Reading time: 7 minutes

Data sovereignty is an issue which affects businesses and individuals alike. It is particularly relevant to businesses with legal obligations requiring them to maintain the confidentiality of any personal data they own. It is important that you understand when data sovereignty applies to your business and your legal obligations as a result. This article will discuss what data sovereignty is, why it matters and some things you can do as a business owner to protect it.

What Is Data Sovereignty?

Data sovereignty refers to the concept that data may be subject to the laws of more than one country. This can occur when data is stored digitally with a cloud service provider and therefore, may be stored overseas. In other words, data sovereignty comes into play when an organisation stores data both internationally and locally. This situation can occur when a business uses a foreign or local cloud service provider.

How Does Data Sovereignty Relate to My Business?

Data sovereignty is relevant to your business if it uses a foreign or local cloud service provider to store data.

Businesses choose to store data overseas for a variety of reasons. It can:

  • make doing business easier;
  • cost less; and
  • ensure that data is backed up and stored safely and with minimum difficulty.

Consider the following scenarios where data sovereignty would apply and you would need to comply with data protection and privacy obligations.

Your business may be based in the United States but have an office branch based in another country. If the head office based in the United States handles all the billing, the data being sent and stored in the US is subject to US laws. Because you are storing your data using a foreign service provider, data sovereignty is relevant to your business.

Similarly, your business could be based in Australia and use an Australian based cloud services provider. However, you have a branch overseas that handles a particular business function. You have to send personal information to this office for them to contact clients. Australian privacy obligations govern disclosure of this information.

The data can include all kinds of information, including:

  • credit card details;
  • health records;
  • personal information; and
  • financial records.

Why Is Data Sovereignty an Issue?

Data sovereignty matters for your business because it raises questions concerning your:

  • compliance with privacy obligations;
  • data protection and security;
  • notification of data breaches; and
  • privacy and data security.

Many Australian businesses have legal obligations under Australian privacy laws and the Australian Privacy Principles (APP). These cover the disclosure of personal data across borders. This means that it applies to situations where you are handing over personal data to businesses overseas.

Australian law also covers data security and confidentiality. The law requires all businesses to implement reasonable security safeguards and take steps to protect information. If the information is sensitive, the obligations are more onerous. This could include information on:

  • health;
  • sexual orientation; or
  • political affiliations.

As a result, all businesses need robust and comprehensive information security strategies.

Your Obligations

If you store data overseas, you need to know where the data is being stored. You must also have even more vigorous internal procedures to protect and secure that data. It is your responsibility to ensure that the data stored overseas is done so according to the local laws. ‘Local’ could be the location of the cloud service provider and, if different, the storage location.

However, before you store data overseas, you will need to determine if that data is legally protected under other laws.

For example, the law requires you to keep health records confidential. Similarly, the law may require you to keep some information confidential for legal or financial reasons, or both.

Your business may also need to formally de-identify data before storing it in the cloud. De-identification is removing people’s identity from the data. If you de-identify the data, Australian privacy laws are no longer an issue. However, if any original identities or identifiers can be ascertained, privacy laws come back into consideration. A business also needs to make sure that their cloud service provider will not replicate their information on any other server in any other country.

Lastly, you should find out if your cloud service provider has insurance to protect your data. If your data is not insured and it is either inadvertently disclosed or criminally compromised, you may have no remedy.

Notification Obligations

If Australian privacy obligations apply to your business, the new data breach notification rules apply to your business. This means that if a data breach occurs, you will need to report this breach to both the affected individuals and the Office of the Australian Information Commissioner (OAIC).

A data breach consists of three elements:

  • unauthorised access to personal information;
  • unauthorised disclosure of personal information; and
  • loss of personal information.

If all three events occur and it is likely (more than 50% chance) to result in serious harm, your business will need to report the data breach. Whether you should report the breach depends on a variety of factors. The courts will usually judge these factors from the perspective of a person in your business’ position. This is where having a data breach response plan may be a hugely valuable document to have in place for your business.

Importantly, failure to notify any individuals affected by a breach may result in a fine.

Storing your data within Australia can help to prevent a breach from occurring and will enable you to comply with privacy laws and APP obligations. However, if you store your data overseas and a breach occurs, you may not be able to inform Australian customers.

For example, if data stored in the US is subject to a subpoena to give law enforcement agencies access to a customer’s information, your business could potentially be legally prevented from notifying that person. It is important to remember that foreign entities are not subject to Australian privacy laws.

How Can My Business Protect Data Sovereignty?

There are several steps that your business can take to protect your data sovereignty. They include:

  • clarifying where exactly your data will be stored;
  • where possible, choosing an Australian based cloud service provider;
  • if you have a foreign provider, ensuring that it complies with the most recent policies and regulations of the host country. The APP requires you to take ‘reasonable steps’ to ensure the personal data is stored in line with the APP in the host location;
  • backing up your data before moving it offshore;
  • updating your privacy policy to inform your clients where your data will be stored; and
  • implementing a strong data breach response plan that ensures anyone employed by your business understands their responsibilities and who to report any breaches to.

Key Takeaways

Data security and sovereignty is a serious legal issue, particularly for businesses with privacy law and APP obligations. Your business needs to ensure that it meets these obligations by understanding:

  • where you store your data;
  • how your data is protected; and
  • the laws that govern and protect your data.

You may also need to de-identify your data before storing it with cloud service providers. If you have questions about your business’ data privacy obligations, get in touch with LegalVision’s online lawyers on 1300 544 755 or fill out the form on this page.


How Franchisors Can Avoid Misleading and Deceptive Conduct

Wednesday 18 May | 11:00 - 11:45am

Ensure your franchise is not accused of misleading and deceptive conduct. Register for our free webinar today.
Register Now

New Kid on the Blockchain: Understanding the Proposed Laws for Crypto, NFT and Blockchain Projects

Wednesday 25 May | 10:00 - 10:45am

If you operate in the crypto space, ensure you understand the Federal Government’s proposed licensing and regulation changes. Register today for our free webinar.
Register Now

How to Expand Your Business Into a Franchise

Thursday 26 May | 11:00 - 11:45am

Drive rapid growth in your business by turning it into a franchise. To learn how, join our free webinar. Register today.
Register Now

Day in Court: What Happens When Your Business Goes to Court

Thursday 2 June | 11:00 - 11:45am

If your business is going to court, then you need to understand the process. Our free webinar will explain.
Register Now

How to Manage a Construction Dispute

Thursday 9 June | 11:00 - 11:45am

Protect your construction firm from disputes. To understand how, join our free webinar.
Register Now

Startup Financing: Venture Debt 101

Thursday 23 June | 11:00 - 11:45am

Learn how venture debt can help take your startup to the next level. Register for our free webinar today.
Register Now

About LegalVision: LegalVision is a commercial law firm that provides businesses with affordable and ongoing legal assistance through our industry-first membership.

By becoming a member, you'll have an experienced legal team ready to answer your questions, draft and review your contracts, and resolve your disputes. All the legal assistance your business needs, for a low monthly fee.

Learn more about our membership

Need Legal Help? Submit an Enquiry

If you would like to get in touch with our team and learn more about how our membership can help your business, fill out the form below.

Our Awards

  • 2020 Innovation Award 2020 Excellence in Technology & Innovation Finalist – Australasian Law Awards
  • 2020 Employer of Choice Award 2020 Employer of Choice Winner – Australasian Lawyer
  • 2020 Financial Times Award 2021 Fastest Growing Law Firm - Financial Times APAC 500
  • 2020 AFR Fast 100 List - Australian Financial Review
  • 2021 Law Firm of the Year Award 2021 Law Firm of the Year - Australasian Law Awards
  • 2019 Most Innovative Firm - Australasian Lawyer