Make a submission on the Privacy Bill

Parliment New Zealand

There are many people who are amazed at all the controversy surrounding privacy at the moment. The European Union, Facebook, Google and Cambridge Analytica are in the news almost constantly and many people just don’t seem to care or refuse to consider how it effects them, especially in New Zealand.

It might just be an outcome of the current generation though. In the 1970’s there were large scale protests against the erosion of privacy. Firstly in 1976 with protests against the Wanganui Computer Legislation (allowing the Police, Ministry of Transport and Justice officials to share information via hundreds of terminals around the country) and again in 1977 against the amendments to the SIS Act (vastly expanding the powers of the SIS).

It wasn’t until 1993 that the first version of the Privacy Act came into being. For a little perspective on how long ago that is, at the time Internet in New Zealand had roughly 10,000 users, the population was 3,500,000, Google didn’t exist and the National Party won the election because voters felt betrayed by Labours neo-liberal reforms. Clearly things have changed. Unfortunately, although the Act was touted as promoting and protecting individual privacy it only protected information privacy and weakly at best.

That, of course, is hindsight. When the Act was written there was no way the government could have foreseen the rise of commercial surveillance on the Internet. There is no mention in the Act of cookies, advertising, GPS or on-line tracking because those things either didn’t exist or weren’t seen to have any impact on the general population. Largely people were concerned about data like their name, address and birth date. That was what was considered personal information.

As the Act says,

Personal information means information about an identifiable individual; and includes information relating to a death that is maintained by the Registrar-General pursuant to the Births, Deaths, Marriages, and Relationships Registration Act 1995, or any former Act (as defined by the Births, Deaths, Marriages, and Relationships Registration Act 1995)

Now companies don’t need to have someone’s name to identify them. A persons online habits, devices used, collections of cookies or web beacons can identify them on-line as an individual just as well as a name. Using the Panopticlick just a browser can be seen to be an individual fingerprint that is possibly even more identifying than a name. After all, there are lots of people with the same name but my browser fingerprint was unique amongst the 1,500,000 tested on the service so far.

And how is an address more useful in identifying a place of residence than the GPS of a phone. 456,000 New Zealanders have a smart phone and in most of those cases the GPS data will be being uploaded. Google is being investigated in Australia over claims that it is harvesting 1GB of data from phones per month and even when location services are turned off they have admitted to tracking Android users using cell towers. They are also accused of using peoples mobile data to do so.

As for a persons birth date. How many people have received an email with happy birthday or happy 40th. Because if that email wasn’t encrypted then every server between where it was sent and where it was received could read it. Email wasn’t designed with security in mind and it is only recently that truly secure email services have become popular or readily available.

Clearly what it means to be an identifiable individual has changed in the 25 years since the Privacy Act 1993. Luckily the Act is up for review with submissions for the Privacy Bill being accepted now. This upgrade has been put forth by Andrew Little, Minister for the courts, GCSB, Justice, NZSIS, Pike River Re-Entry and Treaty of Waitangi Negotiations. And if it seems a little dubious having the Minister in charge of government surveillance in charge of the Privacy Bill then take some time and write a submission. It doesn’t take long and you may have to live with the outcome of this bill for another 25 years.

1 comment
  1. Anonymous
    Anonymous
    May 24, 2018 at 3:14 pm

    Well, that is one submission down…..

    Overall the Privacy Bill seems to weaken the right to privacy with a few tweaks on the old legislation. I would be much happier if we adopted a framework based on the principles of the GDPR than another effort to assuage business and security interests.

    I would like our legislation to be based on privacy by default with any movement away from that being subject to informed consent, the ability to correct, the ability to remove consent, re-consent required for passing data to third parties and deletion after a specified time period.

    I would also like the Privacy Commission to have oversight of and to be able to be investigate the security and intelligence services . For some reason we have, with little oversight, granted immense legal powers to an agency for a problem we don’t have or that can be handled by the Police. Approximately one in five woman in New Zealand experience a serious sexual assault yet the Police have less power to gather information than an agency that protects us against an act which has only happened five times in the last century.

    From an internet user point of view I would like right to be informed if the service provider I am connecting through, website, app I am installing, etc….has third party servers or is tracking me, who they are passing the data onto and how they will use it. To give an example if I go to https://www.mentalhealth.org.nz/get-help/in-crisis/helplines/ I don’t expect to be attached to ten third parties in the background including Google, Facebook, Adobe and Olark (I would suggest reading Olarks Privacy Policy to see how that information can be used).

    There should also be limits on what certain companies can force you to agree to in order to receive a service. For instance there has been a case in Australia recently where Google was allegedly uploading user tracking information at the users expense. Another case in America involved the cell carriers selling user location data. Both of these things were probably included in the terms and conditions of the phone people had just bought or the service provider they had connected through but since not consenting to the information gathering would make the phone useless it would seem to me to be a form of duress that should be avoidable.

    Specific problems I have with first part of the current bill are (by clause);

    (3) Includes the OECD but fails to mention the Universal Declaration of Human Rights (specifically article 12) or the Treaty of Waitangi.

    (6) Excludes RNZ and TVNZ from some IPPs.

    (18) a (II) Businesses should be removed.

    (19)

    IPP 1 gives a blanket OK to collection by advertising companies. Eg; Advertising is lawful and collecting personal information is necessary to target individuals for maximum profit.

    IPP2 (2)b should be removed as it allows an agency to collect personal information without notification.

    IPP3 (1)b should be changed to,”the purpose for which the information is being used” to stop information being collected for one purpose and used for another without notification.

    IPP3 (1)c should be changed to,”the recipients of the information” to stop information being collected for one purpose and used for another without notification.

    IPP3 (1)d2 should be changed to, “the agencies that will be, or are, holding the information” (eg, there should be an updated list. Information shouldn’t just disappear into the ether).

    IPP3 (3) should be removed completely. Of course people should be informed the information is being gathered again.

    IPP3 (4)a should be removed completely as it is up to an individual to decide whether their interests are preduced.

    IPP3 (4)c should be removed completely as it concerns the secret gathering of information.

    IPP3 (4)d deciding what is ‘reasonably practicable’ should should be a function of the Privacy Commission.

    IPP5 should include the option to have information anonymised if it is passed on.

    IPP6 should include the ability to delete the information.

    IPP8 should include the informed consent of the individual before the information is passed on.

    IPP9 should include a time limit on how long information can be kept without re-consent.

    IPP10 (1)b1 should place a limit of anonymisation instead of individual. (Eg; data must be anonymised into groups of 1000 individuals).

    IPP10 (1)f The Privacy Commission should decide the limits on 1 and 2.

    IPP10 (2) The Privacy Commission should decide the extent of the security intelligence services usage.

    IPP11 (1)g should be removed.

    IPP11 (3) should read to and overseas agency, not person.

    IPP11 (3)c The Privacy Commission should decide on who is a prescribed state.

    Reply
Leave a Reply

Your email address will not be published. Required fields are marked *