"By regulating the geography where the data is held rather than the level of security under which it is held implicitly establishes criteria for data protection that are not related to principles of technology security.
While the data security part is right - location is irrelevant - the physical security and legal/jurisdictional security is another. Like who in their right mind would put national data in the US with legislation like the PATRIOT Act that affords nobody any protection from anything the government wants to do? That's just nutty.
Or any other place? Why would you put sensitive (national) data in the trust of foreign nationals and out of the physical reach of the Australian government?
Seems a tad wonky to me.