What Australian businesses need to know about cloud compliance

From ZDNet:  Australia often draws up regulation based on tried and tested laws from around the world. But there are times when the country pushes for bold new legislation that may be out-of-step with our technology-centric modern society.

Prime examples of these include changes to its Privacy Act, which have taken four years to reach parliament after recommendations were made, and the glaring omission of powers for the Privacy Commissioner.

However, it does opt for voluntary codes, allowing industry to self-regulate at times and, in cases such as the iCode, has arguably set a precedent for other countries to follow.

Cloud legislation and the US Patriot Act

A common misunderstanding around cloud compliance and regulatory conformance is the belief that data must stay within Australia. There are currently no cloud-specific laws prohibiting an organisation from using an offshore cloud provider. Many choose not to, however, because data held offshore may be exposed under the foreign country's legislation, which could in turn leave the organisation subject to penalties under the Privacy Act. The US Patriot Act is the most commonly cited example: it could, in theory, allow US authorities to obtain data held in a US-owned datacentre, even though the data itself is "Australian-owned".

Organisations are not legally obliged to use only local cloud providers, which can often be more expensive or less developed than their overseas counterparts, but the perceived risk and potential reputational fallout make this an issue that rates just as highly as the compliance and regulatory ones.

This does not, however, mean that organisations can shirk their obligation to customers to be careful about which cloud providers they use. Although not in effect until 2014, the new Australian Privacy Principles (APPs), which replace the public-sector Information Privacy Principles and the private-sector National Privacy Principles with a single set of rules, state that before an organisation governed by the Privacy Act discloses personal information to an overseas recipient, it must take reasonable steps to ensure that the recipient does not breach the APPs, or at least protects the information in a comparable manner.

As the new principles have yet to come into effect, we are yet to see publicised cases in which companies have argued over whether, for example, US privacy legislation is equivalent to Australia's, even with mechanisms such as the Patriot Act in place, and whether off-shoring customer data is therefore compliant with the Privacy Act.

Mandatory data breach-notification legislation

In 2008, as part of an inquiry into Australia's Privacy Act, the Australian Law Reform Commission (ALRC) raised the issue of introducing mandatory data breach-notification legislation. Under the ALRC's recommendations, organisations that experienced a data breach would be legally obligated to notify the relevant parties of what had happened. The exact details of who should be informed, and with what information, are still a matter of continuing debate, as is whether the legislation is needed at all.

The Attorney-General's Department called for public submissions on the proposed laws in October 2012. Some of the submissions argued that running additional privacy reforms in concert with the notification proposal could result in the notification laws being rushed through and overshadowed by the wider reforms. The Attorney-General's Department is yet to hand down its report on the matter.

An exception to the rule applies to Australia's personally controlled electronic health record (PCEHR) system, which is still being developed. Under this system, organisations dealing with eHealth records are required by law to notify the system operator, currently the Secretary of the Department of Health and Ageing, as soon as they become aware that a breach has occurred. The system operator is the only entity permitted to inform those affected by the breach.

Privacy Commissioner’s new powers

Recently passed privacy reforms will grant the Australian Privacy Commissioner new powers. These were viewed as sorely needed after it came to light that, under the existing legislation, the Office of the Australian Information Commissioner had no means of penalising organisations that breached the Privacy Act.

Under the former legislation, the Privacy Commissioner could force an organisation to compensate an individual whose privacy had been breached, but only when that individual had lodged a complaint. Where the Privacy Commissioner opened an investigation on its own initiative, without a complainant, it could do no more than point out that the organisation had breached the Privacy Act, as it had no power to impose any form of penalty.

While the Privacy Commissioner has not seen a case where an organisation openly exploited the fact that there were no legal repercussions for continuing to leak data after a breach, the loophole could in theory have been used by companies that found it more cost-effective to pay out individual complainants than to fix their security.

Voluntary iCode

While not a legal requirement, a large proportion of the major internet service providers (ISPs) in Australia have adopted the voluntary iCode, governed by the Internet Industry Association. The code is designed to stop users whose machines have unknowingly become infected with malware from doing further damage to others. Participating ISPs place such users within a "walled garden" that restricts their access to the wider internet and alerts them to the fact that they are infected with malware that could be harmful to others.

To ensure that customers can continue to seek help online, they are given the option to proceed regardless; the aim of the code is to educate the user rather than to take away a service they have agreed to.

The code has attracted feedback and support from the Australian government, and its review committee has been looking at involving hardware vendors.

The iCode has also been proposed for introduction in South Africa.

Data retention legislation

Data retention is fast becoming a significant issue in Australia. The Attorney-General's Department has put forward a proposal to compel ISPs to retain customer data for two years. Both the retention period and the type of data to be retained have long been debated. On the data side, the emphasis has been on storing only metadata, such as IP addresses and who a communication was addressed to, rather than the actual content of the traffic.

Law enforcement agencies, such as the Australian Federal Police (AFP), are strong supporters of a data retention scheme, with AFP Assistant Commissioner Neil Gaughan saying in August last year that, “without data-retention laws, law enforcement cannot work out criminal associations”.

The data retention debate follows cybercrime legislation that already allows law enforcement agencies to require ISPs to capture and store data on customers who are suspects, even without a warrant. The stored information can only be handed over once a warrant has been obtained.

Such legislation was met with initial resistance from the ISPs themselves, who said they would not be ready to implement such systems in the time frames demanded by government. At the time of the discussions, Telstra complained that implementing such logging systems would "involve significant amendments to our network and IT systems" and require "a reconsideration of capital programs, and business planning programs within the business". A little under a year later, the same ISP reversed its position, stating that the requirement was "not a bigger impost" on it.
