The Illusion of Data Sovereignty: Why the ICC Sanctions Expose Australia's Digital Dependence

On August 24, 2025, the United States sanctioned judges and prosecutors of the International Criminal Court (ICC). These are people whose job is to investigate genocide, war crimes, and crimes against humanity. They have been sanctioned not for corruption, not for incompetence but for doing their jobs when those jobs threatened American interests. The European Union's response was unequivocal: "Attacks or threats against the Court, elected officials, personnel and those cooperating with the Court are not acceptable. The ICC must be able to work independently and impartially." Australia's response? Silence. 

This silence matters more than most Australians realise. While Canberra debates data sovereignty frameworks and AI governance policies, the ICC sanctions clarify something Australian policymakers seem determined to ignore: when American power conflicts with international norms, institutions crumble, no matter how legitimate, how necessary, or how protected they supposedly are. Australia's entire digital infrastructure operates under that same power structure.

I recently had an exchange with a lawyer about Australia's data sovereignty and the Cloud Act. He was confident, reassuringly so, citing bilateral agreements, legal frameworks, and institutional protections. His certainty reminded me of myself when I studied law and international law at university in France between 1994 and 1996. Back then, the international legal order seemed stable, predictable. Treaties mattered. Institutions had weight. The Westphalian system of sovereign states, refined through centuries of diplomacy and conflict, appeared to be evolving towards something more civilised: multilateral governance, rule of law, institutions that could constrain even the powerful.

The world has changed. The lawyer's confidence wasn't naïve. It was dated. He was operating with assumptions forged in an era when international law still commanded respect from great powers, when institutional frameworks provided meaningful constraints, when bilateral agreements between allied democracies actually protected the weaker party's interests. The ICC sanctions shatter those assumptions. If American judges and prosecutors can be personally sanctioned for upholding international law, why would Australian data protection frameworks fare any better?

The Infrastructure We Pretend to Control

While market share estimates vary significantly depending on whether analysts measure raw infrastructure (IaaS) or total services including software platforms (SaaS), the underlying concentration of American corporate control remains constant at roughly 80%. In 2025, the reality seems to be: Microsoft Azure and Amazon Web Services each command approximately 30% of Australia's cloud services market and are effectively neck-and-neck for market leadership. Add Google Cloud's 20.6%, and the three American companies control approximately 80% of Australian cloud infrastructure. The government's own Digital Transformation Agency ran one of the world's largest generative AI workplace trials using Microsoft 365 Copilot, issuing 5700+ user licenses across more than 60 government agencies. Our sensitive data, our critical government operations, our AI capabilities all run on infrastructure ultimately subject to US legal jurisdiction.

The Australian Taxation Office runs critical systems on Oracle Cloud. Defence systems increasingly rely on cloud infrastructure from American providers. Healthcare data migrates to AWS and Azure. The market is projected to grow from $23.96 billion in 2024 to $150.97 billion by 2033, a 20.21% compound annual growth rate, almost entirely captured by US companies.

From my discussions with peers, it seems we reassure ourselves that this is fine because the data sits in Australian data centres: Sydney, Melbourne, and Canberra in physical servers on Australian soil, regulated by Australian law, protected by our sovereignty. Except it isn't. In December 2021, Australia signed the "Agreement between the Government of Australia and the Government of the United States on Access to Electronic Data for the Purpose of Countering Serious Crime," the Australia-US Cloud Act agreement. It came into force on January 31, 2024.

The agreement is marketed as reciprocal. Australian agencies can request data from US providers, and US agencies can request data from Australian providers, for serious crimes punishable by at least three years imprisonment. It's sold as modernising cross-border evidence sharing, replacing slow Mutual Legal Assistance Treaties with efficient direct requests. What we're told is that this protects Australian sovereignty while enabling law enforcement cooperation. What the agreement actually does is remove legal barriers preventing US companies from complying with US government demands for data, regardless of where that data is physically stored.

The critical asymmetry is buried in the technical language. The US Cloud Act clarifies that American law enforcement can compel any US company to disclose data "in their possession, custody, or control," regardless of physical location. Microsoft, AWS, Google must comply with US legal demands. The physical location of the server is legally irrelevant.

Australia's Cloud Act agreement doesn't grant Australia equivalent extraterritorial reach. It grants Australian agencies the ability to request data from US providers operating in Australia, but the agreement includes specific restrictions. Australian authorities must consult US authorities before using obtained data in prosecutions involving matters such as unauthorised disclosure of information, racial vilification, or advocating terrorism where harm isn't imminent.

The Cloud Act agreement expires after five years unless renewed. Either party can terminate with one month's notice. It's not a treaty. It's not subject to full parliamentary review. It's an executive agreement that gives American intelligence and law enforcement direct access to data stored by American companies in Australia, while providing Australia conditional, supervised, revocable access in return.

Put this alongside what happened to the ICC. Those ICC judges and prosecutors operated within an international legal framework. They had institutional protections. They were investigating alleged crimes under the Rome Statute, ratified by 125 countries. The ICC is the world's premier permanent war crimes tribunal, created specifically to hold perpetrators accountable when domestic systems fail. None of it mattered.

When the Court's investigations threatened American interests, the United States imposed sanctions, not just on the institution, but on individual judges and prosecutors personally. Travel bans. Asset freezes.

Australian policymakers seems to operate under different assumptions. Microsoft's Australian subsidiary won't receive a National Security Letter from the FBI demanding access to data stored in Sydney. AWS won't comply with a Foreign Intelligence Surveillance Act court order overriding Australian privacy law. Google will choose Australian sovereignty over American legal compulsion.

The ICC judges thought their mandate protected them. Australian data sovereignty frameworks assume American respect for bilateral agreements. Recent history suggests otherwise.

Sovereignty in Practice: What Australia Actually Controls

Cloud infrastructure is just the beginning. Australia's financial sovereignty faces similar constraints. Visa and Mastercard dominate Australia's payment landscape.  Both are American companies, headquartered in the United States, processing transactions through US-based data centres even when both parties are Australian. Visa processes transactions through VisaNet at four secure data centres in Ashburn, Virginia, and Highlands Ranch, Colorado. When the US government weaponises these systems, as it has repeatedly with sanctions regimes, Australian transactions can be blocked regardless of Australian law or Australian interests.

The Society for Worldwide Interbank Financial Telecommunication handles critical messaging for Australia's high-value payment systems. While SWIFT is Belgium-based and overseen by G10 central banks through cooperative arrangements, it has been repeatedly weaponised for political purposes. Russian banks were excluded from SWIFT following the Ukraine invasion. Iranian banks were cut off. North Korean institutions blocked. The Reserve Bank of Australia participates in cooperative oversight arrangements for SWIFT, but this is consultation, not control. When geopolitical tensions escalate, Australia's voice in these "cooperative" frameworks carries exactly as much weight as our strategic importance to the dominant power.

Australia has no independent cross-border payment infrastructure. Banks rely on correspondent banking relationships, overwhelmingly with US financial institutions, to facilitate international transactions. US secondary sanctions regimes mean Australian banks must comply with American restrictions on third-party countries or lose access to dollar clearing.

If Australia's foreign policy diverged significantly from US interests (say, maintaining trade relationships with a country under American sanctions), our financial institutions would face an impossible choice: comply with Australian policy and lose access to international payment systems, or comply with US demands and override Australian sovereignty. We've built no hedge against this scenario because we've assumed it won't happen.

The Australian government's "sovereign cloud" initiatives remain largely aspirational. The Digital Transformation Agency certifies clouds for "protected" level workloads, but certification doesn't change legal jurisdiction. A certified American cloud provider is still subject to American law.

Australia's New Payments Platform, launched in 2018, provides real-time domestic payments.[24] It represents genuine achievement, but it's domestic only. For international transactions, Australia remains entirely dependent on Visa, Mastercard, SWIFT, and US correspondent banking. The Reserve Bank has explored linking the NPP with fast payment systems in other countries, but these remain exploratory discussions, not operational alternatives.

Australia manufactures essentially no critical technology components. No semiconductors. No telecommunications equipment. No satellite constellations. No undersea cables owned and operated by Australian entities. Unlike France, which has Law No. 68-678 of 26 July 1968 (French Blocking Statute amended in 1980 and modernised in 2022) prohibiting French entities from complying with certain extraterritorial foreign demands without government authorisation, Australia has no comparable legal architecture.

Some will argue Australia has benefited immensely from US digital infrastructure: efficiency, innovation, scale we couldn't build alone. This is true. The question isn't whether we've benefited, but whether permanent dependence serves long-term interests when power dynamics shift and when bilateral agreements prove as fragile as the ICC's institutional protections.

The Diagonal Partnership Alternative

France has attempted, with mixed success, to build technological and legal autonomy. French blocking statutes create legal frameworks for resisting certain extraterritorial demands. These aren't perfect. American economic pressure often prevails. But they provide options that Australia entirely lacks. Gaia-X, launched in 2019 by France and Germany, aims to create European cloud infrastructure complying with European data sovereignty requirements. OVHcloud, founded in France, provides a European alternative to American hyperscalers. These initiatives struggle with scale and investment compared to AWS or Azure, but they exist. They provide options.

Europe has SEPA (Single Euro Payments Area) for efficient cross-border euro transactions. Ongoing efforts aim to reduce dependence on Visa, Mastercard and SWIFT, including the European Payment Initiative working towards a unified European payment system. France and Europe have decided that strategic autonomy (the ability to act independently when interests diverge from larger powers) justifies the cost and inefficiency of building alternative infrastructure. Australia has optimised for efficiency and cost-effectiveness by outsourcing digital infrastructure entirely to American providers, assuming our interests will remain permanently aligned.

I propose a different approach, one that doesn't require Australia to build everything alone or choose between American and Chinese digital spheres. Australia, France and broader Europe, Canada, and other like-minded middle powers should forge explicit partnerships for digital infrastructure independence. Not as an anti-American bloc, but as democracies building strategic autonomy that serves long-term stability (see my previous post: When Empires Return: The Diagonal (Australia-France-Canada) as a Necessary Balance and The Diagonal of New Possibilities: Canada, France and Australia Forge a Path Forward).

These partners share democratic values without hegemonic ambitions. They offer complementary capabilities: French and European technology sovereignty initiatives, Canadian AI research leadership, Australian geographic positioning in Asia-Pacific. They face common vulnerability. All experience pressure from great powers (today the US, tomorrow potentially China or India) to subordinate sovereignty to alignment. Together they possess economic scale: combined GDP and market size sufficient to support alternative infrastructure development.

Rather than separate national clouds, we could create a federated "democratic cloud" alliance. Data physically stored in member countries, legally governed by democratic frameworks that prioritise privacy and sovereignty, with mutual recognition of certifications and compliance standards. We could link NPP with Canada's Real-Time Rail and European instant payment systems into a democratic-nations fast payment network. Canada and Australia could pioneer Pacific-Atlantic payment corridors that bypass US systems for bilateral trade.

Pooled R&D resources for critical technologies (semiconductors, telecommunications, satellite systems) wouldn't match American or Chinese scale, but would ensure alternatives exist when needed. France's semiconductor initiatives, Canada's AI expertise, Australia's critical minerals could integrate into supply chains without single-point dependencies.

Blocking statutes recognised across member nations would provide collective weight. If an Australian company faces extraterritorial US demands conflicting with Australian interests, Canadian and French legal frameworks support resistance. Collective diplomatic weight matters more than individual objections. "Democratic data governance" certification could become a third option beyond US surveillance capitalism and Chinese state control models. Privacy-first, sovereignty-respecting, individual-rights-protecting frameworks that smaller nations can adopt without choosing a hegemon. This isn't about replacing American alliances. My vision is about having options when those alliances create conflicts between security dependence and sovereignty preservation.

The AI Governance Test and Infrastructure Costs

AI governance provides an immediate test of whether Australia can build sovereignty or remains perpetually dependent. Australian AI development happens overwhelmingly on American cloud infrastructure, using American models (GPT, Claude, Gemini) subject to American legal frameworks. Our AI governance legislation, however well-crafted, can be overridden by US legal demands via the Cloud Act. Training data stored on AWS and Azure becomes accessible to US authorities regardless of Australian privacy law. Models themselves remain proprietary, US-controlled, and can be denied access at any time. GPU clusters are predominantly American-owned or operated. Enforcing algorithmic accountability becomes difficult when you don't control the infrastructure.

If Australia were serious about digital sovereignty (not as rhetoric but as operational capability), the costs would be significant but contextual. Australia's AUKUS partnership involves estimated costs of $268-368 billion over three decades for nuclear-powered submarines. Digital sovereignty is arguably more immediately relevant to national security.

Legal architecture would require minimal investment: draft and legislate blocking statutes modelled on French and EU frameworks, create legal mechanisms for Australian companies to resist conflicting extraterritorial demands, establish reciprocal deterrence tools, renegotiate the Cloud Act with explicit limits on US access and genuine reciprocity requirements. Infrastructure investment over ten years represents the substantial component.

Based on the scale of comparable European infrastructure initiatives, estimated costs would include: building sufficient sovereign cloud capacity for government, defence, critical infrastructure, and sensitive AI workloads in partnership with Canadian, French, and European providers ($15-25 billion); expanding NPP internationally and linking with democratic partner systems ($5-10 billion); co-investing in undersea cables with democratic partners and developing satellite capacity ($5-10 billion); joining European chip initiatives and developing Australian capacity for packaging and testing ($5-10 billion).

Coalition building requires diplomatic effort rather than dollars: formalise diagonal partnerships, create institutional frameworks for collective digital sovereignty, develop mutual recognition of data governance standards, establish collective bargaining power for technology procurement and regulation. Regulatory frameworks would require mandatory sovereignty impact assessments for government technology procurement, critical infrastructure designation for cloud services with foreign ownership restrictions, data localisation requirements with enforcement mechanisms carrying meaningful penalties, and public transparency on foreign access to Australian data.

The Question for Australia

The ICC sanctions demonstrate how power operates when institutional independence conflicts with great power interests. For Australia, the question is straightforward: do we want sovereignty or the performance of sovereignty? Actual sovereignty (the ability to make independent decisions in domains that matter) requires infrastructure that supports it. Cloud systems we can access when American companies receive conflicting legal demands. Payment infrastructure that functions when geopolitical tensions disrupt US-controlled systems. Technology supply chains with diversity beyond single-nation dependencies. Legal frameworks that refuse extraterritorial demands backed by something more substantial than hope. Partnerships with nations that share our predicament and our values.

If we're comfortable with performance (writing impressive AI governance frameworks and data protection legislation that evaporate when they conflict with American legal demands), then we can continue as we are. It's cheaper. More efficient. And works perfectly until circumstances change.

The lawyer I spoke with was confident because the frameworks look robust on paper. The Cloud Act agreement reads like a partnership. The data centre certifications appear meaningful. The sovereignty rhetoric sounds convincing. When I studied international law in the 1990s, the ICC looked robust too. International institutions seemed protected. Treaties appeared binding. The arc seemed to bend towards multilateral governance.

Australia faces a choice: adapt to changed circumstances, or discover too late that we've built a digital infrastructure serving everyone's interests except our own. Institutional frameworks provide protection until they encounter conflicting power. International agreements matter until they conflict with great power interests. Independence receives respect until it becomes inconvenient. 

Australia is building an entire digital future assuming our interests and America's will remain permanently aligned. The sanctioned judges of the International Criminal Court suggest this assumption deserves reconsideration.