Use the Lexology Getting the Deal Through tool to compare the answers in this article with those from other jurisdictions.
Kinds of transaction
What kinds of cloud computing transactions take place in your jurisdiction?
In Australia, many kinds of cloud computing transactions take place, but the market is primarily composed of four service models and four deployment models. The four service models are:
- software-as-a-service (SaaS), providing software services hosted from the cloud;
- platform-as-a-service (PaaS), providing an environment for the development and hosting of applications;
- business processing-as-a-service (BPaaS), delivering business process outsourcing services that are sourced from the cloud; and
- infrastructure-as-a-service (IaaS), offering data centre capacity, processing resources and storage.
Within each of the service models, there are four main deployment models:
- the private cloud – for exclusive use by a single organisation;
- the community cloud – for exclusive use by a specific community of users from organisations that have shared concerns;
- the public cloud – for open use by the general public and owned by an organisation selling cloud computing; and
- the hybrid cloud – composed of two or more distinct cloud infrastructures.
Typically, Australian cloud computing services providers come from communications carriers and information, communications and telecommunications (ICT) providers. Established Australian ICT providers, Telstra and Optus, have both significantly expanded their cloud offerings in 2016-2017.
Active global providers
Who are the global international cloud providers active in your jurisdiction?
The global cloud computing service providers servicing the Australian market include Amazon Web Services, Microsoft, Oracle, Salesforce, IBM, Rackspace and Hewlett Packard.
Active local providers
Name the local cloud providers established and active in your jurisdiction. What cloud services do they provide?
The local cloud computing service providers in Australia include Macquarie Telecom, Vault Systems, SlicedTech, Cloud Central, Ultraserve, Brennan IT and Servers Australia.
The larger providers including Macquarie Telecom and Vault Systems provide a hybrid cloud service as well as a private cloud and servers. SlicedTech also provides a hybrid cloud, with a focus on production and backup storage.
The types of cloud services provided range from open and private cloud platforms and dedicated servers to storage. For example, Macquarie Telecom provides a hybrid cloud, VMware cloud, private cloud, colocation, dedicated servers, managed hosting, management tools and data centre extensions. Vault Systems provides similar features, including a hybrid cloud, open cloud platforms, private networks, a virtualised server and backup storage. While SlicedTech provides a hybrid cloud, it also provides production and backup storage.
How well established is cloud computing? What is the size of the cloud computing market in your jurisdiction?
Australia is a keen adopter of cloud computing. Cloud computing is a fast-growing industry in Australia and IT research firm Gartner forecasts that public cloud services will reach A$4.6 billion in 2018 and $5.45 billion in 2019. The growth from 2017 to 2018 is largely driven by a nearly 25 per cent increase in spending on SaaS offerings. Accordingly, Australia offers opportunities for growth in cloud services, with its developed ICT infrastructure well suited to cloud computing.
Gartner has also noted that security and privacy concerns have inhibited public cloud adoption. There appears to be room for more education to help organisations overcome such concerns to continue the high rate of predicted growth in adopting cloud computing.
Are data and studies on the impact of cloud computing in your jurisdiction publicly available?
Yes, both the Australian government and industry bodies have published reports on the impact of cloud computing.
At a government level, the Australian Bureau of Statistics completes an annual survey of IT Use and Innovation in Australian Business. Some of this data provides details about the number of Australian businesses using commercial cloud computing services. Furthermore, the Australian Communications and Media Authority published ‘Communications Report Series – Report 2 Cloud Computing in Australia’ in March 2014, which noted the government cloud computing strategy to relocate critical data to a secure government cloud from older infrastructure.
At an industry level, organisations and research firms have published reports that discuss the impact of cloud computing in Australia. International Data Corporation’s end-user study Cloudview surveys Australian businesses. In addition, organisations including Media Access Australia have reported on the impact of cloud for specific users, such as people with disabilities, in ‘The Accessibility of Cloud Computing – Current and Future Trends.’ Baker McKenzie also conducts an annual Cloud and Digital Transformation Survey that surveys vendors, professional advisers and customers of cloud computing services.
Encouragement of cloud computing
Does government policy encourage the development of your jurisdiction as a cloud computing centre for the domestic market or to provide cloud services to foreign customers?
The Australian government is committed to developing the country as a cloud computing centre for the domestic market and to provide international cloud services. The Australian government’s Digital Transformation Agency launched a new cloud strategy for government agencies in February 2018, which focuses on building public sector understanding of cloud and confidence in using it. Furthermore, Australia’s trade-friendly policy environment makes the country an attractive market for overseas cloud exporters, where current leaders in the Australian cloud services market include international companies such as Amazon Web Services, IBM and Microsoft.
The Australian government has identified three core goals to achieve its cloud services vision – by maximising the value of cloud computing in government; promoting cloud computing to small businesses, not-for-profits and consumers; and supporting a vibrant cloud services sector in Australia. This was followed by the publication of the Australian Government Cloud Computing Policy, which outlined the goal of the government to reduce the cost of government ICT by ‘using cloud services to reduce costs, lift productivity and develop better services’.
Are there fiscal or customs incentives, development grants or other government incentives to promote cloud computing operations in your jurisdiction?
We are not aware of any Australian governmental incentives or grants that specifically promote cloud computing. However, more general grants such as the ‘business growth grants’ are one of the services of the Australian government’s Entrepreneurs’ Programme, which encourages businesses to update IT systems. The business growth grants provide eligible businesses with up to A$20,000 for a business improvement project, and intends to help small businesses and start-ups in Australia grow quickly and create more jobs.
Legislation and regulation
Recognition of concept
Is cloud computing specifically recognised and provided for in your legal system? If so, how?
No, there is no specific reference to cloud computing in legislation. However, regulators have referred to it as a distinct concept (eg, the Privacy Commissioner specifically refers to cloud computing in guidelines regarding the application of privacy laws in Australia).
Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?
What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?
The Privacy Act 1988 (Cth) (the Privacy Act) regulates any overseas disclosures of personal information, a matter that is clearly relevant to many cloud computing implementations. Any organisation covered by the Australian Privacy Principles under the Privacy Act must comply with certain obligations when disclosing personal information outside of Australia.
Under Australian Privacy Principle 8, before disclosing data outside of Australia, the party disclosing the data must take such steps, if any, as are reasonable to ensure that the recipient does not breach the Privacy Act. Unless an exemption applies, the disclosing party will be liable for any breaches of the Privacy Act by the recipient. One exception is if the disclosing party reasonably believes that the recipient is subject to a law or binding scheme that has the effect of protecting the information to at least a substantially similar level to the Privacy Act, and there are mechanisms that the individual to whom the information relates can access in order to enforce that law or binding scheme. Consent is a further exception, provided an individual consents to the disclosure of the personal information to the overseas recipient having been informed that by doing so the disclosing entity will not be held liable for the actions of the overseas recipient with respect to that personal information.
The Australian Prudential Regulation Authority also has Prudential Standard CPS 231 regarding outsourcing, which requires that all outsourcing arrangements (which would typically include the use of cloud services) involving material business activities entered into by an APRA-regulated institution be subject to appropriate due diligence, approval and ongoing monitoring.
Breach of laws
What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?
The Australian privacy regulator (the Office of the Australian Information Commissioner) has the power to investigate matters (based on complaints or the regulator’s own initiative), accept enforceable undertakings, make determinations, bring proceedings and apply to a court for a civil penalty order in certain cases. Civil penalties for serious interferences of privacy can be up to A$2.1 million for corporations.
Consumer protection measures
What consumer protection measures apply to cloud computing in your jurisdiction?
The Australian Consumer Law, the primary consumer protection legislation in Australia, will apply to any cloud computing services supplied to individuals or small to medium businesses in Australia. This includes an unfair contract terms regime and statutory consumer guarantees.
The unfair contract terms regime renders void any ‘unfair’ terms in standard form consumer or small business contracts and, in the case of small businesses, applies when:
- at least one of the parties is a ‘small business’ (ie, employs fewer than 20 people, including casual employees employed on a regular and systematic basis);
- the upfront price payable under the contract is no more than A$300,000 (or A$1 million if the contract is for more than 12 months); and
- it is for the supply of goods or services or the sale or grant of an interest in land.
A term of a standard form small business contract will be considered to be unfair if:
- it would cause a significant imbalance in the parties’ rights and obligations under the contract;
- it is not reasonably necessary to protect the legitimate interest of a party to the contract (note that the party who would be advantaged by the term must prove that it is reasonably necessary); and
- it would cause detriment to a party to the contract if it were to be applied or relied upon.
The statutory consumer guarantees will also apply if individual goods or services being provided are deemed to be valued at less than A$40,000. These guarantees relate to being of acceptable quality, fit for a particular purpose, matching description, title, repairs or spare parts, possession and securities.
Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.
There are obligations under the Prudential Standard CPS 231 for certain regulated organisations in the financial services sector seeking outsourcing services outside of Australia.
Additionally, certain government departments have their own policies regarding the use of cloud computing services such as the Department of Finance (see, for example, the Australian Government Cloud Computing Policy).
Outline the insolvency laws that apply generally or specifically in relation to cloud computing.
There are no insolvency laws in Australia specific to the provision of cloud computing services.
General insolvency laws in Australia will operate in the context of cloud computing services in relation to the insolvency of an Australia-based cloud provider. Such laws could, in relevant circumstances, result in the appointment of an insolvency practitioner, such as a receiver, voluntary administrator or liquidator, as the controller of the cloud provider.
In such instances, the rights of customers of the cloud provider will primarily remain regulated under the agreement pursuant to which the cloud services are provided. However, it is clearly possible that such circumstances could lead to the restructuring or ultimately the liquidation of the cloud provider, and the cessation of the relevant services. Key questions at that point include the rights of customers to receive transitional services to enable transition to an alternative provider, as well as access to customer data. In some instances, cloud providers subject to external administration may be entitled to disclaim certain contractual obligations or terminate customer contracts. Customers with claims against such cloud providers will be required to participate in relevant processes as (generally unsecured) creditors.
For contracts entered into after 1 July 2018, contractual rights that arise only because of certain insolvency-related events (entering into an arrangement or compromise in order to avoid an insolvent winding up, the appointment of a receiver or similar, or a company entering into administration) will be unenforceable in certain circumstances. Practically this may limit the enforcement of suspension, termination or step-in rights until the statutory stay on enforcement is lifted by a court order, or consent to enforcement is given by the counterparty (or the administrator, scheme administrator or managing controller appointed to the counterparty).
Data protection/privacy legislation and regulation
Principal applicable legislation
Identify the principal data protection or privacy legislation applicable to cloud computing in your jurisdiction.
The Privacy Act is the primary legislation regulating the collection and storage of personal information in a cloud computing context in Australia.
Cloud computing contracts
Types of contract
What forms of cloud computing contract are usually adopted in your jurisdiction, including cloud provider supply chains (if applicable)?
Reporting by Gartner identifies the following breakdown of cloud computing contracts in the Australian market:
- SaaS – 57 per cent;
- PaaS – 6 per cent;
- IaaS – 12 per cent; and
- BPaaS – 20 per cent.
Cloud management and security services account for the remainder of the market
Typical terms for governing law
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering governing law, jurisdiction, enforceability and cross-border issues, and dispute resolution?
Given that the majority of cloud providers are based outside of Australia, the typical terms are:
- governing law – the governing law of the territory in which the cloud provider is based is commonly selected;
- jurisdiction – it will likely be the jurisdiction where the cloud provider is based;
- enforceability and cross-border issues – although the jurisdiction is often specified to be the jurisdiction in which the cloud provider is based, or at least, is outside of Australia, if the activity is related to Australia (eg, is provided to a business in Australia), an Australian court will likely find that it has jurisdiction over the matter and can enforce a foreign governing law; and
- dispute resolution – arbitration is the most common dispute resolution mechanism in a typical B2B cloud computing implementation in Australia.
Typical terms of service
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and variation?
The typical terms are:
- price or payment – the price is dependent on the service and is easily and quickly variable by the customer;
- acceptable use – standard list of restrictions on use of the service prohibiting unlawful or offensive use, interferences with service provider facilities or network services, security breaches or hacking; and
- variation – the cloud provider can usually vary the terms of the contract with a certain number of days’ notice to the user. The user will have termination rights if the variation is unacceptable.
Typical terms covering data protection
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering data and confidentiality considerations?
The typical terms are:
- Security – the cloud provider will provide its own security guarantees with respect to both processes and architecture rather than agree to customer-specific requirements (depending on the size of the customer). These security measures are usually quite robust given that they are intended to be sufficient to satisfy the requirements of the various levels of customers who obtain the services. Certain providers will identify their compliance with international standards such as the ISO 27000 series.
- Data preservation during the contract term – the cloud provider is likely to offer an additional backup option for its customers. If there is a data breach leading to data loss, the cloud provider does not usually automatically provide for a requirement for the provider to reinstate the data at no cost.
- Location of servers and data – the larger cloud providers, such as AWS, provide options for customers to select where their data will be located subject to higher pricing.
- Cross-border transfers – cloud providers are generally quite transparent about the location of their servers and how customer data may be transferred outside of Australia. However, options to keep data in certain locations are generally offered at an additional price.
- Confidentiality – cloud providers generally require their customers to agree to standard confidentiality protections of provider confidential information. Typically, confidentiality is dealt with as part of a provider’s security measures.
Typical terms covering liability
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering liability, warranties and provision of service?
The typical terms are:
- Liability of the provider or customer, including exclusions, limitations and caps on liability – cloud providers typically tend to seek exclusions of consequential losses including data losses, a liability cap based on a certain number of months of fees (usually 12) across most, if not all, possible heads of damage and also seek to exclude all possible warranties or representations except to the extent permitted by law.
- Warranties from the provider or customer – typically, the provider will limit any specific service-related warranties given to the customer and rely instead on service-level agreements (SLAs).
- Indemnities from the provider or customer – common customer indemnities are for violations of law, wilful misconduct or gross negligence and third-party IP infringement; common provider indemnities are for violations of law, wilful misconduct or gross negligence, data security breaches and third party IP infringement.
- Service availability – each provider will offer its own SLAs with respect to availability.
- Reliability and quality, including service levels and key performance indicators – each provider will offer its own SLAs with respect to availability.
- Business continuity and disaster recovery – most providers will offer this service for an additional cost depending on customer requirements.
Typical terms covering IP rights
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering intellectual property rights (IPR) ownership in content and the consequences of infringement of third-party rights?
Typically in Australia, IPR in uploaded content will be owned by the uploading party (as between the customer and provider). The cloud provider will receive an indemnity for any third-party IP infringement caused by or related to the content uploaded by the customer.
Typical terms covering termination
What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering termination?
The typical terms are:
- Termination rights for provider or customer – customers will generally have more flexible rights of termination with short notice periods. Providers will generally only be able to terminate for serious infractions such as non-curable material breach or insolvency by customer.
- Contractual consequences of termination, including preservation and retention of data on and after termination, or migration to customer or alternative supplier – depending on the nature of the termination, most providers will offer a short period of data retention (eg, 30 days post termination) in order for the customer to retrieve copies of their data. Generally, the provider will not offer any further transition assistance unless paid for as a separate service.
Employment law considerations
Identify any labour and employment law considerations that apply specifically to cloud computing in your jurisdiction.
Applicable tax rules
Outline the taxation rules that apply to the establishment and operation of cloud computing companies in your jurisdiction.
Overview of generally applicable tax rates
- Corporate income tax rate: 30 per cent (27.5 per cent for companies with turnover less than A$50 million for the 2018-19 financial year);
- goods and services tax (GST) rate: 10 per cent;
- royalty withholding tax: 30 per cent (may be modified by provisions of income tax treaties); and
- foreign capital gains withholding: 12.5 per cent.
Cloud computing companies that establish operations in Australia will likely be subject to Australian income tax, and certain employment taxes if they employ people locally (including pay-as-you-go withholding and payroll tax). Further, where a cloud computing company acquires land (for example, to construct a data centre on), they may be subject to state-based stamp duty regimes, where the duty rate can reach up to 13.5 per cent of unencumbered market value of the land acquired by foreign cloud computing companies.
Particularly relevant to foreign multinational cloud computing companies, Australia has recently instituted a set of laws in response to the Organization for Economic Co-operation and Development’s efforts on base-erosion and profit-shifting: the multinational anti-avoidance law (MAAL) and diverted profits tax (DPT). These laws work together to ensure that an appropriate amount of income tax is paid in Australia, and Australia’s tax authority, the Australian Taxation Office (ATO), has been given broad powers to investigate and sanction corporate structures that are seen to result in too little tax being paid in Australia. This means that any cloud computing company looking to establish operations in Australia will need to have close regard to its taxable position, transfer pricing policy, permanent establishment position and application of Australian income tax.
Additionally, where a locally established cloud computing company pays a royalty to a foreign entity (for example, a royalty for use of intellectual property or technology to a foreign parent entity) that royalty may be subject to royalty withholding tax at a general rate of 30 per cent (which may be modified by provisions of an income tax treaty between Australia and another jurisdiction).
Outline the indirect taxes imposed in your jurisdiction that apply to the provision from within, or importing of cloud computing services from outside, your jurisdiction.
Cloud computing services provided from within Australia (for example, from Australian-based servers) will likely be subject to Australian GST. GST is a broad-based consumption tax that applies to the provision of many goods and services (including cloud computing services) at a rate of 10 per cent of the price. For example, if a cloud computing service cost A$110 (GST inclusive), the provider would be required to remit AU$10 to the ATO.
GST is intended to be borne by final consumers, and as such, generally does not represent a real cost to businesses as they are typically able to recover any input GST paid by way of an ‘input tax credit’. However, where an entity makes ‘input taxed supplies’ (with the most notable example being the financial services industry), it is blocked from recovering any GST (unless a ‘reduced’ input tax credit is available).
In relation to cloud computing services provided from outside of Australia, from 1 July 2017, Australia’s new cross-border GST electronically supplied service (ESS) rules may require the cloud computing company to account for GST in certain circumstances. Where a non-resident provides a cloud computing service to an entity that is resident in Australia and not registered for GST (ie, a consumer), and that non-resident’s sales exceed A$75,000 per year (the GST threshold), the non-resident will be required to account for GST.
While the ESS rules are not intended to apply in respect of business-to-business (B2B) transactions, the non-resident supplier is required to collect the Australian Business Number (ABN) and a declaration as to GST registration status from the recipient before treating a B2B transaction as not subject to GST. Practically, this means that while a purely B2B non-resident cloud computing company should not be required to account for GST on its supplies, it is likely to be required to change its onboarding and business systems to ensure that it collects the necessary information from its customers in order to establish that the customers are GST-registered business entities.
Identify and give details of any notable cases, or commercial, private, administrative or regulatory determinations within the past three years in your jurisdiction that have directly involved cloud computing as a business model.
Update and trends
Update and trends
What are the main challenges facing cloud computing within, from or to your jurisdiction? Are there any draft laws or legislative initiatives specific to cloud computing that are being developed or are contemplated?
No updates at this time.