Cloud Computing: Transborder Data Flows and Jurisdictional Issues
A WhitePaper by Nicholls Legal
I Introduction
Transborder data flows are a significant concern for those interested and involved in cyber-security and information privacy. The issue is given particular focus in the context of cloud computing, as it is often the case that information placed in the cloud will be transferred to or through, and stored in, offshore locations. Says economist Nicholas Gruen: ‘[a] key new source of risk for users on cloud computing services is that associated with the storage of data and the execution of transactions in foreign jurisdictions.’[1] This whitepaper examines government and industry responses to cross-border data flows in the context of cloud computing, and examines the interesting case of the United States Patriot Act and its implications for businesses and other organisations operating or looking to operate “in the cloud”.
II The Problem
Many jurisdictions impose strict regulations on the transfer and storage of data, especially personal and private data, offshore. In the context of cloud computing this creates significant difficulties as many cloud providers, especially larger providers, will often be based solely or partly overseas and operate overseas servers. For example, Amazon’s EC2, Microsoft’s Azure and Salesforce.com – do not host data in Australia but in Asian business centres such as Singapore.[2] Protection of personal and private data in accordance with domestic standards can become difficult or impossible when that data is transferred offshore. The Australian Law Reform Commission (ALRC) notes an example of these risks an incident where Australian Broadcasting Corporation employees ‘were allegedly offered for sale personal data of 1,000 Australians for around US$10 per person’.[3] This means that anyone dealing with private information and wishing to take advantage of cloud services must take proper precautions in order to not fall afoul of these regulations.
III Legislation and Industry Regulation
A Australian Legislation
1. Current Legislation
Currently the Privacy Act 1988 (Cth) (‘the Act’) provides the core protections for private data transferred outside Australia through its extra-territorial application and National Privacy Principle number 9 (NPP 9). Section 5B of the Act applies it to:
acts done, or practices engaged in, outside Australia by an organisation, if the act or practice relates to personal information about an Australian citizen or permanent resident and either the organisation:
- is linked to Australia by being a citizen; or a permanent resident; or an unincorporated association, trust, partnership or body corporate formed in Australia; or
- carried on a business in Australia and held or collected information in Australia either before or at the time of the act done or practice engaged in.
The purpose of this section is to ‘stop organisations avoiding their obligations under the Act by transferring the handling of personal information to countries with lower privacy protection standards.’[4] The section applies to organisations,[5] but not to government agencies.[6]
NPP 9, which was introduced in 2000 outlines the current requirements that must be satisfied before an organisation may transfer data to a ‘foreign country’. The aim is continued protection of data after it leaves Australian shores, and the principle was modelled on arts 25 and 26 of the European Union Data Protection Directive[7] (‘EU Directive’). Transfers to foreign countries must either occur with the consent of the individual whom the data concerns, be necessary for the fulfilment of a contract, occur for the benefit of an individual whose consent cannot be obtained or where the recipient of the information is ‘subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles’.[8]
However, NPP 9 does not apply to transfers between the same organisation that cross international borders, neither does it apply to transfers to organisations exempt from the operation of the Act, and transfers to states or territory governments not governed by privacy principles.[9] In their submission to the ALRC privacy enquiry, Professor Graham Greenleaf, Nigel Waters and Associate Professor Lee Bygrave asserted that ‘the six conditions under NPP 9 will generally be sufficient to allow any legitimate transfer overseas of personal information, even when those transfers may harm the interests of the data subjects concerned’.[10] Further submissions revealed to the ALRC that NPP 9 was deficient in a number of ways, including:
organisations transferring data are not liable for any subsequent breaches; the perceived weakness of the tests for a ‘reasonable belief’ (NPP 9(a)); the operation of consent in the context of cross-border data flows; the failure to address the transfer of personal information offshore by agencies; a lack of clarity as to how NPP 9 relates to other parts of the Privacy Act; and a lack of guidance for organisations as to what steps they must take to comply with NPP 9.
2. Revised Privacy Principles
The ALRC has noted that the growing ease of transferring data between countries has ‘forced jurisdictions to recognise that efforts to protect personal information should be harmonised,’[11] and that ‘[i]t is important for Australians to feel confident that if their personal information is transferred outside Australia, it will be protected to the same standard that they enjoy in Australia.’[12]
As such, in line with the criticisms of the above they recommended a number of changes to Australian privacy legislation which were subsequently reflected in the Exposure Drafts of Australian Privacy Amendment Legislation, reported on by the Senate Finance and Public Administration Committees in June 2011 (the ‘Senate Report’).[13] In particular, the suggested new ‘Australian Privacy Principle’ (‘APP’) number 8 adopts an accountability approach to protection of data, requiring that organisation storing information that identifies Australian citizens in overseas data centres must ensure that the organisation hosting that data offers the same protections as what is stated in Australia’s Privacy Principles. The principle envisages organisations will take a diligent approach to privacy protection before transferring data overseas:
before any actual cross border disclosure of personal information occurs, an entity must have put into place appropriate arrangements in relation to the information.
It is expected that entities will ordinarily have a contractual relationship with overseas recipients, and that contract would set out the obligations of the overseas recipient. The principle is also extended to agencies.[14]
The principle further provides that where a breach of the Privacy Act occurs:
- the overseas recipient’s act or practice will be taken to be that of the entity who disclosed the information to the overseas recipient; and
- the act or practice will be taken to be an interference with privacy for the purposes of the Privacy Act.
APP 8 also widens the coverage of the principle as opposed to NPP 9, changing the term ‘transfer’ to ‘disclose’ and applying the principle to government agencies, with some exceptions. As the Senate Report notes, the use of the term disclosure creates more clarity than transfer as:
the ordinary meaning of disclosure is to allow information to be seen rather than the implication of ‘transfer’ of a cross-border movement of information. This means that a disclosure will occur when an overseas recipient accesses information, whether or not the personal information that is accessed is stored in Australia or elsewhere.[15]