If offshore cloud compromises your data we'll sue you, not them: Privacy commissioner

Organisations investing in off-shore cloud services could find themselves on the pointy end of legal action should the privacy of Australians be breached as a result, Victoria's acting privacy commissioner has warned.

Laying out the government's position on the legal status of cloud computing in a wide-ranging speech at the recent Evolve.Cloud conference, Dr Anthony Bendall noted that concerns about the privacy-compromising potential of new technologies are nothing new, citing concern in the 1890s over the then-nascent field of photography.

Cloud computing has had a similar effect, with vendors' and customers' technological aspirations tempered by ongoing discussions about the legal and risk status of cloud-computing providers in relation to the personal data of Australians.

Many companies have already rushed into the cloud ignorant of privacy concerns, Bendall said. "I have seen the willingness of organisations to rush headlong into projects that promise to save tens of thousands of dollars and increase productivity, but without stepping back to consider obligations such as privacy," he explained.

"My office has already been consulted on projects where the cloud is being used without deep analysis of the risks and benefits, or a full appreciation of the impact it might have on information privacy."

Like similar organisations in other states and at the federal level, Bendall's office has been working to help companies and government agencies clarify their privacy obligations, with cloud computing one of dozens of topics covered in detail in recently published information sheets.

The cloud computing information sheet spells out a definition of cloud computing and lists guidelines for use of both private and public clouds. And while they offer specific advice about cloud computing, Victoria's state Information Privacy Principles are rooted in the nearly identical National Privacy Principles maintained by the Commonwealth Office of the Australian Information Commissioner.

"The promise of cheap storage, low-cost technical support and unlimited scalability are too tempting to resist, and the juggernaut appears to be impossible to stop," Bendall said. "Yet while contemporary IT brings significant challenges to the field of privacy and data protection, these challenges aren't insuperable. It's entirely possible to use cloud computing in a way that does not compromise the privacy of individuals."

That doesn't mean the challenges are easy to meet, however: one of the major obligations on users of public cloud services, for example, is to ensure those cloud services subscribe to privacy controls that are as stringent as those required by the organisation itself. The same goes for contractors that might have cause to access the cloud data: the contracting organisation must ensure they subscribe to equally rigorous privacy controls.

Bendall warned against haphazard de-identification of personal data, which has been floated as a way around privacy controls and a means of facilitating greater use of overseas public-cloud services.

"The threat to information privacy from cloud computing largely comes from an organisation's lack of control," he said. "Generally speaking, cloud service providers are agents of the client agency or organisation – even if there's a contract between them."

"That relationship means that if there's a data breach, the client agency or organisation remains responsible and the enforcement of the Australian privacy legislation will apply," he continued. "The cloud provider would need to be contractually bound by the relevant Australian privacy law, or fulfil the requirement that a similar privacy scheme to the Australian regime operates in that jurisdiction. This can be difficult in jurisdictions that have no general privacy laws, such as Singapore or the US."

The situation gets even more complex if the public cloud provider is found to be moving protected data between jurisdictions; this is common in load-balancing cloud configurations run by the likes of Google and Microsoft, which shift customer data between regions to improve reliability and redundancy.

With so many potential factors affecting the movement of data through public cloud environments, poorly protected cloud arrangements could create significant problems for Australian organisations that have rushed towards the cost-saving promise of modern cloud services.

A public cloud service being located outside the country does not mean it is exempt from punitive action: if Australian privacy authorities can't adequately address a privacy breach that happens overseas, Bendall said, the original source of the data would be targeted instead.

"While we're not saying 'don't use the cloud'," he explained, "if you do and you use someone who's not within our jurisdiction, we'll enforce the law against someone – and generally we'll enforce it against you."


Copyright © 2012 IDG Communications, Inc.
