New Privacy Law for 2019

Written By: - Date published: 8:55 am, December 1st, 2018 - 3 comments

At some point early in 2019 the new Privacy Bill is going to come out of Select Committee and back to Parliament and I thought I’d get in early. The main purpose of the Bill is to promote people’s confidence that their personal information is secure and will be treated properly. Here’s the text so far.

The Minister has also ensured that there is a single clear threshold for notifying a breach, but the thrust is to make the Privacy Commissioner a bit more powerful.

In this bill you can still go to the Privacy Commissioner, and then the Human Rights Tribunal. The new bill enables the Privacy Commissioner to make binding decisions on complaints about access to information and to issue compliance notices. When there are breaches of information, any agency is required to notify the Privacy Commissioner where there is a risk of harm.

But it also requires New Zealand agencies to take all reasonable steps to ensure that personal information disclosed overseas will be subject to acceptable privacy standards. I interpret that to include Google, Facebook, and Baidu. The Bill also clarifies the application of our law when a New Zealand agency engages an overseas provider.

Maximum fine $10,000. Whoops.

Way back with the Privacy Act 1993, shopping was done in shops, social media meant nothing and scams came via the fax machine or even more quaintly through your letterbox. In 2018 just losing your password means someone will probably have the ability to steal everything in your bank and otherwise erase your identity off the face of the earth.

I don’t think that kind of fine is going to cut it.

We are still a comparatively high-trust society, so long as we are asked about institutions not politicians themselves. This Deloitte paper cites a number of studies, and the Institute for Governance and Policy Studies paper within it is particularly useful.

We are still comparatively corruption free despite the size of our black economy.

But when it comes to digital privacy I am beginning to feel like our proposed bill is something like a water tanker with one good firefighter keeping a circle of grass green, while the great bushfire has gone past and the rest of the world is burnt black. Sure, Facebook and Cambridge Analytica. But actually, Google and Facebook now harvest our data with near-total assent: phone calls, our real-time location, holiday destinations, shopping preferences, sites, searches including cancelled and erased ones, your entire network of people, and every online conversation you’ve ever had.

So now it feels like the realm of privacy is barely enforceable: we gave it away and it’s never coming back. Some governments, like ours, are far more restrained than the private sector in their access to our data and what to do with it.

There are strong and valiant attempts to be sure, with the standout effort coming from Europe’s General Data Protection Regulation 2016.

Another is in the California Consumer Privacy Act 2018.

The California one has some nice points including:

  • The right to know what personal information a business has collected about them
  • The right to opt out of allowing a business to sell their personal information to third parties
  • The right to have a business delete their personal information

But again: US$7,500 per violation.

The United States Supreme Court recently held that enforcement acquisition of cell phone records requires a warrant. Even though there is “detailed, encyclopedic, and effortlessly compiled” information available, people do not necessarily surrender their privacy interests in collected data to the state so that enforcement action can be taken.

Whereas in the non-governmental space, our rapidly shrinking realm of privacy means the number and kinds of people that we can trust gets smaller and smaller. Right now, users share personal data with almost anyone who asks for it and trust websites with the barest of due diligence. We click “I Agree” as a default reaction and grumble about the fraction of a second of inconvenience. As a result of this, we regularly get taken advantage of. Even when websites are not accidentally losing our names and credit card numbers to hackers, they are selling browsing histories for fractions of a cent to anyone from advertisers to fraudsters.

Perhaps those great data multinationals will suffer the same fate as other institutions in which we have lost trust. This is something that can happen either suddenly, in the way that the global interbank lending market shut down in 2009 since everyone decided they couldn’t trust another bank’s balance sheet, or as fast as Bitcoin is disappearing.

Ship owners at the Piraeus Marine Club, Greece’s biggest port, will still do a multimillion-dollar deal on a handshake. But they only deal with people they know, preferably with family connections going back generations. The incidence of fraud (against parties other than government) is surprisingly low, because commerce has shrunk to a size where it can be encompassed by small and personal networks.

There are still Old Zealand places in which barter and non-digital exchanges and honesty boxes and cattleyards and farmers markets and koha and other markers of high local trust still operate. I hope you encounter a few on holiday by driving off SH1 and into the proper countryside. But there is no reversing the total takeover of life into digital exchange, and with it the inevitable loss of trust into transactional behaviour and transactional ethics.

The invention of the internet is bigger than the invention of cash, and it’s taking cash, privacy, and people-trust across the globe to their death.
It’s not likely to come back.

Mark Zuckerberg won’t even appear in front of the British Houses of Parliament after the trauma of his appearance in front of the U.S. House of Representatives. Zuckerberg can’t handle that much exposure of his details to public scrutiny. He just can’t bring himself to restore trust.
By their abuses of a collective trust, Google and Facebook are becoming complicit in their own destruction—and in making the internet worse for everyone.

We are now so screen obsessed that we care little about the difference between banning a government from spying on us, and letting private corporations put cameras in our homes and location trackers in our pockets. Labrador puppies!

Even if the government at least increases the fines in the next version of the bill, privacy is pretty much gone by our own hand.

3 comments on “New Privacy Law for 2019 ”

  1. DJ Ward 1

    I would like the collection of data, breaching privacy, to be separate from using that data in some way.

    All profits, even income, from using the illegally collected data should be confiscated. It may be hard to prove intent in the collection, but using it can only be intentional.

  2. RedBaronCV 2

    I looked at making a submission to the bill but the language and background material was so dense I found it difficult to know what was actually being legislated. I did get the impression that it had been subject to major player regulatory capture not what individuals might actually want. So I’d have liked it to be more “principled” legislation.

    Among basic principles I’d like to see:

    Should you be allowed to collect the information in the first place – try booking an online airport car park and see all the extra information wanted – irrelevant to actually parking the car. So only permission is to collect information that is directly needed to provide the good or service.

    Should you be allowed to discriminate by pricing or other means against those that use online supply v. some other means of supply of the goods or service – where the pricing difference is more than could be reasonably expected from the costs of delivering through a different channel.
    Again airport parking – online at a significant discount – when the online infrastructure will actually be costing more than paying at the place. Don’t fall for demand arguments – they will have as many carparks as possible to meet peak demand.

    Should you be allowed to pass on information without express permission of the individual concerned and should you be able to deny a good/ service if that permission is withheld.
    Credit scoring here. Your power bill payments go to third parties for credit scoring. The privacy commissioner has come out against it as a practice but does this Bill kill it.

    Should you be able to give “third party” permission. No.
    Wellington city council allowing a Japanese company to track our cellphones when we are downtown.
    Bill English’s data dump that collated all government information on certain birth years including I suspect data supplied illegally by schools to the health department without parental permission around one of the meningitis scares.

    Should you be able to collect mass public data for resale.
    Google street images.

    Should you be able to force people to use online methods when other methods are available at a reasonable cost or the cost is transferred to the customer.
    Looking at the banks, the IRD here & telcos. Closing down on the ground options with very little justification. IRD are even taking common forms off the internet to force electronic compliance and forcing people to buy and use payroll programmes “approved”. The government drive for “I logins” for us all.
    Bank ATMs that only do $50 notes – poor people not wanted here.
    Telcos – certain services can now only be accessed online – no phone number on the bills. Tough where there is a poor or no internet connection.

    Should publicly collected information be supplied to private players to charge for without a public option also being available? Can public information be monetised? Third party permissions being withheld should cover this.
    IRD defaults supplied to credit collections companies. QV data being expensive for citizens to search but being onsold?

    Now a lot of this might not be easy to enforce on overseas players but we can regulate onshore goods and services that most of us can’t avoid consuming.

    and employment – I’ll do a separate post.

  3. A 3

    European countries see privacy as a right. This should be the same for us with the onus on business (et al) to prove permission has been given not assumed.

    Other decencies would include making it illegal to photograph or film accident victims (needless trauma for families and a really distasteful set of priorities), sex acts without written permission (lifelong humiliation for a short term error of judgement) and private electoral enrolments (too much assistance for scammers, stalkers, ID thieves).
