There’s no doubt that cloud computing has helped shape the way modern organisations operate. While the widespread adoption of cloud systems has sped up decision-making and collaboration opportunities, it brings questions of ownership, security, and responsibility.
One of the more confusing aspects of these questions is the notion of data sovereignty.
SPOILER ALERT: unless you deal with government entities, there’s a good chance that data sovereignty is not a legal requirement for your organisation. For most businesses and NFPs, government agencies that require data sovereignty will ensure you know that it is an explicit requirement of your interactions before entering into any relationship.
Data sovereignty is the idea that data collected by an organisation can be subject to laws and governance structures not only of the nation where that information is stored but also of the nation that the storage provider hails from.
For example, consider an Australian organisation that stores information using an American-owned cloud provider that owns a data centre in Ireland.
In this case, the data could be subject to the rules and laws of at least three countries – Australia, Ireland, and the USA.
While they share a lot of similar provisions, some key differences between data sovereignty and data residency bear a moment’s scrutiny.
Data residency is the specific geographic location where an organisation or government specifies that its data should be stored, often as a requirement of internal policies or industrial regulations.
Data sovereignty acknowledges that any physical location an organisation chooses to store its data is subject to that nation’s laws and the laws governing the storage provider.
The critical difference between the two terms is that data residency refers explicitly to a physical location. In contrast, data sovereignty relates to the legal systems to which the data may be subject because of its location and the various related organisations.
Should an organisation store data outside its home country, the third nation’s government can use legal measures such as subpoenas to access the user’s data – even if the information belongs to a foreign citizen. Moreover, the organisation that operates the cloud storage solution may also be subject to the legal system in the country it operates from.
Worldwide, there are already many examples of legislation that seek to regulate how businesses can handle data. These laws often control how and when organisations can transfer personal information outside the country. Examples include:
Myth: making use of foreign staff breaches data sovereignty. Data sovereignty relates to the laws that apply where data is stored. Even when you use international staff – or have third-party contractors remotely accessing your information – it does not change the data’s location. Thus, it does not breach data sovereignty.
Myth: data sent to the cloud could be stored anywhere. Organisations subject to special data storage requirements are often concerned that if their data is “in the cloud,” there is no way of knowing the physical location where their information is stored. The fact is that your managed IT service provider should be able to tell you where all your data resides. Any information you hold in Australian data centres – and any staff that have access (including staff operating offshore) – are subject to Australian laws regarding data sovereignty and privacy.
As a provider of cloud services (both ours and from third parties), we do see some confusion over the role and responsibilities that data sovereignty plays in the way our clients need to handle their data. This situation puts us in an excellent position to examine data sovereignty myths to sort out fact from fiction.
REMINDER: if a government department requires data sovereignty from you, they will let you know before you start working together.
Fact: individual privacy is covered by Australian law. These laws include the Australia Privacy Act (1988), the Enhancing Privacy Protection amendment (2012), and the Notifiable Data Breaches amendment (2017). However, the emphasis of the first Act is “to protect the privacy of individuals”. The term “data sovereignty” is not mentioned once in any of these pieces of legislation.
Fact: Australian businesses should know where their data is generated, collected, and stored. This requirement exists because different countries may have different laws regarding data sovereignty. Data is subject to the laws of the country where it is collected and held.
The only element of the Acts related to the data sovereignty concept we could find was Chapter 8 of the Australian Privacy Principles, which relates to cross-border disclosure of personal information.
‘The framework generally requires an APP entity to ensure that an overseas recipient will handle an individual’s personal information per the APPs and makes the APP entity accountable if the overseas recipient mishandles the info.’
But nowhere does it require data to be kept in Australia. And there’s no legal difference in how the APPs are to be treated – even when they’re third-party contractors.
Fact: government organisations are already taking action related to data sovereignty. It’s true that the Australian government, like many around the world, is trying to develop legislative frameworks that enable and support the security of its sensitive information. According to the Australian Digital Transformation Agency (DTA), a new whole-of-government hosting strategy would help ensure that government data and digital infrastructure would enable “a world-leading digital government for the benefit of all Australians.”
As part of this strategy, the DTA has set up a new Digital Infrastructure Service (DIS) to “reduce data sovereignty, ownership and supply chain risks.” The solutions under consideration include the following:
Some solution providers already offer data management products that tackle data sovereignty and residency issues. However, these solutions are not designed for organisations that do not have legal requirements directly related to data sovereignty.
Fact: keeping data in Australia can help maintain legal certainty around data sovereignty. If there is a data breach, Australian-based companies that keep their data onshore can receive breach notifications and legal protections under Australian laws. If working internationally, reviewing the rules of the country you’re operating in is essential. While the laws governing the UK, USA, and parts of the EU are usually deemed compliant, their rules regarding sovereignty and security do differ from those applied under Australian law.
Generally speaking, if an organisation wants to work for a public organisation, it must submit a tender for the specific project. In the past, defence-related tenders would also require a specific form (around 200 pages long) that declared that the organisation in question was fit to work with defence organisations. This form was required even if the project in question was only tangentially related to defence, such as garden maintenance or fixing fence posts.
Today, contractors wishing to work with defence-related organisations can apply for security vetting through the Defence Industry Security Program (DISP). This program aims to help organisations understand and manage security risks while providing government entities with a sense of confidence and assurance when procuring goods and services from vetted industry members.
Essentially, DISP helps cut the red tape around becoming a part of the defence industry supply chain. However, only one requirement currently included in the Defence Security Principles Framework (DSPF) relates to data sovereignty.
Under the “Offshore and Cloud Based Computing” section, the DISP states: “Offshore and cloud based Defence information is only hosted by cloud service providers on the ‘Certified Cloud Services List’ who have been evaluated and certified by the Australian Signals Directorate.”
The rationale behind this statement is:
And here, we get to the first mention of this article’s topic. As stated by the Defence Industry Security Program, the outcome of these measures is to ensure that: “Technical security and business risks are managed effectively throughout each information system’s life cycle. These include issues of privacy, data ownership and data sovereignty.”
Other than the privacy legislation mentioned above, you can find the majority of the relevant information on data sovereignty in the Australian Cyber Security Centre’s (ACSC) Information Security Manual.