Australia has joined a growing list of countries that have established laws to protect the privacy rights of their citizens in the Internet era, but which may create a legal conundrum when it comes to cloud computing.
Australia has actually had a Privacy Act in place since 1988, but has now taken steps to bring its law up to date with The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Reform Act) which passed through the Australian Parliament on 29 November 2012 and received royal assent on 12 December 2012. You can find updates about the Privacy Reforms on the Australian Government Office of the Australian Information Commissioner website.
This is part of a global trend of new privacy laws and updates to existing laws that haven’t been revised for the Internet age. And although the Aussie government has extended the deadline for compliance with the Act until March 12, 2014, enterprises that are either based in Australia, store data there, or have customers based there should be aware of the significant increase in penalties for non-compliance, which can be as much as $1.1 million (AUD).
While it remains to be seen whether the Australian government will actually go after enterprises for potential non-compliance, it is clear that it will not be targeting cloud providers for the penalties. The updated Privacy Act includes specific language about who is directly responsible for the security of Australian citizens’ personal data: the enterprises that hold the data, not the cloud providers. Even if you store the data offshore or use a cloud provider somewhere else, the owner of the data is still responsible under the updated Act, and the Australian government will come knocking if the data is compromised.
And in what’s becoming a familiar situation, the Australian Privacy Amendment Act can and probably will come into direct conflict with other countries’ data access laws, including the poster child of law enforcement access laws, the U.S. Patriot Act. For example, if the U.S. requires access to an Australian citizen’s personal data that was created in Australia and stored in the U.S., the two laws would be in conflict, and it’s not impossible to predict that the Australian government would simply levy a not insignificant fine on the Australian enterprise that holds the data.
As always, it’s important if you are working with a cloud provider to know where your data will be stored, and to encrypt that data before it leaves your enterprise to be stored elsewhere around the world.
You can find out more about how to comply with the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Reform Act) by watching the following webinar, “Concerned by Cloud Data Residency and Security Issues”, by Willy Leichter, a Cloud Security Advocate at CipherCloud.