The Facebook-Cambridge Analytica scandal reminded us we do care about privacy. It also revealed how easily companies and governments can use technology to reach deep into our lives, to track us and attempt to manipulate us. The huge benefits machine learning and artificial intelligence (AI) will bring also have the potential to increase these privacy risks.
But privacy law is adapting. Almost 25 years to the day since we passed our 1993 Privacy Act, legislative developments worldwide are reshaping privacy for the 21st century. In New Zealand we have a new Privacy Bill on which submissions close on Thursday. The next day, May 25, the European Union's general data protection regulation, or GDPR, takes effect. This will have a global impact, including for Kiwi businesses interacting with people in the EU.
Closer to home, Australia's privacy law now requires that serious personal information breaches be reported to the Australian Information Commissioner and to individuals affected.
In the New Zealand bill we therefore have an opportunity to do what we did in 1993 when we and many other countries used an earlier OECD report to create a law that was fit for local purposes but adopted internationally consistent core principles. We should take the core European GDPR rules and adapt them for New Zealand, with an eye also to the notifiable data breach regime in Australia. This is important for international consistency, but there's another important reason also.
New Zealand is one of a few countries to which personal data of European citizens can be transferred as of right without additional safeguards, because we have been accorded privacy law adequacy status by the European Commission. This means our businesses do not need to get specific consent each time before, say, selling online and processing personal customer data in New Zealand.
An Australian company doesn't have that luxury because Australia doesn't have adequacy status. We were accorded adequacy because our privacy law was in step with the previous European law. Let's keep it that way.
Some things we should consider:
• Make our data breach reporting standard consistent with the GDPR and Australia. Our bill as drafted would mean even fairly low level breaches must be reported to the Privacy Commissioner and to affected individuals. That imposes costs on our businesses and risks us getting even more of those privacy emails we ignore. The GDPR and the Australian law require only serious breaches to be reported and, importantly, if a breach has been fixed before any harm is caused, there is a lesser or even no requirement for reporting. No harm, no foul.
• Provide a specific right to be forgotten. At present in New Zealand, personal information may be held only for so long as is necessary for the purpose for which it was collected and must be kept up to date. The right to be forgotten takes this one step further and will become more important as mountains of data are collected about us as we interact online. If decisions about us are increasingly going to be taken by machines using all that data, it is critical we can remove past history that is no longer relevant. Balancing this against freedom of speech will be important here though.
• Provide data portability. From social media, to online book services like Kindle, to cloud storage, even to web-based email services, the right to shift to new providers is artificial if we can't get our personal information out in a useable fashion. The GDPR requires this.
• Provide a right to question the machines. Under the GDPR, there is a novel right to object to having decisions taken by automated processing like AI. I'm not sure we should go that far, but allied to that, the GDPR provides that if an individual is concerned about an automated decision about them, they can have it reviewed by a human. A useful safeguard. AI will improve, but there are already many reported instances where algorithms have delivered unexpected and unwanted results.
• Increase penalties. Proposed fines under the Privacy Bill are a maximum of $10,000. We are out of line with Australia (fines up to $A2.1 million) and the EU (fines up to 4 per cent of global revenue or €20 million, whichever is the greater).
International consistency is a must for a law that is one of the main bulwarks against global online overreach into our lives.
For businesses and for individuals, it creates undue cost and confusion to have radically different privacy rules when buying or selling online from New Zealand compared to buying or selling online from Sydney or Spain. We now have the chance to do it right.
• Rick Shera is a partner in the law firm Lowndes Jordan and a member of the Privacy Foundation.