The new Australian Privacy Principles (APPs) came into effect on 12 March 2014. In APP 8, they introduce a new 'accountability' approach to cross-border disclosures of personal information. 

The Office of the Australian Information Commissioner (OAIC) has indicated that an entity using a cloud service provider will not be required to comply with APP 8 if personal information is not 'disclosed' to the cloud service provider. However, this may lead to some counter-intuitive and probably unintended consequences. As a result, any entity that uses, or is contemplating using, cloud service providers will need to consider whether or not APP 8 applies to the arrangement and how this impacts on the steps required to make sure that the arrangement is privacy compliant.  

Background

The new APPs

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 introduced significant changes to the Privacy Act 1988 (Cth) (Privacy Act), including a new and more cohesive set of privacy principles – the APPs. The APPs replace the Information Privacy Principles that applied to Commonwealth government agencies and the National Privacy Principles that applied to the private sector.

Who do the APPs apply to?

The APPs apply to Commonwealth government agencies and all Australian businesses with an annual turnover of $3 million or more. They also apply to small businesses (with an annual turnover of less than $3 million) that are:     

  • health service providers
  • organisations trading in personal information
  • organisations related to a larger body corporate
  • contractors providing services to the Commonwealth government
  • 'reporting entities' for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth)
  • operators of residential tenancy databases.

The entities to which the APPs apply are collectively called 'APP entities'. In this article, we have used the shorthand term 'Australian Entities'.  

What do the APPs regulate? 

The APPs regulate the manner in which 'personal information' is collected, used, disclosed and otherwise handled. 'Personal information' means information or an opinion about an identified individual (or an individual who is reasonably identifiable), whether the information or opinion is true or not and whether it is recorded in a material form or not.

What is cloud computing?

In basic terms, cloud computing is information technology infrastructure that hosts applications, software, computing platforms and/or data at offsite data centres which are accessed via the internet, rather than being hosted on and accessed through a local computer's hard drive or local dedicated server. The servers used in a cloud platform may be located in Australia or overseas.

The benefits of cloud computing systems include the ability to store, process and make available large amounts of data more cost effectively, scalably, flexibly and securely than by conventional owner-operator models. 

However, cloud services also raise privacy concerns, because they can involve the transfer of data by an Australian Entity to a third party, and the storage of that data on servers located remotely and outside the Australian Entity's or an Australian regulator's control.

How do the APPs impact on cloud computing?

Australian Entities using cloud computing services which utilise servers located outside of Australia need to be particularly mindful of APP 8, which sets out the steps an Australian Entity must take to protect personal information before it is disclosed overseas, as well as APP 1.4 and 5.2, which relate to the content of privacy policies and privacy collection statements.

APP 8 - Cross-border disclosure of personal information

(a)   General rule

As a general rule, APP 8 provides that, where an Australian Entity discloses personal information to an overseas recipient, it must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to the information (APP 8.1). 

APP 8 does not apply:  

  • if the Australian Entity sends personal information to one of its own offices overseas (although it will apply if personal information is sent to a foreign related body corporate of the Australian Entity)
  • if the Australian Entity sends personal information to the individual to whom that information relates
  • if there is no 'disclosure' of personal information (this is considered under heading (c) below).

APP 8.1 has to be read with the new section 16C of the Privacy Act, which provides that, if an Australian Entity discloses personal information to an overseas recipient under APP 8.1, the Australian Entity will remain liable for any breach of the APPs by the overseas recipient in relation to that personal information (unless the overseas recipient is itself subject to the APPs in relation to that information).

What are 'reasonable steps'?

The OAIC has released APP Guidelines, which are not legally binding but outline the OAIC's interpretation of the APPs. The APP Guidelines state that it is generally expected that an Australian Entity will enter into an enforceable contractual arrangement with the overseas recipient that requires the recipient to handle the personal information in accordance with the APPs (other than APP 1). The guidelines indicate that the contractual arrangements might also include:  

  • the types of information to be disclosed and the purpose of disclosure
  • a requirement that the overseas recipient include the same privacy provisions in any contractual arrangements with subcontractors
  • a complaint handling process for privacy complaints
  • a requirement that the overseas service provider notify the Australian Entity if there is a breach of the APPs.

Other issues Australian Entities should consider including are:  

  • the locations at which the information will be stored (if practicable to specify)
  • segregation of the Australian Entity's data from the data of third parties, to avoid inadvertent disclosure
  • security arrangements and safeguarding of the personal information
  • audit requirements to ensure compliance with the APPs.

In some cases, it will be difficult to negotiate the terms of the arrangements with cloud providers.

The APP Guidelines state that whether 'reasonable steps' require a contract to be entered, the terms of the contract and the steps taken to monitor compliance with the contract depend on the particular circumstances, including:

  • the sensitivity of the personal information
  • the Australian Entity's relationship with the overseas service provider and whether personal information has been disclosed to that provider before
  • the possible adverse consequences for an individual if the information is mishandled by the overseas service provider
  • existing technical and operational safeguards implemented by the overseas recipient
  • the practicability, time and cost involved in taking particular steps to safeguard personal information.

(b)  Exceptions to the general rule in APP 8.1 and section 16C

An Australian Entity will not be responsible for APP breaches by an overseas recipient under section 16C if:  

  • the overseas recipient is itself subject to the APPs in relation to the personal information (ie because it has an Australian link and is subject to the Privacy Act)
  • an exception in APP 8.2 applies. 

The three main exceptions in APP 8.2 which are relevant in the cloud computing context are:   

  • equivalent law or binding scheme - where the Australian Entity reasonably believes the overseas recipient is subject to a law or a binding scheme that protects the personal information in a way that is at least substantially similar to the way in which the APPs protect personal information in Australia and there are mechanisms the individual can access to take action to enforce the protection of the law or binding scheme (Australian Entities will generally need to seek legal advice to determine whether this is the case, as the OAIC has not published a list of 'safe' overseas jurisdictions)
  • informed consent - where the individual consents to the disclosure, having been expressly informed that, if they consent, APP 8.1 will not apply to the disclosure
  • required or authorised by law - the disclosure is required or authorised by or under an Australian law or court/tribunal order.

(c)   When there is no 'disclosure' to the cloud service provider

APP 8 only applies if there has been a 'disclosure' of personal information to an overseas recipient.  'Disclosure' is not defined in the Privacy Act, but the APP Guidelines state that 'An APP entity discloses personal information when it makes it accessible to others outside the entity and releases the subsequent handling of the information from its effective control'.

The APP Guidelines also indicate that providing personal information to an overseas cloud service provider may not amount to a disclosure in certain circumstances, where the provider is only providing storage services:

8.14   However, in limited circumstances providing personal information to an overseas contractor to perform services on behalf of the APP entity may be a use, rather than a disclosure. This occurs where the entity does not release the subsequent handling of personal information from its effective control. In these circumstances, the entity would not need to comply with APP 8.  For example, where an APP entity provides personal information to a cloud service provider located overseas for the limited purpose of performing the services of storing and ensuring the entity may access the personal information, this may be a ‘use’ by the entity in the following circumstances:   

  • a binding contract between the entity and the provider requires the provider only to handle the personal information for these limited purposes
  • the contract requires any subcontractors to agree to the same obligations
  • the contract gives the entity effective control of how the personal information is handled by the overseas recipient. Issues to consider include whether the entity retains the right or power to access, change or retrieve the personal information, who else will be able to access the personal information and for what purposes, what type of security measures will be used for the storage and management of the personal information (see also APP 11.1, Chapter 11) and whether the personal information can be retrieved or permanently deleted by the entity when no longer required or at the end of the contract.

8.15  Where the provision of personal information to an overseas contractor is a use, the APP entity must comply with the APPs when the entity or the contractor handles the information. Any acts or practices undertaken by the contractor on behalf of the entity will generally be treated as having been done by the entity (s8(1)).

It is worth noting that this interpretation in the APP Guidelines is (like all Guidelines) not legally binding and has been questioned by some.

What are the consequences if there is no 'disclosure'?

Ironically, if the interpretation above is correct and the circumstances outlined in paragraph 8.14 of the APP Guidelines apply (so that the provision of information to a cloud service provider is a 'use' rather than a 'disclosure'), the Australian Entity will generally be in a worse position than it would be if APP 8 applied.

This is because, as set out in paragraph 8.15 of the APP Guidelines, the acts and practices of the cloud provider will be taken to be the acts or practices of the Australian Entity. As a result, the Australian Entity will be liable for any APP breaches by the cloud provider in much the same way as it would be if section 16C applied. Further, the Australian Entity will not necessarily be absolved if the cloud provider is itself subject to the APPs, as it would be under section 16C, and it will not be able to rely on the exceptions in APP 8.2.

As a result, the Australian Entity which is not 'disclosing' information should still take reasonable steps to ensure the cloud provider complies with the APPs (other than APP 1), in much the same way as required by APP 8.1.

On the other hand, if the use of cloud services is not a 'disclosure' to an overseas entity, the requirements of APP 1.4 and APP 5 (considered below) will not need to be met, so in this sense the Australian Entity's obligations are reduced.

Other APP considerations in the cloud computing context

Other APPs that Australian Entities should be particularly aware of when considering cloud computing options are:  

  • APP 1.4, which requires Australian Entities to have a clearly expressed and up to date policy about their management of personal information, including information about whether the Australian Entity is likely to disclose personal information to overseas recipients and, if so, the countries in which recipients are likely to be located (if it is practicable to specify them).
  • APP 5, which requires Australian Entities to advise individuals of additional matters when their personal information is collected, including whether the information is likely to be disclosed to overseas recipients and, if so, the countries in which those recipients are likely to be located (if it is practicable to specify them).

In both cases, specifying the countries in which recipients are located may be difficult in the cloud context if an overseas service provider mirrors (or saves) information in multiple locations around the world. This will need to be considered and addressed on a case by case basis, as it will depend on the actual services being provided.

The APP Guidelines provide some assistance in relation to when it may be impracticable to specify the countries in which overseas recipients are located.  For example, in relation to privacy policies, the Guidelines state:  

  • 1.30  An example of when it may be impracticable to specify the countries in which overseas recipients of personal information are likely to be located is where personal information is likely to be disclosed to numerous overseas recipients and the burden of determining where those recipients are likely to be located is excessively time-consuming, costly or inconvenient in all the circumstances.  However, an APP entity is not excused from specifying the countries by reason only that it would be inconvenient, time-consuming or impose some cost to do so.  As in other examples, it is the responsibility of the entity to be able to justify that this is impracticable.
  • 1.31  If personal information is disclosed to numerous overseas locations, one practical option may be to list those countries in an appendix to the APP Privacy Policy rather than in the body of the policy. Another option in these circumstances may be to include a link in the APP Privacy Policy to a regularly updated list of those countries, accessible from the APP entity's website. Where it is not practicable to specify the countries, the entity could instead identify general regions (such as European Union countries).

Similar guidance is provided in relation to privacy collection statements (at paragraphs 5.30 to 5.32).

Additional considerations for agencies

Commonwealth agencies considering adopting cloud computing arrangements will also need to comply with applicable government guidelines. For example, the Australian Government Policy and Risk management guidelines for the storage and processing of Australian Government information in outsourced or offshore ICT Arrangements, released by the Attorney-General's Department in July 2013, set out the approvals required depending on the type of cloud arrangement being used and the sensitivity of the information involved.

Conclusion

There are many benefits to using cloud service providers, but there are also a number of risks, including in relation to privacy compliance with the APPs.

We recommend Australian Entities undertake a privacy impact assessment and ask questions of cloud service providers before adopting cloud service providers' agreements to make sure the privacy implications of the particular model of cloud service provision have been identified and appropriate steps are taken to ensure privacy compliance.