Australia's Privacy Commissioner Timothy Pilgrim is cautiously optimistic about the cloud's potential to increase personal privacy, but has put organisations on notice that new laws will require them to take more responsibility for the information they collect.
"Cloud computing has the potential to be privacy enhancing," Pilgrim told the annual conference of the International Association of Privacy Professionals, Australia and New Zealand (iappANZ) in Sydney this morning.
"The outcomes all depend on how it is utilised, as with all technologies. So, for example, storing data in the cloud rather than on portable devices that can be lost or stolen or inadequately-secured in-house systems — if done well — may reduce security risks to privacy," he said.
"On the cloud the information can potentially be stored in servers around the world, where they can have a much higher level of encryption and security put in place," Pilgrim told ZDNet Australia. "The risks are if those things aren't done then the information can be travelling around the world without any protection, and it may be the case that we won't know who's accessing it and who's seeing it until something happens."
Using the cloud doesn't alter an organisation's responsibilities under the Privacy Act. "Data security applies to personal information in a filing cabinet as much as it does to information on the cloud," Pilgrim told the conference. "The challenge lies in identifying where the privacy risks lie and how best to mitigate them."
One such challenge is the borderless nature of the internet and the amorphous geography of the cloud. Data can be stored outside Australia, with its exact physical location often unknown. When a problem arises, there can be jurisdiction issues.
In 2006, for example, it was revealed that the US Department of Treasury had been accessing thousands of financial records held by the Belgium-based SWIFT inter-bank transfer system, operating under the agreements they held with that company.
"There were some concerns that Australian individuals would not have known that was happening, but because that company was wholly and solely based out of Australia, there was no jurisdiction for my office to be able to pursue an investigation into whether the information was handled appropriately in that circumstance," Pilgrim told ZDNet Australia.
Currently, Australia's privacy laws require an organisation to be "undertaking a business in Australia" before the privacy commissioner can investigate.
"That's where the law at the moment does get a little complex," Pilgrim said. "At the moment they need to collect and hold that information in Australia ... and in that particular case they were not holding information in Australia and they weren't strictly carrying on a business in Australia."
This will change. Australia's Privacy Act is being reviewed.
"Businesses are going to have to take on a greater degree of accountability," Pilgrim said. "If they undertake to collect someone's information in Australia but they want to get it processed overseas, they're going to have to ensure — either through sending it to a country with similar protections [to Australia] or putting into place contractual clauses — that [they] will give it the same level of protection before they can send that information out of Australia and therefore they must remain responsible for it."
Those changes to the Privacy Act are currently being considered by a Senate committee. That committee is expected to report by 1 July 2011, with legislation to be introduced into parliament by the end of the year.