AI is driving the case for a fresh look at data sovereignty in Australia

Hitachi Vantara

By George Dragatsis*
Wednesday, 18 June, 2025



Data sovereignty has reached the forefront of governmental policy, defining how companies store, share and protect data globally. Within Australia, artificial intelligence has emerged as one of the strongest drivers for the imposition of data sovereignty rules, and the concept has its backers.

Sovereignty from an AI perspective is a broader discussion than data alone, but data is a major part of it. As a parliamentary inquiry reported at the end of last year, sovereignty from an AI perspective encompasses infrastructure, data storage, homegrown models, datasets, the availability of skills, and the ability of governments to act as effective regulatory overseers in the space.

Having all these sovereign capabilities is viewed by some observers as a hedge against the risk of AI being misused against Australians — giving Australia more control over AI and all of its enabling elements.

Some academics view sovereignty in the AI era as a net public good, reducing reliance on the consumption of services from global digital and cloud ecosystems. Just as importantly, sovereignty offers a way to tailor AI to an Australian context.

This is supported by the Australian Strategic Policy Institute (ASPI), which notes that “training AI systems on data that accurately reflects the diversity and complexity of Australian society … ensure[s] that these models are not only effective but also equitable and just. Furthermore, sovereign data fosters transparency and accountability, allowing for independent scrutiny of the data and algorithms that underpin AI decision-making”, which could increase trust in algorithms and their outputs.

Should it elect to go down the path of adopting data sovereignty requirements for AI-related reasons, Australia would not be alone. Singapore, for example, is among nations in the region also pushing for AI and digital sovereignty. In fact, over 100 countries have either implemented or are in various stages of developing data protection and data sovereignty laws, requiring companies to store data such as personal and financial information within the country’s national borders.

Some limited sovereignty rules exist today. Federal government agencies are subject to data sovereignty restrictions through the Hosting Certification Framework, which limits where data can be stored, depending on its classification. Critical infrastructure operators, a category that casts a wide net across many large enterprises and industries, also face some restrictions, and must report on the risks associated with where their data assets reside.

With AI and other advanced analytics use cases still evolving, and potential changes to the Privacy Act and enhancements to the Cyber Security Act a possibility under a future government, organisations and technology leaders within these organisations should look to incorporate sovereign thinking and capabilities into their current and forward planning.

Doing this now will stand organisations and technology teams in good stead to meet anticipated future regulations, as well as growing community expectations around responsible data and AI use.

What supportive sovereign infrastructure looks like

Any move to impose broader data residency or sovereignty requirements in Australia would impact organisations’ hosting and infrastructure strategies and options — as it has already for federal government and critical infrastructure operators.

There are several options to consider.

One is to go down the path of using sovereign clouds — cloud environments that adhere to specific local regulations — a concept that is gaining widespread popularity with organisations concerned about sensitive data from regulated industries such as finance and health care. According to a UN Trade and Development Report, sovereign clouds could permit companies to meet the growing demand for data localisation and decrease risks from cross-border data exchanges.

Alternatively, or in addition, organisations may consider hybrid models or on-premises solutions, which provide ultimate control over data security while meeting local data regulations. Hybrid strategies allow organisations to house sensitive information within a private cloud or on-premises environment to meet data residency laws, while still leveraging the scalability of public cloud services for less regulated data. This approach lets organisations keep their sensitive data within regulated boundaries while availing themselves of an expanded cloud ecosystem for less constrained processing of other data.

For organisations that take a hybrid multi-cloud approach, with some data residing on- and off-shore depending on its sensitivity, data masking and tokenisation technology is likely to be of assistance. As data flows across borders, both are invaluable tools for protecting sensitive information. Data masking replaces real data with fictitious but realistic data so that it can be shared without compromising its security. Tokenisation, meanwhile, replaces sensitive data with unique identifiers that can then be decrypted only within a secure environment.

According to the International Association of Privacy Professionals, data masking and tokenisation are crucial tools for organisations seeking to comply with data sovereignty and privacy laws while minimising the exposure of sensitive data, even when crossing borders. These tools are especially useful for companies conducting analytics or training AI models on sensitive data.
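The split between masking and tokenisation described above, as an added example that is not from the article or from any vendor product: a hypothetical onshore token vault tokenises an account number and masks a name before a record leaves for a less regulated cloud. The class, field names, sample record and fake-name pool are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

FAKE_NAMES = ["Alex Nguyen", "Sam Taylor", "Jordan Lee", "Casey Brown"]  # constructed pool
TOKENISE_FIELDS = {"account_no"}  # must be recoverable onshore
MASK_FIELDS = {"name"}            # never needs to be recovered

class OnshoreTokenVault:
    """Hypothetical vault, assumed to run only inside the in-country environment."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # secret never leaves the vault
        self._originals = {}                 # token -> original value

    def tokenise(self, value):
        # Keyed and deterministic: equal inputs give equal tokens, so joins still
        # work offshore, but a token cannot be reversed without the vault.
        mac = hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + mac[:24]
        self._originals[token] = value
        return token

    def detokenise(self, token):
        # Only possible where the vault lives; raises KeyError for unknown tokens.
        return self._originals[token]

    def mask_name(self, name):
        # Masking: substitute a realistic but fictitious value; nothing is stored,
        # so there is no way back to the real name.
        mac = hmac.new(self._key, b"name:" + name.encode(), hashlib.sha256).digest()
        return FAKE_NAMES[mac[0] % len(FAKE_NAMES)]

def prepare_for_offshore(record, vault):
    """Return a copy of record with direct identifiers tokenised or masked."""
    out = {}
    for field, value in record.items():
        if field in TOKENISE_FIELDS:
            out[field] = vault.tokenise(value)
        elif field in MASK_FIELDS:
            out[field] = vault.mask_name(value)
        else:
            out[field] = value  # less regulated fields pass through unchanged
    return out

if __name__ == "__main__":
    vault = OnshoreTokenVault()
    sample = {"account_no": "AU-12345678", "name": "Priya Sharma", "postcode": "2000"}
    offshore = prepare_for_offshore(sample, vault)
    print(offshore)                                  # what crosses the border
    print(vault.detokenise(offshore["account_no"]))  # recoverable onshore only
```

The postcode passes through untouched here; whether such quasi-identifiers can cross the border is a classification decision the code does not make.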

Lastly, as data sovereignty rules are enacted, organisations cannot afford to manage compliance manually. The most seamless path forward lies in deploying automated tools and continuous monitoring systems to maintain compliance with dynamically changing regulations. Compliance automation platforms are needed to track cross-border data flows (where they exist), enforce access controls, and ensure encryption standards are met with minimal manual intervention.

With these systems, tech leaders can take some of the operational burden off their teams’ plates, allowing them to focus on innovation while reducing the legal and financial risks of non-compliance.

*George Dragatsis has more than 25 years’ experience in the IT industry and is currently ANZ Chief Technology Officer of Hitachi Vantara based in Sydney. He previously worked in solutions architecture roles for organisations including Nimble Storage, Dimension Data, VMware and Data#3.




  • All content Copyright © 2025 Westwick-Farrow Pty Ltd