|
Privacy is a relatively recent development to the law. Indeed the concept of privacy itself is much debated in today's society – with some predicting the end of privacy, and others arguing that privacy threatens other important values such as freedom of speech.
In recent years, privacy law has been outpaced by technological advances and it is thought that the law in this area will benefit from being thoroughly reviewed and updated. One of the main sources of privacy law in New Zealand, the Privacy Act 1993 (Privacy Act), provides a good example. The Privacy Act was conceived at a time when the internet, and particularly the web, was not widely used and sensitive digital information was largely held by organisations and could be relatively easily regulated. By contrast, today many more individuals and organisations are active originators of digital information, some of which escapes the current Privacy Act. For example, the Privacy Act excludes information contained in, or sourced from, a "publically available publication". That phrase is defined as meaning "a magazine, book, newspaper or other publication that is or will be generally available to members of the public", and there may be issues about whether it applies to material published on the internet.
As a result of considerations such as these, the Law Commission (Commission) is currently undertaking a review of all privacy law in New Zealand.
The review is proceeding in four stages as follows:
(a) Stage One: A high level policy overview to assess privacy values, changes in technology, international trends and implications in New Zealand's civil, criminal and statute law.
(b) Stage Two: A review of the law relating to public registers and whether it requires alteration as a result of privacy considerations and emerging technologies.
(c) Stage Three: A review of the adequacy of New Zealand's civil and criminal law to deal with invasions of privacy.
(d) Stage Four: A review of the Privacy Act with a view to updating it.
The Commission has now released its reports on Stages One and Two of the review. This article provides an overview of the key findings of the Commission in these first two stages of the review and the particular issues the Commission has indicated it will be dealing with in Stages Three and Four.
Stage One: Privacy Concepts And Issues
The Stage One report was issued on 8 February 2008. This report:
- provided a conceptual framework for the review;
- reviewed social, technological and international developments that may have an impact on privacy in New Zealand; and
- identified some key issues and implications for law and policy that will be considered in more depth at a later stage.
The Commission described the conceptual framework for the review as being based on two "core values" – (1) the autonomy of humans to live a life of their choosing; and (2) equal entitlement of people to respect.
The Commission took the view that privacy has two main dimensions: informational privacy and local or spatial privacy. Informational privacy is concerned with control over access to private information or facts about ourselves. The Commission considers that not all personal information can be regarded as private, although opinions may differ as to exactly what counts as private. Local or spatial privacy is concerned with control over access to our persons and private spaces (typically in our homes). The report states that we are able to behave differently in our private space than we do when exposed to the scrutiny of others. This is based on the notion that a person's home is that person's castle – a "bedrock" principle of the common law.
The Commission commented that a person's right to privacy is not an absolute right and must be balanced against other competing interests, such as freedom of expression. Therefore, context is paramount in determining when a right to privacy exists, for instance, land transfer records should be treated differently from individual health records. The Commission warned against an "all embracing" approach to privacy, but instead stated that careful analysis should be given to each discrete area in which privacy issues may arise.
While this is a somewhat ad hoc balancing, the Commission stated that this analysis must be conducted in each policy area otherwise we will end up with an unpredictable, general privacy law of little utility and with an uncertain breadth of application.
The report acknowledged the development of the internet as a major change since the Privacy Act was passed. In particular, the Commission focussed on the collection of personal information by companies (whether covertly or overtly), and the availability of personal information posted by private individuals. While no recommendations were made at this stage, the Commission noted that this is an area of particular concern, especially where companies are covertly tracking a user's online activities and using that information to target advertisements to particular users, and, in the blogging and online social networking context, where private information about others is posted without their consent.
The Commission stated that there are a number of legal issues that relate specifically to the impact of the internet on privacy. First, there are jurisdictional issues (as the internet is without borders and can be accessed from anywhere), and, secondly, there are enforceability issues as it can often be difficult in determining the respective liabilities of the various parties regarding material posted on the internet (for instance, from the persons posting the information originally to the people who link to the page from other websites, to the ISPs and so on).
Other issues discussed in the report included social attitudes towards privacy, new technologies that can be used to enhance or protect privacy and international developments.
Stage Two: Public Registers
The Stage Two report related to public registers and was released on 19 February 2008. This report considered whether the law relating to public registers requires systematic alteration as a result of privacy considerations and emerging technology.
For the purposes of the review, the Commission defined a "public register" as comprising:
- a register, list, or roll of data;
- created and maintained pursuant to an enactment;
- open, in whole or in part to public inspection, copying, distribution or search, and under a specific access provision of the enactment creating the register.
This definition excludes registers or databases held by the government that are not publicly accessible and also registers, such as the teachers register, that are publicly accessible (and may even be on the internet) for which there is no statutory right of search or access.
In this report, the Commission made several recommendations, including that:
(a) Public registers should be regulated primarily through their establishing statute. Regulations should consider what personal information should be held on a register, and what information should be publicly accessible.
(b) Protective mechanisms should apply across all registers containing personal information, and these are to be based on mechanisms in the Electoral Act 1993. This would enable suppression of personal information where there is evidence that the safety of a person on the register and/or their family would be put at risk by disclosure of that information.
(c) A system of authorisation, or accreditation, for bulk access to some specified public registers should be implemented. This recommendation comes in response to the increased use of public registers for the purposes of direct marketing. Where this system is appropriate, the potential bulk user should apply to the Minister for the relevant Government agency that administers the public register. The Minister would then decide whether accreditation is appropriate in the circumstances after considering issues such as the uses of the information, the registers to which it will apply and public interest considerations. This decision would be guided by specific statutory criteria and subject to judicial review.
(d) The penalty system under Part 8 of the Privacy Act, that includes damages, restraining orders and other potential remedies, should apply to breaches of access provisions in public register statutes.
Stages Three And Four
The Commission is currently undertaking Stage Three of the review. In this stage, the Commission will consider and report on the adequacy of New Zealand's civil law remedies for invasions of privacy, including tortious and equitable remedies, as well as the adequacy of New Zealand's criminal law to deal with invasions of privacy. This report will also include a consideration of the tort of invasion of privacy.
Stage Four will be a review of the Privacy Act, which will take into consideration the recommendations the Commission has made so far, as well as any submissions it has received from the public. Issue papers for Stages Three and Four will be released in the second part of this year, with final reports to be released in 2009.
In the meantime, the Commission has called for submissions from organisations to assess whether they have concerns about existing laws relating to privacy, and any proposals for reform of these laws. If you would like more information in this regard, please contact us.
While it is impossible to predict the changes the Commission will ultimately recommend, it is likely that privacy law, and in particular the Privacy Act, will change dramatically once the final reports are released, so watch this space!
Key Contacts
Karen Ngan +64-9-977-5080 karen.ngan@simpsongrierson.com
Anthony Burnet +64-9-977-5195 anthony.burnet@simpsongrierson.com
Note: The information provided in this article is intended to provide general information only. This information is not intended to constitute expert or professional advice and should not be relied upon as such. Specialist legal advice should always be sought for your particular circumstances.
|
