Friday 23 September 2022

Submission on possible changes to notification rules under the Privacy Act 2020

The Ministry of Justice is requesting submissions on possible changes to the Privacy Act 2020, specifically around introducing requirements for individuals to be notified if their personal information is being disclosed (or transferred) between two agencies or entities. The Information Privacy Principles of the Privacy Act generally require that agencies collect personal information directly from the individual, and that separately agencies should tell the individual what information they are collecting and how they plan to use it, but there is currently a bit of a loophole where information collected from a third party doesn't require notification. Given that similar requirements have been introduced in the European Union (and in several other jurisdictions trying to match EU standards), it stands to reason that such protections should be considered here in Aotearoa New Zealand too. Below is my written submission on the topic:

18 September 2022 

1. Thank you for the opportunity to provide feedback on these possible changes. I am a Research Fellow with Koi Tū: The Centre for Informed Futures at The University of Auckland, based in Wellington. My research area is in digital technologies and their impacts on society, particularly in terms of public sector use and privacy. The views in this submission are my own and may not reflect those of my employers.

Key Factors

2. Upholding the principle that individuals should have control over their personal information, where it is, who has it, and how it is used, leads logically to the conclusion that, when personal information is transferred between agencies, the individual should be notified so that they can make informed and appropriate choices about their personal information. Therefore, I generally support the intent of the possible changes.

3. This is particularly important as the type of personal information being commonly collected becomes increasingly invasive (for example, analysis or insights derived about a person that speak to intangible aspects like personality rather than purely tangible characteristics like street addresses or phone numbers) and increasingly immutable (for example, biometrics that are unique and cannot be changed). In these cases, the negative impacts of personal information misuse or privacy breaches are greater than in the past, and there may be more reason for individuals to oppose their information or specific types of information ending up in someone else’s ownership or control without their knowledge.

4. The level of privacy harm that has accrued as a result of a lack of requirement for notification of indirect collection thus far is very difficult to quantify, because for the most part we simply do not know how much personal information has been indirectly collected. What we do know is that many modern business models (e.g. large tech companies generating personalised advertising) rely on transferring personal information between agencies for monetary value. Similarly, government agencies are increasingly transferring information about individuals in order to make better decisions and provide better services to individuals (e.g. through the IDI, or through digital identity systems), although there are more protections in place in the public sector. Notifying individuals each time their information is being transferred (with an opportunity to opt-out) may reduce the scale of those transfers, which is not necessarily a bad thing.

5. That our broader society has seemingly accepted business models and processes that rely on the transfer of personal information without notification of individuals is not a sufficient reason to oppose the need for such notification – the harm is still present and therefore it is appropriate to explore mechanisms to mitigate against that harm. An approach that introduces new compliance costs to mitigate that harm should be evaluated by balancing those costs against the harm that is mitigated, rather than accepting an argument that any compliance costs are unacceptable.

6. Our traditional conception of privacy focuses at the individual level, which can make it challenging to assess the level of harm from indirect collection of personal information. It is difficult to identify that a tech company selling someone’s personal information to an advertising company produces significant monetary or emotional harm to justify taking regulatory or enforcement action. However, in developing this policy, the government should consider the level of harm at a collective level – that transferring the personal information of many people between agencies can allow those agencies to make decisions with broader harm. A strong example is the Cambridge Analytica scandal – the individual users, whose information was shared with a political consulting firm when they thought it was only being used for academic purposes, did not suffer much harm at the individual level, but the way that the data was then used to influence over 200 elections in 68 countries is significantly more harmful to those democratic societies.

7. A notification approach is effectively an opt-out approach, where a notified individual has to then take action to stop the transfer of personal information or to request that information be deleted, rather than agencies needing to actively seek permission from the individual to opt-in and agree to the information transfer. This is already a compromise against best practice privacy principles but a necessary one for practical reasons, particularly where significant amounts of information are being transferred. This approach should not be compromised further in any proposed changes.

8. On notification fatigue, while this is a fair concern and a real user experience challenge, it is a weak argument to reject the possible changes. Firstly, in jurisdictions that already have notifications for indirect collection of personal information, I have not been able to find any reports or literature on notification fatigue being an issue based on empirical data, only theoretical arguments. Secondly, that the notifications will be coming from different agencies helps mitigate against notification fatigue, which is much more common when the notifications are from the same source and similar in style and content. With sufficient variation between agencies, this may help reduce the potential risk of notification fatigue. An argument against the possible changes on the grounds of notification fatigue should be based on an analysis of the quantity and frequency of notifications that individuals are likely to receive if such changes were implemented.

9. Maintaining adequacy, particularly with the European Union, is a critical competitive advantage for New Zealand. Adequacy is the status of being deemed to have an adequate level of data protection relative to another jurisdiction’s regulations and expectations, and allows data to flow between the jurisdictions more easily. Particularly where notification of indirect collection of personal information has already been implemented under the EU’s GDPR, and we can see that it is effective and working, it is important for New Zealand to keep up with international best practice. This should also be considered in the discussion around compliance costs, as the cost to New Zealand of not meeting international best practice may be greater than the cost of compliance to agencies.

10. I believe that overall it would be likely beneficial to give individuals stronger agency over their personal information through the notification of indirect collection.

Additional Considerations

11. Practically, we should consider the scenario where agencies may transfer personal information to each other without either agency having contact details for the individual. The legislation should consider this situation and whether or not an exception is required. Taking “reasonable steps” may be sufficient in the legislation to allow for scenarios where it is simply not possible to notify the individual.

12. However, we should not overly rely on a “reasonable steps” standard in other situations. Over-reliance on a “reasonable steps” standard makes it difficult for both businesses and individuals to know whether the standard has been met. It creates a period of uncertainty where we will have to wait for relevant cases to be brought to the Office of the Privacy Commissioner or the courts before precedent for “reasonable steps” can be established. Such an approach should be used sparingly and for relatively specific parts of the legislation.

13. Policymakers should also consider the scenario where an agency collects information about a person from public sources. Just because personal information is publicly available does not mean that information is no longer personal, and should not mean that the individual has relinquished their rights to privacy – for example, an agency may collect phone numbers from phone books, or harvest information about people from social media networks. Where the personal information will fall under the ownership of a new agency that the individual may not have known about, then they should still be notified about that (acknowledging the exceptions in IPP2/IPP3). For example, the personal information may be combined with other sources already held by the agency, or the personal information may be collected in a public space (e.g. a photo of a person’s face) which becomes a biometric identifier for the individual – the individual should have a right to know how the personal information will be used.

14. The framing of the consultation places emphasis on the collecting agency, which is understandable given the structure of the Privacy Act and the earlier Information Privacy Principles. In terms of the obligations on the disclosing agency, as currently described in IPP11, policymakers should consider whether or not to add an obligation that the disclosing agency must be satisfied that the collecting agency has sufficient processes and controls to be able to uphold the Privacy Act. This could be similar to the provisions of IPP12, in that agencies cannot make disclosures overseas unless the agency believes on reasonable grounds that the exceptions apply. This would reduce the likelihood of information being indirectly collected by poor actors if they cannot demonstrate to the disclosing agency that they are responsible stewards of personal information.

15. It would be important to ensure that, in their interactions with individuals, disclosing agencies cannot contract out of notification requirements ahead of time, and that providing blanket statements would be insufficient. Essentially, agencies should not be able to just put in the Terms and Conditions that the agency may disclose the information to other unspecified agencies without notifying the individual. Firstly, the general approach of satisfying IPP3 through a Privacy Policy or Terms and Conditions on an agency website is weak for ensuring that individuals actually understand what is happening to their personal information. Secondly, individuals’ perceptions of the value of their personal information, and the risks that may be associated with sharing it, change over time and individuals should be given the opportunity to exert control over their personal information at the time that it is being disclosed.

Preferred form of proposed changes

16. My preferred mechanism for enacting these changes would be through amending IPP11, such that a disclosing agency has to notify the individual concerned that their information has been disclosed to a third party. It would be preferable to strengthen the amendment such that, where possible, notification is provided before the information is disclosed with a minimum notice period, so that the individual has the opportunity to exercise a right to opt-out or request that information not be disclosed.

17. Other mechanisms that place the obligation on the collecting agency run the risk of the collecting agency being a poor actor and notification not being given, and it can be very difficult to ensure that information is deleted once they already have it. If there are no obligations on the disclosing agency, and the collecting agency is either unaware of their obligations or a poor actor, then we may remain with the status quo where no one other than those two agencies knows that the information transfer has taken place. Furthermore, the disclosing agency may receive some form of monetary value in exchange for disclosing the information (e.g. selling information to an advertising agency), and therefore they may be more incentivised to ensure that they are meeting their regulatory requirements in order to not compromise their ongoing business model. It may also be easier for a disclosing agency to build the infrastructure to serve notifications if they are providing data to multiple agencies, rather than each of those collecting agencies having to build their own systems.

18. If it is decided that the proposed changes are through IPP3 or otherwise place the onus on the collecting agency to provide notification, then it may still be helpful to specify in IPP11 that, for particular types of sensitive personal information (e.g. biometrics), the disclosing agency also has an obligation to notify the individual of indirect collection. The development of a sensitivity classification may be useful for other sections of the Privacy Act too, and is discussed further in paras 22-23.

19. Separately, it would be beneficial to add to IPP2 that where personal information is collected from public sources, the collecting agency must make reasonable efforts to notify the individual that their personal information has been collected and what that information may be used for.

20. Additionally, there may need to be some consideration for how any possible changes to the Privacy Act 2020 may interact with s11, particularly where agencies argue that a discloser-collector relationship falls under this section. The threshold for use needs to be carefully considered in this context.

Applicability to individuals overseas vs domestically

21. While it is understandable that policymakers may want to limit the impact of changes by only requiring notification of indirect collection of information for individuals overseas, that would stop individuals in New Zealand from benefitting from the stronger protections. If we accept that notification of indirect collection is a good thing, then ethically it should be made available to all individuals under the jurisdiction of the Act. Harm can still accrue from the indirect collection of information within our domestic borders (perhaps most significantly when transferred between government agencies), and so these protections should apply to agencies operating exclusively domestically too.

22. If some form of reduction in scope is considered necessary to mitigate the risks of introducing the possible changes, then it may be better to base that on the sensitivity of the personal information through a risk-based approach rather than on jurisdiction. For example, the UK Information Commissioner’s Office maintains a list of “Examples of processing likely to result in high risk” based on both the type of information and the applications. A similar approach was taken in the European Union’s development of AI regulation, which separated use cases into unacceptable risk, high-risk, and limited or minimal risk categories.

23. As the harms are more serious where the personal information being disclosed is more sensitive (e.g. biometrics), it would be appropriate to still require notification/action in these circumstances. This approach could even allow for banning unconsented and unnotified transfer of personal information for particular very high-risk applications (e.g. real-time biometric identification systems or social scoring), requiring agencies to collect the information from individuals directly. While this approach may require more maintenance than a purely principle-based approach (and therefore should be maintained by the Office of the Privacy Commissioner rather than through legislation), it would also offer more flexibility to allow lower risk indirect collection to occur without notification.

Thank you for considering this submission. I would be happy to engage in further dialogue about these issues in the future if that would be helpful to officials.

Tuesday 20 September 2022

More Zeros and Ones - The Algorithm Charter

After editing Shouting Zeros and Ones in 2020, I passed the mantle of editorship to the Pendergrast sisters, Anna and Kelly. Their edition, More Zeros and Ones: Digital Technology, Maintenance and Equity in Aotearoa New Zealand, is being added to bookstores around the country this month thanks to the support of the good folks at Bridget Williams Books. Since I wasn't editing, I got to contribute an actual Chapter relating to my research, so I wrote about the first year or so of the Algorithm Charter - He Tūtohi Hātepe mō Aotearoa. Here's a quick summary and taster of what I wrote about:

We've heard a lot about algorithms in recent years, whether they're calculating your insurance premiums, running our traffic lights, or deciding what content to show you on social media platforms. While algorithms have a broader meaning, we often think of pieces of software running on some computer somewhere, making decisions that affect our lives. It turns out the government has many scenarios where they would like to improve our lives, and algorithms can help them make better decisions, respond to changing situations faster, and allocate resources more efficiently and fairly.

However, there is also the potential for the government to misuse algorithms or use them poorly, whether intentionally or accidentally. The types of decisions that government makes are consequential – they can affect a lot of people very quickly, and the impacts can be significant for individuals. Trust in government is crucial for a strong society, yet mistakes in using algorithms and other new technologies can undermine that trust. This is why the government has also introduced an Algorithm Charter, which sets underlying principles and commitments that government agencies should consider when developing algorithms.

The Algorithm Charter, launched in July 2020, asks government agencies to assess six key areas: transparency, partnership and consistency with The Treaty of Waitangi, engaging with impacted communities, understanding limitations and bias, human rights and ethics, and retaining human oversight. It provides a very high-level framework to help policymakers evaluate whether or not they are doing the right things when it comes to using algorithms, and mitigating the risks.

However, the Charter is not without its pitfalls. Government agencies commit voluntarily to the Charter, and there are no enforcement mechanisms or centralised reporting to ensure that agencies are living up to the Charter. There is significant variation between agencies regarding how and when they apply the Charter. The Charter doesn't really engage with Māori, including in terms of Māori data sovereignty. And agencies are now finding edge cases where the Charter and its associated risk matrix don't really apply – for example, where the Charter asks agencies to evaluate negative impact as "unintended harms for New Zealanders", which leaves out harms to people overseas or the environment or other systems.

These shortcomings are, of course, unintentional, and sometimes we have to operationalise something to find out why it might not work as fully as intended. StatsNZ and the Government Chief Data Steward (GCDS) have recently released their one-year review of the Charter, which reflects on the experiences of government agencies and subject matter experts. It's clear that the Charter has had a positive overall impact in its first two years, but there is still so much more potential. Greater coordination and sharing of best practice between agencies would significantly lift the bar, with better templates and accountability. Maintaining a high standard and repeatedly demonstrating good behaviour helps to build trust between the government and its citizens; we still have a long way to go.

I discuss these topics and issues in much more detail in the book! I've also read most of the other chapters and they are really great too, including a couple of really interesting case studies of how we are making technology work for us in an Aotearoa New Zealand context. You can order a physical copy of the book or an ebook at https://www.bwb.co.nz/books/more-zeros-and-ones/

Wednesday 14 September 2022

Submission on Proposals to Enhance Export Controls Regime Operations

The Ministry of Foreign Affairs and Trade recently consulted on proposals to enhance export controls regime operations. Export controls are the process through which the government prevents the export of goods or technologies that essentially could be used in weapons or warfare. Historically, export controls have existed in the context of countries not wanting to have their high-tech weaponry sold to enemies. In the New Zealand context, there is more of a focus on wanting to protect peace and encouraging non-proliferation, regardless of who the recipients may be. Below is my written submission on the topic.

01 September 2022

1. I make this submission with several hats on:

- Research Fellow at Koi Tū: The Centre for Informed Futures at The University of Auckland, focusing on digital technologies and ethics, with an interest in autonomous weapons regulation and arms control
- Appointed Member of the Public Advisory Committee for Disarmament and Arms Control (PACDAC)
- Venture Partner at Matū Group, early stage deep tech venture capital investors that support the commercialisation of Kiwi research
- Chair of Advemto Limited, a company that produces instrumentation for ultrafast spectroscopy for materials analysis

The views expressed in this submission are mine, and are not necessarily those of the organisations named above.

2. In my opinion, the proposed purpose statement, criteria, and transparency objectives and principles are generally appropriate. The high-level aims are understandable, but the challenges rest in the detail of implementation. Where the criteria rely on legislation and international law the thresholds are relatively clear, but where they rely on subjective assessment such as whether or not an export will compromise New Zealand’s international reputation, there is room for ambiguity and inconsistency. This is somewhat unavoidable and needs to be considered on a case-by-case basis, but processes need to be in place to help provide certainty.

3. Where there is subjectivity, clear processes need to be in place for appeals processes, including defining who has ultimate decision making authority (whether that is the Minister or someone else). Reasonable people may differ in their opinion on goods that are in the grey area, and there needs to be a natural justice process in place to maintain confidence in the system.

4. Businesses need certainty around whether or not what they are developing would potentially intersect with an export control limitation, well before they are ready to apply for a permit. Particularly for R&D-intensive businesses, significant capital can be expended before the company is at a stage where they can apply for a permit. The consultation does not cover some of the operational processes, but it would be helpful to more widely publicise and state that there is an informal “approval in principle” or interim assessment process, where businesses can have a conversation with the Export Controls team and understand their risks and obligations without having to go through the full permit application process.

5. Similarly, in some cases businesses need to be able to demonstrate that their goods are exportable even if they are not a Controlled Good. For example, investors or customers conducting due diligence on some products may have a concern that a product could be a Controlled Good and that this represents a commercial risk of the product not being delivered. Where the business does not need a permit because the product is not actually a Controlled Good, it would be helpful to have a certification letter or a formal opinion that can be provided to clearly indicate that something is not a Controlled Good and thus eliminate that risk. This certification or opinion could be time-limited and relate to specific products if needed, to offer MFAT the flexibility it needs. Investors and customers may not trust a self-certification or self-checklist, so it would be valuable to offer an independent third party certification in this regard.

6. Timeliness of decisions is also an important element in this respect, as businesses need confidence that they can or cannot continue with their work. Resourcing the team appropriately is important, and it would be helpful to give some guidance to applicants on how far in advance they should be applying for permits if needed.

7. I support the calls for the need for better record-keeping and reporting to the public around the Export Controls regime. It is important to be able to understand how many applications are being made and considered, and how many are being granted. It would also be helpful to understand the types of Goods that are being exported (e.g. NZ may be exporting a lot of electronics but not many explosive chemicals). Quarterly reporting would be appropriate to help others monitor our activity in this regard. Commercial and diplomatic sensitivities should be respected, but transparency is helpful for maintaining confidence.

8. Lastly, I have a small concern that the Export Controls regime mostly focuses on physical goods, and that there is not enough attention paid to the export of digital goods (e.g. software) and intellectual property that may contribute towards the proliferation of weapons. Software is listed several times in the Customs Export Prohibition (Strategic Goods) Order 2021, but the rest of the consultation doesn’t touch on this issue much. It would be difficult to enforce Export Controls on intangible goods like software and intellectual property. I am aware that the MFAT Export Controls team are aware of this issue, but the public at large (including other parts of government) may not be. It would be worth clearly explaining in future documentation and proposals that the Controls do not only apply to physical goods.

9. Global supply chains are such that it can be difficult to identify where a product may end up, and especially so with software. It is highly likely that there are pieces of code developed in New Zealand that are in common libraries that are then used in weapons systems overseas, or that data collected from New Zealand is used to help train machine learning models used in weapons systems (e.g. person recognition from videos) without the intent or knowledge of the original developer or subjects. It is helpful that the proposal speaks to intent and knowledge, and perhaps broader awareness building is important to help people understand their obligations. The history of encryption software, particularly in the US, provides a case study for the types of issues that we can face if we get the regulation wrong in this area. There is no easy solution here but it is important to acknowledge the challenges. Ultimately, there is a degree of trust in this system and in our society.

Thank you for the opportunity to make a submission on these proposals.