Privacy Commissioner John Edwards is no friend of… anyone really

Privacy Commissioner John Edwards has recommended to Government, as part of its plans to reform the Privacy Act, that the penalty for a serious breach of personal information could be a fine of up to $1 million.

If adopted, the Privacy Commissioner would be able to apply to the High Court for a civil penalty of up to $100,000 for individuals and up to $1 million for public and private sector organisations, for serious breaches (as is the case in Australia).

The recommendation is one of six in the Privacy Commissioner's latest report on the current operability of the Privacy Act, tabled in Parliament this week. This report coincides with the Government's stated intention to reform the Act.

In the update report, Mr Edwards notes privacy law reform has been under consideration since 1998, including the wide-ranging Law Commission review from 2008-2011. These reviews and the government response have formed the basis for the proposed modernisation of the Privacy Act, as led by the Ministry of Justice.

But Mr Edwards says a lot has changed since the Law Commission's review. “Important developments since 2011 that impact on the operation and adequacy of the privacy legislation include developments in data science and information technology, and new business models built on data-driven enterprise.”

He says there are apparent gaps and weaknesses in the Privacy Act's enforcement framework that need to be addressed if the reforms proposed are to introduce an effective and modernised form of privacy regulation.

He is proposing six recommendations. These are:

– empowering the Privacy Commissioner to apply to the High Court for a civil penalty to be imposed in cases of serious breaches (up to $100,000 in the case of an individual and up to $1 million in the case of a body corporate)

– an update to protect against the risk that individuals can be unexpectedly identified from data that had been purportedly anonymised

– introducing data portability as a consumer right

– an additional power to require an agency to demonstrate its ongoing compliance with the Act which would enable the Privacy Commissioner to proactively identify and respond to systemic issues

– narrowing the defences available to agencies that obstruct the Privacy Commissioner or fail to comply with a lawful requirement of the Commissioner; and

– reforming the public register principles in the Act and providing for the suppression of personal information in public registers where there is a safety risk.

Mr Edwards says while the Privacy Act had already been the subject of thorough review, in light of later rapid changes in information technology and data science, and significant developments in international frameworks, these recommendations will help to ensure that New Zealand's privacy framework will be fit for purpose in the current environment and for foreseeable developments in the future.

It’s not in my nature to admit to failing, especially in public. But I truly don’t understand the purpose of the Privacy Commission. On one level I do. Information that is to be kept from someone else is released or accessed by someone that should not have access to it.

It seems so simple.

The problem is that its enforcement seems so… random. We can’t predict what the Commissioner will consider a “bad breach” and what is to be considered “fine”.

I have three examples. One of them pertains to me. And one, to a lot of you. But let’s start with the other one.

1. A supermarket’s surveillance tapes and till records are searched to try and find the person who bought a lottery ticket so she can be notified as a winner. To close the loop, they also need help from the bank and/or a loyalty scheme database.

This, to me, even though well intended, is a gross abuse of privacy. The Privacy Commission, when I asked them, said they had no problem with it.

2. Some person or people unknown planned and managed to hack into a number of my computer accounts and downloaded my data. You may have read about it at the time. When the data was released to bloggers, activists and media organisations, I laid a complaint with the Privacy Commissioner with the expectation that he would protect any subsequent damage to my privacy.

He said there was nothing he felt he could do or had jurisdiction over.

3. Some of you had written to me over the years; conversed with me over the years, and those emails and conversations were part of the data that was taken. Criminally taken. A police complaint was laid and accepted, and the police still are working on finding out who the hacker, distributor and accomplices were. Some of you wrote to the Privacy Commissioner fearing your information might be used by bloggers, activists, competitors or media organisations, and you wanted the Privacy Commissioner to at least be alongside you for protection.

He wrote back that until the information was actually used that way, and there was prima facie harm, then and only then would the Privacy Commission take an interest.

And over the last few months, the left-wing are already talking about “data dumps” ahead of this year’s election. It seems we are set for a redux of criminals, media and the left-wing using illegal means to hijack an election and I expect that the Privacy Commission will again be found wanting.

I don’t mind, in principle, that there need to be substantial fines for deliberate privacy breaches. But we have seen simply by looking at the Commission’s stances in the past, that we can’t trust them to act in a way that a reasonable person would consider acceptable.

As such, and until such a time, I am strongly against introducing fines of such magnitude.