Privacy Law and Policy Reporter
compiled by Nigel Waters
The Land Transport Bill, recently introduced to the NZ Parliament, will establish a nationwide plastic card driver licence displaying, for the first time, a photograph. The bill presently provides that the database containing the digitized image will only be available to the police for traffic enforcement. Especially controversial is the obligation to carry the licence at all times when driving. The mandatory carriage requirement for all drivers is entirely new and is accompanied by fines and a power for police to detain motorists for 15 minutes to check identity — even when a licence is produced.
The bill will also allow the Land Transport Safety Authority to get into the business of selling ID cards to non-drivers.
The Privacy Commissioner has expressed concern publicly that the proposal may amount to the creation of a de facto national ID card without the national debate, beyond road safety issues, that such a step warrants. He has also been critical of the lack of adequate and public privacy impact assessment of the initiative by its proponents.
Blair Stewart, Manager,
Codes & Legislation,
Office of the Privacy Commissioner, NZ.
The Senate Select Committee on Information Technologies, which was appointed in August 1997, decided in November to undertake an inquiry:
to evaluate the appropriateness, effectiveness and privacy implications of the existing self regulatory framework in relation to the information and communications industries and, in particular, the adequacy of the complaints regime.
Privacy and Consumer advocates only became aware of the inquiry, and of the 5 January closing date for submissions, in December, and have not surprisingly experienced some difficulty in organising input over the holiday period. Fortunately the Committee agreed to accept late submissions, and both the Privacy Charter Council and the Privacy Foundation, as well as consumer bodies, have made contributions.
The placement of privacy in the terms of reference is somewhat odd, since it is the privacy implications of the information and communications industries’ activities, rather than of the regulatory framework, itself that is at issue. At least the formulation ensures a prominence for privacy that it might not otherwise have received. One reason for this placement is hinted at in the information booklet from the Committee (http://www.aph.gov.au/senate/committee/advert/it_inq.htm), which talks about the need for a balance between individuals, privacy rights and other public interests. In this respect the inquiry appears to see privacy concerns as a possible barrier to regulatory initiatives designed to address other social and consumer concerns.
The booklet makes it clear however that the Inquiry is also interested in the appropriateness and effectiveness of self-regulation in dealing with privacy concerns, and there is specific reference to media intrusion into privacy, with the Thredbo landslide, the Port Arthur shootings and the death of the Princess of Wales cited as controversial examples.
The self-regulatory framework referred to is explained in the booklet as comprising the various Codes of Practice registered under the Broadcasting Services Act, and being developed under the Telecommunications Act. This of course leaves most of the operations of ‘content’ providers, which the lay consumer would see as part of the communications industry, broadly defined, unregulated other than by normal trade practices and censorship laws, and without any significant self-regulatory standards or complaint resolution mechanisms.
The Committee’s report, which is due in June 1998, should be a useful contribution to the current debate on privacy, provided the Committee’s tight timetable allows it to receive and take account of a balanced range of submissions. The hearings which the committee is expected to hold could be an important factor in achieving this.
Nigel Waters, Associate Editor.
‘The Federal Trade Commission will be looking at your web site in March! Does your company collect personal information online? If the answer is yes, you should know that the FTC is planning a formal survey of commercial web sites to determine business’ progress with self-regulation.’ So reads a notice on the web site of the US consultancy service, Privacy & American Business at http://idt.net/~pab/
This timely warning reminds us that the US is not, as some in business and government would have us believe, a regulation-free zone. The Clinton Administration made it clear in 1997 that while it favours self-regulation over statutory intervention, business needs to deliver on effective standards and compliance. In July 1997, launching A Framework For Global Electronic Commerce, the President’s statement said
The Administration considers data protection critically important. We believe that private efforts of industry working in cooperation with consumer groups are preferable to government regulation, but if effective privacy protection cannot be provided in this way, we will reevaluate this policy.
The FCC’s ultimatum to Internet content providers backs up this general policy, subsequently re-iterated on several occasions by the Presidents’s Senior Domestic Policy Advisor, Ira Magaziner.
In a related development, 14 leading ‘information brokers’ in the US have reached an agreement with the Federal Trade Commission to voluntarily restrict public access to some personal information, if individuals request them to do so. The agreement, set out in an FTC report issued in December 1997 (see http://www.ftc.gov/opa/9712/inrefser.htm) was reported in the US press as a response to widespread concern about identity theft and fraud over the last few years, and an attempt by the industry to head off legislative controls. It includes a commit-ment to an annual audit by a third party, the results of which will be made public.
On closer examination however, the initiative appears pathetically weak. The companies have only agreed to suppress limited classes of information on express request to the individual companies, and the complete suppression is only from general public access — restricted access will still be available to commercial users including marketers, banks, lawyers and journalists, and complete access not only to law enforcement agencies but also to private investigators and corporate security.
Apart from concerns about private and commercial abuses, privacy advocates are also very worried about the effect of the agreement on public authorities access to information, which has traditionally been protected by ‘due process’ safeguards such as the need for judicial warrants or subpoenas. Marc Rotenberg, director of the Electronic Privacy Information Centre, is quoted as saying:
this stands the Fourth Amendment [protection against unreasonable search and seizure] on its head ... This is like giving law enforcement copies of the telephone book but telling individuals they have to request specific listings.
This development, and reaction, parallels concerns in Australia about creeping extensions of the powers of law enforcement and revenue protection authorities (see (1997) 4 PLPR 110-112).
The FTC Chairman, Robert Pitofsky, is reported as acknowledging that previous attempts at self-regulation by this industry had fallen short, and expressing disappointment that the companies have refused to give consumers access to information about themselves. While on the one hand apparently saying that the new policy should be given a substantial test before new laws are enacted, he is also reported as contending that the principles are imperfect and leaving open the possibility of legislative attention by Congress.
Nigel Waters, Associate Editor. (Sources: New York Times and Washington Post, 18 December 1997.)
As noted in the last issue ((1997) 4 PLPR 120), Privacy Commissioner Moira Scollay has recently made some changes to the organisation of her office. Her office has provided the following update on the new structure.
The new structure follows significant budget cuts, but also reflects the Commissioner’s view that the terms of the privacy debate in the digital age require some slight changes of emphasis for her work.
A new position of Deputy Privacy Commissioner was advertised in early December, and is expected to be filled by February. The Deputy Commissioner will be expected to act as a strong second public face for the Office, as well as having overall administrative respon-sibility for its work. [We will profile the appointee in a future issue of PLPR — Ed].
The Commissioner has also decided to devote additional resources to the IT Standards section, based in Canberra under the management of Paul Kelly. This reflects the rapid shift of digital technology to the centre of the privacy debate over recent years, and the Commissioner’s desire to continue to contribute to discussion of some of the more technical issues which now routinely arise The Commissioner’s webpage [www.hreoc.gov.au/hreoc/privacy/privacy.htm] is being rebuilt and updated, and will then be given a high priority as her publishing medium of choice.
In the early part of 1998 Commissioner Scollay will finalise a set of privacy principles for adoption in the private sector. In the longer term she has also decided to devote more resources to her work in promoting both privacy in general and the work of her office, with a new education and promotion section under the management of Sue Colman.
All this has meant a need to consolidate some of the important work traditionally done by the office, bringing policy, complaints and compliance work together in one section. The Commissioner is keen to maintain the high reputation of her office for its policy work, but has also stressed that she intends to give continued emphasis to her compliance/audit functions. While this necessarily means that some work will have to be prioritised, the Commissioner and her staff will be doing their best to keep up with the inevitable demands they will face.
A timetable for legislation to implement the government’s decision to establish the Privacy Commissioner’s Office as a separate statutory body has not yet been announced. The Office can be contacted by E-mail on email@example.com
Office of the Privacy Commissioner.
New Zealand Privacy Commissioner, Bruce Slane, is to feature in a regular nationwide radio broadcast. The monthly Radio New Zealand slot continues Commissioner Slane’s efforts to communicate a privacy message directly to the public — especially important in the light of continuing attempts by sections of the print media to misrepresent and trivialise privacy rights. In previous years Slane has contributed a weekly opinion piece to the tabloid Sunday News under the rubric ‘privacy matters’. He also publishes a monthly newsletter — one of only a few commissioners to do so.
Blair Stewart, Manager, Codes & Legislation, Office of The Privacy Commissioner, NZ.
In a recent appointment, Deborah Marshall has become the Manager Investigations at the Office of the Privacy Commissioner. Deborah was previously the manager for investigations in Auckland. The new position, which was publicly advertised, has nationwide responsibility for investigation of all complaints. The investigation staff are located in both Auckland and Wellington.
Blair Stewart, Manager, Codes & Legislation, takes on responsibility in relation to information matching formerly undertaken by Bob Stevens. Blair already oversaw the assessment of proposals for new information programmes. The role now extends to the monitoring of operating programmes and their periodic reassessment. One early priority will be the completion of the reassessment of the first group of matches authorised in 1991.
Nigel Waters (who, as vice-president of the Australian Privacy Charter Council participated in the forum. The Charter Council’s submission to the Inquiry is at (1997) 4 PLPR 117-119.)