Data Beyond Borders – Australian Data Stored in Non-Australian Cloud Environments

By Tarafa Mlambo, Helen Arnell, Jason Feinberg, Bethany Newton, and Tanatswa Tuturu. Edith Cowan University.
Data sovereignty is a term which has emerged to consider the ownership and control of information that is generated within the jurisdictional bounds of a sovereign state but may not be stored locally. As with many emerging concepts, there is no agreed definition; nevertheless, there is a general acknowledgement of what data sovereignty encompasses:
“Data sovereignty refers to a nation’s ability to exert full control over data generated within its borders, ensuring that it is governed by local laws and regulations, even if and when stored abroad. It’s about maintaining authority over how data is collected, stored, processed, and accessed to protect national interests and individual privacy.”
For data sovereignty, maintaining control over one’s digital assets is akin to owning and controlling physical property. That is, when using personal devices to communicate, ownership and control mean we decide whom to contact, the exchange’s duration, and the conversation’s content. This sovereignty ensures that our personal information remains secure as we have both direct ownership and control of the device. However, if we lend our devices to someone else, we transfer temporary possession, losing complete control over usage and, therefore, security.
Analogous to lending a device, data stored beyond your jurisdiction diminishes the owner’s control and challenges ownership, raising significant concerns over data privacy, accessibility, and security. In data sovereignty, ownership refers to the legal rights and claims over data, allowing an entity to determine its purpose, usage, and dissemination, much like owning a physical asset. Control, however, focuses on the ability to enforce access restrictions, manage data flows, and protect against unauthorised use or breaches. While ownership establishes who ultimately “owns” the data, control determines who can safeguard and manipulate it. These distinctions are vital, as data stored outside national borders may legally remain “owned” by an Australian entity but be practically controlled, or accessed, by foreign entities under their local laws.
For Australia, data sovereignty – the nation’s power over data within its borders – has become more critical than ever, with governments, corporations and individuals increasingly reliant on cloud computing to optimise global data flows. The Australian Bureau of Statistics has reported that approximately 59% of Australian businesses use cloud technology, with much of this data being stored by foreign cloud giants such as Amazon Web Services (AWS) and Microsoft Azure. Consequently, a crucial question emerges: who truly owns and controls this data?
Australian data stored within foreign cloud environments significantly constrains the Australian government and regulatory authorities’ capacity to exercise complete oversight and enforce stringent controls over data management, access, confidentiality and integrity protections. This extraterritorial storage poses complex challenges to data sovereignty, where the individual rights to privacy under the Australian Privacy Act 1988 often conflict with international intelligence-sharing frameworks, such as the Five Eyes Alliance and the United States of America Clarifying and Lawful Use of Data (US Cloud) Act 2018. To navigate these complexities, digital resilience – Australia’s strategic ability to maintain, recover, and adapt control mechanisms under external pressures – emerges as a vital component in preserving true data sovereignty over information residing outside national borders.
Data breaches
Australia’s reliance on non-Australian cloud providers puts the country’s data sovereignty resilience at risk. That is, not taking a risk-based approach in establishing data storage policies leaves organisations vulnerable to not understanding the impact of reasonably foreseeable data breaches due to third-party storage arrangements. Firstly, it is commonly acknowledged that data breaches by foreign entities or unauthorised access can jeopardise sensitive information. Recent incidents, including the Medibank and Optus data breaches, have highlighted these vulnerabilities. The Medibank breach exposed the personal data of 9.7 million customers, and it is estimated that the total cost of damages, fixes, and potential legal actions could reach up to A$700 million. This includes customer compensation and the costs associated with cybersecurity improvements, according to Insurance Journal’s 2022 report. Similarly, Optus suffered a breach that affected around 10 million customers, exposing sensitive details such as passport and license numbers.
Beyond the immediate financial impact, these breaches led to increased personal scams and identity theft, with many Australians reporting fraud attempts linked to stolen data. In response, the Australian government has introduced stricter privacy compliance penalties, raising fines from AUD2.2 million to AUD50 million for serious breaches.
These incidents are, or should be, a wake-up call or a rallying cry, prompting individuals to ask: How secure is our data when it’s held in foreign hands? And who truly has control over it? These breaches highlight the gaps in Australia’s digital resilience and underscore the need for proactive cybersecurity protocols to secure data integrity and confidentiality, regardless of storage location.
Cross-border data control challenges

Foreign legislation’s extraterritorial reach, notably the US Cloud Act, poses significant challenges to Australian data sovereignty. The US Cloud Act empowers US authorities to compel data disclosure from US service providers, regardless of the data’s physical storage location, including data held within Australia. This jurisdictional overreach creates a conflict for US companies operating in Australia, placing them between potentially contradictory obligations: compliance with US disclosure requirements under the US Cloud Act and adherence to Australian data protection principles, specifically the Australian Privacy Principles enshrined within the Privacy Act 1988. This legal and regulatory dissonance underscores the complexity of cross-border data control and the lack of Australian oversight in international data flows, highlighting the potential erosion of Australian sovereignty over its citizens’ data.

Additionally, Australian businesses that rely on global supply chains involving non-local cloud providers encounter further compliance hurdles. APP 8, which governs cross-border data flows, becomes increasingly difficult to manage when foreign providers are not subject to the same privacy standards. While data may initially be handled according to Australian laws, it becomes significantly more challenging to control once it’s hosted abroad, creating a grey area for control and security. With a substantial amount of personal and even national security data stored by foreign companies, these risks can be opaque and quickly escalate.
Terms and conditions – disarming data control ownership
Of specific concern in data sovereignty are the terms and conditions imposed in contractual agreements; these can undermine and disarm data ownership by legally binding users to agreements that limit their control over their personal information. Users who consent to these terms often grant companies broad licenses to use their content and data, leaving an opaque landscape of individual ownership rights. Furthermore, specific clauses can further complicate disputes over data ownership, making it challenging for users to reclaim control, including forcing legal challenges into international courts and prohibiting Australians from defending their rights. A survey conducted by Deloitte concluded that 91% of people consent to terms and conditions without reading them. However, it was also discovered that the UK’s 13 most used applications have terms and conditions that would take at least 17 hours to read. These elements can lead to users unknowingly forfeiting significant rights over their data.
Facebook and international regulations  
Facebook’s terms and conditions include clauses that significantly affect data ownership. By agreeing to these terms, users grant Facebook a non-exclusive, transferable license to use, modify, and distribute their content. This means that while users maintain some rights to their posts and photos, Facebook retains the ability to leverage this content extensively, overriding individual ownership. In addition, as stated in Facebook’s Data Policy, it collects and shares user data for advertising and analytics, further diminishing users’ control over their personal information.
This point is emphasised in the Schrems case of 2015. Max Schrems, an Austrian privacy advocate, initiated a legal battle against Facebook regarding the transfer of European user data to Facebook servers located in the United States, giving US government surveillance programs such as PRISM and Upstream the right to access the information. In 2015, the European Court of Justice (ECJ) ruled that the Safe Harbor agreement, which allowed such data transfers, was invalid and insufficient due to concerns about U.S. government surveillance practices, particularly following revelations in 2013 by Edward Snowden about mass surveillance programs.
Such examples illustrate the delicate balance between data ownership, ceding rights to social media platforms, and the potential for that data to be accessed by other countries or corporations. Users may believe they retain ownership of their information, but by agreeing to complex terms and conditions, they often grant platforms broad permission to use and share their data. This can lead to scenarios where sensitive information is stored abroad, exposing it to foreign laws and regulations that could compromise privacy and control sovereignty. Thus, navigating this requires a clear understanding of the implications of data ownership in a global context.
A SWOT analysis review
Data sovereignty needs to be considered within a resilience frame of thought, noting the strata of opportunities and risks which an organisation must consider to demonstrate data sovereignty resilience. Consequently, a SWOT analysis provides a quick overview of the critical factors that impact data management strategies and decisions.
On the strengths side, global cloud providers offer advanced technology, extensive reach, strong security measures, and innovative tools, including Artificial Intelligence, that enhance digital transformation. However, weaknesses include limited control over data stored abroad, complex compliance requirements, and reliance on foreign providers, which can create jurisdictional ambiguities.
Australian businesses have opportunities to explore Australian and non-Australian based cloud solutions, adopt hybrid models, and collaborate with allies to standardise data protection practices. Yet, significant threats remain, such as foreign access requests enabled by laws like the US CLOUD Act, rising geopolitical tensions, and increasing cybersecurity risks. Understanding these elements is essential for making informed decisions aligning with Australia’s data sovereignty goals and protecting sensitive information in an evolving digital landscape.
Five Eyes influence on data sovereignty
Another key opportunity is the global diplomatic influence of being part of such a powerful intelligence alliance.
Australia’s association with the Five Eyes – an intelligence-sharing partnership with the US, UK, Canada, and New Zealand – adds another layer of complexity to the data sovereignty debate. The Five Eyes arrangements provide Australia with a cooperative seat in shaping global security policies and strategies, allowing it to assert its influence on issues ranging from cybersecurity norms to international privacy laws. This influence is vital for Australia’s strategic positioning in the geopolitical sphere. On the one hand, this alliance strengthens national security by facilitating the sharing of critical intelligence, including data that helps prevent cyber threats, terrorism, and other global security risks. However, this very partnership also raises difficult questions about control over our data; when we share information with our allies, what guarantees are there that Australian data remains secure and is used solely for its intended purpose?
One of the critical concerns with Five Eyes is the sheer scope of the data that can be accessed. Edward Snowden showed how mass surveillance can occur through these alliances, where data from citizens of member countries was accessed and monitored without their knowledge or consent. This revealed that data collected in Australia, for instance, could be accessed by agencies often bypassing local legal restrictions, underpinned by an argument of access based on a utilitarian ethical perspective instead of an individual’s rights.
While this intelligence-sharing arrangement reinforces Australia’s security infrastructure, it challenges digital resilience. Dependence on shared data channels could dilute Australia’s ability to maintain sovereign control over its data, necessitating resilient frameworks that ensure data usage aligns strictly with Australian security priorities.
Data sovereignty digital resilience recommendations
Balancing data sovereignty with the advantages of global cloud services is crucial for Australian organisations in today’s interconnected world. The following recommendations outline a risk-based approach to digital resilience, combining risk assessment, technical controls, and policy measures to ensure adequate data protection while supporting participation in the digital global economy.
Risk-based approach: Data sovereignty needs a risk-based approach, one that facilitates organisational resilience through a stratum of policies that enable key sovereign data to be identified and required to be stored within a defined jurisdictional border, yet enable less significant data to be stored onshore under more competitive data storage contracts.
Know your data: First, a comprehensive data identification, classification, and management framework enables visibility over your most and least critical digital data assets and the access and controls in place. This is crucial for accurately assessing the risks posed by the cloud service provider to specific data.
Cloud service provider security assessment: Conducting a CSP risk assessment before selecting a provider enables Australian entities to ensure regulatory compliance, data security, operational continuity and resilience, and to assess the flexibility to change CSPs or repatriate data if required. The Australian Cyber Security Centre’s PROTECT – Cloud Assessment and Authorisation (January 2024) provides a comprehensive guide with links to the Cloud Controls Matrix and Cloud Security Assessment Report templates. This enhances data sovereignty by ensuring the data protection measures align with Australian regulatory standards, and enables greater control and security over data even when stored in foreign environments.
Hybrid cloud models: One of the most effective solutions to protect Australia’s data sovereignty is adopting hybrid cloud models and sovereign clouds. By storing sensitive data within Australian borders while leveraging foreign cloud providers for less critical information, Australia can maintain control over its most vital data while benefitting from global services’ flexibility. Such a risk-based, balanced approach enables Australia to mitigate the risks posed by foreign laws, including the US CLOUD Act, which challenges Australian data sovereignty when information is stored abroad. This enhances digital resilience by balancing control and flexibility, allowing Australian entities to maintain critical data domestically while managing less sensitive data globally.
Data localisation laws: Another crucial step is the introduction of data localisation laws. By mandating that sensitive data, such as healthcare, financial, and governmental information, be stored and processed within Australia, the country can protect itself from foreign jurisdictions that may try to access or compromise this data. Countries including China, Japan and Russia have already implemented strict localisation requirements, and Australia should consider following their lead in sectors crucial to national security and public trust. This reinforces digital resilience by ensuring essential data remains under national jurisdiction, thereby reducing risks of foreign interference.

Domestic cloud infrastructure investment: Investing in domestic cloud infrastructure is another way to strengthen data sovereignty. By fostering the development of local cloud providers, Australia can reduce its dependence on foreign companies such as Amazon Web Services (AWS) and Microsoft Azure, which are subject to varying foreign laws. While the upfront costs of building local data centres are significant, the long-term benefits of securing control over Australian data and boosting consumer trust far outweigh this initial expense. This reduces reliance on foreign providers, mitigating risks of foreign jurisdictional control. Assured data governance also builds consumer trust, promoting long-term resilience in data management.

Enhanced encryption and cybersecurity: Australia must also enhance encryption and cybersecurity protocols for data stored in non-Australian cloud environments. Strong encryption and technologies such as zero-trust architecture will help secure data from unauthorised access, even when stored on foreign servers. Additionally, government policymakers should establish strict cybersecurity frameworks requiring all cloud service providers, foreign or domestic, to adhere to high data protection standards, ensuring that Australian data remains secure from external threats. Encryption and zero-trust architectures contribute significantly to digital resilience by securing data against unauthorised access, even when stored abroad.
Transparency and public awareness: Lastly, raising public awareness about the risks associated with foreign cloud providers and the importance of data sovereignty is crucial. Australians must be informed about where their data is stored and how it is handled. This creates transparency and trust in local data storage solutions. This education will empower citizens and pressure businesses and policymakers to prioritise data sovereignty in their decisions. It raises public awareness, empowering Australians to make informed decisions about data storage. It drives demand for sovereign cloud solutions and pressures businesses to prioritise data resilience. This approach also strengthens trust in local providers and fosters societal support for resilient data policies.
In summary, reliance on foreign cloud services threatens Australian data sovereignty, exposing data to foreign jurisdictions like the US CLOUD Act and conflicting with Australian privacy laws. High-profile breaches highlight these vulnerabilities. Contractual terms often cede user data control, and Five Eyes membership adds further complexity. A risk-based approach is crucial to bolster digital resilience, encompassing data classification, CSP security assessments, hybrid cloud models, data localisation, domestic cloud investment, enhanced encryption, and public awareness, balancing global cloud benefits with data sovereignty protection.