The New Zealand government is leaving its guidance on cloud computing unchanged after Australia passed a controversial law giving authorities power to access network and cloud-based information.
The Department of Internal Affairs (DIA) said its initial assessment of the Australian Assistance and Access Act is that the government chief digital officer’s guidance on managing jurisdictional risks stands "as is".
"Australian government agencies still require warrants and notifications to access data from cloud providers, as is the case in other countries," the DIA said.
"In addition, while there has been some commentary in the media that this legislation require cloud providers to introduce weakened encryption, the practical consequences of implementing this have yet to be well understood.
"For these reasons we don’t see that anything has changed at this time, but we will be working through this in more detail as part of the planned refresh of the guidance on managing jurisdictional risks this year."
Among other provisions, the Act requires tech companies to provide law enforcement and security agencies with access to encrypted communications.
The bill, which was opposed by global tech and cloud giants, provides for fines of up to $10 million for institutions and prison terms for individuals for failing to hand over data linked to suspected illegal activities.
Opponents of the law charged it was vaguely worded and open to abuse and would require carriers and other providers to build tools, or backdoors, to deliver access to law enforcement and security agencies.
It also potentially threatens New Zealand government and private data held in Australian data centres operated on behalf of major cloud providers such as Amazon Web Services and Microsoft.
New Zealand Privacy Commissioner John Edwards told Reseller News government agencies’ adoption of offshore-based cloud services was supported by a number of Cabinet decisions and the government chief digital officer.
"It is for the Department of Internal Affairs to revise and update any guidance and recommendations in light of this new law," he said.
Agencies that have migrated to data centres in Australia should also do their own assessment of the risks, as the commissioner had done.
"My office migrated to Microsoft’s Azure service in late 2018, storing our data in Microsoft’s data centres in Sydney," Edwards said. "We have considered the impact of the change in Australian law and have formed the view that it does not materially affect our risk.
"We continue to be satisfied with our current arrangement, which has provided significant efficiencies and benefits to our business."
Lowndes Jordan partner and technology and privacy specialist Rick Shera said, while he hadn’t looked at the Australian provisions in detail, he wasn't sure the Australian law was much different from New Zealand's new Telecommunications Interception Capability and Security Act (TICSA) in terms of central government review and approval of infrastructure change by network providers and in terms of interception access.
"It seems to me that the position with respect to over the top providers remains unclear on both sides of the ditch," he said. "Particularly with respect to requirements to decrypt.
"I can therefore understand DIA not wanting to depart from the status quo until there are some use cases under the new Australian legislation that they can assess."