The Trans-Pacific Partnership has been the definition of a long, slow-burn issue. Partly this is because it has taken so long – five years of negotiations – and partly because there are so many issues wrapped up in it.
One issue that has been of interest to Macquarie Telecom has been its impact on the ability of governments to require some sensitive personal information to be held in data centres onshore. There was confusion about this issue because the negotiations were secret and only sketchy information emerged during the years of negotiations. But now that the TPP has been released, it is apparent it has not fundamentally changed the game.
What has happened in courts around the world over the past nine months, however, does look like it might be heading toward a seismic showdown.
Before discussing how I have reached those views, let me explain why we think data residency is an issue consumers should be interested in, and what is going on with the TPP.
We entered the data centre world in 1999, the first Australian telco to build a data centre. We’ve been in the cloud services and government market for well over a decade. As the first Australian telco to build a data centre, and having advocated both cloud generally and government adoption of cloud specifically since before the beginning of this decade, we’ve been talking about the importance of getting security right for a long time. And, within that, we’ve spoken at length on the importance of those holding people’s sensitive information making informed choices about whether that needs to be kept within Australia.
The reasons are simple.
- The most important ingredient in any emerging market is confidence. The biggest threats to confidence among consumers are doubts about safety and whether there is practical redress if things go wrong.
- When things do go wrong, even working out what authority to speak to, let alone actually seeking redress, can be difficult if you are dealing in another country, or multiple countries.
- Sometimes, there are circumstances where companies and agencies need to be able to actually visit the place their data will be stored to ensure it meets security standards.
- And, if your data is in another jurisdiction, legal access might be available to people you don’t know or don’t want looking at the data, creating a real security risk.
For these reasons, we have argued long and hard for information, choice and flexibility for people to determine where their data is located. The Government has led the way with strong guidance to agencies about identifying and assessing the risks before they put data overseas.
So, what is TPP, where is it up to and why is it relevant to this discussion?
The TPP is a very expansive trade deal between 12 nations in or bordering the Pacific. The final document contains 27 Chapters covering topics ranging from Investment to Labour to Environment to individual industry segments, such as Textiles and Apparel and the environment for doing business, such as Transparency and Anti-Corruption. Some chapters contain annexes with specific commitments and comments from each country, and some of those run to dozens of pages. Participating nations signed off on the text at the beginning of February, concluding five years of negotiation.
There is now a two-year ratification period within which at least six nations accounting for at least 85 per cent of the GDP of the group must approve it for implementation through their domestic political processes. In practice, that means the parliaments of the US and Japan must implement it. President Obama is working to have it ratified by the US Congress before he leaves office, but there are questions about whether this will happen in a US Presidential election year. Hillary Clinton and Donald Trump have both said they oppose the agreement. This means there is still a strong chance that the whole TPP will not go ahead.
Putting that uncertainty aside, there are chapters of the final TPP that discuss rules limiting policy around e-commerce and government procurement that pertain to data residency. During the many years the deal was being negotiated, only snippets of information were released. Some of these stories suggested nation states would be precluded from requiring that some information is retained onshore if it is moved to the cloud. That is, there would be no way a government could mandate that your personal information was kept in Australia, no matter what the risks of sending it offshore. This was obviously deeply concerning to us.
Now that the text is no longer secret, we can provide some considered views. Having had time for some expert analysis, we believe the TPP does not mean the Government has thrown away any ability to determine where it stores data, or its ability to say that some data should not leave our shores.
That is, it should have:
- no impact on the present policy and regulatory arrangements,
- nor on the Government’s future ability to require some data to be located onshore, where there is a good reason for it.
So what does the TPP say and do?
The relevant provisions are in the E-Commerce chapter, which contains Article 14, and the Government Procurement Chapter, which contains Article 15.
In the E-Commerce Chapter, Article 14.13 focuses on the Location of Computing Services.
In 14.13 (2), it creates a general obligation on the signatory countries that they will not require a business to use local computing facilities as a pre-condition to do business in that country. But, importantly, that obligation is sandwiched between two clauses that qualify that obligation.
Most importantly, 14.13 (3) makes clear that businesses CAN be required to use local facilities if there are legitimate public policy reasons, provided that is not an unnecessarily heavy-handed means of achieving that policy objective.
What is a legitimate public policy objective? Well, 14.13 (1) recognizes that countries have their own policies to ensure security and confidentiality.
The Government Procurement chapter contains a National Treatment obligation in Article 15.4. In short, this obliges member countries to treat overseas providers of goods and services no less favourably than domestic providers. However, that only means the same conditions apply to all suppliers.
Article 15.12 (7) says the obligation is not intended to prevent a country from applying conditions and technical specifications that limit storage of sensitive data to on-shore.
So, the TPP is not, in Macquarie’s view, the game changer for data residency some reporting suggested it would be. It does not throw out the ability for governments or businesses to make choices for good public policy reasons about where their sensitive data is stored.
However, aside from the TPP, data sovereignty has for the first time become front page news around the world because the action has suddenly moved to the courts.
A series of actions in the US and Europe have created great uncertainty about the obligations of those holding data, the appropriateness and effectiveness of the attempts to balance privacy against government access, and the extent and reach of the powers of governments and government agencies.
First there was the US Department of Justice versus Microsoft case, where a US law enforcement agency has been seeking access to the data of a non-US citizen, created overseas and held overseas, by means of a warrant issued and served in the US. Its rationale, which has so far been supported through the courts, is that the data is held by a US company and therefore falls within US jurisdiction.
Then there was the decision by the European courts that the “safe harbour” data transfer agreement allowing European citizens’ data to be transferred to the US was invalid because the US privacy protections were inadequate to meet European standards.
And the past three months have seen perhaps the most dramatic of all stories – the escalating stand-off between the technology sector and the FBI and Department of Justice over attempts to have Apple bypass a security feature on the iPhone that belonged to a now dead domestic terrorist.
The FBI says it requires access to the data stored on the iPhone but needs Apple to disable a security feature to allow that to happen. The FBI wants to run a program to try any and all combinations of the PIN code that presently is preventing them from accessing the device. But a standard security feature on the phone would cause all data on the device to be wiped if 10 incorrect codes were attempted. The FBI wants Apple to remove this protection.
Apple argues there is a line-in-the-sand civil liberties principle at stake – governments should not be deliberately seeking to force companies to build security “work-arounds” because, in the wrong hands, tremendous harm could be caused to Apple users. This is obviously a very vexed case and no one, including Apple, is accusing the FBI of being motivated by ill motives. However, the subtext to this, as it is to the Microsoft Department of Justice case, is that where the US leads, other governments are sure to follow.
Microsoft’s lawyer, referring to the idea that the US could reach into another country to access the data of someone who was using a US-owned service, was quoted as saying “we would go crazy if China did this to us”. Similarly, those opposed to the FBI action against Apple have suggested China would demand similar access to security by-pass technologies if the FBI is successful.
These actions and debates all go to the same issue Macquarie Telecom first raised in the context of the US Patriot Act years ago – jurisdictional reach is a real issue. Knowing who has legal access to your data, and what you can do, are legitimate questions for businesses transitioning to the cloud.
As I’ve said before, some of those companies that are now most prominent in arguing that the US authorities are going too far took a different position to ours in the past.
Our view remains that the best thing the industry can do is accept that it is perfectly legitimate for people to prefer that some data is kept onshore and to provide products that do that. It should provide transparency about what services locate data where. It has always been Macquarie Telecom’s view that this is good for cloud adoption. Transparency is a necessary element of a strong market.
In the absence of information, people will jump to negative conclusions, and be ruled by fear of the unknown. That suspicion, once created, can be very hard to shift.
Aidan Tudehope is the Managing Director of Government & Hosting at Macquarie Telecom. Aidan presented the above blog at the 4th Annual Data Centre and Cloud Conference, Royal Pines Resort, Gold Coast, Qld (March 2016).