The Australian government can force companies to store your personal data in Australia, despite a clause in the Trans-Pacific Partnership saying otherwise.
Buried in the 6500 pages of the Trans-Pacific Partnership text released on Friday is a provision that, according to the Department of Foreign Affairs and Trade, is a commitment made by TPP countries not to impede cloud computing companies from delivering services in the signatory countries. The provision in the electronic commerce chapter means that countries that have signed the agreement must not prevent the flow of data across borders of TPP countries, and cannot force businesses to either buy storage or build local data centres for storing data created by their customers in that country.
This means that companies like Google and Microsoft do not need to keep the emails created and sent by Australians on Australian shores, for example, meaning vast swathes of Australians’ personal information can be held outside of Australia, subject to the laws of the country where the data is held.
But there are a few significant exceptions that mean the Australian government has some leeway to force companies to keep data in Australia. In its outline of the advantages of the TPP, the Department of Foreign Affairs and Trade acknowledges this requirement but maintains the personally controlled e-health record system the government is currently trying to roll out is exempt from the legislation. How exactly?
A spokesperson for DFAT told Crikey: “The [e-health] legislation is not affected by TPP commitments on the movement and storage of data because the TPP includes exceptions which allow parties to regulate to meet public policy objectives, such as privacy and health.”
Health Minister Sussan Ley recently announced a new revamped version of the e-health record system — called “My Health Record” — would be trialled in early 2016 in the Blue Mountains and in far north Queensland as an opt-out model in which patients’ records would be created unless they specifically said no.
Ley suggests the new system will give the patient complete, “open-source” access and control over their health data, and patients would be free to give it to “an app developer, to a dietitian, to a retailer and say how can you deliver the best health services for my needs?”
With all that wider access to confidential medical data, protections will need to be in place to ensure it isn’t mishandled.
Crikey understands that during the negotiations, Australia secured an exclusion for e-health records from the agreement, but there is a broad exception that means governments can continue to regulate the flow of data, and where data is stored, to “meet public policy objectives”. This means that if a government that had signed onto the TPP decided to introduce a law to retain health information or other data held by private companies on their citizens, the government would not be in breach of the TPP agreement.
Labor has not yet said whether it will back the TPP agreement. In the party’s platform, agreed to at its national conference in July, the party set out that it would require companies that want to hold Australian customers’ personal information overseas to first obtain the consent of those customers.
The Australian government is planning to introduce legislation that would require companies to report when they suffered a data breach. It was due to be passed this year, but there are only two and a half sitting weeks left. Attorney-General George Brandis said the legislation would be introduced this year but would not be passed until next year.