One of the 6 principals of Māori Data Sovereignty refers to jurisdictional considerations, or the requirement to store Māori data in New Zealand when appropriate. Jurisdictional considerations for Māori Data should include Māori Data that is tapu (sacred or sensitive) including not limited to: genetic data, personal health data and other private data about individuals, data that Māori, hapū, iwi an hāpori Māori consider to be tapu.
This article will consider the jurisdictional sub principal in more detail. It will use as a base the recent media release and media articles in relation to the Microsoft New Zealand and Te Tumu Paeroa Māori Data Sovereignty initiative, which one article titled “Microsoft enters ‘groundbreaking’ Māori data sovereignty deal” and attracted some disinformation and confusion among some Māori data advocates.
In summary Te Tumu Paeroa publicly accessible data and land owners collective data that is accessible via login details that is currently in the cloud overseas and in New Zealand will be repatriated back to New Zealand servers using Azure Cloud which also has a Sovereign encryption key. Microsoft also agreed to allow customary Māori protocols and tikanga to be carried out according to media reports and personal correspondence.
At this stage, it is important to now consider that the Waitangi Tribunal’s updated 2023 WAI 2522 Report on the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) stated that Māori Data is a Taonga and subject to Māori Data Governance. The Microsoft and Te Tumu Paeroa case reflects that Māori Data is a Taonga by firstly allowing tikanga to be used and repatriation of Māori Data.
When we consider Māori repatriate mokomokai from international museums back to Te Papa, Māori are exercising sovereignty (Rangatiratanga) of the ancestral remains, while still being subject to New Zealand legislation and Te Papa governance. Once the identity of the mokomokai are associated with a marae, hapū or Iwi, they are then offered back to be disposed of in a culturally appropriate manner.
In both the Te Papa and Microsoft cases above, the same process have occurred with the repatriation of Māori Data that Te Tumu Paeroa is the kaitiaki of, by giving and respecting Māori Data Governance to Te Tumu Paeroa. It will make the transfer back to Māori/Iwi servers in the future when and if they are built a much easer task.
Despite the significance of the Microsoft deal with Te Tumu Paeroa, some Māori Data advocates were publicly dismissive (and belittling) that “this was not progress”, “this is not Māori Data Sovereignty” and some stated that “there were still jurisdictional issues such as the Cloud Repatriation Act, this is not Māori Data Sovereignty” as it requires and American owned company to comply with the USA governments requests to take down and share data.
Data hosting in international servers versus New Zealand.
We must first consider that Microsoft provide encryption and a sovereignty aspect to their cloud hosting, as do others including AWS.
Furthermore, in this podcast my colleague Gehan Gunasekara an associate professor in commercial law and I speak of Data Sovereignty and Māori Data Sovereignty and the reality of jurisdiction using the recent announcement of Microsoft and Te Tumu Paeroa Māori Data Sovereignty initiative as an example.
Interestingly we have both used Kim Dot Com, but I also use the Urewera Terrorist case as an example that Data Jurisdiction does not give full sovereignty. In addition and not mentioned in this podcast is that New Zealand is a party to a number of international treaties including the Budapest Convention on Cybercrime (while Māori were consulted including myself this is an international agreement), free trade agreements and a myriad of other legal instruments that the New Zealand government are bound by.
Law enforcement requests of Data
On the Microsoft web site they state:
Third-party sharing is the sharing or onward disclosure of data to third parties. Microsoft will only share data when authorized by the customer or required to do so by applicable law. Microsoft does not give any government (including law enforcement or other government entities) direct or unfettered access to customer data.
Looking at the data provided by Microsoft regarding law enforcement requests for July to December 2022 as an example of how minor this issue is:
Internationally, Microsoft received 24,738 Law order requests for international data, 769 requests resulting in a partial sharing of data, 15,012 of Disclosure of Only Subscriber/Transactional (Non-Content) Data and 5,760 requests declined.
In New Zealand, the statistics are very low with more requests being declined than accepted.
Among those requests were 9 Law Enforcement Requests for New Zealand, 15 for Accounts / Users Specified in Requests. There were 0 Requests Resulting in Disclosure of Content, 4 requests where some data was provided and 5 requests were declined for not meeting local requirements.
Or 0.0161694559% of all international requests in the 6 month period analysed above.
Amazon had 26, 972 requests with 117 requests from countries excluding the USA, France, Germany, India, Italy, Spain, Turkey, UK.
AWS had 954 requests with 80 requests from countries excluding the USA, France, Germany, India, Italy, Spain, Turkey, UK. Source
Though the accepted requests are not public, Amazon does make the following statements:
Does the CLOUD Act change how Amazon responds to requests?
No. The CLOUD Act amended the Stored Communications Act to clarify that the U.S. government may seek to require U.S.-based service providers to disclose data that is in their “possession, custody, or control” regardless of whether the data is located within or outside of the United States. The CLOUD Act does not change any of the legal and privacy protections that apply to law enforcement requests for data. Amazon continues to object to overbroad or otherwise inappropriate requests as a matter of course regardless of where data is located.How many requests resulted in the disclosure to the U.S. government of enterprise or government content data located outside the United States?
None.
Now if we look at the larger Telco Cloud Data providers in New Zealand with the same timeframe as Microsoft:
Spark had 1837 requests from more than 12 agencies. These resulted in 1101 requested information being supplied ; 321 requests were partially supplied information and 415 requests with no information supplied. Of the total requests made, most came from: New Zealand Police Ngā Pirihimana o Aotearoa: 1245 and Coronial Services Pūrongo o te Ao Kakarauri: 391.
I couldn’t find statistics for One NZ but their Privacy Policy is here. Likewise 2Degrees also do not appear to be transparent about requests, with their Privacy Policy here. Both policies acknowledge that your data will be shared with law enforcement agencies if requested.
There are no New Zealand Data Centres? MYTH
Another common myth I heard was the New Zealand only has one local data centre. This is factually incorrect. According to the international web site Data Centre Map, New Zealand has 52 public data centres.
New Zealand has many other local data servers that the public can rent server space, email/web hosting and a range of Software as a Service (SAS). These New Zealand owned and operated hosting providers offer both commercial hosting and Open Source. All three telecommunication providers above have data centres in New Zealand.
We also have many companies and government departments/agencies that have their own local servers for their own exclusive and internal usage.
For Māori, there are several organisations that are either 100% Māori owned or Māori directors are a majority, that offer New Zealand/Māori sovereignty servers and Cloud servers in New Zealand. Some marae are using these sovereign servers as archival repositories for their iwi and hapū. Another Māori owned company is offering a full block chain technology to Māori groups, again offering full sovereign servers.
These sovereign servers still use national and international Internet connections and are still subject to the laws of New Zealand and its international treaties.
Importance of Māori Data Sovereignty Disclosures
It is important that your web site and online presence contains a Māori Data Sovereignty Statement that also disclosures where your data is stored. Taiuru.Co.nz has statement is accessible from each page and is at https://taiuru.co.nz/maori-data-sovereignty-statement/ Noting we are currently migrating the entire site and data to a leased New Zealand server.
If you are not sure of the location of a web site that you use, you can type the web site name into the following web site and it will tell you the country and city. https://www.site24x7.com/tools/find-website-location.html
Conclusion
The principles of Māori Data Sovereignty are becoming more common in government, commercial contracts, academia and there is an increase in individuals and organisations who claim to be Māori Data Sovereignty experts and Māori Data Governance experts, yet many are not. For those who are not collectively well versed in Te Ao Māori, Data Governance and associated Internet technologies, their opinions can cause misinformation and halt progress of Te Ao Māori realising Māori Data Sovereignty.
Māori Data principles (noting there are several different sets) are aspirational and are a guide for Māori, hapū, Iwi and hāpori Māori to collaborate in partnership with data providers recognising the principles of Te Tiriti. Each collective group or kaitiaki of data should exercise their own rangatiratanga as Te Tumu Paeroa have according to the media articles.
It is up to Māori, hapū, Iwi and hāpori Māori to decide what data is tapu and must be treated with a higher threshold than other Māori Data and stored in, or repatriated to New Zealand.
We must use an holistic Māori worldview with Māori Data Sovereignty principles and recognised that using New Zealand owned data hosting providers and open source can be aspirational, yet not viable in all cases. The highest aspiration for Māori Data Sovereignty is using a fully owned Māori Data Hosting company in New Zealand with fully custom and owned severs. Though the later is technically not likely to occur in the foreseeable future.
While there are jurisdictional concerns with Māori Data, we will always be subject to some form of legal jurisdiction. Māori, hapū, Iwi and hāpori Māori need to decide if 0.01% possibility of data being shared with a law enforcement agency outweighs Māori Data Sovereignty principles and the costs and security offered by conglomerate cloud providers.
Leave a Reply