Data sovereignty comes into play when an organisation’s data is stored outside of their country and is subject to the laws of the country in which the data resides.
The main concern with data sovereignty is maintaining privacy regulations and keeping foreign countries from being able to subpoena data.
Data sovereignty can be a complex legal issue that can affect organisations worldwide. It might be easiest to explain it with a couple of scenarios:
In scenario one, we have an Australian cloud services provider that has their main office, including sales, marketing, accounting, and operations in Australia. However, their customer service call centre is located in India.
Certain personal information about accounts must be sent to India in order for them to contact clients and provide support. According to Australian Privacy Principles (APP), the cloud provider must disclose what information is being sent outside of Australia.
In scenario two, we have a cloud service provider based in the United States with a branch office in Australia. Their billing functions are handled in their main office offshore. Therefore, a great deal of personal information must be sent to the United States and is subject to their laws.
In both of these scenarios, there is the potential for an organisation’s personal data to be subpoenaed by a foreign government.
Australian Privacy Principles (APPs) have created rules for handling data sovereignty. Section 8 of the APP (APP 8) discusses the disclosure of personal data across borders. It strives to ensure that overseas organisations will handle personal data according to their guidelines. It also makes the entities responsible for mishandling personal information.
When an APP entity (i.e. a cloud services provider) discloses personal information to an overseas recipient, the entity must take “reasonable steps” to make sure the rules of the APP are not broken.
APP clearly defines when it is appropriate for an APP entity to transmit data and also what data is allowed to be transmitted.
Some examples of when an APP entity will disclose when they send information to an overseas recipient include:
The Australian Privacy Commissioner recommends that any entity that is planning to offshore data needs to read the privacy principles and consult legal counsel.
Some organisations such as Commonwealth Bank and Coles have made the decision to host less of their data offshore. Rob Scott, CFO of Coles, stated they are, “very mindful that there is a perception that if information is in Australia it is safe and if it is not in Australia it is not safe.”
Depending on the type of data being stored, data sovereignty may not be a concern. However, if your organisation stores any personal data, it is best to keep your data in Australia in order to minimise the risk.
For some cloud services, like accounting for example, you may have the option to keep your data stored in data centres located in Australia. If a company is international, but has a presence in Australia, you should verify where your data will be stored. You will also want to make sure it is not replicated onto servers in other countries.
While data sovereignty has been a concern for Australian organisations, data centre provider Digital Realty and some other global companies don’t believe these concerns are legitimate.
The U.S. Patriot Act became a concern because Australians feared the act would allow the U.S. government full access to data that is hosted in the U.S. or by a U.S. organisation.
Digital Realty’s senior vice-president, Kris Kumar, told ZDNet that unless an organisation is doing something nefarious, they shouldn’t have to worry about the U.S. gaining access to their information.
According to Kumar, "Unless you're doing something wrong or against the law, you have nothing to worry about. Any act that exists needs warrants to access that data — the government can't clamp down and access the data willy-nilly."
Regardless of which side you believe is right, having your data in the cloud offers many benefits. It allows for easier flow of information with employees anywhere in the world. It also allows for safe and easy remote backup of files and data, and in many cases, cost savings.
The good news is that there are a growing number of cloud-based service providers in Australia. This means there is a greater likelihood that you will be able to keep your data within Australia and still use public cloud services.
Organisations in Australia have enough options to select cloud-based service providers that are located in Australia. This increases the likelihood that your data will stay in Australia. However, you will want to read the service provider’s contract to have a good understanding of where your data will be located.
Of course, not all data is created equal. Some files can be stored anywhere in the world without confidential concerns. On the other hand, when dealing with personal data, it may be worthwhile to secure a basic guarantee that your data stays on Australian soil.
Are you concerned about where you data is hosted?
We have experience helping organisations understand data sovereignty and transition to a compliant solution.
Call us 1300 562 886.