20 July, 2023
By Charlotte Weston
The ownership and management of personal data is a hot topic, but what does data sovereignty mean? Data sovereignty is the idea that data are subject to the laws and governance structures of the country where they are collected. So data collected by New Zealand organisations on New Zealanders should be subject to New Zealand laws.
However, this is not always the case. When foreign-owned cloud providers such as Amazon Web Services and Microsoft’s Azure build data centres in New Zealand, the data stored on their clouds are subject to the US CLOUD Act. This means Amazon or Microsoft can be required to hand over New Zealand data to US authorities, even though the cloud facilities are physically located in New Zealand.
"Only providers that operate entirely with New Zealand cannot be forced to hand over data to other countries, under laws from those other countries,” says David Zanetti, Chief Technology Officer at Catalyst Cloud. “It's more than just keeping data local, it's about your entire supply chain for Digital and Data services. Without that certainty, you can never be sure of compliance with important New Zealand laws such as the Privacy Act."
Data sovereignty helps organisations fulfil their legal responsibility to protect the privacy of their customers and users, as well as looking after the data necessary for business and government operations.
Crucially, data is a taonga. Data sovereignty is especially important for Māori data governance, for greater control and improving outcomes for Māori. “Good data practices and policies are crucial for achieving resilient and sustainable data systems that people can trust and benefit from.” (From the Māori Data Governance model, Te Kāhui Raraunga.)
For example, in 2019 the Department of Conservation agreed to remove the kākāpo genome from Amazon cloud servers in Sydney, and move it back to a New Zealand database. The genome is considered a taonga that should be protected and held in Aotearoa.
Indigenous data sovereignty asserts authority over Indigenous data, regardless of where the data is kept. “In terms of moving to a place of Māori data sovereignty, the first step is to make sure that data is stored in New Zealand legal jurisdiction only,” says Chris Cormack, Kaihuawaere Matihiko at Catalyst.
The exploitative and extractive practices of big technology companies has been called into question numerous times, and the rise of surveillance capitalism and the attention economy highlights the government’s obligations to actively protect Māori (and all New Zealanders) from unethical corporate practices. Keeping New Zealand data under New Zealand law is a critical step towards a resilient and trustworthy data system and upholding te Tiriti.
Further to concerns about privacy, security, and resilience is the economic factor. Using local companies means vital spend in the New Zealand economy, rather than pouring billions into offshore companies that may not even pay tax in New Zealand.
"Agencies are reluctant to talk about this as they feel good data governance are the only concerns that New Zealand law raises, and they have no obligation to consider larger issues about the use or access to data,” Zanetti says. “However, all the good intent by themselves can be undone by their suppliers, and by ignoring the risk posed by service supply chains, they are cutting corners that put your data at significant risk."
When choosing a cloud provider, consider if your data, and that of your customers and constituents, is better protected on home soil and subject to local regulations. The good news is, there is an excellent, Government-approved, local option. Catalyst Cloud is owned, operated, and controlled by New Zealanders.
"Using Catalyst Cloud services is the only clear way to ensure that NZ law applies to your data and applications, the only clear way,” says Hiria Te Rangi – Co-Founder, Tumu Labs. “Use Catalyst Cloud services if you want to be absolutely sure of where you stand."
Catalyst Cloud and the Department of Internal Affairs reached an all-of-Government Cloud Framework agreement last year, making Catalyst Cloud the first locally-owned cloud provider approved for Government agencies. Previously the only options under the Cloud First policy were Amazon Web Services and Microsoft Azure, which are both owned and operated offshore, even though they now have some servers located in New Zealand.
This important move means local cloud storage options are more accessible to public agencies and more progress towards resilient, secure, and locally-controlled storage of New Zealand data.