[Home] [Databases] [WorldLII] [Search] [Feedback] New Zealand Law Commission

[Database Search] [Name Search] [Previous] [Next] [Download] [Help]

• Overseas Legislation
• The Issues

11 Privacy

165 IN A RECENT ARTICLE, the Hon Justice Michael Kirby stated:

The speed, power, accessibility and storage capacity for personal information identifying an individual are now greatly increased. Some of the chief protections for privacy in the past arose from the sheer costs of retrieving personal information; the impermanency of the forms in which that information was stored; and the inconvenience experienced in procuring access (assuming that its existence was known). Other protections for privacy arose from the incompatibility of collections with available indexes and the effective undiscoverability of most personal data. These practical safeguards for privacy largely disappear in the digital age. A vast amount of data, identified to a particular individual, can now be collated by the determined investigator. The individual then assumes a virtual existence which lives in cyberspace instead of in what is sometimes described as “meat space”. The individual takes on a digital persona made up of a collection of otherwise unconnected and previously unconnectable data.²⁶³

166 And in a paper presented to the APEC Steering Group on Electronic Commerce, the Privacy Commissioner noted:

It is interesting to consider why, in a consumer age where quality, choice and convenience is demanded, the level of e-commerce is so low. One reason is the appeal of conventional shopping. Another is a lack of consumer confidence in doing business electronically . . . They worry about the security of their personal information and fear it may be misused. Information privacy concerns are discouraging consumers from using the Internet to buy goods and services . . .
Private ownership of personal computers continues to increase, and the online consumer market is growing exponentially. However, a recent survey in the US found that only 23% of computer users with Internet access said they already paid for information or purchased products online . . . The reasons seemed to be privacy focused. A clear majority of people were concerned about threats to their personal privacy while on line. . . . it was clear from the survey that a lack of privacy protection was deterring people from using the Internet and e-commerce. Of those who were not likely to access the Internet in the next year, greater privacy protection was the factor that would most likely convince them to do so.²⁶⁴

OVERSEAS LEGISLATION

167 New Zealand’s privacy legislation (the Privacy Act 1993) goes further in protecting an individual’s privacy than many of our major trading partners.²⁶⁵

168 In the European Union (EU), privacy law is regulated by The Directive of the European Parliament and Council on the Protection of Individuals With Regard to the Processing of Personal Data And on the Free Movement of such Data.²⁶⁶ The Directive was adopted on 24 October 1995. The Directive sets out a number of principles in relation to the collection, processing and accessing of personal data. The data protection principles include: personal data must be processed fairly and lawfully; collected for specified purposes; accurate and kept up to date; processed only if the subject has given consent; individuals from whom information is collected have the right to access the data and adequate security measures must be used to safeguard the personal information. Article 25 requires Member States to provide that the transfer to a third country of personal data may only take place if the third country has an “adequate level” of privacy protection and article 32 requires Member States to bring laws necessary to comply with the Directive into force prior to October 1998.

169 In the United Kingdom the Data Protection Act 1998 implements the EU Data Protection Directive. The Act requires data controllers to comply with a set of data protection principles in relation to personal data processed by the data controller (section 4). The following rights for data subjects are established in the Act: the right of access to personal data (sections 7 to 9); the right to prevent processing likely to cause unwarranted damage or distress (section 10); the right to prevent processing for purposes of direct marketing (section 11); rights in relation to automated decision-taking (section 12); compensation for failure to comply with certain requirements (section 13); and also rights in relation to rectification, blocking, erasure and destruction of inaccurate data (section 14). Also, principle 8 provides that personal data must not be transferred to a country or territory outside the European Economic Area (which is made up of the 15 EU nations plus Iceland, Liechtenstein and Norway) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

170 New Zealand’s privacy law is governed by the Privacy Act 1993. In discussing the Privacy Act 1993, the Privacy Commissioner has recently said:²⁶⁷

If privacy is the key, then New Zealand consumers have an advantage – at least when they deal with New Zealand-based businesses. In New Zealand, consumers’ privacy concerns can largely be met through businesses complying with the Privacy Act. When properly applied, the Act’s emphasis on purpose and openness tends to allay consumers’ concerns about what might happen to their information. A legal requirement to maintain reasonable security safeguards reassures consumers about the security of their information – and that they have a practical remedy to pursue. The availability of a complaints mechanism gives confidence that promises of respect for their personal data can be enforced (1–2).
. . .
Any business based in New Zealand wishing to engage in e-commerce with consumers must ensure its activities comply with the Privacy Act, to the extent that they involve personal information about their customers.
The Privacy Act applies to the handling of all personal information collected or held by agencies, whether in the public or private sectors. Although there are some minor exceptions, all businesses from sole traders to multi-national conglomerates with a New Zealand branch are covered by the Act.
Personal information includes any information about an identifiable living person, whether it is on a computer, in a paper file or in someone’s head (5–6).
. . .
Central to the Act are its twelve information privacy principles . . . the principles are technology neutral, which means they have the flexibility to operate in a number of contexts. It also means they will not date as new technologies come into existence (6).
. . .
New Zealand is fortunate in having a broadly based technology neutral privacy law that covers the public and private sectors. Hence, privacy law does not pose an obstacle to the development of e-commerce within New Zealand or for New Zealand business seeking consumer sales overseas (13).

171 The Privacy Act has a set of Information Privacy Principles which are applied in a broad range of circumstances. The principles apply to all “personal information” held by an “agency”. “Personal information” means information about an identifiable living individual and “agency” is defined as meaning any person or body of persons, whether corporate or unincorporate, and whether in the public sector or the private sector (section 2). The Act is technology neutral²⁶⁸ and applies to all personal information, whether it is held in electronic or manual form.

172 The Information Privacy Principles include:²⁶⁹

• personal information must be collected for a lawful purpose;
• personal information must be collected directly from the individual concerned;
• the individual must be made aware of a number of matters (including that the information is being collected, the purpose for which the information is being collected, the intended recipients of the information, and the name and address of the agency collecting the information);
• personal information must not be collected in an unlawful or unfair manner;
• personal information must be protected by adequate security systems;
• individuals are entitled to have access to, and request correction of, personal information held about them;
• personal information shall not be used unless it is accurate, up to date, complete, relevant and not misleading;
• agencies must not hold personal information for longer than is required; and
• personal information must not be used for any purpose other than that for which it was collected.

173 When a person believes that an action constitutes an interference with his or her privacy, the individual may complain to the Commissioner (section 67). The Commissioner may investigate the complaint (section 70) and if the Commissioner decides that the complaint has substance, the Commissioner must attempt to reach a settlement between the parties (section 77). If a settlement is not reached, civil proceedings before the Complaints Review Tribunal may be taken (section 82). The Complaints Review Tribunal may grant a declaration that the action interfered with the privacy of the individual, make an order restraining the defendant from continuing or repeating the interference, award damages, or make an order that the defendant perform any act specified in the order (section 85).

174 In his presentation to the APEC Steering Group on Electronic Commerce, the Privacy Commissioner argued that privacy law does not pose an obstacle to the development of e-commerce within New Zealand.²⁷⁰ However, it is important to note the effect that article 25 of the EU Data Protection Directive²⁷¹ and principle 8 of the Data Protection Act 1998 (UK),²⁷² which prohibit the transfer of personal information to territories which do not have “adequate” privacy protection laws, may have on electronic commerce in New Zealand. The Privacy Commissioner has recently noted the importance of the EU Data Protection Directive for electronic commerce. In the Privacy Commissioner’s view, the impacts of the EU Data Protection Directive will increasingly be felt over the next few years:

The crux of the Directive for businesses outside Europe is its limitation on the transfer of personal information out of Europe except to third countries which ensure an adequate level of protection. This has the potential to impact significantly on businesses in this region handling personal information about EU residents for European companies. If a business is not in a jurisdiction with “adequate” privacy law, the Europeans may look to what sectoral laws or voluntary codes of compliance apply to the business. If there are none, the business may have to negotiate special contracts in order to carry out transactions with European consumers.²⁷³

175 The Privacy Commissioner has recently made a number of recommendations for amendment of the Privacy Act 1993.²⁷⁴ Two of the amendments recommended are designed to ensure that the Privacy Act will be deemed “adequate” under the EU Data Protection Directive. First, the Privacy Commissioner recommends amendment to section 34 of the Privacy Act. Section 34 provides that certain requests in relation to personal information held by an agency may only be made where the requestor is either a New Zealand citizen, a permanent resident of New Zealand or is in New Zealand at the time. The Privacy Commissioner recommends that the denial of the right of access to non-New Zealanders who are not present in New Zealand at the time should be done away with.²⁷⁵ Secondly, the Privacy Commissioner notes that there is a possibility that European agencies may divert data transmissions through New Zealand to another country so as to avoid the “adequacy” provisions in the EU Directive. The Privacy Commissioner recommends that this should be prevented.²⁷⁶

176 In his review of the Privacy Act 1993, the Privacy Commissioner also notes that the definition of “document” currently provided in the Privacy Act 1993 could be amended so that it is in conformity with the Evidence Code recommended by this Commission in 1999.²⁷⁷

The issues

177 We agree with the Privacy Commissioner that New Zealand needs to have effective privacy laws to encourage electronic commerce. We also agree that the Privacy Act 1993 applies adequately to the electronic environment. Further, for the reasons given by the Privacy Commissioner, we agree that the amendments to the Privacy Act 1993 which he recommends (discussed above) should be adopted.

178 We seek submissions on the issues arising from the process of “caching”. The term “caching” is defined by Gringras²⁷⁸ in the following way:

Caching is when a server with vast storage capacity holds copies of the most popular pages on the worldwide web. If this web cache is located on the local area network users can be saved the delay of gaining access to overburdened sites.

This also means that information may be held on a personal computer and the owner of the computer has no knowledge about the information and no intention to collect the information. The Privacy Act 1993 has 12 principles, the first 11 of which may have implications in relation to caching. The first four deal with “collection” of personal information while the balance affect information held by agencies (whether collected directly or indirectly from an individual or otherwise generated or obtained). The term “collect” is defined to exclude “receipt of unsolicited information”. There is an issue as to whether an agency involved in electronic commerce can be considered to be collecting information through caching. Further issues arise in relation to the retention, use and disclosure of such information and rights of individual access or correction if the information is readily retrievable.

179 We seek submissions in relation to the privacy issues raised by caching, and particularly as to:

• whether there are any practical problems and issues in the application of the existing law;
• whether those problems arise in relation to collection, holding or giving access; and
• if a law change is warranted how that might be framed.