In Part 1 we looked at some aspects of online privacy. In this article we look at the law.
Can the old dog still hunt?
New Zealand’s privacy laws are generally considered to be pretty sound. The Privacy Act began life in 1993 describing a set of principles and giving you a bunch of rights in relation to controlling the collection, use and disclosure of personal information.
“Personal information” is defined in the Act as “information about an identifiable individual”, i.e., information from which you can be identified. If an agency is collecting anonymous information about your movements online, that is one thing, but if your online profile grows to the point that you could be identified from it, the rules in the Privacy Act can apply. As discussed in Part 1, the line between anonymous and identifiable can be pretty uncertain.
The Law Commission looked at the Act in a three-year review of privacy laws that was completed in August 2011. It continues to believe that self-protection is the best protection, but suggests a substantial set of changes aimed at improving the law including:
- new powers for the Privacy Commissioner to act against breaches of the Act without necessarily having received a complaint, and allowing it to order those holding information to comply with the Act or submit to an audit of their privacy rules, and
- measures to minimise the risk of misuse of unique identifiers, and require those holding information to notify you if your information is lost or hacked, and
- controls on sending information overseas.
The government agrees that it is time for substantial changes to the Act, although it does not agree with everything the Law Commission has proposed. A new draft Bill is expected next year.
To the ends of the earth
One obvious issue in the internet age is the mismatch between the international nature of internet services and laws that are limited to the borders of any particular nation. A modestly-sized nation at the end of the world, like New Zealand, has limited ability to influence foreign organisations that may not have any local presence, although our Privacy Commissioner has taken action against reputable major players offering services in this country.
One solution could be crowd-sourced reviews of online privacy policies, or organisations that rate others' policies. There are similar troubles with the terms of licensing agreements to which you have to consent in order to use software.
Fit for purpose
Sadly users mostly do not avail themselves of these options. That may be because some impede the internet experience a bit. Or because users do not care to change their behaviour much despite saying they are worried about online privacy.
In these circumstances, there will continue to be debate about how far users can or should take responsibility for their own protection, and how far the law needs to go. This battle is the natural result of the standard model for internet services, i.e., if you want free internet services, you need to realise that your eyeballs are the price. No one should be surprised that advertisers try to make their services more effective by learning more about the brains behind those eyeballs.
This article was originally published on the TUANZ blog.