Privately speaking is a quarterly publication tracking relevant developments in privacy legislation, regulation and case law.
Privacy is a fast developing area of law, both in New Zealand and internationally, and the risks for organisations from privacy breaches can be very high. This applies both when the organisation is the victim – as in industrial espionage – and when the organisation fails to maintain expected standards of data integrity and confidentiality.
Foreign ownership register
Land Information New Zealand (LINZ) has warned that designing an accurate foreign ownership of land register may raise privacy and Bill of Rights (BoRA) issues. The register’s accuracy would require establishing the ultimate owner of companies and trusts, and would require solicitors to provide citizenship information about buyers.
The Australian Government has established a register of foreign investment in the residential property market and is considering expanding this to include rural land purchases. The New Zealand Government has been publicly sceptical about how effective the policy will be but, recognising that there is some support for it in the electorate, has said it will follow with interest what happens in Australia.
Link: Fairfax article
Use of smart meters by utility companies
The Privacy Commissioner has advised power companies to take “additional care” in how they look after the data collected by smart meters. They should inform consumers how the data will be used, and have “strong security standards to ensure information is transmitted safely online”.
Samsung Smart TVs
Criticisms include that the policy “leaves users with no knowledge or control over where the personal information goes or who has access to it”. In response, Samsung has reiterated that the captured data is encrypted to keep it safe.
Link: NZ Herald report
APEC Privacy Framework being updated
APEC hopes to have an update of its privacy framework completed by the end of this year. The New Zealand Privacy Commissioner has undertaken the review as part of an Australia, Canada and New Zealand stocktake group.
Areas identified for strengthening include:
- introducing the concept of privacy management programmes
- adding breach notification to the list of remedies, and
- outlining factors to be considered in balancing trade considerations when restricting cross-border transfers for privacy reasons.
Privacy Commissioner to monitor police use of personal data requests?
The Privacy Commissioner may create a central register to record Police requests for personal data without search warrants from service providers such as airlines, banks, electricity companies, telcos and internet providers. Police are said to rely on the Privacy Act’s Principle 11, which permits disclosure of personal information where required “for the maintenance of the law”. The District Court has queried the legality of such demands.
Link: NZ Herald report
Data breaches hit record high
According to the Identity Theft Resource Center, the number of US data breaches hit a record high of 783 in 2014, disclosing nearly 86 million records. The medical/healthcare industry accounted for 42.5% of the reported breaches and over 8 million disclosed records, followed by the business sector with 33% (but over 68 million disclosed records).
The financial sector performed best – accounting for 5.5% of breaches and only 1.4% of disclosed records. However, Kaspersky Lab (a cybersecurity firm) has released a report showing that hackers have stolen up to $1 billion from more than 100 financial institutions in 30 countries.
Microsoft adopts international privacy standard for cloud services
Microsoft is the first company to receive certification for the ISO privacy standard for the cloud. ISO guidelines include:
- control: only process personal data in accordance with customers’ instructions
- consent: only process personal data for marketing/advertising purposes with the customer’s express consent
- communication: notify customers in the case of a breach and keep clear records about the incident
- transparency: disclose to the customer the identity of sub-processors and any possible locations where personal data may be processed, and
- independent audit: obtain regular reviews of the cloud service provider’s compliance through an independent third party audit.
Microsoft’s General Counsel Brad Smith explains that the adoption of the ISO standard is just one of the ways the company has been exploring to strengthen customers’ privacy in the cloud.
Expensive settlements for LinkedIn and Target
LinkedIn has agreed to pay US$1.25 million and to implement industry-standard data security protocols to settle a user privacy class action suit. In 2012, LinkedIn was hacked and the passwords for nearly 6.5 million users were stolen. Each claimant is likely to receive up to $50 from the $1.25 million settlement fund.
Target has agreed to pay US$10 million to settle its 2013 data breach, which exposed the credit card and personal information of up to 110 million customers.
Affected customers will be eligible to receive damages of up to $10,000 each and can claim for time spent dealing with the consequences of the breach, although recovery is limited to $10 an hour for up to two hours. Target will also implement measures to better safeguard consumer data. In the 2014 financial year, Target’s gross expenses arising from the breach topped US$191 million.
High standard for bringing data breach class actions
Claimants’ entitlement to bring data breach class actions is currently a hot topic in the US. In a March 2015 US District Court decision, the Judge held that the plaintiffs did not have standing to sue because they weren’t able to demonstrate “actual misuse of the hacked data or specifically allege how such misuse is certainly impending”. In other words, the privacy breach is not in and of itself sufficient to prove standing. Similarly, in New Zealand, the Privacy Act expressly states its privacy principles generally “do not confer any legal right enforceable in a court of law”.
President Barack Obama has put out for discussion a draft of the Consumer Privacy Bill of Rights Act. The Act would:
- require compliance with fair information practice principles, which set out the legal obligations for the covered entities when collecting, creating, processing, using or disclosing personal data
- require that data security measures are reasonable in light of the “privacy risks”, defined as those risks that cause emotional distress or physical, financial or professional harm to the consumer
- impose civil penalties up to US$25 million, and
- provide a safe harbour for those entities that adhere to codes of conduct approved by the Federal Trade Commission.
Federal Trade Commission releases the “Internet of Things” report
The Federal Trade Commission (FTC) has released a report detailing best consumer privacy and security practices for businesses engaged in the “Internet of Things” (IoT). The IoT refers to the connection of everyday devices to the Internet and the transmission of data between those devices. This is to be a focus of the FTC’s enforcement action in the future.
UK & EUROPE
Court decision against Google
The English Court of Appeal, in Google v Vidal Hall, determined two important issues of law - whether the cause of action for misuse of private information is a tort, and whether a claim for damage can be made under section 13 (compensation) of the Data Protection Act 1998 (DPA) without showing pecuniary loss.
The case concerns Google’s collection of information about the browsing habits of Safari users without their knowledge and consent. The Court ruled that misuse of private information should be considered a tort, rather than an equitable claim for breach of confidence. The Court also held that the DPA permits compensation for non-pecuniary loss, such as distress, where privacy rights have been violated. In reaching this conclusion, the Court noted that distress is “often the only real damage caused by a contravention”.
Link: Google v Vidal Hall
EU Art 29 Working Group releases report on website cookie usage
A survey of 478 popular European websites, across the e-commerce, media and public sectors, has shown that many website operators inform their users about cookies but that:
- expiry dates are often excessive
- there is a lack of easily accessible information describing the ways in which, and the purposes for which, Google will process personal data, and
- technical terms are not sufficiently explained to service users.
Google must fix these issues by August 2015.
Outside of the UK, French and Spanish data protection authorities have fined Google €150,000 and €900,000 respectively for breach of their privacy laws and the Dutch data protection authority is currently threatening Google with a €15 million fine.
Link: Google’s undertaking
Half of British consumers think their privacy is at risk
New research shows that almost half of UK consumers are concerned that their personal data is not safe and that most rate data security as equally important to product and service quality when choosing where to shop.