Privacy changes could affect Cloud projects

It is important to plan ahead when hopping into the Cloud. Cloud-hopping companies and their suppliers need to know where their data is going, and should plan for the possibility that they may later wish to hop out, or switch Cloud providers.

Geography matters

It is nice to imagine that we are now in a virtual global village, and that the location of data and software is irrelevant. But the location of software, data and the parties can affect legal obligations, so it is wise to know where your data is.

Under Australian privacy laws, for example, organisations may not transfer information to somebody in a foreign country unless the recipient of the information is subject to a law or binding scheme similar to the National Privacy Principles that apply in Australia, or another exception such as consent applies.

Under proposed new Australian privacy laws, an Australian entity that discloses information about an identifiable individual outside Australia will be liable for any breaches by recipients of the Australian Privacy Principles, unless the organisation reasonably believes that the recipient is subject to similar laws or a binding scheme that can be enforced by the affected individual, or another exception such as informed consent applies.

The proposed laws also oblige entities to take reasonable steps to inform individuals of the countries in which information about them is likely to be disclosed.

It is also important to know what enforcement mechanisms exist in each relevant place. If enforcement is difficult or expensive, the leverage that legal rights provide may be substantially reduced.

Transition-out

It is usually easier to agree on transition-out arrangements at the beginning of a relationship than the end. There are some specific issues that parties should bear in mind.

If data is stored in a proprietary database or can only be accessed using proprietary software, you should consider whether any application or database software licences might be required to transition-out.

Specialised third party data extraction or migration software may be required in order to move away from a Cloud service provider, so it is best to consider whether it is required and the availability of a licence up?front. You might also arrange for an escrow agent to hold copies of certain software or tools so that they can still be accessed in case the supplier is unable or unwilling to provide them when required.

If data is stored in complex databases, it is possible the database structure or data formats are the intellectual property of the Cloud service provider. In these circumstances, even if you have access to your own data, you may be unable to migrate the data into new systems without a licence. Clarify the ownership of and licensing of all relevant material in the agreement.

Contracts should clearly state whether the Cloud service provider will be expected to provide ‘business as usual’ services until the end of the transition out. Customers and suppliers should consider whether service levels should continue to apply, if the cloud service provider will continue to be paid for services, and if other normal contract provisions (importantly, those dealing with liability and risk allocation) continue to apply, and for how long. Consideration also needs to be given to the return and destruction of data. The National Privacy Principles, which currently apply to most Australian businesses, require that reasonable steps be taken to destroy or de-identify information about individuals when it is no longer required for a legitimate purpose.

On the other hand, it is sometimes necessary to retain data. For example, it is sometimes a crime in Victoria to destroy data relevant to actual or anticipated disputes.

In some cases, the sharing of hardware may also affect whether data can be permanently destroyed. As with all outsourcing agreements, companies need to enter Cloud computing agreements with their eyes wide open and manage risks.