Australia considers bar on offshoring of personal data

The Australian government is considering legislating to ensure that all sensitive government data is held in Australian data centres owned by domestic companies, minister for government services Stuart Robert said last week.
Speaking at a National Press Club lunch, Robert said that the government is examining data sovereignty requirements and how to reassure the public that their data is secure. Transparency and trust are critical, he said, as the government moves towards its goal of making all government services digitally available by 2025.
“We need to take care of that data so we’re exploring what does it mean for nationally significant sovereign data and how should we protect that,” the minister said. “This will include considering whether certain data sets of concern to the public should be declared sovereign data sets and should only be hosted in Australia, in an accredited Australian data centre, across Australian networks and only accessed by the Australian government and our Australian service providers.”
He added: “We need to ensure that Australians can trust that government will appropriately manage the information that they provide to us – whether it is for a tracing app or for the Census. We want to say to citizens we’re going to be very transparent with how we’ll use your data and transparent in how we’ll secure it.”
The speech came after Australia’s information and privacy commissioner, Angelene Falk, called for changes to legislation designed to facilitate data-sharing with other countries. In a submission to the Parliamentary Joint Committee on Intelligence and Security, which is currently scrutinising the International Production Orders (IPO) Bill, Falk said that better safeguards are required to protect Australian citizens’ personal data.
The IPO bill is intended to pave the way for Australia to set up a reciprocal agreement with the US, whereby authorities in both countries would be able to directly request information from companies based in the other without the need to go through local authorities.
“The Office of the Australian Information Commissioner (OAIC) recommends that the bill be amended to ensure personal information that is disclosed by Australia designated service providers to foreign governments is appropriately protected,” Falk said in the submission. “The bill should require that, in relation to foreign countries which do not have privacy protections equivalent to the Privacy Act, designated international agreements contain provisions which afford comparable privacy safeguards.”
As things stand, the Australian Privacy Principles require Australian companies disclosing data to overseas jurisdictions to ensure that the recipient does not breach Australian privacy laws. However, the restriction is not currently contained within the IPO bill – something Falk said should be changed before the bill is passed.
“The wide range of data that could potentially be accessed under an IPO can provide a rich and detailed picture of an individual’s location, habits, associations, beliefs and preferences, with detail increasing commensurately with the volume of data collected and the methods used to process it,” she said. “The scope of proposed measures must be as clear and transparent as possible and subject to appropriate safeguards, oversight and accountability.”
In other news, it also emerged last week that the OAIC has opened a joint investigation with the UK’s Information Commissioner’s Office (ICO) into the way facial recognition firm Clearview AI handles personal data, focusing on the company’s use of ‘scraped’ data and biometrics of individuals.
“The investigation highlights the importance of enforcement cooperation in protecting the personal information of Australian and UK citizens in a globalised data environment,” the OAIC said in a statement. “In line with the OAIC’s Privacy Regulatory Action Policy, and the ICO’s Communicating our Regulatory and Enforcement Activity Policy, no further comment will be made while the investigation is ongoing.”
Clearview’s facial recognition app allows users to upload a photo of an individual and match it to photos of that person collected from the internet. It then links to where the photos appeared.
It is reported that the system includes a database of more than three billion images that Clearview claims to have ‘scraped’ from various social media platforms and other websites.
The statement said that the OAIC and ICO will engage with other data protection authorities that have raised similar concerns “where relevant and appropriate”.