Data residency vs data sovereignty: why where your data lives is only half the story
Australian organisations increasingly hear “data residency” and “data sovereignty” used interchangeably, but they are not the same thing. Conflating the two can leave your most sensitive data legally exposed, even when it never physically leaves the country.
What is data residency?
Data residency refers to the geographic location where data is physically stored. Public cloud providers often satisfy residency requirements by guaranteeing that customer data is held in Australian data centres, for example, a Sydney or Melbourne region.
Residency is a location guarantee.
What is data sovereignty?
Data sovereignty goes significantly further. It describes which laws, governments, and entities hold legal authority over data, regardless of where that data is physically stored. Sovereignty encompasses access rights, legal jurisdiction, foreign government subpoenas, and who ultimately controls your encryption keys, metadata, and management plane.
Residency answers “where is the data?”
Sovereignty answers “who ultimately controls it and can access it?”
How public cloud providers frame (and blur) the line
Hyperscalers frequently market data residency as though it were equivalent to sovereignty. It isn’t. While a major public cloud provider may store your data in an Australian region, the control plane, identity systems, support operations, and legal entities that govern that infrastructure are typically owned and operated by foreign parent companies.
This creates real and measurable exposure. Data stored in Australia may still be subject to extraterritorial legislation. The most notable example is the US CLOUD Act, which may – absent a qualifying bilateral agreement – compel American-domiciled companies to produce data held anywhere in the world, regardless of where it physically resides.
Common sovereignty gaps in public hyperscaler environments:
- Encryption keys managed or escrowed by the provider, not the customer
- Platform logs, telemetry, and metadata processed offshore
- Administrative access exercised by non-Australian personnel
- Legal entity domiciled in the US or EU, subject to foreign court orders
The result is a sovereignty gap: the distance between what is promised (local storage) and what is actually enforceable (foreign legal and operational control).
Why true data sovereignty requires an Australian private cloud
For regulated industries, government agencies, and organisations handling sensitive or classified data, residency alone is an insufficient compliance posture. True sovereignty demands control across every layer of the stack, from the physical infrastructure to the legal entity that owns and operates it.
Macquarie Cloud Services’ private cloud platform, Launch, is purpose-built to close the sovereignty gap for Australian organisations. It delivers enforceable, end-to-end control, not just a location promise.
- Legal control: the platform is owned and operated by an Australian legal entity, governed solely under Australian law. No foreign parent, no extraterritorial risk.
- Operational control: all infrastructure, management plane operations, and support functions are delivered locally by Australian personnel.
- Cryptographic control: customers retain exclusive ownership of encryption keys and key management systems. The provider cannot access your data.
- Full-stack sovereignty: both the data plane and the control plane are Australian-owned. There is no dependency on a foreign hyperscaler’s global control infrastructure.
- Auditability and assurance: clear, provable boundaries support compliance with government, healthcare, and financial sector regulatory requirements, including IRAP, ISO, Essential Eight, and APRA CPS 234.
Is your compliance posture actually enforceable?
If your organisation operates in a SOCI-regulated industry such as healthcare, critical infrastructure, or financial services, and you currently rely on a hyperscaler for workloads classified above UNCLASS, you should assess whether your current posture meets the Australian Government’s data sovereignty expectations outlined in the Hosting Certification Framework and the Australian Government Cloud Policy.
The question to ask your provider is not “where is our data?” but “who controls it, who can access it, and under which country’s law?”
Assess your sovereignty posture
Talk to a Macquarie Cloud Services specialist about how LAUNCH delivers provable, enforceable data sovereignty for regulated Australian organisations.







