This week we have a guest post by Jim FitzSimons regarding Australia’s new privacy laws. Jim is a former partner of Clayton Utz and is widely recognised as one of Asia Pacific’s leading legal minds in the information technology sector (he was recently voted one of Australia’s best lawyers in Information Technology and IT law). He sits on the Advisory Board for Red Rain.

Anyone who advises on privacy issues finds “the Cloud” something of a conundrum. As the name implies it is hard to pin down a definition and it covers a multitude of possibilities.  Most importantly, it could, but does not necessarily, imply a cross-border data flow, and that has implications under the Privacy Act.

The Act sets up rules for cross-border data flows because the information is leaving the Australian jurisdiction and may therefore be open to abuse over which an Australian resident has no recourse. The conundrum arises, in part, because data held by a well managed foreign data centre is clearly a lot more secure in fact, and less likely to be exposed by negligence or design, than data held on the server of a small organisation in Australia.


It therefore does not make sense for the authorities to discourage use of foreign data centres.

An answer may lie in the fact that while a foreign data centre “uses” the data (in that the data centre owner operates the computer which manipulates the data, records it on a backup disc etc) there is no practical sense in which the data is “disclosed” to anyone at the data centre.  There are multiple protections in place to ensure that employees cannot actually access any of the data in a comprehensible form.

Note that APP 8, which covers cross-border dealings, expressly refers only to “disclosure” while APP 6, which is the more general provision, refers to “use” and “disclosure”.

Therefore using a foreign data centre to store information in the cloud is not covered by APP 8 at all.

How has the Privacy Act affected your firm? Let us know in the comments or on Twitter