CIO

Cloud requires data protection rethink: ACMA

NextDC-sponsored whitepaper aims to shed light on data sovereignty issues.
ACMA chairman, Chris Chapman, addresses NextDC event on data sovereignty. Credit: Max Australia

The growth of cloud computing may mean an update to regulations protecting Australians’ personal data is required, according to Australian Communications and Media Authority (ACMA) chairman, Chris Chapman.

“Many of the existing personal data protections were developed in a pre-Internet age,” Chapman said at the launch of a whitepaper outlining data sovereignty issues facing businesses.

The paper was co-written by the University of New South Wales, insurance company Aon and law firm Baker & McKenzie, and sponsored by data centre provider NextDC.

“The developing nature of cloud services has brought many new service providers to the Australian market [and] many are not communications market players as they’re currently defined in existing legislation,” Chapman said.

Those new players “may not be familiar with existing regulatory obligations such as the consumer safeguards and protections.”

It’s “inevitable” that law will lag behind technology, said Adrian Lawrence, a Baker & McKenzie attorney who co-authored the data sovereignty whitepaper.

“Businesses will move faster than the law can keep up.”

It’s even more difficult for government to keep up with cloud because cloud is an international issue, he said.

Chapman called for a “unified, coherent regulatory framework” for cloud computing. He referred to a paper released last month by ACMA supporting an industry-written cloud computing code of conduct to improve consumer confidence in service providers.

“From a regulatory perspective, the ACMA sees that there is a clear and present collective need to address concerns about personal data protections, and also understands that these issues are a complex environment that spans national and international law,” he said.

Nearly 71 per cent of Australians use a cloud computing service, but few understand how cloud works and even fewer understand related data protections, Chapman said. Industry must offer citizens adequate information and protections so they may better assess the risks, he said.

“Confidence is critical,” said NextDC CEO Craig Scroggie.

“As an industry, we’re really only ever one disaster away from eroding confidence that has built up over time in cloud computing.”

However, Scroggie and other officials said much uncertainty about data sovereignty and other issues related to the cloud exists among CIOs.

NextDC customers consistently ask about their issues around data sovereignty and data breach notification, said Scroggie.

“We still have customers who are uncertain about what their obligations are,” he said.

Location of the data centre is a top concern for CIOs, according to Stephen Wilson, principal consultant at Lockstep Consulting, specialising in privacy, digital identity and authentication. CIOs want to know where the data is, how to be sure a data centre is meeting Australian jurisdictional obligations, and what new obligations arise if a data centre is located overseas, he said.

Recent headlines about the US National Security Agency’s surveillance program PRISM have heightened Australian businesses’ concerns about data sovereignty, officials said.

“Three months ago, not many people thought it was interesting,” said David Vaile, report co-author and executive director of the UNSW cyberspace law and policy centre. “Today they do.”

Many NextDC customers’ concerns about data sovereignty surfaced after the PRISM headlines broke, Scroggie said.

A similar thing happened when it was revealed that US soldier Bradley Manning had passed classified material to WikiLeaks, he said.

The authors of the whitepaper said that data sovereignty is an issue that can’t be ignored by anyone in an organisation.

Among other suggestions, the whitepaper advises that cloud customers review international laws that may govern their data, ensure their cloud provider complies with local laws in the jurisdiction where data is stored and check whether the business’s data is covered by the provider’s insurance policy. The paper also recommends that businesses carefully assess what data must be housed in Australia.

“It’s no longer just an IT responsibility,” said Eric Lowenstein, client manager at Aon. “It is something with which you need to engage all stakeholders in your business.” That includes legal, communications, marketing, the CFO and CEO, he said.

“It’s clear ... that data stored offshore will be subject to the laws of the jurisdiction in which it’s stored,” said Lawrence. “Consumers, businesses, anybody who wants to deal with data needs to accept that proposition and deal with it.”

Follow Adam Bender on Twitter: @WatchAdam