Privacy revisions present risk for offshore clouds

Changes to privacy legislation under consideration by the Federal Government should pose serious concerns for businesses embracing cloud computing, according to a leading intellectual property lawyer.

A revised Privacy Principle 8, released in an exposure draft [PDF] [see page 17] in June 2010, creates new requirements for organisations outsourcing data that identifies Australian citizens to offshore data centres.

Specifically, Privacy Principle 8 requires that any organisation storing information that identifies Australian citizens in overseas data centres must ensure that the organisation hosting that data offers the same protections as what is stated in Australia's Privacy Principles.

Mark Vincent, partner at Truman Hoyle and one of the nation's foremost legal experts on cloud computing, told iTnews that organisations would be wise to conduct due diligence before outsourcing to foreign cloud computing platforms.

The world's largest cloud computing platforms - which include Amazon's EC2, Microsoft's Azure and Salesforce.com - do not host data in Australia but in Asian business centres such as Singapore.

The revised Privacy Principles won't be debated until mid-2011. But if passed, these laws could have serious repercussions for customers hosting data offshore.

"If an Australian company puts its consumer data - its private data - into the cloud, it has to make sure that the company it [hosts] it with has adequate safeguards with the equivalent of Australian Privacy Principles in place," Vincent said.

"If it doesn't take those steps to make sure this company is going to look after the data in the same way, and there is a breach, the Australian company under the exposure draft will be liable for the breach," Vincent said. "That's a new development that goes a lot further than existing Privacy Principles."

A believer

Vincent recognises the benefits of cloud computing - and believes that a combination of high speed broadband provided by a National Broadband Network combined with the agility of the cloud will prove attractive to his enterprise and government clients.

Vincent said the cloud opportunity "bring home the importance of the NBN to Australia.

"Right now it is pretty controversial how much is spent on [the NBN] and what form it takes - but having excellent data access for regional Australia - and for all Australian business - would seem to be an excellent idea with all the new opportunities around cloud computing," he said.

Vincent said it was vital Australian companies did their homework on the implications of using foreign clouds in terms of both foreign and domestic laws.

In terms of domestic law, data hosted overseas is already subject to requirements around data retention and document retention -  enforced in laws such as the Australian Taxation Act, Corporations Law or the existing Privacy Act.

"They all relate to the amount of data you have to keep, the length of time you have to keep it and where you have to keep it," Vincent said.

Governments in Asia equally "have a right to pass laws for everything that goes on in those countries," he said - laws that may be relevant to the data stored there.

"Third party Governments might require access to data," he warned.

Vincent advised organisations to address the "terms on which you collect data from your own customers, and make sure that those consents are adequate to allow you to use a cloud offering" before making the leap.

"And second, due diligence around the cloud provider and how they treat that data - whether it is the equivalent of Australian privacy protections required under our law."