On Newshub Nation: Lisa Owen interviews Privacy Commissioner John Edwards

Lisa Owen: Privacy Commissioner John Edwards has a simple way to assess the risk of your personal information being collected and shared online. He says "if you're not paying, you're the product”. He deleted his own Facebook account earlier this year after a run in with the social media giant. Now he's pushing the government to tighten up our privacy laws to keep pace with technology. I began by asking him if there's such a thing as privacy in the modern digital world.
John Edwards: Yeah, there is. It’s obviously an idea that’s changing, but all around the world, we’re seeing, rather than the diminution of privacy, which some in big data industries kind of promoting, we’re seeing a further demand for privacy. And we’re seeing regulation increasing all around the world, outpacing where New Zealand’s got to.
Lisa Owen: Do you actually think it is being promoted by big data companies, forget it, don’t worry, there is no privacy any more, everybody’s an open book?
Yeah. I keep a folio of magazine covers and headlines heralding the death of privacy, and it’s been going since the 1950s. You know, 1970s with Newsweek; we’ve seen Time Magazine. Just recently, I saw an article titled, ‘Getting by in a post-privacy world.’ We’re not in that world. The concepts of privacy are changing. What we are increasingly seeing consumers and citizens demanding is greater transparency. Not don’t tell anyone anything, but tell us what you’re going to do with our information when you collect it.
I want to talk about how we keep pace a little later, but you have said in the past that it is a fundamental human right, privacy. But say, unlike the right to food or shelter, privacy is an incredibly subjective thing, you could argue. So how much privacy do we have a right to?
Sure. Well, you’re right, Lisa – it is subjective, but it’s also highly contextual. You know, when you go to the doctor, you think, this is about as private as it gets, right? But within that ecosystem, there are reports to laboratories, to pharmacies, to funders, to insurers, to employers. All around, you know, that information follows. Privacy is not necessarily about restricting the flow or putting up the gates; it’s about ensuring people have some autonomy, so that they can retain some element of control over what happens to their information.
Do you think, though, that we assume that we have more privacy than we actually do?
Possibly that’s true for some. I mean, we do see our survey results, which we conduct every two years, indicate a high level of concern about diminution of privacy. We see actually growing levels of trust in government’s ability to manage privacy, so that’s a good thing. But we see increasing levels of concern about how industry handles our personal information. We see high levels of concern about privacy of young people.
Yeah. So do you think there is a generation of young people who have unwittingly thrown open a door to their private information without realising it?
I think that young people are more canny than we give them credit for. You know, I often speak to groups who say, ‘Young people don’t care about their privacy – look what they’re posting on Facebook.’ Well, you know, you tell that to a parent who’s teenager has blocked them on Facebook. You know, these kids are making privacy choices. They’re using pseudonyms; they’re using technology like Snapchat, which erases the record. They are being very selective, in fact, about what they post. So yeah, again, I come back to my theme – privacy is changing, but it does remain a fundamental human right.
Okay. So with privacy changing, then presumably the laws need to change as well, and we are currently reviewing the Privacy Act. How can you actually make the law keep pace with technology that seems to be changing constantly? You’ll be outdated by the time you get your law stamped off.
Well, that’s right. And if you do regulate with reference to specific technologies, that’s the exact risk. What we’ve found is that our privacy law is principle-based, so it’s actually managed to stand these changes in technology reasonably well. But what we have not kept pace with is the globalisation of personal information. You know, data knows no borders. And so there’s a real pressure, I think, to make sure that we have compatible laws with the nations that we’re trading with and that we compare ourselves with. We’ve just seen, for example, California pass one of the most progressive privacy laws in the world. And that, I think, has surprised everyone in this area of business.
So what do you think our biggest challenge is here in New Zealand when it comes to privacy?
I think it’s a question of scale. I mean, we are net contributors of personal data. Very many of the organisations that we are giving our data to are based offshore. So we’ve got those challenges of the networked data economy.
And you’ve obviously faced one of those challenges in the sense of the borders with Facebook, who said, ‘Nah, go away. We’re not based there in New Zealand’. So you’re powerless in that respect.
Well, there is a real issue there. There’s an imbalance. You know, Facebook is an enormously powerful empire, literally. It’s an economy in itself. It’s an entity with a population of 2.5 billion people and huge financial resources. We say to Facebook, when you are collecting the information of 2.5 million New Zealanders, when you are collecting revenue from advertisers, when you are directing people who land in New Plymouth to the places, the businesses where all their friends have visited, you are doing business in this country, and you’re subject to New Zealand’s laws. Now, they have a different approach to jurisdiction.
You have said if you are not paying for a service, you’re the product. So what do you mean by that?
Yeah. It’s become a bit of almost a cliché in our world, that when you’re offered something online that is free, that is attractive to you, you are actually contributing your data. Your personal information, Lisa, in this economy, is currency. This is the trade. You get the service, you exchange your personal information for that. Now, in that, it’s incumbent on that organisation to be open with you about why they’re collecting the information and to restrict the information to those purposes.
Well, because that’s the thing – it’s really about where the line in the sand is. Because if you look at the Cambridge Analytica scandal, which is an example of that, where people’s data was being harvested via Facebook and used for targeted electoral campaigning, right? Can we be sure that there are no other companies doing that kind of thing in New Zealand?
Well, we can’t be sure, because we don’t go out and positively audit every entity. You know, the Privacy Act in New Zealand covers almost every conceivable enterprise in the economy.
And that’s the problem, isn’t it? Because you don’t know until you know.
That’s right. Yeah, that is a real problem. I guess a lot of our laws act in that way. You know, if somebody’s breaching a Fair Trading Act, you don’t know about it until somebody makes a complaint and says, ‘You know, I asked for this thing. It doesn’t have the features I expected to see in it.’
Yeah, of course, but this is not just social media. So you sign up for loyalty cards, like for the shopping, for the supermarket, you sign on for logins for entertainment sites. A lot of them, even if they’re free, make you create a login; there’s cookies. Where do you draw the line at what is acceptable use of information? When does it become an issue? So Cambridge Analytica was hoovering up all this information. Lots of other companies are as well. That’s why when I look at a dress online, they keep bombing me with more dresses or clothes that look like the one I’ve looked at. So where is the line?
Sure. Yeah. I mean, we would draw the line at misleading conduct, unlawful collection of information. But in New Zealand, we have a particular cultural legal approach to enforcement of this law. We say the law sets up these principles which businesses are supposed to comply with, but they’re not enforceable until someone suffers some actual harm. So you getting an advertisement for a dress and saying, ‘Well, that’s creepy. Why are they doing that?’ You know, that’s annoying, but it hasn’t caused you harm to the threshold that gives you access to the remedies under the Privacy Act. It can get even more creepy. With the Cambridge Analytica kind of thing, that was misleading, it was misrepresenting, it undermined some of the democratic institutions. And, you know, that is a wider societal harm rather than a harm to a particular individual.
Right. Well, there is no mandatory reporting requirement at the moment if someone breaches your privacy, you want that to change.
Yes. Yeah.
How so?
Well, we’ve slipped way behind most of the countries that we compare ourselves to in the world in this regard. There’s no obligation on a company that you have entrusted your personal information to who loses it or compromises it to tell you about it. We’re very happy that that is included in the bill that parliament is currently looking at. The Minister of Justice, Andrew Little, introduced that as one of his first, kind of, legislative reforms, and that is going to catch us up in that regard.
So, what level of breach would you need to notify someone of?
That’s something that the Select Committee is actually working on. Because it’s quite tricky.
But in your view?
In my view, well, I’m happy with the threshold of something that is likely to cause serious harm. So if there is information that’s compromised that could be exploited by someone to do you harm, such as to allow them to impersonate you online, such as to access credit-card details, to access online accounts, you should be told so you can take steps to protect yourself.
Okay. Well, let’s talk about punishments, then, because at the moment, well, you want to see civil fines of up to a million dollars for serious breaches or people who are repeat offenders. Won’t a company like Facebook just refuse to pay, because they’ll say, ‘We’re based offshore’?
Well, actually, since we had that issue with Facebook earlier in the year, they have even changed their terms and conditions. They had said to New Zealand Facebook users, ‘We will comply with the laws of your country.’ I think that’s quite significant.
It’s yet to be tested, though, isn’t it?
It is yet to be tested, but if you look at all those big data companies, they tend not to respond to regulators like me unless there is a court backing for it.
Is a million dollars enough, then?
Well, I think it’s still an amount that makes a company sit up and take notice. That’s not in the bill we’ve submitted. We’ve said to Select Committee we think that should be there. We’ve said to the Minister of Justice we think that should be there.
Because would you say that it is toothless without that level of punishment?
I think this is, yeah, a singular opportunity we have to upgrade that part of our law. You know, if you send a spam message, the dress one that you mentioned, you can be subject to civil penalties – the Unsolicited Electronic Messages Act has that in it. If you breach the Fair Trading Act and misrepresent the quality of your product, you can be subject to prosecution by the Commerce Commission. If you do either of those things in breach of the Privacy Act – no consequence.
Thank you for joining us this morning, John Edwards, Privacy Commissioner.
Thank you, Lisa.
Transcript provided by Able. www.able.co.nz

________________________________________

Newshub Nation on TV3, 9.30am Saturday, 10am Sunday. Proudly brought to you by New Zealand on Air’s Platinum Fund.

© Scoop Media