Data Sovereignty Guide: Considerations for Data Localisation and Relocation to Australia
Recent amendments to data sovereignty laws around the world have left many businesses and organisations scratching their heads on new compliance requirements and considerations for security.
Our guide aims to break down everything you need to know as a multinational looking to operate in Australia, or as an Australian business looking to keep up to date with the rapidly changing world of data privacy and security.
What is Data Sovereignty?
Data sovereignty is a broad concept used to describe the legal restrictions, regulations and compliance procedures that a business or organisation must adhere to when processing and storing data within a specific country or area.
In layman’s terms, data sovereignty refers to the control that a government entity may have over data when it is physically located within its jurisdictional control. This means that any organisation looking to operate or expand abroad will be subject to the data laws and regulations of that country.
In today’s digitally dependent world, the interconnectedness of data has made the murky waters of data sovereignty incredibly challenging to navigate. One such example is when an organisation’s data has to comply with data laws in more than one country. This can occur if data is being stored or is in-transit overseas, either digitally with a cloud provider or physically in a data centre.
Data Sovereignty vs Data Residency: What’s the Difference?
Data residency refers to the physical location in which the data is stored. Although the term is often used incorrectly as a substitute for data sovereignty, it’s important to note that data residency does not actually refer to the laws or entities that govern data. For example, organisations are subject to Australian data sovereignty laws if their data residency is in Australia.
What is Data Localisation?
Data localisation is the process of keeping data within the country or region that it originates from, i.e. if an organisation collects data in the UK, it stores that data in the UK rather than relocating it to another country for processing.
Data localisation has seen a rise in popularity in recent times due to increasing concerns about security from regulators, privacy advocates and governments.
Although most data privacy laws do not explicitly require data localisation, in some cases, countries may impose data residency restrictions that pressure organisations to localise their data.
Disadvantages of Data Localisation for Multinationals
Data localisation may be a relatively straightforward task for smaller businesses or organisations that operate exclusively in a single country or region, as they can opt to keep their data infrastructure on-prem.
However, with the advent of advanced cloud computing, data localisation has become increasingly complicated and difficult to achieve. Cloud servers and the hyperscale data centres from which they operate generally tend to be located anywhere around the globe.
This is particularly restrictive for international technology companies and multinational organisations that rely on strategically placed data centres for efficient processing of data. Therefore, many of these multinational organisations vehemently oppose data localisation, since it creates roadblocks for highly interconnected data ecosystems.
Larger organisations tend to favour cloud providers or data centres that are equipped with processes that adhere to data sovereignty laws in their respective countries.
Australian Data Sovereignty Laws 2023
There are a handful of key data sovereignty considerations for businesses that operate in Australia, but most of these can be grouped into a set of legislation and amendments known as the Australian Privacy Principles (APPs). The notable ones are as follows:
- Australian Privacy Act 1988: This act introduced the APPs and, amendments notwithstanding, it is still the primary legislation that governs the handling of personal data in Australia.
- Privacy Amendment Act 2012: This act provided much-needed amendments to the 1988 Privacy Act by introducing a new set of rules for personal data processing by corporate and government entities.
- Privacy Amendment Act 2017: One of the minor amendments to the act, but significant due to its role in establishing a set of responsibilities when responding to data breaches, i.e. the Notifiable Data Breaches (NDB) scheme.
These Australian Privacy Principles govern the standards, rights and obligations regarding:
- Collecting, using and disclosing personal information
- An organisation’s governance and accountability
- The integrity and correction of personal information
- The rights of individuals to access their own personal information
Along with these core APPs, the Australian government introduced further data security compliance procedures as part of the Security of Critical Infrastructure Act 2018 (SOCI Act). This bill also saw further amendments in late 2021 and throughout 2022.
The SOCI Act established a mandatory framework for security compliance for all critical infrastructure sectors and assets. As part of the newly-imposed compliance, data storage and processing were identified as one of the main priority sectors, introducing further considerations for data sovereignty.
For an easy-to-digest breakdown of the SOCI Act and its implications, you can view our comprehensive guide on the Security of Critical Infrastructure Act.
Does Australia Have State-Specific Data Sovereignty Requirements?
Australian privacy laws do not differentiate at the state level and are applicable nationwide.
However, in other jurisdictions data sovereignty considerations can be region-specific.
For instance, the European Union’s General Data Protection Regulation (GDPR) is one of the broadest geographical regulations surrounding data protection and is applicable to an entire continental region, whereas the California Consumer Privacy Act (CCPA) only encompasses businesses that operate within the state of California in the U.S.
Do Australian Data Sovereignty Laws Apply to International Businesses?
Data sovereignty laws will apply to most businesses that operate in Australia, regardless of where their main operations are located.
In the past, multinational businesses or organisations that breached the Australian Privacy Principles have been held responsible. The linked incident serves as a case study that sets a precedent for penalising and holding other complacent international businesses responsible.
More specifically, foreign entities (organisations and businesses of any size) can be held accountable under the APPs if they are deemed to have an Australian Link.
Entities are deemed to have an Australian Link if they satisfy any of the following conditions (as listed in subsection 5B of the Australian Privacy Act 1988):
- The operator is an Australian citizen
- The operator is a person whose continued presence in Australia is not subject to a limitation as to time imposed by law
- The organisation is a partnership formed in Australia
- The organisation is a trust created in Australia
- The organisation is a body corporate incorporated in Australia
If the entity does not meet any of the above criteria, it can still be considered to have an Australian Link if:
- The organisation/operator carries on business in Australia, and
- Personal information was collected or held by the organisation/operator in Australia (either before or during the act/practice).
Therefore, it’s safe to say that any multinational intending to carry out operations in Australia may be bound by this act, irrespective of where they are physically located.
Data Sovereignty Checklist for Australian Expansion or Data Relocation
Simply put, most organisations are utilising cloud computing more than ever before, and multi-cloud or hybrid cloud computing are the most commonly selected options.
Although this provides numerous benefits for operational efficiency, hybrid and multi-cloud models also introduce more steps for data sovereignty compliance.
For multinationals entering Australia, here is a simple checklist for data sovereignty considerations:
- Is the data, and the infrastructure it is stored on, located in a data centre in Australia?
- What other organisations have access to your data? Could this compromise your security?
- What are the policies in place for data exchange and usage? Who has access to it and how is it shared?
- Who is managing the data and the related infrastructure on which it is stored?
How Do These Data Security Considerations Impact Cloud Computing and Data Centre Providers?
These data security considerations mean that the organisation must ensure data protection at each stage of data storage and processing, through controls such as encryption and access management. In order for data held in cloud infrastructure to comply with data sovereignty laws, the data should only be accessible by authorised personnel, and all access should be fully auditable and traceable.
These data sovereignty requirements are making dedicated physical servers more important than ever before. Dedicated data centre providers may be the only practical solution for highly segregated workloads that have extensive demands for physical infrastructure hosting and require a high level of access management.
This is because leading-edge colocation providers such as Macquarie Data Centres provide the option for data centres that are dedicated to a single tenant. These dedicated hosting locations can be highly optimised for specific requirements, including environment, reliability and security compliance.
Dedicated, Compliant and Secure: Macquarie Data Centres
The application of a highly customised hybrid or multi-cloud model has already seen widespread adoption by Macquarie Data Centres clients that operate in sectors which handle copious amounts of sensitive data, including:
- Public Sector – More than 42% of Australian Federal Government agencies and personnel
- ASX and Global Fortune 500 listed companies within healthcare, finance and tech.
No other data centre provider knows data sovereignty requirements as well as we do, and that’s why we’re constantly striving to achieve the highest levels of compliance and certification.
Since data laws will continue to become more comprehensive in the future, it’s vital for organisations operating in Australia to locate their data in an Australian sovereign facility. For any multinationals looking to eliminate as much risk related to data sovereignty as possible, don’t compromise on security and sovereignty.
Our leading-edge data centre facilities are all proudly Australian owned and operated. Moreover, Macquarie Data Centres are Federal Government Certified Strategic and fully equipped with some of the most extensive certifications for data centre reporting and auditing in Australia.