In Part 1 of this article series, we consider some of the cross-border compliance and enforcement risks which can arise when cloud data centres are used to hold and process personal information. We do so through the lens of Australia’s privacy laws.
For organisations that operate or deliver services in multiple jurisdictions, cloud data centres are appealing as data can be readily collected and processed across each of an organisation’s operating or service delivery locations. Notwithstanding the efficiency of cloud data solutions, there are cross-jurisdictional and organisational complexities that must be considered, especially if the data being collected and processed includes personal information. By way of example, recent legal developments in Australia have the potential to bring the acts and practices of many more foreign organisations within the scope of Australia’s privacy laws, even if those organisations do not have an Australian office and do not generate revenue in Australia.
In Australia, the collection, use, disclosure and security of personal information is governed by the Australian Privacy Principles (APPs) which are set out in Schedule 1 to the Privacy Act 1988 (Cth)…