Telco industry opposes the government’s attempt to localise data
The Australian government wants your data to be kept in Australia. But while data localisation policies sound great in theory, they present several practical complications. “Big tech” companies like AWS, Microsoft, Google Cloud, and Meta have already opposed the government’s data localisation proposal. Telstra, Optus, and other telco industry players have now joined in to raise concern over data localisation.
The telcos have pointed out that data localisation is easier said than done. Telstra has called for risk-based guidance instead to help industry players understand security and risks in international jurisdictions. Optus agrees but has also cited the enormous costs and time involved in getting it done and has compared it to the government’s experience in its ongoing efforts to move data from its Global Switch facility in Ultimo.
This article discusses the government’s and the telco industry’s position on data localisation and points out the pros and cons of such a move. Read on to find out.
Why the Australian government wants your data to remain in Australia
To close security gaps, the Department of Home Affairs introduced an action plan to boost Australia’s data security. The government encouraged feedback from concerned industries regarding the action plan, which, amongst other points, seeks to localise data by keeping it here in Australia.
Data localisation refers to the requirement that data is stored within a specific geographic location, often the country where it was generated. In recent years, there has been an increasing trend of governments worldwide implementing data localisation policies, aiming to protect their citizens’ personal data and enhance national security.
Home Affairs’ position isn’t exactly unpopular to the public. Many would support the idea of keeping their data here in Australia instead of spreading it around the world. The thought of having your data in a foreign country, under the purview of a foreign jurisdiction, is enough to make the average Aussie cringe – especially with the spate of data breaches in recent years.
Home Affairs minister Karen Andrews says the plan is to ensure your data is “stored securely, so it can’t be stolen, hacked, or held to ransom”. But while this sounds like a welcome plan, the telco industry has now voiced several challenges to its implementation.
Telstra, Optus, and others are pushing back on data localisation
Telstra and Optus are pushing back on data localisation for several reasons. For one, data localisation is a costly, time-consuming endeavour. Additionally, localising data can restrict the ability to provide global services and access valuable data from other countries, which telcos can use for research and development purposes. And although the government’s focus is security, storing all data in one location can increase vulnerability to cyber attacks.
Telstra’s position on data localisation:
Although Telstra’s reply to the government’s action plan considers costs, the telco welcomes a data security framework. But amongst other things, Telstra suggests that the government’s data security approach should focus more on guidance, not regulation. Telstra’s submission stated, “Guidance, rather than regulation, will ensure data custodians are informed of the risks while retaining the flexibility to make decisions best suited to the requirements of all the jurisdictions they operate in.”
Telstra also pointed out that the different government policies related to data security could overlap and confuse industry players. Data security guidance and regulation already exist in the form of the Protective Security Policy Framework (PSPF), the Information Security Manual (ISM), and the Digital Transformation Agency’s (DTA’s) Secure Cloud Strategy. The telco suggests that more policies could confuse the industry and cause undue burden.
Another way to look at how multiple policies on the same subject could do more harm than good is by considering incidences where federal and local laws or policies conflict. For instance, while the federal government considers strict rules to localise data, individual states and territories have implemented rules of their own that are sometimes conflicting.
Optus’ position on data localisation:
Optus agrees with Telstra’s points but took a more aggressive and critical approach in responding to the government’s discussion paper. Optus’ concerns seem to centre mostly on how costly and time-consuming data localisation would be, especially at this stage where telcos already store data offshore.
Optus has called Home Affairs’ attention to the difficulties the federal government is facing in the ongoing attempt to pull data from the Global Switch Ultimo facility. Optus’ response stated, “The ongoing transfer of Australian government data out of the Global Switch Ultimo (GSU) facility will have taken over a decade to complete at a cost in the hundreds of millions over the life of the project.” The telco went on to state that “transferring data from an international to a domestic location, the cost in both time and money would far exceed that of the GSU project.”
Others in the telco industry oppose data localisation:
These telcos are not alone. The Communications Alliance, the peak body representing the telecommunications industry in Australia, has also been critical of strict data localisation. The alliance has argued that the policies would harm innovation and participation in the global economy as they would limit data flow between countries.
The alliance also echoed concerns about how costly data localisation would be and suggested that instead of using data location as a security measure, “technical controls to establish and maintain data security and privacy” are more important.
Final words – Data localisation could do more harm than good
While telcos are primarily concerned about the costs related to moving data from international facilities to local ones, there are other drawbacks to data localisation.
Storing all data in one location can be a security risk because it creates a single point of failure, making it an attractive target for criminals outside and inside the storage facility. This centralisation of data could increase the risk of data breaches and cyber-attacks. For example, a well-coordinated cyber attack aimed at a single data storage facility could result in widespread damage and compromise of sensitive data. In contrast, distributing data across multiple locations can make it more difficult for criminals to access and compromise the data, as they would need to penetrate numerous security systems.
Also, consider natural disasters, which we have endured quite frequently here in Australia. Data loss could be catastrophic if all data is stored in one location and a disaster impacts that location.
It is common for regulators and governments who oversee this sort of situation to lay down laws without understanding the implications of what they’re doing. For an Australian telco (or all Australian telcos) to have to create a data warehouse to store the incredible amount of information generated on their networks would be a crippling cost – for an industry that already struggles with profitability.