Friday 23 September 2022

Submission on possible changes to notification rules under the Privacy Act 2020

The Ministry of Justice is requesting submissions on possible changes to the Privacy Act 2020, specifically around introducing requirements for individuals to be notified if their personal information is being disclosed (or transferred) between two agencies / entities. The Information Privacy Principles of the Privacy Act generally require that agencies collect personal information directly from the individual, and that separately agencies should tell the individual what information they are collecting and how they plan to use it, but there is currently a bit of a loophole where information collected from a third party doesn't require notification. Given that similar requirements have been introduced in the European Union (and several other jurisdictions trying to match EU standards), it stands to reason that such protections should be considered here in Aotearoa New Zealand too. Below is my written submission on the topic:

18 September 2022 

1. Thank you for the opportunity to provide feedback on these possible changes. I am a Research Fellow with Koi Tū: The Centre for Informed Futures at The University of Auckland, based in Wellington. My research area is in digital technologies and their impacts on society, particularly in terms of public sector use and privacy. The views in this submission are my own and may not reflect those of my employers.

Key Factors

2. Upholding the principle that individuals should have control over their personal information, where it is, who has it, and how it is used, would logically conclude that when personal information is transferred between agencies that they should be notified so that they can make informed and appropriate choices about their personal information. Therefore, I generally support the intent of the possible changes.

3. This is particularly important as the type of personal information being commonly collected becomes increasingly invasive (for example, analysis or insights derived about a person that speak to intangible aspects like personality rather than purely tangible characteristics like street addresses or phone numbers) and increasingly immutable (for example, biometrics that are unique and cannot be changed). In these cases, the negative impacts of personal information misuse or privacy breaches are greater than in the past, and there may be more reason for individuals to oppose their information or specific types of information ending up in someone else’s ownership or control without their knowledge.

4. The level of privacy harm that has accrued as a result of a lack of requirement for notification of indirect collection thus far is very difficult to quantify, because for the most part we simply do not know how much personal information has been indirectly collected. What we do know is that many modern business models (e.g. large tech companies generating personalised advertising) rely on transferring personal information between agencies for monetary value. Similarly, government agencies are increasingly transferring information about individuals in order to make better decisions and provide better services to individuals (e.g. through the IDI, or through digital identity systems), although there are more protections in place in the public sector. Notifying individuals each time their information is being transferred (with an opportunity to opt-out) may reduce the scale of those transfers, which is not necessarily a bad thing.

5. That our broader society has seemingly accepted business models and processes that rely on the transfer of personal information without notification of individuals is not a sufficient reason to oppose the need for such notification – the harm is still present and therefore it is appropriate to explore mechanisms to mitigate against that harm. An approach that introduces new compliance costs to mitigate that harm should be evaluated by balancing those costs against the harm that is mitigated, rather than accepting an argument that any compliance costs are unacceptable.

6. Our traditional conception of privacy focuses at the individual level, which can make it challenging to assess the level of harm from indirect collection of personal information. It is difficult to identify that a tech company selling someone’s personal information to an advertising company produces significant monetary or emotional harm to justify taking regulatory or enforcement action. However, in developing this policy, the government should consider the level of harm at a collective level – that transferring the personal information of many people between agencies can allow those agencies to make decisions with broader harm. A strong example is the Cambridge Analytica scandal – the individual users, whose information was shared with a political consulting firm when they thought it was only being used for academic purposes, did not suffer much harm at the individual level, but the way that the data was then used to influence over 200 elections in 68 countries is significantly more harmful to those democratic societies.

7. A notification approach is effectively an opt-out approach, where a notified individual has to then take action to stop the transfer of personal information or to request that information be deleted, rather than agencies needing to actively seek permission from the individual to opt-in and agree to the information transfer. This is already a compromise against best practice privacy principles but a necessary one for practical reasons, particularly where significant amounts of information are being transferred. This approach should not be compromised further in any proposed changes.

8. On notification fatigue, while this is a fair concern and a real user experience challenge, it is a weak argument to reject the possible changes. Firstly, in jurisdictions that already have notifications for indirect collection of personal information, I have not been able to find any reports or literature on notification fatigue being an issue based on empirical data, only theoretical arguments. Secondly, that the notifications will be coming from different agencies helps mitigate against notification fatigue, which is much more common when the notifications are from the same source and similar in style and content. With sufficient variation between agencies, this may help reduce the potential risk of notification fatigue. An argument against the possible changes on the grounds of notification fatigue should be based on an analysis of the quantity and frequency of notifications that individuals are likely to receive if such changes were implemented.

9. Maintaining adequacy, particularly with the European Union, is a critical competitive advantage for New Zealand. Adequacy is the status of being deemed to have an adequate level of data protection relative to another jurisdiction’s regulations and expectations, and allows data to flow between the jurisdictions more easily. Particularly where notification of indirect collection of personal information has already been implemented under the EU’s GDPR, and we can see that it is effective and working, it is important for New Zealand to keep up with international best practice. This should also be considered in the discussion around compliance costs, as the cost to New Zealand of not meeting international best practice may be greater than the cost of compliance to agencies.

10. I believe that overall it would be likely beneficial to give individuals stronger agency over their personal information through the notification of indirect collection.

Additional Considerations

11. Practically, we should consider the scenario where agencies may transfer personal information to each other without either agency having contact details for the individual. The legislation should consider this situation and whether or not an exception is required. Taking “reasonable steps” may be sufficient in the legislation to allow for scenarios where it is simply not possible to notify the individual. 

12. However, we should not overly rely on a “reasonable steps” standard in other situations. Over-reliance on a “reasonable steps” standard makes it difficult for both businesses and individuals to know whether the standard has been met. It creates a period of uncertainty where we will have to wait for relevant cases to be brought to the Office of the Privacy Commissioner or the courts before precedent for “reasonable steps” can be established. Such an approach should be used sparingly and for relatively specific parts of the legislation.

13. Policymakers should also consider the scenario where an agency collects information about a person from public sources. Just because personal information is publicly available does not mean that information is no longer personal, and should not mean that the individual has relinquished their rights to privacy – for example, an agency may collect phone numbers from phone books, or harvest information about people from social media networks. Where the personal information will fall under the ownership of a new agency that the individual may not have known about, then they should still be notified about that (acknowledging the exceptions in IPP2/IPP3). For example, the personal information may be combined with other sources already held by the agency, or the personal information may be collected in a public space (e.g. a photo of a person’s face) which becomes a biometric identifier for the individual – the individual should have a right to know how the personal information will be used.

14. The framing of the consultation places emphasis on the collecting agency, which is understandable given the structure of the Privacy Act and the earlier Information Privacy Principles. In terms of the obligations on the disclosing agency, as currently described in IPP11, policymakers should consider whether or not to add an obligation that the disclosing agency must be satisfied that the collecting agency has sufficient processes and controls to be able to uphold the Privacy Act. This could be similar to the provisions of IPP12 in that agencies cannot make disclosures overseas unless the agency believe on reasonable grounds that the exceptions apply. This would reduce the likelihood of information being indirectly collected by poor actors if they cannot demonstrate to the disclosing agency that they are responsible stewards of personal information.

15. It would be important to ensure that, in their interactions with individuals, disclosing agencies cannot contract out of notification requirements ahead of time, and that providing blanket statements would be insufficient. Essentially, agencies should not be able to just put in the Terms and Conditions that the agency may disclose the information to other unspecified agencies without notifying the individual. Firstly, the general approach of satisfying IPP3 through a Privacy Policy or Terms and Conditions on an agency website is weak for ensuring that individuals actually understand what is happening to their personal information. Secondly, individuals’ perceptions of the value of their personal information, and the risks that may be associated with sharing it, change over time and individuals should be given the opportunity to exert control over their personal information at the time that it is being disclosed.

Preferred form of proposed changes

16. My preferred mechanism for enacting these changes would be through amending IPP 11, such that a disclosing agency has to notify the individual concerned that their information has been disclosed to a third party. It would be preferable to strengthen the amendment such that, where possible, notification is provided before the information is disclosed with a minimum notice period, so that the individual has the opportunity to exercise a right to opt-out or request that information not be disclosed.

17. Other mechanisms that place the obligation on the collecting agency run the risk of the collecting agency being a poor actor and notification not being given, and it can be very difficult to ensure that information is deleted once they already have it. If there are no obligations on the disclosing agency, and the collecting agency is either unaware of their obligations or a poor actor, then we may remain with the status quo where no one other than those two agencies know that the information transfer has taken place. Furthermore, the disclosing agency may receive some form of monetary value in exchange for disclosing the information (e.g. selling information to an advertising agency), and therefore they may be more incentivised to ensure that they are meeting their regulatory requirements in order to not compromise their ongoing business model. It may also be easier for a disclosing agency to build the infrastructure to serve notifications if they are providing data to multiple agencies, rather than each of those collecting agencies having to build their own systems.

18. If it is decided that the proposed changes are through IPP3 or otherwise place the onus on the collecting agency to provide notification, then it may still be helpful to specify in IPP11 that for particular types of sensitive personal information (e.g. biometrics) that the disclosing agency has an obligation to also notify the individual of indirect collection. The development of a sensitivity classification may be useful for other sections of the Privacy Act too, and is discussed further in para 22-23.

19. Separately, it would be beneficial to add to IPP2 that where personal information is collected from public sources, the collecting agency must make reasonable efforts to notify the individual that their personal information has been collected and what that information may be used for.

20. Additionally, there may need to be some consideration for how any possible changes to the Privacy Act 2020 may interact with s11, particularly where agencies argue that a discloser-collector relationship falls under this section. The threshold for use needs to be carefully considered in this context.

Applicability to individuals overseas vs domestically

21. While it is understandable that policymakers may want to limit the impact of changes by only requiring notification of indirect collection of information for individuals overseas, that would stop individuals in New Zealand from benefitting from the stronger protections. If we accept that notification of indirect collection is a good thing, then ethically it should be made available to all individuals under the jurisdiction of the Act. Harm can still accrue from the indirect collection of information within our domestic borders (perhaps most significantly when transferred between government agencies), and so these protections should apply to agencies operating exclusively domestically too.

22. If some form of reduction in scope is considered necessary to mitigate the risks of introducing the possible changes, then it may be better to base that on the sensitivity of the personal information through a risk-based approach rather than on jurisdiction. For example, the UK Information Commissioner’s Office maintains a list of “Examples of processing likely to result in high risk” based on both the type of information and the applications. A similar approach was taken in the European Union’s development of AI regulation, which separated use cases into unacceptable risk, high-risk, and limited or minimal risk categories. 

23. As the harms are more serious where the personal information being disclosed is more sensitive (e.g. biometrics), it would be appropriate to still require notification/action in these circumstances. This approach could even allow for banning unconsented and unnotified transfer of personal information for particular very high-risk applications (e.g. real-time biometric identification systems or social scoring), requiring agencies to collect the information from individuals directly. While this approach may require more maintenance than a purely principle-based approach (and therefore should be maintained by the Office of the Privacy Commissioner rather than through legislation), it would also offer more flexibility to allow lower risk indirect collection to occur without notification.

Thank you for considering this submission. I would be happy to engage in further dialogue about these issues in the future if that would be helpful to officials.

No comments:

Post a Comment