How does Data Sovereignty work?
Data sovereignty allows a country to excise its privacy laws on data stored in the jurisdiction. However, this becomes an issue when countries store their data in offshore cloud services. Who's laws should apply then?
What is Data Sovereignty?
Data sovereignty is the idea that a country should be able to enforce its laws on data stored within its jurisdiction. This is not a concern when a company stores data in the country it operates in. However, this becomes an issue when data servers are located outside the country in which the business operates.
For example, a lot of businesses have customer service call centers located outside Australia. This requires the Australian business to provide customer’s personal information to the call center located outside the Australian jurisdiction, thereby making that data subject to different rules.
Our privacy laws require a business to ensure they have proper data security mechanisms in place to protect data. A business needs to know:
- Where it stores its data;
- Whether the service complies with the Australian Privacy Principles (APPs) and;
- If the business knows the consequences of not complying with the APPs.
It is easy to comply with these requirements when the data is within Australia. When the servers are located outside Australia, it becomes difficult to enforce. We cannot force our privacy laws onto another country.
The Australian Privacy Principles
The APPs are a set of principles that govern how a business is to deal with and store personal information. They set out the circumstances under which a business may collect data from their customers. The APPs outline how and when other entities can access this data. It instructs business on how this data may be used and for what purposes. It also sets out the disclosure requirements business have to comply with when sharing personal information for secondary purposes.
A Use and Disclosure Example
Australian Privacy Principle 6.1 requires any personal information collected to only be used for what it is collected and not any secondary purposes the individual has not consented to. When a customer service call center employee accesses your account, they can access your personal information. Personal information is information that can be used to identify you, such as:
- your name
- bank account details
- home address
- email address
- date of birth
- phone number and so on
Where this personal information is stored outside Australia, it becomes challenging to make sure the particular employee who is accessing your file is aware of the disclosure agreement in Principle 6.1. What systems are set in place to ensure that employees know that they are not allowed to disclose personal data for secondary purposes the customer has not consented to?
Australian Privacy Principle 8- Cross-Border Disclosure Requirements
APP 8 requires businesses to take ‘reasonable steps’ to ensure the personal data is stored in line with the APPs in the host location. There is no definition of ‘Reasonable steps’ in the APPs. Rather, it is an objective test that considers whether the business did whatever they could do given their circumstances.
Businesses, however, do not have to meet this requirement where:
- They reasonably believe that the host location has privacy laws that have the same or similar effect as the APPs.
- The individual has ways to enforce their rights to have their data protected.
- The individual has consented to the business disclosing the information.
- A Court order requires them to do so.
- An agency has to disclose that information as a part of an International Agreement Australia is party to.
- An agency has to provide that information for enforcement purposes and the recipient agency performs similar functions or has similar powers as the Australian Agency.
Where Does That Leave Your Personal Data?
Currently, there aren’t any concrete laws to provide 100% assurance that your data will always be secure. Businesses cannot provide that guarantee either because the cloud is after-all a piece of engineering and is susceptible to breaches. That being said, the risk of a data breach is lower when the data is kept within Australia, which more businesses are choosing to do anyway.
A business that store their data offshore can provide security by backing up the data before sending it offshore, or de-identifying it so that it does not identify the individual. They can also keep up to date with the privacy laws of host countries to ensure they offer adequate protection. The business may also choose to train all their employees on their responsibilities under the APPs.
As a business, it is important that you thoroughly know the cloud server you store your data in. It is always a good idea to discuss your options with an IT lawyer who will be able to provide you with comprehensive advice on IT solutions for your business.
Don’t know where to start? Contact a LawPath consultant on 1800 529 728 to learn more about customising legal documents and obtaining a fixed-fee quote from Australia’s largest legal marketplace.
Naga Vamaraju is a legal intern at Lawpath as a part of the Content Writing team. She is in her final year of a Bachelor of Arts (Psychology) and Bachelor of Law Degree. She has a particular interest in the law surrounding starting and operating a business.