Sunday, 20 May 2018

Privacy Bill Submission (2018)

Introduction
1. Thank you for the opportunity to provide a submission. I am currently a PhD Candidate in Computer Systems Engineering, investigating embedded vision and video analytics. As technology continues to improve, new types of applications will be enabled that allow for the greater and faster extraction and collection of data and information about individuals. As part of my research, I have sought to understand the implications of camera-based surveillance systems on privacy, how we can protect privacy using technology during system design, and the drivers of public perceptions of privacy.

2. I am happy that the Bill places specific emphasis on “promoting people’s confidence that their personal information is secure and will be treated properly”. Without a strong expectation of privacy, our society would be far more insular, and the barriers and costs of interaction would be much higher. The proposed Privacy Bill is a step in the right direction, but it is only that – a step. The proposed changes, particularly giving the Office of the Privacy Commissioner more powers to investigate privacy breaches, requiring public notification of privacy breaches, and introducing compliance notices, are sorely needed in the digital age where private information flows more freely than ever before. I am generally in favour of the proposed Bill. However, the protections given in this Bill need to be extended further to ensure that we have adequate protections for individuals and their information going into the future. The Privacy Bill also needs to become more enforceable to de-incentivise non-compliance. All subsequent suggestions should be taken to be additive, i.e. that they are added on top of the existing Bill, not replacing any of the existing parts.

Information Privacy Principles
3. New Zealand is fortunate to have a set of strong Information Privacy Principles (IPPs), as elucidated in s 19 of the Bill. As new technologies are developed, along with their associated opportunities and threats, it is helpful that we can return to and apply the same set of Principles that can be used in a wide variety of circumstances. I strongly support the continuation of the use of these Principles.

4. However, IPP6 needs to be further extended to provide better protection for individuals. The “Right to Access”, as presented in the European Union’s General Data Protection Regulation (GDPR) goes further than IPP6 to allow for greater transparency. Confirmation that the agency holds information or not, and access to that information, is insufficient. I believe that agencies should also, upon request, be required to state how personal information is being stored, the specific purposes for which the information is being collected (as already included under IPP3, but available after the collection of information), whether data will be used anonymously or not, how data is being shared, and how data was acquired. Making these details available is critical for allowing individuals to understand, after data collection, where their information will go and who will have access to it. Importantly, it is also a source of evidence for individuals seeking to understand how their information has ended up somewhere unexpected.

5. There is perhaps more scope to include the findings of the Data Futures Partnership into this Bill. Their work focused on social license and improving public confidence and trust around the use of data. In particular, the specific questions that have been identified by the Partnership that should be answered about data use could be built into IPP6. Extending beyond the details included in the previous paragraph, this includes identifying what the benefits of collecting the information are, and identifying who receives those benefits, as well as stating whether there is potential for data to be sold or used for other secondary purposes that are not stated at the point of data collection.

Penalties
6. I note that s 28 means that only breaches of IPP6 by public sector agencies are enforceable in a court of law. This is a positive step forward from the status quo, but it is definitely not enough. Agencies that breach the privacy of individuals need to be held accountable, more concretely than through a compliance notice. The Human Rights Tribunal may be the only recourse for most individuals seeking restitution for privacy breaches, but this process is too slow and the barriers too high for many individuals. While we may hope that these never need to be used, it is important that stronger civil penalties are eventually introduced, with adequate infrastructure to support the associated justice processes, so that privacy is taken very seriously and not treated as a secondary concern.

Investigations
7. While the Commissioner has power to obtain information during investigations (s 88), in order to issue compliance notices (s 129), or to determine whether personal information can be transferred (s 194), the penalties for not co-operating with this under s 212 are worryingly weak. In some cases, without the co-operation of the Agency, it may be impossible for the Commissioner to obtain the necessary evidence for determining if a privacy breach has occurred. For example, a large company may be internally using collected data for secondary purposes that are not covered by their Privacy Statement or notified to customers. Even though the Commissioner may suspect that something is wrong, they cannot prove that anything is wrong without the co-operation of that company. The large company may well decide that it would rather pay a small fine for obstructing the investigation than be subject to a more public compliance notice or Tribunal hearing. Stronger penalties are required, and exemptions such as the “reasonable excuse” defence should be further limited or removed, as recommended by the Privacy Commissioner in their Report to the Minister of Justice under s 26 of the Privacy Act from 2017 (https://www.privacy.org.nz/assets/Files/Reports-to-ParlGovt/OPC-report-to-the-Minister-of-Justice-under-Section-26-of-the-Privacy-Act.pdf).

8. At the same time, giving the Office of the Privacy Commissioner more investigative powers requires sufficient oversight. It appears that there is little opportunity for appeals against requests for information, or for a complaint to be laid against the Privacy Commissioner for vexatious requests. For example, there exists the potential for a Privacy Commissioner to demand information repeatedly, or for information to be demanded that is on the borderline of the Privacy Commissioner’s scope. Appropriate checks and balances need to be in place in order to improve public confidence and trust in this system. It may be helpful to provide an intermediary ombudsman or similar oversight body to allow for appeals without having to go through the Court system.

9. In general, the Commissioner needs more powers to investigate whether appropriate privacy protections have been put in place. A step below the Compliance Notice may be a “Please Explain”-style notice that is commonly used by stock exchanges and other agencies in financial areas. This may be useful in a scenario where the Commissioner is not sure if a breach of any IPP has occurred, but there is strong potential for an IPP breach and there is public interest in determining if this is the case. For example, recent revelations that Foodstuffs are using a security product from Auror that uses facial recognition to detect shoplifters led to some public concern about the integrity of that system (https://www.odt.co.nz/news/national/rise-ai-nz-supermarkets-using-facial-recognition). In this case, I believe that there would be significant value in allowing the Privacy Commissioner to ask Foodstuffs to provide more details about the system, and for the Privacy Commissioner to determine if a subsequent investigation into an IPP breach is necessary. If the Privacy Commissioner determines that the system is actually compliant and that there are no concerns, then that can help allay the fears of the public, improving public confidence. This option gives Agencies an opportunity to co-operate with the Office of the Privacy Commissioner before the more punitive step of issuing a Compliance Notice, and gives the Privacy Commissioner an opportunity to spot potential issues and provide advice so that Agencies can rectify any issues before harm can accrue.

Anonymisation and Re-identification
10. On the protection of “anonymised” data from re-identification, I believe that the Privacy Commissioner’s proposed amendments (https://www.privacy.org.nz/assets/Files/Reports-to-ParlGovt/OPC-report-to-the-Minister-of-Justice-under-Section-26-of-the-Privacy-Act.pdf), which include controls and penalties on the re-identification of previously anonymised data, are almost adequate. The idea that intentionally de-anonymising data for nefarious purposes should be a criminal offence should be supported. However, identifying the intent is important, and there should be exceptions in place for those with good intentions. For example, academic researchers who discover that anonymised data can be de-anonymised should be given an opportunity to disclose that to the Agency and the Privacy Commissioner or similar regulatory body, and not suffer negative consequences as a result. Penalties should exist for Agencies that release poorly anonymised data that can be easily re-identified in order to incentivise Agencies to take appropriate care in anonymising and releasing that information.

Conclusion
11. As a final point, I urge the committee to remain steadfast in a Principles-based approach to privacy. My recent research into public perceptions of privacy in the context of surveillance cameras has shown that the context of how data is being collected, stored, and used is incredibly important for public confidence and acceptance of surveillance cameras, and this is likely applicable to other contexts. Creating specific rules that dictate how to protect privacy will lead to loopholes, non-compliance, and ultimately reduced public confidence in the efficacy of those privacy protections. One-size-fits-all privacy protections will not work – the nuances of each individual application and scenario can significantly change whether something is considered to be appropriate or not. Trust in how our privacy is protected is critical for public confidence. Our current Principles allow for flexibility so that a wide variety of applications can be considered, but also need to be further extended to provide sufficient protections for individuals in the digital age.

12. Thank you again for the opportunity to make a submission to this Bill. I would be glad to make an oral submission, and understand that all submissions will be available publicly.

Regards,
Andrew Chen