17 February 2012

Sending data overseas - don't worry, be happy?

Posted by Veronica Scott (Partner: Paul Kallenbach)

Any decision to host its email services offshore triggers privacy law compliance issues for Telstra.  Our focus in this blog post is on the transborder data flow requirements of National Privacy Principle 9 (NPP9) of the Privacy Act 1988 (Cth) as they apply to offshore hosting.

Last Friday, Telstra announced that BigPond customers will soon experience its new "BigPond with Windows Live" integrated email service.  It is rumoured that Microsoft will host the service offshore (though Telstra will retain a copy of all BigPond emails locally).

NPP9

NPP9 permits an organisation to transfer personal information about an individual to an organisation outside Australia, but only if the transfer meets one or more of the six conditions in NPP9.  The four conditions relevant to Telstra in this scenario are likely to be:

(a)  it has a reasonable belief that Microsoft, as the recipient of the personal information, is obliged by law or otherwise to uphold principles substantially similar to the NPPs;

(b)  it has taken reasonable steps to ensure that Microsoft will not use or disclose the information inconsistently with the NPPs;

(c)  its customers consent (expressly or impliedly) to the transfer; and/or

(d)  all of the following apply:
  • the transfer is for the benefit of the customers;
  • it is impracticable to obtain their consent to the transfer; and
  • if it were practicable to obtain their consent, they would be likely to give it.

Telstra's Customer Terms and Conditions (Terms) set out both Telstra's and its customers' rights and obligations in respect of the BigPond email service.

Interestingly, the 60-plus pages of Terms do not expressly confer on Telstra a right to store emails offshore.  Rather, the Terms provide that '[i]nformation concerning you will be held in a database' but without specifying any particular jurisdiction or geography.

The Terms also refer to the Telstra Privacy Statement, which is one of a suite of privacy documents Telstra has for its customers.  The Privacy Statement provides that personal information is disclosed to external organisations so that Telstra may 'deliver the services you require', including 'information technology services' among others.  Telstra has reportedly confirmed that its BigPond customers will need to sign up to a new set of terms and conditions to allow it to host their emails offshore.

If Telstra's current agreement with its customers does not confer on Telstra express or implied consent to transfer their personal information overseas, one of the other conditions in NPP9 must apply to allow the personal information to be transferred overseas.  Microsoft would no doubt argue that it meets condition (a), on the basis that privacy laws in the US are generally similar to, if not more stringent than, the NPPs.

However, is this argument reasonable given that certain US authorities will be able to access personal information held by Microsoft for purposes that would not otherwise be permitted if the data had stayed in Australia?  Such access would be permitted even if Telstra and Microsoft have entered into an agreement to ensure that BigPond customers' personal information is protected in a manner consistent with the NPPs – on the basis that NPP2.1(g) allows an organisation that holds personal information to disclose it if required or authorised by law to do so.  Telstra would no doubt argue that any compelled disclosure by US authorities falls squarely within NPP2.1(g).

Implications

To sidestep the (often difficult) issue of whether local privacy laws are 'substantially similar' to the NPPs, best practice would be to obtain express or implied customer consent for any prospective transborder data transfer (for example, in the organisation's terms and conditions).

Safety in the cloud?

Many businesses are concluding that their customers' personal information is likely to be more secure in the cloud than if stored by the business itself.  Small businesses in particular will generally have far less expertise in cyber and data security than large, professional technology organisations.  Moreover, protection of data for the likes of Telstra, Microsoft, Google and Apple is as much a reputational issue as a legal one.  If companies such as these cannot show that they can be trusted to protect personal data, their brands (and ultimately businesses) are likely to suffer.

Cognisant of this issue, Microsoft's Chief Privacy Officer, Brendan Lynch, said in December on Microsoft's website:

I recently returned from a two-week trip to discuss a range of privacy topics with customers and regulators in Australia and New Zealand. In virtually every conversation, I was asked about Microsoft’s approach to data protection in our cloud services. Microsoft representatives around the world report hearing similar questions regularly in each of their regions. These questions are understandable [...] At Microsoft, we understand that unless we are responsive to our customers’ and to regulators’ questions about data protection in public clouds, we will not earn the trust necessary for our cloud services to satisfy our customers’ needs.

In the next 12 months we'll see the continued rollout of the National Broadband Network (NBN), together with faster and more reliable mobile internet services (such as 4G LTE).  This will no doubt further bolster the adoption of cloud apps by both businesses (think Salesforce.com, Microsoft Windows Live, Google Apps and many more besides) and consumers (think Apple iCloud, Dropbox, Spotify, Evernote, amongst many others).  Indeed, as reported in today's Communications Day, KPMG has estimated that the total GDP impact of cloud computing adoption over the next decade in the finance, property, business services and education sectors, will be around $1.6 billion a year.

However, with a number of serious data breaches having occurred in 2011, demonstrably strong data protection will be required in order to maintain business, consumer and government confidence in cloud services.
