Our privacy law is the operating system for how organisations handle our information, and it affects each of us every day, writes James Ting-Edwards of InternetNZ
New Zealand’s privacy law is finally, finally going to get an update. In a year that’s seen a range of big stories on big privacy threats, that’s good news.
There was Cambridge Analytica, who wanted to influence elections, so they built a quiz app that grabbed data from all your Facebook friends. There were local breaches too, through Z Energy’s fuel card website and Vector’s outage app. These are privacy breaches because they put personal information at risk, information like your name or street address which can be collected, accessed or passed on to others when it shouldn’t.
Our privacy law is meant to control how our information is used, and protect us against privacy breaches. It’s the operating system for how organisations get and use our information. And though we’re living in the Internet age, it hasn’t been properly updated since Jurassic Park first hit cinemas.
That’s right. New Zealand’s Privacy Act was written in 1993. Computers ran Windows 3.1, ‘e-mail’ had yet to lose its hyphen, and it was mainly for people working in universities. My mum had a job updating work databases by driving 3.5 inch floppy disks between offices.
The point being, we’ve seen a few changes since then. First, the widespread adoption of dial-up internet. Then, people buying and selling stuff online. And now, smartphones and social media becoming astonishingly ordinary parts of life.
Those changes have posed big challenges for privacy. Despite its age, our Privacy Act has actually stood up pretty well. It established flexible principles for protecting privacy and set up the Privacy Commissioner as a watchdog to hear complaints and keep an eye on things. That’s a good model for a law that adapts as technology changes. But a good operating system still needs updates. We need our parliament to take those updates seriously.
In 2018, protecting our privacy is vital for trust online. Using the internet often means sharing our information. Lots of us have lots of user accounts, including accounts we’ve forgotten about. Facebook. LinkedIn. Neopets. MySpace. The information we put online through these services is valuable, not only to inform and target ad campaigns but also for unauthorised and criminal uses.
Data breaches are a large and increasing threat to our privacy. The MySpace breach in 2014 included about 360 million emails, usernames, and passwords. By 2016, these were being sold on dark web markets as a resource for identity theft and other crimes. Ironic references aside, the rest of us have forgotten MySpace. But it lives on through the sale of breached accounts to target and inform criminal activity.
These privacy harms can have a long shelf-life. In July 2018, people around the world received blackmail emails, saying “I have hacked you, and have webcam footage of you in a compromising position”. These emails cleverly included, as proof, a real password associated with the target email address. In many cases, a password from the 2012 LinkedIn breach from six years earlier.
Our Jurassic Park-era privacy law fails to provide even basic protections against these harms. An update is long overdue. The Privacy Commissioner first reviewed the law in 1998, the year The Truman Show came out. Then in 2011, the Law Commission reported on its review. That’s the year Thor was released. It’s now been seven years (or three Marvel Movie sequels) since that review. And its recommendations still haven’t been implemented.
After that long, long wait, we finally have a Privacy Bill being considered by Select Committee. For a bill written in 2013, it’s pretty good. It takes some of the obvious steps needed for better privacy protection. For example, it will require organisations to notify users and the Privacy Commissioner about data breaches. It will let the Commissioner issue “compliance notices” to tell organisations what they have to do in response to privacy problems.
At InternetNZ, we’ve joined the 165 other people and organisations submitting on the bill. All the submissions I’ve read support the bill as a path to better privacy protections that work for the next decade. People want better privacy, and organisations want to offer better privacy. Privacy is good for business.
Within that overall support, there are a few things we and others want improved. We think that the way New Zealand does breach notifications should be closer to the model in Australia, and under the European Union’s General Data Protection Regulation (GDPR). If organisations can align notification practices across countries, they’re more likely to do this well. We think the threshold for breach notifications should be a little bit higher to get this alignment (and to avoid flooding people with too many notifications they can’t act on).
We also want our government to think deeply about the GDPR. One reason is to see if the GDPR has good ideas, which we could adapt to suit our own framework. But the main reason is to keep our stamp of privacy approval. Right now, Europe treats New Zealand privacy law as “adequate”. That means we can export to the EU without every organisation doing its own privacy compliance. That’s a very big deal for New Zealand tech companies and exports via the internet. With a deadline of 2020 to review our privacy, we have to get our thinking caps on now.
The main thing we need is for our politicians to sit up and take notice. Privacy is a human right. Our privacy law is the operating system for how organisations handle our information, and it affects each of us every day.
We’re asking the Justice Select Committee to improve and pass the Privacy Bill. We’re asking them to consider and consult on new changes arising from submissions before reporting back to Parliament. And we’re asking for MPs to think about our privacy more often than Jurassic Park gets a reboot.