Data sovereignty in Aotearoa: Navigating how to protect our digital taonga

In this article, Chris explores the complex dimensions of data sovereignty as it manifests within our digital infrastructure.

Chris Cormack has led a career that weaves technology through culture and knowledge. As data is a taonga, data sovereignty has been a recurring topic of interest in his work. In his role as Kaihuawaere Matihiko at Catalyst, Chris often ponders the complex dimensions of data sovereignty as it manifests within our digital infrastructure. The questions surrounding where and how our data—particularly Māori data—is stored, accessed, and governed are becoming more important.

Where an organisation's data is stored isn't just a technical detail; it also affects legal control, security, and compliance. Non-compliance with data sovereignty requirements exposes organisations to heavy regulatory penalties and reputational damage. More fundamentally, data location directly determines jurisdictional control and accessibility.

When data crosses borders, it becomes subject to foreign legal frameworks that may allow access through laws such as the US CLOUD Act. This legislation enables United States authorities to demand that US-headquartered technology companies provide data, regardless of its physical storage location.

The Five Eyes intelligence alliance (Aotearoa New Zealand, Australia, Canada, United Kingdom, United States) further complicates sovereignty considerations, as intelligence-sharing arrangements potentially expand access to data across multiple jurisdictions once it becomes available to a single member nation.

Regulatory frameworks shaping data practices

Organisations operating in Aotearoa must work through regulatory environments including:

  • The Privacy Act 2020
  • International frameworks like GDPR for European data subjects
  • Sector-specific compliance requirements. 

Foreign laws can still apply, even when data is stored in another country. This reality challenges the common belief that storing data in a particular geographical location means you are protected under that country’s laws alone.

International trade agreements can make understanding data sovereignty considerations even more complicated. Agreements like the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) contain provisions related to cross-border data flows that can potentially limit a country's ability to impose data localisation requirements. The Waitangi Tribunal (WAI 2522) report specifically addressed these concerns, noting that mātauranga Māori includes rights and interests in the digital domain, placing "a heightened duty on the Crown to actively protect those rights and interests, particularly in a field that is subject to rapid change and evolution."

If a data breach happens in another country's legal jurisdiction, fixing the issue becomes much harder. Taking legal action often means dealing with foreign courts, which may not offer the same protections or make it easy for outsiders to get justice.

As new trade agreements are made, their impact on data sovereignty, particularly Māori data sovereignty, must be examined closely to ensure they do not override domestic protections or undermine tino rangatiratanga over digital taonga.

True data custodianship

Many organisations lack clarity on where their data truly resides and who has actual and potential access. While cloud contracts may specify Aotearoa as the physical storage location, the legal headquarters of service providers often determine ultimate jurisdictional control. Data residency alone does not guarantee data sovereignty.

Technical access considerations extend beyond government authorities to service provider personnel. Global cloud engineering teams typically maintain hypervisor-level access capabilities that go beyond geographical borders, creating additional layers of potential data exposure.

 

Data residency compared with data sovereignty:

Definition
  • Data residency: The physical location where data is stored.
  • Data sovereignty: The legal authority governing the data, regardless of where it is stored.

Legal impact
  • Data residency: Data follows the laws of the country where it is stored, but may still be subject to foreign access if owned by an overseas provider.
  • Data sovereignty: Data is protected under local laws without foreign interference, provided the service provider is also locally controlled.

Example
  • Data residency: A company stores its data in New Zealand with a global cloud provider.
  • Data sovereignty: A company stores its data in New Zealand with a locally owned cloud provider, ensuring full control under NZ laws.

Key concerns
  • Data residency: Residency alone does not prevent foreign legal claims if the provider is based overseas.
  • Data sovereignty: Sovereignty can be compromised if encryption keys, infrastructure, or legal ownership remain under foreign control.

Best practice
  • Data residency: Store data in a location that meets regulatory requirements.
  • Data sovereignty: Ensure data is hosted by a locally owned and operated provider to maintain full jurisdictional control.

Cloud provider approaches to sovereignty

Major international providers have begun implementing "Sovereign Cloud" offerings that attempt to address jurisdictional concerns.

However, these solutions, including Microsoft's New Zealand data center region and similar initiatives, ultimately remain under the corporate structure of overseas parent companies and are examples of data residency but not data sovereignty.

Locally headquartered alternatives like Catalyst Cloud, a New Zealand-owned and operated cloud services company, provide cloud services fully contained within the jurisdiction of Aotearoa. This approach offers clear advantages including alignment with NZ legal frameworks, reduced latency, and enhanced support for kaitiakitanga of data.

Encryption's role in sovereignty protection

While encryption provides essential data protection, it represents an incomplete sovereignty solution. Cryptographic measures enhance security but do not fundamentally alter jurisdictional status.

Locally-controlled sovereign cryptographic keys significantly strengthen protection posture. When encryption key management remains within Aotearoa's jurisdiction, meaningful access to underlying data becomes substantially more difficult for external entities.

However, certain jurisdictions maintain legal frameworks that may compel the disclosure of encryption keys under specific circumstances, highlighting the importance of encryption as one component within a comprehensive sovereignty strategy.

Sovereignty in multi-cloud environments

Organisations using multiple cloud providers must carefully architect how they store and protect data.

Best practices include:

  • Classifying data: decide what data should be sovereign and ensure it is kept onshore.
  • Data segmentation: maintain sensitive assets within local private infrastructure.
  • Using encryption systems: these should use locally controlled key management.
  • Regular reviews: conduct regular cross-environment compliance assessments. 

Hybrid infrastructure models can effectively balance sovereignty requirements with operational flexibility by housing sensitive information locally while leveraging global resources for less sensitive workloads.

Māori Data Sovereignty considerations

Māori Data Sovereignty (MDSov) recognises the inherent rights and interests that Māori possess regarding the collection, ownership, and application of data connected to Māori people, resources, culture, and environments. This conception extends beyond conventional sovereignty frameworks focused primarily on geographical data residency.


Organisations must carefully consider:

  • The nature and scope of Māori data within their systems
  • Potential exposure of this data to foreign jurisdictional claims
  • Meaningful involvement of Māori in governance decision-making. 

Proper implementation of Te Tiriti o Waitangi in relation to data sovereignty requires direct engagement with its Articles:

  • Article 1 establishes the Crown's obligation to govern in ways that actively protect Māori data while respecting Māori authority over information resources.
  • Article 2 affirms Māori data as taonga and recognises that iwi and hapū maintain tino rangatiratanga over information resources connected to their people, territories, and knowledge systems.
  • Article 3 guarantees Māori equal protection rights while simultaneously acknowledging collective rights dimensions that extend beyond individual privacy frameworks.

The comprehensive Māori Data Governance Model provides practical frameworks for implementing these obligations within a Tiriti-led approach to information management.

Moving forward

As data increasingly becomes a critical strategic asset, sovereignty concerns will continue to grow. Organisations operating in Aotearoa should consider how they can move beyond basic compliance perspectives to embrace wider ethical responsibilities of data handling.


At Catalyst, we maintain a commitment to onshoring Māori data under NZ legal jurisdiction only. We actively support the development of Mana Motuhake data systems that enable Māori to exercise genuine tino rangatiratanga over information resources.

Chris urges us to collectively recognise that data represents more than a mere commodity; it constitutes taonga requiring appropriate protection, respect, and committed kaitiakitanga.

Additional credits: Aleisha Amohia, Courtney Brown