the laws of another jurisdiction but in a way that conflicts with Australian law.

Kathy Phelan, MD and Co-founder of the Social Media Education Group, an organisation that helps other organisations host private data in connection with online web services and social media apps, said, “We have an obligation with government data that it is stored in Australia. One of the problems we had with a particular offshore cloud provider proved that the data was not kept where I thought it was. It was kept in a completely different US state. I think that’s one of the difficulties with international providers – you don’t actually know where the data is.”

Peter James said a local data centre, owned by a local provider, is still the safest option. “Take a risk assessment of your data. Once you’ve identified your high risk and low risk data, you can apply different criteria to each when planning your data storage strategy. Legal and regulatory considerations are of paramount importance for high risk data, but the other criteria of price, latency, reliability and service may be more important to you when dealing with low risk data. A risk management strategy can help you minimise the risk not only now, but in the future as laws continue to shift.”