Federal moves to improve Australian privacy protections could be undermined by a growing use of international cloud services, a parliamentary committee has heard.
Several submissions to a Senate inquiry into the Privacy Amendment Bill 2012 indicated that the Government's proposed Australian Privacy Principle (APP) 8, regarding the cross-border disclosure of personal information, could be too difficult to enforce.
Queensland Law Society and the Australian Broadcasting Commission (ABC) said the increasing use of cloud services made it tough to decide what was reasonable.
The ABC raised concerns over the logistics of investigating and assessing any third-party partners to determine the location of their servers and the privacy protections in those regions.
The Law Institute of Victoria (LIV) expressed a similar concern about what was deemed practical and reasonable, given the complexity of APP 8.
LIV noted that APP 8(1) required entities -- such as Government agencies -- to take "reasonable" steps to ensure that overseas partners complied with APPs before sharing individuals' personal information with those partners.
But under APP 8(2)(a)(i), entities were "not bound to take reasonable steps to ensure that an overseas recipient ... does not breach the APPs", as long as the entity "reasonably believes" that the recipient would protect privacy in a “substantially similar way”, LIV wrote.
LIV questioned how Australian individuals might be able to access international privacy enforcement mechanisms, in practice.
It argued that such mechanisms might exist in theory, but "if it is time-consuming, expensive or not applied in a practical sense in the country of receipt, then it does not provide any meaningful protection to individuals".
LIV warned that Government agencies could avoid compliance with the APPs by entering into international agreements, highlighting the Department of Immigration and Citizenship's agreement with five countries to exchange biometric information as an example.
Telstra subsidiary Foxtel supported the protection set out in the new APP 8, but expressed concern over an organisation's responsibilities in the face of hacking.
"Foxtel remains concerned that where an organisation takes such reasonable steps, including reviewing its security controls and protocols, the accountability provisions may still apply even where access to the relevant information is unauthorised, such as by hacking," it wrote.
The organisation called for further legislative guidance to exclude unauthorised ‘disclosure’ from falling within the APP 8 accountability regime.
Several concerns aired in the parliamentary submissions were anticipated in an exclusive iTnews interview with Mark Vincent, partner at Truman Hoyle, in 2010.
Other submissions to the Senate committee questioned the complexity of the proposed privacy principles and the continued exemption of small business enterprises from the operation of the Act.
LIV argued that small business operators should not be exempt from privacy compliance obligations, asserting that the exemption did "not serve any rational policy as it would not diminish any regulatory burden on small businesses" under Victorian law.
Any exemptions should target the nature of the information collected, and not the size of the organisation that collects the information, LIV suggested.