Cloud computing is an innovative way to get an edge on competitors and reduce costs. It is also intrinsic to a well designed Data Recovery Plan. However, there are serious legal implications for businesses that choose to store sensitive, legally protected data using cloud technology. Ignorance of these can easily see a business losing more than it gained.
Organisations are legally responsible for the security and the integrity of the data that they collect and maintain. They retain this responsibility, irrespective of how they store and secure their data and cannot outsource their legal responsibilities to a third party.
The most sensitive and legally protected data that organisations usually collect is personal data. There is nothing wrong with storing data that contains personal information on cloud technology (in fact we recommend it), but the organisation uploading the data needs to ensure that steps have been taken to protect the personal information so it cannot be accessed by a third party.
This means that it is up to the client organisation to ensure the cloud provider has security measures in place to protect the data because legally the data is theirs. They are responsible for who they give it to, even for storage and if personal information is not secure, they are liable.
The same law applies to personal information that is no longer needed. The Information Privacy Principle (IPP) 4.2 states that an “organisation must take reasonable steps to destroy or permanently de-identify personal information” if it’s no longer needed. This includes information stored in the cloud. The organisation must similarly check that its cloud provider has steps in place to destroy personal information. Storage on the cloud should not mean that it is retained forever.
When an organisation uses a cloud provider to store its data, the cloud provider may have servers in a different country. This raises a whole raft of cross jurisdictional implications, and will mean that the data is now subject to the laws of the country in which it is being physically stored, as well as those of the country of origin.
In other words, the stored data is subject to the data laws of the second country, even if they have no offices or contractual arrangements in that country.
For example, Frogs4Sale, an Australian business, uses CloudsRUs to host its data on the cloud. The data is consequentially stored in the USA. Frogs4Sale must now abide by American data law, and is subject to the regulations of the USA. Unlike Australia, the United States has laws allowing its government to access data in certain circumstances, whilst preventing the holder of the data from notifying the owner.
Frogs4Sale is therefore legally responsible if its data is accessed in breach of Australian law, even though the access might be legal under US law. The fact that they might not have realised that CloudsRUs, was using servers hosted in another country will be irrelevant should the breach result in court action or professional misconduct hearings.
It is not only the physical location of the data that needs to be taken into account. The jurisdiction of company ownership is also a relevant factor that has to be considered. Companies are subject to the laws of the country in which they are based. As such, even if foreign owned CloudsRUs were to physically store their information on Australian soil, the data might still be legally accessible under the laws of their native jurisdiction, despite such access contravening Australian law.
Now, it could be argued that in this case, by disclosing the information to a third party CloudsRUs has breached Australian law and is liable. But it is still Frogs4Sale that is going to have to hire lawyers and waste valuable resources arguing that particular case, so it is perhaps best to simply not risk going there.
Ultimately, Frogs4Sale is responsible for any issues that arise from such a situation and the best solution is to ensure that any sensitive data is stored in Australia, and maintained by a wholly owned Australian entity.
Data is big business and in the modern economy, information equals wealth. Sadly, there are many people who will look to exploit others information to nefarious ends. On account of this, all businesses should ensure that cloud data storage solution is managed by identifiable people, who actually exist in real life and is not merely a tool for organised crime to skim sensitive data. While this has yet to be much of a major issue thus far, it only a matter of time.
It is also important to realise that Australia is one of the few jurisdictions with laws compelling disclosure of any breaches of data storage security. This has two major implications. Firstly, Australian data storage companies have a high motivation to maintain the security of the data under their protection, or face legal sanction themselves. Secondly, that in the unlikely event that such a breach occurs, it won’t be simply be swept under the rug. Instead clients will be notified, so that measures can be taken to rectify any potential damage to their business and interests.
If a business uses a foreign-owned cloud provider, and that cloud provider is sold to a new owner, this may impact on the cloud provider’s obligations to its customers, especially if local laws allow for contract modification under such circumstances, or the entity is sold to an organisation constituted in a third foreign nation.
When terminating the contract between the cloud provider and the client, what becomes of the data? Will the data be given back to the client and deleted from storage, or will it be kept? Similarly, will the cloud provider give all data back, or just certain elements?
All these situations are real and have serious implications for the client. The client can not only suffer a loss of data, but also damage to reputation and loss of business. Information breaches can also incur significant legal consequences up to and including professional deregistration, fines and jail sentences. Needless to say, the legal costs associated with a poor choice of cloud host could be significant and the organisation could easily face bankruptcy and go out of business in the most serious of cases.
Of course, many of these issues aren’t just relevant for legally sensitive data and also apply to intellectual property. That is why it is important whenever deciding to use a cloud provider, the client must check to see where their data will be stored, the level of protection the cloud provider offers and ensure they work through a comprehensive contract that keeps their client’s business interests front and centre.
It is your data and irrespective of where it is stored, you retain legal responsibility for it. Use of the cloud for data storage is an essential component of most Data Recovery Plans, but it is in your best interests to ensure that your data is stored by people that you know and can trust and subject only to the laws of the country of origin.