Data Sovereignty: Why it matters for Australian companies

As cyber security becomes an increasing concern, data sovereignty and where companies host their data are more than a question of convenience. There are legal and technical considerations too.

What is Australian data sovereignty?

Data sovereignty refers to the jurisdictional or legal control that can be asserted over data because the data physically resides within a specific country. This is important for both regulatory reasons and data security, in particular when data is collected in one country but resides elsewhere.

For Australian companies, when you collect and store your data in Australia you fall under the jurisdiction of Australian laws, making it easier to manage, access, and protect your data.

Data sovereignty implies that data collected by Australian companies but then stored abroad may be subject to the other country's laws too. For this reason, Australian companies should understand that where they host their data is not just a question of cost and convenience; there are legal considerations too.

Due to the challenges of cyber security, Australian companies need to seriously consider their data sovereignty obligations.

Is data residency the same as data sovereignty?

Data sovereignty and data residency are terms that are often used interchangeably. This is incorrect: they are different, yet related, concepts.

Think of data residency as the "where" of your data and data sovereignty as the "who's in charge" of your data.

In other words, while data residency deals specifically with the physical location of data, data sovereignty extends beyond that to encompass the legal, regulatory, and jurisdictional aspects of data control and governance.

Data residency refers to the physical location of your data, and can be important for commercial or taxation purposes. When storing your data on a website or in the cloud, you should be aware of the physical location of that data, even if you are using an Australian hosting provider. Hosted data could be anything from website files, emails, business databases, to, most critically, personally identifiable customer information.

Can data reside abroad while complying with Australian data sovereignty?

Yes, Australian companies can comply with Australian data sovereignty if their data resides abroad. By establishing necessary legal agreements, data security measures, data ownership agreements and adherence to Australian data protection laws, businesses can balance their operational needs with data sovereignty compliance.

Laws and regulations pertaining to data storage in Australia

Some of the key regulations affecting data storage in Australia include:

  • Privacy Act 1988
    Governs how personal information should be managed.
  • Data Breach Notification Laws
    Require organisations to notify individuals affected in the case of a data breach.
  • Telecommunications (Interception and Access) Act 1979
    Explains how data can be lawfully accessed by government agencies.

By storing your data within Australia, you automatically align with these local regulations, thereby mitigating legal risks. If you store data elsewhere, you may be subject to the laws governing storage of that data in the jurisdiction or jurisdictions where it is stored.

If your data is stored locally but managed by a foreign provider, staff who reside in different jurisdictions may be able to access your data from overseas locations.

Who must comply with data sovereignty in Australia?

Government entities, financial institutions, healthcare providers, educational institutions, legal firms, and various types of organisations in Australia may be required to comply with data sovereignty laws. Even small businesses and startups should consider the benefits and requirements of local data storage and control.

Aboriginal data sovereignty in Australia

Aboriginal Data Sovereignty pertains to the rights of Aboriginal and Torres Strait Islander people to govern the collection, ownership, and application of their data.

Incorporating Aboriginal Data Sovereignty into corporate social responsibility initiatives can play a crucial role in promoting equitable relationships and improving outcomes for Indigenous communities.

Companies handling Indigenous data should understand their ethical obligations, which can extend beyond the standard Australian laws and may include principles of consent, privacy, and cultural sensitivity.

What are the other advantages of storing your data in Australia?

Apart from simplifying the adherence to local and national data sovereignty regulations, storing data within Australia comes with several other advantages:

Technical advantages and faster data access

Local data storage provides low latency, allowing quicker access to data, which is important for real-time processing. Australian providers operate locally, giving faster responses to issues, and may offer competitive service level agreements (SLAs) tailored for local businesses.

Legal safeguards

Data protection and privacy in Australia are governed by various Australian laws and regulations, including the Privacy Act 1988 and the Australian Privacy Principles (APPs), which safeguard personal information and data from unlawful access.

Compliance with cyber security protocols

Storing data outside of Australia may expose you to unfamiliar cyber security risks. Local hosting providers like Serversaurus can offer security solutions that align with Australian cyber security standards for your organisation’s ongoing compliance with cyber security protocols.

Easier accountability

Storing data locally in Australia streamlines auditing processes by providing better control, accessibility, and compliance with regulatory requirements.

Transparency and customer trust

Australians may be reluctant to engage services if they don’t trust that their details will be protected and stored within Australia. Local customers often feel more secure knowing their data resides under a legal framework they are familiar with.

Environmental benefits

Storing data closer to home reduces the energy used in data transmission, lessening your company’s carbon footprint. Storing your data with Serversaurus guarantees that all emissions relating to your data storage are fully carbon offset.

When can Australian businesses relax a little with data sovereignty?

Australian companies should always consider their data sovereignty obligations seriously. Under certain circumstances companies may be less concerned, such as when the company:

  1. only collects and uses data within Australia and does not transfer it internationally.
  2. operates exclusively within Australia and has no international customers or partners.
  3. doesn't handle any sensitive data, such as personal, healthcare or financial information.
  4. follows Australian data protection laws, such as the Privacy Act, and ensures data security within the country.
  5. utilises cloud services with data centres in Australia.
  6. has legal agreements and contracts with service providers and partners that specify data handling and storage policies.
  7. has conducted a thorough risk assessment to evaluate the sensitivity of data and potential impacts of data breaches.

A final thought for Australian companies and their data sovereignty

For Australian companies that do not have the financial resources or means to comply with Australian data sovereignty while their data resides abroad, hosting locally is the safest solution. By choosing to host your data locally, your company not only complies with Australian data sovereignty but also gains environmental, security and technical advantages.

Last updated March 7, 2024