Send Link mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://mailman.anu.edu.au/mailman/listinfo/link
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Link digest..."


Today's Topics:

   1. Outsourcing as an end-run around privacy laws? (Craig Sanders)
   2. America orders diplomats to fight data sovereignty
      initiatives (Stephen Loosley)


----------------------------------------------------------------------

Message: 1
Date: Thu, 26 Feb 2026 17:11:00 +1100
From: Craig Sanders <[email protected]>
To: [email protected]
Subject: [LINK] Outsourcing as an end-run around privacy laws?
Message-ID: <[email protected]>
Content-Type: text/plain; charset=utf-8

Anyone know if any research has been done on the effects of outsourcing on
privacy?  Has the ombudsman looked into it? Any government enquiries?

It seems that every entity - businesses, NGOs, and governments - that you
interact with in any way requires or at least encourages you to use some third
party web sites or, worse, apps which all collect a lot of personal data.
With T&C and "privacy policies" that can change unilaterally at any moment
(but which basically all say "we can do whatever we want with your data, and
share it with whomever we want")

And all of them use your name and phone number as primary keys, so your data
across all of these entities can be easily matched and consolidated.


I'm particularly concerned about the privacy impact for medical and health
data.  Almost every GP nowadays is outsourcing appointments and SMS reminders
to companies like Hot Doc and patient questionnaires to sites like Better
Consult.  Each of which has, of course, their own T&C and their own privacy
policy.


Even the Royal Melbourne Hospital has a third-party site called Health Hub,
for managing appointments AND providing access to test results and other
patient records.  Health Hub is apparently owned jointly by RMH (Melbourne
Health), Peter MacCallum Cancer Centre, The Royal Children's Hospital, Royal
Women's Hospital and Parkville Youth Mental Health & Wellbeing Service, and
maybe others...but still a separate legal entity.

Health Hub is particularly worrisome because there are two especially
egregious clauses in their T&C.  The first is that you have to absolve
Health Hub and the participating health services of any responsibility or
liability for any leak or misuse of your data.  The second is that you have
to **indemnify** them for any leak or misuse.

https://health-hub.org.au/Health-Hub/Authentication/Login/StandardFile?option=TermsAndConditions

W.T.A.F.?  Not only absolve them of liability (which is bad enough) but also
indemnify them!

They SMS spam you about signing up to Health Hub for every appointment. I've
never logged in (and never will, with terms like those)....but I don't know
and have no way of knowing if my medical records are being pre-emptively sent
to HH without my consent, or if HH has any access to my medical records stored
on RMH's systems.

To make matters worse, Health Hub is further outsourced to US medical software
company Epic Systems Corporation and runs on US servers with data stored in
the US.  Epic claim to care about patient privacy - which may or may not be
true, but it's difficult not to remember that Exxon Mobil claim to care about
the environment too.  Corporations lie all the time, they can not be trusted.


How, exactly, is a patient (or customer, or client, or citizen) supposed to
keep track of all these ever-changing terms and conditions and policies in
order to give any kind of informed consent to the sharing of their data?

What actual recourse do we have if our personal information is leaked or
misused, or if it is stored on servers outside of Australian jurisdiction?



My attitude is Just Say No. I don't (and won't) login to these sites, I don't
click on links sent to me via email or SMS. I instruct my GP and RMH not
to share my personal info to these or any other third-parties (but this has no
effect, they still share my data anyway - at minimum, PII including my name
and phone number).

I complained recently to my GP about them giving my name, phone number, and
appointment details to Hot Doc.  They claimed that only happened because I
gave them permission because it is "impossible" to get SMS reminders from Hot
Doc without me first agreeing and giving them some 6 digit code to authorise
it.  Which would be kind of OK, I guess, except THAT NEVER ACTUALLY HAPPENED.

I just started getting SMS appt reminders from Hot Doc several years ago.

They didn't ask for my permission, I was never asked to login and generate an
authorisation code, I was never even informed about it in advance.  And if
they had ever asked for my permission, I would have refused because it's not
the kind of thing I would ever agree to - I don't want my information to be
shared with third parties.

My guess is that Hot Doc asked for and received a list of their patients' names
and phone numbers, or they asked for direct access to the clinic's patient
management system, or there's a button (or automatic export feature) in the
clinic's management software to send appt details to Hot Doc for them to send
an SMS.



------------------------------

Message: 2
Date: Thu, 26 Feb 2026 21:05:38 +1030
From: Stephen Loosley <[email protected]>
To: "link" <[email protected]>
Subject: [LINK] America orders diplomats to fight data sovereignty
        initiatives
Message-ID: <[email protected]>
Content-Type: text/plain; charset="UTF-8"

Exclusive: US orders diplomats to fight data sovereignty initiatives

By Raphael Satter and Alexandra Alper February 25, 2026 Updated 11 hours ago
https://www.reuters.com/sustainability/boards-policy-regulation/us-orders-diplomats-fight-data-sovereignty-initiatives-2026-02-25/


Summary

Trump administration opposes foreign data sovereignty laws
Rubio's cable criticizes GDPR as burdensome
Europe wary of US tech firms' data practices


WASHINGTON, Feb 25 (Reuters) - President Donald Trump's administration has 
ordered U.S. diplomats to lobby against attempts to regulate U.S. tech 
companies' handling of foreigners' data, saying in an internal diplomatic cable 
seen by Reuters that such efforts could interfere with artificial 
intelligence-related services.

Experts say the move signals the Trump administration is reverting to a more 
confrontational approach as some foreign countries seek limits around how 
Silicon Valley firms process and store their citizens' personal information - 
initiatives often described as "data sovereignty" or "data localization."

In the State Department cable, dated February 18 and signed by U.S. Secretary 
of State Marco Rubio, the agency said such laws would "disrupt global data 
flows, increase costs and cybersecurity risks, limit Artificial Intelligence 
(AI) and cloud services, and expand government control in ways that can 
undermine civil liberties and enable censorship."

The cable said the Trump administration was pushing for "a more assertive 
international data policy" and that diplomats should "counter unnecessarily 
burdensome regulations, such as data localization mandates."

The State Department did not provide comment on the cable. However, it said the 
U.S. strongly supports cross-border data flows that promote growth and 
innovation while protecting privacy, safety, and free expression and stands 
ready to partner with countries that share those goals.

"We seek to counter unnecessarily burdensome regulations, such as data 
localization mandates," it added.

Data sovereignty initiatives have gathered pace, particularly in Europe, as 
tensions have flared between the U.S. and the European Union over Washington's 
protectionist trade policies and support for far-right political parties.

The dominance of U.S. artificial intelligence companies - many of which draw on 
massive stores of personal data to power their models - has underlined European 
concerns around privacy and surveillance. Officials across the continent have 
increased pressure on American social media giants, too.

Bert Hubert, a Dutch cloud computing expert and former member of the board that 
regulates the Dutch intelligence services, said Europe's increasing wariness of 
America's tech companies may be spurring Washington to take a more aggressive 
tack.

"Where the previous administration attempted to woo European customers, the 
current one is demanding that Europeans disregard their own data privacy 
regulations that could hinder American business," he said.

'UNNECESSARILY BURDENSOME'

Data sovereignty laws vary in scope. Some impose rules around where information 
is kept by requiring that data collected from a certain nation only be stored 
within that country. Others put restrictions around how data is shared, 
limiting its distribution to foreign companies. The European Union's 2018 
General Data Protection Regulation (GDPR), for example, imposed restrictions on 
transferring Europeans' data abroad and has led to a series of stiff fines on 
American tech firms.

Rubio's cable cited GDPR as an example of a rule that imposed "unnecessarily 
burdensome data processing restrictions and cross-border data flow 
requirements."

It also said China was "bundling enticing technology infrastructure projects 
with restrictive data policies that expand its global influence and access to 
international data for surveillance and strategic leverage." The cable did not 
provide much more detail, but China has over the past few years tightened 
regulations over how its companies store and transfer user data.

The Chinese Embassy in Washington said it was not familiar with the cable but 
that Beijing "has always attached great importance to cybersecurity and data 
security." The European Commission in Washington did not respond to a request 
for comment.

The cable, whose headline described it as an "action request", tasked American 
diplomats with tracking the development of proposals to restrict cross-border 
data flows and supplied talking points promoting the Global Cross-Border 
Privacy Rules Forum, a group established in 2022 by the United States, Mexico, 
Canada, Australia, Japan, and others "to support the free flow of data and 
effective data protection and privacy globally." The Forum did not respond to 
requests for comment.

The cable is the latest in a series of initiatives aimed at thwarting European 
regulation of the digital sphere.

Last year, Rubio ordered diplomats to whip up opposition to the EU's Digital 
Services Act, which aims to make the internet safer by compelling major social 
media firms to remove illegal content, such as extremist or child sexual abuse 
material. Last week, Reuters reported that the United States planned to launch 
an online portal intended to help Europeans and others bypass the censorship of 
material including alleged hate speech and terrorist propaganda.


Reporting by Raphael Satter; Editing by Stephen Coates and David Gregorio

---



------------------------------

End of Link Digest, Vol 399, Issue 27
*************************************
