The New Zealand Privacy Act is over 23 years old. A replacement Act was recommended by the Law Commission in 2011, but more than five years on we are still waiting.
While we wait for a new legislation, advancements in the promotion of privacy have been achieved through interim amendments to the New Zealand Privacy Act, other legislation and initiatives, and a Privacy Commissioner who is taking a stronger line with enforcement and compliance.
Brief overview of the New Zealand Privacy Act
The current New Zealand Privacy Act is based on the 1980 version of the OECD Guidelines Governing the Protection of Privacy and the Transborder Flows of Personal Data. We have 12 information privacy principles which deal with the collection, storage and security, access and correction, accuracy, retention, use and disclosure of personal information.
New Zealand was granted EU adequacy status under the EU Data Protection Directive by the European Commission in December 2012. This status allows companies in Europe to transfer data to New Zealand for processing without the need for any additional actions being taken from a privacy perspective. EU adequacy rulings under the EU Data Protection Directive are expected to continue under the new General Data Protection Regulation (GDPR) until revoked or replaced by the European Commission.
New challenges for digital trust
Since the New Zealdand Privacy Act was enacted, the nature and types of personal information available has changed dramatically. Personal information now includes not only names, addresses, age, and other obvious identifiers, but also potentially metadata, location data, and biometric data.
New technology also means new digital trust issues. Take for example drones. In 2016, Domino’s Pizza started trialling aerial pizza deliveries in New Zealand. Obviously, delivery by drone is not a new concept, but in the New Zealand context, it’s still relatively untested from a privacy perspective.
There has only been one official privacy complaint involving drones in New Zealand so far. It involved a drone used by Sky Television to record a sporting event at an outdoor stadium. The complainant was in his apartment, which was very close to the stadium, at the time that the drone was flying by. His complaint was essentially that he had not consented to being filmed.
On investigation by the Privacy Commissioner, Sky’s response was that its drones weren’t constantly recording – the drones only started to record on a particular instruction being given. On this basis, the Privacy Commissioner’s opinion was that the complainant’s rights were not violated under the New Zealand Privacy Act because the drone wasn’t collecting any personal information as it flew by the complainant’s apartment.
The double edged sword of technology
While advances in technology create exciting opportunities and benefits from a business and personal perspective, these advances can also raise some challenging issues on what should be lawful from a privacy perspective.
A relatively recent case illustrates how easily and quickly it can be for activities to be captured and shared via the internet . The incident involved a couple of work colleagues who were photographed and filmed having sex in a central city office late on a Friday night. It was dark outside, but the office was very well lit and it was facing the street so they were clearly visible to patrons at a bar directly opposite the office. The significant others of the couple involved apparently found out about the incident through photos and video footage posted on social media by bar patrons. The incident raises some interesting questions about peoples’ expectations of privacy – are the standards changing given the number of people who carry smart devices, and that activities in public view can be easily recorded and posted by strangers? It also raises some moral questions for spectators – just because you can does not mean you should.
A second example concerns driverless cars. Tests and trials of driverless cars are being conducted by many companies in a number of places around the world. Tests have been conducted on public roads in New Zealand, and they are being trialled as shuttle buses within the boundaries of Christchurch airport. Driverless cars are necessarily fitted with numerous cameras and sensors in order to have situational awareness. This means that there’s an ability to collect masses of data about owners of the vehicles, and also passengers and possibly even people who are in the vicinity of the vehicle.
There’s the risk of data being collected and perhaps used for unintended purposes and potentially even surveillance. Driverless cars also raise an interesting question about consent. While you can get the consent of the owner of the vehicle when they purchase a car, that consent will not necessarily apply to other passengers in the vehicle.
A third example involves automated homes and virtual assistants. Virtual assistants such as Apple’s Siri, Google Now and Microsoft’s Cortana have been available for a number of years now, and more recently there has been the introduction of automated in home assistants such as Amazon Echo and Google Home. It is expected that very soon these devices will be sophisticated enough to be able to make or change appointments and bookings without any human intervention. These devices operate on the basis that they’re always on and they’re able to pick up commands and potentially conversations of anyone within range. That data can be transmitted between machines without users even being aware or consenting.
The ability to gather large data sets from a wide range of sources give rise to potential challenges with the complexity that can arise through the use of the data collected with other shared data sets. We’ve all heard about the prospect of data from connected cars being potentially having an impact on how insurance claims are handled. We also have heard talk about how data from wearable devices might influence health insurance premiums. This can raise issues such as how reliable the data is and, as the power of analytics grows, can data really be, or remain, anonymised? Then there is the challenge of ensuring appropriate consent is obtained. As potential uses and sharing of data becomes more complex, it can become difficult to clearly explain to individuals all of the potential uses and disclosures of their personal information.
Responses to the challenges
We have had a few legislative responses to address some of these challenges. For example:
Amendments to the New Zealand Privacy Act, including:
An amendment dealing with cross border transfers, allowing the privacy commissioner to prohibit the transfer of personal information out of New Zealand in the circumstance where that information has been received into New Zealand from another jurisdiction and is being transferred to a third jurisdiction which doesn’t have the same level of protection as the New Zealand Privacy Act, or the transfer is intended to circumvent the privacy laws in the originating country.
Provision for approved information sharing agreements between public sector agencies intended to enable government agencies to provide more efficient and effective public services.
The passing of the Harmful Digital Communications Act in 2015. Its purpose is to provide victims of cyber bullying and digital harassment a quick and efficient means of redress with both civil and criminal remedies.
The Search and Surveillance Act is under review. This Act allows government agencies to search people or property in order to investigate or prosecute crime is currently under review. The review will consider how technology, and how people use it, has changed. It has been acknowledged that it is important to also take into account the potential implications for people’s privacy.
Other responses have included the Government’s appointment of a Government Chief Privacy Officer. This is a relatively new role that was established after a number of significant private sector data breaches in 2012. In addition, the current Privacy Commissioner (in office since 2014) has been very proactive and vocal about promoting privacy and encouraging compliance. One of his initiatives has been to introduce a “name and shame” policy to publicly name organisations found to have breached the New Zealand Privacy Act.
Future of the New Zealand Privacy Act
Under the current New Zealand Privacy Act, the financial sanctions for a breach are not significant, but avoiding reputational damage is a strong driver for compliance.
New privacy legislation was flagged in 2014. The draft legislation has yet to be released, but the Government has indicated some of the key reforms that can be expected. These include mandatory reporting of data breaches to the Privacy Commissioner and/or the affected individuals.
Other reforms include:
Clarification of responsibilities for transfers in connection with cross border outsourcing and requiring that offshore transfers only go to countries with acceptable privacy standards.
Greater powers for the Privacy Commissioner including greater powers for investigations and the ability to issue compliance notices.
New offences. One is misleading an agency in relation to a privacy request, including impersonating a data subject to get information about that data subject or misleading about having authorization to get a data subject’s information. The other is to destroy any documentation that might include personal information that has been the subject of a data request.
Although we’ve becoming increasingly reliant and dependent on technology and online services, at least in New Zealand, there is still some degree of reticence and concern about how much personal information is shared and how it will be used, and of course security. Transparency of use, and accountability for protecting personal information are key to building and maintaining the consumer trust that is critical to being able to take advantage of the continuing advances in technology. Reforms to our law that are coming will help clarify and provide incentives to comply with good privacy practices.