A Push for More Data Privacy in New Zealand

By: Gary Gonzalez

Data privacy is a hot topic around the globe. The General Data Protection Regulation is a leading factor for this trend. The regulation affects all companies conducting business within the European Union. One of the countries seeking to increase its data privacy laws is New Zealand. The United States, however, has taken a step in the other direction. This paper will briefly touch on the upcoming changes to U.S. privacy laws, and then explain the proposed changes to New Zealand’s privacy laws.

The U.S. Law

On March 28, 2017, the Senate passed a bill titled “Providing for congressional disapproval under chapter 8 of title 5, United States Code, of the rule submitted by the Federal Communications Commission relating to ‘Protecting the Privacy of Customers of Broadband and Other Telecommunications Services’.”[1] If the White House signs the bill into law, which it says it intends to do, the bill will undo an FCC rule requiring Internet Service Providers (“ISPs”) to get consumer’s permission before selling their online activity records.[2]

Republicans asserted this bill was necessary because the FTC, rather than the FCC, should regulate ISPs.[3] They allege this is an example of government overreach and causes consumer confusion by having two “cops” on duty.[4] Democrats, citing a Ninth Circuit opinion, asserted the FTC does not have the ability to regulate ISPs.[5] The silver lining, if it can be called that, is that the prior law requiring ISPs to get permission had not gone into effect.[6] This new bill merely maintains the status quo.

The backlash can already be felt, though. As of March 30, 2017, two separate fundraising campaigns have raised $250,000 to purchase the online activity records of Republican senators who voted for the bill.[7] Additionally, the creator of the popular card game Cards Against Humanity, has vowed to purchase the online activity records of every member of Congress and their aides.[8] Although no provider sells online activity records, the new bill makes it a possibility.[9] Comcast, AT&T, and Verizon have reaffirmed their privacy policies in which they specify they do not collect, and will not sell, their customers’ personal data.[10] However, a now-contested, conflicting report states Verizon plans to install tracking software, AppFlash, on all of its android-based mobile devices.[11]

The Proposed New Zealand Law

In stark contrast, the New Zealand Privacy Commissioner has proposed changes to the Privacy Act of 1993.[12] John Edwards, the Privacy Commissioner, aims to “strengthen enforcement powers and [align New Zealand’s] laws internationally, including the European Union General Data Protection Regulation.”[13]

Under the proposed regulations, agencies would be required to setup a privacy management program and report to the Commissioner their compliance with their plans.[14] These reports aim to reduce the number of systematic data breaches and the Commissioner has the ability to publish the reports to the general public.[15] The decision to publish publicly would be prompted “by the suspicion of a risk to privacy, either generally or in response to a specific agency's practices.”[16]

To ensure compliance with the reporting obligation, the Commissioner would be able to apply to the high court for civil and criminal penalties.[17] The civil penalties would only exist for “serious” breaches, but could result in fines up to $100,000 in cases of an individual and $1,000,000 in cases of a corporation.[18] Although the fines may seem high, this amount brings New Zealand in line with the fines imposed by Australia and other similarly-situated countries for “intentional and reckless breaches of privacy.”[19] A “serious breach” is “ those that pose a risk of harm, such as loss, injury, significant humiliation or adverse effects on rights or benefits.”[20]

Next, criminal penalties could be imposed against parties found to be de-anonymizing data.[21] Governments and corporations release data sets for external analysis, but the data sets are anonymized so an individual user cannot be determined.[22] However, weaker anonymization methods are subject being de-anonymized. For example, Australia’s Department of Health publicly released thirty years of pharmacy claims made under the Australian Medicare system.[23] Unfortunately, due to weak anonymization, the data set was de-anonymized and outside parties were able to determine the service providers of the claims.[24] Fortunately, individual patient IDs were not decrypted.[25]

Finally, the Commissioner’s proposal will change the defenses available to parties that obstruct or fail to comply with the Privacy Act.[26] Currently, a criminal defendant has a “reasonable excuse” defense.[27] The Commissioner proposed three alternatives to the current defense: (1) “lawful justification or excuse,” (2) “strict liability,” or (3) “an option for pecuniary penalty order as an alternative to prosecution.”[28] This proposed change in defenses will align the defenses available for violations of the Privacy Act with other similar offenses.[29]

Conclusion

In conclusion, the European Union’s General Data Protection Regulation has spurred an increase in data privacy protection laws around the world. New Zealand is no exception. Although the Commissioner’s proposals have not been adopted, they are aligned with general global trends. The United States, however, appears to be taking a step backwards. Hopefully ISPs, such as Comcast, AT&T, and Verizon stay true to their words and protect their customers’ data.

[1] Steven Nelson, House Votes to Let Internet Providers Sell User Browsing Data Without Consent, U.S. News & World Report (Mar. 28, 2017, 6:20 PM), https://www.usnews.com/news/national-news/articles/2017-03-28/house-votes-to-let-internet-providers-sell-user-browsing-data-without-consent.

[2] Id.

[3] Id.

[4] Id.

[5] Id.

[6] Timothy B. Lee, What the Republican Online Privacy Bill Means for You, Vox (Mar. 29, 2017, 1:10 PM), http://www.vox.com/new-money/2017/3/29/15107110/republican-isp-data-privacy.

[7] Harper Neidig, GOP Faces Backlash Over Attack on Internet Privacy Rules, The Hill (Mar. 30, 2017, 5:51 PM), http://thehill.com/policy/technology/326631-gop-faces-backlash-over-attack-on-internet-privacy-rules.

[8] Don Reisinger, ‘Cards Against Humanity’ Creator Threatens to Expose Congress Web History, Fortune (Mar. 30, 2017), http://fortune.com/2017/03/30/cards-of-humanity-congress/.

[9] Lee, Supra note 6.

[10] Ben Fox Rubin, Broadband Providers Affirm Privacy Policies Amid FCC Rules Flap, CNET (Mar. 31, 2017, 9:38 PM), https://www.cnet.com/news/comcast-at-t-verizon-reaffirm-privacy-commitments-amid-flap-over-fcc-rules/.

[11] Bill Budington & Jeremy Gillula, UPDATE: Verizon Software on Android Phones, Electronic Frontier Foundation (Mar. 30, 2017), https://www.eff.org/deeplinks/2017/03/first-horseman-privacy-apocalypse-has-already-arrived-verizon-announces-plans.

[12] John Hannan & Brittany Moore, Proposed Amendments to New Zealand Privacy Law, Lexology (Mar. 14, 2017), http://www.lexology.com/library/detail.aspx?g=12acb525-160b-4aab-9a4c-83dfa9ab0734.

[13] Id.

[14] Id.

[15] Id.

[16] Id.

[17] Id.

[18] Id.

[19] Id.

[20] Jeremy Kirk, New Zealand Privacy Chief Backs $1 Million Fines for Breaches, BankInfo Security (Feb. 10, 2017), http://www.bankinfosecurity.com/nz-privacy-chief-backs-1-million-fine-for-breaches-a-9681.

[21] Id.

[22] Id.

[23] Id.

[24] Id.

[25] Id.

[26] Hannan & Moore, Supra note 12.

[27] Id.

[28] Id.

[29] Id.