Regulators, Mount up!
We were asked last week if we were aware of the potential incoming regulations for ensuring GPS tracking data is kept onshore in Australia.
Before going nerdy on you all: ImmoTrack Online keeps all data in Australia, on local servers, managed by Australian Citizens. No data ever leaves Australian shores (or will ever leave).
But let’s talk about regulations. I personally spent 30 years in Cyber Security (which used to be called IT Security, then Information Security, and I’m sure there will be a new hype name to come in future). Industry regulations brought in by government are there to do one thing - set the minimum acceptable standards.
Or to put it another way, regulations are a floor, not a ceiling. The unfortunate reality is that unless a business views data privacy and sovereignty as core to their mission, they are unlikely to do it, and so regulations eventuate - usually a bit too late - to enforce some kind of minimum accepted standard. Whether those regulations come with any “teeth”, or ability to financially punish businesses for non-compliance, is another matter altogether.
And so, that leads us to the new Australian Security Standards for Smart Devices.
What does the regulation say?
For GPS trackers? It’s vague. The regulation is quite good for ensuring things in your house like Smart TVs and robot vacuums are kept up to date, that manufacturers can’t ignore security vulnerabilities if they are found by the Cyber Security industry (trust me, they’ll find them!), and that no devices ship with poor default passwords.
Anything to do with “road vehicles or road vehicle systems” is explicitly exempted from this standard, so as much as we would like to do the usual marketing of being compliant (notably, other GPS businesses are already doing this), there’s nothing to be compliant with.
What can consumers do?
The reality is that even with this new regulation, GPS tracking businesses in Australia are still relying on your trust. That includes us too, and the most we can do is repeat our statements about our beliefs and our mission.
Whether you choose to use our services or someone else’s, these are the questions you have every right to ask:
Is the service hosted in Australia?
Is the data stored in Australia (not just the backups, the day-to-day data!)?
Who manages the service? Is it managed in house or from overseas?
Does the service comply with the Australian Privacy Principles (APP)? Ask them to list how they comply with each of them - there are thirteen principles by the way!
Wait, Privacy Principles?
Ah yes, there is some good news here. For the moment, any business with less than 3 million AUD in yearly turnover does not have to comply with the principles, but this exemption is going to be phased out. Regardless, non-compliance “because they’re small” is no excuse. Ask your provider to comply, and if they don’t (or won’t), find someone else!