Law and technology

Around 120 Government-owned personal storage devices were lost in the past 12 months, according to the Privacy Commissioner. I don’t know how this ranks with other governments and large companies, but it is probably about average. PSDs will get lost. The question is what controls are in place to protect the data.

Last year, the Privacy Commissioner released  a guidance note on PSDs. Now, the Privacy Commissioner has provided an update:

Government agencies have generally improved security around ‘portable storage devices’ (PSDs) such as USB memory sticks – but there are still some key agencies that have less than desirable controls

This is based on a survey released this week (PDF, 4 MB) showing that two-thirds of government agencies have “adequate controls” compared to half last year. That there has been improvement is good, but it does raise the question: what are the other third doing? Controls on PSDs are common sense for government agencies, and not massively difficult to implement. There can be no excuse for not having 100% of agencies with measures in place next year.

The report did not cover data loss disclosure – which the Privacy Commissioner had raised last year – but it did note:

In almost all occasions, agencies became aware of the loss or theft of a PSD through staff notification.

However, at yesterday’s Privacy Forum in Wellington Sir Geoffrey Palmer confirmed mandatory data loss disclosure was on the Law Commission’s reform radar. From his speech:

Another subject on which we are contemplating some changes is data breach notification. We have examined closely the merits of introducing a mandatory data breach notification requirement into the Privacy Act. Currently holders of personal information, both public and private sector agencies, are under no legal obligation to notify individuals or the Privacy Commissioner when an individual’s personal information is compromised – if, for example, it is lost or obtained by computer hackers. … This means that agencies are not required to notify individuals whose personal information has been compromised, no matter how sensitive the information and no matter how serious the risk of harm that could be suffered as a result.

This is clearly an unsatisfactory state of affairs. Data disclosure rules are a common feature in the European Union, and the United States (which is sometimes wrongly criticised as having lax rules). The rules apply not only to the public sector, but private companies too. The Law Commission is taking submissions on this subject as part of its ongoing review process.

Interesting results emerge from a survey released by the Privacy Commissioner yesterday. Among the findings:

• 35% of respondents are more concerned about individual privacy than 2 years ago.
• At the same time, “trust ratings” for most organisations holding personal data have increased since 2 years ago.
• 78% of under-30s use social networking sites.
• Approximately 57% of those users (estimated) believe social networking sites are “mainly private” places for sharing information.
• 54% of respondents were concerned about what social networking uses their personal information for.

One plausible interpretation is that at the same time we are becoming more aware and concerned about privacy issues, we are also becoming more ready to disclose information. This view would be supported by comments to a follow-up article at the NZ Herald website, which reported:

Facebook users who did not think they could protect their privacy outnumbered those who thought they could by four to one – and only one of them thought it was a bad thing.

There are several seemingly conflicting trends within this data, which bears out the overarching (and not entirely new) 64-million dollar conundrum of online privacy: people are willing to trade privacy for functionality, so to what extent should governments intervene? Do we need saving from ourselves?

The survey strongly confirms that New Zealanders do care about privacy, and a recent US survey confirmed the same in that country. Increasing education and awareness of privacy issues are key steps to empowering individuals to make their own, informed decisions, and New Zealand’s Privacy Commissioner is very much at the forefront of that process. It is also helpful when Facebook privacy concerns becomes front page news on our major daily newspaper (and not on a slow news day either).

More local coverage of this issue:

• Media7’s program this week discussed privacy on the internet
• Social site use rising as privacy fears grow
• Facebook must evolve or wither, say analysts

Rendering ACTA superfluous?

Australian law professor Michael Fraser suggests that ISPs could render ACTA “superfluous” by entering into commercial agreements with content providers:

“The best approach to these issues… is to do a commercial deal and bring the ISPs into the value chain,” he said. “Rather than litigate [content providers] should include ISPs in the supply chain and ensure they get a fair part of the reward and allow access to content via the ISPs.”

The suggestion does not, of course, imply that ISPs could “contract out” of copyright law altogether. But if a commercially acceptable deal with major rights-holders could be reached, that could at least provide a “market” solution to the possible uncertainty and other concerns ACTA may cause for ISPs, rights-holders and users.

Parody rights in IP law

The studio behind Downfall film has applied to have numerous parodies of its movies removed from YouTube on the grounds of copyright infringement. The clips of the film used in the short YouTube videos are the copyright of the studio, but the question is whether the parodies are permitted under the fair use doctrine of US law.

Now, YouTube has helpfully given instructions for users whose clips have been the subject of an infringement claim by the studio.

On the local front, Luke Appleby notes that New Zealand still does not have a parody right under our copyright law. In essence, a review was announced in 2008, but has not progressed since.

Privacy attitudes

A study has been published in the US entitled “How Different are Young Adults from Older Adults When it Comes to Information Privacy Attitudes and Policies?”. From the report:

An important part of the picture, though, must surely be our finding that higher proportions of 18-24 year olds believe incorrectly that the law protects their privacy online and offline more than it actually does. This lack of knowledge in a tempting environment, rather than a cavalier lack of concern regarding privacy, may be an important reason large numbers of them engage with the digital world in a seemingly unconcerned manner.

From the conclusion:

… we found that in large proportions young adults do care about privacy. … Public policy agendas should therefore not start with the proposition that young adults do not care about privacy and thus do not need regulations and other safeguards. Rather, policy discussions should acknowledge that the current business environment along with other factors sometimes encourages young adults to release personal data in order to enjoy social inclusion even while in their most rational moments they may espouse more conservative norms.

The wider issue for all age groups, though, is that people seem quite happy to exchange privacy for functionality (or other benefits). To what extent should governments intervene?

IT industry supports ban on software patents

InternetNZ, the New Zealand Computer Society and the New Zealand Open Source Society issued press releases yesterday in support of the ban on software patents:

• InternetNZ agrees – no to software patents
• ICT Profession Supports Removal of Software Patents
• NZ Open Source Society Congratulates Government on Patents Bill Stance

The Labour Party also issued a press release supporting the decision and Minister Simon Power’s earlier endorsement:

• Software exclusion will encourage Kiwi innovators
• Power to delete software patents

Meanwhile law firm Chapman Tripp issued a press release criticising the decision:

• Excluding Software Patents Will Stifle Innovation

Privacy Commissioner slams Google’s “experiment”

New Zealand’s Privacy Commissioner, Marie Shroff, has criticised Google Buzz as being a “commercial experimentation on New Zealanders and other internet users, involving the release of significant personal information”:

[Google's actions] violated the fundamental, globally accepted principle that people should be able to control the use of their personal information.

The comments follow Ms Shroff’s signing of a joint letter to Google, stating:

It is unacceptable to roll out a product that unilaterally renders personal information public, with the intention of repairing problems later as they arise. Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world.

These comments, including constructive requests that organisaions collects and process “only the minimum amount of personal information necessary” and create “privacy-protective default settings”, are admirable. Ms Shroff does a great job in standing up for New Zealanders’ privacy rights.

The difficulty, as I have written previously, is that people happily trade privacy for functionality. Millions of people willingly pour personal information into different websites every day. To what extent can Google be criticised for finding new, creative uses of information it has been willingly given, in accordance with terms agreed to by users? And to what extent is it necessary or right for governments to intervene?

Open standards in Government procurement

Earlier this year I commented that “the Government must properly mandate open standards and multi-vendor capable solutions for future state-sector IT procurement”.

European Union ministers have now called for “the introduction of open standards and interoperability in government procurement of IT”. This comes as part of an ongoing development of procurement frameworks.

The report states that some groups claim the proposal has been “so watered down due to intense lobbying by the proprietary software makers, to such an extent that the document will have no impact on the market”. Other industry groups have praised the proposals as “well balanced”.

Global privacy regime mooted

New Zealand’s privacy commissioner, Marie Shroff,  has suggested that a United Nations treaty may be required to protect privacy.  She said:

“The reason for this is [a global regime] would bring legal certainty… We have to look at whether and how we can regulate to provide certainty for businesses and protections for individual citizens”

Legal certainty is a very good thing though as I said the other day, there is unlikely to be an “imposed” global regime, and Ms Shroff denied the proposal would be “some sort of a bureaucratic initiative to impose more regulation on business”. The continued development of international guidelines (also suggested by Ms Shroff), co-ordinated enforcement, and even UNCITRAL-type “model law” is more likely here (a TRIPS-like treaty could be a possibility). New Zealand’s “privacy principles” approach works well, and the Privacy Commissioner plays a good and efficient domestic role – could the New Zealand regime be a model template? Standards would also assist and reinforce the nascent “self-regulation” by the industry, such as the Digital Due Process Coalition launched recently.

New Zealand TV listings copyright row

Kiwiblog has commented on Sky TV’s recent attempts to prevent a software developer from distributing software that could be configured to copy its TV listing, claiming their listings are protected by copyright (more on this another day).

Net nuetrality setback

A US court has ruled that the Federal Communicationc Commission does not have the authority to stop an ISP prioritising traffic, meaning that the ISP can take steps such as choking file-sharing traffic. Some see this as a major setback for maintaining net nuetrality, while others are more sanguine. For the record, New Zealand does not have any internet nuetrality regulation.

Germany’s Consumer Protection minister Ilse Aigner has weighed in on the debate over Facebook’s privacy policy, demanding that Facebook “revise its privacy policy without delay”. Her demands include that:

Private data may only be passed on and used for commercial purposes with the consent of the persons involved.

The problem with her complaint (at least in the way it is framed) is that Facebook’s privacy policy, not unreasonably, allows just that. Or, if it doesn’t (or didn’t previously) then Facebook has the right to change its terms of use (see clause 13). Facebook has already received “the consent of the persons involved”, at least regarding personal information about Facebook users, and can get further consent if necessary simply by changing its terms of use. The Latin phrase is volenti non fit injuria: no injury is done to a person who consents. (Of course, it’s informed consent that matters.)

And that’s the issue. Even if Facebook, or another popular site, included privacy-busting rules from day one, what is the likelihood there would be any lasting reaction from users? Very few users actually read website terms anyway. And even if people are vaguely aware of privacy issues, that still does not stop people from signing up if there is some perceived value. If people are willing to trade privacy for value, should the state intervene? Or even the United Nations (as has been mentioned by New Zealand’s Privacy Commissioner)? Compulsory privacy principles and voluntary best-practice standards on personal data storage, such as the new ISO standards for health records, is one thing. Intervening in freedom of contract is quite another.

As I have written previously, people cannot post things to social networks and still expect privacy. Social networks and other website are very aware of the privacy issues, and the potential threat of regulation. The majority of a social networking site’s potential value lies in exploiting (in a commercial sense) the personal data that their armies of users happily supply every day. That is why it is in their own best interest to implement reasonably strong privacy policies without hamstringing their own motives, but of course listening to user pressure when necessary.

It would require a major co-ordinated global effort to impose uniform privacy regulation on social networks – which is why that will not happen. Instead, the social networks will, for the most part, stay one step ahead of well-meaning (and otherwise) crusading politicians, safe in the knowledge that their users will back them if it means a trade off between their very real enjoyment of social networks, and some intangible, hard-to-grasp privacy “benefit”.

It is somewhat ironic that the organisations being labeled (by some) as the worst abusers of privacy are quite possibly doing the most to define and shape the future of privacy law.

Don’t forget the domain names

Securing key domain names likely to be associated with a venture is business-101. Unfortunately for Tourism Australia, they launched their new “Nothing like Australia” campaign without registering www.nothinglikeaustralia.net, which has now been setup as a spoof site. They are now investigating legal action against the site for alleged misuse of a trade mark.

This raises the question of whether parody is a defense to trade mark infringement (for a local situation, see here). In New Zealand, there is no specific parody defence in the Trade Marks Act 2002, although a trade mark must generally be used “in the course of trade” for infringement to occur. A 2007 case, Solid Energy New Zealand Ltd v Mountier raised the question of whether use of a trade mark was use “in trade”. It found that the parody was not “in trade” for the purposes of the Fair Trading Act 1986, but did not reach a conclusion on the trade mark aspect. It also found that the trade mark owner had an arguable case for “exclusive use” of the trade mark, which (assuming a broad application what is “use”) would seem to prevent a parody defence. Whether or not the Bill of Rights Act 1990 (section 14) would override that is yet to be seen.

Cost of world-wide advertising campaign: AUD$150 million. Cost of not registering obvious domain names: $19.95. Parody site: priceless.

Gene patent ruled invalid

For the first time in the US, a judge has ruled that a human gene patent was invalid. This casts doubt on the validity in general of gene patenting in the US, the key market for biotechnology.

New Zealand’s in-progress Patents Bill (reported back from select committee last week) does not expressly exclude gene patents. It does exclude patents contrary to morality, which cover some biotechnology applications. However it does add a requirement for “usefulness”, which will prevent gene-related patents from being granted when no specific use has been discovered or disclosed (as has happened previously). But the value of a gene patent in a particular market is of questionable value, if it cannot be patented in key worldwide markets. The US case (which is sure to be appealed) is therefore of major importance to the biotechnology industry worldwide.

Online health records coming to New Zealand

2014 has been set as the target date for an online national health records system in New Zealand. Meanwhile, ISO (the International Standards Organisation) recently released new standards on electronic health records. From the press release:

Together, the two documents provide a powerful comprehensive solution to address e-health data integrity, including ethical and legal concerns, privacy protection, regulations concerning access and disclosing of records among other needs specific to the industry.

It will be interesting to see if the New Zealand programme achieves ISO compliance from the outset. The Privacy Act 1993 requires that reasonable safeguards be used to protect personal information, and in the case of service providers, that “everything reasonably within the power of the agency is done to prevent unauthorised use or unauthorised disclosure of the information”. It would be difficult to argue that failure to acheive “reasonable compliance” with an ISO standard (representing best, or at least good, practice) meets that standard.

More on NZ’s proposed software patent ban

Computerworld and Slashdot cover the Select Committee proposal for a ban on software patents in New Zealand.

Meanwhile, the United States Supreme Court is expected to rule soon on the ‘Bilski‘ case on whether software and business methods are patentable in the US.

Novell defeats SCO

A jury has ruled that Novell owns copyright in the Unix operating system, defeating SCO in a long running battle over the ownership of Unix.

Website “authorised” copyright infringment

The English High Court has ruled that Newzbin, a UK-based usenet indexing site, is liable for “authorising” copyright infringement.  The judge said (emphasis added):

I have found that [Newzbin] well knows that it is making available to its premium members infringing copies of films… It operates a site which is designed and intended to make infringing copies of films readily available to its premium members. The site is structured in such a way as to promote such infringement by guiding the premium members to infringing copies of their choice and then providing them with the means to download those infringing copies.

Central to the ruling is the judge’s view that there was active assistance, and even encouragement, of copyright infringement. These findings contrast with the recent iiNet ruling in Australia. Both cases highlight the importance of the ISP /website being very careful not to be seen as authorising or promoting infringing behaviour, and having appropriate policies in place.

Newzbin is considering an appeal.

Computerised medial record privacy concerns

Leading New Zealand software developer Orion Health is pushing for more progress on computerised medical records, as computerisation of medial data is gathering pace around the world, particularly in the US where President Obama campaigned on it. At the same time, serious privacy concerns are being raised. Medical / health information is the key area where privacy law will probably most keep up with developments in technology, and is already reasonably advanced in New Zealand.

Restraints of trade in employment

Computerworld reports on an Employment Relations Authority decision upholding a restraint of trade clause for a former IT account manager. Restraint clauses are common in the IT industry, as in others, and can be particularly important given the significance of IP and know-how in the IT sector. The article notes that the decision “belies the commonly-held belief that restraint of trade clauses are difficult to enforce”. It is true that the ERA and the Courts will strike down or limit unreasonable restraint clauses, but in recent years the Courts have tended to uphold restraint clauses. The conduct of the parties post-termination is also likely to be relevant, with “bad behaviour” on either side likely to be taken into account by the relevant authority.

Website terms

My latest Computerworld article is now online: Analysis: Cases clarify requirements for website terms of use

Facebook privacy investigation

The EU is investigating whether posting photos and other information about people on Facebook without their consent is a breach of privacy law. Privacy is a rapidly developing area, and the EU (for better or worse) leads the world in this area. The policies adopted in the EU are likely to influence privacy policy in other jurisdictions, including New Zealand where the Law Commission recently recommended leaving privacy to develop at common law (i.e. develop “organically”). It is reasonable to expect that with privacy, where Europe goes, the UK will go; and where the UK goes, New Zealand will eventually go.

The Law Commission has released its latest report on privacy law, Invasion of Privacy: Penalties and Remedies. This report (part 3 of 4) specifically deals with matters such as surveillance, interception of communications, and criminal and civil law.

A key recommendation is that “the tort of invasion of privacy recognised in Hosking v Runting should be left to develop at common law”. It is worth remembering that the Hosking case was only decided in 2004, and then only by a 3-2 judge majority – a very clear reminder that privacy law in this country is still in its most formative stages.

The recommendation to leave privacy law “to develop at common law” is the equivalent of kicking for touch – and in the circumstances, the only realistic option for the Commission. It is clear that much of the “real” privacy issues that will affect New Zealanders on an everyday basis will not be decided by New Zealand’s courts or the government. Rather, where Europe and the US go, New Zealand will have to follow. The increasingly connected nature of the world makes it futile to attempt to chart a different course. And in any case, there are benefits in following the lead of others, with far greater resources and innovation, in this area.

Another recent report, this time from the European Union, highlights just how far advanced Europe is, compared to New Zealand at least, in defining and developing privacy rights. With the terribly exciting name “Study on Online Copyright Enforcement and Data Protection in Selected Member States” (PDF), the report examined 6 EU states (not including the UK) and tells us:

• “IP addresses are generally considered to be personal data” and therefore subject to privacy laws.
• “IP addresses are generally considered to be traffic data, which means that they may only be processed in a limited number of circumstances and for specific purposes (such as billing, invoicing, etc.), and that consent is generally required to process them for other purposes (such as online copyright enforcement).”
• “ISPs cannot store IP addresses for the specific purpose of online copyright enforcement (except in France, where retention for the purpose of making information available to the judicial authorities or to the Hadopi Commission [not dissimilar to NZ's s92A] is allowed).”
• “The processing of IP addresses by ISPs to pass on infringement warning notices is generally prohibited or subject to strict restrictions (e.g., in France if the Hadopi Act is complied with).”
• “The general monitoring of P2P networks by right holders resulting in the creation of a database of potential copyright infringers is usually prohibited.”
• “The disclosure of P2P users’ identities by ISPs to right holders for civil enforcement is generally restricted by data protection law. “

This is a level of detail and analysis not yet seen in New Zealand. Of course, privacy law around the world is a rapidly developing area of law, policy and social issues (e.g. see my post Changing expectations of privacy). The EU report itself acknowledges that “many of the legal concepts and questions examined have not been the subject of authoritative decisions by courts or data protection authorities” (such as NZ’s Privacy Commissioner). But the decisions, policies, research and jurisprudence being developed in the EU will ultimately determine (or at least, strongly influence) the direction New Zealand takes.