A relatively common misconception is that entities subject to the Australian Privacy Principles (APPs) can "outsource" their compliance obligations by transferring personal information to the cloud and into the possession of a third party cloud services provider. However, the APPs continue to apply to an entity in those circumstances. The entity may itself be liable if the services provider breaches the APPs. Businesses should be aware of and take steps to address these obligations and risks.

The Australian Privacy Principles continue to apply to data in the cloud

To understand the applicability of the APPs to data in the cloud, the concepts of "holding", "using" and "disclosing" personal information must be considered, within the meaning of the Privacy Act 1988 (Cth) (Act).

An entity is considered to "hold" personal information if it has possession or control of (ie, the right or power to deal with) a document or device containing the information (see s 6 of the Act and the Privacy Commissioner's Guidelines, Chapter B, [81]). The Privacy Commissioner also considers that an entity "holds" personal information where the entity has "outsourced the storage of [the] information to a third party but it retains the right to deal with it".

Which APPs apply in this context depends, to an extent, on the terms on which the information is transferred and/or stored in the cloud. Different APPs apply to "uses" of information, as opposed to "disclosures". A key factor generally distinguishing the two is whether or not the transfer releases the subsequent handling of the information from the entity's effective control. If so, the transfer will likely constitute a "disclosure"; if not, the transfer will likely constitute a "use".

Key APPs in relation to data in the cloud

  • APP 6 provides that entities can only use and disclose personal information for the purpose for which the information was collected, unless an exception applies.
  • Under APP 8 and s 16C of the Act, where an entity discloses personal information to an overseas cloud services provider, the entity will be liable for any acts of the services provider which amount to a breach of the APPs. Key exceptions apply where the individual has provided informed consent or where the services provider is subject to foreign laws which are at least substantially similar to the APPs.
  • APP 11 requires entities to take reasonable steps to protect personal information from misuse, interference and loss and from unauthorised access, modification or disclosure. In certain circumstances, entities are also required to destroy or de-identify personal information when the information is no longer needed for any permissible purpose.
  • Entities are also required under APP 12 to give individuals access (on request) to personal information about them, unless an exception applies.
  • Finally, entities must in certain circumstances correct and update personal information under APP 13.

Mandatory data breach laws in Australia

As we recently reported, the Federal Government introduced a bill last year, which will, once enacted, impose mandatory data breach reporting obligations on entities subject to the APPs in Australia. These obligations will apply to personal information which is held by such entities and will therefore extend to personal information transferred to the cloud which entities retain the right and power to deal with.

As we expect this bill to pass the Parliament at some stage during the course of this year, we recommend considering now the additional liability risks associated with transferring and storing data in the cloud in light of these foreshadowed laws as well as the APPs more generally.

Five tips for selecting and reviewing the performance of a cloud services provider

  1. Conduct adequate data security due diligence
     Given the ongoing applicability of the APPs and the expected commencement in Australia of mandatory data breach reporting, we recommend undertaking adequate due diligence of any existing or proposed arrangements with a cloud services provider, with a particular focus on the services provider's data security measures and relevant track record. This is more than mere "good practice" - a failure to conduct adequate due diligence might represent a failure to comply with the obligation under APP 11 to take reasonable steps to ensure the information is protected from loss or unauthorised access.
  2. Understand how data will be stored in the cloud
     If an entity's data is not clearly segregated in the cloud from the data of other entities, there may be increased risks of unauthorised or inadvertent access or disclosure occurring in relation to such data. The absence of clear data segregation may therefore give rise to greater liability risks.
  3. Ensure access rights are retained
     Some standard cloud services providers' contracts provide that a customer has no rights to access data which has been transferred and stored in the cloud. This is inconsistent with the obligations of entities subject to the APPs, which must give individuals access to personal information on request and update and correct personal information stored in the cloud in certain circumstances. Entities should therefore retain access rights to data which they transfer to the cloud.
  4. Be aware of the risks associated with overseas cloud services providers
     If an overseas cloud services provider is in a jurisdiction which has inferior data protection laws to the APPs, then there may be a higher risk that the services provider could act inconsistently with the APPs. An Australian customer subject to the APPs may itself be liable for such contravening conduct. On the other hand, the fact that an overseas services provider is located in a jurisdiction which has stronger data protection laws does not necessarily mean that the data subject is better protected - the effect of section 6A(4) of the Act is that if an overseas law enforcement agency lawfully accesses the data pursuant to the laws of the jurisdiction in question, the customer will be left with no remedy under Australian law. These risks should all be considered in selecting an overseas cloud services provider and adequately addressed in the terms of any agreement. The APP Guidelines also recommend that individuals be apprised of any such risk in advance.
  5. Maintain an up-to-date and compliant privacy policy
     We recommend that all entities, including those not subject to the APPs, should have a privacy policy in place which complies with the APPs. We believe that doing so will inevitably be in an entity's interests, including by improving data handling and management practices and helping build confidence and trust with existing and potential customers. Putting in place a compliant privacy policy should also lead to enhanced staff education and more focused consideration of relevant issues when relevant contractual arrangements with third parties are being reviewed and/or negotiated. The minimum requirements for a privacy policy are set out in APP 1.4.