The World Wide Web was invented in 1989 at much the same time that final drafting touches were being made to a privacy bill to be introduced to New Zealand’s Parliament. By 1993, when the Privacy Act was finally enacted, there were – wait for it – an estimated 15 million users of the Internet worldwide. That same year, according to Down to the Wire, Nat Torkington created New Zealand’s first ‘real web site’.
At the start of 2016 it might be worth asking whether the principles in the 22-year-old Privacy Act might usefully be supplemented to be ‘fit for purpose’ in this digital age. After all, the 12 familiar information privacy principles in the Privacy Act 1993 were based upon eight even more ancient principles contained in the OECD Privacy Guidelines of 1980. New principles suited to the Internet have been developed in other laws and in other countries that may have something interesting to offer. The question might be especially timely if 2016 turns out to be the year that New Zealand’s privacy law is reformed to give effect to the findings of the Law Commission’s 2011 Review of Privacy.
In this post we propose a few new approaches to privacy, especially those that directly address the challenges created by the Internet and life pursued online. These proposals are drawn from a number of different sources beyond the Privacy Act.
A digital communication should not contain a matter that is published in breach of confidence
This principle is already part of New Zealand law. It is one of 10 communications principles in the Harmful Digital Communications Act 2015. Traditionally the common law tort sought to protect private information that is conveyed in confidence. The principle responds to the digital magnification of harm when a matter disclosed in breach of confidence is further broadcast online.
Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an organisation in relation to a particular matter
Subject to limited exceptions, Australian privacy principle 2 requires entities to give individuals the option of not identifying themselves, or of using a pseudonym, in their dealings. Given the traces left in digital transactions and the ability to link information, many people see anonymity as an effective way of protecting their privacy. The principle seeks to ensure that individuals retain the option to withhold their identity wherever possible.
This proposal provides that people should not have to pay in order to exercise their rights of privacy, nor be denied goods or services or offered them on a less preferential basis. This is drawn from the Australian Privacy Charter of 1994. The approach is consistent with treating privacy as a right, not a chargeable add-on, and with experience in consumer protection, where it has been found necessary to prohibit businesses from placing financial barriers to the exercise of individual rights.
Privacy as the default setting
This is the second of seven Foundational Principles of Privacy by Design. Privacy by Design seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice. If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual to protect their privacy — it is built into the system, by default.
Right to data portability
Article 18 of the proposed EU General Data Protection Regulation will give individuals the right to ask for the return of the personal information that they have provided to an information services provider in a structured, commonly used and machine-readable format, and the further right to have that information transferred to another service provider without hindrance. Data portability is the ability for people to reuse their data across interoperable applications - the ability for people to be able to control their identity, media and other forms of personal data. This right responds to the fact that many individuals are entrusting virtually all their personal records to online providers and are likely to do so in the future for their entire lifetimes. In these circumstances one would not wish to be beholden to one single provider. Nor would one want to have deletion of information as the only remedy if dissatisfied with one provider. It will be important to be able to uplift one’s records and move elsewhere. In this sense, it may be a much more useful right to many more individuals than the more familiar newly revealed EU privacy principle: the right to be forgotten.
Respect for context
The Obama Administration’s Privacy Bill of Rights includes many of the old school ‘fair information practice’ principles, familiar for more than a generation. One has to look fairly hard for a new principle to highlight. ‘Respect for context’ fits the bill. In effect it provides that if an agency plans to process personal information in a manner that is not reasonable in light of context, the agency must conduct a privacy risk analysis including, but not limited to, reviews of information sources, systems, information flows, partnering entities, and information and analysis uses to examine the potential for privacy risk. This is an approach also recommended in New Zealand – see our privacy impact assessment toolkit.
The first of nine principles in the APEC Privacy Framework provides that personal information systems should be designed to prevent the misuse of personal information. Risk assessment and harm mitigation is at the heart of APEC’s approach to privacy. This may be contrasted to the approach in the European privacy instruments which emphasise rights and, in particular, human rights. The difference can be explained in part by the heterogeneous nature of the Asia Pacific region with norms and regulatory approaches that can differ substantially from those prevailing in the more homogenous European nations.
Risk assessment and treatment cycle
We couldn’t leave privacy in a digital age without reference to the ever present underlying concern for security. In 2015 the OECD formulated the principle that “Leaders and decision makers should ensure that digital security risk is treated on the basis of continuous risk assessment”. This is one of eight principles in the OECD Recommendation on Digital Security Risk Management for Economic and Social Prosperity. We often accept some level of risk commensurate with the social and economic benefits of participating in the digital world but agencies must also take into account the potential impact of our actions and choices on the legitimate interests of others.
New principles for New Zealand?
The eight OECD privacy principles were recently reviewed and re-endorsed in 2013. They had stood the test of time and remained sound as far as they went. But there is a general understanding that implementing the principles alone is probably insufficient in today’s environment. Accordingly, in its 2013 review the OECD recommended supplementary approaches to promote accountability and address new risks.
An unwillingness to change or add to the OECD principles was based in part on a pragmatic view that tinkering with a good set of principles after three decades might undermine the consensus that had grown up over certain core approaches. However, the cautious OECD approach has not been followed everywhere and we have witnessed some radical new principles adopted in Australia and, more recently, Europe, and proposed elsewhere.
In New Zealand, our Parliament has itself pushed the envelope with the recent ‘communication principles’ in the Harmful Digital Communications Act. It will be interesting to see what new principles might emerge from planned reforms to New Zealand privacy law later this year.