Data Sovereignty Series

Your AWS Sydney Data Isn't Actually in Australia

By Catalin Lichi · Sugau Pty Ltd

Walk into any boardroom in Sydney and ask where the company data lives. Nine times out of ten the answer will be “AWS Sydney” or “Azure East Australia.” Confident. Certain. Wrong.

The data centre is in Sydney. The company that operates it is American. And under US law, those are not equivalent statements.

A data centre physically located in Sydney doesn't guarantee data sovereignty if the operator is a subsidiary of a US parent company. Under the US CLOUD Act, American authorities can compel US companies to produce data held on servers anywhere in the world.

This is not a theoretical risk. It is the legal architecture your organisation is operating inside — whether you know it or not.

What the CLOUD Act Actually Says

The Clarifying Lawful Overseas Use of Data Act was signed into US law in 2018. Its core provision is straightforward: US law enforcement can compel US companies — including their foreign subsidiaries — to produce data stored anywhere on the planet, without requiring approval from the government of the country where the data physically sits.

AWS is a US company. Microsoft Azure is a US company. Google Cloud is a US company. Their Australian regions are subsidiaries operating under US corporate structure and therefore subject to US jurisdiction. The server rack may be in a building in Rosehill or Alexandria. The legal obligation to hand over its contents sits in Seattle, Redmond, or Mountain View.

The Practical Implication

Your organisation could face a situation where a foreign government compels access to your Australian customer data without notification to you, without Australian court oversight, and without any obligation to inform Australian regulators — including the OAIC. Your Privacy Act compliance does not protect you from a jurisdiction you are already operating inside.

The Australian Privacy Act Does Not Close This Gap

The Australian Privacy Act 1988 and the Australian Privacy Principles govern how organisations collect, use, and disclose personal information. They do not govern what a US court can compel a US company to do. These are parallel legal frameworks with no mechanism for the Australian one to override the American one.

The Security of Critical Infrastructure Act and the DTA Hosting Certification Framework introduce additional obligations for regulated sectors. Neither closes the CLOUD Act gap — they address Australian government access requirements, not foreign government access rights.

Who This Actually Affects in Australia

For most organisations the CLOUD Act risk is theoretical. For some it is disqualifying.

What True Australian Data Sovereignty Requires

Sovereignty is not a postcode. It is a legal and operational condition. For data to be genuinely sovereign:

This is achievable. It is not achieved by selecting an AWS region with an Australian postcode.

The Colocation Model Closes the Gap

An organisation that owns its hardware, operates it in an Australian-owned colocation facility such as NEXTDC, and manages it with Australian staff has a fundamentally different sovereignty position than one running workloads on AWS Sydney.

| Sovereignty Factor | AWS Sydney | Bare Metal @ NEXTDC |
|---|---|---|
| Physical location | ✓ Australia | ✓ Australia |
| Operator jurisdiction | ✗ United States | ✓ Australia |
| CLOUD Act exposure | ✗ Yes | ✓ None |
| Hardware ownership | ✗ Amazon | ✓ You |
| Vendor backdoor risk | ✗ Exists | ✓ None |
| Australian Privacy Act alignment | ✗ Partial | ✓ Full |
| Foreign access notification | ✗ Not guaranteed | ✓ Australian court required |
| Typical monthly cost (example workload) | $18,500–$30,000 | $9,500–$15,000 |

The sovereignty argument and the cost argument point in the same direction. When that happens, the decision should be straightforward.

The Question to Ask Your Legal Team

If a US government agency issued a lawful demand to AWS for our customer data stored in the Sydney region, would we be notified? Would we have the ability to contest it? Would Australian regulators be informed?

The answer to all three is: not necessarily.

That is the conversation most Australian CTOs have not had yet. The ones who have are the ones building sovereign infrastructure.

Sovereignty is not a feature you configure in the AWS console. It is an architectural decision you make before you sign the first cloud contract.

Next: the technical architecture of a genuinely sovereign private AI stack — air-gapped inference, Australian-jurisdiction colocation, and the Kubernetes patterns that keep your data inside your legal boundary.

Find out what a sovereign infrastructure migration would cost — and what you'd save — before committing to anything.
