InfoRM Privacy Law Update – May 2014


New Zealand Developments

Privacy on the agenda

The tide appears to be turning in favour of recognising and protecting privacy. Privacy, once branded by media and many others as an unjustified threat to the free flow of information and an impediment to innovative online service delivery, is now being given prominence. Rising public concern has drawn business and legislative responses.

A recent survey has evidenced this increase in concern for privacy. The Privacy Commissioner's Individual Privacy and Personal Information survey recorded that nearly half of all New Zealanders have become more concerned about privacy issues since 2012. More specifically:

  • 83% were concerned about their credit card or banking details being stolen;
  • 81% were concerned about business-to-business information sharing without consent;
  • 67% were concerned about government agency-to-agency information sharing without consent; and
  • 52% regarded businesses selling over the internet as untrustworthy (37% considered them trustworthy).

The complete survey is available here.

Businesses have already been alerted to the need to adapt their practices to growing expectations of privacy.  The 2014 CFO Summit in Auckland saw software experts tell financial leaders that their marketing models needed to be modernised, and that the “stalker economy” of trawling through customers’ purchases was not the way forward. Information gathering had to be less intrusive, relying on voluntary information disclosure and encouraging talk-back. 

The Privacy Commissioner himself has addressed businesses to highlight the unprecedented public interest in and concern with privacy. He recently referenced highly-publicised breaches by public and private sector agencies alike, and set out the risks that lie for businesses: although the risk of formal litigation was low in the Privacy Act scheme, the enforcement risk was relatively high because a complainant need not show that the breach was deliberate or caused harm. The Commissioner also noted that he intends to put more emphasis on “naming and shaming”, thus increasing the reputational risk posed by poor privacy practices. He also reminded his business audience of his commitment to making privacy easy. This meant he would be willing to help businesses with compliance, to minimise costs. The Office of the Privacy Commissioner already offers basic assistance. The Commissioner’s address can be found here.

On the legislative front, the Commissioner has also welcomed the Harmful Digital Communications Bill (here), currently before the Select Committee, as providing individuals with greater recourse against intrusive and harmful online postings. In addition to criminalising online bullying, the Bill gives the Commissioner powers to investigate complaints, order compensation of up to $200,000 and assist in getting the offensive material taken down. This is a significant addition to the Commissioner’s armoury, but of course potentially raises acute freedom of expression concerns as the Bill itself recognises (clause 6(2) of the Bill).

The cumulative effect of these developments is that organisations, businesses and individuals cannot afford to take privacy lightly. Privacy concerns have led to the promotion of customer-centric business models, to the strengthening of powers to enforce rights and punish intrusions, and to the privacy watchdog intending to publicise breaches more widely. 

Working Group to advise Government on the future of information-sharing

The Government has established a working group to advise Ministers on how collection and sharing of business and personal information will affect public services in the future: the New Zealand Data Futures Forum.

The Forum is working with experts and institutions overseas, and with New Zealand public and private organisations, to develop ideas on how dealing with the information of others will affect core public services, from a legal and a practical point of view. The Forum is charged with helping to develop legal and technical frameworks that aim to account for public expectations and technological developments. It will be involved with supranational bodies considering similar issues.

The Government’s stated rationale reflects the reasoning of former Privacy Commissioner Marie Shroff, who emphasised the importance of international cooperation. She predicted that future institutional advances in managing the conflict between privacy and other interests, including security, would take place on an international level, amongst different states’ privacy watchdogs. 

New Zealand’s new data working group has a wide mandate and is expected to assist the Government in its international and inter-governmental efforts in dealing with information-sharing and surveillance challenges. It does not have a report-back deadline.

The Forum is sponsored jointly by Treasury and Statistics New Zealand, and is chaired by former Treasury Secretary and World Bank Director John Whitehead. The other eight members have a range of backgrounds, from the Ministry of Social Development, to private companies, to universities.

The Forum has released a discussion paper (here) and is currently running an online discussion (accessible here) to help it identify the risks and opportunities associated with online data.

TICSA Guidance to Network Operators

The National Cyber Security Centre (NCSC) has published the GCSB Director’s Guidance for Network Operators on the new Telecommunications (Interception Capability and Security) Act 2013 (TICSA).

The TICSA fully came into force on 11 May 2014.  Its central purpose is to strike a balance between state surveillance activities on the one hand, and network operators’ processes and provision of services to the public on the other.  It imposes certain duties on network operators, including to ensure networks have full interception capability, and to engage in good faith.  The TICSA can be accessed here.  

The Guidance has been issued to assist in applying the TICSA, and it focuses on network security, which includes the duty to engage in good faith.  The Guidance aims to throw light on the following areas:

  • who qualifies as a “network operator” under the TICSA, and the registration process;
  • notification requirements for network operators;
  • the network proposal process, and the GCSB’s consideration of proposals;
  • mitigating “network security risk”;
  • when cases might be referred to the Minister;
  • the role of security cleared personnel in network operators; and
  • the national security focus of the TICSA.

It can be accessed here.

The NCSC provides services to state agencies to assist them in defending themselves against cyber-borne threats. It is a key element of the Government’s Cyber Security Strategy.

Overseas developments

Search engine's practices to be tested before the Courts

The England and Wales High Court has held that a search engine’s use of individuals’ internet metadata is subject to privacy protections, and that individuals can bring privacy claims in England and Wales against providers based overseas. The case was procedural but has significant implications.

Three Apple Safari users lodged a claim for breach of privacy against Google. They alleged the search engine had tracked and collated information relating to their internet usage, without their consent or knowledge, resulting in targeted advertisements displayed on their own screens, which had the potential to identify them. The claimants needed permission to commence the proceedings in England, which could only be given if the claim was based on a tort. Google argued that misuse of private information was not a tort in England.

Tugendhat J dismissed Google’s application and held that:

  • misuse of private information was a tort for the purposes of the jurisdictional question;
  • there was a serious issue to be tried as to whether Google’s collation and use of the metadata breached privacy, as the advertisements might display private information;
  • it was arguable that metadata was “personal data”, because third parties viewing the users’ screens could identify them as having the characteristics inferred from the targeted advertisements; and
  • distress, without financial loss, was sufficient to establish liability.

The case demonstrates the Courts’ willingness to fashion privacy remedies and is further confirmation that online services are subject to the laws of the jurisdiction in which they are accessed. It is a useful reminder that online operators will be liable under the privacy (and other) laws of every country where their products are used, viewed or downloaded.  

The judgment can be read here.

The judicial blue pen applied to Google searches

In another case of judicial protection of privacy interests, the European Court of Justice (ECJ) has upheld a right to be “forgotten”. Search engine providers can now be ordered to remove certain personal information from search results. 

The ECJ decision was triggered by a Spanish claimant’s objection to Google searches on his name bringing up links to historic articles about the repossession of his home. The ECJ, advising the Spanish Court which heard the case, decided that links and information on a results list must be erased where the publication of personal information harms a person’s fundamental rights, including the right to a private life, and where there is no public interest in publishing that information. An individual may now ask a search engine to remove personal information, and can resort to a data-protection authority or the Courts if the search engine refuses. Any internet operator processing or controlling personal information of any EU citizen must abide by this law. 

The implication of this decision will only become clear with time. The ruling empowers the Courts to decide what cannot be published online, encroaching on the freedom of operators (and users) to post, view and retain information on the internet.

The judgment can be accessed here.

Progress for privacy

The European Parliament has voted through a new EU data protection reform package aimed at strengthening data protection within the EU. The package contains the EU General Data Protection Regulation (Regulation) and the Police and Criminal Justice Directive (Directive). Both of these were voted through on 12 March 2014.

The package is intended to protect consumer interests by safeguarding their personal information. Consumers will have greater rights in respect of having their data erased, and limits will be placed on organisations’ ability to profile consumers. The package also makes changes to require international data transfers to obtain prior authorisation.

The requirement that organisations register with or notify an EU data protection supervisory authority has been removed. Organisations will now be required to maintain certain documents and records internally for regulatory inspection.

The package requires non-European companies offering goods and services to EU consumers to apply the EU data protection law in full.

The Regulation will increase the fine imposed on firms that break data protection rules to €100 million or 5% of the firm’s annual worldwide turnover, whichever is greater.

It remains for the Council of Ministers to formalise its position on the package. To date, the Council, which is composed of a Minister from each EU State, has been broadly supportive of the proposals in the package. The Ministers are next due to meet and discuss the reform in June 2014. Once the Council of Ministers has adopted a formal position, negotiations on the Regulation and Directive will begin between the European Council, the Commission and the Parliament.

Developments elsewhere include:

  • UK’s Information Commissioner’s Office has published an updated Code of Practice on conducting Privacy Impact Assessments (PIAs). The updated Code can be found here.
  • The Office of the Australian Information Commissioner has published a new Guide to undertaking PIAs, accessible here. (The New Zealand PIA Handbook, last updated by the Privacy Commissioner in 2008, can be viewed here.)

Constitutionality of the NSA before the US Courts

A federal judge has declared that the NSA’s collection of Americans’ phone records is probably unconstitutional.  That is of increased interest to New Zealanders given the recent coverage of interaction between the GCSB and the NSA. 

In the NSA’s first legal set-back since Edward Snowden’s June 2013 leaks, District Court Judge Leon granted an injunction against the NSA’s surveillance activities, on grounds they “surely infringe” privacy rights contained in the Fourth Amendment. The plaintiffs argued the NSA’s programmes amounted to unreasonable search and seizure due to their secrecy and over-reach, and sought injunctions and USD3 billion in damages. The Department of Justice (DOJ) has filed an appeal and the injunction has been stayed in the interim.

In his judgment (accessible here), Judge Leon found the NSA’s programmes to be “almost Orwellian”, and something at which the drafters of the Constitution “would be aghast”. He held the NSA engaged in highly “indiscriminate” and “arbitrary invasions” through its “systematic and high-tech collection and retention of personal data on virtually every citizen”. The programme involves collecting nearly all telephone calls made to, from and within the US. 

Crucially, Judge Leon found there was no evidence the programme helps head-off terrorist attacks, which would have provided some constitutional legitimacy. The NSA could not establish a reasonable, articulable suspicion of involvement in terrorism in each case of surveillance.

There are a handful of other challenges to the NSA before the US courts. Criminal defendants are beginning to challenge the programme after the DOJ revealed it was used in their cases. Another District Court decision (available here) recently dismissed such a challenge, holding that the NSA’s actions were a legitimate “counter-punch” to terrorism, and the secrecy and wide scope of the programme were effective in combating terrorism.  That decision is also under appeal. 

Such cases are opening a long process that will ultimately require the Supreme Court to decide on the constitutionality of surveillance activities currently used in the US. The Supreme Court itself faces a petition for review of its 2013 decision refusing to question the constitutionality of warrantless electronic surveillance. The petition was filed by a law firm whose communications with its foreign clients were subject to NSA surveillance.

The New Zealand context is quite different. The New Zealand Bill of Rights Act 1990 (BORA) does not empower the Courts to strike down legislation, and there will be no claim against the Government for surveillance within the scope of the empowering provisions. The GCSB’s Director has also recently offered public assurances that spying on and listening to everyday New Zealanders was not part of the agency’s normal practices. However, remedies, including damages, may be available under the BORA where surveillance is found not to have been authorised.

This publication is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.
