How does Data Sovereignty work?

What is Data Sovereignty?

Data sovereignty is the idea that a country should be able to enforce its laws on data stored within its jurisdiction. This is not a concern when a company stores data in the country it operates in. However, this becomes an issue when data servers are located outside the country in which the business operates.

For example, a lot of businesses have customer service call centers located outside Australia. This requires the Australian business to provide customer’s personal information to the call center located outside the Australian jurisdiction, thereby making that data subject to different rules.

Privacy Laws

Our privacy laws require a business to ensure they have proper data security mechanisms in place to protect data. A business needs to know:

  • Where it stores its data;
  • Whether the service complies with the Australian Privacy Principles (APPs) and;
  • If the business knows the consequences of not complying with the APPs.

It is easy to comply with these requirements when the data is within Australia. When the servers are located outside Australia, it becomes difficult to enforce. We cannot force our privacy laws onto another country.

The Australian Privacy Principles

The APPs are a set of principles that govern how a business is to deal with and store personal information. They set out the circumstances under which a business may collect data from their customers. The APPs outline how and when other entities can access this data. It instructs business on how this data may be used and for what purposes. It also sets out the disclosure requirements business have to comply with when sharing personal information for secondary purposes.

Get a free Privacy Policy when you sign up to Lawpath today.

A Privacy Policy is required by law in certain circumstances. It outlines how your business will use, store and collect your customers information.

A Use and Disclosure Example

Australian Privacy Principle 6.1 requires any personal information collected to only be used for what it is collected and not any secondary purposes the individual has not consented to. When a customer service call center employee accesses your account, they can access your personal information. Personal information is information that can be used to identify you, such as:

  • your name
  • bank account details
  • home address
  • email address
  • date of birth
  • phone number and so on

Where this personal information is stored outside Australia, it becomes challenging to make sure the particular employee who is accessing your file is aware of the disclosure agreement in Principle 6.1. What systems are set in place to ensure that employees know that they are not allowed to disclose personal data for secondary purposes the customer has not consented to?

Australian Privacy Principle 8- Cross-Border Disclosure Requirements

APP 8 requires businesses to take ‘reasonable steps’ to ensure the personal data is stored in line with the APPs in the host location. There is no definition of ‘Reasonable steps’ in the APPs. Rather, it is an objective test that considers whether the business did whatever they could do given their circumstances.

Businesses, however, do not have to meet this requirement where:

  • They reasonably believe that the host location has privacy laws that have the same or similar effect as the APPs.
  • The individual has ways to enforce their rights to have their data protected.
  • The individual has consented to the business disclosing the information.
  • A Court order requires them to do so.
  • An agency has to disclose that information as a part of an International Agreement Australia is party to.
  • An agency has to provide that information for enforcement purposes and the recipient agency performs similar functions or has similar powers as the Australian Agency.

Where Does That Leave Your Personal Data?

Currently, there aren’t any concrete laws to provide 100% assurance that your data will always be secure. Businesses cannot provide that guarantee either because the cloud is after-all a piece of engineering and is susceptible to breaches. That being said, the risk of a data breach is lower when the data is kept within Australia, which more businesses are choosing to do anyway.

A business that store their data offshore can provide security by backing up the data before sending it offshore, or de-identifying it so that it does not identify the individual. They can also keep up to date with the privacy laws of host countries to ensure they offer adequate protection. The business may also choose to train all their employees on their responsibilities under the APPs.

Final Thoughts

It’s worth scanning a business’s privacy policy when you want to use a service to know where your data will be stored. It may not be a big concern if the business stores their data in places like the US or EU where there are strict privacy laws and practices.

As a business, it is important that you thoroughly know the cloud server you store your data in. It is always a good idea to discuss your options with an IT lawyer who will be able to provide you with comprehensive advice on IT solutions for your business.

Don’t know where to start? Contact a LawPath consultant on 1800 529 728 to learn more about customising legal documents and obtaining a fixed-fee quote from Australia’s largest legal marketplace.

Find the perfect lawyer to help your business today!

Get a fixed-fee quote from Australia's largest lawyer marketplace.

Most Popular Articles
You may also like
Recent Articles

Get the latest news

By clicking on 'Sign up to our newsletter' you are agreeing to the Lawpath Terms & Conditions


Register for our free live webinar today!

Tax Strategies for Small Business Success

12:00pm AEDT
Thursday 25th July 2024

By clicking on 'Register for webinar' you are agreeing to the Lawpath Terms & Conditions

You may also like

The 2024 Federal Budget has unveiled a comprehensive package of measures designed to support small to medium enterprises (SMEs) in Australia, while also laying the groundwork for a "Future Made in Australia."
Default interest clauses can help protect lenders' interests, but sometimes they will not be enforceable. Find out more here.
Lying on your resume to get a job is never a good idea. In fact obtaining employment through fraud can actually land you in jail.

Thank you!

Your registration is confirmed. Keep an eye on your inbox for an email with details on how to watch the webinar.