Review of securities law

The Government has released a discussion document on the “biggest shake-up of fundamental securities law in a generation”. The main act governing securities, the Securities Act, was passed in 1978 and has been in dire need of a review for some time. One proposed change of interest to the IT industry (and others) is to relax the rules on offering shares to employees. Employee share plans are often a desirable strategy for many startups. As the document notes, employee share plans:

are … used as a partial substitute for cash remuneration (especially in young, rapidly growing companies that are “cash poor”), and to foster a sense of ownership among employees and participation in the company’s management and direction.

Unfortunately, New Zealand’s existing law makes them more complex to implement than they should be, in particular for small businesses (see my post Clearing the path for employee ownership). The review will hopefully change that:

The Ministry proposes to [allow] offerings of equity and equity options to employees of all companies (listed and unlisted), up to 15% of assets or 15% of the outstanding value of securities of the same class. An additional restriction that we are considering is to require that employee share schemes are offered as part of an employment contract, and would form a single, discrete offering not integrated with any other offers. This would focus the scheme on the employment relationship and its role in remuneration rather than allowing offers to all employees for fundraising purposes.

This would be a big improvement on the current regime. In my view, the restrictions on employee share schemes should be minimal. The idea of linking share schemes to employment contracts, while potentially slightly more onerous for employers, is a sensible way of providing protection for employees. Generally, people working for a company will have a better impression of its prospects and whether or not it is “dodgy” than the public. If they are offered the opportunity, and make an informed decision to invest, the law should avoid putting roadblocks in their way.

Peer-to-peer lending

The review will also look at peer-to-peer lending. The discussion document outlines the problem:

The Ministry is told that [peer-to-peer lending] services are not practical in New Zealand because the borrower is an “issuer” for the purposes of the Securities Act and Financial Reporting Act. The Securities Act states that for a debt security the issuer is “the person on whose behalf any money paid in consideration of the allotment of the security is received”. The borrower, usually a private individual receiving a relatively small sum of money, would have to register a prospectus, produce an investment statement, and file annual audited financial reports.

Peer-to-peer lending, driven by the internet, is experiencing rapid growth in other countries. It would be very unfortunate if New Zealand does not use the rare opportunity of this review to remove undesirable barriers to this new form of finance. This is especially important given the long-term tightening of credit availability since the global financial crisis, and the possibility that peer-to-peer lending and other forms of micro-finance could provide a critical source of capital for small Kiwi businesses.

The discussion document suggests that the service provider, rather than the individual lenders, could be regulated. That would provide a large piece of the solution, but still has the potential to impose an unrealistic or uneconomic burden on the service provider. To make peer-to-peer lending really feasible, the new securities law must not lump such services (and the people who will use them) in the same class as retail finance operations. Imagine, for example, if every casual Trade Me seller, or even Trade Me itself, was required to be licensed under the Secondhand Dealers and Pawnbrokers Act. A clear exemption should be made for “casual lenders” to participate in peer-to-peer finance, and service providers should be recognised as such – intermediaries, not active participants in any financing.

Law reform for online auctions

The Ministry of Consumer Affairs has released a discussion document on the proposed reform of New Zealand’s consumer law. One of the areas to be addressed is online auctions. Issues include whether online auctions should be regulated in some form, and whether the Consumer Guarantees Act should apply to goods and services bought via online auctions.

Regulation of online auctions

A preliminary (and, let’s be honest, entirely academic…) issue raised in the document is whether online auctions are presently subject to the Auctioneers Act. The document says no, on the basis that the Act only applies to auctions “by outcry”, which is defined as 6 people being physically present:

The reference to “outcry” in the beginning of the definition [of "auction"] applies to the various different auction methods referred to in the definition.

Based on that conclusion, the document goes on to say “the Auctioneers Act definition of auction only applies to auctions where it is possible for the bidders to be physically present with the auctioneer”. I take a different view from the good people at the Ministry. As I wrote previously, in my view “outcry” is not a necessary part of the definition:

there does not appear to be any reason … why the words “by outcry” must apply to the entire definition [of auction] while the other sub-clauses of the definition are read as alternates. Furthermore, to do so would limit the final key words “or where there is a competition for the purchase of any property in any way commonly known and understood to be by way of auction.” These final words are clearly a catch-all intended to prevent anything “commonly understood to be an auction” from being inadvertently excluded by the definition.

So my view is that online auctions are currently covered by the Auctioneers Act (which, as I said, is entirely academic). However, I also noted the craziness that online auctions should be “subjected to rules formulated decades ago and premised on a traditional, physical auction process”.

The fact is that specific regulation of online auctions is not currently enforced. Nor is it necessary. Practical enforcement would be difficult. The UK, New South Wales and Victoria (among others) get by quite well without special legislation covering online auction providers. Hopefully, our new law will clearly exempt online auctions and other forms of e-commerce from unnecessary red tape.

Consumer Guarantees Act

The reform will also address the perennial issue of whether the Consumer Guarantees Act (or whatever its replacement will be) should apply to online auctions. There is no doubt that, generally, the same rules should apply for online “buy now” sales as for bricks-and-mortar sales. But what about online auctions?

The document says that whether online auctions are presently covered by the Consumer Guarantees Act is a “grey area”. But in my view there has never been much doubt: online auctions, if they are in fact conducted as an “auction” with bids etc, are not covered by the Consumer Guarantees Act (Trade Me probably wisely leaves it open for now). However, the document gives a strong indication (for a discussion paper) of the preferred view:

There would appear to be justification, accordingly, to clarify that Trade Me style auctions should not be exempted from the Consumer Guarantees Act.

That would be a very sensible proposal, and my bet is this will be an outcome of the review. There will likely be some push-back from Trade Me-exclusive dealers, but most medium/large retailers (who also operate bricks-and-mortar shops) will support it. They already have full consumer obligations for all goods and services sold in their stores and online (non-auction style). So does every corner dairy and most small mum-and-dad shops. There are too many stories of shonky internet-only dealers who are only too happy that they are exempt from the consumer protection obligations that all these other retailers have. Trade Me does a great job in helping out where it can, but the answer is simple: close this unintended loophole. And it doesn’t create more red tape – it simply levels the playing field between dealers and simplifies the consumer protection regime.

Note that the proposal is not to extend the CGA to private online sellers and auctions. As per the current law, it will only apply to sellers “in trade” – i.e. shops, retailers and dealers.

There is debate as to whether online Trade Me style auctions are true auctions of the type intended to be exempted from the Consumer Guarantees Act because they do not meet the definition of auction in the Auctioneers Act. For instance people are not actually physically present for the online auction which is a key component of the “outcry” which is required under the definition of an auction in the Auctioneers Act. As noted, however, the Consumer Guarantees Act does not define auction by reference to the Auctioneers Act, so whether Trade Me style auctions are “auctions” for the purposes of the Consumer Guarantees Act is a grey area, open to interpretation.

Tech law update 21 June 2010

Copyright in compilations

The Independent has an update on YPG’s legal battles to uphold the copyright in its Yellow Pages listings (see my post earlier this year). The outcome of the latest Court proceedings – expected very soon – could be of interest to all database or “compilation” rightsholders.

One such group may be New Zealand television networks seeking to restrict use of their TV listings by third parties. In Australia, this was the subject of the landmark IceTV case – which confirmed there is no copyright in basic, factual TV listings. Recently, Sky Television’s lawyers sent out cease-and-desist letters to people who had written programs allowing its listings to be “screen-scraped”, on the flimsy grounds that such actions breached its copyright in those listings (assuming such copyright even exists).

Google Street View WiFi drama

Errata Security has a good technical explanation of Google’s WiFi sniffing controversy, which is the subject of a preliminary criminal investigation in New Zealand (see my post here). From the post:

Although some people are suspicious of their explanation, Google is almost certainly telling the truth when it claims it was an accident. The technology for WiFi scanning means it’s easy to inadvertently capture too much information, and be unaware of it… It’s really easy to protect your data: simply turn on WPA. This completely stops Google (or anybody else) from spying on your private data (assuming you haven’t done something stupid like chosen an easily guessed password, or chosen WEP instead of WPA). If you don’t encrypt your traffic, then by implication, you don’t care if people eavesdrop on it.

Meanwhile, details are emerging that the captured data included passwords and emails. This is hardly surprising given that a huge amount of computer activity involves these two things, and it doesn’t change the “case” against Google. As I wrote earlier, intention is a key issue, as is whether the captured data is “reconstructed into a communication that indicates confidentiality” and made use of.

Luke Appleby gave his take on the Google WiFi drama here. While my post looked at the criminal acts, Luke rightly points out that Google could also have run foul of s 133A of the Radiocommunications Act 1989. That is certainly worth a look by the Privacy Commissioner (not the police; and there is still a need for intention which has yet to be established), although substantive privacy issues should be the focus of any investigation, if warranted – a case which has yet to be made.

Copyright Amendment Bill submissions

Internet NZ has published its submission on the Copyright Amendment Bill. It includes a great detailed analysis by lawyer Rick Shera. While I have different views on some aspects, I support a good many parts of the submission. Paragraphs 86 and 87 of Rick’s analysis in particular raise key questions that need to be addressed by the Committee.

The submission also emphasises the range of business and government activities reliant on internet access. This is a point I submitted on earlier, and it will be interesting to see if other business sectors pick up on this. For example, do banks and online shops really want their customers to be disconnected for transgressions against another industry group? I’m sure the recording industry would not want their online customers disconnected because one of their kids is caught shoplifting at the local dairy.

Aussie net filter to be back-burnered

The Australian government’s daft plan to impose mandatory internet filtering, which only recently was being pushed ahead, is now likely to be shelved until after the election.

Google not guilty of privacy crime, your honour

The New Zealand Privacy Commissioner’s office has reportedly met with police to discuss a possible criminal investigation into Google’s controversial WiFi data collection. A civil investigation sure, but a criminal one? Really? I hope the police have rather more pressing matters.

But let’s do a quick judge-and-jury exercise. Two relevant laws are sections 252 and 216B of the Crimes Act 1961.

Section 252, which is often misunderstood and is broader than many people may think, prohibits unauthorised access to computer systems. However, based on the reported information, Google’s collection of WiFi data did not involve any kind of “access”, and prosecution under this section is unlikely.

Section 216B prohibits “intentionally [intercepting] any private communication by means of an interception device”. This crime appears most likely to be the subject for any investigation. The key definition of this section is “private communication”, defined in s 216A (which the Law Commission rightly described as “not straightforward” – NZLC IP14, 10.47):

private communication:

(a) means a communication (whether in oral or written form or otherwise) made under circumstances that may reasonably be taken to indicate that any party to the communication desires it to be confined to the parties to the communication; but

(b) does not include such a communication occurring in circumstances in which any party ought reasonably to expect that the communication may be intercepted by some other person not having the express or implied consent of any party to do so.

It seems clear that Google’s activities amounted to “interception” by an “interception device”. Indeed, any cellphone, laptop computer, or even a tape recorder could be used for such activities and meet the Crimes Act definitions. But are WiFi transmissions “private communications”, as required under s 216B?

Let’s look at some known (or presumed) facts:

  1. All of the data was collected from public locations, specifically from public roads.
  2. The data was being actively transmitted into those public locations.
  3. The data collected was unencrypted (if it turns out encrypted data was collected, things might change).

These facts seem to exclude Google’s activities from part (a) of the definition. How was there any indication that “any party to the communication [i.e. the collected WiFi packets] desires it to be confined” when the WiFi data was being broadcast, in unencrypted form, to the public? And how would Google or anyone else be expected to know that? The question whether the users to whom the data belonged knew it was being publicly broadcast is not the issue. The issue is that a publicly broadcast, unencrypted WiFi communication does not (in this juror’s opinion) give a “reasonable indication” that the person making it “desires it to be confined”. If anything, it conveys the opposite.

Of course, if the collected data is able to be reconstructed into a communication that indicates confidentiality, that could raise further questions. However, that is not known, and may well be beyond the intended working of s 216B.

Part (b) of the definition provides another hurdle, although as the Law Commission has noted, it is problematic. It excludes communications that a party “ought reasonably to expect” may be intercepted. Cribbing from the Law Commission’s recent report “Invasions of Privacy: Penalties and Remedies” stage 3:

In Moreton v Police, William Young J noted that while public awareness has developed over time that cellphone communications are not particularly secure, this does not automatically give rise to an expectation that any particular call will be intercepted. While the method of communication used and public awareness of its security levels may not be determinative on their own, they will nevertheless be relevant to whether at least one of the parties has indicated a desire that the communication be confined to the parties, and to whether there is a reasonable expectation (by both parties) that the communication may be intercepted. …

We anticipate that the main areas of enquiry by the courts will be whether the actions of the parties disqualify their communication from being a private one, and whether any particular method of communication disqualifies a communication from being a private one. By “the actions of the parties”, we mean their conduct of the communication itself; for example, whether they are talking in a private room where they expect no one else can hear them, or talking loudly in a public place.

Judge David Harvey has said that listening in to a conversation on CB radio, or using a police scanner, would not be offences because no-one could reasonably expect the communications to be confined.

Putting aside multi-party complexities for now, this reasoning is applicable to WiFi communications. Today, isn’t using unencrypted WiFi like talking loudly in a public place, or using CB radio? Is the “openness” of unencrypted WiFi well known enough to remove an expectation of privacy? Time will tell, but to some extent the Google situation has shown that could well be the case (not that a person is able to benefit from their own wrong, of course).

Another question is whether WiFi data actually constitutes a “communication” within the definition of s 216A. The comments noted above, and the definition, assume a communication between two or more parties using similar technologies, akin to a conversation. It may be arguable that random WiFi packets collected on a drive-by do not constitute a “communication” capable of falling within the definition of s 216A.

“Intention” is another fundamental requirement (both in the definition and for criminal offences). Did Google intentionally intercept the communications? Intention must of course be proved, and this may not be as straightforward as it appears, with Google now blaming a “rogue engineer” for the data collection.

Based on the information to hand, this jury returns a verdict of not guilty, but with a recommendation of a good public flogging nevertheless (ably led by the Privacy Commissioner), to last until Facebook returns to being Privacy Enemy #1.

The debacle could prove timely, given the Law Commission’s recent review of such issues and the possible law changes that may result. But for now, let’s hope the police do not waste valuable resources on what would simply be a pointless witch-hunt.

Government getting better at not losing data

Around 120 Government-owned personal storage devices were lost in the past 12 months, according to the Privacy Commissioner. I don’t know how this ranks with other governments and large companies, but it is probably about average. PSDs will get lost. The question is what controls are in place to protect the data.

Last year, the Privacy Commissioner released a guidance note on PSDs. Now, the Privacy Commissioner has provided an update:

Government agencies have generally improved security around ‘portable storage devices’ (PSDs) such as USB memory sticks – but there are still some key agencies that have less than desirable controls

This is based on a survey released this week (PDF, 4 MB) showing that two-thirds of government agencies have “adequate controls” compared to half last year. That there has been improvement is good, but it does raise the question: what are the other third doing? Controls on PSDs are common sense for government agencies, and not massively difficult to implement. There can be no excuse for not having 100% of agencies with measures in place next year.

The report did not cover data loss disclosure – which the Privacy Commissioner had raised last year – but it did note:

In almost all occasions, agencies became aware of the loss or theft of a PSD through staff notification.

However, at yesterday’s Privacy Forum in Wellington Sir Geoffrey Palmer confirmed mandatory data loss disclosure was on the Law Commission’s reform radar. From his speech:

Another subject on which we are contemplating some changes is data breach notification. We have examined closely the merits of introducing a mandatory data breach notification requirement into the Privacy Act. Currently holders of personal information, both public and private sector agencies, are under no legal obligation to notify individuals or the Privacy Commissioner when an individual’s personal information is compromised – if, for example, it is lost or obtained by computer hackers. … This means that agencies are not required to notify individuals whose personal information has been compromised, no matter how sensitive the information and no matter how serious the risk of harm that could be suffered as a result.

This is clearly an unsatisfactory state of affairs. Data disclosure rules are a common feature in the European Union, and the United States (which is sometimes wrongly criticised as having lax rules). The rules apply not only to the public sector, but private companies too. The Law Commission is taking submissions on this subject as part of its ongoing review process.

Name suppression and the internet

The Law Commission has published its report on name suppression. On the issue of name suppression on the internet it makes one recommendation:

Where an Internet service provider or content host becomes aware that they are carrying or hosting information that they know is in breach of a suppression order, it should be an offence for them to fail to remove the information or to fail to block access to it as soon as reasonably practicable. [7.16]

With regard to hosts, this is largely the status quo. It is less clear what an ISP that is “carrying” suppressed information is supposed to do. It would be impractical and ineffective, for example, to require ISPs to block access to sites they didn’t host. Of course, once a suppressed name has been communicated beyond our shores, any restrictions imposed by New Zealand law cease to have any effect. If a major sports star had name suppression in New Zealand, and it was reported by Australian newspapers, would every ISP in New Zealand be expected to block access to those Australian websites?

The report’s findings on internet issues are brief, and don’t quite grasp the essential difficulties that the internet presents to the name suppression regime. It states:

Where information as to the identity of someone appearing before a court is already in the public domain, it will not generally be appropriate to grant name suppression. The law will not undertake an exercise in futility, which would bring its own authority and processes into disrepute. [3.65]

Yet in many recent cases involving name suppression, that is precisely what has occurred. Twitter, Facebook and other local and international web sites are routinely used to blithely report (or more often, speculate on) the identity of the individual. An invariable side effect is the gross defamation of innocent persons unlucky enough to fit some “non-identifying” criteria not covered by the suppression order. There is every reason to think this phenomenon will become more and more common. In fact, the application of a suppression order, in many cases, simply has the effect of causing more speculation and breaches of the order – a manifestation of the Streisand effect.

The report noted that name suppression is generally more readily available in New Zealand than in Australia or the United Kingdom. One interesting statistic which the report did not appear to have considered, however, is how effective name suppression orders (in high profile cases) have been. Anecdotal evidence as well as personal experience suggests they are increasingly ineffective.

If the law is not to permit exercises in futility, this issue may need to be revisited again before long.