And there are concerns the schemes’ secrecy is compounded by the Home Affairs minister’s power to delete information in reports on the laws’ operation by the nation’s top integrity official before they are published.
In its submission to a parliamentary committee review of the 2018 laws, Vault Cloud said companies had chosen not to set up operations in Australia after the laws were passed.
“We have seen multinationals ‘blacklist’ Australia as a place to store data and, in some cases, that same company continues operations in China and Russia,” Vault Cloud’s chief executive Rupert Taylor-Price said.
The paucity of local operators means Australian companies are often forced to use overseas IT infrastructure.
“The impact for Australians is that their personal and sensitive data becomes less and less sovereign,” Mr Taylor-Price told The Herald and The Age. “That isn’t the intention of the law, but it is the unintended consequence.”
In its cyber security guidelines, the government warns that “outsourced information technology or cloud services located offshore may be subject to lawful and covert collection, without an organisation’s knowledge,” including by foreign powers.
It is not a requirement, Mr Taylor-Price said, for Australian companies to store Australians’ data here or in a way that prevents foreign governments from accessing it.
“Nearly every country has sovereign data requirements but Australia does not and it makes us a little odd,” he said.
In its own submission, the Department of Home Affairs denied Australia has become an unattractive destination for digital businesses because of the security laws.
International companies and investors “should have confidence that the legislation … does not, or indeed cannot, undermine the security of products and devices,” the department said.
Australia’s top integrity official, the Commonwealth Ombudsman, said the Home Affairs Minister’s power to delete information in Ombudsman reports on the laws’ operation should be ended to ensure greater transparency.
As minister, Peter Dutton has the unique power to delete information from Ombudsman reports on the encryption laws to protect ongoing investigations and the security agencies’ methods.
“This power is not available to a Minister in any other legislation under which the Ombudsman may issue a report and, in our view, is inconsistent with the Ombudsman’s role as an independent and impartial office,” Commonwealth Ombudsman Michael Manthorpe wrote in a submission to the inquiry.
Mr Manthorpe pointed to his office’s “unblemished” record when it came to publishing sensitive information, adding that it consults with agencies to avoid missteps and never reports on ongoing operations.
The Home Affairs Department submission warned against handing full reporting powers back to the Ombudsman but accepted there could be a way to compromise.
“The Department understands an alternative to the Minister’s redaction power may be to undertake conditional vetting between the Ombudsman and agencies prior to publication.”
Nick is a journalist for The Sydney Morning Herald.
Max is a journalist at The Sydney Morning Herald and The Age.