Australia: Storm clouds ahead? When information in the cloud is evidence

Last Updated: 15 April 2014


In Part 1 of this article, we considered the issues surrounding data privacy in the cloud. In Part 2, we now turn to consider the issues which arise when using data stored in the cloud as evidence in support of investigations or litigation.

Most investigations and litigation discovery processes involve the review of electronic information held by organisations, such as emails, documents and internet histories. Organisations are often required to provide specific information to third parties, such as law enforcement authorities, within a short timeframe.

Whilst cloud infrastructure may improve remote access to an organisation's data, in some cases from anywhere in the world, it also reduces an organisation's direct control over the data. This means that when faced with the need to quickly produce or disclose information, organisations who store data in the cloud face some unique challenges.

In this article, Ronald Holtshausen from our Perth office considers the key issues surrounding the use of data in the cloud for litigation and law enforcement, including:

  • acquiring data from the cloud
  • the risk of modification of data
  • data sovereignty
  • data possession and control.

Data acquisition from the cloud

Imagine that your organisation has just found out that it faces investigation by a regulator - it may need to provide the regulator with a large volume of data within a short time frame. Complying with this deadline will be hard. Even if there is no such specific request, the organisation needs to understand what data it has and perhaps start its own review of that data. But then you remember - your organisation stores some, or all of its financial, operational and email data in the cloud. What can be easier, you think. Doesn't storing company information in the cloud make data easy to access?

Unfortunately, that is not necessarily the case when it comes to acquiring and preserving a copy of an organisation's data from the cloud for investigation and litigation purposes - this can prove to be slower, and more complex than originally perceived. It can also be costly, particularly if contractual arrangements are not in place for such an event.

Conventional computer forensic acquisition procedures look to acquire and preserve data from a storage device which the investigator can physically access. The investigator can then take the appropriate precautions to isolate the data from further access and ensure it is not altered or modified during the preservation, whilst also ensuring adherence to any specifications of the search or disclosure orders.

However, in many cases, data contained in the cloud will be stored in remote infrastructure that is shared by multiple organisations. This may limit an investigator's ability to physically access the data storage facilities and isolate it from further potential modifications. The investigator may then need to employ a different approach in order to acquire the data remotely, potentially being hampered by issues such as slow connection speeds to the cloud provider.

Risk of modification of data

Many investigators rely upon metadata (such as author information, file creation, modification and access times) as part of their work, for example, to piece together a sequence of events by preparing a chronology of a document's creation and modification.

Unfortunately, whilst a cloud facility may increase an organisation's ability to access its data, it also increases the risk of potential data modification (accidental or deliberate) by employees and the cloud provider.

Simple maintenance activities performed by a cloud provider can modify metadata associated with data. This includes activities such as backups, imaging, data relocation and data replication. This means that data which could prove crucial in investigating a user's activity may be modified or lost.

When accessing data in the cloud (known as a 'remote acquisition') for litigation purposes, it is crucial that appropriate precautions are taken to preserve data artefacts that may be modified by simply downloading the data from the cloud. We recommend that all remote acquisitions are done by experienced professionals.


Mr Smith resigns from his software development job at Jones & Co and is immediately walked out of the building by security. Mr Smith sets up his own business with the intent of developing and selling similar software to that designed and owned by his former employer. Jones & Co becomes concerned that Mr Smith has stolen its intellectual property.

Jones & Co investigates whether Mr Smith accessed and copied its proprietary software designs and source code before his resignation. They therefore want to establish the date at which the software or source code was last accessed, and by whom.

Jones & Co stores its software specifications and source code in the cloud, so it asks its cloud provider to check the metadata of the relevant files. Unfortunately, the cloud provider does not make a forensically sound copy of the files, and so accidentally 'accesses' the files during this check. At approximately the same time Jones & Co's data gets replicated from the Singapore data centre to the cloud provider's German data centre. The data's replication to the German data centre has now resulted in further changes to potentially crucial metadata. This means that the previous date of access and modification was updated, and there is no longer any evidence linking Mr Smith to the file.

Jones & Co are not able to provide any metadata to establish the theft of their intellectual property, and Mr Smith continued to run his own business as a competitor to Jones & Co.
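
One way to take the precaution described in this section, shown as an added example that is not part of the original article: record a file's timestamps before any read touches it, read it once without updating its access time where the operating system allows, and keep a hash-verified working copy plus a manifest. The function name `acquire`, the manifest file name and the sample file are assumptions for illustration, and the sketch assumes the cloud data is reachable as a file path (for example a mounted share).

```python
"""Added example: metadata-preserving acquisition of a single file."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def _open_quiet(path):
    """Open read-only, asking the OS not to update the access time."""
    flags = os.O_RDONLY | getattr(os, "O_BINARY", 0)
    try:
        # O_NOATIME exists on Linux only and is refused for files we do not own.
        return os.open(path, flags | getattr(os, "O_NOATIME", 0))
    except PermissionError:
        return os.open(path, flags)


def _read_once(source, dest=None):
    """Hash `source` in one pass, optionally writing the bytes to `dest`."""
    digest = hashlib.sha256()
    # "xb" refuses to overwrite evidence collected earlier.
    out = open(dest, "xb") if dest else None
    try:
        with os.fdopen(_open_quiet(source), "rb") as src:
            for chunk in iter(lambda: src.read(1 << 20), b""):
                digest.update(chunk)
                if out:
                    out.write(chunk)
    finally:
        if out:
            out.close()
    return digest.hexdigest()


def acquire(source, evidence_dir):
    """Copy `source` into `evidence_dir` and return its manifest entry."""
    before = os.stat(source)  # stat() does not change any timestamp
    os.makedirs(evidence_dir, exist_ok=True)
    copy_path = os.path.join(evidence_dir, os.path.basename(source))
    entry = {
        "source": os.path.abspath(source),
        "size": before.st_size,
        "mtime_ns": before.st_mtime_ns,
        "atime_ns": before.st_atime_ns,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "sha256": _read_once(source, copy_path),
        "copy": copy_path,
    }
    # Verify the working copy before anything relies on it.
    if _read_once(copy_path) != entry["sha256"]:
        raise RuntimeError("working copy does not match source hash")
    # Stamp the recorded times onto the copy so later review sees them.
    os.utime(copy_path, ns=(before.st_atime_ns, before.st_mtime_ns))
    # Report honestly whether our own read moved the source access time.
    entry["source_atime_changed"] = (
        os.stat(source).st_atime_ns != before.st_atime_ns
    )
    with open(os.path.join(evidence_dir, "manifest.jsonl"), "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


if __name__ == "__main__":
    # Constructed sample file standing in for a design document.
    workdir = tempfile.mkdtemp()
    sample = os.path.join(workdir, "design-spec.txt")
    with open(sample, "wb") as fh:
        fh.write(b"constructed sample content\n")
    print(json.dumps(acquire(sample, os.path.join(workdir, "evidence")), indent=2))
```

Timestamps kept by a cloud provider's own storage layer may differ from what a mounted path reports, so the manifest records only what the acquiring host could observe.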

Data sovereignty and international concerns

Data sovereignty is the concept that information which has been converted and stored in a digital form is subject to the laws of the country in which it is located.

Data sovereignty is a key issue for organisations that use the cloud for data storage. Cloud providers often store data in offshore storage facilities to reduce costs. As a result, an organisation's data could physically be held in storage locations anywhere in the world and, potentially, in a number of different jurisdictions.

The long arm of overseas legislation

Because data may be stored outside Australia, it is important that organisations understand the privacy laws of the country where the data is located, as these may apply in contractual agreements with cloud providers.

Organisations may even find their data susceptible to foreign government access in relation to investigations or litigation overseas.

For example, through the use of the American Patriot Act, brought in as a response to the events of 11 September 2001, the US Government and its agencies have powers to access Australian data held by US owned cloud providers and their subsidiaries, wherever they may be located.

This includes both:

  • Australian data held in Australia by a US owned cloud provider
  • Australian data located in the US by an internationally owned cloud provider.

Susceptibility to foreign government access does not stop with the US. A study carried out by Hogan Lovells, an international law firm, found similar data access laws in other countries 1. The governments of the United Kingdom, Germany, France, Japan and Canada have similar laws in place allowing them to obtain personal data stored in the cloud during the course of a government investigation.

Data Sovereignty and Australian Privacy Laws

When storing data in the cloud, an organisation should be aware that the legal obligations over the protection of the data still reside with them under the Australian Privacy Principles 2 (APP 5 and APP 8).

APP 5 requires that upon data collection from a customer, organisations notify individuals of their intention to disclose personal information to recipients overseas 3. They must also specify the location in which these disclosures may take place, if practicable to specify those countries.

APP 8 requires that before disclosing personal information to an overseas recipient, the organisation must also take reasonable steps to ensure the recipients will not breach the Australian Privacy Act. An exception to this is if the overseas entity is an 'agency' 4 and:

  • the disclosure of the information is required or authorised by or under an international agreement relating to information sharing to which Australia is a party; or
  • the [organisation] reasonably believes that the disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body and the recipient is a body that performs functions, or exercises powers, that are similar to those performed or exercised by an enforcement body.

This means that if an organisation is required to provide data as part of an investigation, either by an Australian or foreign law enforcement agency, then it is not required to inform the customer of the disclosure of that data. However, organisations should determine whether their cloud provider is required to notify them of such requests as part of their contractual arrangements.

Issues with possession and control

In dealing with data stored in the cloud, it is important to understand not only where the data resides (the entity which has possession of it), but also which entity utilises the data and is able to modify it, i.e. the entity which is in control of the data.

As we have discussed, many organisations who place their data into cloud storage may be required to produce this information for legal or investigative purposes; but to whom should investigators address these data requests? Should it be the user organisation, as they are the uploader or generator of the data and already have access to it? Or should it be the cloud entity, as they are the entity who have possession of the data storage?

A Singapore Case

A recent Singapore case 5 has discussed this very notion of possession and control of data from a legal discovery point of view when storing email communications and their attached data in the cloud. In particular, there was much discussion around the technical aspects of who has possession and control of 'cloud based email services'.

"This is because, in so far as emails accessed using web browsers are concerned (such as Gmail, Yahoo, Hotmail, and web-based/off-site corporate email accounts), the email user does not technically have possession and custody over the emails, as the emails are stored on mail servers and data centres sited in remote locations. In this case, the user may still download and save a copy of the emails in his computer, hard disk, smart phone, tablet device, or some other compound document. However, unless the user has saved his emails in his computer or in similar devices, what the user has in his possession is not the email itself, but the username and password to access the emails in the possession of the email provider. To this end, the email provider is in effect a custodian of the electronically stored information in the user's email account." 6

With this in mind, a suitable understanding of the cloud infrastructure should be obtained before drafting discovery orders to ensure that they are correctly instructing the entities, and more importantly, identifying the correct entity when making orders for discovery.

The judge in the Singapore case allowed the application for discovery, and commented from a practical perspective, saying:

"The plaintiffs are not seeking discovery of physical printouts of emails kept by the defendants, neither are they seeking discovery of soft copies of emails saved in the defendants' computers, smart phones or other compound documents (storage devices or database). If this was the case, the defendants can be found to be in possession and custody of these physical printouts, or the saved softcopies kept in their computers. Instead, the plaintiffs are seeking discovery of the emails in the defendants email accounts." 7

On this basis, at least from a Singapore perspective, it suggests that for disclosure of web based email, suitable care should be taken to determine where the data may reside and which entity the discovery orders should be served on.

In our experience the appropriate use of forensic tools, together with the express permission of the web based email account user (and assuming there are no issues with the terms and conditions of the web based email provider) can allow for the appropriate collection of web based email accounts.

To date, we are unaware of any Australian cases regarding such a scenario but there could be significant implications for data privacy.

In the definitions of the Privacy Act an entity 'holds' personal information if it has possession and control.

Could it be that Google or Hotmail might be deemed to be holding personal information through its hosting of email accounts?

Our recommendations

Storing data in the cloud has obvious cost benefits, but organisations who do so must address some unique challenges when faced with an investigation or litigation. In particular, the risks surrounding data privacy in the cloud (as discussed in the last article) mean that it is important to be 'litigation ready'.

We suggest that:

  • All remote acquisition is undertaken by an experienced forensic technology professional, to avoid the risks of data modification.
  • Alternatively, organisations may request cloud providers to assist investigators in acquiring data. This scenario should be discussed as part of contractual agreements to avoid additional costs; however, organisations should ensure that the cloud provider has the requisite experience to do this without modification of the data.
  • Organisations should obtain confirmation (and ensure regular updates) from cloud providers of the location in which their data is stored, and whether the local legislation will apply.
  • Whilst requests from regulatory and law enforcement agencies for data stored in the cloud may be unavoidable, ensure that suitable contractual arrangements are in place, including whether your cloud provider is required to notify you of such requests.
  • Legal teams should give due consideration to the wording in their orders for the discovery of cloud based data. Again, expert assistance can assist in ensuring that the appropriate information is collected in a timely manner.

So, ask yourself, when your organisation is faced with litigation, or required to provide evidence as part of an investigation, how ready will you be?


1 See detail.aspx?news=2268
2 See privacy-resources/privacy-fact-sheets/privacy-fact-sheet- 17-australian-privacy-principles_2.pdf.
3 See engaging-with-you/current-privacy-consultations/Draft-APP- Guidelines-2013/Draft_APP_Guidelines_Chapter_8.pdf
4 As defined by the Privacy Act 1988, Section 6, an agency would include most Commonwealth government bodies and representatives, including the AFP and the Federal Court. See pa1988108/s6.html
5 Dirak Asia Pte Ltd and another v Chew Hua Kok and another [2013] SGHCR 01
6 Dirak Asia Pte Ltd and another v Chew Hua Kok and another [2013] SGHCR 01 [12]
7 Ibid [11]

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
