The growth of cloud computing may mean an update to regulations protecting Australians’ personal data is required, according to Australian Communications and Media Authority (ACMA) chairman, Chris Chapman.

“Many of the existing personal data protections were developed in a pre-Internet age,” Chapman said at the launch of a whitepaper outlining data sovereignty issues facing businesses. The paper was co-written by the University of New South Wales, insurance company Aon and law firm Baker McKenzie, and sponsored by data centre provider NextDC.

“The developing nature of cloud services has brought many new service providers to the Australian market [and] many are not communications market players as they’re currently defined in existing legislation,” Chapman said. Those new players “may not be familiar with existing regulatory obligations such as the consumer safeguards and protections.”

It’s “inevitable” that law will lag behind technology, said Adrian Lawrence, a Baker McKenzie attorney who co-authored the data sovereignty whitepaper. “Businesses will move faster than the law can keep up.” It’s even more difficult for government to keep up with cloud because cloud is an international issue, he said.

Chapman called for a “unified, coherent regulatory framework” for cloud computing. He referred to a paper released last month by ACMA supporting an industry-written cloud computing code of conduct to improve consumer confidence in service providers.

“From a regulatory perspective, the ACMA sees that there is a clear and present collective need to address concerns about personal data protections, and also understands that these issues are a complex environment that spans national and international law,” he said.

Nearly 71 per cent of Australians use a cloud computing service, but few understand how cloud works and even fewer understand related data protections, Chapman said.
Industry must offer citizens adequate information and protections so they may better assess the risks, he said.

“Confidence is critical,” said NextDC CEO Craig Scroggie. “As an industry, we’re really only ever one disaster away from eroding confidence that has built up over time in cloud computing.”

However, Scroggie and other officials said much uncertainty about data sovereignty and other issues related to the cloud exists among CIOs. NextDC customers consistently ask about their issues around data sovereignty and data breach notification, said Scroggie. “We still have customers who are uncertain about what their obligations are,” he said.

Location of the data centre is a top concern for CIOs, according to Stephen Wilson, principal consultant at Lockstep Consulting, specialising in privacy, digital identity and authentication. CIOs want to know where the data is, how to be sure a data centre is meeting Australian jurisdictional obligations, and what new obligations arise if a data centre is located overseas, he said.

Recent headlines about the US National Security Agency’s surveillance program PRISM have heightened Australian businesses’ concerns about data sovereignty, officials said. “Three months ago, not many people thought it was interesting,” said David Vaile, report co-author and UNSW executive director of the UNSW cyberspace law and policy centre. “Today they do.”

Many NextDC customers’ concerns about data sovereignty surfaced after the PRISM headlines broke, Scroggie said. A similar thing happened when it was revealed that US soldier Bradley Manning had passed classified material to WikiLeaks, he said.

The authors of the whitepaper said that data sovereignty is an issue that can’t be ignored by anyone in an organisation.
Among other suggestions, the whitepaper advises that cloud customers review international laws that may govern their data, ensure their cloud provider complies with local laws in the jurisdiction where data is stored and check whether the business’s data is covered by the provider’s insurance policy. The paper also recommends that businesses carefully assess what data must be housed in Australia.

“It’s no longer just an IT responsibility,” said Eric Lowenstein, client manager at Aon. “It is something with which you need to engage all stakeholders in your business.” That includes legal, communications, marketing, the CFO and CEO, he said.

“It’s clear … that data stored offshore will be subject to the laws of the jurisdiction in which it’s stored,” said Lawrence. “Consumers, businesses, anybody who wants to deal with data needs to accept that proposition and deal with it.”

Follow Adam Bender on Twitter: @WatchAdam