Geoffrey Palmer

Address to the Privacy Forum, Hotel Intercontinental Wellington, 5 May 2010, Rt Hon Sir Geoffrey Palmer SC President Law Commission

The Privacy Commissioner, who is well known to me since the days when we worked on the State-Owned Enterprises Act 1986, has instructed me to be provocative. That is a relative concept. A week after delivering the Law Commission's report on alcohol I do not feel the need for more provocation.

I do apologise for not giving you the comforting security of a PowerPoint presentation. There are two recent quotations about PowerPoint that appeal to me. The first is:1

"Power corrupts and PowerPoint corrupts absolutely."

The second is:2

"We have met the enemy and he is PowerPoint."

That latter was a headline in the New York Times last week outlining the problems that the generals in Afghanistan had got themselves into on account of PowerPoint.

Far be it from me to suggest that the Wellington policy culture is afflicted by a similar disease. But it is worth thinking about. So I shall give an old fashioned speech. Those who want to read it can find it on the Law Commission's website.

The Law Commission's Review of Privacy Law is nothing if not extensive. It has come in four parts. Three parts of it are now complete in the sense we have produced final reports. Stage One was a gallop on horseback entitled Privacy: Concepts and Issues.3 This was a Study Paper. It was a mere 220 pages long. Short by our standards.

It was this work, and the associated paper that is on our website by Dr Mark Hickford,4 that led me to offer to this forum a chocolate fish for anyone who can define privacy. A more protean and elastic concept is difficult to find.

The Judge's decision is final. I am the Judge. We have had the task at the Law Commission of trying to unpack the concept of privacy in different contexts and decide what legal results should flow from that.

The Privacy Project

The first final report that we completed as part of this review of Privacy came out in January 2008. It was entitled Public Registers, and was the outcome of Stage Two of our review.

5 Public Registers are a difficult area of the law but also quite discrete in privacy terms. We recommended that public registers be regulated primarily through their establishing statutes. There are a lot of these, more than 80 of them. They all need to be individually reviewed. That is a big job.

Stage Three of the Law Commission's Privacy project comprised an examination of the law relating to the invasion of privacy. Building on the Issues Paper we published, the final report deals with the remedies and penalties that the law should provide for invasion of privacy.6 This report did not deal with the Privacy Act 1993, except at the margins.

The essence of the Part 3 Report is the civil and criminal law as it is applied in the courts. In particular we reviewed the tort of invasion of privacy that had been confirmed by the New Zealand Court of Appeal in the case of Hosking v Runting.7

We explored whether such a tort was needed, and if so whether it needed to be codified in statutory form or left to develop through the process of the common law. We recommended that the tort be left to the common law and to the courts. At the same time we found that surveillance is not well regulated by the current law. Technology is developing rapidly and continually creating new ways of invading

5 6 7

Law Commission Public Registers: Review of the Law of Privacy: Stage 2 (NZLC R101, 2008). Law Commission Invasion of Privacy: Penalties and Remedies: Review of the Law of Privacy: Stage 3 (NZLC R113, 2010). Hosking v Runting [2005] 1 NZLR 1 (CA). 4 privacy. The Law Commission did a formidable report on Search and Surveillance Powers that was published in June 2007.8 The main recommendations of that report are now contained in a Bill before Parliament.9 That legislation deals with Police powers, search warrants and other warrants that law enforcement agencies are required to get before they can take coercive action. It covers the use of surveillance devices by law enforcement agencies.

But on the other side of that coin, when it comes to private citizens, we found gaps in the law where private citizens are snooping on each other.

The law was patchy and unsatisfactory. We thought that it needed to be rationalised and brought up to date. This has been done in a number of Australian jurisdictions.

We recommended that a Surveillance Devices Act be enacted which would create the criminal offences of trespassing to install a surveillance device; using a device to undertake surveillance of the interior of a dwelling; and using tracking devices. There would be appropriate defences for each of these offences. The offences of intimate covert filming and interception of private communications currently contained in the Crimes Act should, in our view, be transferred to the new Surveillance Devices Act.

We also recommended that the Harassment Act 1997 should be amended to extend its coverage to certain types of surveillance and that a new offence of voyeurism should be created. The Privacy Act 1993 This brings us to the fourth part of the Law Commission's Privacy project, a review of the Privacy Act 1993. Seldom in the history of New Zealand statute law has so much baseless misunderstanding been perpetuated by so many. Some of it seems to have been deliberate. 8 9 Law Commission Search and Surveillance Powers (NZLC R97, 2007). Search and Surveillance Bill 2009 (45-1).

5 The Privacy Act has afforded many public and private agencies a false excuse for not carrying out their obligations. The Privacy Act is used as an excuse for not giving information in numerous occasions where there is no possible justification for the use of the Act in that manner. Thus, the Act has a bad reputation in some quarters that it does not deserve. The legal provisions do not do what many people say they do. There are, of course, serious difficulties of interpretation involved in open-textured statutes like the Privacy Act. But the Official Information Act, which the Law Commission is also currently reviewing, has a similar open texture.

In broad terms, the alternative to an open-textured statute is a rules-based system. We make it clear in our Issues Paper on the Privacy Act10 - another 500-page production - that we prefer the existing open-textured approach and do not see a rules-based system as a practical or desirable alternative. We are hoping to get a great many submissions on this Issues Paper. At present we have around 40, and although submissions were due by 30 April we will receive late submissions up to the end of May. We got nearly 3000 submissions on our Sale of Liquor project. We may get even more on our Misuse of Drugs project. It would be nice if we could get some more than we now have on privacy because it is an important subject. There are a number of issues upon which we need real help.

I cannot, in an address like this, cover all the difficult issues with which we are confronted in this review. But I do want to highlight a number on which we would value your feedback. The complaints process The first issue I want to raise with you is the Privacy Commissioner's complaints process. The essential aim of the Privacy Act is to secure voluntary compliance with the law through providing education, guidance, assistance and incentives to comply. 10 Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy: Stage 4 (NZLC IP17, 2010). 6

The Act is backed up by the possibility of enforcement action in the event that voluntary compliance fails. It needs to be remembered, of course, that the Privacy Principles in the Act are not enforceable in the courts. Any person can complain to the Privacy Commissioner. The Commissioner receives about 600 to 700 complaints each year.

In 2008/2009 there were 806, a significant increase. The Office of the Privacy Commissioner will consider a range of options to deal with complaints, ranging from equipping the parties to resolve the issues themselves, to mediation or full investigation. The Office attempts to resolve the dispute at all stages of its process. In most cases complaints are settled or the complainants decide not to pursue the matter further after the investigation is completed. If the complaint cannot be settled, the Commissioner may refer the matter to the Director of Human Rights Proceedings.

When referring a complaint to the Director, the Commissioner sends a letter of notification together with a Certificate of Investigation which summarises the nature of the complaint, the key points and the statutory provisions in issue. The Director then decides whether to being proceedings in the Human Rights Review Tribunal. There are also provisions in the Act allowing individual complainants to bring proceedings in the Tribunal themselves. In front of the Human Rights Review Tribunal there are essentially quasi-judicial proceedings of a fairly high degree of formality. All this seems to us unnecessarily elaborate. It seems somewhat tentative as well, no doubt because of the rather unusual nature of the privacy legislation at the time it was launched. The Tribunal has about 17 new proceedings under the Privacy Act each year.

The system does seem to us to be generally sound and working well and it is highly effective in settling the vast majority of complaints. 7

But we have come to the tentative conclusion that there are elements of it that are cumbersome. We think it could be made more streamlined and efficient. In particular the structure and allocation of responsibilities between the Privacy Commissioner, the Director of Human Rights Proceedings and the Human Rights Review Tribunal, all making fresh assessments on the same set of facts, seems to us to be unnecessarily cumbersome. Further, it causes delay and unnecessary expense.

In order to address these problems we have developed proposals for reform in the Issues Paper and we have had a lot of assistance in this from the Office of the Privacy Commissioner. What we are aiming to do is to preserve the most effective features of the existing practice but address the key problems by making dispute resolution more effective.

Essentially we propose a reformed complaints process together with some new enforcement tools. We believe that the harm threshold for complaints should be removed. We propose that the Commissioner should be given the power to determine complaints concerning rights of access by people to their own personal information under Principle 6 of the Act. The Tribunal would then become an appeals body in cases involving Principle 6.

Next, the role of the Director would be removed in all privacy complaints. Finally, the Commissioner would have a new power to issue binding enforcement notices where an agency is breaching the Act. These notices would require agencies to take certain actions within a specified period of time to comply with the Act. We really do need to know what people think about these possible changes because they are important. Information sharing

The next issue with which we are having particular difficulty is the issue of information sharing. As it says at the beginning of our chapter on that topic, a report in the UK has recognised:11 11

Richard Thomas & Mark Walport Data Sharing Review Report (London, 2008) at 9-10. 8

The use and sharing of personal information are now permanent features of modern life, supported by mushrooming technological advances in the storage, analysis and use of large data sets. Public, private and voluntary sector organisations will continue to require access to personal information in order to provide goods and services, combat crime, maintain national security and to protect the public.

That statement seems unexceptional. Nevertheless sharing has major privacy implications. It means that personal information collected from one person to whom it relates is used by someone else to whom it does not relate. The challenge, as we put it, is to facilitate the sharing of personal information for individually or socially beneficial purposes while ensuring that privacy is appropriately protected. No easy task.

There have been many discussions within New Zealand Government agencies about all of this. Naturally enough the Government has a keen interest in ensuring that it can use the information in its possession to achieve the policy purposes that it has set.

The Privacy Commissioner has investigated the option of developing a Code of Practice under the existing Act but has tentatively concluded that such a code is not appropriate at this time. But she has not ruled it out as a possibility in the future.

There have been a number of problems identified with the present law by the public sector agencies. We summarised them in our Issues Paper.

They are:

ﰀ The Privacy Act does not fit with the changed public sector environment, in which whole-of-government approaches and integrated service delivery are increasingly important.

ﰀ The law enforcement exceptions are too narrow.

ﰀ There are specific barriers to social services agencies imposed by the Act, particularly where such agencies are working collaboratively to provide services to common clients.

ﰀ The information matching regime in the Act is not suitable for episodic, case- by-case exchanges of information, or exchanges of information that is qualitative in nature.

ﰀ The original purpose of collection of personal information may not allow use of that information in a later initiative.

We have already received and expect to receive more submissions from Government departments on this vexed subject.

We would also like to hear the views of people from outside Government. We have reached the tentative conclusion that the Act needs to be changed to better facilitate appropriate information-sharing amongst Government agencies. For this purpose we have outlined a number of options.

The options that we have looked at include:

ﰀ Guidelines issued by the Privacy Commissioner;

ﰀ a Code of Practice;

ﰀ a national public sector information-sharing strategy;

ﰀ treating the public sector as a single entity so that there is a rebuttable presumption that personal information held by one public sector agency can be shared with other public sector agencies if such sharing is for the benefit of the individual concerned and is for a purpose that is broadly similar to that for which the information was obtained;

ﰀ allowing the Privacy Commissioner to issue binding rulings in advance on compliance with the Privacy Act;

ﰀ enactment of a set of information sharing guidelines similar to the information matching guidelines in section 98;

ﰀ transparency and accountability requirements so that there may be annual reports from agencies on information sharing;

ﰀ the addition of a new exception to Principle 11 in the social welfare arena;

ﰀ an extension of the current section 54 exemption power; a statutory schedule of authorised information sharing activities; a new regime similar to the existing information-matching regime; and a common or integrated programme or service exception. 10

Obviously enough these options are not mutually exclusive. But this is one area where more certainty is needed. Here it may be that statutory rules may be required. This is an important topic and we have to make firm recommendations on it. Data breach notification

Another subject on which we are contemplating some changes is data breach notification. We have examined closely the merits of introducing a mandatory data breach notification requirement into the Privacy Act. Currently holders of personal information, both public and private sector agencies, are under no legal obligation to notify individuals or the Privacy Commissioner when an individual's personal information is compromised - if, for example, it is lost or obtained by computer hackers. Since the security of an individual's personal information is becoming increasingly important, and more and more information of a sensitive or private nature is being collected, there are issues surrounding this.

A data breach is the "unauthorised access to or collection, use or disclosure of, personal information". Breach notification "is the practice of notifying affected individuals when their personal information has become available to unauthorised individuals or organisations".

These statements are taken from an information paper produced by the Privacy Commissioner in 2008.12 Data breaches take a multitude of forms. Sometimes they are quite innocent, on other occasions they are serious and deliberate acts aimed at damaging other individuals.

12 Office of the Privacy Commissioner Information Paper to Accompany Privacy Breach Guidance Material (Wellington, 2008) at 1.

11 Data breach notification laws are a ubiquitous feature of the United States legal landscape.

In New Zealand neither the Privacy Act, the Privacy Principles nor the Codes require mandatory breach notification. This means that agencies are not required to notify individuals whose personal information has been compromised, no matter how sensitive the information and no matter how serious the risk of harm that could be suffered as a result.

We are asking submitters to tell us: should the Privacy Act include a mandatory breach notification requirement, or is a voluntary notification model more appropriate?

If it is thought that a legal requirement is desirable, how should a data breach be defined?

Furthermore, in what circumstances should organisations be required to notify individuals that their personal information has been compromised? Who should decide whether a notification must be made in response to a data breach? Should the Privacy Commissioner have power to compel an organisation to notify affected individuals? In the case of a data breach, should the agency be required to notify the Privacy Commissioner's office?

There are a lot of detailed questions we have framed around this issue. It is another matter upon which we need help.

Direct marketing

Another subject on which there is a marked degree of public interest concerns direct marketing. The issue here is whether direct marketing needs to be regulated from the point of view of protecting privacy, and whether the current controls on direct marketing are adequate.

By direct marketing we mean the making of marketing approaches to individuals by commercial marketers or businesses, whether New Zealand- or overseas-based. There are various methods including mail, telephone calls, email (or spam), door-to-door approaches by the person, automated dialling machines and more recently automated SMS messages.

12 The Marketing Association has issued a Code of Practice for telemarketing that requires telemarketers to remove a person's name from marketing telephone lists if requested to do so. The Association also maintains Do Not Call and Do Not Mail registers, containing details of consumers who have requested to receive no unasked- for phone calls or mail. Members of the Marketing Association are required by the Association's Code of Ethics to respect the wishes of people on these registers.

However, the Privacy Commissioner has noted that this voluntary scheme is confined to marketers who are members of the Association, and that it lacks enforcement mechanisms. In the United States the Federal Trade Commission established a Do Not Call Register in 2003 that has attracted over 191 million registrations. But the US Register does not apply to charities, market research companies or political polling. There are Do Not Call Registers in Canada and Australia as well. The question is whether any further regulatory controls on direct marketing in New Zealand are needed. If regulatory options are to be introduced, should they be done through a Principle in the Privacy Act or a right to opt out of direct marketing in the Privacy Act or code, or by a voluntary or compulsory Do Not Call Register for telemarketing?

Technology

One difficult topic touched on by this review is technology. We have written a long chapter about it. Whoever can predict our technological future has a great career in front of them. The thing about technology is that it has made it technically and economically feasible to collect, use, store and re-use massive amounts of personal information in a variety of contexts for multiple purposes. Indeed the provision of public services of all kinds has become dependent on data collection, sharing and related practices. The digital revolution continues to create a wealth of personal data about people and their activities and it is a reasonable question to ask whether personal privacy can be protected in the new digital era, and whether it is worthwhile attempting the task.

13

There are economic benefits to the private sector and increased efficiency for the public sector that these developments allow. But on the other hand there are potentially significant societal and individual costs. We wonder whether the Privacy Commissioner's functions in relation to technology should be revised. Other questions include: should the Privacy Act provide for a privacy advisory panel or empower the Privacy Commissioner to set up expert panels on particular issues, such as technology, as the Australian Privacy Act does? Is the basic framework of the Privacy Act adequate to deal with technological change?

Should the Privacy Principles remain technologically neutral?

There are questions such as cloud computing, and all of the new ways of deploying computer technology to give users the ability to access, work on, share and store information using the internet. There are a lot of new technologies that raise privacy issues, and I know that some of these issues will be discussed later in this forum. Another issue to be discussed at this forum, and that it also discussed in the Issues Paper, concerns privacy-enhancing technologies. How can "privacy by design" be encouraged? The Law Commission looks forward to hearing the views of participants in this forum about these matters.

Conclusion

In this address I have only skimmed over the top of a small number of important issues in what is a very detailed review. We welcome your views. It is an interesting subject.

The Law Commission's review of Privacy will conclude when we publish our final report on the Privacy Act around the end of this year. After that, the Government will respond and, if it accepts the need for reform, a Bill will be introduced.

Whatever happens, though, I have no doubt that debates about privacy will continue. Privacy, as far as I can see, comprises a world without end.