As the use of drones and other surveillance tools proliferates, so do the privacy and other issues surrounding them.
We look at the regulatory response to the new technologies in New Zealand and internationally and catch you up with other developments in privacy law.
The increasing drone of unmanned aircraft
A major security scare was triggered in the US last month when a drone was landed (by accident) on the White House lawn. And media reports from the US, Canada and Australia suggest that drones are being used to transport illegal drugs.
In New Zealand also, recreational drone use is on the up and up - resulting in a number of complaints to both the NZ Police and the Privacy Commissioner, and prompting the Commission to post some broad advice on its website on 21 January this year.
The Privacy Act is “technology neutral”, with the effect in this case that the guidelines applying to camera operators also apply to drone operators. These are to:
- be clear about why you are collecting the information
- make sure people know you are collecting the information
- think about how you intend to use the information
- keep the information safe and make sure that only authorised people can see it
- dispose of the information after it has served its purpose, and
- provide a right of access to the information by the individual or individuals concerned.
Other privacy watchdogs have also commented on drone implications, including:
- the Information Commissioner’s Office (ICO) in the UK, which has developed simple drone data collection guidelines for individuals, but still relies on CCTV guidelines for businesses using drones, and
- the Australian Privacy Commissioner who has observed that, while clear privacy laws apply to private organisations, it is unclear whether they sufficiently constrain individuals.
In the US, the Drone Aircraft Privacy and Transparency Bill 2013 provides for a raft of proposed privacy safeguards. These include provision for drone operation licences that must include information on intended data collection and use. Some commentators have criticised this reform for lacking adequate compliance and enforcement mechanisms, such as an independent oversight body and regular independent auditing of information collected by drones.
Our Office of the Privacy Commissioner could overcome the first of these criticisms, and independent audit would extend what many businesses do already in relation to privacy compliance and the collection of personal information about individuals.
Privacy Act update
The Ministry of Justice is well down the track towards developing the much anticipated new Privacy Act. This is intended to bring the law up to date with the avalanche of technological change since the original Act’s passage in 1993 and to put strong incentives in place to ensure businesses, government departments, and other organisations take privacy issues seriously.
Key proposals include:
- mandatory reporting - organisations will have to report data breaches to the Privacy Commissioner and, in serious cases, notify affected individuals
- new offences - actions such as failing to notify the Privacy Commissioner of a privacy breach or impersonating someone to obtain their personal information will be illegal and carry a fine of up to $10,000
- enhanced powers - the Privacy Commissioner will have new powers, such as the ability to issue compliance notices, and the Commissioner’s powers of investigation will be strengthened
- guidance and clarity – the Privacy Commissioner will provide additional and improved guidance to facilitate better compliance with privacy laws.
The government will conduct a technical consultation before introducing a Bill to Parliament.
Privacy guidelines for app makers
Last year, the Privacy Commissioner released privacy guidelines for app makers. The growing public interest in privacy settings could give innovative app builders a competitive advantage. Five key points were highlighted:
- integrate privacy from the start
- be open and transparent about your privacy practices
- collect and keep only what your app needs to function, and ensure that the information is secure
- obtain meaningful consent despite the small screen challenge by providing a privacy dashboard, graphics, colour and sounds, and
- be aware that the timing of user notice and consent is critical.
- In June 2014, the European Commission released Cloud Service Level Agreement Standardisation Guidelines. The Guidelines aim to help customers understand and compare different cloud services. The European Commission considers that the guidelines will be most effective if adopted internationally.
- The Australian Parliamentary Joint Committee on Intelligence and Security is currently considering a Bill that will expand data retention obligations for telecommunications carriers. The Committee is expected to table its report on 27 February 2015.
Drones and commercial information
New Zealand’s first ever tradeshow for unmanned aircraft was held in January in conjunction with the “Wings Over Wairarapa” airshow. It highlighted the huge potential for commercial drone use in areas such as agriculture, research and development, aerial photography and surveying.
But there is also a dark side to this developing capability as the technological advances created by drones, GPS software and thermal imaging can also be used for commercial espionage.
Existing law on breach of confidence and protecting intellectual property, and laws criminalising various forms of surveillance and theft of information, may not be effective in responding to the challenges presented by the new technologies’ vast information gathering potential, their easy availability and their relative ease of operation.
It was those factors which allowed engineers to assess earthquake damage to Christchurch Cathedral with a cheap drone from Dick Smith Electronics, when orthodox means of inspection were too hazardous. So we do not want to stifle innovation by diving headlong into new technology-specific regulation. But it is an issue we will be watching; we will continue to report to you on it.