David Braue reports:
Organisations investing in off-shore cloud services could find themselves on the pointy end of legal action should the privacy of Australians be breached as a result, Victoria’s acting privacy commissioner has warned.
[…]
“The threat to information privacy from cloud computing largely comes from an organisation’s lack of control,” he said. “Generally speaking, cloud service providers are agents of the client agency or organisation – even if there’s a contract between them.”
“That relationship means that if there’s a data breach, the client agency or organisation remains responsible and the enforcement of the Australian privacy legislation will apply,” he continued. “The cloud provider would need to be contractually bound by the relevant Australian privacy law, or fulfil the requirement that a similar privacy scheme to the Australian regime operates in that jurisdiction. This can be difficult in jurisdictions that have no general privacy laws, such as Singapore or the US.”
The situation gets even more complex if the public cloud provider is found to be moving protected data between jurisdictions; this is common in load-balancing cloud configurations run by the likes of Google and Microsoft, which load-balance customer data between regions to improve reliability and redundancy.
Read more on CSO.