Table of Contents
Data sovereignty is an issue that affects businesses and individuals alike. It is particularly relevant to companies with legal obligations requiring them to maintain the confidentiality of any personal data they own or can access. You must understand when data sovereignty applies to your business and your resulting legal obligations. This article will discuss data sovereignty, why it matters and what you can do as a business owner to protect it.
What is Data Sovereignty?
Data sovereignty refers to the concept that jurisdictional control or legal authority may be asserted over data because its physical location is within jurisdictional boundaries. This means specific data may be subject to the laws of more than one country because it is within another country’s jurisdiction. This can occur when data is stored digitally with a cloud service provider and may be stored overseas.
Data Sovereignty and My Business
Data sovereignty is relevant to your business if you use a foreign or local cloud service provider to store data. Businesses choose to store data overseas for a variety of reasons.
For example, it can:
- make doing business easier;
- cost less; and
- ensure that data is backed up and stored safely and with minimum difficulty.
Consider the following scenario where data sovereignty would apply.
Your business could be based in Australia and use an Australian-based cloud services provider. However, you have a branch overseas that handles a particular business function. You have to send personal information to this office for them to contact clients. Australian privacy obligations govern the disclosure of this information.
Here, your business must comply with data protection and privacy obligations.
Data can include all kinds of information, including:
- credit card details;
- health records;
- personal information; and
- financial records.
Call 1300 544 755 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.
Why is Data Sovereignty an Issue?
Data sovereignty matters for your business because it raises questions concerning your:
- compliance with privacy obligations;
- data protection and security;
- notification of data breaches; and
- privacy and data security.
Many Australian businesses have legal obligations under Australian privacy laws and the Australian Privacy Principles (APP). These cover the disclosure of personal data across borders. Where you are sending or storing personal information across borders, the APP requires you to protect personal information as if you were handling or storing it in Australia. This will apply when you send personal information to a branch of your business based in another country or when your data hosting provider is in another country.
You are always the party responsible for personal information. As a result of data sovereignty, where the data you send overseas contains personal information, it will be subject to the APP and any local laws in the country where it is physically located.
Australian law also covers data security and confidentiality. The law requires all businesses to implement reasonable security safeguards and take steps to protect information. If the information is sensitive, the obligations are more onerous. Sensitive data may include information concerning:
- sexual orientation; or
- political affiliations.
As a result, all businesses need robust and comprehensive information security strategies.
If you store or send data overseas, you need to know where the data is being sent or stored. You must also have more rigorous internal procedures to protect and secure that data. Your responsibility is to ensure that the data overseas is stored according to local laws.
However, before you store data overseas, you must determine if any other laws protect that data. If so, you may be unable to send or store it overseas. For example, health records and associated data must not be processed, held, taken, handled, or stored outside Australia. Similarly, other laws may require you to keep certain information confidential for legal or financial reasons.
Depending on the data type and the purpose for sending or storing it overseas, you may also consider formally de-identifying the data before storing it in the cloud.
If Australian privacy obligations apply to your business, the data breach notification rules apply to your business. Accordingly, if a notifiable data breach occurs, you must report this breach to both the affected individuals and the Office of the Australian Information Commissioner (OAIC).
Importantly, failure to notify any individuals affected by a breach may result in a fine under the Privacy Act 1988 (Cth). However, if you store your data overseas and a breach occurs, you may not be able to inform Australian customers due to the laws of the country where the data is stored.
Protect My Data Sovereignty
There are several steps that your business can take to protect your data sovereignty, including:
- clarifying where exactly you will store your data;
- where possible, choose an Australian-based cloud service provider;
- if you have a foreign provider, ensure that it complies with applicable Australian laws and regulations. You can do this through your contracts with your foreign provider. The APP requires you to take ‘reasonable steps’ to ensure you store the personal data in line with the APP in the host location;
- backing up your data before moving it offshore;
- implementing a strong data breach response plan identifying your business responsibilities and reporting procedures.
Your business’ brand represents your values, identity and reputation. Learn how to create a successful brand and protect it.
Data security and sovereignty is a serious legal issue, particularly for businesses with privacy law and APP obligations. Your business needs to ensure that it meets these obligations by understanding where you store your data, how you protect it and the laws that govern it.
If you need help regarding your data privacy obligation, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
Data sovereignty is the idea that data is subject to the laws of where it is physically located. Given the advancements in technology and the increase in global service providers, your data is subject to the laws of multiple countries if you store it offshore. This is because Australian laws will continue to apply, particularly where your data contains personal information. Additionally, the local laws of the location the data is stored also apply.
Sensitive data may include information relating to an individual’s health, sexual orientation or political affiliation.
We appreciate your feedback – your submission has been successfully received.