Labor wants customer consent for offshore data storage

The Australian Labor Party has added new privacy provisions to its national policy platform that would force businesses to obtain consent from customers before hosting personal data in offshore cloud facilities.

The policy amendments would also see businesses and other organisations banned from hosting data in facilities located in jurisdictions that don’t match up with Australian privacy protections.

At the ALP national conference over the weekend, party members voted to add four new privacy positions to the Labor platform, including a resolution that Australians "retain ownership of their personal information".

"It is essential that Australians can have confidence that their information is securely stored and accessed and in ways that enshrine their rights as they exist under Australian law," the resolution read.

When in government, Labor passed a revision of the Privacy Act that gave the Privacy Commissioner new powers to fine businesses up to $1.7 million for serious breaches.

Its latest policy stance restates the party's commitment to demand organisations declare in a publicly-accessible privacy policy whether and where they store customer data offshore.

However, the new additions could potentially add onerous new regulations to the use of offshore cloud computing if Labor was to regain government and pass its new privacy demands into law.

The party's position is to require “entities who intend to store or allow access to Australians' personal information offshore secure the permission of those Australian before doing so”.

Labor also expects “entities storing or allowing access to Australians' personal information do so safely and securely where the rights of Australians in offshore jurisdictions is at least equal to those rights under Australian law”.

The existing Privacy Act adopts what is essentially an opt-out system where consent is implied if a customer chooses to provide their data to a business after accessing information on its offshore activities.

The Act also currently places the onus on businesses to satisfy themselves offshore storage arrangements are in keeping with their obligations under Australian law, and to fortify these responsibilities in any contracts they sign with cloud providers.

It does not, however, go as far as banning any particular location outright.

During its national conference, the ALP also said it would review the current government’s telecommunications data retention scheme if re-elected.

A review into the scheme - to be conducted 18 months following its commencement - is included in the existing legislation. Labor supported the passage of the laws through government.