In this edition of InfoRM:
Connected toys again causing privacy concerns
The US Federal Trade Commission (FTC) recently settled a case against electronic toy manufacturer VTech Electronics Limited (VTech) under the Children's Online Privacy Protection Act (COPPA).
The FTC accused VTech of collecting children's personal information (including text messages, audio messages and photos) without providing direct notice of such collection, and without obtaining parental consent. These actions were in breach of the COPPA, which requires parents to give permission for a company to collect internet data on children. VTech was also accused of inadequately anonymising data collected, after a hack of VTech in 2015 resulted in children's personal information (including email addresses, names and genders) being stolen. The settlement reached required VTech to pay a penalty of USD$650,000, implement a comprehensive data security programme subject to independent audits for 20 years, and produce reports to show VTech's compliance with the COPPA.
Unlike the US, New Zealand does not have child-specific privacy legislation. However, the Office of the Privacy Commissioner has recently reiterated the need for Privacy Act reform, and several of its suggestions would be directly relevant if this situation arose in New Zealand, including:
- introducing civil penalties for serious breaches of privacy (up to $100,000 in the case of individuals and up to $1m in the case of companies);
- introducing a new privacy principle to limit the re-identification of previously de-identified or anonymised personal information; and
- adding a provision to clarify the obligations on agencies that anonymise data containing personal information.
The "right to be forgotten" arises in England
For the first time, English courts will get a chance to opine on the "right to be forgotten", as two men have brought separate cases against Google Inc, seeking orders that Google remove links to information about their previous convictions from its search engines. Both men have historical convictions covered by England's clean slate legislation, meaning their convictions only need to be disclosed in limited circumstances. However, both men have experienced hardship due to their convictions remaining accessible on the internet.
As mentioned in a previous edition of InfoRM, the European Court of Justice decided almost four years ago that anyone with connections to Europe could ask search engines to remove links about themselves from online searches if the links appear to be inaccurate, irrelevant or no longer relevant. This "right to be forgotten" was developed further, when France's highest administrative court held these links must be removed not only from European domains, but global domains as well.
The closest New Zealand has come to a "right to be forgotten" case was Tucker v News Media Ownership Limited, where a man who crowdfunded for a heart operation was found to have previous convictions for child sex offences. In that case, the court held that privacy could "grow back" over what was previously publicly available information.
In New Zealand, the closest analogous power to the "right to be forgotten" is bringing a claim against the publisher of a harmful digital communication under the Harmful Digital Communications Act 2015. However, establishing the requisite level of harm is a high threshold. The historical connection between our legal system and the United Kingdom's means an actual "right to be forgotten" case will be of great interest to New Zealand.
Law Commission review of the Search and Surveillance Act – what does this mean for privacy?
The Law Commission has recently released its review of the Search and Surveillance Act 2012 (Act), which has some interesting implications for privacy and the Privacy Act, including:
- Cost contribution for assisting law enforcement: the Commission recommends the Ministry of Justice should evaluate the options for establishing a cost contribution scheme in respect of requests for service providers to voluntarily supply customer records. Service providers currently bear the costs associated with assisting law enforcement agencies and the concern is that these should not be (or be seen to be) passed on to customers, but rather shared between service providers and law enforcement agencies.
- Preservation of data: the Commission recommends introducing a preservation regime for data, complying with the Council of Europe Convention on Cybercrime. It would introduce the ability for the Commissioner of Police to issue a preservation notice, requiring the recipient to preserve specified data on a confidential basis for no more than 20 days.
- Notification of production order being an offence: the Commission recommends requiring those who receive production orders not to disclose the existence of that order to any targets of the order until after any period of deferred notification specified in the order has expired. Notification in these circumstances would amount to non-compliance with the production order, an offence under the Act and punishable with a fine of up to $40k for a body corporate.
- Intercepting non-audio communication: the Commission recommends s 47(1)(b) be amended to provide that a warrant is not required for an enforcement officer to intercept messages between two or more persons when one person consents to the interception. This amendment will allow Police to obtain evidence by intercepting messages (such as text messages and emails) in situations where persons are receiving threatening messages.
- "Principles" provision and production orders: the Commission recommends the introduction of a "principles" provision to the Act, including some with a privacy focus, to assist those seeking production orders and to help those being asked to comply.
Some comments on information provided by the Police from Mullane v Attorney-General
The Human Rights Review Tribunal has recently made some interesting observations about information provided by Police to the NZ Transport Agency (NZTA) as part of NZTA's taxi driver vetting service.
In this case, Mr Mullane consented to NZTA obtaining information from Police when he was reapplying for a taxi licence. The licence was not renewed by NZTA based on some of the information provided by Police. Subsequently, Mr Mullane challenged NZTA's decision and it renewed his licence. By then, however, Mr Mullane had been unable to operate his business for a month, leading to the repossession of his taxi and the closure of his business. Mr Mullane argued that Police should have investigated and verified the information, and that he should have had an opportunity to comment on the information, before it was passed on to NZTA.
In holding there was no privacy breach, the Tribunal considered:
- it would not be in the public interest for the Police to be restricted to only passing on information that has been investigated and verified as correct, given the vast volume of information received by the Police every day;
- the Privacy Act does not prevent any agency (particularly the Police) from using any information acquired without further investigation even if it is subjective, unverified or opinion, provided that the information is an accurate reporting of such subjective, unverified or opinion intelligence received; and
- the Police are under no obligation to provide an opportunity for individuals to comment before potentially prejudicial information is used – privacy principles are distinct from natural justice rights and cannot and should not be used as a backdoor for review of administrative action.