Data Sovereignty vs Data Localisation - Why the difference between them is important

17 Sep 2024, by Slade Baylis

With the ever-growing concerns of foreign influence over data, “data sovereignty” is becoming more and more important not only to governments, but to enterprises and small businesses as well.  Data sovereignty refers to the laws and regulations that data is subject to, specifically the preference to have data be subject to the laws and regulations of the country that it was generated within.

Within Australia, all organisations are governed by the principles set out in the Australian Privacy Principles (APP), which were initially established in the Privacy Act in 1988.  Within the APP, rules are set out governing how organisations are allowed to disclose personal information across borders to international recipients.  These rules require all organisations to take at least “reasonable” steps to ensure that everyone they work with, and share data with, complies with the APP.  What this means is that all organisations, regardless of their internal policies around the protection of data, are required to implement protections ensuring some minimum level of data sovereignty.

However, there is only so much that can be done to ensure compliance internationally.  With accountability still falling to Australian organisations for breaches of the APP by international partners, the risks of non-compliance can still be very high.  It’s for this reason that many are choosing to avoid those risks by instead looking at policies that establish rules around the locations where data is allowed to be stored.

What is Data Localisation?

Two terms that often come up when discussing data sovereignty are “data localisation” and “data residency”.  The two terms are often used interchangeably; however, they refer to different but closely related concepts.

“Data residency” refers to the location where data is stored, with this location usually referring specifically to the country that the data is stored within.  “Data localisation”, by contrast, refers to the policy of setting rules around data residency, only allowing data to be stored within the country that it was generated within.

What is the importance of Data Sovereignty and Data Localisation?

When it comes to government, amidst growing concerns around national interest and geopolitical factors, control over data has become so paramount that data sovereignty is now a key consideration when choosing where to store data.  There are many reasons that governments, enterprises, and other organisations would look to implement data localisation policies specifically.  One of the primary reasons is that it helps simplify and ensure compliance with local laws and regulations, and ultimately helps maintain data sovereignty.

As mentioned, the APP sets out rules for organisations to follow to ensure compliance with the APP abroad, so moving data internationally isn’t forbidden.  However, doing so can introduce complexities and risks that could otherwise be avoided.  That’s why many businesses are looking to choose providers based not only on their data sovereignty policies, but on their data localisation policies as well.

Highly regulated industries, such as banking and healthcare, often face many more requirements and restrictions if data is stored or processed internationally.  That’s why these industries often look to the reduced complexity and reduced difficulty around compliance that comes with locally stored and processed data.  By keeping data within the same jurisdiction within which it was generated, they’re able to avoid the risks of possible violations and the financial penalties that can follow.

For Australians specifically, there are legal concerns around the protection of your data that should be considered when looking to host within some international jurisdictions.  For example, within the US, the Patriot Act – originally a response to the September 2001 (9/11) attacks – strengthened the ability of the US government to combat terrorism, including broadening and enhancing its surveillance powers.  Through this – and other laws similar to it – data is able to be demanded from ISPs (Internet Service Providers), telcos (telecommunication providers), and other service providers with much less protection than was previously afforded.

For this reason, we recommend considering these types of jurisdictional issues when choosing where to host your infrastructure and data.  If an Australian organisation hosts their systems and data within Australia, this helps reduce the number of concerns around both foreign access to and control over those systems and the data stored within them.

How do you implement Data Localisation?

For organisations that only operate out of a single country, it’s usually straightforward to implement policies to limit the spread of your data.  If you host and back up your systems on-premises, then it’s easy to know where your data is stored and which jurisdiction you fall under.  However, if you host your services within a data centre – and there are many advantages to doing so, such as redundancy around power, cooling, and networking, as well as much greater physical security – then it’s important to know how to evaluate different data centres and cloud providers.

For those that are looking to either colocate their servers at a data centre – or use cloud-based services with one – the main thing to check for is whether your provider is based within Australia.  If they are based in Australia, then the next thing to check for is whether they have data localisation policies in place to only store domestic data domestically.  Whilst an organisation stating that it has a data localisation policy doesn’t necessarily guarantee that all your data is stored locally, it’s a lot more likely that it is than with an organisation that doesn’t even mention having one.

Once you’ve confirmed that your provider is based out of Australia and that they do have a data localisation policy, then it’s best to check with them as to how this is implemented by asking questions like:  Where exactly is your data being stored?  Does that data ever leave the country, such as for backup or disaster recovery purposes?  If the data is transferred between locations temporarily, is it encrypted to ensure it can’t be accessed or viewed in transit?  These are examples of questions that you should ask your provider to confirm that they have actually implemented their policies.
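The three questions above can be turned into a repeatable check over an inventory of where each system and its backups actually live.  The following is an added illustration, not code from the original post or from Micron21; the inventory format, the field names and the sample data are all assumptions made for the example.

```python
"""Data localisation audit over a constructed hosting inventory (added example).

Checks each data store against the questions in the post: where is the
primary copy, do backup/DR copies leave the home jurisdiction, and are
transfers between sites encrypted in transit.  Field names are assumptions.
"""
from dataclasses import dataclass, field

HOME_JURISDICTION = "AU"  # the country the data was generated in


@dataclass
class DataStore:
    name: str
    primary_country: str                                   # where the live copy sits
    replica_countries: list = field(default_factory=list)  # backup / DR copies
    transit_encrypted: bool = True                         # inter-site transfers encrypted?
    holds_personal_info: bool = True                       # in scope for the APP?


def check_localisation(store: DataStore, home: str = HOME_JURISDICTION) -> list:
    """Return the findings for one data store; an empty list means it passes."""
    findings = []
    if not store.holds_personal_info:
        return findings  # nothing to localise
    if store.primary_country != home:
        findings.append(f"{store.name}: primary copy stored in {store.primary_country}, not {home}")
    foreign = sorted({c for c in store.replica_countries if c != home})
    if foreign:
        findings.append(f"{store.name}: backup/DR copies leave {home} ({', '.join(foreign)})")
    # Data that moves between sites must be encrypted in transit (the post's third question).
    if store.replica_countries and not store.transit_encrypted:
        findings.append(f"{store.name}: replication traffic is not encrypted in transit")
    return findings


def audit(inventory: list) -> dict:
    """Map each failing store name to its findings; compliant stores are omitted."""
    result = {}
    for store in inventory:
        issues = check_localisation(store)
        if issues:
            result[store.name] = issues
    return result


# Constructed sample inventory; the names and locations are made up for this example.
SAMPLE_INVENTORY = [
    DataStore("crm-db", "AU", ["AU"]),
    DataStore("backups", "AU", ["AU", "SG"], transit_encrypted=False),
    DataStore("file-share", "US"),
    DataStore("public-site-assets", "US", holds_personal_info=False),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INVENTORY).items():
        for issue in issues:
            print("FINDING:", issue)
```

Run against a real inventory exported from your provider’s answers, the output lists exactly the stores whose placement or replication contradicts the stated localisation policy.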

But many providers don’t even have such policies.  This is usually because it can often be cheaper for them to host systems internationally.  By choosing to move or host systems overseas, these organisations are able to save on infrastructure costs; however, this cost saving comes with the potential cost of that data not being as protected by the principles outlined in the APP.

For added protection, we also recommend looking at the ownership of the companies that you choose to host with.  Whilst legal protections are in place for Australians to protect their privacy, global corporations may have obligations and agreements in place that prioritise other aims over the protection of your data.  Choosing to host with a company that’s 100% Australian owned is one more reassurance that your data is safe from foreign influence and control.

Overall, it’s important to check your provider’s data sovereignty and data localisation policies, as well as to make sure they’re followed – otherwise, if you’re not careful, your data could actually be located in countries and jurisdictions that you’re not comfortable with!

Have any questions about Data Sovereignty, Data Residency, or Data Localisation?

Micron21 is 100% Australian owned and operated.  Not only do we have policies implemented around data sovereignty and data localisation, but we’re also ISO 27001, 27002, and 27018 certified.  Each of these standards relates to information security, cybersecurity, privacy protection, and the protection of personally identifiable information (PII) within public cloud environments.

So, if you have any questions about our policies around how we protect data, let us know!  We’re happy to have a chat about your requirements and how to best protect your data.

You can reach us via email at sales@micron21.com or via phone on 1300 769 972 (Option #1).
