A Canberra-based tech company has warned international organisations are pulling their data out of Australia over fears encryption-busting laws passed late last year have weakened data security.
Vault, which is certified by the Australian Signals Directorate to hold protected government information, said companies were blacklisting Australian data centres, even choosing China or Russia over local options.
Meanwhile, global tech company Amazon, whose web services division recently signed a whole-of-government agreement to host government data, warned that ways to access otherwise encrypted data were detrimental to data security.
Vault's chief executive Rupert Taylor-Price said the company had been "materially and detrimentally" affected by the laws, which have increased the "perceived compliance burden of the jurisdiction".
"We are currently seeing an exodus of data from Australia including physical, operational and legal sovereignty," he said.
The legislation, introduced last year, allows Australian law enforcement agencies to access data sent on encrypted channels.
Before the laws were passed in December, Home Affairs Minister Peter Dutton said they were necessary to combat serious crimes like terrorism and child sex offences.
Amazon and Vault have told a review by the powerful Parliamentary Joint Committee on Intelligence and Security there was a need to increase trust that the legislation would not weaken data security.
"Data cannot be made more secure by introducing any security vulnerability into a technology system," Amazon's submission said.
"Deliberately creating for one party a means of access to otherwise secure data will create weaknesses and vulnerabilities that, regardless of any good intentions, creates the opportunity for other actors - including malicious ones - to access that same data."
Mr Taylor-Price's submission said data moved offshore circumvented the intention of the legislation by storing data where Australian authorities could have no access, even though that data could still be used to provide services to Australian governments and citizens.
Vault recommended the government enact "data sovereignty" laws requiring that information stored for the public sector in Australia be subject only to Australian laws and that government agencies favour Australian-based data centres.
"Mandating Australian cloud infrastructure sovereignty requirements is an important step in safeguarding overseas countries accessing sensitive government information.
"Unless a government cloud is fully Australian-owned and operated it can be subject to the laws of other countries, opening Australia up to cyber-terrorism and extreme security threat opportunities," the submission said.
Amazon Web Services, which operates in 29 countries, said technology service providers should be able to defend a decision not to comply with a notice if what the provider is asked to do would break laws in another jurisdiction.
Amazon said notices issued to providers should be signed off by a judge, rather than public servants or the Attorney-General.