Guest post: Privacy and the Law

Guest post from Hayden Glass - Principal with the Sapere Research Group, one of Australasia's largest expert consulting firms. Thanks to Rick Shera (@lawgeeknz) for instructive conversation.

Part 2

In Part 1 [link] we looked at some aspects of online privacy. In this article we look at the law.

Can the old dog still hunt

New Zealand's privacy laws are generally considered to be pretty sound. The Privacy Act began life in 1993 describing a set of principles and giving you a bunch of rights in relation to controlling the collection, use and disclosure of personal information.

 "Personal information" is defined in the Act as "information about an identifiable individual", i.e., information from which you can be identified. If an agency is collecting anonymous information about your movements online, that is one thing, but if your online profile grows to the point that you could be identified from it, the rules in the Privacy Act can apply. As discussed in part 1, the line between anonymous and identifiable can be pretty uncertain.

The Law Commission looked at the Act in a three-year review of privacy laws that was completed in August 2011. It continues to believe that self-protection is the best protection, but suggests a substantial set of changes aimed at improving the law including:

* new powers for the Privacy Commissioner to act against breaches of the Act without necessarily having received a complaint, and allowing it to order those holding information to comply with the Act or submit to an audit of their privacy rules, and
* measures to minimise the risk of misuse of unique identifiers, and require those holding information to notify you if your information is lost or hacked, and
* controls on sending information overseas.

The government agrees that it is time for substantial changes to the Act, although it does not agree with everything the Law Commission has proposed. A new draft Bill is expected next year.

To the ends of the earth

One obvious issue in the internet age is the lack of match-up between the international nature of internet services, and laws that are limited to the borders of any particular nation. A modestly-sized nation at the end of the world, like New Zealand, has limited ability to influence foreign organisations who may not have any local presence, although our Privacy Commissioner has taken action against reputable major players offering services in this country.

One answer is to harmonise our laws with other countries, or rely on the big fish to protect our privacy. If the US or the EU forces firms to improve privacy protections we will benefit. The US Federal Trade Commission can legitimately argue that its actions will protect users in other countries (see the summary of a talk from Nethui 2012 here) and it is focused on this stuff. Vivian Reding, then the EU Justice Commissioner said that privacy for European citizens "should apply independently of the area of the world in which their data is being processed .... Any company operating in the EU market or any online product that is targeted at EU consumers must comply with EU rules". The French data protection agency is investigating Google's new privacy policy.

Another evident challenge to existing privacy law is to the notion of "informed consent". As a legal principle it is fine, i.e., your favourite online service has a privacy policy and you consent either directly to it by checking the box and clicking "I accept" or implicitly by using their service. So long as the policy does not breach the law and the service follows their own policy, they are legally blameless.

In practice you likely haven't read the policy, and you may not be in a position to avoid surrendering some privacy in any case. Participating in society increasingly requires online interaction, and any online interaction will involve sharing some information. Legally operators can rely on your click to indicate consent to their privacy policy, but in practice you cannot really withhold it.

One solution could be crowd-sourced reviews of online privacy policy, or organisations that rate others policies. There are similar troubles with the terms of licensing agreements to which you have to consent in order to use software.

Fit for purpose

Users have options to protect themselves online if they care to. They can avoid being tracked, ensure their privacy settings for social media services are well considered, disable cookies, turn off javascript, use fake Gmail or Facebook accounts, use incognito modes on their browsers, access the online world through a VPN or a range of other things. The Privacy Commissioner has guidance also. And you either have now or will soon also have an option to turn on a "do not track" option in your browser, that will impede the ability of firms to piece together your internet history as you find your own trail through the online garden.

Sadly users mostly do not avail themselves of these options. That may be because some impede the internet experience a bit. Or because users do not care to change their behaviour much despite saying they are worried about online privacy.

In these circumstances, there will continue to be debate about how far users can or should take responsibility for their own protection, and how far the law needs to go. This battle is the natural result of the standard model for internet services, i.e., if you want free internet services, you need to realise that your eyeballs are the price. No one should be surprised that advertisers try to make their services more effective by learning more about the brains behind those eyeballs.