Top things you need to know about Data Sovereignty
What is data sovereignty?
Data has become the most valuable asset globally, and who controls it is of increasing importance to governments, corporations and individuals alike.
Data sovereignty is key to data security, but ‘what is data sovereignty?’ you may ask.
One data sovereignty definition explains the term as the jurisdiction and legal framework that governs digital data. But the substance of the data sovereignty term has greater depth, breadth and implications than this succinct data sovereignty definition implies.
To gain a greater understanding of data sovereignty, let’s start with some aspects of digital data.
Digital data is stored on computers and data centres that have a physical location. All earthly locations (except Bir Tawil), are controlled by a government’s jurisdiction, and the jurisdiction that presides over data determines its data sovereignty.
Data sovereignty vs data residency.
Perhaps not surprisingly, data residency refers to the physical location where data resides, and it’s become an important term for commercial and taxation purposes. As mentioned above, data sovereignty refers to the jurisdictional legal framework that presides over data.
Why it is important?
Prime Minister Scott Morrison’s recent address at Macquarie Telecom’s IC3E data centre launch underscored the importance of trust; ‘when it comes to your data security, you got to be dealing with someone you trust and so words like sovereign really mean something. Secure really means something.’
As numerous studies have found, trust is essential for consumer adoption of digital services.
A recent McKinsey & Company study found that 87% of respondents would not do business with a company where they had concerns about the company’s security practices, and 71% of respondents would stop doing business with a company if it gave away sensitive information without permission.
New research from the Australian National University (ANU) found that the extent of government protection of personal data will help shape citizens’ views on how governments share and use their data. Study co-author Professor Biddle from ANU said, ‘Our findings provide strong support for the notion that trust and confidence in different aspects of policy design and delivery interact with each other, creating vicious or virtuous circles.’
Maintaining data sovereignty ensures that the ultimate owner of the data is able to exert jurisdictional control of their data. This is beneficial when developing security and confidentiality policies and procedures that fulfil citizen expectations of data privacy and security and conform to prevailing data laws.
Maintaining data sovereignty also reduces the likelihood of a data leak to foreign entities where there is little or no chance of a legal remedy. However, If you can’t maintain data sovereignty without first ensuring data residency, your data may be subject to overlapping jurisdictions.
Data sovereignty and international data disclosure laws.
With an increasing amount of data being stored with global cloud service providers (CSPs), data disclosure laws in the US and Australia have significant implications for maintaining the data sovereignty of government and corporate data in Australia.
To improve the effectiveness of prosecuting international crime, the US Congress in March 2018 ratified the US Clarifying Lawful Overseas Use of Data (CLOUD) Act. The Act affirms that a US company can be compelled to produce data the company controls regardless of where it is stored. US law enforcement and security agencies can order CSPs to provide data held overseas.
The CLOUD Act also allows for international agreements that resolve conflicting data disclosure laws between two countries. For instance, a US-headquartered global cloud service provider may have conflicting legal obligations if they were to receive a US data disclosure order for data stored within an overseas jurisdiction that has conflicting privacy laws.
In December 2021 the Australian Government signed the Australia-US CLOUD Act Agreement which creates a legal framework for Australian and US law enforcement and security agencies to request data directly from Australian and US CSPs. The agreement is expected to become operational by the end of 2022 and lifts statutory restrictions to enable CSPs to respond to incoming data requests from foreign countries where such an agreement is in place.
Data sovereignty issues in the cloud.
As mentioned previously, data sovereignty is determined by where the data is stored, but data sovereignty is jeopardised if data is accessible by non-nationals from an overseas location, with often little legal redress possible.
For this reason, maintaining cloud data sovereignty is challenging for global cloud providers as they leverage support and technical teams in other countries when they provide 24/7 ‘follow the sun’ support.
Even with the best intentions, having foreign eyes and hands-on Australian data increases the risk of data becoming subject to foreign laws. A CSP could be compelled by the US government to provide access to Australian sovereign data.
Sovereignty problems arise with data stored in the cloud.
Global companies are subject to different laws in the jurisdictions where they operate. If global CSP staff in other jurisdictions can access and control data in Australia that jeopardises Australia’s data sovereignty.
Additionally, the US CLOUD Act can compel US-based cloud providers to produce data held in Australia, and the Australia-US CLOUD Act Agreement removes the statutory restrictions that may impede cloud providers from providing data to other countries.
Maintaining security and control over customer data is essential for customer trust and web service adoption. Managing secure access and control over data that is held with global service providers introduces significant data sovereignty risks that jeopardise effective control over data.
About Macquarie Government.
Macquarie Government recognizes that for a data centre to be truly sovereign, where it is managed is just as important as where it is located. That means our data centres are managed and operated 100% within Australia’s physical and judicial borders. Out of hours support is not handed over to another geography in a “Follow-the-Sun” model but remains entirely within Australia, always undertaken by our NV1 cleared staff.