The National Cloud Computing Strategy - clear skies ahead?

Posted by Harry Aitken, Rosie Johnson and Paul Kallenbach

In late May of this year, Senator Stephen Conroy, Minister for Broadband, Communications and the Digital Economy (as he then was) announced The National Cloud Computing Strategy (Strategy) at the Cloud @ CeBIT Conference held in Sydney.  Unfortunately the conference was not held on SKYWALK at the Sydney Tower, which somewhat limits the number of 'sky' and 'cloud' puns we could have otherwise used in this paragraph.  But we digress ...      

cloud computing

noun the provision of services over the internet to allow users to remotely store, process and share electronic information.

Cloud computing is not, as the name might otherwise suggest, using technology to compute the structure, pattern and formation of clouds.  (We apologise in advance to any nephologists who may have stumbled across this blog post.)  Cloud computing, rather, is the use of computer platforms to deliver services over the internet.  Whenever you use your Gmail account, online banking service, Amazon or iTunes, you're engaging with the brave new(ish) world of cloud computing.

Returning to the Strategy, the Government's aim is to address three goals:

• for the Australian Government to be a leader in the use of cloud technology, creating efficiencies and generating value and to deliver better services and create more agility in the public service;
• for Australian small business, not-for-profit organisations and consumers to have the protection and tools they need to acquire cloud services with confidence; and
• for Australia to have a vibrant cloud sector supported by a skilled and cloud-aware information and communication technologies (ICT) workforce, able to create and adopt cloud services, effective competition in cloud services, and regulatory settings that support growth, foster innovation and protect users.

The Strategy goes on to detail steps which the Government considers might be taken in order to achieve these goals.

What is the Government proposing to do?

The Government plans to lead by example and adopt cloud computing in its own enterprise.   It also plans to assist other government agencies and non-government organisations to do the same by identifying training and skill development opportunities to facilitate the adoption of cloud computing and encourage lines of communication between Government agencies about what works and what doesn't.

The Strategy identifies that smaller businesses are likely to obtain the most benefit from the adoption of cloud computing mechanisms.   Consequently, in order to empower small businesses and not-for-profit organisations to utilise cloud computing, the Government will strive to enhance the information in the market in relation to cloud computing and the likely benefits to smaller businesses which might not otherwise take up the opportunity or be able to obtain sufficient information in order to make and informed decision.   The Government identifies that there is a lot of information about cloud computing but that is not easy to understand, and aims to release publications and information in a more digestible format.  The Government also plans to open the lines of communication between cloud service providers and consumers in order to better consider issues which may arise.

In relation to its aim of encouraging a vibrant cloud services sector, reliable internet access is central, and the Government not surprisingly touts the the National Broadband Network as a key aspect in providing the infrastructure necessary to facilitate the expanding use of cloud computing.  Using the tertiary education sector is another way identified by the Government to increase the knowledge and skills of cloud computing, hence a proposal to incorporate cloud computing into the ICT curriculum and encourage further research and development activities in this area.

Impact?

So how might the Strategy impact consumers and business owners?

The Strategy posits that cloud computing can enhance functionality, mobility, scalability and security for businesses, enable them to scale their processing up and down as their capacity changes, and employ a range of diverse services for each task.  The Strategy also suggests that everyday consumers may benefit – 33% of 1,000 sampled small and medium Enterprises (SMEs) who were surveyed in 2012 'indicated they would be quite likely to pass on cost savings achieved through the adoption of cloud services to their consumers'.   For business owners, greater efficiencies may lead to increased profits, which can be invested in things which will assist the growth of the business, including providing consumers with a greater range of goods and services. 

For cloud computing service providers, the Strategy aims to expand their market reach.  Ensuring appropriate measures are taken to protect users will be an area of government and media scrutiny going forward; however there are opportunities for providers with strong data protection mechanisms in place to make a big splash in the Australian market.  IDC predicts that the cloud computing market sector will be valued at $2,030 million by 2015, and by 2020, almost 40% of digital information will be affected by cloud computing in some manner.[1]

The regulatory setting

Presently, there is a complex mix of international, domestic and industry-specific regulations and standards which apply to cloud computing practices. 

Australian consumers and businesses have general contractual, consumer and privacy protection under the law of contract; the Privacy Act 1988 (most relevantly, the new APP 8, which comes into effect in March 2014, and will impose new obligations on government agencies and private sector organisations in relation to the the overseas disclosure of personal information ); the Competition and Consumer Act 2011 and the Australian Consumer Law; the Telecommunications (Interception and Access) Act 1979 and other statutes besides.  On the industry front, the Telecommunications Act 1997 seeks to promote competition and facilitate access to telecommunication infrastructure, while the Australian Prudential Regulatory Authority (APRA) regulates the outsourcing and offshoring activities of banks and other financial institutions through prudential standards, including, most relevantly, Prudential Standards CPS 231 and SPS 231.   

However, none of these instruments have been designed with the cloud in mind, and the emergence of cloud-based providers - who may fall outside existing legislative categorisations and standards - potentially weakens the efficacy of the regulatory framework.  Moreover, the cross-border nature of cloud services raises difficult issues of jurisdiction and enforcement, since national laws may not extend to the conduct of service providers who are based in other countries.

As a consequence, the Australian Communications and Media Authority (ACMA), in a recent paper,[2] has proposed that while the National Cloud Computing Strategy aims to stocktake the current regulatory framework, a 'single coherent framework' should still be sought. 

The Australian Computer Society's Cloud Consumer Protocol discussion paper may be a useful first step in this regard.  The paper aims to elicit feedback from cloud service providers and customers on the tools and protections that they require in order to acquire and deploy cloud services with confidence and trust. 

Submissions on the Cloud Consumer Protocol paper are open until 5 September 2013.  

[1] IDC EMC, The Digital Universe in 2020: Big Data, Bigger Digital Shadows and Biggest Growth in the Far East, cited in Australian Communications and Media Authority, The cloud – services, computing and digital data: Emerging issues in media and communications (Occasional paper 3, June 2013).

[2] Australian Communications and Media Authority, The cloud – services, computing and digital data: Emerging issues in media and communications (Occasional paper 3, June 2013). 

The importance of social media monitoring

Posted by Nicole Reid and Paul Kallenbach

The use and monitoring by companies and organisations of social media continues to be a fraught issue. Earlier this year, the ASX imposed additional obligations on listed companies to monitor social media for what is being said about them (see our blog post here). But there are potential risks, both legal and non-legal, for other companies too that do not pay sufficient attention to what is being posted on social media sites.

A range of companies have faced criticism for the way in which they have dealt with negative content posted to social media (for example, you might recall a Twitter campaign backfiring on McDonalds earlier this year, and a memorable response by the proprietors of a US restaurant to criticism directed at them). There can be serious reputational repercussions for organisations that are seen as not properly managing online dialogue with their customers and other stakeholders.

From a legal perspective, the biggest risks for organisations arise from content that third parties post to their social media sites. So far, there is limited guidance from Australian courts about when a company may have legal responsibility for such content. One exception to this is the Federal Court's decision in Australian Competition and Consumer Commission v Allergy Pathway Pty Ltd (No 2) [2011] FCA 74. In this case, Allergy Pathway was found guilty of contempt of court for breaching undertakings it had given to the ACCC not to make or publish representations similar to those which had earlier been found to be misleading or deceptive. The conduct that amounted to contempt of court was the posting to Twitter and Facebook by third parties of testimonials containing such representations. Although Allergy Pathway did not post the content itself, it became aware of the testimonials but failed to remove them, and the court agreed with the ACCC's argument that this was sufficient to render it liable for the content.

A similar position to that adopted by the Federal Court in the Allergy Pathway case was also taken by the Advertising Standards Bureau (ASB) in its decision that content posted to the official Victoria Bitter Facebook page breached the Advertiser Code of Ethics, even though the offending content was posted by users (albeit in response to questions posed by the company) rather than by the company itself.

The importance of the issue of responsibility for third party content is highlighted by the fact that two advertising industry bodies in Australia have recently released guidelines on monitoring social media. The best practice guideline issued in 2012 by the Australian Association of National Advertisers (AANA), the body that develops the Advertiser Code of Ethics applied by the ASB, advocates regular monitoring of social media against the standards in the Code and sets out specific timing for such monitoring to take place.

On the other hand, the guidelines issued in June by the Interactive Advertising Bureau Australia (IAB) take a more robust approach. The IAB states in the guidelines that user comments 'do not constitute advertising' unless they are endorsed by the organisation, and that organisations should not be too conservative in moderating social media as this may 'adversely impact their presence on social platforms'. The IAB does, however, note that there may be a need to remove illegal posts, and recommends that companies follow the recommendations published by the ACCC in relation to avoiding liability for misleading or deceptive content on social media (which are reproduced in the guidelines).

So what should an organisation do about moderating its own social media sites, especially in light of the competing views of these two industry bodies?

We agree with the IAB that a company should tailor its approach to social media monitoring taking into account the areas of risk for the company (both legal and non-legal), and the social media landscape in which it operates, as well as the resources available to monitor social media, rather than attempting to adopt a one-size-fits-all approach. However, in doing so, it is important that the full range of potential risks be considered. These risks include not only the risks of an adverse decision by the ASB or an action for misleading or deceptive conduct (by either the ACCC or a third party, such as a customer or a competitor), but also:

• legal liability for defamatory content if the organisation has published that content and does not have a defence available to it, such as innocent dissemination (see our earlier blog post considering this issue in the context of user generated reviews);
• legal liability for authorising copyright infringement (particularly where the organisation has solicited users to post content such as videos or photographs that may contain third party copyright content used without permission);
• legal liability for offensive material, including under legislation prohibiting racial or religious vilification; and
• other reputational risks from hosting content that may not breach any laws or advertising standards but that may offend customers or other members of the public (and may also breach the rules of Twitter, Facebook or other social media platforms).

We recommend that organisations develop their own views about the level of social media monitoring that is required, taking into account the guidance of both the AANA and the IAB, as well as factors specific to the organisation and the industry in which it operates.

It is also important to ensure that the individuals who carry out any such monitoring are aware of the various types of content that may be problematic, including the range of legal issues associated with user generated content, and the ways in which this can be dealt with.  Finally, as part of the organisation's preparation for effective social media monitoring, it should ensure that the terms of the organisation's social media sites clearly set out the organisation's expectations about what content may be posted, and what action it may take in relation to content that falls short of the required standards.