Adequacy Of Data Protection Measures
ADEQUACY OF DATA PROTECTION MEASURES:
THE NEW ZEALAND CASE
12th Privacy Laws & Business Annual
"New Data Protection Law, Issues, Solutions, Action"
Cambridge UK, 29 June 1999
New Zealand has a first class data protection law in its Privacy Act 1993. In some respects the law is a superior data protection measure to many European laws given its comprehensive application to unstructured manual data. The New Zealand Privacy Act is the only omnibus national data protection law outside Europe covering both the public and private sectors. It is therefore something of a paradox that the New Zealand Privacy Act may be judged "inadequate" as a data protection measure in the eyes of the European Union. In this paper, I outline something of the New Zealand Act, and the particular issues calling the New Zealand law into question.
OVERVIEW OF THE NEW ZEALAND PRIVACY ACT
New Zealand is no newcomer to data protection. Although it is a small nation dependent on international trade, New Zealand did not pass the 1993 Act as a rushed or superficial response to the prospect of the EU Directive on Data Protection.
The Privacy Act 1993 built upon many years' experience of statutory data protection and following considerable study and consultation. Indeed, the New Zealand Government, in its Privacy Commissioner Bill 1975, was one of the first in the world to propose establishing a Privacy Commissioner by law.
This is not the place to recount in detail the
background to the omnibus privacy legislation ultimately
enacted in 1993 but, briefly, some milestones include:
· the Wanganui Computer Centre Privacy Commissioner operated from 1977 to 1993;
· adoption of the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data in 1980;
· freedom of information legislation, including public sector rights of access and correction, in 1982;
· studies of the need for, and possible shape of, privacy and data protection legislation in 1987 and 1988;
· enactment of the Privacy Commissioner Act 1991 later consolidated, following detailed study by a Parliamentary Select Committee, into the Privacy Act 1993.
I mention these matters as indicating how one nation has grappled with the complexities and challenges of data protection. New Zealand certainly does not have a "pure" or "perfect" data protection law. The protection of privacy involves the balancing of competing interests and democratic law-making involves certain trade offs. However, it is nothing like the US "safe harbour" proposals which give the impression of a frantic scramble to give the appearance, but not the substance, of adequate protection. New Zealand's Act is an advanced data protection measure developed over several years which, seen in its totality, should be considered somewhere near the "excellent" end of the scale rather the merely "adequate".
New Zealand Act
I now offer a short rundown on what constitutes the New Zealand Privacy Act 1993. For a detailed understanding of the law reference should be had to the Act itself and to the secondary sources listed at the end of this paper.
The Privacy Act has a set of information privacy principles similar in approach to that taken in any European data protection law. They are entirely compatible with the EU approach. That, of itself, is fairly unremarkable. The noteworthy aspect is that those principles are applied by law in a very broad range of circumstances. First, the principles apply to all "personal information" which means any information about an identifiable living individual. The principles apply to the collection, holding, use and disclosure of personal information by all "agencies" and confer rights of access to and correction of personal information held by agencies. "Agency" is defined in an all encompassing fashion (with certain limited exemptions, the only notable one for present purposes, being the news media in their news activities).
The effect is that the Privacy Act covers virtually every agency in the country, whether in the public or private sectors. The Act's set of information privacy principles apply to personal information in whatever form it is held, whether electronic, manual, or otherwise.
All agencies are obliged to comply with the
information privacy principles. For example, when
collecting personal information from the individual
concerned an agency must explain the purpose of collection,
the intended recipients and the rights of access and
correction. The agency may use and disclose such
information only for the purposes for which it was obtained
or in certain exceptional circumstances listed in the
principles. Pursuant to the principles an agency may only
retain the personal information for so long as it may
lawfully be used and must be satisfied as to its accuracy
before using it. Agencies are required to action requests
by the individual concerned for access to information and
for correction. The principles also constrain demands for,
and reassignment of, unique identifiers.
The Privacy Commissioner is the national data protection authority. He has a wide range of functions to promote and protect privacy. One of the most important roles relates to cases where individuals have suffered an interference with their privacy. The New Zealand Act emphasises the use of the civil law in redressing complaints and does not impose criminal sanctions. It also gives complainants a helping hand in the form of a free statutory complaints service operated by the Privacy Commissioner. On receipt of a complaint, the Commissioner has two principal functions:
· to investigate the complaint;
· if the complaint appears justified, to attempt to achieve a settlement.
The Commissioner's processes are inquisitorial and are largely modelled upon those of the Ombudsmen, who have operated in New Zealand since 1962. The Commissioner has received and investigated thousands of complaints since the Act commenced in 1993. Most of these have been able to be successfully resolved through investigation, informal conciliation or, if necessary, the rendering of a formal opinion by the Commissioner. The Commissioner cannot award compensation (although many negotiated settlements include an element of compensation) nor order any other action to be taken. However, the Commissioner may take cases to the Complaints Review Tribunal if he considers them to be justified and they have not been able to be settled. The Tribunal can award damages and issue other enforceable orders. Similarly, if a complaint is unable to be resolved it is open to the aggrieved individual to take proceedings to the Tribunal. Of the more than 5,000 complaints made to the Commissioner, only about 2 dozen have proceeded to the Tribunal. Complaints can be laid by anyone, including citizens of the European Union, about processing of personal data in New Zealand.
Subject to comments below about the complaints queue, the procedures for obtaining redress for an interference with privacy work well. Specialist investigation and conciliation by the Privacy Commissioner's office has led to an efficient and low cost procedure. It brings a great deal of expert data protection knowledge to bear, resulting in consistent and non-litigious dispute resolution accessible to ordinary people. However, at the end of the day the process is a legal one and complainants can have their "day in court" if dissatisfied with the Commissioner's opinion. Individuals can be compensated for harm that they have suffered as a result of breaches of the information privacy principles. They need not be satisfied simply with a finding of fault.
I will finish this exceedingly brief commentary on the New Zealand Privacy Act, by mentioning the Privacy Commissioner's powers to issue codes of practice. These allow the requirements of the information privacy principles to be modified in respect of a particular type of information or data processing, or an industry or sector. Codes can prescribe standards which are more stringent or less stringent than the principles and may provide how the principles are to apply in particular circumstances. Codes may also exempt certain actions from the principles.
QUESTIONS OF ADEQUACY IN RELATION TO THE NEW ZEALAND ACT
In the balance of this paper, I mention
four issues which have been suggested as possibly calling
into question the adequacy (in terms of the EU Directive) of
the protection offered to personal data by the Privacy
Standing requirement for access or rectification requests
Access to personal information held about oneself is a fundamental privacy right. Denial of the right may mean that individuals, in some circumstances, will be unable to know what information is held, and possibly being used, to their detriment. Access has been likened to shining a light into dark corners. It enables individuals to find out what is known, or believed, about them. By obtaining access an individual is also in a position to ensure that other information privacy principles are adhered to. Having obtained information, an individual is also able to seek correction of any inaccuracies.
Information privacy principle 6, which confers the right of access, is subject to procedural provisions in the Act. One such provision imposes a standing requirement to the effect that such requests may be made by New Zealand citizens and permanent residents (wherever they are) and by any other individual who is in New Zealand.
The Act does not discriminate against foreigners who are in New Zealand. If a European happens to visit or work in New Zealand, that person is entitled, as is any citizen or permanent resident, to have access to information held about him or her and to ask for it to be corrected. If such a request is lodged, and the information withheld, that individual can request a review of the decision by the Privacy Commissioner and, if necessary, enforce the right of access through the Complaints Review Tribunal and, in some cases, the Courts. Proceedings can continue after a requester has departed so long as a valid request was made while the foreigner was in the country.
This is problematic in terms of adequacy since it means that Europeans whose data is transferred into New Zealand for processing may have no legal rights of access if they do not also travel to New Zealand. The standing requirement was the subject of adverse comment in the case studies used by consultants to the European Commission in developing a methodology to assess adequacy.
In my opinion, the Privacy Act offers an "inadequate" standard of data protection on this point. I offer no justification for the restriction on access which really ought to be dropped. The Privacy Commissioner has recommended to that effect. I note in passing that there is a similar shortcoming in the federal privacy laws both in Canada and, in respect of rectification only, Australia.
However, that is not the end of the matter.
Notwithstanding the question mark in terms of adequacy it
needs to be borne in mind that:
· the fact that an individual does not have a legal right of access and correction does not necessarily mean that requests for access or correction will be denied in practice - many agencies will willingly give access so long as their costs are met and they can be satisfied as to the identity of the requester;
· while an agency may not be obliged to act upon a correction request in terms of information privacy principle 7, it will nonetheless be obliged to consider the question of accuracy if it intends to use any such information;
· if the information is held by a public sector body it is possible for access to be obtained by asking a friend or agent in New Zealand, to seek the information pursuant to our freedom of information laws.
Processing sensitive categories of data
The Privacy Act does not enumerate categories of "sensitive data" and apply special controls to those. The European approach in this regard, both of the Council of Europe and the European Union, is not replicated in the OECD Guidelines on which the New Zealand Privacy Act is based.
In my opinion, the absence of a sensitive categories approach should not be seen as a shortcoming calling into question the adequacy of New Zealand's law. The sensitive categories approach is, perhaps ironically, more in tune with the sectoral approach of the United States than it is with broadly based privacy law such as New Zealand's.
The approach of the OECD Guidelines, and New Zealand's Act, is to impose fair information handling practices upon all personal information held by an agency rather than focusing solely on information carrying special risks. However, when dealing with sensitive information one would expect agencies to take special care and this would be reflected in the interpretation of several of the New Zealand principles. For example, principle 4 prohibits the collection of personal information by means which "intrude to an unreasonable extent upon the personal affairs of the individual concerned". Sensitivity of the information could certainly be relevant in applying that principle. Similarly, principle 5 requires an agency to take such security safeguards to protect personal information "as it is reasonable in the circumstances to take". Again, special security safeguards for especially sensitive information would be expected.
Furthermore, while the Privacy Act does not itself enumerate sensitive categories of data it nonetheless has the flexibility to respond to such concerns. For example, the Privacy Commissioner is able, by code of practice, to impose more stringent standards than are generally required. He has already issued the Health Information Privacy Code 1994 which, in respect of medical data, toughens the privacy standards in certain respects.
Other New Zealand laws sometimes imposes stricter controls in respect of certain information which might be considered "sensitive". For example, the New Zealand Bill of Rights Act 1990 and the Human Rights Act 1993 enumerate grounds, including, for instance, race and sexual orientation, in respect of which discrimination is prohibited. As a result, an employer or landlord may be precluded from demanding certain details concerning a member of a minority group. These offer additional protections over and above the Privacy Act and its generally applicable principles.
Delays in investigating complaints
The EU, in assessing adequacy, is not simply interested in the existence of satisfactory rules for data protection but also seeks reassurance that in practice these rules are adhered to. It is expected that there be a mechanism for redress if there is apparent breach. I endorse that approach.
There is room for a variety of approaches to ensure compliance and to put things right where there has been a breach of the rules. Some countries rely on criminal sanctions to modify the behaviour of data controllers. Others prefer civil remedies through the courts. Some adopt a mixture. In New Zealand, as earlier explained, a complaints process exists which starts with investigation of the facts of a complaint followed by attempts at informal resolution, backed up, if necessary, by Tribunal proceedings.
The Office of the Privacy Commissioner is central to the effective resolution of complaints. The Commissioner exercises a number of functions in addition to complaints handling (for example, he scrutinises legislation from a privacy perspective, supervises data matching activities and issues codes of practice). However, it is complaints handling which places most demands upon his resources. Unfortunately, the number of complaints received by the Commissioner's Office has outstripped the resources provided by the Government to enable the investigation and resolution of complaints. Accordingly, some time ago the Commissioner instituted a system whereby new complaints were added to the current workload of investigators only when existing complaints files were closed. The unallocated complaints remain in a queue which, worryingly, now exceeds 14 months and is growing.
A complainant is not entitled to take a matter to the Complaints Review Tribunal until the Privacy Commissioner has completed an investigation and made settlement attempts (unless he has determined that either step is not warranted). The inquisitorial investigation process, and informal conciliation methods, are found to be eminently suitable for the access and privacy complaints brought to the Commissioner. The process carries far fewer compliance costs than alternatives such as litigation or, in terms of our own scheme, tribunal proceedings. It is therefore disappointing that the process is placed under such pressure due to underfunding.
Does this affect "the adequacy" of the New Zealand arrangements in European eyes? The consultants to the European Commission which applied a methodology to assess the adequacy of data protection in third countries opined that the backlog in complaints was "disturbing". Certainly many New Zealanders are appalled by such a delay. In some circumstances, justice delayed will effectively be justice denied. Certainly delays can make the investigation or settlement of complaints more difficult.
Excessive funding would be required to provide "instant" investigation in busy periods. Small delays are quite acceptable and conducive to efficiency. However, while most of us would readily accept a two or three week delay in investigating complaints, how do we feel about a two or three month delay? If 3 months is OK, what of the New Zealand situation of a 14 month delay?
I caution EU officials against simply assessing the letter of a law and ignoring the actual performance of implementation arrangements. On the other hand, the EU would have a difficult task to monitor delays on a worldwide basis. I suggest that European institutions, such as the Article 29 Working Group, look at the issue. Perhaps they might establish benchmarks as to current and acceptable practice. Can we really conclude that a 14 month delay is inadequate in New Zealand's case without knowing, for instance, whether backlogs exist in obtaining redress for breach in Europe and, if they do, the extent of such delays?
Absence of data export controls
The OECD Guidelines, on which the New Zealand Privacy Act is based, never required the establishment of data export controls. Impediments to data export were seen as an evil to be avoided through the establishment of consistent and compatible privacy laws between member countries and others.
Indeed, it might even be argued that the current fad for data export controls, in Europe and elsewhere, is actually a manifestation of the problem which the OECD Guidelines were supposed to prevent. If so, this may simply point to the ineffectiveness of the OECD Guidelines in establishing worldwide minimum consistent data protection laws. That failure is also shared with the United Nations which has taken no effective steps to establish international norms and implementation mechanisms. Accordingly, it has been left to the European Union, a regional institution, both to protect its own data protection standards but also, in effect, to export those standards to non-member countries. While I generally see this as relatively benign, I have misgivings about the EU insistence upon third countries also having to enact data export controls themselves.
Although the OECD Guidelines did not require data export controls, they did acknowledge that such controls might be appropriate in certain circumstances. The OECD Guidelines provide:
"A member country should refrain from restricting transborder flows of personal data between itself and another member country except where the latter does not yet substantially observe these guidelines or where the re-export of such data would circumvent its domestic privacy legislation. A member country may also impose restrictions in respect of certain categories of personal data for which its domestic privacy legislation includes specific regulations in view of the nature of those data and for which the other member country provides no equivalent protection."
In terms of the international approach to data protection it is fair enough that the EU establish data export controls. I personally may question their necessity, desirability and effect on compliance costs, but controls are nonetheless legitimate. Similarly, in accordance with clause 17 of the OECD Guidelines New Zealand could establish its own data export controls if it saw those as desirable. However, what the EU is effectively saying is that if the EU has data export controls, everyone must have them. It does this in response to a concern about safe countries acting as a conduit to unsafe ones - although I am unaware of any evidence of such a problem. I think that this approach is far too prescriptive.
New Zealand's Privacy Act does not contain a data export control of the type to be found in article 25 of the EU Directive. However, any personal data from Europe transmitted to New Zealand must be processed in accordance with the information privacy principles. Data re-export would generally only be permitted if that were to be consistent with the purpose for which the New Zealand agency received the data. If a European data controller explicitly sends the data to New Zealand for re-export then that will be permitted. If that transmission from Europe is done with an intention to bypass European controls, it seems to me that any culpability falls upon the European data controller which is seeking to circumvent its own national law. The New Zealand agency is not seeking to circumvent any law which applies to it but merely accept its principal's instructions. Surely Europeans should be looking to the adequacy of their own data protection laws if any European agency is taking such actions?
I have real concerns as to the introduction of data export controls into New Zealand. It seems to me likely to carry compliance costs for New Zealand business without necessarily bringing much benefit to individuals. Quite frankly, I believe that data export controls have the potential to give information privacy laws a bad name.
The Privacy Commissioner has proposed that New Zealand adopt a very limited data export control. The proposal is for a mutual assistance provision enabling the banning of particular data exports when a national data protection authority offers evidence that a transfer is being undertaken to circumvent its domestic data protection laws. The New Zealand Government has not indicated whether it will implement such a proposal.
view, the total absence of a data export control should not
necessarily automatically result in a finding that a
jurisdiction's privacy laws are "inadequate". In any event
it cannot be said that New Zealand's law is totally without
controls relating to data exports. In particular:
· section 10 of the Privacy Act continues to apply certain of the New Zealand principles to personal data transferred out of New Zealand in the event that a New Zealand agency retains control of the data;
· information privacy principle 11 constrains disclosure generally and will, for example, usually prohibit transborder disclosures which are unauthorised or contrary to the purpose for which the information is held;
· the Privacy Commissioner can issue codes of practice which, in certain circumstances, might constrain data exports or require the exports to be undertaken in a certain manner.
In my opinion, European officials should be slow to harshly judge the New Zealand law as inadequate based on certain particular features. Instead, they should look at the Privacy Act in its totality. On that basis I believe New Zealand's law should be assessed as offering adequate protection subject only to the need to remove the standing requirement for access and correction requests.
New Zealand's privacy law generally
· Elizabeth Longworth and Tim McBride, The Privacy Act: A Guide, 1994
· Privacy Commissioner, Necessary and Desirable: Privacy Act 1993 Review, November 1998
· Dr Paul Roth, Privacy Law and Practice, Butterworths, 1995-99 (looseleaf, 2 volumes)
Adequacy of NZ Privacy Act in terms of EU
· Privacy Commissioner, Necessary and Desirable: Privacy Act 1993 Review, pages 9-10, 19-20, 102-107 and 171-181
· Raab, Bennett, Gellman and Waters for the European Commission, Application of a Methodology Designed to Assess the Adequacy of the Level of Protection of Individuals with regard to Processing Personal Data: Test of the Method on Several Categories of Transfer (Final Report), September 1998
· Nigel Waters, "Assessing Adequacy: How difficult do we want it to be?" (1999) 5 PLPR 8
· Graham Greenleaf, "New Orientations on the EU Privacy Directive" (1998) 4 PLPR 154 and 185