Guest post: Privacy and the Law

Guest post from Hayden Glass – Principal with the Sapere Research Group, one of Australasia’s largest expert consulting firms. Thanks to Rick Shera (@lawgeeknz) for instructive conversation.

Part 2

In Part 1 [link] we looked at some aspects of online
privacy. In this article we look at the law.

Can the old dog still

New Zealand’s privacy laws are generally considered to be
pretty sound. The Privacy Act began life in 1993 describing a set of principles
and giving you a bunch of rights in relation to controlling the collection, use
and disclosure of personal information.

information” is defined in the Act as “information about an
identifiable individual”, i.e., information from which you can be
identified. If an agency is collecting anonymous information about your
movements online, that is one thing, but if your online profile grows to the
point that you could be identified from it, the rules in the Privacy Act can
apply. As discussed in part 1, the line between anonymous and identifiable can
be pretty uncertain

The Law Commission looked at the Act in a three-year review
of privacy laws
that was completed in August 2011. It continues to believe
that self-protection is the best protection, but suggests a substantial set of
changes aimed at improving the law including:

* new powers for the Privacy Commissioner to act against
breaches of the Act without necessarily having received a complaint, and
allowing it to order those holding information to comply with the Act or submit
to an audit of their privacy rules, and

* measures to minimise the risk of misuse of unique
identifiers, and require those holding information to notify you if your
information is lost or hacked, and

* controls on sending information overseas.

The government agrees that it is time for substantial
changes to the Act, although it does not agree with everything the Law
Commission has proposed
A new draft Bill is expected next year.

To the ends of the

One obvious issue in the internet age is the lack of match-up
between the international nature of internet services, and laws that are
limited to the borders of any particular nation. A modestly-sized nation at the
end of the world, like New Zealand, has limited ability to influence foreign
organisations who may not have any local presence, although our Privacy
Commissioner has taken action against reputable major players offering services
in this country.

One answer is to harmonise our laws with other countries, or
rely on the big fish to protect our privacy. If the US or the EU forces firms
to improve privacy protections we will benefit. The US Federal Trade Commission
can legitimately argue that its actions will protect users in other countries
(see the summary of a talk from Nethui 2012 here) and
it is focused on this stuff. Vivian Reding, then the
EU Justice Commissioner said that privacy for
European citizens “should apply independently of the area of the world in
which their data is being processed …. Any company operating in the EU market
or any online product that is targeted at EU consumers must comply with EU
rules”. The French data protection agency is investigating Google’s new privacy policy.

Another evident challenge to existing privacy law is to the
notion of “informed consent”. As a legal principle it is fine, i.e.,
your favourite online service has a privacy policy and you consent either
directly to it by checking the box and clicking “I accept” or implicitly
by using their service. So long as the policy does not breach the law and the
service follows their own policy, they are legally blameless.

In practice you likely haven’t read the policy, and you may
not be in a position to avoid surrendering some privacy in any case.
Participating in society increasingly requires online interaction, and any
online interaction will involve sharing some information. Legally operators can
rely on your click to indicate consent to their privacy policy, but in practice
you cannot really withhold it.

One solution could be crowd-sourced reviews of online
privacy policy, or organisations that rate others policies.
There are similar troubles with the terms of licensing agreements to which you
have to consent in order to use software.

Fit for purpose

Users have options to protect themselves online if they care
to. They can avoid being tracked, ensure their privacy settings for social
media services are well considered, disable cookies, turn off javascript, use
fake Gmail or Facebook accounts, use incognito modes on their browsers, access
the online world through a VPN or a range of other things. The Privacy Commissioner
has guidance also. And you either
have now or will soon also have an option to turn on a “do not track
option in your browser, that will
impede the ability of firms to piece together your internet history as you find
your own trail through the online garden.

Sadly users mostly do not avail themselves of these options.
That may be because some impede the internet experience a bit. Or because users
do not care to change their behaviour much despite saying they are worried
about online privacy.

In these circumstances, there will continue to be debate
about how far users can or should take responsibility for their own protection,
and how far the law needs to go. This battle is the natural result of the standard
model for internet services, i.e., if you want free internet services, you need
to realise that your eyeballs are the price. No one should be surprised that
advertisers try to make their services more effective by learning more about
the brains behind those eyeballs.