Data sovereignty

By Bronwyn Ross

November 2025

Data sovereignty is one of those terms that crop up frequently when discussing data governance. But what does it really mean? Here we try to explain the term and how it impacts users of globally hosted services.

Meaning of “data sovereignty”

“Data sovereignty” refers to the right to control and access data. It is premised on the idea that data generated within a particular jurisdiction should be governed by the laws of that jurisdiction. The term is most often used when arguing that a nation should be able to control how the data that originate within its borders are accessed and handled. Less frequently, it may be used to describe the ability of organisations to control how their proprietary data are accessed and handled.

The term data sovereignty should be distinguished from “data residency”, which is used to describe the actual location in which data is stored. As part of exercising their data sovereignty, governments or organisations may sometimes stipulate that particular types of data (e.g. health records) are stored locally. This is often referred to as a data localisation requirement.

Exercising data sovereignty to protect privacy rights…

It is not unusual for governments committed to the protection of privacy and civil liberties to prohibit the transfer of personal data outside their national borders unless an equivalent level of data protection has been established in the receiving country. This has led to the creation of various legal instruments confirming the equivalence of privacy protection, such as standard contractual clauses or government-level adequacy decisions, to facilitate cross-border data flows.

One example of the latter is the EU Commission’s adequacy decision for the EU-U.S. Data Privacy Framework (the “EU-U.S. Privacy Shield 2.0”), issued in July 2023, concluding that the U.S. provides a level of protection for personal data that is essentially equivalent to that of the EU, thereby facilitating transatlantic data transfers.

The validity of the EU-U.S. Privacy Shield 2.0 was reaffirmed recently by the EU’s General Court. However, various European civil liberty groups have expressed concerns about the ongoing integrity of some privacy safeguards in the U.S., given the Trump administration’s unorthodox use of executive powers, and a further legal challenge to the adequacy decision has not been ruled out.

…and to conduct surveillance

National security interests often conflict with protection of privacy and civil liberties, and this can be reflected in conflicting sovereign laws attempting to exert control over personal data.

The U.S. is particularly active in trying to exert sovereignty over data created outside its national borders, on the grounds of national security. Some will recall the U.S. Patriot Act (2001), which was enacted following the 11 Sep 2001 terrorist attacks on U.S. soil. Amongst other things it contained provisions granting U.S. officials access to any information physically hosted within the U.S., regardless of its country of origin. That legislation, together with the usual latency considerations, encouraged many non-U.S. customers to consider local or regional data hosting arrangements at the time.

But the U.S. federal CLOUD Act, enacted in 2018, goes a step further. Amongst other things, it allows U.S. law enforcement to compel companies that are headquartered or operate in the U.S. to disclose data stored abroad, even if it relates to non-U.S. citizens. Regional hosting arrangements offered by U.S.-based providers are no longer beyond the reach of U.S. federal authorities.

Response of the U.S. cloud providers

The CLOUD Act conflicts with Article 48 of the EU’s General Data Protection Regulation (GDPR), which states that third party demands for access to EU data are enforceable only if based on an international agreement between the countries, also known as a mutual legal assistance treaty (MLAT), or if they have some other legal basis under the GDPR such as consent. The CLOUD Act is an attempt to circumvent the (rather bureaucratic) processes required by the current MLAT between the U.S. and the EU. But if the MLAT doesn’t apply, then cloud providers must ensure a CLOUD Act request has some other legal basis under the GDPR before responding. If not, they and their customers are at risk of breaching the GDPR and incurring significant fines.

This creates additional complexity for data controllers trying to comply with EU data sovereignty requirements. To mitigate the perceived risk, some hyperscale cloud providers have responded by offering not just local hosting arrangements but also technical measures and operational controls specifically designed to prevent other parties (including themselves) from accessing hosted data. They argue they can only respond to legal requests for data “…where we have the technical ability to do so”. These so-called “sovereign platforms” offer customer-managed key encryption, operational separation, and physically isolated infrastructure, providing local data residency and customer control.

Response of the EU

In the battle for jurisdictional control, the EU has launched several new legislative and policy initiatives intended to promote European digital infrastructure as an alternative to the U.S.-centric hyperscalers.

The EU’s Cloud Sovereignty Framework (CSF), launched in Oct 2025, helps organisations to assess the independence of cloud services based on strategic, legal, operational, and technological criteria. Its stated goal is to guide public and private entities in choosing secure cloud options and to reduce reliance on foreign systems. The CSF is supplemented by the EU’s Data Act, which contains new rules designed to unlock the EU cloud market, by allowing customers to more easily switch between different data-processing service providers, or to on-premise services.

Given the compliance dilemma created by using U.S.-centric service providers, opting for an EU provider or an on-premise solution is being promoted by EU vendors as the simplest path for demonstrating GDPR compliance.

The situation in Australia

The situation is similar in Australia; if U.S.-centric service providers comply with data access demands under the CLOUD Act, they and their Australian customers may be in breach of Australia’s Privacy Act 1988, which holds data owners accountable for the acts of their data processors.

Partly to protect U.S. cloud service providers from any such liability, and to facilitate efficient data access for serious crime investigations, Australia and the U.S. have signed an Australia-U.S. CLOUD Act Agreement. This bilateral agreement affirms that the countries’ respective domestic legal frameworks provide “robust substantive and procedural protections for privacy and civil liberties” and that these would govern the handling of any data accessed in the context of investigating serious crime.

Although the Australia-U.S. CLOUD Act Agreement simplifies law enforcement access to cross-border data, it does not automatically protect Australian data owners from liability or penalties for any consequential breaches of the Australian Privacy Principles (APPs).

What should Australian data owners be doing?

To minimise the risk of data access demands under the U.S. CLOUD Act, data owners could consider using only Australian-owned and operated cloud services that keep all data and services within Australia. Several Australian providers claim to offer such services, marketed as sovereign clouds or private managed clouds.

But many SaaS solutions today are hosted on infrastructure owned by U.S.-based hyperscalers. If you use a U.S.-based SaaS or communication platform, you should assume that U.S. authorities may access your data, no matter where it is stored, via the CLOUD Act. If you are planning to sign up with a U.S.-based vendor for a new cloud-hosted service or SaaS solution, consider the following:

  1. What is the nature of the workload you propose to place on the service? Is it processing sensitive / personal information?
  2. Are there any mandatory localisation requirements governing the data you are proposing to place in the cloud?
  3. Do you understand the data flows for the new SaaS solution? Map where your different data classes originate, how they move, where they are stored and processed, and where backups are stored.
  4. Should you architect hybrid or split models? For sensitive data classes that require absolute sovereignty (such as classified data, national infrastructure, regulated industry data), consider on-prem or sovereign-appliance models that keep control local. Less sensitive workloads can be left in global clouds.

If using the sovereign clouds marketed by U.S.-centric providers, demand contractual guarantees for key operational features such as customer-managed key encryption, separation of regional operations and audited access controls. Also require contractual indemnities for any loss or penalties incurred due to breaches of local privacy legislation when responding to law enforcement data access requests.

Thanks for checking out our business articles. If you want to learn more, feel free to reach out to Red Marble AI. You can click on the "Let's Talk" button on our website or email Bronwyn, our Ai Govern expert at b.ross@redmarble.ai.

We appreciate your interest and look forward to sharing more with you!
