The Law Commission has uncovered privacy issues arising from new technologies, including social networking, cloud computing and deep packet inspection, that are not adequately addressed in current legislation.
The commission produced part 4 of a series on privacy law earlier this month, pointing out that the principles in the Privacy Act “do not apply in respect of personal information collected or held by an individual … in connection with that individual’s personal, family, or household affairs.” The application of these laws to data volunteered on a social network may therefore be “limited”.
The rise of cloud computing also presents a significant set of privacy risks, says the report, recommending that would-be users of such services go through a detailed Privacy Impact Assessment (PIA).
The report emphasises a client company, not the cloud-service provider, is legally responsible for associated privacy protection. Outsourcing of data to an overseas provider presents additional challenges of cross-border data flow.
In requesting public comment, the Law Commission invites views more generally on whether the Privacy Commissioner should be empowered to direct public and private organisations to conduct a PIA for new projects with a potential impact on privacy.
Deep packet inspection – exploration of the content of transmitted packets for a variety of purposes from traffic shaping to targeted advertising – falls largely under protection of “personal information” in the Act and the Telecommunications Information Privacy Code, the Commission says. An ISP is in theory obliged to inform the user of DPI, but there are several exemptions, such as when the data gathered is not “prejudicial” to the user, when notice is impracticable; or when the ISP is investigating “an action or threat that may compromise network or service security or integrity”.
Increasing use of location data, from GPS to a trail of purchases with eftpos or Snapper cards, is briefly discussed. In an earlier report the Commission recommended that it be a criminal offence to use a “tracking device” to determine a person’s location without their consent.
Pinpointing identity information as an increasing facilitator in public use of government services, the Law Commission discusses principles applied to identity management overseas, but oddly fails to mention the New Zealand government’s own igovt identity verification system, other than in footnotes.
Privacy is crucial to continued growth and the thriving of New Zealand’s international trade in a “fast-paced digital world”, says Privacy Commissioner Marie Shroff, praising the Law Commission’s latest report.
“Since the Privacy Act was passed 17 years ago, the digital revolution has transformed our business and social environment,” says Shroff. “New Zealand needs to keep pace with technological impacts on privacy. There are real challenges to data protection and in our fast-paced digital world, we need to be equipped with the right tools to do our job.”
The Privacy (Cross-Border Information) Amendment Bill, introduced to Parliament last year, and approaching a second reading, is one pertinent facilitator of trade, she notes.
The amendments seek to allow people overseas to inquire on privacy matters pertaining to personal information about them stored in New Zealand; to enable the Privacy Commissioner to refer pertinent inquiries to another country’s privacy authorities and to enable the Commissioner to stop information moving outside New Zealand if this is being done with the intention of evading this country’s privacy law.
The Law Commission devotes a large part of its report to privacy questions arising from technology; but it acknowledges that its treatment of such matters is necessarily partial and that “some of the statements made, and material referred to in this paper, may quickly become outdated”, owing to the rapid pace of change in the field.