Thursday, July 03, 2008



Exposing a hole in our privacy laws

Yesterday the government introduced the Privacy (Cross-border Information) Amendment Bill to the House. The bill would amend the Privacy Act to prevent New Zealand being used as an intermediary to escape stronger privacy protections in other countries. For example, the European Directive on Data Protection (their overarching privacy framework) bans the transfer of information to other countries unless those countries have an adequate level of privacy protection. The problem is that information could be transferred to a "safe" country, and then to an unsafe one (such as, for example, the USA), thereby circumventing the law. So, in order to "assure their trade partners that New Zealand law will ensure their privacy is protected", we're erecting some protections.

The problem is that we're doing this via a clunky system of "transfer prohibition notices", issued by the Privacy Commissioner, and requiring from the outset knowledge that information is being laundered. That doesn't strike me as a very effective enforcement framework. The penalties for violating such an order - a $10,000 fine - are derisory, and given the amount of money at stake from personal information, likely to be ignored.

The real problem, though, is that while the bill would protect the privacy of overseas citizens, it does nothing whatsoever to protect the privacy of New Zealanders. The EU directive strikes me as a damn good idea, but there is no equivalent in New Zealand law. And that IMHO is a serious hole in our privacy framework. Rather than mucking around with enforcement measures which require omniscience, we should instead follow the EU lead, ban transfer offshore except to countries with equivalent protections or where the information holder agrees to obey NZ privacy principles, and create an offence with real penalties to enforce it.