In this edition of InfoRM:
Privacy – the year in review
There have been some important developments in the world of privacy this year. In previous publications we reported on the implementation of the General Data Protection Regulation (GDPR) in Europe and new case law regarding the right to be forgotten in the UK. Meanwhile, the Privacy Bill was introduced in New Zealand. A few updates on these developments are as follows:
Privacy Bill
On 20 March, the Government introduced a new Privacy Bill into the House of Representatives, intended to repeal and replace the existing Privacy Act 1993. The Privacy Commissioner made a submission on the Bill in June, recommending further amendments to the Bill to provide privacy regulation in line with international best practice.
Notably, the Commissioner recommended that the Bill should strengthen protections for individuals where their information is used for statistical and research purposes, and should enhance individuals' rights to transfer, correct, and erase their personal information.
The submission also included three recommendations to strengthen the framework in the Bill:
- To allow the Commissioner to apply to the courts for civil penalties in the case of serious privacy breaches;
- To enhance accountability by requiring agencies to report on steps taken to ensure compliance with privacy obligations, on request; and
- To implement a Law Commission recommendation to remove the role of the Director of Human Rights Proceedings in privacy cases.
We note that the Commissioner referred to regimes in the US and Australia as models for some of the changes needed. The submission also includes proposed changes to reflect provisions in the GDPR, and rights that are comparable with GDPR standards.
GDPR
On 25 May, the European Union's new General Data Protection Regulation came into force. Six months in, the GDPR does seem to be raising awareness in Europe around privacy concerns. The Information Commissioner's Office in the UK has reported that complaints have more than doubled since May, and data breach reports have also increased, with the majority of incidents being attributed to human error.
Please see our article below regarding some recent data breaches and the importance of maintaining public trust in the current environment.
Right to be forgotten … everywhere?
We reported earlier this year on the first case heard in the English courts on the subject of the right to be forgotten, which was established by a ruling of the European Court of Justice (ECJ) in 2014.
In September, the ECJ heard a case regarding this ruling between Google and the data regulator in France (CNIL). Under the current ruling, search engines such as Google may be compelled to remove inadequate, irrelevant, or excessive data about individuals by delisting websites from their search results on EU internet domains. CNIL argued that a court or regulator should be able to require a search engine to delist the website globally, on all domains, rather than geo-limiting the de-listing. This is in order to address the issue that inaccurate data could still be visible to those outside the relevant country, or anyone using a fake IP address.
Google has argued that this application of the right to be forgotten could have the potential to threaten global free speech, for example if it sets a precedent for authoritarian regimes to suppress access to information. This position is also supported by some human rights organisations who have emphasised that the right to privacy and the right to freedom of expression must be balanced when deciding whether to delist a website. Judgment is expected to be reserved until next year.
Data breaches and maintaining public trust
The occurrence of a number of high profile data breaches recently has highlighted the need for businesses to remain vigilant about how they protect customer data.
Numerous significant data breaches made the news this year, including from global technology companies, major airlines and a global hotel chain, some affecting millions (and in at least one case, hundreds of millions) of customers. European regulators have issued substantial fines in relation to some of these breaches, and with the increased powers under the GDPR, that trend is sure to continue
In this context, it is perhaps unsurprising that more than half of all New Zealanders are more concerned with their individual privacy now than they were in the last few years, as a public survey commissioned by the Privacy Commissioner has shown. In addition, 67% are concerned about their individual privacy, a rise of two percent since 2016, and there has been a significant drop in the percentage of people who say they trust the government and companies with their personal information.
Businesses may well question how to maintain the public's trust in their products in this environment. We note that the Commissioner has recently launched a Privacy Trust Mark as one way of raising awareness around privacy requirements. The Trust Mark is awarded at the discretion of the Commissioner to an outstanding product, service, or process, and has so far been awarded to two organisations. Similar programmes exist in Japan and the USA, and such incentives for organisations to engage in best practice around privacy may gain in popularity in the future.
Copied data is "seized property" for the purposes of criminal investigations
R (on the application of Business Energy Solutions Ltd and Others) v Crown Court at Preston (Cheshire West and Chester Trading Standards, Interested Party)
A recent ruling by the High Court in the UK provides a useful discussion on whether copied data amounts to "seized property" in criminal investigations by the police and other government authorities.
The Cheshire West and Chester Trading Standards Authority (TSA) obtained warrants to search and seize material from the claimants, Business Energy Ltd, for a possible criminal fraud investigation. The seized items included laptops, servers, USB sticks and mobile phones. The contents of these seized devices were imaged, copied and backed up, and included over 200 million documents and 770,000 audio recordings. The claimants applied to the defendant Crown Court for return of seized property which fell outside the ambit of the warrant (including physical property, hard copy documents, and the copies stored on TSA's servers). The Crown Court refused to make any direction regarding the copied data so the claimants sought judicial review of the judge's decision.
The High Court concluded that data copied onto computer devices did amount to "seized property", which in principle is capable of being returned. The Court stressed that the act of copying data creates new "property" that has been seized from the original owner, and which can only be returned by providing the original seized device back to the owner and destroying any information copied from that device.
However, the application for judicial review ultimately failed. The High Court held that its conclusion did not mean that a court must always order return or destruction of such data, and the Crown Court judge had not erred in his analysis that it was not reasonably practicable to do so given the sheer amount of data in this case.
The case raises interesting parallels with the 2016 New Zealand Supreme Court judgment of Dixon v R, where the Court found that data and digital files could constitute property under s 249 of the Crimes Act 1961. That case concerned the copying of CCTV footage of a well-known sportsperson in a Queenstown bar by an employee who then sought to sell that footage to the media. The Supreme Court found that the digital CCTV files were more than simply information. They could be identified, had value and could be transferred to others, so constituted property under the Crimes Act.
It is likely that cases of this nature will continue to arise in the courts, given the widespread use of computer systems to store valuable and sensitive information and the increasing focus on rights that different parties have over this information. Given that both New Zealand and UK courts have been willing to define data and digital information as "property", the extent to which this concept can protect privacy rights is a compelling issue for the near future.