[LINK] Data Sovereignty questions
Roger Clarke
Roger.Clarke at xamax.com.au
Mon Jan 28 15:35:09 AEDT 2019
On 28/1/19 14:52, Bernard Robertson-Dunn wrote:
> Suppose ADHA, who run My Health Record, wanted to use Akamai CDN
> services for all the usual reasons.
>
> Questions.
>
> Would Akamai have to use Australian servers to store the cached, static
> data? or could they use overseas servers?
>
> Would Akamai have to use edge servers in Australia? or could they use
> USA based edge servers
No specific answers, sorry; but here's the publicly-provided
information-base that enables answers to be developed:
1. The Objects of the Privacy Act include:
http://www8.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s2a.html
> (f) to facilitate the free flow of information across national
> borders while ensuring that the privacy of individuals is respected; and
The primacy of economics, and the secondary, mere constraint of a bit of
respect for privacy, are cemented in, as with all OECD-derived d.p. laws.
Put another way, if an agency found it cheaper to export the data, the
onus would be on proponents of national sovereignty to argue the case
for it *not* to be exported.
And of course, even if such a discussion were ever held, there's no
representation of the public interest in the room. (The OAIC doesn't
have any right to be in the room, and is in any case an administering
and facilitating agency, not a protector of the public interest).
2. APP8
https://www.oaic.gov.au/individuals/privacy-fact-sheets/general/privacy-fact-sheet-17-australian-privacy-principles#australian-privacy-principle-8-cross-border-disclosure-of-personal-information
"take such steps as are reasonable in the circumstances"
"does not apply ... if [long list of loose and open-ended circumstances]"
A trainee lawyer could drive a bus through it.
3. OAIC Guidelines on APP8
https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-8-app-8-cross-border-disclosure-of-personal-information
Expensive lawyers paid for out of the OAIC budget wrote over 6,000 words
to assist aforesaid trainee lawyers to find said gaps of bus-width.
My short answer is that I reckon any agency can do absolutely anything
it likes, without any risk even of it being in breach, let alone of any
sanctions applying or retribution being taken. (IANAL, and I haven't
wasted the time doing enough hard yards to remove "I reckon").
> What is the current status of USA law regarding USA companies having
> to hand over foreign data that they (the companies) store to their
> government?
AFAIK, few effective constraints apply to the assertions (under several
laws) of US extra-territorial powers, which mean that the data doesn't
even have to be in the US, merely in the possession of a US corporation.
--
Roger Clarke mailto:Roger.Clarke at xamax.com.au
T: +61 2 6288 6916 http://www.xamax.com.au http://www.rogerclarke.com
Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Visiting Professor in the Faculty of Law University of N.S.W.
Visiting Professor in Computer Science Australian National University