If offshore cloud compromises your data we'll sue you, not them: Privacy commissioner

Organisations investing in off-shore cloud services could find themselves on the pointy end of legal action should the privacy of Australians be breached as a result, Victoria's acting privacy commissioner has warned.

Laying out the government's position on the legal status of cloud computing in a wide-ranging speech at the recent Evolve.Cloud conference, Dr Anthony Bendall noted that concerns about the privacy-compromising potential of new technologies are nothing new, citing concern in the 1890s over the then-nascent field of photography.

Cloud computing has had a similar effect, with vendors' and customers' technological aspirations tempered by ongoing discussions about the legal and risk status of cloud-computing providers in relation to the personal data of Australians.

Many companies have already rushed into the cloud ignorant of privacy concerns, Bendall said. "I have seen the willingness of organisations to rush headlong into projects that promise to save tens of thousands of dollars and increase productivity, but without stepping back to consider obligations such as privacy," he explained.

"My office has already been consulted on projects where the cloud is being used without deep analysis of the risks and benefits, or a full appreciation of the impact it might have on information privacy."

Like similar organisations in other states and at the federal level, Bendall's office has been working to help companies and government agencies clarify their privacy obligations, with cloud computing one of dozens of topics covered in detail in recently published information sheets.

The cloud computing information sheet spells out a definition of cloud computing and lists guidelines for the use of both private and public clouds. And while the sheets offer specific advice about cloud computing, Victoria's state Information Privacy Principles are rooted in the nearly identical principles (http://www.privacy.vic.gov.au/privacy/web2.nsf/pages/information-privacy-principles) maintained by the Commonwealth Office of the Australian Information Commissioner.

"The promise of cheap storage, low-cost technical support and unlimited scalability are too tempting to resist, and the juggernaut appears to be impossible to stop," Bendall said. "Yet while contemporary IT brings significant challenges to the field of privacy and data protection, these challenges aren't insuperable. It's entirely possible to use cloud computing in a way that does not compromise the privacy of individuals."

That doesn't mean the obligations are easy to meet, however. One of the major obligations on users of public cloud services, for example, is to ensure that the cloud provider subscribes to privacy controls as stringent as those required of the organisation itself. The same goes for any contractors that might have cause to access the cloud data: the contracting organisation must ensure they subscribe to equally rigorous privacy controls.

Bendall warned against haphazard de-identification of personal data, which has been floated as a way around privacy controls that would facilitate greater use of overseas public-cloud services.

"The threat to information privacy from cloud computing largely comes from an organisation's lack of control," he said. "Generally speaking, cloud service providers are agents of the client agency or organisation -- even if there's a contract between them."

"That relationship means that if there's a data breach, the client agency or organisation remains responsible and the enforcement of the Australian privacy legislation will apply," he continued. "The cloud provider would need to be contractually bound by the relevant Australian privacy law, or fulfil the requirement that a similar privacy scheme to the Australian regime operates in that jurisdiction. This can be difficult in jurisdictions that have no general privacy laws, such as Singapore or the US."

The situation gets even more complex if the public cloud provider is found to be moving protected data between jurisdictions. This is common in cloud configurations run by the likes of Google and Microsoft, which load-balance customer data between regions to improve reliability and redundancy.

With so many potential factors affecting the movement of data through public cloud environments, poorly protected cloud arrangements could create significant problems for Australian organisations that have rushed towards the cost-saving promise of modern cloud services.

Just because a public cloud service exists outside the country doesn't mean it is exempt from punitive action: if Australian privacy authorities can't adequately address a privacy breach that happens overseas, Bendall said, the original source of the data would be targeted instead.

"While we're not saying 'don't use the cloud'," he explained, "if you do and you use someone who's not within our jurisdiction, we'll enforce the law against someone -- and generally we'll enforce it against you."

Stories by David Braue