
What is Data Sovereignty and How Does it Affect My Business?


Data sovereignty is an issue that affects businesses and individuals alike. It is particularly relevant to companies with legal obligations requiring them to maintain the confidentiality of any personal data they own or can access. You must understand when data sovereignty applies to your business and your resulting legal obligations. This article will discuss data sovereignty, why it matters and what you can do as a business owner to protect it.

What is Data Sovereignty?

Data sovereignty refers to the concept that a country may assert jurisdictional control or legal authority over data because the data is physically located within its borders. In practice, this means the same data may be subject to the laws of more than one country: the laws of the country where your business operates and the laws of the country where the data is physically stored. This commonly occurs when data is stored with a cloud service provider whose servers are located overseas.

In other words, data sovereignty comes into play whenever an organisation stores data outside the country in which it operates, whether alongside local copies or instead of them. Often, this occurs when a business uses a cloud service provider, foreign or local, that hosts or replicates data in overseas data centres.

Data Sovereignty and My Business

Data sovereignty is relevant to your business if you use a cloud service provider, foreign or local, that stores your data overseas. Businesses choose to store data overseas for a variety of reasons.

For example, it can:

  • make doing business easier;
  • cost less; and
  • ensure that data is backed up and stored safely and with minimum difficulty.

Consider the following scenario where data sovereignty would apply. 

Your business could be based in Australia and use an Australian-based cloud services provider. However, you have a branch overseas that handles a particular business function. You have to send personal information to this office for them to contact clients. Australian privacy obligations govern the disclosure of this information.

Here, your business must comply with data protection and privacy obligations.

Data can include all kinds of information, including:

  • credit card details;
  • health records;
  • personal information; and
  • financial records.

Why is Data Sovereignty an Issue?

Data sovereignty matters for your business because it raises questions concerning your:

  • compliance with privacy obligations;
  • data protection and security; and
  • notification of data breaches.

Many Australian businesses have legal obligations under Australian privacy laws and the Australian Privacy Principles (APP). These cover the disclosure of personal data across borders. Where you are sending or storing personal information across borders, the APP requires you to protect personal information as if you were handling or storing it in Australia. This will apply when you send personal information to a branch of your business based in another country or when your data hosting provider is in another country. 

You are always the party responsible for personal information. As a result of data sovereignty, where the data you send overseas contains personal information, it will be subject to the APP and any local laws in the country where it is physically located. 

Australian law also covers data security and confidentiality. Businesses subject to the Privacy Act must take reasonable steps to implement security safeguards and protect the personal information they hold. If the information is sensitive, the obligations are more onerous. Sensitive information may include information concerning a person’s:

  • health;
  • sexual orientation; or
  • political affiliations.

As a result, all businesses need robust and comprehensive information security strategies.

Your Obligations

If you store or send data overseas, you need to know exactly where the data is being sent or stored, including any locations to which your provider replicates it. You must also have more rigorous internal procedures to protect and secure that data. Your responsibility is to ensure that the data held overseas is stored in accordance with both your Australian obligations and the local laws of the host country.

However, before you store data overseas, you must determine whether any other laws restrict where that data may be held. If so, you may be unable to send or store it overseas. For example, certain health records (such as information in the My Health Record system) must not be processed, held, taken, handled or stored outside Australia. Similarly, other laws may require you to keep certain information confidential for legal or financial reasons.

Depending on the data type and the purpose for sending or storing it overseas, you may also consider formally de-identifying the data before storing it in the cloud. 

De-identification means removing or altering information so that an individual is no longer reasonably identifiable from the data. If the data is genuinely de-identified, it is no longer personal information and Australian privacy laws no longer apply to it. However, if someone can still ascertain a person’s identity, whether by reversing the transformation of an identifier or by combining the remaining fields (for example, date of birth and postcode), privacy laws come back into consideration. Simply hashing or deleting names is not enough on its own. A business also needs to ensure that its cloud service provider will not replicate its information to any other server in any other country.
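As an added example (not code from the original article or from LegalVision), the following Python shows why “removing identities” before sending data offshore must mean more than hashing them. It transforms a constructed sample record in two ways: an unkeyed SHA-256 hash of the identifiers, which an attacker holding only the offshore copy can reverse by guessing likely inputs, and an HMAC-SHA256 pseudonym under a secret key that stays onshore, which the same guessing attack cannot reverse. The record fields, the attacker wordlist and the key-handling arrangement are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records for illustration only; not real people and not
# data from the original article.
RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "dob": "1990-01-01", "diagnosis": "asthma"},
    {"email": "bob@example.com", "dob": "1985-06-15", "diagnosis": "diabetes"},
]

# Assumption: these two fields directly identify a person, and "diagnosis" is
# the only field the offshore system actually needs.
IDENTIFIER_FIELDS = ("email", "dob")


def naive_deidentify(record: Dict[str, str]) -> Dict[str, str]:
    """Replace each identifier with an unkeyed SHA-256 hash.

    This is the common mistake: the output looks random, but anyone who can
    guess the input (an email address, or a date of birth, which has only
    around 36,000 plausible values) can recompute the hash and recover the
    identity.
    """
    out = dict(record)
    for field in IDENTIFIER_FIELDS:
        out[field] = hashlib.sha256(record[field].encode("utf-8")).hexdigest()
    return out


def keyed_pseudonymise(record: Dict[str, str], key: bytes) -> Dict[str, str]:
    """Replace each identifier with HMAC-SHA256 under a secret key.

    Without the key, guessing inputs does not help. The mapping is still
    deterministic, so records for the same person keep the same pseudonym
    and can be joined offshore without revealing who they belong to.
    """
    out = dict(record)
    for field in IDENTIFIER_FIELDS:
        out[field] = hmac.new(key, record[field].encode("utf-8"), hashlib.sha256).hexdigest()
    return out


def guess_identifier(pseudonym: str, candidates: Iterable[str],
                     key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack: recompute the transform over plausible inputs.

    key=None models an attacker who only holds the offshore copy; passing the
    key models the onshore key holder, who can always reverse the mapping.
    """
    for candidate in candidates:
        data = candidate.encode("utf-8")
        if key is None:
            digest = hashlib.sha256(data).hexdigest()
        else:
            digest = hmac.new(key, data, hashlib.sha256).hexdigest()
        if hmac.compare_digest(digest, pseudonym):
            return candidate
    return None


def demo() -> Dict[str, Optional[str]]:
    # Assumption: the key is generated and kept onshore (for example in an
    # Australian-hosted key management service) and is never sent offshore.
    key = secrets.token_bytes(32)
    # Constructed attacker wordlist of guessable addresses.
    wordlist = ["carol@example.com", "alice@example.com", "bob@example.com"]

    naive = naive_deidentify(RECORDS[0])
    keyed = keyed_pseudonymise(RECORDS[0], key)
    return {
        "naive_recovered": guess_identifier(naive["email"], wordlist),
        "keyed_recovered_without_key": guess_identifier(keyed["email"], wordlist),
        "keyed_recovered_by_key_holder": guess_identifier(keyed["email"], wordlist, key),
    }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(f"{outcome}: {value}")
```

The third result in `demo()` shows the limit of this approach: whoever holds the key can reverse the mapping, so if the key ever travels with the data, the offshore copy is personal information again. Pseudonymising direct identifiers also does nothing about the remaining fields; if the non-identifier columns can single out a person in combination, the data is not de-identified and the privacy obligations discussed above still apply.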

Notification Obligations

If Australian privacy obligations apply to your business, the data breach notification rules apply to your business. Accordingly, if a notifiable data breach occurs, you must report this breach to both the affected individuals and the Office of the Australian Information Commissioner (OAIC).

Importantly, failure to notify any individuals affected by a breach may result in a fine under the Privacy Act 1988 (Cth). However, if you store your data overseas and a breach occurs, you may not be able to inform Australian customers due to the laws of the country where the data is stored. 

For example, suppose data stored in the US is subject to a subpoena or court order requiring the provider to give law enforcement agencies access to a customer’s information, and that order prohibits disclosure. In that case, your business may not legally be allowed to notify that person. It is important to remember that a foreign provider is bound by the laws of its own country and may not be subject to Australian privacy laws.

Protect My Data Sovereignty

There are several steps that your business can take to protect your data sovereignty, including:

  • clarifying exactly where your data will be stored, including any backup or replication locations;
  • where possible, choosing an Australian-based cloud service provider that hosts data in Australia;
  • if you have a foreign provider, ensuring through your contract that it complies with applicable Australian laws and regulations. The APP requires you to take ‘reasonable steps’ to ensure that personal information is handled in line with the APP in the host location;
  • backing up your data before moving it offshore;
  • updating your privacy policy to inform your clients where you will store data; and
  • implementing a strong data breach response plan that identifies your business’s responsibilities and reporting procedures.

Key Takeaways

Data security and sovereignty are serious legal issues, particularly for businesses with privacy law and APP obligations. Your business needs to ensure that it meets these obligations by understanding where you store your data, how you protect it and which laws govern it.

If you need help regarding your data privacy obligation, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions

What is data sovereignty?

Data sovereignty is the idea that data is subject to the laws of the country where it is physically located. Given advances in technology and the growth of global service providers, your data is subject to the laws of multiple countries if you store it offshore. Australian laws will continue to apply, particularly where your data contains personal information, and the local laws of the country where the data is stored also apply.

What is sensitive data?

Sensitive data may include information relating to an individual’s health, sexual orientation or political affiliation.

Harmanjot Kaur

Harmanjot is a Lawyer in LegalVision’s Corporate & Commercial team. She works closely with startups, SMEs and enterprise clients to provide commercially pragmatic advice. Previously a member of our Growth team, Harmanjot harnesses her experience as a Legal Project Manager to better understand the businesses she works with, and uses this knowledge when drafting and negotiating commercial arrangements for her clients.

Qualifications: Bachelor of Laws, Bachelor of Communications, University of Technology Sydney.

Read all articles by Harmanjot

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.
