Is it possible to reconcile the global nature of the Internet with the level of security and independence traditional for a nation state? This might seem like an esoteric question but international and local developments demonstrate that this issue is very real and has practical consequences.
A recent case decided by the Court of Justice of the European Union known as the Shrems decision has invalidated the use of safe harbour arrangements between Europe and the USA as a legitimate basis for personal information collected from citizens in Europe being transferred to the US. In saying that the safe harbour arrangement was inadequate the Court cited the overreach of national security activities in the US as inconsistent with the European Charter of Fundamental Rights. The highest court in Europe said the data of European citizens should not be stored in a location where the National security apparatus of the United States had access "beyond what was strictly necessary and proportionate to the protection of national security".
Microsoft is in litigation with the US Depart of Justice (DoJ
) over whether the DoJ is entitled to access to information regarding an Irish citizen held in a Microsoft data centre located in Ireland. The DoJ delivered a court order on Microsoft in the US requiring disclosure of the information. In resisting the order, Microsoft argued in its submissions that if the German government delivered an order on Microsoft in Germany requesting information stored about US citizens held in Manhattan the US government would not consider that Microsoft should make the information available.
Closer to home, a related issue is the subject of a recent legislative proposal from the Federal government. The Telecommunications Sector Security Reforms (TSSR
) propose new obligations on Telcos to protect their facilities and infrastructure from espionage, sabotage and interference by foreign governments and other external interference. A critical compliance issue presented by the proposed law involves the level of control that can be exercised over service providers and facilities that are located offshore. How can a local company stop a foreign government from conducting espionage or interfering with services that originate in the jurisdiction of that government? In a practical sense, information is subject to the law of the place where it is stored. That local law also applies to the delivery of services and the conduct of services providers.
Significant elements of Australian IT infrastructure are dependent to some extent on offshore services. It's not just business process outsourcing like call centres but also use of offshore cloud infrastructure, shared administrative and support services that often require technical expertise that is not available in Australia at all or not available at a competitive price.
The draft guidance on the TSSR says that providers will not be required to retrofit their systems unless a significant security vulnerability is found. Instead, the new security requirement will only apply when changes are made to existing systems. It seems the thinking is that we are in for the long haul and the aim is for a transition, over time, to systems that are secure from foreign interference.
Perhaps the ambition to secure systems from foreign interference is not realistic. We already have an efficient and competitive industry based on an effective use of a range of offshore services. Preventing interference by foreign governments may be cost prohibitive. Also, why pick on the Telcos? Australian business is dependent on many complex services and systems originating from offshore (such as corporate storage and hosting, and over the top services) that are not subject to the new standard.
Two other aspects of the proposed law are problematic. There is no threshold of significance for systems or services that must be protected from foreign interference, and, no distinction is made between services originating from allies and those located with potential adversaries. Perhaps it is too difficult to draw these distinctions.
Information about the TSSR is available from the Attorney General's website. The consultation period ends on 18 January.
By Patrick Fair, Baker & McKenzie partner.