Web-based e-mail such as Gmail and Hotmail and social networking websites such as Facebook are perhaps the most ubiquitous examples of cloud computing services. However, cloud computing services can be delivered through a multitude of models (including non-public models such as “private clouds” and “shared private clouds”). Although the term “cloud computing” does not have a precise meaning, it generally refers to information technology services such as web-based e-mail and social networking sites that:
  • are delivered via the Internet (the “cloud” being an icon for the Internet) and
  • typically have a de-centralised IT infrastructure (i.e., the supplier's data centres are spread across multiple, and sometimes offshore, locations).
Why Is Privacy An Issue? Concerns about privacy and control over data are often cited as the major impediments to the growth of cloud computing and its wide adoption by business in Australia. It is easy to understand why! Moving to the cloud means relinquishing a degree of physical control over your IT infrastructure and relying in part on your cloud service provider to ensure that your information is kept private and secure. If the data is stored in offshore locations, those locations may or may not be in countries that have privacy laws that are the same or similar to those in Australia. However, cloud computing models are not inherently incompatible with Australia's privacy laws or with privacy protection in general. In our experience cloud computing does not raise legal issues—especially in respect of compliance with Australian privacy laws—that are wholly new or even dissimilar to issues that also arise in other contexts (such as outsourcing and offshoring models) which are successfully managed by well-advised businesses. The National Privacy Principles Australia has federal, state and territory laws which generally adopt similar, although not identical, privacy principles. The principal piece of federal legislation, to which many organisations (including most private companies) are subject, is the Privacy Act 1988 (Cth). The Privacy Act sets out 10 National Privacy Principles (NPPs) that regulate the collection, use and disclosure of “personal information.” The Privacy Act defines personal information to mean “information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.” For example, some e-mail addresses, such as alec.christie@dlapiper.com, are personal information, but anonymous information, such as purely statistical data, is not. In the context of cloud computing, businesses that deal with personal information need to be especially mindful that:
  • NPP 4.1 (Data security) requires that an organisation must “take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure” and
  • NPP 9 (Transborder data flows) regulates the transfer by an organisation of personal information about an individual to a different entity, such as a parent company, in an offshore location. It permits offshore transfer only in a limited number of circumstances, such as where the individual consents or the organisation reasonably believes that the offshore recipient is subject to a law, scheme or contract which upholds principles similar to the NPPs.
Practical Ways To Address Privacy Obligations Businesses that rely on cloud computing services commonly address their obligations under the Privacy Act by obtaining consents from individual customers to process and store information about them in the cloud and by placing appropriate Australian specific contractual obligations of privacy on the cloud computing service supplier. From a privacy perspective, some of the most important matters for a business to fully investigate and understand when negotiating an agreement with a cloud computing service supplier include:
  • the types and sensitivity of the information that the business wants to put into the cloud (e.g. personal and/or confidential information about customers and employees);
  • what privacy and other obligations the business has with respect to the information (e.g. contractual or regulatory obligations);
  • the mechanisms and protections that the supplier has in place to protect and manage the information, including disaster recovery processes to protect against data loss;
  • the locations of the supplier's data centres and other infrastructure, and, if offshore locations are involved, what foreign laws will apply (e.g. whether there are laws, such as the USA PATRIOT Act, which will potentially allow the information to be accessed by a foreign government), and
  • the supplier's reputation and track record.
A business that enters into an agreement for a cloud computing service should ensure that the agreement places appropriate privacy-related obligations on the supplier. In particular, some of the appropriate obligations to consider will relate to:
  • retention of ownership of the information;
  • security arrangements to ensure that all information is safeguarded and secure, and rights to audit the supplier's compliance with the security arrangements;
  • reporting of information breaches, and indemnities with respect to losses resulting from privacy related breaches;
  • disaster-recovery measures to help protect against information loss;
  • storage of information only in nominated countries that have privacy protections that are compatible with Australian privacy law, and
  • rights to audit and access information, including a right to the return of information when the agreement ends.
The ability to demand and negotiate contractual measures and protections will depend in part on relative bargaining position, the contract value and the type of services. Accordingly, in some circumstances, a business may be forced to assess the risks of proceeding without certain privacy protections against the benefits it will receive from the cloud computing service. Conclusion As with other IT services, the use of a cloud computing service raises a variety of privacy, security, regulatory and other practical issues that need to be carefully addressed and managed. However, from a privacy perspective, the legal issues that arise in respect of cloud computing services are similar to issues that arise in the context of outsourcing and other IT service models and can, as in these other areas, be appropriately managed. Even so, it is crucial that your legal advisor fully understands the nature of cloud computing, including the privacy issues, and is able to tailor the legal protections in your agreement to fit the cloud computing service model. Coauthored by Laurence Marrie, a solicitor in the Intellectual Property & Technology Group at DLA Piper Australia, where he provides advice in relation to privacy and data security. Prior to becoming a lawyer, he designed and implemented commercial software for financial institutions and telecommunications providers.