At some point early in 2019 the new Privacy Bill is going to come out of Select Committee and back to Parliament and I thought I’d get in early. The main purpose of the Bill is to promote people’s confidence that their personal information is secure and will be treated properly. Here’s the text so far.
The Minister has also ensured that there is a single clear threshold for notifying a breach, but the thrust is to make the Privacy Commissioner a bit more powerful.
In this bill you can still go to the Privacy Commissioner, and then the Human Rights Tribunal. The new bill enables the Privacy Commissioner to make binding decisions on complaints about access to information and to issue compliance notices. When there are breaches of information, any agency is required to notify the Privacy Commissioner where there is a risk of harm.
But it also requires New Zealand agencies to take all reasonable steps to ensure that personal information disclosed overseas will be subject to acceptable privacy standards. I interpret that to include Google, Facebook, and Baidu. The Bill also clarifies the application of our law when a New Zealand agency engages an overseas provider.
Maximum fine $10,000. Whoops.
Way back with the Privacy Act 1993, shopping was done in shops, social media meant nothing and scams came via the fax machine or even more quaintly through your letterbox. In 2018 just losing your password means someone will probably have the ability to steal everything in your bank and otherwise erase your identity off the face of the earth.
I don’t think that kind of fine is going to cut it.
We are still a comparatively high-trust society, so long as we are asked about institutions not politicians themselves. This Deloittes paper cites a number of studies, and the Institute for Governance and Policy Studies paper within it is particularly useful.
We are still comparatively corruption free despite the size of our black economy.
But when it comes to digital privacy I am beginning to feel like our proposed bill is something like a water tanker with one good firefighter keeping a circle of grass green, while the great bushfire has gone past and the rest of the world is burnt black. Sure, Facebook and Cambridge Analytica. But actually, Google and Facebook now harvest our data with near-total assent; phone calls, our real-time location, holiday destinations, shopping preferences, sites, searches including cancelled and erased ones, your entire network of people, and every online conversation you’ve ever had.
So now it feels like the realm of privacy is barely enforceable: we gave it away and it’s never coming back. Some governments, like ours, are far more restrained than the private sector in their access to our data and what to do with it.
There are strong and valiant attempts to be sure, with the standout effort coming from Europe’s General Data Protect Regulation 2016.
Another is in the California Consumer Privacy Act 2018.
But again: US$7,500 per violation.
The United States Supreme Court recently held that enforcement acquisition of cell phone records requires a warrant. Even though there is “detailed, encyclopedic, and effortlessly compiled” information available, people do not necessarily surrender their privacy interests to collect data to the state so that enforcement action can be taken.
Whereas in the non-governmental space, our rapidly shrinking realm of privacy means the number and kinds of people that we can trust gets smaller and smaller. Right now, users share personal data with almost anyone who asks for it and trust websites with the barest of due diligence. We click “I Agree” as a default reaction and grumble about the fraction of a second of inconvenience. As a result of this, we regularly get taken advantage of. Even when websites are not accidentally losing our names and credit card numbers to hackers, they are selling browsing histories for fractions of a cent to anyone from advertisers to fraudsters.
Perhaps those great data multinationals will suffer the same fate as other institutions in which we have lost trust. This is something that can happen either suddenly, in the way that the global interbank lending market shut down in 2009 since everyone decided they couldn’t trust another bank’s balance sheet, or as fast as Bitcoin is disappearing.
Ship owners at the Piraeus Marine Club, Greece’s biggest port, will still do a multimillion-dollar deal on a handshake. But they only deal with people they know, preferably with family connections going back generations. The incidence of fraud (against parties other than government) is surprisingly low, because commerce has shrunk to a size where it can be encompassed by small and personal networks.
There are still Old Zealand places in which barter and non-digital exchanges and honesty boxes and cattleyards and farmers markets and koha and other markers of high local trust still operate. I hope you encounter a few on holiday by driving off SH1 and into the proper countryside. But there is no reversing the total takeover of life into digital exchange, and with it the inevitable loss of trust into transactional behaviour and transactional ethics.
The invention of the internet is bigger than the invention of cash, and it’s taking cash, privacy, and people-trust across the globe to their death.
It’s not likely to come back.
Mark Zuckerberg won’t even face in front of the British Houses of Parliament after the trauma of his appearance in front of the U.S. House of Representatives. Zuckerberg can’t handle that much exposure of his details to public scrutiny. He just can’t bring himself to restore trust.
By their abuses of a collective trust, Google and Facebook are becoming complicit in their own destruction—and in making the internet worse for everyone.
We are now so screen obsessed that we care little about the difference between banning a government from spying on us, and letting private corporations put cameras in our homes and location trackers in our pockets. Labrador puppies!
Even if the government at least increases the fines in the next version of the bill, privacy is pretty much gone by our own hand.