Cloud services have emerged as a new driving force for Australian business. According to the Australian Bureau of Statistics, cloud usage has increased from 42% to 55% between 2018 to 2021 respectively. According to BCG, Australia is one of the most advanced public cloud markets in APAC. The market is expected to grow from a value of US$4.7 billion in 2018 to US$10.5 billion in 2023, with a CAGR of 17% over the next five years. The higher adopter of cloud is Media and Gaming, Retails and Financial services, while Manufacturing and Public Sectors will remain low.

Australia’s public cloud market to continue on a strong path, with businesses increasingly interested in using the cloud to help develop advanced digital capabilities such as Artificial intelligence, machine learning, Internet of Things, Big Data, Blockchain, and government agencies actively using the public cloud to enhance citizen services.

Regulators: 
The Privacy Commissioner, under the Office of the Australian Information Commissioner (OAIC) is the national data protection regulator responsible for Privacy Act oversight.
Office of the Information Commissioner, Northern Territory, Australia is responsible for Information Act 2002 (Northern Territory)
Information Privacy Commission, New South Wales is responsible for Privacy and Personal Information Protection Act 1998 (New South Wales)
The Office of the Information Commission, Queensland is responsible for Information Privacy Act 2009 (Queensland)
The Ombudsman Tasmania Investigates complaints under Personal Information Protection Act 2004
Office of the Victorian Information Commissioner is responsible for Privacy and Data Protection Act 2014 (Victoria)


General Privacy Laws:
Australia has a combination of territory, state and federal Privacy law. The federal Privacy Act was enacted in 1988, and is currently undergoing a review exercise, and the Australian Privacy Principles (APPs) contained in the Privacy Act apply to private sector entities with an annual turnover of at least AU$3 million, and all Commonwealth Government and Australian Capital Territory Government agencies.
Most states and territories in Australia (except Western Australia and South Australia) have their own data protection legislation applicable to state government agencies, and private businesses that interact with state government agencies. These acts include: 
1)Information Privacy Act 2014 (Australian Capital Territory)
2)Information Act 2002 (Northern Territory)
3)Privacy and Personal Information Protection Act 1998 (New South Wales)
4)Information Privacy Act 2009 (Queensland)
5)Personal Information Protection Act 2004 (Tasmania), and
6)Privacy and Data Protection Act 2014 (Victoria)

Data Cross-Border Transfer Requirements:
Personal information may only be disclosed to an organization outside of Australia where the entity has taken reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the personal information. The disclosing / transferring entity will generally remain liable for any act(s) done or omissions by that overseas recipient that would, if done by the disclosing organization in Australia, constitute a breach of the APPs. However, this provision will not apply where any of the following apply:
The organization reasonably believes that the recipient of the information is subject to a law or binding scheme which effectively provides for a level of protection that is at least substantially similar to the Privacy Act, including as to access to mechanisms by the individual to take action to enforce the protections of that law or binding scheme.
The individual consents to the transfer.
A 'permitted general situation' applies.
The disclosure is required or authorized by law or a court order.
Australia is also one of the participating countries for the APEC CBPR system.

Overview:
Alibaba Cloud offers a high degree of flexibility in designing and implementing the IT architecture on the cloud with two Availability Zones in Sydney. With proper solution design, it can meet the requirements of security, resilience, recoverability, and performance for regulated entities in the Financial Services industry. Alibaba Cloud has helped several customers minimize the risks of losses in confidentiality, integrity, and availability when moving to a public cloud.
Alibaba Cloud is committed to facilitating the customers in compliance with the financial industry-specific regulatory requirements, including the initial high-level due diligence and risk assessment, solution selection, implementation and transition, and post-implementation assurance. Alibaba Cloud provides a full suite of offerings that can help, including responses in every due diligence evaluation aspect, best practices in services and product configuration, automated and continuous security check tools, as well as assurance over the design and operational effectiveness of internal controls.

Regulator:
The Australian Prudential Regulation Authority (APRA) is an independent statutory authority that supervises institutions across banking, insurance and superannuation and promotes financial system stability in Australia.

Guidance and standard on cloud computing services:
The Australian Prudential Regulation Authority (APRA) has released information on the use of shared computing services, such as cloud, by APRA-regulated entities.
The Prudential Standard CPS231 – Outsourcing. sets out APRA’s requirements on outsourcing for regulated institutions.
The Prudential Standard CPS232 – Business Continuity Management sets out APRA’s requirements on Business Continuity management for regulated institutions.
The Prudential Standard CPS234 – Information Security sets out APRA’s requirements on information security management for regulated institutions.
The Prudential Standard CPG 235 - Managing Data Risk Security sets out APRA’s requirements on Managing Data Risk Security for regulated institutions.

23 February 2021: Alibaba Cloud, the digital technology and intelligence backbone of Alibaba Group, has demonstrated the company’s ability to meet the requirements which are established by Australian Prudential Regulation Authority (APRA).

Is cloud permitted?
Yes. 
 
Is there any additional approval needed?
No, however, regulated entities and FIs must notify and consult APRA before outsourcing material business activities outside of Australia.

Is offshore outsourcing arrangement allowed?
The followings are permitted:
1)Consent from data subjects.
2)The regulated entities and FIs have reason to believe that the CSP is subjected to law or contracts that protect the personal information in a similar way in Australia.
3)The CSP agrees to the contractual terms that is in line with the Australia Privacy Principles.
4)The CSP is APEC CBPR and/or PRP certified.