A lack of clarity in Australia’s privacy laws may hinder Australia’s prospects of becoming a data centre-hub in Asia. Cloud providers frequently find it difficult to determine their obligations under the Privacy Act. Resolving this uncertainty now will put Australia in a better position to capture a slice of the global cloud computing industry.
As global technology heavyweights target Asia for deployment of data centre infrastructure, the contest for best jurisdiction is heating up.
Compared to front-runner Singapore, Australia is at a disadvantage as a potential data-hub thanks to high telecommunications costs and its location on Asia’s periphery, which results in higher network latency when servicing the Asian market.
Despite this, there is growing interest and investment in Australian-based data centre infrastructure which marks Australia as a viable alternative.
One factor trumpeted by the Australian Government as being in Australia’s favour is the stable political and regulatory environment. Indeed, Australia’s regulatory environment has been ranked fairly highly as against the 13 other jurisdictions in the Asia Cloud Computing Association’s 2012 Cloud Readiness Index (as shown in the table below).
Click here to view table.
While effective regulation is one of Australia’s traditional competitive strengths, the nation’s privacy regime is causing significant problems for those offering cloud computing services.
Australia’s privacy laws lack a distinction that exists in many foreign privacy regimes, namely, the distinction between a ‘data controller’, who has control over personal information and the purposes for which such information is used, and a ‘data processor’, who processes personal information at the direction and on the behalf of a ‘data controller’.
This makes it difficult for cloud computing providers (as processors of data) to determine their privacy obligations, and results in protracted contractual negotiations with customers over the allocation of risk associated with cloud providers breaching privacy obligations that they are not in a position to comply with.
Data controllers vs data processors
Organisations that collect personal information for their own use, for instance, from their customers, are generally subject to a broad range of privacy obligations. These organisations ‘control’ personal information, in that they collect the information for their own purposes, may access, update and use the information, and generally have some level of relationship with the individuals concerned.
In contrast, a cloud services provider will not have control over personal information stored or processed by customers on its servers, and will likely not have visibility into the data to determine whether it contains personal information. A cloud provider may provide cloud based software, platforms or infrastructure as a service to customers, who then may use such services to upload or handle personal information.
Many foreign privacy regimes differ from Australia’s Privacy Act in that they distinguish between data controllers and processors. Under the UK’s Data Protection Act 1998 and Singapore’s Personal Data Protection Act 2012, ‘data controllers’ are subject to the full range of legal obligations with respect to personal information (including with respect to collection, use, disclosure, accuracy etc.), and only very limited obligations are placed on ‘data processors’ (which are generally limited to ensuring that personal information is secure from unauthorised access or disclosure).
Regulatory uncertainty under the Privacy Act
The Privacy Act applies to Australian-based cloud providers who collect or hold personal information in Australia, but may also apply directly to foreign cloud vendors that store personal information in offshore data centres.
Australian customers will generally require foreign cloud providers to contractually undertake to comply with the Privacy Act, as it prohibits organisations sending personal information outside Australia unless certain exceptions apply, including that the organisation has ensured that the foreign entity receiving the information will comply with the Privacy Act.
Where a cloud provider is required to comply with the Privacy Act, it is difficult to determine which obligations apply, and how compliance is possible.
The Privacy Act makes no distinction between a data controller and a data processor in the privacy obligations contained in the National Privacy Principles (the “NPPs”, which apply to private companies), Information Privacy Principles (the “IPPs”, which apply to government agencies and their contractors) and the Australian Privacy Principles (“APPs”, which unify the NPPs and IPPs under recently passed privacy reforms that will come into effect in 2014).
Rather, the application of most of the obligations contained in the NPPs, IPPs and APPs apply to organisations depending on whether they ‘collect’, ‘use or disclose’, ‘hold’, or ‘possess or control’ personal information, or ‘transfer’ or ‘disclose’ personal information to an overseas recipient. As there is little guidance on the scope of these terms, cloud providers are left to determine on a case-by-case basis whether their processing of customer data triggers the application of an NPP, IPP or APP.
In many cases it appears that cloud providers are required to comply with obligations that they would find difficult, if not impossible, to comply with. For instance, by virtue of a customer’s data being physically stored on a cloud provider’s servers, the cloud provider arguably ‘holds’ or has ‘possession of’ any personal information stored within this data. This triggers obligations such as to provide access to such personal information, and to correct any inaccurate personal information, if requested by an individual to whom the information relates (under NPP6, IPP 6 and 7 and APP 12 and 13). A cloud provider will generally not have access or visibility of the personal information itself, which may be encrypted by the customer, and will be unable to fulfill this requirement without the assistance of its customer.
Another example is the restrictions on ‘use’ of personal information under NPP2, IPPs 9-11, and APP 6, which require among other things, that personal information only be used for the purpose for which it was collected. Cloud providers do not ‘use’ personal information for their own purposes, but rather process data containing such information in accordance with the instructions of their customer. As cloud providers do not collect personal information, they will not know the purpose for which it was collected or whether their processing of the information is outside the scope of this purpose. Again, the customer, as the ‘controller’ of the personal information, is the more appropriate entity to comply with such obligations.
Customers of cloud services also suffer from the regulatory uncertainty, in that cloud providers will seek to pass the risk of non-compliance back onto the customer in the form of indemnities and other contractual assurances. While customers are required to comply with the Privacy Act themselves, they may find themselves burdened with the additional risk of their cloud service providers’ non-compliance.
While Australia’s cloud industry is in its infancy, it has demonstrated strong potential by attracting the attention of some of the world’s largest technology companies. To make the most of this opportunity, Australia must play to the perceived strengths in its regulatory environment and ensure that clarity is given to the privacy obligations of cloud providers.