Data sovereignty: practical reality or pipe dream?

As tech giants including Microsoft and Amazon make noises about establishing New Zealand-based data centres, a paper by Associate Professor Gehan Gunasekara examines data sovereignty; whether it’s achievable, and how Kiwis’ online information might be better protected.

Data sovereignty typically implies control over data under the nation’s laws where it’s stored, but Gunasekara suggests that localising data storage doesn’t necessarily lead to sovereignty.

The privacy expert says there are several “serious deficiencies” in Aotearoa’s information privacy regulations and shows that the country’s Privacy Act 2020 needs updates.

“Currently the Act provides a very generous safe harbour for the providers of cloud services and similar information storage and processing services in New Zealand, irrespective of where they locate the data.”

Gunasekara’s paper, ‘Data sovereignty and privacy: a chimera or realistic prospect in Aotearoa New Zealand?’ exposes two major weaknesses in the data privacy section of the Privacy Act.

First, it highlights a lack of clarity about the purposes for which data processors, such as cloud service providers, can use the personal information with which they’re trusted.

The author says the rules in the Act’s information privacy principles only apply to personal information. However, if this personal data is anonymised and clustered together, commercial entities can freely use it for any purpose. This could include developing algorithms or training artificial intelligence.

Second, it details a lack of formal requirements for accountability and redress in relation to transfers and overseas disclosures of personal information.

“A significant shortcoming of New Zealand’s information privacy regime is the absence of safeguards when information is transferred from one agency to another to enable the information to be stored or otherwise processed for the first agency’s purposes,” he says.

This is the case whether the transfers occur within New Zealand or outside of it, according to the paper.

“My article identifies that there’s a risk to New Zealand companies and governments storing data using foreign companies, cloud and data processing services. The danger is that when you give them the data - are they using it just for the services they’re contracted to provide or are they mining that data to provide benefits for their own company? That’s where the border is a bit fuzzy.

“What I argue in my paper is that our Privacy Act is outdated. It doesn’t take into account new technologies.”

Solutions proposed in the article include only enabling cloud providers to hold data in encrypted form, with the keys to unlocking the data held by ‘data trustees’.

These trustees, says Gunasekara, could be locally based technology companies which could be required to unlock the data if requested by the owner or compelled by authorities under New Zealand law.

The associate professor says further legislative safeguards are also needed to clarify limits on cloud providers’ use of aggregated and anonymised data for commercial benefit and the minimum standards that should be part of their agreements with the agencies using them.