Data sovereignty is an issue that affects businesses and individuals alike. It is particularly relevant to businesses with legal obligations requiring them to maintain the confidentiality of any personal data they hold. It is important that you understand when data sovereignty applies to your business and what your legal obligations are as a result. This article discusses what data sovereignty is, why it matters and some things you can do as a business owner to protect it.

What Is Data Sovereignty?

Data sovereignty refers to the concept that data may be subject to the laws of more than one country. This can occur when data is stored digitally with a cloud service provider and is therefore held overseas. In other words, data sovereignty comes into play when an organisation stores data both internationally and locally, which can happen whether a business uses a foreign or a local cloud service provider.

How Does Data Sovereignty Relate to My Business?

Data sovereignty is relevant to your business if it uses a foreign or local cloud service provider to store data.

Businesses choose to store data overseas for a variety of reasons. It can:

  • make doing business easier;
  • cost less; and
  • ensure that data is backed up and stored safely with minimum difficulty.

Consider the following scenarios where data sovereignty would apply and you would need to comply with data protection and privacy obligations.

Your business may be based in the United States but have a branch office in another country. If the head office in the United States handles all the billing, the data sent to and stored in the US is subject to US laws. Because you are storing your data using a foreign service provider, data sovereignty is relevant to your business.

Similarly, your business could be based in Australia and use an Australian-based cloud service provider, but have an overseas branch that handles a particular business function. You have to send personal information to this office so that it can contact clients. Australian privacy obligations govern the disclosure of this information.

The data can include all kinds of information, including:

  • credit card details;
  • health records;
  • personal information; and
  • financial records.

Why Is Data Sovereignty an Issue?

Data sovereignty matters for your business because it raises questions concerning your:

  • compliance with privacy obligations;
  • data protection and security;
  • notification of data breaches; and
  • privacy and data security.

Many Australian businesses have legal obligations under Australian privacy laws and the Australian Privacy Principles (APP). These cover the disclosure of personal data across borders, so they apply to situations where you hand over personal data to businesses overseas.

Australian law also covers data security and confidentiality. The law requires all businesses to implement reasonable security safeguards and take steps to protect information. If the information is sensitive, the obligations are more onerous. Sensitive information could include information on:

  • health;
  • sexual orientation; or
  • political affiliations.

As a result, all businesses need robust and comprehensive information security strategies.

Your Obligations

If you store data overseas, you need to know where the data is being stored. You must also have even more rigorous internal procedures to protect and secure that data. It is your responsibility to ensure that data stored overseas is stored in accordance with the local laws. ‘Local’ could mean the location of the cloud service provider and, if different, the storage location.

However, before you store data overseas, you will need to determine if that data is legally protected under other laws.

For example, the law requires you to keep health records confidential. Similarly, the law may require you to keep some information confidential for legal or financial reasons, or both.

Your business may also need to formally de-identify data before storing it in the cloud. De-identification means removing the information that identifies individuals from the data. If you de-identify the data, Australian privacy laws are no longer an issue. However, if any of the original identities or identifiers can be ascertained from the data, privacy laws come back into consideration. A business also needs to make sure that its cloud service provider will not replicate its information on any other server in any other country.

Lastly, you should find out if your cloud service provider has insurance to protect your data. If your data is not insured and it is either inadvertently disclosed or criminally compromised, you may have no remedy.

Notification Obligations

If Australian privacy obligations apply to your business, the new data breach notification rules also apply. This means that if a data breach occurs, you will need to report the breach both to the affected individuals and to the Office of the Australian Information Commissioner (OAIC).

A data breach consists of three elements:

  • unauthorised access to personal information;
  • unauthorised disclosure of personal information; and
  • loss of personal information.

If all three events occur and the breach is likely (more than a 50% chance) to result in serious harm, your business will need to report it. Whether you should report the breach depends on a variety of factors, which the courts will usually judge from the perspective of a person in your business’ position. This is where having a data breach response plan in place can be hugely valuable for your business.

Importantly, failure to notify any individuals affected by a breach may result in a fine.

Storing your data within Australia can help to prevent a breach from occurring and will enable you to comply with privacy laws and APP obligations. However, if you store your data overseas and a breach occurs, you may not be able to inform Australian customers.

For example, if data stored in the US is subject to a subpoena giving law enforcement agencies access to a customer’s information, your business could be legally prevented from notifying that person. It is important to remember that foreign entities are not subject to Australian privacy laws.

How Can My Business Protect Data Sovereignty?

There are several steps that your business can take to protect your data sovereignty. They include:

  • clarifying where exactly your data will be stored;
  • where possible, choosing an Australian-based cloud service provider;
  • if you have a foreign provider, ensuring that it complies with the most recent policies and regulations of the host country. The APP requires you to take ‘reasonable steps’ to ensure that personal data is stored in line with the APP in the host location;
  • backing up your data before moving it offshore;
  • updating your privacy policy to inform your clients where your data will be stored; and
  • implementing a strong data breach response plan that ensures anyone employed by your business understands their responsibilities and who to report any breaches to.

Key Takeaways

Data security and sovereignty are serious legal issues, particularly for businesses with privacy law and APP obligations. Your business needs to ensure that it meets these obligations by understanding:

  • where you store your data;
  • how your data is protected; and
  • the laws that govern and protect your data.

You may also need to de-identify your data before storing it with cloud service providers. If you have questions about your business’ data privacy obligations, get in touch with LegalVision’s online lawyers on 1300 544 755.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
Mark Christen
