Even where data centre customers face increased service charges as a result of electricity price increases, customers should carefully consider data security issues (privacy, access and control) that arise when using offshore IT infrastructure and cloud offerings, before rushing to use such options to save on cost.
Offshore options may in fact involve additional operational costs to Australian businesses – costs of meeting various regulatory and legal compliance requirements in international jurisdictions. If an issue or dispute arises with an offshore provider, a customer also faces additional costs of enforcing its rights offshore. This may ultimately offset savings anticipated or achieved in moving data and data centre services outside Australia, following the introduction of the Carbon Price regime.
Data of a particular type (such as personal information), or data relating to particular business activity, may not readily be sent offshore from a regulatory and legal compliance perspective.
For example, the Australian banking and insurance sectors are regulated by the Australian Prudential Regulation Authority (APRA) – and prudential standards applicable to the outsourcing of “material business activities” by companies in these sectors require that they consult with APRA before entering into outsourcing agreements with service providers who conduct their business activities outside Australia.
APRA’s approach to date in relation to offshoring and cloud offerings has been cautious – reflected in the letter it sent in late 2010 to regulated Australian banks and insurance companies, noting APRA’s concern that organisations were failing to acknowledge the outsourcing and/or offshoring elements of cloud offerings in particular, and cautioning in relation to their use.
In its draft Cloud Computing Strategic Direction Paper of January 2011, the Australian Government has indicated it will take a risk-based approach to cloud computing, noting that data security and privacy issues need to be adequately resolved before critical government services could be transitioned to the cloud, and that an awareness of Australian legal and regulatory requirements such as the Privacy Act and the Archives Act was required.
Many Australian businesses must comply with the Privacy Act and the National Privacy Principles (NPPs) made under that Act. NPP 9 requires that an organisation in Australia must not send personal information to another person outside Australia unless it takes steps to ensure the information is properly protected, or the jurisdiction outside Australia will provide equivalent protection, or the individual consents to the transfer. Similar rules apply to State and Territory governments and government agencies under State-based information privacy legislation.
It should be remembered that data is subject to the laws of the jurisdiction in which it is stored. Cloud computing services involve the processing and storage of masses of data that is often commercially sensitive and confidential, or personal information. A key question in relation to offshore and cloud offerings is therefore “where is data stored or processed?” However, location is not fixed in the cloud – unlike a fixed server in the customer’s premises or at a data centre in Australia, data in the cloud can potentially be located anywhere in the world, and in more than one data centre.
As a result, sending, storing and processing data around the world through certain cloud offerings may not comply with data protection and privacy laws in various jurisdictions.
The impact on offshore providers of foreign laws such as the US PATRIOT Act (which enables the US Government to access data held on US companies’ servers in connection with criminal proceedings, without notice to the original provider or owner of the data) must also be considered.
So, while offshore data centres and cloud offerings may provide a number of tangible benefits to Australian businesses in the way of cost effective data storage and hosting services, there are data security and regulatory compliance risks (and associated costs) that customers need to be aware of.
It may be that the Carbon Price regime will lead to some Australian businesses and organisations classifying their data – as either data that must continue to be hosted onshore, or data that can be hosted offshore.