When our data is stored in Microsoft or Google's cloud, it's governed by the laws of those American companies. Plans are underway to change that
Listen
A ground breaking Māori data sovereignty deal is prompting tech and privacy experts to examine whether or not full data sovereignty is an achievable goal for New Zealand.
Te Tumu Paeroa, the Office of Māori Trustee, is in the process of transferring its data from offshore centres to one here in Aotearoa after the group reached a deal with tech giant Microsoft.
It's taken years of negotiations to achieve it, but it will ensure the way that data is used and treated is in line with Māori cultural values.
The owners of the data, not Microsoft, will hold the keys to the encryption of that information.
Dr Karaitiana Taiuru, an AI and data ethicist, says the deal with Microsoft will give the organisation autonomy over the data and ensure New Zealand law and Māori tikanga is front and centre.
"From a Te Ao Māori perspective we don't talk about ownership, we talk about guardianship, the kaitiaki of the data. If we talk about facial recognition technology, from a Western perspective that's your personal data but from a Te Ao Māori perspective that's collective.
"If I gave an organisation my DNA, that's not just me, that's all of my ancestors, all of my current family and all of my future family's DNA that I am providing," Taiuru says.
But he does think there needs to be some discussion to distinguish what data is collective and what is individual.
"For example, our health data should be our individual data. But then we should have the right to allow others to view our data."
But localising data storage doesn't necessarily guarantee that information will be better protected, according to one privacy expert.
Gehan Gunasekara, an associate professor in commercial law at the University of Auckland, says we need a better legal regime in this area.
"I often give Kim Dotcom as an example because people say that keeping the data in New Zealand will protect it, well in that case it didn't. His servers were in New Zealand and Hong Kong and the New Zealand servers were locked down because the FBI requested it, and everyone, including people who were completely innocent suddenly lost all of their photograph albums, their videos, everything," he says.
Through his research Gunasekara has found several "serious deficiencies" in Aotearoa's information privacy regulations that show our 2020 Privacy Act needs several updates to optimise data security and consumer privacy.
The Act currently provides what Gunasekara describes as a "very generous safe harbour" for cloud service providers.
"While [the provider] is processing the information, as long as it's not identifying people and using it for some completely unrelated purpose, it can process the data to make profit for itself like for example creating algorithms," he explains.
There's an Australian example of this, where a data brokerage holding details of supermarket spending habits used it to predict patterns that could suggest when a household was an 'empty nest' - and its owners might be ripe for targeted real estate pitches.
"I think the regime we have at the moment is very weak and the Privacy Act itself needs to be tightened."
Currently there's very limited capacity for organisations to store our online information in Aotearoa, which means they employ external providers like Microsoft and Google.
These cloud-based providers move data through their servers, which are international, and subsequently the way our information is managed becomes governed by the laws and regulations of the countries it's stored in.
"So we lose our sovereignty, and we also lose our ability to dictate or even have a say in what and how we want our data managed," says Dr Taiuru.
Check out how to listen to and follow The Detail here.
You can also stay up-to-date by liking us on Facebook or following us on Twitter.