Data havens and the constitution

Guest posted on the TUANZ blog.

TUANZ CEO Paul Brislen has written a thought-provoking article on the prospects of turning New Zealand into a data haven. There’s a lot going for the idea, but as Paul notes, there are a couple of stumbling blocks, one of which is the legal situation:

The final problem then, is the legal situation. We would need to become the neutral ground, the data Switzerland if we’re to gain their trust. Publicly adhered to rules regarding data collection and retention. Privacy built in, access only under the strictest conditions.

It would indeed require some law changes to become a “data Switzerland” where, as Paul envisages, “we treat bits as bits and that’s that”, and don’t allow the Armed Offenders Squad to swoop in with helicopters if someone uploads the latest series of Mad Men.

Exactly what those laws would be is a huge kettle of fish: privacy rights, intellectual property rights, safe-harbour provisions, search-and-seizure, criminal and civil procedure, etc. But putting aside the content of those laws (and their desirability), it is worth noting that New Zealand is in a somewhat disadvantageous situation in one respect vis-a-vis most other countries. Whilst New Zealand ranks as one of the most politically stable, corruption-free, and rule-of-law-abiding countries – ideal attributes for a data haven – we are in the very rare category of countries that are both:

  • Unicameral, unlike Australia, the UK, the US, Canada, most of the EU, Japan, India, and others; and
  • More importantly, have no written constitution that entrenches rights, limits Government power, and can strike down non-compliant laws. Only a handful of countries (notably including the UK) are in this category (and this is putting aside Treaty of Waitangi complications).

By my quick reckoning, the only other country with both of the above attributes is Israel.

What this means for us, as Sir Geoffrey Palmer wrote many years ago, is that whoever is the current Government of the day has unbridled power. Theoretically, there are little if any limits on what can be passed into law – all it takes is a 1-vote majority in the House of Representatives. This includes major constitutional change and retrospective law. For example, in the past decade-and-a-bit we have seen a Government change New Zealand’s highest Court from the Privy Council to a new domestic Supreme Court on a narrow majority, and retrospectively amend the law (also on a slim majority) to keep a Minister in Parliament – both things that may may well have faced constitutional challenge in other countries, but here were able to be effected with the same legislative ease as amending the Dog Control Act.

What’s this got to do with becoming a data haven? Well, it means that we cannot give the highest level of assurance that a future Government won’t do certain things that might undermine our data haven credentials.

For example, being a true data haven would presumably mean strong freedom of speech laws. You would want a reasonable assurance that a data centre would not be forced to hand over or delete data due to hate speech laws (present or future), except perhaps in the very strongest cases. New Zealand does have its peculiar Bill of Rights Act covering matters such as free speech, but this does not limit parliamentary power – in fact, Parliament regularly tramples various provisions of the Bill of Rights Act, with the only requirement for doing so being that the Attorney-General must inform the house. Nor does it prevail over inconsistent Acts: if another Act removes or abrogates a right, then the Bill of Rights Act doesn’t change that. So Parliament could potentially pass a law, on the slimmest of margins, that limits freedom of speech. This is not as far-fetched as one might think in an “open and free” democracy: the process is well advanced in the UK, where people face arrest and criminal prosecution for making statements considered by the authorities to be “insulting” (such as calling a police horse “gay”). Could this extend to limiting free speech (or content) hosted in data centres? There is nothing that says it can’t, or won’t.

Compare this with the US, where most of the internet’s infrastructure, governance and data centres are located. The federal Consitution provides the highest protection possible against Government limitation of free speech. Now this obviously does not (and is not intended to) stop situations like a US federal agency shutting down Megaupload and seizing data, in that case partly on the basis of alleged intellectual property infringement. But at least the limits on what the US Government can do are constitutionally defined and proscribed.

This issue is obviously much broader than data centres, but it does highlight the question: is it acceptable, in the information age, for there to be no effective limits on Government power over our information?

Tech law update 23 August 2010

Preference vs protectionism

Labour MP Clare Curran has entered the Kiwi Jobs Bill into the private members’ ballot. The bill aims to “determine whether the NZ Government can have a policy that gives preference to local procurement without breaching our international trade obligations”. The bill would apply to IT procurement, which has prompted some differences of opinion from the industry. For something as universal as IT, anything that is simply protectionist would be irrational and detrimental. But an increase in transparency and the promotion of open standards (if the Bill does that) would be welcomed.

IT & the new Limitations Act

Under the Limitation Act 1950, the general rule is that a person cannot bring a claim in contract or tort more than 6 years after the cause of action arose. As a result, business records (including electronic data) should generally be kept for at least 6 years (although other acts impose specific rules, for example 7 years for certain accounting information under the Tax Administration Act). However, over the years many quirks and wrinkles have been introduced into the picture, resulting in some uncertainty.

A replacement Limitation Bill received its first reading earlier this month. The bill tidies up and simplifies limitation periods. Importantly, it proposes to introduce (for most matters) a “longstop” limitation period of 15 years. As a result, prudent businesses will want to keep some records for 15 years. This sounds like a very long time and, of course, raises some practical issues, but expanding storage capabilities mean disk/cloud space should not be burdensome for most businesses. However, there can be a downside to keeping records – in that they may be discoverable in litigation – so this rather dry subject does require some thought in each case.

Record keeping risk?

On a related note, a new survey shows that most Kiwi businesses do not have documented procedures for recovering from an IT disaster. Besides the business interruption risk, there could be significant third-party legal risks from a catastrophic data loss. For example, a firm that has assumed responsibility for holding records for clients (e.g. accountants, architects, engineers, lawyers, etc) could be liable in negligence for their clients’ business interruption following the record-holder’s data loss, in certain circumstances.

ISP search concerns

Is the Copyright (Infringing File Sharing) Bill a wolf in sheep’s clothing when it comes to secret surveillance? Civil liberties lawyer Michael Bott thinks so, and wants better notification requirements for electronic searches.