Data Sovereignty: Facts & Furphies

There’s no doubt that cloud computing has helped shape the way modern organisations operate. While the widespread adoption of cloud systems has sped up decision-making and collaboration opportunities, it brings questions of ownership, security, and responsibility.

One of the more confusing aspects of these questions is the notion of data sovereignty.

SPOILER ALERT: unless you deal with government entities, there’s a good chance that data sovereignty is not a legal requirement for your organisation. For most businesses and NFPs, government agencies that require data sovereignty will ensure you know that it is an explicit requirement of your interactions before entering into any relationship.

What is data sovereignty?

Data sovereignty is the idea that data collected by an organisation can be subject to laws and governance structures not only of the nation where that information is stored but also of the nation that the storage provider hails from.

For example, an Australian organisation stores information using an American-owned cloud provider that owns a data centre in Ireland.

In this case, the data could be subject to the rules and laws of at least three countries – Australia, Ireland, and the USA.

Data sovereignty or data residency?

While they share a lot of similar provisions, some key differences between data sovereignty and data residency bear a moment’s scrutiny.

Data residency is the specific geographic location an organisation or government specifies that its data should be stored, often as a requirement of internal policies or industrial regulations.

Data sovereignty acknowledges that any physical location an organisation chooses to store its data is subject to that nation’s laws and the laws governing the storage provider.

The critical difference between the two terms is that data residency refers explicitly to a physical location. In contrast, data sovereignty relates to the legal systems to which the data may be subject because of its location and the various related organisations.

Data sovereignty implications

Should an organisation store data outside its home country, the third nation’s government can use legal measures such as subpoenas to access the user’s data – even if the information belongs to a foreign citizen. Moreover, the organisation that operates the cloud storage solution may also be subject to the legal system in the country it operates from.

Worldwide, there are already many examples of legislation that seek to regulate how businesses can handle data. These laws often control how and when organisations can transfer personal information outside the country. Examples include:

• the European Union’s General Data Protection Regulation (GDPR)
• the California Consumer Privacy Act (CCPA)
• the Personal Information Protection Law (PIPL) of the People’s Republic of China

Issues related to data sovereignty:

1. Lack of compliance requirements. Many organisations are under the impression that there is some compliance requirement to work solely with providers that support data sovereignty – but cannot point to specific laws or regulations that impact their area of operations.
2. The distinction between government and private organisations. Perhaps the most significant cause of confusion over data sovereignty stems from the requirements in place for government organisations. In Australia, government organisations are responsible for securing their sensitive data. The responsibility transfers to private organisations only if they work directly with government organisations as part of their information supply chain – and these issues are sure to be made explicit during any tender process a private organisation submits a tender for.
3. Confusion between data sovereignty and information safety. The issue of data sovereignty tends to distract from the overarching goal of cybersecurity – the implementation and management of resources to help support and enforce data security. Say one organisation focused solely on ensuring data sovereignty, while another was focused on hardening security for everyone, everywhere in their business. The first organisation would still be vulnerable to various information security risks. In contrast, sound cybersecurity policies would better position the second organisation to manage any potential data safety matters that may arise – even if they arise through an issue related to data sovereignty.
4. Distrust and avoidance of solutions that involve international staff. In some cases under the auspices of the GDPR, even benign operations such as updated personal details count as “data processing”. While international teams are held to the same standards as those employed locally, there is some confusion over whether this amounts to the same level of legal protection.

Myths about data sovereignty

Myth: making use of foreign staff breaches data sovereignty. Data sovereignty relates to the laws that apply where data is stored. Even when you use international staff – or have third-party contractors remotely accessing your information – it does not change the data’s location. Thus, it does not breach data sovereignty.

Myth: data sent to the cloud could be stored anywhere. Organisations subject to special data storage requirements are often concerned that if their data is “in the cloud,” there is no way of knowing the physical location where their information is stored. The fact is that your managed IT service provider should be able to tell you where all your data resides. Any information you hold in Australian data centres – and any staff that have access (including staff operating offshore) – are subject to Australian laws regarding data sovereignty and privacy.

What are the facts about data sovereignty?

As a provider of cloud services (both ours and from third parties), we do see some confusion over the role and responsibilities that data sovereignty plays in the way our clients need to handle their data. This situation puts us in an excellent position to examine data sovereignty myths to sort out fact from fiction.

REMINDER: if a government department requires data sovereignty from you, they will let you know before you start working together.

Fact: individual privacy is covered by Australian law. These laws include the Australia Privacy Act (1988), the Enhancing Privacy Protection amendment (2012), and the Notifiable Data Breaches amendment (2017). However, the emphasis of the first Act is “to protect the privacy of individuals”. The term “data sovereignty” is not mentioned once in any of these pieces of legislation.

Fact: Australian businesses should know where their data is generated, collected, and stored. This requirement is because different countries may have different laws regarding data sovereignty than others. The nation where your data is collected and held will be subject to the laws of that country.

The only element of the Acts related to the data sovereignty concept we could find was Chapter 8 of the Australian Privacy Principles, which relates to cross-border disclosure of personal information.

‘The framework generally requires an APP entity to ensure that an overseas recipient will handle an individual’s personal information per the APPs and makes the APP entity accountable if the overseas recipient mishandles the info.’

But nowhere does it require data kept in Australia. And there’s no legal difference in how the AAPs are to be treated – even when they’re third-party contractors.

Fact: government organisations are already taking action related to data sovereignty. It’s true that the Australian government, like many around the world, are trying to develop legislative frameworks that enable and support the security of their sensitive information. According to the Australian Digital Transformation Agency (DTA), a new whole-of-government hosting strategy would help ensure that government data and digital infrastructure would enable “a world-leading digital government for the benefit of all Australians.”

As part of this strategy, the DTA has set up a new Digital Infrastructure Service (DIS) to “reduce data sovereignty, ownership and supply chain risks.” The solutions under consideration include the following:

• Certification of facilities that meet the standards required to house protected government data.
• Helping agencies assess internal risk tolerance and implement appropriate data controls.

Some solution providers already offer data management products that tackle data sovereignty and residency issues. However, these solutions are not designed for organisations that do not have legal requirements directly related to data sovereignty.

Fact: keeping data in Australia can help maintain legal certainty around data sovereignty. If there is a data breach, Australian-based companies that keep their data onshore can receive breach notifications and legal protections by Australian laws. If working internationally, reviewing the rules of the country you’re operating in is essential. While the laws governing the UK, USA, and parts of the EU are usually deemed compliant, their rules regarding sovereignty and security do differ from those applied under Australian law.

Working with government

Generally speaking, if an organisation wants to work for a public organisation, it must submit a tender for the specific project. In the past, defence-related tenders would also require a specific form (around 200 pages long) that declared that the organisation in question was fit to work with defence organisations. This form was required even if the project in question was only tangentially related to defence, such as garden maintenance or fixing fence posts.

Today, contractors wishing to work with defence-related organisations can apply for security vetting through the Defence Industry Security Program (DISP). This program aims to help organisations understand and manage security risks while providing government entities with a sense of confidence and assurance when procuring goods and services from vetted industry members.

Essentially, DISP helps cut the red tape around becoming a part of the defence industry supply chain. However, only one requirement currently included in the Defence Security Principles Framework (DSPF) relates to data sovereignty.

Under the “Offshore and Cloud Based Computing” section, the DISP states: “Offshore and cloud based Defence information is only hosted by cloud service providers on the ‘Certified Cloud Services List’ who have been evaluated and certified by the Australian Signals Directorate.”

The rationale behind this statement is:

• Many Defence and Defence Industry personnel require secure access to information systems and electronic devices for work purposes.
• Information stored offshore or in a cloud-based environment can be “subject to greater security risks” than data stored “…in Defence or Defence Industry controlled systems and environments.”

And here, we get to the first mention of this article’s topic. As stated by the Defence Industry Security Program, the outcome of these measures is to ensure that: “Technical security and business risks are managed effectively throughout each information system’s life cycle. These include issues of privacy, data ownership and data sovereignty.”

What steps should you take to ensure data sovereignty?

1. Find out what laws apply to your industry
2. Examine internal policies to see what measures your organisation requires
3. Audit your IT environment to see how your data is processed and stored.
4. Talk with your IT provider to ensure your information receives security support that meets your requirements.

Where can you find relevant sources?

Other than the privacy legislation mentioned above, you can find the majority of the relevant information on data sovereignty in the Australian Cyber Security Centre’s (ACSC) Information Security Manual.