Data havens and the constitution

Guest posted on the TUANZ blog.

TUANZ CEO Paul Brislen has written a thought-provoking article on the prospects of turning New Zealand into a data haven. There’s a lot going for the idea, but as Paul notes, there are a couple of stumbling blocks, one of which is the legal situation:

The final problem then, is the legal situation. We would need to become the neutral ground, the data Switzerland if we’re to gain their trust. Publicly adhered to rules regarding data collection and retention. Privacy built in, access only under the strictest conditions.

It would indeed require some law changes to become a “data Switzerland” where, as Paul envisages, “we treat bits as bits and that’s that”, and don’t allow the Armed Offenders Squad to swoop in with helicopters if someone uploads the latest series of Mad Men.

Exactly what those laws would be is a huge kettle of fish: privacy rights, intellectual property rights, safe-harbour provisions, search-and-seizure, criminal and civil procedure, etc. But putting aside the content of those laws (and their desirability), it is worth noting that New Zealand is in a somewhat disadvantageous situation in one respect vis-a-vis most other countries. Whilst New Zealand ranks as one of the most politically stable, corruption-free, and rule-of-law-abiding countries – ideal attributes for a data haven – we are in the very rare category of countries that are both:

  • Unicameral, unlike Australia, the UK, the US, Canada, most of the EU, Japan, India, and others; and
  • More importantly, have no written constitution that entrenches rights, limits Government power, and can strike down non-compliant laws. Only a handful of countries (notably including the UK) are in this category (and this is putting aside Treaty of Waitangi complications).

By my quick reckoning, the only other country with both of the above attributes is Israel.

What this means for us, as Sir Geoffrey Palmer wrote many years ago, is that whoever is the current Government of the day has unbridled power. Theoretically, there are little if any limits on what can be passed into law – all it takes is a 1-vote majority in the House of Representatives. This includes major constitutional change and retrospective law. For example, in the past decade-and-a-bit we have seen a Government change New Zealand’s highest Court from the Privy Council to a new domestic Supreme Court on a narrow majority, and retrospectively amend the law (also on a slim majority) to keep a Minister in Parliament – both things that may may well have faced constitutional challenge in other countries, but here were able to be effected with the same legislative ease as amending the Dog Control Act.

What’s this got to do with becoming a data haven? Well, it means that we cannot give the highest level of assurance that a future Government won’t do certain things that might undermine our data haven credentials.

For example, being a true data haven would presumably mean strong freedom of speech laws. You would want a reasonable assurance that a data centre would not be forced to hand over or delete data due to hate speech laws (present or future), except perhaps in the very strongest cases. New Zealand does have its peculiar Bill of Rights Act covering matters such as free speech, but this does not limit parliamentary power – in fact, Parliament regularly tramples various provisions of the Bill of Rights Act, with the only requirement for doing so being that the Attorney-General must inform the house. Nor does it prevail over inconsistent Acts: if another Act removes or abrogates a right, then the Bill of Rights Act doesn’t change that. So Parliament could potentially pass a law, on the slimmest of margins, that limits freedom of speech. This is not as far-fetched as one might think in an “open and free” democracy: the process is well advanced in the UK, where people face arrest and criminal prosecution for making statements considered by the authorities to be “insulting” (such as calling a police horse “gay”). Could this extend to limiting free speech (or content) hosted in data centres? There is nothing that says it can’t, or won’t.

Compare this with the US, where most of the internet’s infrastructure, governance and data centres are located. The federal Consitution provides the highest protection possible against Government limitation of free speech. Now this obviously does not (and is not intended to) stop situations like a US federal agency shutting down Megaupload and seizing data, in that case partly on the basis of alleged intellectual property infringement. But at least the limits on what the US Government can do are constitutionally defined and proscribed.

This issue is obviously much broader than data centres, but it does highlight the question: is it acceptable, in the information age, for there to be no effective limits on Government power over our information?

Is internet access a human right?

Recent IP-related debates have raised the question of whether internet access should be a legally protected human right. An Australian academic is the latest to weigh in:

Internet use has become so woven into everyday life that some technology experts say online access should be legally protected, even to the point of considering it a human right. “It’s a social inclusion question,” said Cyberspace Law and Policy Centre executive director David Vaile

Much of the debate premises that internet access is already a human right, or soon will be. That view has popular support – a recent survey showed “almost four in five people around the world believe that access to the internet is a fundamental right” (FWIW, New Zealand’s previous Culture Minister also thought so). That result should not be surprising though: the right to do non-proscribed things can usually be considered a human right in some form.

[ Update: current ICT minister Steven Joyce says “declaring that the internet is a human right is not a priority for the government”. ]

The real question is whether internet access – which in the absence of any restriction already is a right – should be elevated to a “legally protected human right”, and what would that mean in practice? Internet access is already legally enshrined in some countries. But should it be? Do we need it to be? We all happily rely on access to water, electricity, sanitation, and food without the need to see these rights written into law. So why internet access?

The fact is, New Zealand already has strong free speech and anti-discrimination laws providing a very high level of protection:

  • Under section 44 of the Human Rights Act, it is illegal for any person or company to refuse to provide service to any person on a wide range of discriminatory grounds, including sex, race, political & religious opinions, etc.
  • Freedom of expression, including the rights to “seek, receive and impart information and opinions of any kind”, is enshrined in the Bill of Rights Act 1990.

In any case, there is no shortage of ISPs happy to provide access to anyone who’s willing to pay. Why would any ISP not want to provide service to a paying customer, unless they themselves were being harmed in some way?

If the right to internet access were “enshrined”, what would the practical result be?

  • If a customer didn’t pay their bill, would the ISP be prevented from stopping their service?
  • Would ISPs be unable to enforce terms of use?
  • Would prisoners be able to surf the net all day?
  • Would parents and schools be unable to prevent children from accessing certain sites?

If the aim is to prevent Government censorship or disconnection of user accounts (such as s92A of the Copyright Act), new legislation is not needed to achieve that. Instead, the repeal of the offending legislation is the answer. New Zealand does not have a constitution capable of striking down laws, so any specific legislation expressly providing the right could be limited by another law. Similarly, all rights protected by the Bill of Rights Act are subject to “reasonable limits“. Whether this is an acceptable state of affairs is another question – especially in our unicameral MMP system with a history (in the prior government at least) of ramming through constitutional changes, without a mandate, on a simple majority.

As regards the disconnection sanction of s92A, this is not about being “banned from the internet” any more than it is about banning free speech. Free speech itself has some limitations (even in the US), and certainly consequences in many cases (e.g. defamation). Does internet access need to be elevated above free speech? Besides, internet disconnection as a preferred strategy of some rights-holder groups is not likely to last long. It is more smoke than fire, and is easily avoidable. When the internet becomes the only means of distributing music, movies and other IP, disconnecting – rather than “reforming” – potential customers will make little sense.

In the end, the internet is simply a (very important) technological invention. It should no more need enshrinement in law as a “fundamental right” than the right to use a telephone. Besides breaking the desirable “technology neutrality” of law, this would also seem to be a case of  “rights inflation“:

Deciding which norms should be counted as human rights is a matter of some difficulty. And there is continuing pressure to expand lists of human rights to include new areas. Many political movements would like to see their main concerns categorized as matters of human rights, since this would publicize, promote, and legitimate their concerns at the international level. A possible result of this is “human rights inflation,” the devaluation of human rights caused by producing too much bad human rights currency (Cranston 1973, Orend 2002, Wellman 1999, Griffin 2001b).

Effort is better spent on protecting existing rights, and limiting the power of government. Upper house anyone?

ISP filtering

The Department of Internal Affairs’ (DIA) internet filter has gone live. The system is aimed at blocking illegal images of children. While this is a voluntary scheme (unlike Australia‘s scheme), the experience in the UK has been that there will be pressure on ISP’s (including direct Ministerial threats) to join the “voluntary” scheme, lest they become a known haven for those seeking illegal content. Now, all UK ISP’s subscribe to the Cleanfeed filter.

In New Zealand, any move to make the filter mandatory would require legislation. While many opponents of the filter would likely oppose legislation, it would at least have the effect of defining the parameters of the filter and its regulation. The legislation would need to comply with the Bill of Rights Act (unsatisfactory though that law may be), or be passed with a statement expressly acknowledging where it breaches that Act. This would clear up concerns (or at least bring them into the open) that the filter may one day start to gradually be used for other purposes, such as blocking breaches of name suppression. It would make the filtering accountable to Parliament and the Courts. Also, the enabling legislation does not need to create make filtering mandatory – it could ensure that ISP’s remain free to choose whether or not to sign-up.

As long as the scheme remains voluntary and unregulated, though, no legislation is needed. While the objective is admirable (putting aside major questions over effectiveness), concerns include:

  • What information is being stored in the system, who has access to that information, and is it in compliance with the Privacy Act 1993?
  • What oversight is there on the content being filtered?
  • Is there a risk that the system could be extended to include material covered by name suppression orders?
  • Is pressure being brought to bear on ISPs to join the system?

For now, some ISP’s have expressed strong concerns about the filter which, as long as it remains voluntary, makes it unlikely that full sign-up will be achieved in the short term.

Changing expectations of privacy

The BBC reports on how the expanding use of online social networking is redefining “reasonable expectations” of privacy for everyone. It cites Dr Kieron O’Hara of the University of Southhampton:

“As more private lives are exported online, reasonable expectations are diminishing. When our reasonable expectations diminish, as they have, by necessity our legal protection diminishes”.

The reason is that the law attempts to balance the “reasonable expectations” of privacy with other considerations, such as freedom of information and free speech. In New Zealand, the Bill of Rights Act 1990, section 14, enshrines this freedom (as best it can, given the unsatisfactory state of that Act):

“14. Freedom of expression: Everyone has the right to freedom of expression, including the freedom to seek, receive, and impart information and opinions of any kind in any form”.

That right remains strong, but there is no doubt that “reasonable expectations” of privacy are rapidly shifting. In the article Dr O’Hara gives the example of an embarrassing photo taken at a party:

“A decade ago, he said, there would have been an assumption that it might be circulated among friends. But now the assumption is that it may well end up on the internet and be viewed by strangers.”

Another prime example is Google’s Street View. A decade or two ago there may have been some expectation of privacy when walking in the street (although as Katrine Evans of the University of Wellington, now Assistant Privacy Commissioner, notes there is a “considerable body of [precedent] which states that innocuous photographs of people in public places will not attract the protection of the common law”).

Today, Street View routinely photographs people in the streets; there is no doubt that this sort of occurrence will be a permanent part of our lives in some shape or form. Street View has various privacy measures in place (e.g. blurring faces) but there have been cases of people caught in compromising situations and a number of court cases have been fought or are pending.

A while ago I blogged (Don’t expect privacy in cyberspace) about a US case where a girl’s public MySpace rant – ostensibly intended only for her friends – was republished in a newspaper. She claimed a breach of privacy. The Court said:

“[The student’s] affirmative act [of publishing her post on MySpace] made her article available to any person with a computer and thus opened it to the public eye. Under these circumstances, no reasonable person would have had an expectation of privacy regarding the published material”.

The US Court’s ruling was quite sensible, however it highlights the point that not only are expectations of privacy rapidly changing, but the avenues for disseminating private information (and thereby possibly redefining what constitutes reasonable expectations) are also expanding. This is happening at the same time that the law in many common law jurisdictions (e.g. UK, US, Canada, Australia & New Zealand) is still relatively unsettled and developing. The societal changes of “the Facebook generation” has already been recognised in data loss / information security incidents, and is equally relevant in privacy law.

It is worth noting that in New Zealand’s current leading case on privacy (Hosking v Runting [2005] 1 NZLR 1) the actual existence of a tort of privacy was only accepted by a 3-2 decision. Since that time, other jurisdictions have expanded their privacy laws more liberally than the Hosking case’s relatively narrow scope. Most recently the 2008 Max Mosley case in the UK (argued on the basis of breach of confidence and “unauthorised disclosure of personal information”) has thrown up a number of related issues likely to be explored in a future New Zealand case.

Due to reasons of cost, substantial court cases involving breaches of privacy are rare. It seems likely that, whatever currently a “reasonable expectation” of privacy is, it will have changed again by the time the next case is argued.