Data Localization/Residency
Are there data localization / data residency or other types of laws that may require the retention and storage of personal data in the local jurisdiction?

Last review date: 31 December 2023

Yes.

☒ a) data localization / data residency laws that mandate retention of personal data or a copy thereof in the local jurisdiction (include whether copies or the original data may also be stored outside of the jurisdiction):

There are no data localization / data residency requirements for personal data generally (although offshoring will need to be done in accordance with the Privacy Act).

However, some level of data localization / data residency is required, or may be required, in specific sectors:

  • In some States / Territories (e.g., NSW and Vic), health records laws restrict disclosure of health records outside of the relevant State / Territory (i.e., they impose in-State / in-Territory data sovereignty requirements) unless certain criteria are met (e.g., the individual consents to the transfer; a substantially similar protective regime will apply to the disclosed records; the transfer is necessary for the performance of a contract between the individual and the organization; or the organization has taken reasonable steps to protect the information consistent with State / Territory privacy principles). Original health records and copies of them are subject to the same disclosure restrictions.
  • Additional requirements apply before a credit provider can disclose credit eligibility information to offshore recipients who do not have an Australian link. Each credit provider with an Australian link remains responsible for any breach of the credit reporting provisions of Australian privacy laws by such a recipient. Original data and copies of it are subject to the same requirements.
  • "My Health Records" and associated information (e.g., back-ups of My Health Records) must not be held, taken, processed or handled outside Australia at all (except that the My Health Records system operator can hold, take, process or handle non-personal and non-identifying information outside Australia). This means that original My Health Records and copies of them may not be removed from Australia.

☒ b) other laws that mandate retention of personal data or a copy thereof in the local jurisdiction (include whether copies or the original data may also be stored outside of the jurisdiction):

☒ national security laws
☐ anti-investigatory/blocking statutes that restrict any activity on local territory that aids a foreign government investigation
☒ tax or financial record laws
☐ employment laws
☒ export control laws
☒ other

In addition to the laws and requirements noted above:

  • Prudentially regulated institutions are also subject to guidelines and standards on outsourcing and risk management, which may indirectly affect whether and how they disclose data to offshore service providers.
  • Goods, software or technology listed on the Defence and Strategic Goods List (DSGL) are "controlled technology" under customs laws. Listed items include certain technical data and information and encryption technology. Items listed in the DSGL may not be exported, supplied, published or brokered from Australia unless either a permit has been granted by the Minister for Defence or a legislative exemption applies to the export, supply, publication or brokering activity.
  • Under telecommunications and critical infrastructure laws, a responsible minister can give directions to telco carriers, carriage service providers and registered operators of critical infrastructure if satisfied that there is a risk that would be prejudicial to security. Such directions could conceivably include a direction not to send data offshore or make it available offshore (e.g., where there are concerns about foreign government interference).
  • Under foreign investment approval laws, a condition of foreign investment approval could potentially include requiring that certain data relating to the business subject to approval be retained in Australia.

In addition:

  • Telecommunications interception laws do not specify data sovereignty or data residency requirements, but they do require relevant providers to ensure that interception capability or capacity exists in Australia and/or that there is some presence in Australia for law enforcement to deal with. This may affect decisions on whether and how to offshore data and systems.
  • Other legislation that is not specific to privacy or security may require certain information to be kept in specific locations (e.g., corporations or work health and safety laws may require certain registers or records to be kept at a particular office or in-jurisdiction), and this may have the effect of requiring data localization. Typically, in these instances, it will be acceptable to host copies of this data offshore provided the original is kept in the required location.
  • Commonwealth, State or Territory government policies may also express a preference for data localization, or recommend additional steps are taken where data is offshored.

The Department of Home Affairs issued a discussion paper on 6 April 2022, which sought stakeholder consultation on, amongst other things, whether Australia needed an explicit approach to data localization. The consultation concluded on 24 June 2022, and there have been no further updates on data localization since then. The review of the Privacy Act considered submissions for and against extending the obligations in APP 8 to cover "uses" or "transfers", but the report on the review stopped short of recommending a broader data localization requirement, and neither the government's 2023-2030 Australian Cyber Security Strategy nor the associated Action Plan makes reference to data localization.