Privacy: a work in progress

The Law Commission has released its latest report on privacy law, Invasion of Privacy: Penalties and Remedies. This report (part 3 of 4) specifically deals with matters such as surveillance, interception of communications, and criminal and civil law.

A key recommendation is that “the tort of invasion of privacy recognised in Hosking v Runting should be left to develop at common law”. It is worth remembering that the Hosking case was only decided in 2004, and then only by a 3-2 judge majority – a very clear reminder that privacy law in this country is still in its most formative stages.

The recommendation to leave privacy law “to develop at common law” is the equivalent of kicking for touch – and in the circumstances, the only realistic option for the Commission. It is clear that much of the “real” privacy issues that will affect New Zealanders on an everyday basis will not be decided by New Zealand’s courts or the government. Rather, where Europe and the US go, New Zealand will have to follow. The increasingly connected nature of the world makes it futile to attempt to chart a different course. And in any case, there are benefits in following the lead of others, with far greater resources and innovation, in this area.

Another recent report, this time from the European Union, highlights just how far advanced Europe is, compared to New Zealand at least, in defining and developing privacy rights. With the terribly exciting name “Study on Online Copyright Enforcement and Data Protection in Selected Member States” (PDF), the report examined 6 EU states (not including the UK) and tells us:

  • “IP addresses are generally considered to be personal data” and therefore subject to privacy laws.
  • “IP addresses are generally considered to be traffic data, which means that they may only be processed in a limited number of circumstances and for specific purposes (such as billing, invoicing, etc.), and that consent is generally required to process them for other purposes (such as online copyright enforcement).”
  • “ISPs cannot store IP addresses for the specific purpose of online copyright enforcement (except in France, where retention for the purpose of making information available to the judicial authorities or to the Hadopi Commission [not dissimilar to NZ’s s92A] is allowed).”
  • “The processing of IP addresses by ISPs to pass on infringement warning notices is generally prohibited or subject to strict restrictions (e.g., in France if the Hadopi Act is complied with).”
  • “The general monitoring of P2P networks by right holders resulting in the creation of a database of potential copyright infringers is usually prohibited.”
  • “The disclosure of P2P users’ identities by ISPs to right holders for civil enforcement is generally restricted by data protection law. “

This is a level of detail and analysis not yet seen in New Zealand. Of course, privacy law around the world is a rapidly developing area of law, policy and social issues (e.g. see my post Changing expectations of privacy). The EU report itself acknowledges that “many of the legal concepts and questions examined have not been the subject of authoritative decisions by courts or data protection authorities” (such as NZ’s Privacy Commissioner). But the decisions, policies, research and jurisprudence being developed in the EU will ultimately determine (or at least, strongly influence) the direction New Zealand takes.