When Australians sign up for satellite internet from operators like Starlink or OneWeb, their data often travels in ways that bypass domestic regulation entirely. A report authored by the Australian Signals Directorate's Australian Cyber Security Centre in collaboration with the Australian Space Agency, the Canadian Centre for Cyber Security, the NSA, and the New Zealand National Cyber Security Centre has flagged a uncomfortable truth: some global satellite firms may be beyond the reach of Australian privacy law.
Optus struck a deal with SpaceX to employ the LEO satellite operator's Starlink constellation to deliver 100 percent mobile coverage across Australia, while Telstra concluded a deal with OneWeb to provide satellite backhaul to mobile base stations and also signed a deal with Starlink. Yet these operators need not be physically present in Australia to offer services. Regulatory approaches to these emerging services remain uneven and, in many markets, underdeveloped, with existing frameworks not designed for these new models, creating uncertainty for all communication providers, investors and consumers.
The core problem is straightforward. LEO constellations operate in highly distributed environments with limited physical access to space-based assets, increasing reliance on remote management and wireless communication links, making systems particularly susceptible to signal interference, data interception and exploitation of weak points across interconnected segments. Data doesn't stay in one jurisdiction; it bounces between satellites across international airspace before reaching ground stations anywhere globally.
This creates a sovereignty vacuum. Australia's Privacy Act 1988 (Cth) includes the Australian Privacy Principles (APPs), which set national standards for how personal information must be handled. But if a satellite operator routes your data through foreign ground stations and never establishes infrastructure in Australia, regulators struggle to enforce those rules. There is no international treaty specifically governing data privacy in space.
What the agencies recommend
The security advisory stops short of saying the problem is unsolvable. Instead, it shifts responsibility to the organisations using satellite services. Businesses should negotiate contractual terms upfront. These should include demands that operators keep encryption keys onshore, downlink data only to approved ground stations in jurisdictions Australia recognises, and isolate customer data at multiple network levels.
The guidance also addresses physical and cyber threats that sit beyond data sovereignty. LEO satellite constellations grow, the attack surface open to adversaries increases; LEO SATCOM systems face unique challenges due to their distributed architecture and limited physical access to space-based assets, and rely on radio frequency links that are susceptible to jamming, spoofing, and interception. For satellites, agencies recommend techniques such as frequency-hopping signals, anti-jam capabilities and redundant communication paths to maintain operational continuity, while ground systems should implement continuous monitoring and anomaly detection, and user devices and applications require stronger endpoint protection and secure access controls.
The counterargument
Not everyone agrees Australia should tighten rules immediately. LEO satellite constellations operate globally and modern satellite constellations utilise optical inter-satellite links to create a laser-based mesh network in space, with some providers planning to allow customers to route traffic exclusively through this space network, ensuring data only reaches ground level at the customer's terminal locations, strengthening security by preserving data sovereignty. Industry advocates argue that newer technologies already solve many of these problems without heavy-handed regulation.
There is force in that argument. The paper 'Regulatory Preparedness for Satellite Services' urges policymakers to take proactive steps to modernise regulatory frameworks and outlines five guiding principles to promote innovation, ensure consistent user protection across technologies, safeguard essential public-interest needs, support investment across communications networks, and build consumer trust. If Australia moves too aggressively, satellite firms might simply avoid serving the market, leaving rural Australians without the connectivity these systems now provide.
Yet there is also a reason for scepticism of that view. Australia has satellite operators already holding carrier licences and subject to domestic regulation. The question is whether new arrivals should face the same accountability. Starlink was not designed using traditional telecommunications principles which are necessary for legal interceptions and data sovereignty, raising real questions about whether existing licensing frameworks capture the full scope of the risk.
The advisory itself offers a middle path: not banning satellite services, but making clear that the burden rests on both operators and users to establish safeguards before data enters the system. Contracts matter. Encryption matters. Regular testing of incident response plans matters. In a connected world where satellites may soon handle the same critical infrastructure as ground networks, expecting everyone to trust blindly is no strategy at all. The Australian Cyber Security Centre's full advisory is available here.