Dude, where's my data?
Published on: 16-11-2025
Navigating privacy compliance in a cloud-first world.
Written by Stephen Cox
Data sovereignty in a cloud-first world
You use cloud apps because they’re fast, cheap, and let you avoid the joy of racking physical servers at 3am. The downside? Your customers’ personal data might be on hardware governed by someone else’s laws, on a different continent, and — ahem — not necessarily behaving itself. Here’s a clear, slightly sarcastic, very practical guide to where the major services sit under Australian privacy law (Privacy Act 1988 (Cth) and the Australian Privacy Principles — APPs), and what you should actually do about it.
The gist of it
You (or your organisation) retain copyright in the content you upload to basically every major service. Good.
Most providers get a license to host/use/serve your content — that’s how the service works. Fine, expected.
Big risk for Australians: where data physically sits and who can legally access it. That’s the data-sovereignty problem.
Best technical route: use cloud services with explicit Australian regions + strong contractual terms. Still not bulletproof, but much better.
Ratings: how each service stacks up for Australian privacy & data sovereignty
(5★ = good for sovereignty + APP alignment if configured correctly; 1★ = poor)
Google Cloud (Australian region) — ★★★★☆
Microsoft Azure (Australian regions) — ★★★★☆
Amazon AWS (Australian region / S3) — ★★★★☆
Google Workspace (paid, with Australia region/contract) — ★★★★☆ (depends on config)
Microsoft 365 (business, Australian region/contract) — ★★★★☆ (depends on config)
Figma / Canva / Notion / iCloud — ★★★☆☆ (Good controls and export options, but less transparent residency guarantees by default.)
Consumer cloud (Google Drive free, OneDrive free) — ★★☆☆☆ (Convenient, but defaults may route data offshore and contractual protections are weak for organisational use.)
Flickr — ★★☆☆☆ (You own photos, but backup/export tooling is basic; public content is a different beast.)
Social platforms — Facebook / Instagram / X / TikTok / Reddit — ★☆☆☆☆ (Global platforms, complex cross-border flows, limited sovereignty control — risky for regulated or sensitive Australian data.)
Bluesky — ★★☆☆☆ (Decent intent and license limits, but decentralisation means content can persist outside direct control.)
What this means under the Privacy Act / APPs (TL;DR)
The APPs don’t ban sending data overseas — they require you to take reasonable steps to ensure equivalent protections before you do. In practice that means: know where data will go, read contracts, and document your risk assessment.
If you’re an Australian organisation using these services to store or process personal information of Australians, you remain responsible for APP compliance. The provider is not your privacy lawyer.
For highly sensitive data (health, government, financial), assume extra scrutiny — local residency, stronger contractual assurances, and encryption will be required.
Practical checklist — what to do right now (yes, do it)
Map your data — what personal data do you hold, where is it stored, who has access? (If you can’t answer this in one coffee, stop and map it.)
Choose Australian regions for cloud services where available (GCP, Azure, AWS). Don’t rely on default settings.
Contract properly — ensure the provider’s terms, data processing addendum (DPA) and security docs explicitly address: data residency, backups, subcontractors, access by foreign governments, deletion/exit procedures.
Encrypt at rest & in transit — and where possible, control the keys (Bring Your Own Key). If the vendor can’t prove it can’t read your data, assume they can.
Limit data sent to social platforms and consumer apps. Put commercial/regulated data on enterprise clouds only.
Retention & exit plan — test exports and deletions. Don’t find out the hard way that your data sits in a backup no one can get.
Document everything — your APP-compliance risk assessment must show you took reasonable steps. The regulator likes paperwork.
When in doubt, escalate to legal + security. If data is super-sensitive, consider local providers or private hosting.
Quick notes on specific gotchas
Backups and replication: Even if you choose an Australian region, some services replicate backups cross-region — check the fine print.
Support & admin access: Support staff may be offshore — can they access live data? Contractually control or log their access.
Social platforms: Marketing teams love them; privacy teams hate them. If you’re collecting leads or customer data via socials, treat that dataset like customer data and apply APP rules.
Decentralised systems (e.g., Bluesky): deletion isn’t guaranteed across the whole network. Plan accordingly.
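The region, key-control and backup-replication checks from the checklist and gotchas above can be run as a repeatable audit. The sketch below is an added example, not part of the original article: the inventory and its field names are constructed for illustration, and the region identifiers are the providers' public names for their Australian regions, which the article itself does not list.

```python
# Added example: residency audit over a constructed inventory (not real API output).
AU_REGIONS = {
    "aws": {"ap-southeast-2", "ap-southeast-4"},              # Sydney, Melbourne
    "azure": {"australiaeast", "australiasoutheast",
              "australiacentral", "australiacentral2"},
    "gcp": {"australia-southeast1", "australia-southeast2"},  # Sydney, Melbourne
}

# Constructed sample inventory; field names are assumptions for this example.
INVENTORY = [
    {"name": "crm-prod", "provider": "aws", "region": "ap-southeast-2",
     "replicas": ["ap-southeast-4"], "key": "customer"},
    {"name": "crm-backup", "provider": "aws", "region": "ap-southeast-2",
     "replicas": ["us-west-2"], "key": "customer"},
    {"name": "leads-export", "provider": "gcp", "region": "us-central1",
     "replicas": [], "key": "provider"},
    {"name": "hr-files", "provider": "azure", "region": "australiaeast",
     "replicas": [], "key": None},
]

def audit(resource):
    """Return a list of findings for one storage resource (empty = clean)."""
    allowed = AU_REGIONS.get(resource["provider"])
    if allowed is None:
        return ["unknown provider: residency cannot be assessed"]
    findings = []
    if resource["region"] not in allowed:
        findings.append(f"primary region {resource['region']} is outside Australia")
    for dest in resource.get("replicas", []):
        # Backups and replicas count: an AU primary with an offshore copy still leaks residency.
        if dest not in allowed:
            findings.append(f"replicates to {dest}, outside Australia")
    key = resource.get("key")
    if key is None:
        findings.append("no encryption at rest recorded")
    elif key != "customer":
        findings.append("encrypted with a provider-managed key, not a customer-controlled one")
    return findings

def audit_inventory(inventory):
    """Map resource name -> findings, keeping only resources with issues."""
    results = {r["name"]: audit(r) for r in inventory}
    return {name: f for name, f in results.items() if f}

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        for f in findings:
            print(f"{name}: {f}")
```

Feed it an inventory exported from your own asset register or cloud tooling, and keep the output with your APP risk assessment as evidence of the steps taken.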
Final (practical) recommendation
If you run an Australian business that stores or processes personal information of Australians, assume consumer free-tier apps and social platforms are not acceptable for regulated or sensitive datasets. Pick enterprise cloud regions in Australia, lock down contracts and keys, and build an exit/export test into every project. Do that, and you’ll sleep better. Maybe even through the night.