Revelations about surveillance activities by the National Security Agency (NSA) in the US may fuel fears among Australian businesses about offshoring data, according to privacy advocates.
"The arguments about data sovereignty have certainly been fired up again ... but it was always there," said Malcolm Crompton, a former Australian Privacy Commissioner who is now managing director of Information Integrity Solutions.
Recent reports have revealed the NSA, under a program called PRISM, is engaged in two types of data collection activities. First, the agency is collecting metadata about US phone calls, which includes information about a call--including time, duration and location--but not the content of the call itself.
Second, and perhaps more directly concerning to Australian businesses, the NSA is collecting data on Internet traffic from major American cloud companies including Google and Microsoft.
"We've always known about these risks--none of these are new," said Crompton, citing a 2009 report in The New York Review of Books that the NSA was building a massive data centre to collect information. "Now we just have more evidence that they're collecting everything."
There had already been a fear that the US government could invoke the Patriot Act to collect Australian data hosted by American cloud providers, according to Civil Liberties Australia director, Tim Vines.
The reports about the US government's surveillance activities reveal "that in many instances it appears that these large cloud services have actually been willing to pass on information or to at least make available some of its users' content to these agencies with minimal scrutiny," he said.
"It certainly reinforces the existing concern that Australian companies had about hosting data in the United States where they felt that information could be accessible or handed over to the US government," he said.
However, Australian businesses should carefully consider their situation before cutting ties with American cloud providers, said Vines.
"There's certainly enormous capability and enormous potential in this PRISM scheme for invading privacy and for collecting huge amounts of data. Is it worth a company that is heavily service-based or on cloud services now jumping ship? I think it's going to be up for each company to decide, and they're going to have to go back and look at their risk management plan and how they handle client information."
"If they have very sensitive commercial information, they may not want to host it in the cloud," he said.
"Of course you need to do a risk assessment about offshoring data," said Crompton. However, believing that "going to America is dangerous and leaving it here is safe is a very, very poor assumption."
Even before news broke about PRISM, Australia had been debating collection of phone call metadata in the ongoing data retention inquiry in the Joint Parliamentary Committee on Intelligence and Security.