15 Jan 2020, Security by Micron21
In the context of technology, the topic of sovereignty is almost always preceded by the word “Data”. In its own right, data sovereignty is an important concern for all Australian businesses. There are privacy obligations around the use, disclosure and management of personal data as enshrined in the Australian Privacy Principles (APP) and legislated in the Privacy Act (1988). This works well to protect data on Australian shores, but what about data that is held internationally? To that end, Section 8 of the APP extends the application of privacy law to protect data stored overseas, and hence the topic of data sovereignty is born. However, personal data is just one aspect of data and sovereign concerns.
Traditionally, data privacy has been the domain of multinationals with international systems. The challenge of adhering to the Privacy Act was largely simplified by good governance, centralised systems with unified processes, and clear knowledge of and accountability for where that data was stored. It was simply a matter of ticking boxes and ensuring the host country upheld similar standards and values around personal data. The modern technology landscape, however, is more complex and diverse. The dominance of Software as a Service (SaaS) for point solutions, rapid prototyping and software development has fragmented the data landscape and increased the burden of controls and compliance.
This problem is further exacerbated by the proliferation of intermediary online servers such as API connectors, database integrators, and third-party hosted modules and plugins that fill gaps in functionality and help leverage one’s data. And then there’s the issue of backups, which take copies of the data and store them in another facility for protection. Questions arise as to what extent this facility is under the control of the SaaS provider, and what security exists for its storage, both digitally and physically. It perhaps never occurs to many IT Managers that data may be collected and stored in other systems, or at least pass through them. When you then consider that access control is usually unified across these disparate systems through some form of Single Sign On (SSO), the modern IT Manager has to deal not only with more vectors for data breaches but also with simpler access to the data.
Unfortunately, the reality of the data landscape is a little darker and more nefarious than the pop culture view of bored youths looking for a challenge. While the activities of overseas State-based agents readily make news headlines, there is a whole raft of criminal activity that we need to safeguard personal data against. A sad fact is that Australian data leaves our shores daily. DDoS protection, as an example, requires the inspection of packets to ascertain their nature and identify whether a pattern is emerging in the traffic. Most providers of DDoS mitigation are foreign based, with points of presence around the globe. Local traffic must route externally to pass through their filters before being returned to our shores. While these providers will attest to their secure facilities and innate data encryption in transit, it still raises the question of where one’s data is at any point in time. This point is not to underplay the entire issue of foreign ownership of Australian facilities and businesses. Much of Australia’s critical infrastructure today rests with foreign control. The US Patriot Act compels US-owned businesses, regardless of their location, to render data when requested. While the US is open about obtaining it, any foreign power will want access to data when it serves their purposes.
There are serious repercussions for breaches of the Privacy Act in Australia. Today, businesses must not only take steps to ensure personal data is protected, but must also comply with the mandatory notification laws in place for when a breach occurs. In this digital age, however, the challenge of safeguarding data is not a simple one on a global stage. Sovereignty raises a larger question than just the privacy of data when stored overseas. Physical sovereignty, it can be argued, offers the greatest safeguard of information in this day and age.
This is where Micron21 comes in. We are 100% Australian owned and operated and not at the disposal of any foreign power. Our Data Centre is based in Melbourne’s outer east, and is manned 24/7 by our local support team. Hence all data is stored in Australia and, in addition, all your backups are fully encrypted in Micron21’s own managed environment. Our DDoS mitigation platform further protects Australian data by ensuring that local traffic is inspected and cleaned solely on our shores, with the side benefit of lower latency. Micron21 is committed to being Australia’s choice in secure cloud. We offer rock solid compliance to protect your data 24/7.