InfoRM Privacy Law Update – May 2016

In this edition of InfoRM:

Survey suggests Divergent Attitudes to Online Privacy

The results of the latest World Internet Project New Zealand (WIPNZ) survey have been released. Interestingly, especially in light of recent attempts by corporations to increase privacy measures (see below), they reveal that New Zealanders are more concerned about corporate entities violating their privacy than they are about government entities doing so. This was the first time privacy questions were included in the survey, which is an annual report produced by Auckland University of Technology researchers on New Zealanders’ usage of, and attitudes towards, the internet.

Just under half of internet users (45%) are worried about companies ‘checking’ what they do online, whereas only 32% are worried about government doing the same thing. A similar trend is seen with concerns about violations of privacy. While 29% of users were concerned that government or other people are violating privacy online, a substantial 42% were concerned about the possibility of privacy violations by commercial entities. 

Opinions on privacy differed, with 68% of users actively protecting their privacy online, yet only 45% feeling they can control their online privacy. Conversely, 23% believe that concerns over online privacy are exaggerated. Only 10% of respondents felt as though they had ‘something to hide’.

Of the 11% who reported an online privacy violation within the last year, almost two thirds (61%) reported the consequences of the violation as only a minor problem – for 12%, it had financial consequences, for 11% it was simply embarrassing, 5% had personal relationships affected, and for 2% it affected job or career prospects. Even allowing for overlap between categories, it appears that over 1% of all respondents were victims of a privacy breach with financial or career consequences within the last 12 months.

Other security issues experienced by internet users included malicious requests for bank account details (40%), knowledge of receiving a virus (29%) and credit card fraud (4%). 

Almost half (45%) of internet users responded that they did not use the ‘cloud’, which, for more than half (55%) of those users, was because they lacked sufficient knowledge about cloud computing to do so. Privacy reasons (44%) and security concerns (29%) were the two other main reasons respondents chose not to use cloud computing. 

The full report is available here.

Human Rights Chief speaks on Data Privacy

A recent article by Chief Human Rights Commissioner, David Rutherford, discussed the effects of emerging government data-sharing systems on privacy in the context of Integrated Data Infrastructure (IDI). IDI is a data-sharing system developed by Statistics New Zealand which combines data from a range of government organisations to provide information to help the Government deliver better services to the public, and to ensure investment is made where it is most needed.

Mr Rutherford argues that data-sharing systems like the IDI have the potential to improve policy-making and the delivery of social services in New Zealand, especially in terms of preventing child abuse. However, he also expresses concerns about the privacy implications of these databases, and encourages the public to engage in a discussion on the development of an agreed framework for data sharing.

Individuals may be concerned about the nature and extent of the use of their private information held by the database, especially given that non-government researchers can access IDI data in some circumstances. 

To counter such fears, and in accordance with existing privacy principles, Statistics New Zealand has committed to removing personal identifiers and imposing a strict vetting process for non-government agencies. Given the high volume and detail of the information being stored, past experience suggests that this may be a challenging undertaking indeed.

Internet Drama or Fundamental Freedoms? The State of Play in Online Privacy

Privacy continues to be a hot topic around the world, particularly in jurisdictions which lack an all-encompassing legislative guide to the use of personal information. Recent events abroad have highlighted the precedence of privacy concerns for individuals, companies and governments.

Apple Inc made headlines earlier this year following its opposition to an order made in the case of United States v Black Lexus IS300. Apple claimed that the order to decrypt a terrorism suspect’s iPhone would require it to take extraordinary steps to create a ‘skeleton key’ which could unlock any iPhone in the world. The US Government withdrew its case, however, after the FBI reportedly paid a security contractor over a million dollars to access the phone independently of Apple. 

Microsoft has now brought its own case directly against the US Government, this one in relation to secrecy orders commonly obtained when a state agency executes a search warrant against a person’s cloud-stored data. A secrecy order not only means that the state agency is not required to disclose the search to the data’s owner, but also means that the relevant data holder (in this case Microsoft) is prevented from doing so, often indefinitely. 

In much the same vein, internet discussion site Reddit generated plenty of discourse after a section of its annual transparency report which has come to be known as a ‘Warrant Canary’ was not included in the 2016 edition. The ‘canary’ paragraph, named after the birds traditionally used in mining to detect the presence of invisible gas, stated that Reddit had never received a classified request for user information. While Reddit’s management has remained tight-lipped, the clear implication is that Reddit has now received such a request – although whether a ‘warrant canary’ complies with US law is yet to be determined.

Meanwhile, Microsoft’s challenge to a US search warrant requiring it to deliver data stored on servers in Ireland has yet to be decided.

New EU Data Protection Rules Given Approval

The European Parliament has this month given its final approval to the Data Protection Regulation, which replaces the 1995 Data Protection Directive. The new regulation comes with an accompanying directive which specifically deals with the use of data by police and judicial authorities. While the regulation will become effective in two years’ time, the directive must be transposed into national law by member states individually.

Four years of negotiations have led to the new set of rules, which the steering MP, Jan Philipp Albrecht, has called a “fierce European ‘yes’ to strong consumer rights and competition in the digital age”.

The key provisions included in the regulation are:

  • A right to be forgotten;
  • Clear and affirmative consent being required for a person’s data to be processed;
  • The right to transfer data to another provider;
  • The right to know when data has been ‘hacked’; and
  • A requirement that privacy policies are expressed in clear language.

Severe penalties may apply following breach. Companies that find themselves in breach of the regulations face a maximum financial penalty of up to four per cent of their worldwide annual turnover. By way of example, 4% of Apple Inc.’s FY2015 worldwide turnover is approximately US$10 billion. Such a fine, if ever ordered, would rank alongside fines for banking misconduct leading up to the 2008 financial crisis and fines for oil spills such as the 2010 Deepwater Horizon spill.

Around the World of Privacy:

Panamanian Pandemonium

No roundup of privacy happenings in early 2016 would be complete without a mention of the Panama Papers.  Leaving aside the substance of the documents and allegations that have followed, the worldwide coverage raises numerous questions about the limits of privacy and its intersection with the public interest.

In particular, the Panama Papers leak highlights the issue of whether there is ever a good reason to circumvent strict rules surrounding privacy and privilege for legal and financial records, as well as whether the current rules should change. 

The law has long recognised that privacy interests should sometimes be subordinated to the public interest, for example, the public interest defence to an action for breach of confidence, the ability to obtain search warrants, and the exceptions recognised in the Privacy Act (which do not extend to a generalised ‘public interest’ defence). 

Mass data leaks pose real challenges for privacy law. There may be a genuine public interest in some information being disclosed, but even if the public interest overrides privacy in some instances, the question remains as to what protection there is for those whose information need not be disclosed to satisfy the public interest, and who have the bad luck of being associated with the same service provider.

Attack on the Drones

A trend toward greater regulation of personal drone use is too slow for some, with a smattering of reports emerging about members of the public taking action to protect their privacy in the face of drone incursions. Last year, a US man was reported to have used his trusty shotgun to shoot down a drone flying over his property, while more recently another man brought down a drone with a pool hose while it was filming his children. 

A more ambitious approach is being trialled in Europe, with a Dutch company known as ‘Guard From Above’ reportedly training eagles to prey upon rogue drones. Dutch police are trialling the initiative, and London's Metropolitan Police says it is “interested” despite the Director of the International Centre of Birds of Prey in Gloucestershire calling the idea a “gimmick”.

German Court Dislikes Facebook Plug-In

A German regional court has held an online shopping site’s use of a Facebook plug-in was a breach of Germany’s data protection laws, a move which will impact how companies integrate social media network plug-ins into their websites.   

When users loaded Peek & Cloppenburg’s ‘Fashion ID’ website, user data such as IP addresses was transmitted to Facebook. The Düsseldorf Regional Court held that Peek & Cloppenburg failed to obtain proper consent from website users before sending this usage data. The Court further held a link to a data protection statement at the foot of the website was insufficient in indicating website user data was being or was about to be collected and sent. 

Peek & Cloppenburg has since changed the use of plug-ins on its website. Website users must now activate the plug-in themselves if they wish to “like” the clothing chain and are warned activating the plug-in will allow social media networks, like Facebook, to collect usage data. Other German companies such as Beiersdorf, ticketing company Eventim and fashion retailer KiK, have also deactivated plug-ins and added similar warning statements.

Facebook does not appear concerned about the future of the plug-in. In response to the Peek & Cloppenburg ruling, a Facebook spokesperson stated “the Like button ... is an accepted, legal and important part of the internet, and this ruling does not change that”. 

This publication is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.
