Reform of pre-internet Privacy Act vital

7 November 2017

The Government must act to reclaim our lead in technology-friendly privacy law, argues Gehan Gunasekara.

Earlier this month it emerged that a Vehicle Testing NZ employee had given several people's personal information to a gang member. The information had, amongst other things, allowed those people's identities and addresses to be known by gang affiliates.

This is just one illustration of how deeply flawed are the truisms that "privacy is dead", and that "those with nothing to hide have nothing to fear". Personal information about all of us exists that, if misused, can have serious consequences.

Australia updated its federal Privacy Act five years ago and further amendments take effect next year. In the Vehicle Testing NZ example, the agency would have to warn those whose details had been leaked.

The previous Government had committed to bringing in this mandatory breach reporting, as well as empowering the Privacy Commissioner to unilaterally make compliance orders against agencies that frequently flouted privacy standards – currently he or she can only make non-binding findings, and it is up to a tribunal to make binding decisions which can take time.

Australia also requires greater transparency through public notification of organisations' privacy policies. New Zealand should go further to bring its law up to date with today's hyper-connected world.

Consider, for instance, mobile ads. Anyone can now use services such as Google AdWords not only to pitch their products and services, but also to find out information about those who download apps that enable this, including their location data.

App providers should, in future, have to incorporate ‘privacy-by-design’ features so customers can control the purposes for which data is being collected. For example, apps should tell you whenever they collect additional data such as your smartphone's unique identifier.

Similarly, ‘Trojan horse’ technologies – where for instance an app is downloaded to facilitate a service but which then snoops on all other information about the user not related to the service – must be regulated.

Critically, the definition of what counts as personally identifiable information and the protection of digital identity needs to be a focus. No one can deny the benefits gained from being able to analyse large data sets when individuals' data has been combined with that of others, or made anonymous by removing identifying details, but the ability to re-identify someone is now alarmingly easy.

Consider a scenario where researchers analyse all data of secondary students in New Zealand and find that there is a high correlation between those who have studied a particular subject and their future health outcomes. If those student who have taken that subject are then denied a health service, is this a valid use of data?

What if, instead, those who have not studied it are targeted for the service? Are these decisions about individuals or about a class of people with certain attributes? These are matters that must be addressed in any new law.

The new law must be future-proof but, at the same time, ought to respect individuals' rights to keep aspects of their lives off-limits to technology. Already, advanced brain-scanning techniques are being developed that allow our innermost thoughts and feelings to be read by a machine. We may have nothing to hide, but most people would wish to keep some thoughts private.

Read the published article:

Gehan Gunasekara

Gehan Gunasekara is an Associate Professor in the University of Auckland Business School's Department of Commercial Law. He is Deputy Chair of the Privacy Foundation New Zealand.



Why we need to rethink creativity in business

If you want to boost creativity in the workplace, first know what you are dealing with, advises dt ogilvie.



NZ needs the same copyright exemption as US law allows

Fair use allows for limited use of copyrighted material without acquiring permission from copyright owners.



Australian privacy laws under a cloud

Michael Kirby reflects on how leading economies were able to reach a consensus on information privacy standards in 1980 and why they have struggled since then to agree on a basis for updating them. He suggests that technological and societal change ought not to marginalise fundamental human rights





New style of reform needed to reverse growing inequality

A fresh approach to personal savings is the only way to stop our slide into inequality and low productivity, argues Robert MacCulloch.




Net-zero carbon requires serious innovation

The Emissions Trading Scheme needs re-thinking if we are to achieve net-zero carbon by 2050, says Basil Sharp.




What New Zealand should learn about renewable energy

Climate change goals must be integrated into industrial policy if they are to succeed, urges Anna Berka.




How youth are breaking leadership taboos

Young people are starting to reject common assumptions about how they should act, argues Fiona Kennedy. Other groups could learn from them.