The word sovereignty typically inspires images of royalty and the Treaty of Westphalia. However, put the word ‘data’ before it and you step into one of the most topical areas of law today. Without question, data sovereignty affects us all. It is particularly important for businesses, which have legal obligations to safeguard the confidentiality of the personal data they hold. If you would like information about data sovereignty, this article explains what it is and why it matters.

What is Data Sovereignty?

At its simplest, data sovereignty refers to the fact that data stored digitally with a cloud service provider may be held overseas and is, therefore, subject to the jurisdiction of more than one country. This can occur whether a business uses a foreign or a local cloud service provider.

For example, a local service provider may, in fact, be a branch office of a company based elsewhere. If the head office handles all billing, data is being sent overseas and stored there. That data can include all kinds of information, including credit card details, health records, personal information and financial records. Businesses choose to store data overseas for a variety of reasons: it makes doing business easier, costs less and ensures that data is backed up and stored safely with minimum difficulty.

Why is Data Sovereignty an Issue?

The reason that data sovereignty matters for business is that it raises questions for them concerning:

  • Complying with privacy obligations;
  • Data protection and security; and
  • Notification of data breaches.

Privacy and Data Security

Many Australian businesses have legal obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

The legislation and principles cover issues such as keeping data secure and the disclosure of information, including disclosure overseas. If the information is sensitive, the obligations are more onerous. Sensitive information includes, but is not limited to, information on health, sexual orientation or political affiliations. All businesses are legally required to implement reasonable security safeguards and take reasonable steps to protect the information. All businesses therefore need robust and comprehensive information security strategies.

If an Australian entity stores data overseas, it needs to know where the data is stored. It must also have even more rigorous internal procedures to protect and secure that data. The onus is on the business to ensure that data stored overseas is stored in accordance with local laws. ‘Local’ can mean the location of the service provider and, if different, the place of storage. The cost of protecting data could rise simply because doing so requires more knowledge and more resources.

Storing data overseas also raises other concerns that could increase the cost of protecting data and complying with privacy obligations. Before a business stores data overseas, it will need to inventory that data to determine whether any of it is otherwise legally protected. For example, the confidentiality of health records is legally mandated. Similarly, information could be protected for legal reasons, financial reasons or both. A business might need to formally de-identify data before storing it in the cloud. If the data is de-identified, Australian privacy laws are no longer an issue. However, if any original identities or identifiers are reasonably ascertainable, privacy laws come back into consideration. A business also needs to be sure that its provider will not replicate its information on any other server in any other jurisdiction.

Lastly, a business needs to know whether its cloud service provider has insurance that covers its data. If not, the business could be without remedy in the event of a breach. On this point, it is essential to realise that data is not only compromised deliberately, in criminal circumstances. Information can sometimes be disclosed inadvertently.

Notification

If a data breach occurs, an Australian business is not legally required to report the breach. The Privacy Act 1988 (Cth) does not mandate reporting. Reporting may become mandatory for some businesses if the Serious Data Breach Notification Bill becomes law and amends the Privacy Act. At present, best practice dictates that a business report the breach both to the Office of the Australian Information Commissioner (OAIC) and to the individuals affected when the breach presents a real risk of serious harm. The OAIC also points out that notification can benefit an organisation in these cases by increasing public confidence in the business.

However, if a business stores its data overseas and a breach occurs, it may not be able to inform an Australian customer and therefore could not follow Australian best practice. For example, if data stored in the US is subject to a subpoena giving law enforcement agencies access to a customer’s information, the business could potentially be legally prevented from notifying that person. A foreign government could then access information on Australians without recourse to the usual, official channels. On this point, it is important to remember that foreign providers are not subject to the Privacy Act 1988 (Cth).

***

Data security and sovereignty is a serious legal issue. If you have concerns or need information, speak with a qualified legal professional.

Carole Hemingway
