The Cloud and data sovereignty after Snowden

David Vaile

Keywords

Cloud and data sovereignty, cloud, data

Abstract

The Snowden revelations have renewed interest in jurisdictional questions about where data is kept (location) and who claims the capacity to direct the hosting entity to give access to it (control). Early attitudes to the cluster of technologies marketed as The Cloud generally played down this aspect, and the unilateral contracts offered by many major providers declined to specify these parameters for the technical provision of a Cloud service. Interest has been rekindled by a growing appreciation that assurances of security and confidentiality are no barrier to certain forms of access being granted to third parties in other jurisdictions. This paper explores the technical and legal issues involved from the perspective of an Australian business interested in both customer and government attitudes, and discusses how moves to implement jurisdiction location and control preferences have been characterised as Data Sovereignty and Digital Protectionism by differing interests.

