The 2012 policy on how public agencies should use the cloud has been quietly refreshed.
A Cabinet paper from the Government Communications Security Bureau Minister Andrew Little and Digital Economy Minister Ginny Andersen was released without fanfare on the Department of Internal Affairs website in May.
It shows the Government intends to take Māori data sovereignty more seriously but thinks concerns about the legal jurisdictional risk of storing New Zealand data in servers owned by American companies are “overstated”.
“Any jurisdictional risk needs to be considered alongside other risks and benefits relating to cloud. Using cloud services presents productivity, digital and service transformation, cost, and enables cyber security benefits,” the ministers wrote.
“Changes since 2017 have prompted us to review our position on jurisdictional risk, including major hyperscale providers building onshore capabilities in New Zealand, legal changes in some jurisdictions that New Zealand agencies use cloud services from, and a less benign geopolitical environment.”
As it stands, only data up to the restricted classification level can be stored in cloud services. Under the new policy restricted data will be moved to onshore cloud centres.
“The Cloud First policy, first introduced in 2012, has been refreshed to reflect the world we live in, and the construction of a number of onshore data centres. It allows agencies to use world-class local and international technology to benefit New Zealanders,” Andersen told Newsroom in a statement.
“A significant change is an explicit inclusion of consideration of Māori interests and expectations in the use of Cloud. It also addresses questions of how agencies can keep your data safe. All government cloud providers have to meet very high standards of security. While there are laws in place which would allow a foreign government to request information from a cloud provider, the circumstances this would happen are very limited, tightly prescribed and generally related to fighting crime.”
A spokesperson for Microsoft, which recently agreed a memorandum of understanding with the Government, welcomed the policy.
“New Zealand has been one of the countries that identified early on cloud technology as a scalable, secure and cost-efficient way to deploy IT services. We see this recent refresh of Government’s cloud-first policy as strengthening the role of Government Chief Digital Officer to help agencies navigate complexity of technical or legal aspects of the cloud and accelerate digital transformation across the ecosystem,” they said.
“We also believe this foundational policy will be ever more important in view of recent breakthroughs in artificial intelligence creating opportunities for the NZ Government to leapfrog and deliver world-class public services to Kiwis. We look forward to continuing to share our cloud and AI policy expertise as well as exploring together how responsible AI deployment can transform Aotearoa in the years to come.”
One long-time advocate of domestic cloud capability says the new policy will cement the advantage that American companies have over Kiwi providers.
Doug Dixon is the former chief executive of the New Zealand company Catalyst Cloud – one of three companies that can currently be used as a cloud service by the government, alongside Microsoft and Amazon’s AWS.
He said the downplaying of jurisdictional risk will result in New Zealand companies being butted off the scene.
“The policy is more of the same, in some ways. And, unfortunately, the way that it’s framed, it means US cloud only. It’s sort of an America first policy, unfortunately. That’s the way it reads and actually that’s how it works in practice – ever since the first Cloud First policy came out, it handed over the industry to the big tech giants,” he said.
“You’ve already got a situation where there’s a foothold and a dominance of the US cloud providers and that’s only getting stronger. The only real chance for local providers was if jurisdictional risk was: A. Taken into account and B. Taken seriously. But what you can see from this new policy is a pretty clear ‘don’t look here’. It’s basically a wink to say, ‘Guys, having US data centres in the country is good enough for us’.”
He said this approach filtered through to the “disappointing” references to Māori data sovereignty.
“I see that as the common missed opportunity, which is Māori data, in order to be governed under Te Tiriti o Waitangi, would need to be under New Zealand’s exclusive legal jurisdiction. That’s the thing that ties all of this together.”
The concern was heightened when the US passed its Cloud Act in 2018, which asserts jurisdiction over data stored in a data centre anywhere in the world, as long as the company that owns the centre is American.
“The United States is renowned for this: It passes laws which it argues have international effect. In a sense, it tries to enforce its laws in other jurisdictions simply because the entity, in this case Microsoft, might have some sort of connection to the United States,” Rick Shera, an IT law expert and partner at the law firm Lowndes Jordan, told Newsroom when Microsoft announced its data centre here in 2020.
The policy will include guidance on handling Māori data, including linking to a third-party perspective which express a preference that Māori data be stored onshore and requiring agencies to consider the principles of “accountability, ethics, transparency and collaboration” when making decisions with Māori data.
Karaitiana Taiuru, a Māori data expert and long-time commentator on data sovereignty, said the new cloud policy looked like an improvement but was “still quite lacking in substance. I’m used to seeing these documents talking about consultation, and they’ll do this and do that, but it usually never happens”.
The timeframe was too short, too, he added. The document says an announcement would come in the second quarter of this year.
“The timeline that they’ve proposed […] is not achievable. You can’t have genuine consultation in that period of time. I’m involved in a number of Māori groups, and we haven’t been consulted or this hasn’t been brought up with us,” he said.
“There needs to be an acknowledgement that Māori data is a taonga as declared by the Waitangi Tribunal and I think there needs to be clear agreement on what Māori data sovereignty is and how it will be implemented before they enact anything.”