Publications

InfoRM Privacy Law Update – March 2015

Home Insights InfoRM Privacy Law Update – March 2015

In this edition of InfoRM:

Drones: a new era for privacy law?

It has become a trend to forecast the chilling ways in which new technologies might pry into private lives. One of those new technologies is drones. 

The drone – or “UAV” (unmanned aerial vehicle) is an increasing feature of many nations’ backyards and many are equipped, or can be readily equipped, with cameras. Aviation safety concerns are well rehearsed and many imagine consumers turning their toys on sunbathing neighbours. However, legitimate commercial uses also give rise to privacy concerns. Potential applications include remote sensing of farms and infrastructure, communications, search and rescue, surveillance, transport, and broadcasting. Amazon.com has hinted it might develop drones for delivery purposes, and other businesses are expected to join it in such innovative ventures sooner or later. 

Is New Zealand ready for the ‘attack of the drones’?

Take one possible situation: a courier company uses a fleet of drones to deliver domestic packages. Drones fitted with operational cameras will “collect” information about the private property of individuals. Aside from the news media, every business that collects, holds or uses information about individuals is an “agency” under the Privacy Act 1993. Therefore, if a courier company is operating drones which gather information about an identifiable individual, the Privacy Act will apply and the Privacy Commissioner’s CCTV guidelines should be kept in mind. Under the Privacy Act’s information privacy principles (IPPs), when operating a drone, a business should:

  • make sure people know it is collecting information and how it intends to use it;
  • keep the information safe and limited to authorised access;
  • dispose of the information once it has served its purpose; and
  • observe the right of access to the information by the individuals concerned.

Those guidelines may be difficult to apply to cameras on drones, and, while further guidance can be expected in future, organisations wishing to use drones should carefully consider what information is gathered and how it is dealt with. (The consequences of failing to comply were covered in this issue of InfoRM).

Individuals misusing drone technology already face an array of legal responses. Applicable criminal provisions include Part 9A of the Crimes Act 1961, which prohibits using a device to intercept private communications, as well as the making, possession and distribution of intimate visual recordings. The Summary Offences Act 1981 also prohibits peeping or peering into a dwellinghouse. In other cases, New Zealand’s tort of intrusion on seclusion may also offer a remedy to those whose privacy is breached. This privacy tort, developed in C v Holland [2012] NZHC 2155, requires an intentional and unauthorised intrusion into seclusion (that is, intimate personal activity, space or affairs), involving an infringement of a reasonable expectation of privacy which is highly offensive to a reasonable person. Inappropriate use of drones could well fall within that test. 

The Civil Aviation Act 1990 bars actions in trespass or nuisance so long as the aircraft complies with that Act and any rules under it, and is at a reasonable height, taking into account wind, weather and all other circumstances. However, such actions may be taken in other cases, which may provide an indirect means of limiting access and thus restricting privacy violations. 

Following the Civil Aviation Authority’s public consultation, the Ministry of Transport is now working on new rules for drones, which could be in place by the end of the year. The safety (as opposed to privacy implications) of drone use appears to be prevalent in current discussions in New Zealand, so that full analysis of the privacy implications of the commercial use of drones will probably not be undertaken until after updates have been made to aviation regulations.

New Zealand’s privacy law is a vehicle for change well poised to embrace new technology. All in all, drones appear to be grist for the mill.

New Zealand developments

Review of major privacy breaches of the past year

In 2014, a number of privacy breaches and issues came to the fore. The most recent high-profile privacy case was the Human Rights Review Tribunal’s decision in Hammond v NZCU Baywide: an InfoRM overview of this decision can be found here. Other major privacy cases are discussed below.

Dashcams

The Privacy Commissioner has stated that drivers can share dashboard camera footage with the public and not breach privacy law as long as the videos do not identify people. This statement came after a member of the public, Mr Ellis, uploaded onto the internet footage from a ‘dashcam’ installed in his car which he claimed showed a Park’ n Fly driver at Auckland Airport taking his car on a wild ride. The video was viewed more than 80,000 times in two days. The availability of the video was restricted after Park ’n Fly director Mohammed Amil notified Mr Ellis that he was considering his legal options.

The Privacy Commissioner said the driver in the viral video could complain if he felt aggrieved. However the Privacy Act 1993 would not apply, as the footage did not feature images identifying the driver.The spokesperson noted that a general member of the public would not be able to identify the driver, although the employer might be able to. However, that would be an employment, rather than a privacy, issue.

The Privacy Commissioner’s comments on dashcams can be found here.

CCTV footage

The Privacy Commissioner has questioned councils on how they collect and store CCTV footage, following news that six cameras in Lower Hutt used to record activity in public places could also be swivelled to look into private homes. There has been an increase in use of CCTV cameras, including council owned cameras in business districts. The Privacy Commissioner has sought to emphasize the responsibilities of CCTV camera operators under the Privacy Act 1993.

The Privacy Commissioner has issued guidelines on the use of CCTV cameras, which can be found here.

The use of CCTV cameras was also the central issue in the recent Human Rights Review Tribunal case of Armfield v Naughton [2014] NZHRRT 48 (which was covered in this issue of InfoRM). Comment from the Privacy Commissioner on Armfield v Naughton can be found here.

DHB breaches

From April 2013 through December 2014, there were seven privacy breaches at Nelson Marlborough District Health Board, according to response under the Official Information Act 1982 prepared for Fairfax Media. Three cases concerned patient discharge summaries that were sent to the wrong places, including to the wrong GP, the wrong healthcare facility, and wrong patient.

The DHB said that all reported privacy breaches were investigated by the DHB privacy officer. A report published by the Privacy Commissioner in September 2014 found that the increase in the electronic sharing of health information nationally had increased the chances of widespread and accidental disclosures. Comment from the Privacy Commissioner on privacy in electronic health records here.

Showercams

The use of security cameras in prison showers and toilets is under the spotlight in the latest examination of conditions in New Zealand jails. The 2014 Annual Report into places of detention published under the United Nations’ Optional Protocol to the Convention against Torture (OPCAT) has criticised the Department of Corrections for breaching prisoners’ privacy, due to the ability of guards in certain prisons to observe prisoners showering and using the toilet.

Inmates in separate cells, and in the at-risk unit at Auckland Women’s Prison are monitored on camera in the shower and toilet, by both male and female guards. In addition, fellow prisoners have the ability to view female inmates in separate cells showering or using the toilet by standing in a corridor or cell opposite the facilities.

In Northland Prison, male inmates in separate cells must shower in an external yard under camera surveillance. The OPCAT report stated that the ability to view prisoners in the shower was “significantly degrading treatment or punishment”. The Department of Corrections maintains that privacy screens cannot be used in cells for at-risk prisoners because of the overriding need for staff to safeguard prisoner well-being, but have conceded that Northland Prison must undertake significant upgrading, including the building of a new shower block.


Case note of interest

Complainant’s identity disclosed to employer

The Privacy Commissioner has found that a government agency was in breach of Information Privacy Principle 11 (limits on disclosure) when it disclosed a complainant’s identity to the complainant’s employer. Although the agency was brought in to inspect the complainant’s workplace with the request that her name remain confidential, her name was revealed to the employer during the inspection. The matter raised an issue under IPP 11, which prohibits an agency holding personal information from disclosing that information, unless it has reasonable grounds to believe that one of the exceptions set out applies (eg, authorised by the individual, or sufficiently connected with the purpose for which it was obtained). The agency acknowledged that it had breached the principle, formally apologised to the complainant and noted steps the agency had taken to ensure a similar situation did not occur again. The Commissioner emphasised that (in certain circumstances) it is important that people can remain anonymous when they make a complaint. A copy of the case note can be found here.

Breach of Telecommunications Information Privacy Code 2003

In this case the Privacy Commission found that a telecommunications company was in breach of rule 8 of the Telecommunications Information Privacy Code 2003 (TIPC) in its procedure of checking the legitimacy of information before use. The TIPC takes precedence over the Information Privacy Principles in the Privacy Act 1993. Under rule 8, agencies must take reasonable steps to test the accuracy of the information they hold before using that information. The complainant, after discovering that someone had opened a mobile telephone account using her name and date of birth, was unsatisfied with the telecommunication company’s explanation as to the process it used to confirm the identity of the person who opened an account. The Privacy Commissioner concluded that, whilst it agreed the company’s process was reasonable in testing that the information was accurate (that is, gathering, checking and making further inquiries to conduct credit checks), the company had not taken reasonable steps to ensure the information was being provided by the person to whom it was related. As a result, the company paid the complainant’s legal fees and made a further payment for stress and inconvenience. A copy of the full case can be found here.

Smart meters

Following several complaints of privacy breaches by power companies, the Privacy Commissioner issued a case note on the subject on 11 February 2015. Smart meters are used by power companies to take real-time electricity readings, so that manual readings are no longer required. The Commissioner concluded that data from smart meters is ‘personal information’ under the Privacy Act 1993 when it becomes associated with an account holder. Utility companies had to ensure all information gathered was used only for the purpose for which it was collected, as outlined in the company’s privacy policy. Additionally, information had to be carefully stored and handled, and should only be accessible by staff who have a ‘need to know’, with rigorous security procedures in place to protect the information. The Privacy Commissioner did not uphold any complaints as he found none had established the companies had breached the Act, but confirmed the Office will be keeping a watching brief on the development of smart meters. The Commissioner’s case note can be found here.

Supreme Court rules police raids on Dotcom’s house legal

The Supreme Court has upheld the Court of Appeal’s decision that police search warrants used to search Kim Dotcom’s house in January 2012 were legal. The Supreme Court handed down its decision in late December 2014, holding the warrants were not unreasonably vague and general. While they could have been drafted more precisely, they were legal, and so the search (resulting in the seizure of 135 electronic items from Mr Dotcom’s house) was legal. A necessary corollary of this decision is that Mr Dotcom’s privacy had to give way.  The Supreme Court has thereby confirmed that, where the state exercises its intrusive powers properly, privacy concerns do not to limit that lawful exercise of state power. The Supreme Court’s decision can be found here.


Privacy issues in the Trade in Services Agreement

Leaked draft articles of the Trade in Services Agreement (TISA) suggest a potentially far-reaching change to how New Zealand regulates its data flows. TISA is a 23-member international agreement, building on the 1995 General Agreement on Trade in Services (GATS). Although negotiations still continue, if implemented, TISA would facilitate a significant liberalisation of services across borders.

One key issue identified in the draft articles is the limitation on the ability of states to regulate the use, transfer and retention of data in their territories. In particular, states cannot prevent a service supplier from transferring, accessing, processing or storing information (including personal information) within or outside its territory in relation to the service supplier’s business (Article X.4), nor require it to have a commercial presence (Art X.1). Other requirements restrict the state’s ability to regulate technology or electronic content.

What does this mean for New Zealand businesses, individuals and professionals that work with data? Recently introduced provisions of the Privacy Act 1993, which allow the Privacy Commissioner to prohibit the transfer of personal information to states without comparable data protections, would be ineffective in relation to those states. While encouraging increased data-sharing, the New Zealand Data Future’s Forum in its recent report has noted that such sharing depends on continued trust in high standards of data protection; a key question is therefore whether other states (and multi-nationals) will follow New Zealand’s lead with adequate regulation (for example, on the basis of OECD or EU standards), or pare back such protections.

A corresponding issue is the enforcement of legal rights. TISA’s focus on increased data-sharing (without explicitly requiring states to have remedies for data breaches) can impede the enforcement of privacy rights, already a difficult matter when different jurisdictions are involved. 

TISA also highlights that increased data sharing can put businesses in the middle of awkward jurisdictional disputes, and render potentially sensitive data subject to disclosure in unanticipated ways. For example, a New York Judge recently ordered Microsoft to provide information held on a server in Dublin to US authorities under a US search warrant, despite the traditional view that extra-territorial searches require the cooperation of foreign governments (please see our summary of this decision in a previous issue of InfoRM, here).

More generally, TISA signifies an on-going and controversial debate regarding the extent to which sovereign power to regulate in the public interest should be foregone for the economic benefits of increased liberalisation. As a minor international participant, the New Zealand Government’s bargaining power is minimal and unlikely to affect the shape of the final document significantly; but nor will it want to miss out on the assumed benefits of TISA. The question remains whether these economic benefits will outweigh significant concerns around weakening privacy laws.


Who is taking your personal information for a ride?

New technology often finds itself a square peg in the round hole provided by old law. The issue has been experienced recently in New Zealand by Uber (the ‘private driver’ app taking the taxi industry by storm), when its drivers were pulled over by Police, their passengers removed, and an infringement notice issued for not using a taxi meter, even though the Uber phone app performs that function.

The charm of the app is that it knows exactly where you are, directs a driver to you accordingly, tracks the trip and bills your automatically. However, this charm begins to wear thin when the information produced by the app is used for other ends. For example, a journalist who recently interviewed Uber’s CEO was greeted by him on the sidewalk upon arrival: he had been “tracking” her. The potential for more sinister use is obvious. For a recent blog post, Uber collated data on users who had been dropped off late at night and picked up early the following morning from the same address to compile a map of “one night stand hotspots”. This has raised significant questions about the ability of firms to use their customers’ personal data, and the capacity of privacy law to respond effectively. 

Privacy decisions made by businesses will have both economic and compliance costs. Even where regulators cannot reach businesses whose conduct raises privacy concerns, the perception that personal data has been or could be misused may have serious market consequences, and businesses should be mindful of whether the data they are using data for legitimate purposes.

Overseas developments

International open letter to app operators

In December 2014 New Zealand’s Privacy Commissioner joined 23 other global privacy authorities in signing an Open Letter to the operators of seven mobile app marketplaces (available here), calling for new requirements for apps collecting personal information to state their privacy policies clearly before they are downloaded by consumers.

The Letter arose out of the findings of the second annual Global Privacy Enforcement Network (GPEN) Privacy Sweep, which investigated the privacy permissions sought by 1,200 of the most popular apps in the world, and the extent to which consumers were aware of the privacy policies of those apps. The Sweep found that almost a third of all mobile apps surveyed appeared to request access to information that beyond that necessary for them to function.

The Sweep also observed that:

  • 75% of apps requested one or more permissions (such as location permissions and access to contacts and the camera);
  • 59% of apps offered limited, difficult to find, or even no pre-installation privacy information; and
  • 15% of apps provided clear explanations as to the use to which they would put the collected information.

The Letter urged operators of app marketplaces such as Apple, Google, and Amazon, to shoulder greater responsibility for the transparency and detail of privacy information that consumers can access pre-installation. It called for operators to mandate that privacy information be displayed on the app download page, along with information that is currently displayed (such as the app’s age rating, size and version).

The Letter provides a further example of the New Zealand Privacy Commissioner intended approach towards mobile apps. The Commissioner had previously issued a set of Guidelines for mobile app developers and businesses to facilitate compliance with the Privacy Act 1993 (accessible here). These Guidelines stress the fact that if apps seek to collect information from consumers, they must let the consumer know the reasons for that collection, and the use to which that information is intended to be put. Furthermore, the information collected must be no more extensive than is reasonably required for the purpose.

It remains to be seen what effect the Letter will have in the app marketplace, and how far it might change operators’ behaviour in the privacy context. 


US: consumers have right to sue Target over data breach

A United States Judge has dismissed an application by Target to strike out claims brought by a number of consumers against the mega-retailer, over its data breach in late 2013, which compromised consumers’ credit card details. This breach may have resulted in the theft of the personal information of up to 110 million people. 

Federal District Court Judge Paul Magnuson rejected Target’s argument that consumers lacked standing to sue, because of a lack of injury as a result of the breach, and that any injury caused as a result of fraudulent charges had been resolved by card issuers. His Honour instead found that it was plausible consumers suffered injuries from breaches of their right to privacy, and that these breaches were fairly traceable to Target’s conduct. Such injuries could include the imposition of unauthorised charges, lost account access, fees, and credit monitoring costs. The Judge added that Target’s arguments glossed over the actual allegations and sought to set too high a standard for consumers to meet to prove their injury.

Target also faces the prospect of having to reimburse banks, which spent a collective $400 million replacing cards of those people whose information was stolen during the data breach. The class action against Target is seen as a test case for other recent high-profile breaches, including at the Home Depot and Kmart. 

Judge Magnuson’s decision can be found here.


US: stronger data privacy laws on the horizon?

The White House is developing proposals to strengthen nationwide data privacy laws to regulate the way consumers’ data is collected, stored and commercially used. This follows the President specifically citing identity theft and other cyber-attacks as a direct threat to Americans’ economic security.

Congress is presently considering a bill to criminalise the selling of student data to third parties by educational software firms. The President has also called on Congress to pass further consumer privacy legislation, including:

  • requiring firms to inform customers of any data breach within 30 days;
  • a “Consumer Privacy Bill of Rights”, drafted by the White House in 2012, enabling consumers to determine how their information is used by firms online;
  • increasing access to consumer credit reporting; and
  • criminalising the sale by US firms of their customer identities to overseas parties.

These proposals come after a year of cyber-attacks on large US retailers, including Target, Home Depot, Staples and Sears, and after the most recent attack on Sony. White House officials are also alive to companies’ use of consumers’ personal data and characteristics, such as race, age, gender or religion, to determine how prices are set and charge different customers different prices online. For example, movie theatres have taken to reducing ticket prices for older adults, and airlines to giving frequent passengers special fares. An additional incentive for reform is the lack of alignment across the US legislative landscape, where different states have different disclosure regimes, many of which are more than 10 years old.

How the US shapes and updates its data privacy laws will undoubtedly have wider implications. For instance, global US-based corporations, such as Microsoft, Yahoo, Apple and Google – which will be subject to the stricter privacy laws proposed – will need to ensure they adhere to these policies and restrictions for their consumers beyond the US. 


This publication is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.

Talk to one of our experts:
Related Expertise