On the eve of his departure from New Zealand to become the UK's next information commissioner, Privacy Commissioner John Edwards shares his thoughts on what privacy means in the modern age.
What is privacy? It's a question I've encountered many times in my seven and a half years as New Zealand's Privacy Commissioner. Many assume it has a narrow meaning: the right to keep everything to yourself; to tell no one anything. But in New Zealand law, privacy is more nuanced. It involves transparency – an obligation on agencies to tell you what they're going to do with your personal information, and your right to see what they've got on you. These agencies are obliged to protect your information with adequate security safeguards and even check that it is accurate and up to date before using it. And they can use it only for the purposes for which it was collected. But that's just the law. What else is privacy?
Privacy is a matter of life and death. When a ransomware attack, via a security weakness, hit the Waikato District Health Board earlier this year, it forced the cancellation of radiology and diagnostic services, and clinicians could not access their patients' medical records. Lives were at stake because the security of personal information was compromised.
More recently, the UK's Ministry of Defence sent an email to more than 250 Afghan interpreters who had worked for British troops. They used the "CC", rather than "BCC" field in the email, thereby revealing the identities of all to each other. Many of the recipients were still in Afghanistan, by then under merciless Taliban rule. The blunder put them in mortal danger.
New Zealand's world-leading response to Covid-19 has privacy at its core. The Government committed to using information collected for pandemic management purposes only for those purposes. It also designed tools, such as the Covid tracer app, according to principles of data minimisation and "privacy by design", making a significant contribution to the social licence that has saved thousands of lives.
Privacy and business
At a recent business seminar, I was asked whether Apple's avowed commitment to privacy is all that it seems to be. Underlying that question was a scepticism of the company's motives, perhaps an inference that Apple, whose business model depends on devices more than data, is engaging in cynical opportunism, rather than genuinely held values. I told the questioner they were missing the point.
If the biggest company in the world decides to put its money down on a consumer preference for privacy to seize a market advantage, to differentiate itself from its competitors, you'd have to be pretty bold to disregard that lead.
And it appears they've read the market correctly. The Financial Times reported this month that the effects of Apple's app-tracking transparency policy were really starting to bite. It found that Snap, Facebook and Twitter earned 98 per cent, 90 per cent, and 50 per cent of their revenue respectively from mobile apps. Of those, 42 per cent, 46 per cent and 46 per cent were on Apple devices. 80 per cent of the users of each app opted out of tracking, costing each company 40 per cent of their revenue. When Apple gave consumers an option to prioritise their privacy, they leapt at the chance.
Even Facebook, whose business model is extracting value from its customers' data, recognises this, and continues to insist that your privacy is important to it. It has even undertaken to delete its billion-strong database of facial-recognition biometrics to try to claw back some of the adverse impact of its more cavalier approaches to privacy in recent years.
Privacy is a human right. It's right there in Article 12 of the Universal Declaration of Human Rights: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks."
It's peppered through the International Covenant on Civil and Political Rights as necessary to enjoying the rights of liberty of movement, freedom of thought, conscience and religion, freedom of association and of expression and freedom from discrimination.
But privacy predates those post-war international declarations and treaties. It is woven into the fabric of our common law. Those who say "privacy is a recent construct – we used to live in villages where everyone knew everyone else's business" overlook hundreds of years of legal recognition of civil rights to control who may rifle through our papers, or publish our secrets.
In 1890, American jurists Samuel Warren and Louis Brandeis wrote the seminal essay "The Right to Privacy" in response to the invention of the portable camera. But even that is a relatively recent arrival.
A famous constitutional law case from 1765 showed that even the King of England's messengers could not enter a private residence and read and seize the occupant's correspondence without legal authority. The concept was lyrically put in a speech by William Pitt, who later became prime minister, in 1763: "The poorest man may in his cottage bid defiance to all the forces of the Crown. It may be frail; its roof may shake; the wind may blow through it; the storm may enter; the rain may enter; but the King of England cannot enter."
One of the most important elements of privacy is the concept of the autonomy of the individual, recognising the fundamental and inherent dignity of the human person – their mana. This is why it was no stretch of my jurisdiction, and no artificial elasticity of the law, for me to support the rights of transgender individuals to require the Government to recognise their self-identity, rather than have administrative systems dictate who they are and how they present to their families, and to society.
This is why the Office of the Privacy Commissioner took the Ministry of Social Development to task about the way it was conducting fraud investigations. It was demanding text messages – including intimate photographs sent by beneficiaries under investigation – from telecommunications providers, as well as extensive financial records, medical records and the like, all without any warrant or judicial oversight.
Yes, there was a power to demand information, which could be exercised by relatively low-level clerks. And yes, that was part of the Social Security Act. But those powers could not, we found, be exercised in such an unfettered and intrusive manner, in a way that humiliated and disempowered some of the most disadvantaged people in our community.
Privacy will endure
I have lost count of the magazine covers and headlines pronouncing the "Death of Privacy" in the 30 years I have worked in this field. Yet citizens and customers continue to demand privacy and are prepared to challenge businesses and governments who do not respect their kaitiaki role and what it requires in terms of protecting their personal information.
When someone claims "privacy is dead", it pays to enquire into the motivation of the writer. In whose interest is it for privacy to be dead?
And beware the false dichotomy. If you are offered a choice between safe streets and privacy, good health and privacy, security and privacy, innovation and privacy, then reject the choice and demand both.
Privacy is not absolute – it never has been, and it is not static. When someone asserts privacy is absolute, ask them whoever suggested it was. Can you imagine living in a world of absolute privacy?
I am told that certain cave-dwelling Byzantine holy men in North Syria may have achieved something approaching that state, but it is simply a straw-person argument to suggest such a condition is attainable or desirable in the modern age. Privacy and data-protection laws set the terms for transactions involving our personal information with commerce and government.
Privacy changes with time and with circumstances. It adapts to technology and responds and sometimes pushes back, as we've seen with Apple and Facebook. It responds to other conditions in society as well.
When we call this thing "privacy", rather than the European-favoured "data protection", we see it as fundamentally an individual right. One of the challenges ahead is how to indigenise this right to reflect the culture of our region, which predominantly values the rights of the collective and the communal over the individual.
Might not iwi assert rights of data sovereignty over information about Māori held by the Crown, to better serve their people? This is what the High Court suggested in the recent case brought by health provider Te Pou Matakana Limited against the Ministry of Health. Te Pou sued the Government to get access to data about unvaccinated Māori. The ministry had refused to release identifiable information on privacy grounds.
The High Court found that the Crown could have released the information under the Privacy Act, but chose not to. The act (and the Health Information Privacy Code) allows the release of information where necessary to avoid a serious threat to public safety. Being allowed to release information under the code does not mean the holder of that information must release it; it has a discretion. But the court said that the ministry, in exercising this discretion, must do so in accordance with Te Tiriti o Waitangi.
Evolution of privacy
Now, 28 years after the Privacy Act 1993 was enacted, we are beginning to engage in a process of understanding how this law, this human right, this commercial imperative, and this consumer protection might be informed by te ao Māori and engaged to meet the aspirations of tāngata whenua. This is exciting, and it saddens me to leave the role as we embark on this next stage in the evolution of privacy in Aotearoa.
In the time it has been my privilege to serve as Privacy Commissioner, I have seen the institutions of the state, of commerce and industry, and of the non-government sector come to embrace and internalise privacy values. We have come a long way from regarding privacy as a compliance issue, along with that myriad of regulatory requirements imposed on business and government, to seeing it as a precedent for the maintenance of trust and confidence.
We have an informed and engaged public, and a strong and principled team at the Office of the Privacy Commissioner standing ready to safeguard privacy through the next set of challenges, whether they be calls for law enforcement and intelligence agencies to be able to break the encryption that businesses offer to keep our personal information, communications and commercial secrets safe, or to control the power of artificial intelligence in drawing inferences from and making decisions about us, based on the data we shed as we go about our everyday lives. Privacy is here to stay.
John Edwards will begin his new role as head of the UK Information Commissioner's Office (ICO) on January 3.