Comments to Australia’s Department of the Prime Minister and Cabinet Regarding the National Data Security Action Plan
Australia’s National Data Security Action plan includes many useful ideas and questions, but also some seriously problematic ones, especially its framing of data as a national asset and its consideration of data localization (forcing firms to store data within a country’s borders). This submission addresses issues with the Action Plan’s conceptual framing, before moving toward a detailed analysis of its consideration of data localization (question 5 of the Action Plan).
Overview
Policymakers are often mistakenly told that “data is the new oil.” Yes, like oil, data is a valuable input to the economy. But unlike oil, data is non-rivalrous—one party using data does not reduce the amount of data available for others to use. And unlike oil, data is non-fungible—one piece of data cannot be substituted for another the way barrels of oils are interchangeable. Unfortunately, the “data is oil” analogy has led to some poorly conceived policy ideas, in particular the idea of data localization and data sovereignty.
Unfortunately, many protectionist (and often authoritarian) countries advocate a policy of “data sovereignty,” the concept that governments should keep all domestic data local to ensure it remains subject to domestic rules. These ideas directly follow the economic principles put forth in the 1974 Declaration for the Establishment of a New International Economic Order by the United Nations General Assembly that called for “full permanent sovereignty of every State over its natural resources.” Policymakers following this line of thinking believe governments should treat data like a finite natural resource that must be protected from foreign actors seeking to exploit it for profit. Those who espouse this view see data as no different than any other resources a country may be naturally endowed with like oil or minerals.
Australia’s National Data Security Action Plan also reflects some of this muddled thinking. It declares that “Australia’s data is a valuable national asset requiring robust security settings” and that “inadvertently allowing another country to access Australia’s most critical data will erode our sovereignty and control over that data in the long term.” In other words, Australian policymakers are trying to lock down domestic data out of concern that foreign actors may exploit it for unfair economic gain. However, in all cases, data sovereignty is thinly disguised protectionism. Indeed, these policies often gain traction because many policymakers conflate data protection and data protectionism.
Data protection is a legitimate effort to ensure the confidentiality, integrity, and availability of data. For example, policymakers should seek to protect sensitive information from inadvertent disclosures. Sensitive information includes both personal data and non-personal data that, if revealed, undermines privacy, safety, economic, and security interests. For example, sensitive information could be personal data about a person’s health that reveals information the individual would prefer to keep private; intellectual property (IP), including trade secrets, that businesses want to protect; or non-personal information such as classified government data that undermines national security. In these cases, stronger data protection measures, particularly enhanced technical safeguards and better cybersecurity practices, can help prevent data breaches or other unintentional disclosures of sensitive information, including to foreign governments or firms.
But data protectionism is not focused on preventing the disclosure of sensitive information. Instead, it is focused on preventing those outside the country from generating value from data. While the goal of these policies is to maximize value for domestic companies, the net impact of these restrictions is almost certainly negative. The problem is that most data has little to no value until businesses do something with it. Therefore, the more businesses can gain access to data, the more value can be generated. Restricting foreign firms from accessing domestic data limits the potential universe of businesses that can add value to data. That means data holders—whether they are consumers or businesses—miss out on opportunities to benefit, directly or indirectly, from their data.
Consider an Australian radiology lab that has thousands of medical images. Data protection rules are completely legitimate to ensure that personal medical records remain private. However, Australia’s data protectionism rules (under section 77 of Australia’s Personally Controlled Electronic Health Records Act) prohibit organizations from transferring health records overseas. This limits radiology labs from using non-Australian AI systems that could be faster and cheaper and more accurately interpret diagnostic imaging results. These restrictions result in potentially higher costs for Australian businesses and consumers, in addition to worse health care outcomes. It also means that Australia would be in a position to contribute less to improvements in global health outcomes.
Moreover, data protectionism does nothing to enhance data protection. Requiring data be stored in-country (or with domestically owned companies) does not impact the overall security of data. Australian data, for example, is not more secure in an online service simply because that service is owned and operated by an Australian company rather than an American one. The security of the online service depends on a series of technical, legal, and physical controls at the company. Countries that pursue data protectionism risk reciprocal actions by other governments. For example, Australian mining giant Rio Tinto collects data from around the world as part of its smart mining program to analyze geology, optimize energy use, and automate its autonomous equipment. If other governments prohibited Rio Tinto from sending data back to Australia it would have a negative impact on the company.
Unfortunately, policymakers in many countries associate data localization and protectionism with the concept of digital sovereignty, which is not only misleading but actually undermines governments’ efforts to ensure local laws and regulations apply online. Digital sovereignty and associated terms such as ‘cyber sovereignty’ and ‘data sovereignty’ are commonly used pejoratively as catch-all phrases to encapsulate the adoption of data localization and other restrictive policies. Many policymakers portray digital sovereignty as a strong yet nebulous concept, usually referring to the assertion of state control over data, data flows, and digital technologies. More often than not, it’s based on protectionist goals that it helps countries “take back control” and “sovereignty” from foreign technology firms and trading partners (mainly the United States, but increasingly China as well). Misconceptions about data and cyber sovereignty miss the point that a complex interplay of economic, governance, social, and political factors determines a country’s position on digital issues. Policymakers deliberately—and deceptively—use these concepts to condense complex phenomena into catchy phrases.
Proponents think that forcing firms to store data locally enhances the state’s agency and that of their own firms and people. At best, the agency gained by data localization is illusory. In many cases, it is counterproductive. And in cases like Australia—which is a middle-sized economy that depends on global data flows and digital trade to build critical economies of scale and which has actively supported efforts to build an open, rules-based, and innovative global digital economy—data localization undermines other important economic goals as it reeks of hypocrisy and opens a loophole for other countries to enact broad digital protectionism policies. And in the case of authoritarian countries, it is predatory given the agencies data localization policies tend to support are those involved in surveillance and social and political control.
Even those policymakers and advocates who support narrow, limited data localization rules are still often misguided about how cloud services and cloud security functions. This submission analyzes several examples showing this, including the risk of having government agencies store data on premise in the misguided pursuit of cybersecurity. Data security depends on the technical, physical, and administrative controls implemented by the service provider, which can be strong or weak, regardless of where the data is stored. If the Australian government wants to ensure its most sensitive data is especially secure, it can specify detailed technical and control requirements in its procurement contracts, such as the use of international standards for cybersecurity, the use of specific encryption, and cloud-based hardware security modules. Government policymakers need to appreciate that leading cloud service providers invest huge amounts of resources in designing and maintaining cutting-edge cybersecurity measures as their business depends on it. The dynamic nature of cyber risks means that they need to do this continuously. Furthermore, the global operations of leading cloud firms actually improves their ability to protect data as they have to defend against all manner of threats (as compared to just a local firm) and can leverage their global services to secure data, such as through the use of “data sharding” and other technologies.
The Australian government should obviously choose cloud providers based on their commitment to best-in-class cybersecurity measures and transparency and auditability about how they manage and protect data. As part of this, it can review their commitment to aiding by local laws and regulations and pushing back on unwarranted foreign government requests for data. Australia should use all the tools it has to address its cybersecurity concerns. For example, Australia already uses security reviews under its foreign investment screening framework to ensure cloud service providers from countries like China do not manage sensitive government data (which is fair enough).
The challenge for Australian policymakers is putting the right policy pieces together to best protect sensitive government data and services and protect and support the use of data by Australian businesses and citizens, while avoiding misguided and counter protective ones like localization. Australia is already well on its way in doing this in many areas, but including data localization in its National Data Strategy would be a critical misstep that would undermine what it’s otherwise working to achieve at home and globally in terms of digital policy. This is why the OECD’s “Assessing Digital Strategies and their Governance” report counts localization as a detrimental factor in its comparative assessment of different countries’ strategies. Australia scores relatively well at the moment, but if it took into consideration the National Data Strategies proposal for data localization it’d inevitably effect Australia’s score across all categories and overall given data and data governance policies are part of all categories.
Read the filing. (PDF)
