ITP Techblog

Brought to you by IT Professionals NZ
« Back to Home

Data Sovereignty and Privacy in the Cloud

Paul Matthews, NZCS CEO. 08 February 2011, 10:00 am
Data Sovereignty and Privacy in the Cloud

Happy New Year!

If you're like most people across the ICT sector you would have recently returned to work, and that great Christmas holiday is in the process of turning into a distant memory. Don't depair - not long until Easter! :-)

Not everyone was on holiday over the break however, and some particularly interesting things happened both in New Zealand and abroad over the Christmas period especially in the areas of data sovereignty and privacy in the Cloud.

But first, some of you may have heard of the rather strategically challenged attempt to have GST imposed on overseas purchases in Australia, led by Gerry Harvey of Harvey Norman fame. The concept is that he didn't think it fair that someone ordering something to Australia under $1000 online from overseas didn't pay GST, but if they bought the same thing in his store they did.

While he might have a point, the tactic of taking out full page adverts in Australia's main papers rather backfired. As well as reminding people that it was cheaper to buy technology online rather than his stores, he also singlehandedly managed to annoy a big chunk of the Australian people who don't take kindly to anyone lobbying for more tax...

That idea's subsequently been dumped.

Twitter ordered to hand over Wikileaks info

Those who took their laptops on holiday might also have read that the Wikileaks issue took another interesting turn recently, with the US Government subpoenaing the records of those involved in the Wikileaks website from Twitter and possibly others. There are several worrying aspects to this. Firstly, this was initially a "sealed" order, meaning that those targeted were not even informed or given the opportunity to defend against it. Fortunately Twitter went to court and got that overturned.

Secondly, in some cases this was for people based outside the US and using the service outside the US, including an Icelandic Member of Parliament. Because Twitter is based in the US, however, the US Department of Justice decided to have a crack at it. I don't know about you, but to me this raises some very serious data sovereignty issues.

Moving Government to the Cloud

Back home, right before Christmas the Government released an RFP for the next phase of "all of government" procurement, looking to move to a Infrastructure-as-a-Service (IaaS) approach - basically moving into the cloud. While some Labour-aligned blogs labeled this privatisation by stealth, we're more concerned about the implication of tax and other records being stored by non-Government entities and will be watching this very closely.

No doubt this issue will be discussed at the NZCS presentation next week in Wellington by Brian More, Chief Architect of the Government Technology Services (GTS) from Internal Affairs. This has now sold out with over 160 attendees, however we'll be looking at whether we can record the presentation and make it available to others - I'll keep you posted.

IRD's stance on Cloud-based data

Speaking of cloud, as many of you know in December IRD released an alert stating that:

It is the Commissioner's view that only business records stored in data centres physically located in New Zealand will comply with the record keeping obligations in the Inland Revenue Acts. Taxpayers are responsible for ensuring they comply with their record keeping obligations. Therefore, taxpayers using a cloud computing service will need to be satisfied that all their business records will be stored in data centres located in New Zealand. 

Highlighting the power of social media, Rod Drury (founder and CEO of Xero) responded almost immediately on the Xero blog stating that it was all good - they were working with IRD on the issue. Since then, IRD have confirmed that's the case, and hinted that they'll be working with individual software companies on exemptions for specific products.

This raises some issues of course. Whilst Xero might boast a good relationship with IRD, what about smaller software houses? And what about those that utilise services such as DropBox to store their files in the Cloud? (albeit that service usually retains a copy on your computer) - are they unknowingly breaking tax law?

What we're mostly concerned about, however, is what level and nature of access to records will software providers have to give IRD to receive an exemption? Granted, IRD does have the right to come and examine your records in your office, but at least this is with your knowledge and with the opportunity to be present. Does getting an exemption mean IRD will be able to access your customer's draft financials or other files online anytime and without notice, warning, knowledge or consent?

Data Sovereignty

What all of these circumstances point to is that a serious and wide-ranging conversation around issues of data sovereignty and privacy in the age of the Cloud is very much overdue in New Zealand, and consideration of whether our existing laws are good enough.

We intend to work very closely with the office of the Privacy Commissioner and others over the next few months to explore some of these issues in more depth and look to ramp up this conversation, as well as watching developments over the next year very carefully. And if you're in Auckland, some of these discussions are sure to come up at the Privacy-focused breakfast event in a couple of weeks.

Without doubt we'll be looking for you input on this and a range of other issues, so I hope you'll consider contributing your views when the time comes.

Anyway, until next time,



Paul Matthews
Chief Executive
NZ Computer Society Inc


You must be logged in in order to post comments. Log In

Web Development by The Logic Studio