Soon Amazon, Microsoft, and Google will all offer their cloud services from huge new data centres in New Zealand. But choosing whether or not to go with the big guys won’t be straightforward for New Zealanders.
That’s not only because hyperscalers can cost more. It’s also because the biggest companies in the world are bringing more than their brands and products to our shores. They’ll also bring their legal obligations.
It’s time for New Zealand to have a serious conversation about the role overseas-owned cloud providers ought to play in our digital economy. But not everyone wants to tell the whole story.
Local businesses need to be clear-eyed about the ways that laws from different countries can apply in a single hosting relationship.
Take former Digital Economy Minister, David Clark, who welcomed Google's imminent New Zealand region by saying, "Onshore Cloud facilities give us stronger control of New Zealand’s data because it is held here, where our laws and protections apply”.
Google themselves were a little more cautious, saying that they “will help to address organisations’ increasing needs in the area of digital sovereignty”.
That’s not exactly a rock-solid pledge, but it's as much as Google and their peers can promise. Because while it’s true that New Zealand law applies to data centres located here, that’s far from the end of the story.
Server location is only one-third of the data sovereignty puzzle
When it comes to data, more than one country’s laws can apply at once. There are at least three different considerations:
The physical location of data or servers.
The nationality of the cloud service provider.
The nationality of the infrastructure provider.
All three collide if, for example, an American cloud provider (like Google) uses an Australian-owned infrastructure provider (like DCI) on New Zealand soil. No single set of national laws applies.
It’s not just us saying this. We may not be lawyers but the people at Dentons Kensington Swan are. And the way they see it, “United States-based tech companies are subject to the Clarifying Lawful Overseas Use of Data Act (known as the ‘CLOUD Act’), meaning US authorities can access data physically held by them in New Zealand”.
Over in Australia legal academics say that Australian law “has several potential extraterritorial effects. First, it allows for Australian law enforcement agencies to request or compel assistance from offshore DCPs”. DCPs are designated communications providers, including data centre operators.
True data sovereignty requires the absence of overseas law, not just the presence of New Zealand law. Moving an AWS server from California to Auckland adds New Zealand into the mix, but it doesn't take America out of it.
The legal obligations that overseas providers import into NZ
Amazon, Microsoft and Google operate under American law. This includes the USA’s CLOUD Act which, as Wikipedia puts it:
"Allows federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil." [Emphasis added]
The CLOUD Act applies to every AWS, Google Cloud and Azure server. Location is no protection from U.S. authorities. (If you don’t want to trust Wikipedia on that one, open the full text of the Act and look up Section 3(a)1.)
And it’s not just American law that’s being imported. If we can trust the Herald’s hints, Google Cloud’s NZ region will run out of a giant data centre being built by DCI. DCI, an Australian company, would bring in yet another legal thread. Applicable Australian law includes the Telecommunications and Other Legislation Amendment (Assistance and Access) 2018, or TOLA. This law “empower[s] law enforcement and national security agencies to request, or compel, assistance from telecommunications providers”.
An assessment by the Internet Society found that “TOLA allows for potential government access to critical customer data at any time”. The report predicted “reduced trust in digital services in Australia”.
Foreign-owned data centres and foreign-operated clouds are foreign no matter where they are. They’ve been subjecting New Zealanders’ data to overseas law for years, and that is not about to change.
The stories we’ve been told
The Vice President of Global Public Policy at AWS has blogged about the CLOUD Act. In amongst a bit of ducking and diving one claim stands out:
“Customers around the world can continue to use AWS in compliance with local laws.”
This makes it sound like you don’t need to worry about your data’s location. But when AWS announced their Auckland data centre, a use case that they stressed was to “run workloads and store data that must remain in-country”.
Okay, so sometimes you do need to worry about your data’s location. For some reason AWS didn’t want to talk about that before they had plans to host data here. How odd.
Even as the promises change, they don’t give the whole story. Talk of “compliance with local laws” is silent on foreign laws that would also apply.
It’s not just AWS, either. Google’s talk of “allowing Kiwi users to keep their data on-shore” and “adapt to changing regulatory conditions” glosses over the same issues. Microsoft is big on “data residency” but much quieter about data sovereignty.
True data protection comes with a truly local cloud
For New Zealanders the gold standard in data sovereignty would be a locally-owned cloud provider operating their own servers here in New Zealand. That’s exactly the service that we’re already providing to a number of clients, including Government agencies.
Our largest non-NZ data centre location is Sydney. Having DCs on either side of the Tasman (as back-up locations, for example) is usually a big plus. But we have implemented strict and total onshoring of data when customers need it. That keeps it out of the reach of overseas laws like TOLA or the CLOUD Act.
In all the excitement of huge brands arriving in New Zealand, let’s not forget that you already have a choice of fully local, enterprise-ready providers who can offer higher data sovereignty standards than any international company.
We’re proud to be a New Zealand-owned, New Zealand-operated, and New Zealand-located cloud provider. There aren’t many of us so we want to add our voice to others, like Catalyst Cloud, who are also doing good work here and offering genuinely local hosting.
Local beats hyperscale in other ways
While data sovereignty is a big issue, there are other reasons to think twice before you start hosting with AWS, Google, or Azure. That’s because there are some promises that only smaller, local providers can make.
When you go local, you can get service like bespoke advice from a team that listens, and fast technical support from people who know where you’re coming from. You build relationships and capacity within our country’s economically important and growing tech sector. You genuinely know who you’re dealing with.
True data sovereignty requires the absence of overseas law, not just the presence of New Zealand law. Moving an AWS server from California to Auckland adds New Zealand into the mix, but it doesn't take America out of it.
On the other hand, AWS has recently admitted that plenty of customers can get a better deal by hosting elsewhere. This came years after clever companies started leaving the cloud, pushed away by things like tricky cost management and petty fees. This is a story worth knowing, and you can get the short version from this summary podcast.
“The Cloud” has been in NZ for ages
When hyperscale data centres open here in New Zealand, they will discover a thriving local industry. They will have their uses, for sure, but they won’t solve data sovereignty worries - in fact they are more likely to create new legal knots.
There's still time for an important conversation about data sovereignty before AWS, Google and Microsoft fully arrive. Local businesses need to be clear-eyed about the ways that laws from different countries can apply in a single hosting relationship. Indigenous data sovereignty issues need to be better understood as well.
Be wary of predictions about international brands being “economic game-changers” just because they’ll have an Auckland address. New Zealand already has an impressive tech sector. Look at the strength and contribution of the companies that have grown here and you see fewer reasons to default to big international competitors.
Rather than wait for the big guys to open their doors, why not check in with us now? You might be surprised about the range of problems we can solve for you with genuine local know-how.