Our world is very different from that of 1993, when the Privacy Act first came into force, says the Law Commission in a lengthy report that forms the first stage of a “Review of the Law of Privacy”.
Today’s privacy legislation was conceived at a time when the internet, and particularly the web, was not widely used and when digital information likely to be sensitive was held largely by organisations that could be relatively easily regulated, says the Commission.
Today, by contrast, many individuals are active originators of digital information, some of which probably escapes the current Act. The Act, for example, excludes information contained in, or sourced from, a “publicly available publication”. That phrase is defined as meaning a magazine, book, newspaper, or other publication generally available to members of the public.
“There may be issues about the application of this exemption to material published on the internet,” says the commission. “Some of [the Act’s] language is ambiguous with regard to how it applies to internet publication, and some defined terms may benefit from being updated with the internet in mind.”
The definition of publicly available publication also includes public registers. The Law Commission has separately raised concerns about these being widely available, and points out in its report that while the information contained in them may be uncontroversial, it can be cross-matched with personal data in a way that could well be seen by many as a violation of privacy.
Data mining causes as much, if not more, concern as data matching, since this can effectively create information from an accumulation of records that was not inherent in any particular record, for example that a person’s behaviour is atypical of those in his/her demographic class.
The report expresses particular concern about young peoples’ willingness to put information about and images of themselves on social networking sites, without due regard to its possible use by others.
Even less adventurous users will willingly put their name, address and other personal information into a website without giving much thought to whether it is likely to be “used for a purpose other than that for which it was originally supplied”, a violation of Principle 10 of the Act. While privacy policies are published on websites, the report says, many people don’t read them.
Even if a breach of privacy were plain in such a case, it might still be difficult to identify a specific guilty party, it says. “Numerous people may be involved to varying degrees, from the person who posted the information originally, to people who link to the page from other websites, to the ISP and so on.”
Other information gathering is entirely without the consent of the user, for example clickstream data recording of a person’s activity within a website and the site they arrived from and departed to. Such information may be anonymous, being keyed only to an IP address; but it may be possible, particularly with the aid of search engines, to associate that address with identifying information.
The report also comments extensively on technology-aided surveillance in the street and the workplace. It points out that this has now become so pervasive as to present the same difficulty of responsibility as with passing on and matching of data.
“The new surveillance is projected to ‘transform surveillance from a conscious decision by specific corporate or governmental actors into a constant, inadvertent activity by virtually everyone’,” it says, quoting legal commentator Kevin Werbach at the University of Pennsylvania.
The Commission also comments at length on the risks of radio frequency ID tags for accumulating information and tracking movement. The report is the first stage in a four-stage review, which will eventually lead to recommendations as to how the Privacy Act might be amended.