In this edition of InfoRM:
Office of the Privacy Commissioner is breaking new ground
The Privacy Commissioner has a number of tools available to raise awareness of, and encourage compliance with, the Privacy Act. Recent exercises of two of those powers provide a useful reminder to agencies facing difficult privacy issues.
Privacy Commissioner releases first Advisory Opinion
To increase understanding of the information privacy principles and provide greater certainty for agencies, the Privacy Commissioner established a process in May 2016 where agencies could seek an advisory opinion from the Privacy Commissioner concerning the application of the Privacy Act.
The first advisory opinion, released in January 2017, concerned the New Zealand Fire Service’s (NZFS) proposal to publish the addresses of fire incidents on its website to reduce the administrative burden from insurers seeking this information. The NZFS sought the Privacy Commissioner’s opinion on the proposed initiative to ascertain whether addresses at which there have been fires are personal information and, if so, whether disclosing that information would breach the Act.
The Privacy Commissioner concluded that the addresses would be considered personal information under the Act, and that none of the exceptions that could justify disclosing personal information would apply. Interestingly, the Privacy Commissioner suggested that an online facility through which approved insurers could access the information may be a way for the NZFS to achieve its desired efficiencies while upholding the privacy of those with fire-affected properties.
Ultimately, such opinions are advisory only and the Human Rights Review Tribunal could take a different view. It is therefore possible that approved conduct could be found to be a breach. However, an advisory opinion is a significant step towards reducing the risk of non-compliance, and powerful evidence that an agency takes its privacy obligations seriously.
If the Tribunal does differ from any advisory opinions in the future, it will be interesting to see how prior approval affects the Tribunal’s assessment of damages.
Privacy Commissioner’s ‘naming and shaming’ policy
In December 2014, the Privacy Commissioner implemented a new policy of naming agencies that are in breach of the Privacy Act. The policy was intended to encourage compliant and privacy-conscious behaviour from agencies, to warn the public of certain agencies’ practices, and to increase public debate and awareness by encouraging media coverage of privacy cases.
Since the policy was released, five agencies have been named. The first use of the power was in August 2015, followed by three agencies in December 2016. Most recently, a photography business was named in order to warn other consumers about its retention and use of photos.
As privacy becomes of increasing concern to many, the reputational impacts of a breach are also likely to be increasingly significant. If the last few months are an indication, it is likely we will see more such ‘naming and shaming’ in the months to come.
New Zealand Developments
Privacy Commissioner makes recommendations for Privacy Act reform
The Privacy Commissioner has released six recommendations for reform of the Privacy Act 1993, as part of the Commissioner’s statutory mandate to review and report back to the Government on the Act’s operation:
- Making data portability a consumer right (the ability for an individual to request an agency transfer information to another agency in a format that makes it usable by the other agency).
- Introducing protections for individuals against the risk they can be re-identified from anonymised data.
- Granting the Commissioner the ability to require agencies to demonstrate their compliance with the Act and their privacy management plans.
- Introducing new civil penalties on application to the High Court for serious privacy breaches (up to $100,000 for individuals and up to $1 million for a body corporate).
- Narrowing the defences available for obstructing, or failing to comply with the requirements of, the Privacy Commissioner.
- Repealing the current public register privacy principles, instead placing safeguards in the legislation setting up the relevant public register, and making the review of applications for suppression of information on those public registers the responsibility of the Commissioner.
The Privacy Commissioner notes these recommendations have taken into account the Law Commission’s review of privacy law from 2008-2011, but are also made in light of developments in data science, information technology and international privacy laws. This report will be taken into account as part of the Government’s proposed modernisation of the Privacy Act, a draft of which is expected this year.
The full report is available here.
What constitutes ‘harm’ under the Harmful Digital Communications Act?
For the first time since the Harmful Digital Communications Act was passed, a court has considered what will constitute ‘harm’ under the Act.
A man appeared in court after posting intimate pictures of his wife on Facebook without her permission. Judge Doherty considered that because ‘harm’ is defined as ‘serious emotional distress’ in the Act, rather than mental injury, harm would be established by something less than mental injury or a recognised psychiatric illness. He also considered that the need to deter harm must be weighed against the importance of freedom of expression, so the bar for what constitutes harm could not be set too low.
He ultimately held that although the woman was “frustrated, angry, anxious and very upset”, this did not constitute the serious emotional distress that was required. Instead, he gave “a condition short of a psychiatric illness or disorder, or distress that requires medical or other treatment or counselling” as examples of what would constitute serious emotional distress.
Around the World of Privacy
European court rules data retention unlawful
The Court of Justice of the European Union (CJEU) has held that national legislation which, for the purpose of fighting crime, provides for the general and indiscriminate retention of all traffic and location data of all users and all electronic communications, is an impermissible restriction on rights contained in the EU Charter of Fundamental Rights (Charter).
In 2014, the CJEU had invalidated the EU Data Retention Directive on the basis that its general requirement to retain certain communications data constituted a serious interference with the fundamental rights to respect for private life and to the protection of personal data contained in the Charter.
As a result, Swedish telecommunications operator Tele2 Sverige ceased retaining personal data of its subscribers, on the understanding that the applicable Swedish law requiring this was no longer compatible with the Charter. And in the United Kingdom, the High Court ruled that a domestic data retention scheme, which authorised the Home Secretary to require public telecommunications operators to retain all communications data for up to 12 months, was also inconsistent with the Charter in light of the CJEU’s decision.
The CJEU considered the data retention schemes in both countries were inconsistent with the Charter because they made data retention the rule rather than an exception. The schemes also did not require any link between the data and a threat to public security in order for the data to be retained.
However, the CJEU held the Charter does allow for targeted retention of data, for the purpose of fighting serious crime, provided the legislation sets out the limited categories of data retained, the means of communication affected, persons concerned, and the duration of retention.
Data retention must be limited to that strictly necessary. Any domestic legislation must be clear and precise, and include sufficient safeguards against misuse of data or unlawful access. Further, national authorities can only access the retained data following prior review by a court or an independent administrative authority (except in cases of validly established urgency) and where the data concerned is retained within the EU.
This case is another example of the interesting interplay between the strong data protection policies of the European Union and the data collection and retention policies for crime prevention favoured by member states. The full decision of the CJEU in Tele2 Sverige AB v Post-och telestyrelsen and Secretary of State for the Home Department v Watson is available here.
United States: Microsoft’s overseas servers are still protected from Federal warrants
Last year, a three-judge panel of the Second Circuit Court of Appeals held that Microsoft was not required to disclose emails held on servers in Ireland to the US Department of Justice, as US warrants could not apply to information held overseas (see our previous coverage in InfoRM here and here).
In January this year, an application by the Government for a full panel to review the case was denied in a 4-4 split judgment. The Court held the legislation under which the warrant was issued was clearly not meant to apply extraterritorially, but noted it had been left behind by technology, and legislative reform was necessary to ensure the correct balance is struck between privacy and international law enforcement. As such, there is speculation the case will be appealed to the Supreme Court or the Government will ask for legislative reform.
Australia: Privacy Commissioner v Telstra Corporation Limited – the Federal Court’s view
The Federal Court of Australia has dismissed an appeal from the Australian Privacy Commissioner in a case concerning customer access to metadata held by Telstra (see our previous coverage here). The Court upheld the Australian Administrative Tribunal’s view that not all information which concerns or relates to an individual has the potential to be ‘personal information’, and it is necessary that the individual be the subject matter of the information. However, the Federal Court did not decide the broader question of whether any of the information originally requested by Mr Grubb was personal information.
As more and more of our devices are collecting information that relates to us, this case raises questions about whether this data will be considered personal information ‘about’ us and whether it will be afforded the protections of privacy legislation.
This publication is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.