A Guide to Australian Data Centre Sovereignty

September 6 2024, by Macquarie Data Centres | Category: Data Centres

With data flowing freely across borders, how do we prevent foreign governments from accessing or seizing sensitive information when it enters their jurisdiction? How can we be sure our assets are secure if we use a global cloud provider to store intellectual property?

These are the questions being posed today by governments, organisations, and customers. In response, data sovereignty has become a significant talking point in recent years, driven by a demand to ensure data is subject to the laws of the country in which it is contained.

Data sovereignty is gaining enormous traction, and as one of the world’s leading sovereign data centres, we at Macquarie Data Centres know the topic better than anyone. To break it down, let’s explore what data sovereignty is, how it works, and why it matters for you as a business.

What is data sovereignty?

Data sovereignty is the concept that data must abide by the laws and legislation of the country in which it’s stored. It means businesses must adhere to strict local regulations surrounding data collection, storage, protection, governance, and access to ensure they can control the sensitive information they possess.

Data sovereignty vs data residency vs data localisation.

To clear up some confusion, it’ll be helpful to elaborate on the differences between data sovereignty, data residency, and data localisation. These three terms are often used interchangeably, but they are all unique.

Data residency refers to the physical geographical location of a business’s data. For instance, data might be stored in Australia, the US, France, or Germany. A data residency law will require that data must be held in a specific location. However, unlike data sovereignty, data residency does not prevent data from being subject to the laws of other jurisdictions, transferred across borders, or accessed internationally.

Data sovereignty, however, refers to the rules and laws to which data is subject because of its location. It determines that data must comply with the laws of that jurisdiction and that jurisdiction alone. If data residency is where the game takes place, data sovereignty defines the rules of play.

Lastly, there’s data localisation. This term can be confusing because it is a middle ground between residency and sovereignty. It is a concept that data generated from citizens within a region should be stored and processed within that region before being used externally. In this sense, data localisation is a stricter form of data residency, which mandates that data must remain within a specific country.

Typically, data centres deal with data sovereignty and residency. Data residency refers to a physical location, while data sovereignty refers to the rules and laws to which the data is subject because of its physical location. Of these two fields, sovereignty over data processing is the most important. It’s not just where data is stored; it’s how it’s governed that matters.

How does data sovereignty work?

Let’s explain the topic with an example. Data handling laws in Asia are different from those in Europe. The rules and regulations that apply to an organisation in one country do not necessarily apply in another. With data sovereignty, a business based in China may be held accountable if it collects data within the EU and allows that data to be compromised.

Data sovereignty is designed to prevent such compromises from arising. It requires businesses handling international data to ensure that data privacy isn’t compromised, especially when data is shared across borders.

Understanding, adopting, and complying with local data laws and regulations can be crucial for a business operating in a new territory.

Data truly protected by sovereign data centre operations must be located onshore. It should also be under national jurisdiction, as this protects that data from another claim, such as from the government of the country where the company is based.

Why does data sovereignty matter?

National data sovereignty has never been more relevant in Australia than it is today. Our world is hyper-connected, driven by a demand for global collaboration. Data fuels this borderless world, shaping our digital experiences and driving innovation in ways that weren’t previously possible.

However, this raises several concerns. How can we ensure the safety of our sensitive information if data is globalised and can flow freely across borders? Who controls our sensitive information? How do we know they are protecting it?

This is where data sovereignty demonstrates its worth. It ensures that all data collected within Australian borders, even by a business not based in Australia, is subject to our country’s stringent laws and regulations.

Why does this matter? Here are two critical reasons to consider:

  1. Data security: Data sovereignty requires that data created within Australia be subject to Australia’s strict security and privacy laws. This reduces the weaknesses and vulnerabilities that cybercriminals like to exploit, lowering the threat of a data breach. This is especially important for government agencies, where breaches can threaten national security.
  2. Data privacy: Data sovereignty gives consumers control over which entities can access their data. It ensures that data, like personal details and financial records, remains private and on Australian shores. This protects customers from exploitation and businesses from legal repercussions.

These benefits aren’t rooted in theory, either. Over the past two years, data security and privacy have become increasingly prevalent concerns. To further showcase why sovereignty is so important, let’s look at the data landscape in 2024.

Recent Australian data sovereignty updates 2024.

It’s no secret that cybercrime has increased enormously since the pandemic. A concerning 1.8 million Australians had their data compromised in the first three months of 2024, marking a 388% increase from the previous quarter.

And this is just the start of the problem. In July 2024, MediSecure revealed that hackers had compromised the personal information of 12.9 million of its customers back in 2023. Similarly, Russian hackers stole 2.5 million government documents in Australia’s largest-ever government cyberattack in January.

Attacks like these have led to critical discussions surrounding Australia’s data security and privacy. How can we, as a country, provide a more secure environment for consumer data, protect national security, and protect critical infrastructure from catastrophic breaches?

Following recent attacks, the transition to sovereign data centres was obvious for the Australian government. The Whole-of-Government Hosting Strategy is now fully in effect, meaning all government hosting providers must have proven, certified levels of data privacy, security, and sovereignty.

On a broader scale, the Attorney General announced an overhaul to the Privacy Act 1998 on May 2, 2024. In the amendment act, he proposed several reforms that would tighten existing data privacy laws, enforce stricter punishments for breaches, and give customers greater control over their personal information.

For these reasons, organisations need to transition their data away from hyperscale cloud operations like Amazon Web Services, Google Cloud, and Microsoft Azure. The push for cloud repatriation means many Australian businesses are moving to hybrid cloud models powered by domestic, sovereign data centres. These data centres are onshore, resilient, and secure, and have the tools and protocols to protect customer information.

What does it mean to be a sovereign data centre? Let’s take a look.

How does a data centre become sovereign?

Becoming a certified sovereign data centre is challenging. The first and most apparent data sovereignty requirement is that the data centre must be owned by an Australian company, located entirely within Australia’s jurisdiction, and staffed exclusively by Australian personnel.

A useful point of reference is the Australian Government’s Hosting Certification Framework. This framework outlines three certification levels: Strategic, Assured, and Uncertified, with Strategic being the most secure.

The framework describes the requirements for becoming a certified data centre fit to host government data. Gaining certification proves that a data centre offers the highest level of sovereignty, security controls, and privacy.

To ensure data sovereignty and qualify, a data centre must meet several additional requirements, including:

  • Clearance protocols: Data centres implementing clearance protocols must ensure that authorised personnel hold the security clearance appropriate to the role each individual performs. For instance, key personnel with unescorted access must possess an Australian Government Security Vetting Agency (AGSVA) security clearance to a minimum of Negative Vetting Level 1.
  • Certifications: All certified data centres should comply with Australian data standards and certifications such as ISO 27001.
  • Data control: The data centre must be owned by low-risk entities and controlled by parties that exercise decisions and strategies consistent with the Commonwealth’s interests.
  • Physical access control: The data centre needs to demonstrate that its facility is constructed according to the zone specifications outlined in the Protective Security Policy Framework (PSPF).
  • Data protection: The data centre must demonstrate that its data protection measures adequately protect data at rest, in processing, and in transit.
  • Compliance: Data centres need to show that the company is committed to ongoing compliance with data protection and privacy regulations.
  • Monitoring: Secure systems must be used to monitor security and availability throughout the entire facility.

While there are more requirements to gain certification, this brief overview highlights the strict measures in place to qualify data centres as truly secure, private, and sovereign.

Given the complexity of these requirements, it’s of little surprise that there are currently only six certified strategic facilities and six certified strategic enclaves in Australia.

Why choose a certified sovereign data centre?

As a business, choosing a certified strategic data centre is wise for your organisation and your data. Let’s look at why this is the case.

1. Cybersecurity

Data stored outside of Australia may fall victim to unfamiliar cyber threats. A local data centre can offer security solutions that align with cybersecurity standards like ISO/IEC 27001.

2. Physical security

All personnel working in certified data centres are cleared under the Australian Government Security Vetting Agency (AGSVA), offering peace of mind that your data is in safe hands. In addition, strict access controls keep the physical premises secure at all times.

3. Compliance

As all data within a sovereign data centre is maintained and processed on-shore, you can be confident all data handling complies with Australian data sovereignty laws and regulations, such as the recently modified Australian Privacy Act 1998.

4. Resilience

Sovereign data centres offer resilient infrastructure and redundancy measures, requiring no shutdown during essential maintenance. This also means sovereign data centres are highly resistant to outages, which is especially crucial for workloads requiring around-the-clock availability.

5. Brand reputation

Protecting customer data under Australian laws means accountability and greater transparency. Your customers will know exactly where their data lives and who has access to it, helping you build a reputation of trust.

Does my organisation need a sovereign data centre?

Most businesses can benefit from a sovereign data centre. However, some companies can be less concerned about data sovereignty than others, such as businesses that:

  • Only operate in Australia.
  • Have no international customers or partners.
  • Only collect data within Australia.
  • Don’t transfer any data internationally.
  • Use a data centre located within Australia.
  • Use cloud services with data centres located in Australia.
  • Follow all relevant privacy and security acts.

On the other hand, if you regularly handle sensitive data, must comply with data laws and legislations, and operate internationally, data sovereignty should be at the top of your agenda.

For instance, sovereignty is essential for healthcare organisations that handle a wealth of sensitive health records and numerous stringent compliance requirements.

Similarly, financial services that handle sensitive financial data should aim for sovereignty to maintain trust and avoid costly, unauthorised access.

Technology providers typically rely heavily on the cloud. Still, if they work with global cloud services providers (GCSPs), this introduces a new threat vector because this information is susceptible to foreign influence and law changes. Even data primarily held in Australia could be collected by another country without warning.

A sovereign data centre benefits any organisation that needs to achieve an assured, exceptional level of security and sovereignty, meet compliance, and mitigate risks.

Data sovereignty roadmap.

If your business would like to transition towards data sovereignty, there are several steps you need to take. We’ve outlined them below in a step-by-step roadmap.

1. Understand the law in Australia

First, you need to understand the laws and legal requirements and how they impact you. Familiarise yourself with the Australian Privacy Principles (APPs) and their requirements, as they will govern how you collect, use, and disclose personal details.

2. Know your data

Data sovereignty lives and dies by knowledge of your data. Remember, it’s not just about where your data is. It’s about how it’s governed. You need to know where your sensitive information lies, how it’s processed, and what measures are in place to protect it.

3. Choose the right sovereign data centre

There are many criteria for evaluating a sovereign data centre. Naturally, you should choose a hosting service within the country to meet data residency requirements in Australia.

Beyond that, you should also choose a data centre with a proven security, privacy, and compliance track record. Opting for a data centre that is Certified Strategic under the Australian Hosting Framework is an excellent way to ensure exceptional service.

4. Safeguard your data

If you possess sensitive data, you must employ proper safeguards to protect it and comply with legislation. This may involve building firewalls, access controls, and data encryption. A sovereign data centre can guide you through this process and offer advice to help you build a robust security network.

5. Train your staff

Staff are the often forgotten component of data sovereignty. Implement policies and training measures that inform your team of their roles and responsibilities in maintaining compliance. This is especially crucial for staff members who routinely handle sensitive data.

6. Monitor and maintain

Maintaining data sovereignty in Australia requires constant refinement. Stay abreast of changes to legislation, regularly test your cybersecurity measures, perform risk assessments, and conduct periodic testing to evaluate your strategy.

Information for multinationals.

Data residency and sovereignty are fairly straightforward for businesses operating solely within Australia’s jurisdiction, but things can get more complex for an international business looking to enter the country. This is especially true with the globalisation of cloud computing, as these hyperscale data centres can generally be located worldwide.

It’s important to know that Australia’s data sovereignty laws will apply to you if you operate in Australia, even if your core operation isn’t located within the country. Multinational businesses in breach of the APPs have been held accountable in the past, so it’s essential to know the laws and what they entail so you can work within them if you plan to enter Australia’s jurisdiction.

Therefore, we recommend running through this checklist of considerations for data sovereignty if you plan to enter the country.

  1. Is your data infrastructure within a data centre located in Australia’s jurisdiction?
  2. Which other organisations can access your data? Is this a security threat?
  3. What policies do you have in place for data exchange? Who has access?
  4. Who manages the data and determines where it is stored?

In addition, we suggest relying on a dedicated sovereign data centre rather than utilising the cloud, especially as international businesses often have segregated data stores and workflows.

Meet Macquarie Data Centres.

As one of Australia’s first certified strategic data centre providers, Macquarie Data Centres is proud to be entirely Australian-owned and operated.

No data centre provider knows data sovereignty like we do. That’s why we’re always working to achieve the highest standard of compliance in Australia. As one of the most heavily-certified data centres in Australia and the world, we put your security first.

There’s a reason we’re one of the few certified strategic data centres in partnership with the Australian Government. Over 42% of all Government entities in Australia trust Macquarie Data Centres with their sensitive information.

Macquarie Data Centres can advise its clients with unrivalled expertise on policy, compliance, privacy, and mitigating risk. Learn more about our secure, sovereign, compliant data centres, or enquire now to ask us any questions you may have.

Do you have any more questions? Feel free to contact us today, learn more about our team, and see why businesses choose Macquarie Data Centres. You can also book a tour at our Sydney data centre.


About the author.

Macquarie Data Centres is Australia’s most trusted data centre provider. They house and protect the data for the world’s biggest hyperscalers, Global Fortune 500 companies and 42% of the Australian Federal Government. Part of the ASX-listed Macquarie Technology Group, they have been successfully building and operating data centres in Australia for over 20 years. Macquarie Data Centres currently owns and operates three data centre campuses, two in Sydney and one in Canberra, all of which are Certified Strategic by the Australian Government. Offering the confidence of a 100% uptime guarantee, their Tier III data centres provide the highest levels of security, sovereignty, service and compliance for their customers.
