Last week, the Attorney-General’s Department revealed it had just no way of knowing whether the data stored as part of the mandatory data retention regime was actually being stored in Australia. One concerned constituent wrote to her local Senator, Eric Abetz, about this matter, and in a generalised response — where it is clear Abetz has sought advice from the department — Abetz talked about the current legislation rather than the data retention scheme, and said that not forcing companies to keep data in Australia was about “flexibility”:
“The Bill does not specify where or how data must be stored. The amendments support a risk-based approach to managing national security concerns to the telecommunications sector, while also retaining flexibility in decision making for industry.
The continually changing nature of this environment necessitates the need for industry to innovate and be flexible to support their changing needs and with minimal but sensible regulatory burden.”
ISP iiNet, back in the day when it was a company fighting for the interests of its customers rather than for TPG’s bottom line, suggested that if there were no restriction on where the data had to be stored, it would go for the cheapest option in China. At least now if there is a data breach they will have to inform us.