Some of the biggest public cloud providers are currently constructing data centres in New Zealand. This is seen by many as a positive move that will decrease New Zealand's reliance on offshore cloud facilities, potentially reducing both technical and legal risks.
The New Zealand Government has also recently updated its "cloud first" policy, including removing the 2012 directive for agencies in the public sector to use the services from the New Zealand-based IaaS (Infrastructure as a Service) providers available under the IaaS panel. This change may contribute to growth in the Government's use of public cloud facilities, including those being opened in New Zealand (see our recent update Refresh of the Cloud First policy).
There is debate over whether New Zealand should allow itself to become heavily reliant on offshore providers of cloud services. One risk of using offshore facilities often cited is 'jurisdictional risk', where data becomes subject to the laws of the foreign jurisdiction where it is stored, potentially increasing the risk of disclosure - such as to foreign law enforcement agencies.
While that is certainly an important consideration, it is worth noting that moving to data centres located in New Zealand won't entirely eliminate jurisdictional risk in any event if the data centre is owned by a foreign entity (as many will be).
Jurisdictional risk for data stored in New Zealand
There are often two sets of laws which need to be considered when thinking about jurisdictional risk:
- The laws of the country in which the data is stored (eg data stored in Australia may be subject to the laws of Australia)
- The laws of the country in which the service provider is registered (eg a United States company or its subsidiaries storing data in Australia is also, in some regards, subject to the laws of the US).
Moving data to a New Zealand data centre will remove the need to consider the laws of other countries that apply to data stored in those countries. However, jurisdictional risk remains, as the laws of the country in which the data centre provider is registered may still apply to that provider even if the data concerns New Zealanders and is only held in New Zealand.
US CLOUD Act
When New Zealanders use overseas-owned cloud providers, they are most commonly US-owned. In 2018, the US Clarifying Overseas Use of Data Act (CLOUD Act):
- Introduced a new type of order to compel data within the “possession, custody or control” of a company subject to US jurisdiction, regardless of the data’s location
- Created a US mechanism for bilateral agreements with foreign countries for cross-border law enforcement data access. This can be used with any entity – not only those subject to the US jurisdiction.
New Zealand is party to international treaties that allow foreign law enforcement to request access to data stored in New Zealand. However, these requests are made via diplomatic channels and are seen as slow and cumbersome. Requests for data under CLOUD Act agreements are made directly to overseas service providers, not via a central government authority, making requests much easier and faster.
New Zealand has not entered into a bilateral agreement with the US, so the second limb is currently not relevant to data stored in New Zealand (both Australia and the UK have entered into such agreements).
However, the possibility of orders for access to data held by US companies (including their subsidiaries registered in New Zealand) under the first limb applies equally to such companies whether data is stored in New Zealand or other countries. Moving data to New Zealand will therefore not protect it completely from the reach of foreign law enforcement requests.
Level of risk
It is difficult to identify how frequently foreign governments make orders to obtain data and what types of information are disclosed, or the extent to which US enforcement agencies may be interested in data belonging to New Zealand organisations that is stored in New Zealand (as opposed to US companies' data that is stored offshore).
Most of the major providers, including Microsoft, AWS and Google report on the number of requests received and the percentage of requests that result in disclosure of "non-content" and "content" information. It is difficult to compare the data, as each provider reports in different ways. If you are interested, the reports from each provider are here: Microsoft, AWS and Google.
For example, Microsoft reported that for New Zealand it had a total of 12 criminal and emergency law enforcement requests in the most recent 12-month period for which it has reported. These requests resulted in no disclosure of content, and disclosure of non-content for 33% of the requests. It is unclear, however, whether these requests were made by New Zealand based parties (such as the New Zealand Police under the Search and Surveillance Act 2012), by offshore entities, or both.
The relatively small number of requests reported by Microsoft, AWS and Google may suggest that the risk of disclosure to non-New Zealand entities is in practice small (particularly when considering the very high number of customers those companies will together have).
It is also worth noting that there appears to be very limited disclosure of "content" vs "non-content". The definition of "non-content" varies between providers. Generally speaking, content refers to information that might actually be stored on the systems hosted/provided by the relevant vendor (eg information about a customer's own clients held on the customer's hosted systems). However, the definition of non-content is typically reasonably broad. It generally includes, at a minimum, personal information such as names, addresses, email addresses and billing information. Disclosure of "non-content" may therefore still include personal information of this nature.
With the impending opening of new data centres in New Zealand, it is worthwhile reflecting on the jurisdictional risks that may remain relevant, even for data stored in New Zealand. It is important to remember that using a New Zealand located data centre will not remove all jurisdictional risk if the owner or operator of the data centre is subject to offshore legislation, such as the CLOUD Act. This is something that may be worth drawing out through the procurement process so that the relevant agency can better identify and consider any risks.
There is no legal prohibition on New Zealand companies or public sector agencies storing data with providers who may be subject to foreign laws such as the CLOUD Act. However, if the information is particularly sensitive (for the public sector, assessed using the Protective Security Requirements classifications, and noting that only information classified as RESTRICTED or below should be stored in any public cloud service), the organisation may determine that it is more sensible for the information to be held in a location, and by a provider, to which only New Zealand laws will apply. At a minimum, it should consider and assess the risk that the information could be subject to a request under foreign laws.