On 28/1/19 14:52, Bernard Robertson-Dunn wrote:
> Suppose ADHA, who run My Health Record, wanted to use Akamai CDN
> services for all the usual reasons.
>
> Questions.
>
> Would Akamai have to use Australian servers to store the cached, static
> data? or could they use overseas servers?
>
> Would Akamai have to use edge servers in Australia? or could they use
> USA based edge servers?

No specific answers, sorry; but here's the publicly-provided information-base that enables answers to be developed:

1.  The Objects of the Privacy Act include:
http://www8.austlii.edu.au/au/legis/cth/consol_act/pa1988108/s2a.html
>(f) to facilitate the free flow of information across national borders while ensuring that the privacy of individuals is respected; and

The primacy of economics, and the secondary, mere constraint of a bit of respect for privacy, are cemented in, as with all OECD-derived d.p. laws.

Put another way, if an agency found it cheaper to export the data, the onus would be on proponents of national sovereignty to argue the case for it *not* to be exported.

And of course, even if such a discussion were ever held, there's no representation of the public interest in the room. (The OAIC doesn't have any right to be in the room, and is in any case an administering and facilitating agency, not a protector of the public interest).

2.  APP8
https://www.oaic.gov.au/individuals/privacy-fact-sheets/general/privacy-fact-sheet-17-australian-privacy-principles#australian-privacy-principle-8-cross-border-disclosure-of-personal-information

"take such steps as are reasonable in the circumstances"

"does not apply ... if [long list of loose and open-ended circumstances]"

A trainee lawyer could drive a bus through it.


3.  OAIC Guidelines on APP8
https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/chapter-8-app-8-cross-border-disclosure-of-personal-information

Expensive lawyers paid for out of the OAIC budget wrote over 6,000 words to assist aforesaid trainee lawyers to find said gaps of bus-width.


My short answer is that I reckon any agency can do absolutely anything it likes, without any risk even of it being in breach, let alone of any sanctions applying or retribution being taken. (IANAL, and I haven't wasted the time doing enough hard yards to remove "I reckon").


> What is the current status of USA law regarding USA companies having to hand over foreign data that they (the companies) store to their government?

AFAIK, few effective constraints apply to the assertions (under several laws) of US extra-territorial powers, which mean that the data doesn't even have to be in the US, merely in the possession of a US corporation.


--
Roger Clarke                            mailto:[email protected]
T: +61 2 6288 6916   http://www.xamax.com.au  http://www.rogerclarke.com

Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Visiting Professor in the Faculty of Law            University of N.S.W.
Visiting Professor in Computer Science    Australian National University
_______________________________________________
Link mailing list
[email protected]
http://mailman.anu.edu.au/mailman/listinfo/link