TPPA compromises NZ Data Sovereignty

Section 14.13.2 of the Trans-Pacific Partnership Agreement (TPPA) states:

No Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that territory

That is a surprisingly innocuous statement given its apparent profound implication. It suggests that no TPPA participating country may require that vendors it selects to hold sensitive data, be it government or citizen data held in trust by the government.

The term "covered person" specifically excludes financial institutions or (based on my interpretation) institutions holding "credit rating" information... It does not, however (again, by my interpretation) make an exception for sensitive data like personal health data or tax status.

Section 14.2.3(a) tempers this somewhat. It does exclude government procurement from this requirement:

"This Chapter shall not apply to: (a) government procurement;"

Again, it comes down to how the term "government procurement" is interpreted. Most cloud services do not trigger government procurement regulations due to their relatively low up-front cost. Similarly, many quasi governmental organisations, like Primary Health Organisations (PHOs), who hold sensitive patient records, may not be bound by this either.

The Australian government has long had a policy that all government and citizen data it holds in trust on behalf of the people of Australia must be held in IT infrastructure based in the Australian territorial jurisdiction. It would appear that Australia will have to abandon this very prudent policy if it signs onto the TPPA.

Sadly, New Zealand government has been very keen to allow storage of government and citizen data it holds in trust (e.g. the IRD's systems holding citizen taxpayer records) in commercial cloud computing facilities outside the NZ territorial jurisdiction.

The NZ government rationale for that has been the relative lack of NZ-based cloud providers, making that requirement cost prohibitive.

Now, however, a number of multinational and domestic cloud service vendors have infrastructure based here in NZ. The TPPA clause 14.13.2 would prohibit the NZ government for doing the sensible thing and tightening its data sovereignty policy to require that NZ government data, which could have national security implications, and the data it holds in trust on behalf of its constituents, NZ businesses and citizens, be held within the NZ territorial jurisdiction.

Ultimately, it all comes down to the specific interpretations of various terms, like "covered person", and one thing is certain: lawyers advising governments and businesses will be much much wealthier as a result of the TPPA. To my mind, that's a regression, not progress.