New privacy legislation comes into force today. Photo / 123RF
OPINION:
Privacy has historically been treated as a second-class value in New Zealand and with the new Privacy Act 2020 coming into force on December 1 it is possible that little has changed.
Despite privacy being enshrined in the United Nations Universal Declaration of Human Rights it is awkwardly absent in New Zealand's Bill of Rights Act 1990.
Privacy can be described as protection of personal information against unwanted access by other people, where a person has a reasonable expectation of being able to control such access. The Privacy Act describes a number of principles that can be used to enable privacy yet our new act lacks the "teeth" to make it a meaningful deterrent.
The Law Commission's multi-year examination of privacy reform was kept at arm's-length in the various government responses to its recommendations. The specific responses by the Government failed to keep pace with the fundamental shifts in technology in the past 27 years (such as cloud computing and social media), emerging information use-cases (such as digital marketing and ecommerce) and privacy legislation in other countries. Significantly, the value to society of having a robust treatment of personal information is wholly missing.
Specifically excluded by the Government were reviews of the handling of health information, arguably the area where the greatest attention is required. The middle of a global pandemic is not the time to be ignoring the protection of personal information used to deliver health services.
What has changed then?
The amount of personal data produced and shared in 2020 could never have been anticipated in 1993. In 1993 the idea that selling people's web-browsing preferences would become the world's largest tradeable commodity and that it could be used to influence national elections would have marked you out as a delusional futurist.
Why is information so valuable?
Unlike commodities such as gold or other equities, information can be sold multiple times to different people. It can be sold nearly instantly and doesn't need to be loaded onto a ship for delivery. And unlike other tradeable commodities like food, it does not go off or have a "use-by" date. Information can also be denied to you through ransomware which has a price all of its own.
The utility of information knows no limits either. We think the local petrol station is just a place to fill up the car or buy a late-night pie, but the reality is they probably have more data points on you than the Government does. And those personal data points can be enriched with other data sets, sold, sliced and diced to the highest bidder.
It is these characteristics of personal information that have experienced a paradigm shift since the old Privacy Act was enacted.
The two stand-out features of the new Privacy Act are compulsory data breach notification and data sovereignty.
The good
Compulsory data breach notification requires organisations that have a data breach involving personal information to report it to the Privacy Commissioner. By normalising this as a behaviour it raises awareness of these issues as a nation whereas previously these matters were either ignored or actively covered up.
Also good
New Zealand has adopted cloud computing as a way to digitise our economy and drive greater efficiencies out of data. Since none of the big cloud players are in New Zealand yet, we are reliant on hosting much of our data overseas. It is conceivable a foreign Government could force the cloud provider to open its data centres and take the data of its clients because of a perceived "national security" requirement.
Data sovereignty requirements in the new act state that personal data cannot ordinarily be stored outside New Zealand unless the privacy landscape in the hosting country is equivalent to that of New Zealand.
The bad
While similar legislation overseas has both enforcement and highly deterrent levels of fines, the new Privacy Act here has neither.
Enforcement of privacy findings is still largely confined to a tribunal, as it was under the old act, and the limit of fines does not exceed $10,000. This is too small a deterrent for even a modest-sized business.
Compare this with Australia and the scene is quite different.
In Australia there are fines of up to A$1.8 million ($1.89m) for businesses and $360,000 for individuals. The intent to fine individuals should be a caution for directors who are potentially liable for failing to follow obligations under privacy legislation, and not just reckless trading under the Companies Act.
The ugly
It is understandable that there are exceptions to whom this act does not apply, but to exclude members of Parliament is baffling. Should parliamentary privilege overrule the rights of individuals, especially in the case where significant harm can arise for the individual due to a privacy breach caused by an MP?
To illustrate, former MP Hamish Walker knowingly released sensitive information relating to Covid-19 patients, yet faced no action. Having personalities who ultimately act to serve a narrow political agenda could undermine the principles of privacy at the expense of the citizens they are meant to represent.
The goal should be for NZ to be considered a safe place to conduct online business and somewhere that the highest standards of human rights are applied, which is hard when privacy is not defined under our laws as an inherent human right. Wider treatments outside of the new Privacy Act could improve our resilience to privacy issues.
There is a natural symbiosis between privacy and cyber security. Better cyber security can enable better privacy and the fines we have seen overseas have been largely because of failures to take reasonable security precautions as much as any other privacy principle.
Continuous disclosure requirements for listing on the NZX describe what a reasonable person would consider to be material information about the price of the issuer's quoted financial products. If an observer were to be aware that a listed company had suffered a major data breach that materially affects the value of that company, such as its ability to generate revenue, then I would expect a few more disclosures being made, yet they are not.
Making it illegal to pay ransomware has been tabled as it amounts to money laundering, and in some cases is in contravention of international sanctions. Some ecrime groups are large enough to be considered equivalent to terrorist organisations so dealing with them by paying a ransom/extortion can amount to a crime.
If the true cost of cyber attacks in New Zealand was ever calculated we would all be horrified. The Reserve Bank estimates the cost of cyber attacks to the banking and insurance industries alone is between $80m and $134m annually.
Prevention is better than a cure and there is already evidence that proactive measures work and that they cost less than being hacked. Active measures by New Zealand's National Cyber Security Centre (NCSC) have prevented $70.5m worth of damage in the past 12 months and $165m since June 2016.
The deduction is clear: If our nation is largely dependent upon digitisation and data to function (and digital technologies are inherently vulnerable) then they should be protected as critical capabilities.
The new Privacy Act could have been the opportunity to show the world that we take personal information and data security seriously. International privacy legislators will be considering whether NZ still has parity on the world stage when it comes to the protection of personal data. We currently have a helpful parity with the European Union as we have inherited privacy equivalence from the old Privacy Act. For how much longer, I don't know.
- Former RAF officer Jeremy Jones now works as head of cyber-security at Theta NZ.
'This decision has not been made lightly'.