Data sovereignty in New Zealand

Last year Internal Affairs Minister Chris Tremain told The Dominion Post government could make big savings moving public service computing to the cloud.

The same is true for every organisation in New Zealand. It’s not just about saving money. Cloud computing is more flexible and less trouble.

Tremain went on to say government could save more money by using overseas cloud services. He said the cost savings improve as you go further offshore.

That’s also true. But those extra financial savings come with a different cost attached. Data sovereignty is not often talked about in New Zealand, it’s a huge issue in Australia.

What they don’t tell you about data sovereignty

Multinational cloud service providers prefer it when customers don’t ask awkward questions about data  sovereignty. They often dismiss it as insignificant, or argue that it is nothing for you to worry your pretty little head about.

Maybe it isn’t. Yet the moment your data leaves New Zealand other nation’s laws kick-in. In some cases more than one other nation’s laws. That can quickly get tricky.

You are responsible

It is the data owner’s responsibility to make sure everything complies with the local laws in the country or countries where the data is stored. For data stored in the US, this means the government can access your information without a warrant whenever it chooses. Store your data there and you could be in breach of privacy legislation elsewhere.

Australians worry about data sovereignty because their laws prevent certain types of information being stored overseas. New Zealand businesses operating in Australia, need to keep this in mind as they plan cloud projects.

US laws apply to US companies even when they host data from other countries in other countries. The way US law works means it’s possible the cloud company may be forced to hand over information to the US authorities without seeking your consent or even letting you know that it happened.

Why you need to care

All this may seem a little fussy after the recent revelations governments routinely snoop on data. Yet there are still practical legal matters to worry about. Should anything happen to your cloud project that involves going to law, there’s a good chance the action will take place in a foreign court and be subject to unfamiliar rules, concepts and procedures. All of which could quickly get expensive.

I’ve heard stories of companies saving money from hosting cloud projects overseas, only to see all the savings go up in smoke in a foreign court room.

Another problem is the costs of running overseas clouds can be less clear than operating in New Zealand. Overseas cloud providers don’t necessarily have to worry about the same contract transparency rules as in New Zealand. You may find unexpected extra charges. Good luck getting overseas lawyers to sort that out for you.

None of this means you should avoid using an overseas cloud provider. Just be aware of the risks – they don’t tend to get mentioned in the sales literature.