Customer data subject consent
10. Is express consent from customers or other data subjects required before moving data to the cloud?

Australian privacy law generally only requires an individual's consent to be obtained in certain limited circumstances (e.g., where an Australian-regulated entity wishes to use or disclose personal information for a secondary purpose that does not fall within any of the exceptions in Australian Privacy Principle ("APP") 6).

It would be unusual for a new express consent to be required in order to move an individual's personal information to a cloud service provider. This is because any disclosure of data to a cloud service provider for a back-end purpose would likely be permitted on another basis under APP 6 (e.g., because it is for a related secondary purpose that the individual would reasonably expect, or potentially because there are reasonable grounds for implying consent in the circumstances, strengthened by disclosures already made and consent already obtained via existing privacy policies, collection notices and customer terms).

Obtaining consent from relevant individuals is also currently one of the exceptions to the overseas disclosure obligations in APP 8 (there are proposals to remove this exception). However, the requirements for obtaining a valid consent for such purposes are quite onerous and it would be unusual, in the context of a cloud services implementation, to seek express consent just for the purpose of obtaining an exception to APP 8.

The Privacy Act 1988 (Cth) ("Privacy Act") has recently been reviewed, and legislative changes that ultimately result from the review may have some implications for cloud outsourcing arrangements. For example, the report on the review of the Privacy Act proposed some revisions to the law on overseas disclosures of personal information, such as changes to the consent exception to APP 8 and the introduction of standard contractual clauses that could be used to facilitate overseas disclosures.

Additional requirements apply for data that is part of the Consumer Data Right scheme.