We live in a time where information often is one of a business’ most important assets. Indeed, a business’ success or failure may depend on how well it manages its databases. This may sound like an exaggeration, but if you are a business leader, ask yourself how your business would function tomorrow if it lost all its databases today. How would you interact with your clients? How would you pay your bills? And how would youknow what assets you have in stock?
To keep data safe, and easily accessible from multiple locations, many businesses have opted for some form of cloud computing solution. Put simply, cloud computing typically refers to a technical arrangement under which users store their data on remote servers under the control of other parties, and rely on software applications stored and perhaps executed elsewhere, rather than on their own computers. Consequently, the term cloud computing encompasses both relatively novel developments such as social networking sites and Google Docs, as well as well established services such as Microsoft’s Hotmail.
While I have already mentioned safety and accessibility, it is worth expanding upon the undisputable usefulness of cloud computing:
- The user can access the same set of applications, and the same data, regardless of location, and regardless of which hardware they use (such as computers, PDAs and mobile phones, including both their own hardware and devices borrowed from other individuals and organisations);
- Several users can access and share the same applications and data which assists in collaborative work;
- Backup and recovery is delegated to a service-provider, which presumably enhances its reliability;
- Licensing of software and third-party data can be simplified; and
- Complex tasks can be performed by using less powerful devices by depending on more powerful remote servers.
But with cloud computing come certain risks. Elsewhere, I have discussed those risks from a consumer perspective (Svantesson & Clarke, Privacy and consumer risks in cloud computing, Computer Law & Security Review, Vol.26 No. 4 (July 2010); pp. 391-397). Here, Iwish to highlight a recent development of interest to any business currently using, or considering, a cloud computing structure.
The impact of Australian privacy law
Australian privacy law places restrictions on the circumstances under which a business can transfer personal information overseas. Many businesses have failed to recognise that the nature of cloudcomputing typically means that this regulation comes into play.
On 3 April 2011, news stories reported that the Federal Government had signalled its intention to “crack down” on the practice of storing personal information in countries with lower privacy protection than that afforded in Australia. In more detail, the Minister for Privacy & Freedom of Information, Brendan O’Connor, was quoted as stating that:
“While some ‘cloud’ providers are located here in Australia, many more are located overseas, […] That gives rise to difficult jurisdictional issues, particularly where the laws of two or more countriescould potentially apply. […] In this potentially fraught legal environment, businesses will need to think carefully about who and where they are sending personal information and about what privacy protections, if any, the recipients of the information have.”
It is easy to see why the cloud computing raises privacy concerns. Once data leaves Australia and is stored overseas, there is a certain degree of loss of control over that data. In the past, we have seen severalexamples of data, outsourced to other countries, being misused by private actors in those countries. In addition, once the data is stored overseas, it may be subject to invasive foreign laws allowing a foreign government access to the data.
With the Australian Government signalling an interest in this area, businesses ought to review their data practice and if they do not already have a privacy strategy in place, they should urgently seek to develop one.