24 May Committee Secretariat Justice Committee Parliament Buildings Wellington. Dear Justice Select Committee member,

Transcription

1 24 May 2018 Committee Secretariat Justice Committee Parliament Buildings Wellington Dear Justice Select Committee member, Submission to the Justice Committee Review Privacy Bill Thank you for the opportunity to submit on the Privacy Bill. I support this important privacy law reform. My comments follow. I make this submission in my personal capacity as a New Zealand citizen and Director of a New Zealand based company. This submission is in no way connected with my employment as the Domain Name Commissioner. InternetNZ intends to make a separate submission. I have worked nationally and internationally in the field of privacy for more than 15 years. I am a former employee of two Privacy Commissioner s Offices and a past employee of an industry regulator which has been recognised by the Office of the Information Commissioner as an external dispute resolution scheme for telecommunications and privacy disputes. I was also a voluntary Director of the International Association of Privacy Professionals Australia and New Zealand between 2008 and Section 6 of the proposed bill definition of personal information 1.1 In the definition of personal information I would like to see greater clarity as to whether metadata and location based data should be considered personal information given its data trail is left everywhere a person goes online and in the physical world. 1.2 Some types of information are not obvious. Take for example metadata. All modern communications involve metadata. Using the internet creates metadata. Interacting on social media creates metadata. 1.3 Is this data that an individual creates about them or is it data about the network, device or platform which they used to create their communication? 1.4 Similarly, technologies which enable electronic devices - and therefore the people who use and carry those devices to be easily located - should be addressed in the definition of personal information. 1.5 This type of data may be valuable to some organisations, as it can allow very specific

2 targeting of services to particular individuals. I personally find it very helpful when ordering an Uber, that it knows my precise location on a map on my mobile phone. 1.6 However, this also poses serious risks to individual privacy, as well as risks that such data may be used to make decisions which adversely affect the individual to whom it relates. 1.7 A practical way of protecting metadata and location based data is by expanding the definition of personal information to include: Personal information is information about an individual or whose identity can be reasonably ascertained from the information or in conjunction with other information that is in, or is likely to come into, the possession of an agency. 2. Section 6 definition of personal information - Deceased persons 2.1 When you die your privacy rights are extinguished, except in the area of health or where specifically legislated or at common law. Is this right in the modern age where your memories live online? 2.2 If New Zealand isn t to have a right to be forgotten, perhaps it should have some rights to protect the information of the deceased. 2.3 Some of the reasons to consider protecting personal information of the deceased include: a) social media pages now offer options to create online crypts where your lifetime memories are there for the world to see. b) cultural sensitivities may arise when talking about the deceased. c) protecting personal information after death may impact how people act when they are alive knowing some things about them will not be revealed to a bunch of strangers. d) immediate access to a person s personal information upon death may raise issues with identity management. 3. Section 6 interpretation collect 3.1 For the avoidance of doubt, the definition of collect should spell out that collection of information includes automated collection. The definition of collect could say or words to this effect: in relation to personal information, means to take any step, whether automated or not, to seek or obtain the personal information, but does not include receipt of unsolicited information

3 3.2 Gone are the days where organisations could only collect large quantities of data but didn t have the resources to sift through it. The robots are coming and information is the fuel that will drive them. 3.3 As better tools are developed for processing huge quantities of data, and as better datamining applications come to the market, chances are that new businesses will be built around automated collection and sifting practices. 4. Consent 4.1 I am of the view that it is appropriate to deal with consent as either a definition in section 6 of the Bill, as a separate privacy principle or in the explanatory memorandum. 4.2 Giving greater guidance on consent would make it easier for agencies to collect use and share information with consent. It would also make it clearer who could be the sources of consent, especially in family group situations involving decisions about a person s personal information management. It would also enshrine notions of consent such as it must be voluntary, informed, capable of being given, capable of being withdrawn. 4.3 It would be useful to clarify notice from consent. My experience with dealing with privacy laws has been that these terms can be confused and individuals mistakenly think they can veto an act or practice when they have no real choice, or they are asked to consent when what is really sought is their acknowledgement that they have been told what will happen with their personal information. 5. Part 6 notifiable privacy breaches 5.1 I welcome the inclusion of mandatory data breach notification. However, I would like for the breach notification process as much as possible to be consistent with our Asia Pacific colleagues and not be out of step with the new EU General data Protection Regulation. 6. EU adequacy 6.1 I am the director of a Taranaki based e-commerce agricultural business that has an online store which value adds to the primary sector. Transborder data flow and retaining access to export markets is vitally important to business growth prospects. 6.2 It is not possible to send products offshore without individuals personal information accompanying their purchase. 6.3 To ensure a free flow of information, global ecommerce and access to markets, it would be preferable from an ease of doing business sense, for New Zealand to retain our EU adequacy.

4 7. Section 203 of the Bill - Inquiry and own motion powers of the Privacy Commissioner 7.1 The Privacy Commissioner should be given a qualified performance assessment function for the public and private sector either expressly or through expansion of its own motion investigative function. 7.2 The function could be used where the Privacy Commissioner had reasonable grounds to believe that an organisation is engaging in practices that: (a) posed new and significant risks to personal information they hold; or (b) contravened the privacy principles in the Act or a commitment made in resolution to a complaint or own motion investigation. 7.3 This type of function could be used as an educative tool to assist organisations to identify areas for improvement within their privacy compliance frameworks. It would also be a proactive and contrasting function to many of the additional functions related to compliance notices and fines. 7.4 While 14 (l) gives the Privacy Commissioner an ability to audit personal information it is prefaced on a request by an agency, to audit personal information to ensure it is maintained according to the information privacy principles. It would be better if an inspection or audit function didn t have to be triggered by a request. 7.5 Other privacy jurisdictions such as Australia, the UK and Canada provide for a privacy audit function by the Privacy Commissioner which may be useful reference. 8. Privacy Complaint management 8.1 The proposed section 85 of the Bill which enables the Privacy Commissioner to refer complaints to certain bodies is drafted rather narrowly. 8.2 It would be better to adopt the Australian model for managing privacy complaints. In Australia the Information Commissioner can recognise external dispute resolution (EDR) schemes to handle particular privacy-related complaints (s 35A of the Privacy Act 1988). 8.3 With the broadening of functions to be performed by the Privacy Commissioner, this could be a useful complaint management tool and would also strengthen access to justice though other alternative dispute resolution schemes with relevant industry and privacy knowledge.

5 9. Anonymity and Pseudonymity 9.1 There should be a specific principle aimed at giving individuals choices when they interact with agencies for goods and services around anonymity and pseudonymity. 9.2 Australia has an anonymity principle which applies where it is lawful and practicable for an agency to offer anonymity. Without the necessity of having to collect personal information to interact many of the risks and compliance costs associated with keeping tabs on personal information fall away. 10. Definition of agency 10.1 The Privacy Bill controls how agencies handle personal information. Only a few agencies are exempted. For example Members of Parliament, when they are acting as MPs It would be helpful to determine whether there needs to be any accountability under privacy law of Ministers and their advisors or if Parliament is to perform that role that this be spelt out. 11. Developing Technology 11.1 The fact New Zealand s privacy laws have stood the test of time for so long is an indicator of how relevant a principles based approach is to ensuring technology neutrality Nevertheless, given the pace of technological change it would be good for more periodic reviews of the Act to ensure the law stays relevant. Thank you for the opportunity to contribute to the discussion on privacy law reform. Brent Carey