"Transborder Dataflows and Jurisdictional Issues in the Cloud - Australia"


By giovaniecco - Posted on 31 October 2012

Authors: MASCHMEDT, Alex; NICHOLLS, Matthew.

 

 

Transborder data flows are a significant concern for those interested and involved in cyber-security and information privacy. The issue is given particular focus in the context of cloud computing. A key new source of risk for users on cloud computing services is that associated with the storage of data and the execution of transactions in foreign jurisdictions. This whitepaper examines government and industry responses to cross-border data flows in the context of cloud computing.
Cloud Computing: Transborder Data Flows And Jurisdictional Issues - A Whitepaper by Nicholls Legal

I Introduction

Transborder data flows are a significant concern for those interested and involved in cyber-security and information privacy. The issue is given particular focus in the context of cloud computing, as it is often the case that information placed in the cloud will be transferred to or through, and stored in, offshore locations. Says economist Nicholas Gruen: ‘[a] key new source of risk for users on cloud computing services is that associated with the storage of data and the execution of transactions in foreign jurisdictions.’ This whitepaper examines government and industry responses to cross-border data flows in the context of cloud computing, and examines the interesting case of the United States Patriot Act and its implications for businesses and other organizations operating or looking to operate “in the cloud”.

II The Problem

Many jurisdictions impose strict regulations on the transfer and storage of data, especially personal and private data, offshore. In the context of cloud computing this creates significant difficulties as many cloud providers, especially larger providers, will often be based solely or partly overseas and operate overseas servers. For example, Amazon’s EC2, Microsoft’s Azure and Salesforce.com do not host data in Australia but in Asian business centers such as Singapore. Protection of personal and private data in accordance with domestic standards can become difficult or impossible when that data is transferred offshore. The Australian Law Reform Commission (ALRC) notes as an example of these risks an incident where Australian Broadcasting Corporation employees ‘were allegedly offered for sale personal data of 1,000 Australians for around US $10 per person’. This means that anyone dealing with private information and wishing to take advantage of cloud services must take proper precautions in order to not fall afoul of these regulations.

III Legislation and Industry Regulation

A Australian Legislation

1. Current Legislation

Currently the Privacy Act 1988 (Cth) (‘the Act’) provides the core protections for private data transferred outside Australia through its extra-territorial application and National Privacy Principle number 9 (NPP 9). Section 5B of the Act applies it to: 

"acts done, or practices engaged in, outside Australia by an organization, if the act or practice relates to personal information about an Australian citizen or permanent resident and either the organization:
• is linked to Australia by being a citizen; or a permanent resident; or an unincorporated association, trust, partnership or body corporate formed in Australia; or
• carried on a business in Australia and held or collected information in Australia either before or at the time of the act done or practice engaged in.
The purpose of this section is to ‘stop organizations avoiding their obligations under the Act by transferring the handling of personal information to countries with lower privacy protection standards.’ The section applies to organizations, but not to government agencies."

NPP 9, which was introduced in 2000, outlines the current requirements that must be satisfied before an organization may transfer data to a ‘foreign country’. The aim is continued protection of data after it leaves Australian shores, and the principle was modeled on arts 25 and 26 of the European Union Data Protection Directive (‘EU Directive’). Transfers to foreign countries must either occur with the consent of the individual whom the data concerns, be necessary for the fulfillment of a contract, occur for the benefit of an individual whose consent cannot be obtained, or occur where the recipient of the information is ‘subject to a law, binding scheme or contract which effectively upholds principles for fair handling of the information that are substantially similar to the National Privacy Principles’.

However, NPP 9 does not apply to transfers within the same organization that cross international borders, to transfers to organizations exempt from the operation of the Act, or to transfers to state or territory governments not governed by privacy principles. In their submission to the ALRC privacy enquiry, Professor Graham Greenleaf, Nigel Waters and Associate Professor Lee Bygrave asserted that ‘the six conditions under NPP 9 will generally be sufficient to allow any legitimate transfer overseas of personal information, even when those transfers may harm the interests of the data subjects concerned’. Further submissions revealed to the ALRC that NPP 9 was deficient in a number of ways, including:

"organizations transferring data are not liable for any subsequent breaches; the perceived weakness of the tests for a ‘reasonable belief’ (NPP 9(a)); the operation of consent in the context of cross-border data flows; the failure to address the transfer of personal information offshore by agencies; a lack of clarity as to how NPP 9 relates to other parts of the Privacy Act; and a lack of guidance for organizations as to what steps they must take to comply with NPP 9."

2. Revised Privacy Principles

The ALRC has noted that the growing ease of transferring data between countries has ‘forced jurisdictions to recognize that efforts to protect personal information should be harmonized,’ and that ‘[i]t is important for Australians to feel confident that if their personal information is transferred outside Australia, it will be protected to the same standard that they enjoy in Australia.’ 

As such, in line with the above criticisms, the ALRC recommended a number of changes to Australian privacy legislation which were subsequently reflected in the Exposure Drafts of Australian Privacy Amendment Legislation, reported on by the Senate Finance and Public Administration Committees in June 2011 (the ‘Senate Report’). In particular, the suggested new ‘Australian Privacy Principle’ (‘APP’) number 8 adopts an accountability approach to protection of data, requiring that an organization storing information that identifies Australian citizens in overseas data centers ensure that the organization hosting that data offers the same protections as those stated in Australia’s Privacy Principles. The principle envisages organizations will take a diligent approach to privacy protection before transferring data overseas:

"before any actual cross border disclosure of personal information occurs, an entity must have put into place appropriate arrangements in relation to the information."

It is expected that entities will ordinarily have a contractual relationship with overseas recipients, and that contract would set out the obligations of the overseas recipient. The principle is also extended to agencies. 

The principle further provides that where a breach of the Privacy Act occurs:

• the overseas recipient’s act or practice will be taken to be that of the entity who disclosed the information to the overseas recipient; and
• the act or practice will be taken to be an interference with privacy for the purposes of the Privacy Act.

APP 8 also widens the coverage of the principle as opposed to NPP 9, changing the term ‘transfer’ to ‘disclose’ and applying the principle to government agencies, with some exceptions. As the Senate Report notes, the use of the term disclosure creates more clarity than transfer as:

"the ordinary meaning of disclosure is to allow information to be seen rather than the implication of ‘transfer’ of a cross-border movement of information. This means that a disclosure will occur when an overseas recipient accesses information, whether or not the personal information that is accessed is stored in Australia or elsewhere."

3. Implications of APP 8

It has been suggested that APP 8 has the potential to ‘rain on the parade’ of cloud computing in Australia by expanding considerably the liability of cloud service operators and businesses seeking to utilize these services. For starters, it will make it more important than ever for organizations to conduct due diligence before outsourcing to foreign cloud computing platforms. In particular, the obligation on Australian companies to ensure equivalent protection of data once it leaves shore is ‘a new development that goes a lot further than existing Privacy Principles.’ The Senate Report has noted that the legislation envisages that contractual relations will be the key method of ensuring compliance with APP 8. As such, it recommends that:

"guidance should be provided to assist entities in this regard. In addition, compliance with APP 8(1) contains a ‘reasonable steps’ test. Therefore the committee considers that, as a matter of priority, the Office of the Australian Information Commissioner should provide guidance in relation to the type of contractual agreements required to comply with APP 8." 

This recommendation, and others requesting clarification of the extent of the extra-territorial application of the Act, will hopefully lead to clear principles and accompanying guidance that protect consumer data without stifling local innovation and cloud adoption.

B Industry Regulation

Australian Government Information Management Office (AGIMO) Cloud Strategy and other Government Cloud Guidance

The AGIMO cloud guidance is intended as a whole of government policy position on cloud computing for the Australian Commonwealth government. Regarding adoption of public cloud services, the AGIMO recognizes that the ‘legal/contractual, economic and security aspects of cloud computing are still relatively immature’. The AGIMO therefore advises that ‘[t]ransitioning citizen (personal) information to the public cloud is not expected to be a viable option within the next several years’; and the data centre strategy envisages that Australian data centers will be utilized rather than overseas providers.

Similarly, the Australian Department of Defense issued the following guidance on cloud services in 2011:

DSD strongly encourages agencies to choose either a locally owned or foreign owned vendor that is located in Australia and stores, processes and manages sensitive data only within Australian borders. A risk assessment should consider whether the agency is willing to trust their reputation, business continuity, and data to a vendor that may transmit, store and process the agency’s data offshore in a foreign country.

This approach has not been entirely popular with industry. For example, Microsoft has called on the Commonwealth and State governments to move away from stigmatizing offshore clouds, suggesting that investment in public cloud offerings serviced through Australian data-centers is not a viable solution. Microsoft chief technology officer Greg Stone has stated that:

We’re not at the point now where the business can sustain us making a significant investment in Australia to put something like a public cloud of that nature in here... It doesn’t make any economic sense if we want to deliver it at the price point compared to what we do in Singapore. 

However, the Australian government’s reticence to embrace offshore offerings is also a tremendous opportunity for cloud providers with domestic data centers to embrace the government as a valuable ‘anchor client’ for Australian cloud service providers. There is significant impetus to work with government to achieve the vision of a whole of government approach to meeting data centre requirements.

1. The Australian Prudential Regulation Authority (APRA) Guidance

The APRA noted in a November 2010 guidance letter to trustees of APRA regulated super funds that, although uptake of cloud services is increasing in the financial services industry, ‘regulated institutions do not always recognize the significance of cloud computing initiatives and fail to acknowledge the outsourcing and/or off shoring elements in them.’ APRA therefore requires regulated funds to engage in a detailed risk assessment for ‘any off shoring agreement, either directly or via a service provider, involving a material business activity’. Typical considerations include the location of the services and the service agreements with the provider. APRA also requires that the contractual agreements entered into by trustees include provision for APRA to have access to that company to conduct site visits if required.

APRA’s key concerns relate to the potential for “off shoring” to interfere with: 

• the ability to continue operations and meet core obligations, following a loss of cloud computing services; 
• confidentiality and integrity of sensitive (e.g. member) data/information; and 
• compliance with legislative and prudential requirements. 

APRA’s guidance is a recognition of the importance for organizations dealing with sensitive and private information to be fully aware of the risks, and aware of potential breaches of their obligations, before they seek the convenience of offshore cloud services. The guidance is aimed at ensuring that trustees attain ‘a detailed understanding of the extent and nature of the business processes ... the technology architecture and the sensitive information ... impacted by the outsourcing arrangement’. But, as Macquarie Telecom has noted: 

In the context of the global Cloud, where the third party provider is likely to be using one of a number of data centers in different countries, this has proved to be a difficult issue to overcome because providers have been reluctant to provide guarantees around data security to a level which is satisfactory to the regulator. 

This outlines the central balancing act regulators and businesses face when dealing with private data and the cloud. 

2. Macquarie Telecom Whitepapers on Cross Border Risks

In January of 2011 Macquarie Telecom commissioned a pair of whitepapers from law firm Freshfields Bruckhaus Deringer discussing the cloud and cross-border risks, using the examples of Singapore and the United States. The whitepapers note that cross-border data flows have the effect of ‘seriously reducing’ the ability of companies ‘to ensure continuing regulatory compliance with Australian law and to manage the associated non-compliance risks.’ They also note the growing government and industry concern over the privacy of data that is offshored. The essential conclusion of the papers is the need for caution when sending data overseas, recommending that particularly close attention be paid to the regulatory and compliance perspective. The importance of this increases the more sensitive and/or business critical the data is.

3. OzHub and ‘The Potential for Cloud Computing Services in Australia’

OzHub is an alliance between a number of commercial cloud providers and the Australian Communications Consumer Action Network. Founding members are: Macquarie Telecom, Fujitsu, InfoPlex and VMware. OzHub seeks to ‘establish a regulation framework to promote good business practices and greater transparency to consumers about crucial issues such as where their personal data are held.’ The launch of OzHub has been accompanied by the publication of ‘The Potential for Cloud Computing Services in Australia’ by Lateral Economics economist Nicholas Gruen, commissioned by Macquarie Telecom. This report states that, for Australian businesses to capitalize on the opportunity to become a world leader and to create jobs and industry by becoming an Asia-Pacific cloud computing hub, it is necessary to:

• create the right legislative framework;
• create the right climate for investment;
• promote Australia’s advantages around data security; and
• create new standards for contracts and disclosure. 

As part of achieving this aim, the report recommends that ‘Australia should seek interoperable privacy regimes in which countries recognize one another’s privacy rules to the greatest extent possible.’

III Case-Study: The USA and the USA Patriot Act

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (the ‘USA PATRIOT Act’) provides an interesting case study of the risks faced by businesses when transferring data offshore (in this case to servers located in the United States).

The USA PATRIOT Act is in fact a collection of amendments to US legislation that, amongst other things, clarifies the position of the US Government in relation to access to data stored on servers within the United States. As outlined by the Macquarie Whitepaper on the United States, this means that ‘[p]rivate data stored in the U.S. is at a higher risk of being accessed by government agencies than data stored in Australia.’ There are two key reasons for this. The first is that information in the US, once passed to a third party, is considered not to have an ‘expectation’ of privacy and is therefore outside the protection of the Fourth Amendment, and able to be accessed by authorities without a warrant (the third party exception). The second is that since the passage of the USA PATRIOT Act the requirements for justifying electronic surveillance are relaxed, requiring only that a ‘significant purpose’ of the surveillance be foreign intelligence.

These provisions have no parallel in Australian law. The implications are obvious for those seeking to utilize cloud services based in the United States. It is possible that where data is covered by NPP 9 or the proposed APP 8, or by regulations such as those imposed on APRA members, storing this data in the United States will not be feasible. Further, service contracts will usually express that the relations between the parties are governed by United States law, and even if Australian law were expressed to apply, enforcing the agreement in United States courts would be difficult and costly, and there is no obligation for US courts to recognize foreign judgments. As such, ‘[i]t would be extremely difficult to enforce a statutory right arising under Australian law in the U.S.’

The privacy environment in the United States has also faced criticism from Canadian and European sources. In 2004, then Privacy Commissioner for British Columbia David Loukidelis stated that ‘[t]he USA Patriot Act violates British Columbia’s privacy laws because it can order American companies to hand over information on British Columbians in secret’. In July 2011, members of the European Parliament expressed similar concerns about the potential for conflict between the European Union Data Directive and the USA PATRIOT Act in the wake of an admission by Microsoft that even data stored by them in European servers can still be handed over to United States investigators without informing users. Members questioned the European Commission as to the steps they might take to ‘ensure that E.U. data protection rules can be effectively enforced and that third country legislation does not take precedence over E.U. legislation?’

Such an uncertain environment in the United States obviously creates tremendous opportunity for local cloud providers operating in a good regulatory environment to attract domestic and international customers for whom data privacy is essential. Nicholas Gruen has stated that the provisions in the United States create ‘a demand for Cloud computing services that are not subject to such capricious hazards’ as warrantless surveillance and access to data. Where contractual terms and service agreements require high levels of protection it becomes essential for this security to be guaranteed. There therefore exists significant impetus to ensure a regulatory and business environment that is sensitive to these concerns and can distinguish itself from other jurisdictions.

IV Conclusion

Transborder data flows provide one of the most compelling challenges to cloud adoption. Any business seeking to offshore data must exercise significant care and due diligence to avoid falling foul of privacy regulations and protections by sending data to or through places that do not guarantee the same level of protection as Australian law. However, the dangers of outsourcing also create a potential opportunity for domestic cloud providers and data centers based within Australia to capitalize on the trend towards cloud adoption.