Bowen Buchbinder Vilensky

Cloud Storage – What is the Legal Position in Australia?

By Leslie Buchbinder, Director at Bowen Buchbinder Vilensky Lawyers

13 January 2015

Many of us use cloud storage routinely these days as a quick and inexpensive way to keep and share photos and documents.  Increasingly, private and public sector organisations are using cloud storage too.  But it’s important to know that there are legal implications in the way that organisations store personal information.

Changes to the Privacy Act made in March 2014 are directly relevant to all Australian organisations with a turnover of $3 million or more, or which are Government agencies.  Such an organisation can be described as an Australian Privacy Principle  (APP) entity, to which the Privacy Act applies to the way that the organisation gathers, stores and uses personal information.

On the specific subject of using cloud facilities to store information, organisations should be aware of the following.

The Privacy Act applies to Cloud service providers whether they are located in Australia or overseas.  For example, a Cloud provider must give users access to their personal information upon request, must take reasonable steps to secure personal information from mis-use, interference  or unauthorised access, and must delete information that is no longer needed for the purpose for which it was originally collected.

People may be concerned that the offshore locations where data is stored may not have privacy laws similar to those in Australia.  Organisations who use such Cloud servers should be aware of amendment APP8 which regulates the disclosure or transfer of personal information to a different entity (including a parent entity) offshore.  APP8 requires that before disclosing personal information to an overseas recipient, an Australian organisation must:

  • Take reasonable steps to make sure that the overseas recipient will not breach the APPs and the Australian organisation will be accountable for such a breach; or
  • Make it known to the relevant individual(s) that his or her information will not be protected by APPs after the disclosure to the overseas recipient and obtain the individual’s consent to the disclosure OR form a reasonable belief that the overseas recipient is subject to laws substantially similar to the APPs.

What is a ‘reasonable belief’?  The obtaining of independent legal advice by an organisation in regards to foreign privacy protections will provide a strong basis for a ‘reasonable belief.’


If your organisation is an APP entity and you are thinking of using a cloud storage provider, be aware that you are responsible  for ensuring compliance with Australia’s Privacy Act.  If the cloud provider in question is based off-shore, you would be well-advised to seek legal advice to ensure that the provider is subject to laws substantially similar to those which operate in Australia.

Leave a comment

One Response to “Cloud Storage – What is the Legal Position in Australia?”

  1. Thank a lot for sharing details.

Leave a Reply

Please read the TERMS AND CONDITIONS before posting.

Current day month ye@r *