News, insights and resources for data protection, privacy and cyber security leaders

New Zealand Privacy Act and Digital Trust in the 21st Century

The New Zealand Privacy Act is over 23 years old. A replacement Act was recommended by the Law Commission in 2011, but more than five years on we are still waiting.

While we wait for a new legislation, advancements in the promotion of privacy have been achieved through interim amendments to the New Zealand Privacy Act, other legislation and initiatives, and a Privacy Commissioner who is taking a stronger line with enforcement and compliance.

 

Brief overview of the New Zealand Privacy Act

The current New Zealand Privacy Act is based on the 1980 version of the OECD Guidelines Governing the Protection of Privacy and the Transborder Flows of Personal Data. We have 12 information privacy principles which deal with the collection, storage and security, access and correction, accuracy, retention, use and disclosure of personal information.

New Zealand was granted EU adequacy status under the EU Data Protection Directive by the European Commission in December 2012. This status allows companies in Europe to transfer data to New Zealand for processing without the need for any additional actions being taken from a privacy perspective. EU adequacy rulings under the EU Data Protection Directive are expected to continue under the new General Data Protection Regulation (GDPR) until revoked or replaced by the European Commission.

 

New challenges for digital trust

Since the New Zealdand Privacy Act was enacted, the nature and types of personal information available has changed dramatically. Personal information now includes not only names, addresses, age, and other obvious identifiers, but also potentially metadata, location data, and biometric data.

New technology also means new digital trust issues. Take for example drones. In 2016, Domino’s Pizza started trialling aerial pizza deliveries in New Zealand. Obviously, delivery by drone is not a new concept, but in the New Zealand context, it’s still relatively untested from a privacy perspective.

There has only been one official privacy complaint involving drones in New Zealand so far. It involved a drone used by Sky Television to record a sporting event at an outdoor stadium. The complainant was in his apartment, which was very close to the stadium, at the time that the drone was flying by. His complaint was essentially that he had not consented to being filmed.

On investigation by the Privacy Commissioner, Sky’s response was that its drones weren’t constantly recording – the drones only started to record on a particular instruction being given. On this basis, the Privacy Commissioner’s opinion was that the complainant’s rights were not violated under the New Zealand Privacy Act because the drone wasn’t collecting any personal information as it flew by the complainant’s apartment.

 

The double edged sword of technology

While advances in technology create exciting opportunities and benefits from a business and personal perspective, these advances can also raise some challenging issues on what should be lawful from a privacy perspective.

A relatively recent case illustrates how easily and quickly it can be for activities to be captured and shared via the internet . The incident involved a couple of work colleagues who were photographed and filmed having sex in a central city office late on a Friday night. It was dark outside, but the office was very well lit and it was facing the street so they were clearly visible to patrons at a bar directly opposite the office. The significant others of the couple involved apparently found out about the incident through photos and video footage posted on social media by bar patrons. The incident raises some interesting questions about peoples’ expectations of privacy – are the standards changing given the number of people who carry smart devices, and that activities in public view can be easily recorded and posted by strangers? It also raises some moral questions for spectators – just because you can does not mean you should.

A second example concerns driverless cars. Tests and trials of driverless cars are being conducted by many companies in a number of places around the world. Tests have been conducted on public roads in New Zealand, and they are being trialled as shuttle buses within the boundaries of Christchurch airport. Driverless cars are necessarily fitted with numerous cameras and sensors in order to have situational awareness. This means that there’s an ability to collect masses of data about owners of the vehicles, and also passengers and possibly even people who are in the vicinity of the vehicle.

There’s the risk of data being collected and perhaps used for unintended purposes and potentially even surveillance. Driverless cars also raise an interesting question about consent. While you can get the consent of the owner of the vehicle when they purchase a car, that consent will not necessarily apply to other passengers in the vehicle.

Karen Ngan

Partner at Simpson Grierson
Karen is a partner in Simpson Grierson's commercial group. She co–heads the firm's information and communications technology (ICT) group and the firm's data protection and privacy group. Karen is one of Simpson Grierson's key data protection and privacy lawyers. She provides expert guidance to local and multi-national clients on a wide spectrum of privacy issues, including practices relating to the collection and use of personal information, database and information management, outsourcing arrangements (often involving data transfers offshore), and the sharing and monetisation of personal information through online services and emerging technologies.

Latest posts by Karen Ngan

    Leave A Reply

    Your email address will not be published.

    Subscribe and Get 50% Off 6-Hour Workshop Video

    PIAs and the ISACA Privacy Principles: Effective Tools to Identify and Mitigate Security and Privacy Risks

    Thanks for subscribing!

    Pin It on Pinterest

    Share This