A small boost for NZ privacy – cloud questions remain

The recently enacted Privacy (Cross-border Information) Amendment Act 2010 improves New Zealand’s privacy framework, but also highlights the challenges to privacy caused by the internet. The new law amends the Privacy Act 1993 in two main ways:

  • It strengthens cross-border privacy co-operation by providing for the referral (by the Privacy Commissioner) of complaints to overseas authorities; and
  • It establishes a “mechanism for controlling the transfer of information outside New Zealand where the information has been routed through New Zealand to circumvent the privacy laws of the country from where the information originated” – so, an anti-circumvention measure.

The cross-border co-operation provision is a small but good step. There are ongoing international privacy initiatives, such as the recent APEC Cross-border Privacy Enforcement Arrangement, and an essential aspect of any international arrangements is the ability for local authorities to interact with their foreign counterparts.

The anti-circumvention measure also assists in this regard, to prevent New Zealand being seen as a “privacy haven” – one that permits “data laundering”, if you will. As the Privacy Commissioner Marie Shroff says:

Ensuring that European business and regulators see New Zealand as a safe place for information processing is important for New Zealand’s reputation.

The anti-circumvention measure was added as Part 11A of the Privacy Act 1993. Section 114B(1) states:

The Commissioner may prohibit a transfer of personal information from New Zealand to another State if the Commissioner is satisfied, on reasonable grounds, that:

(a) the information has been, or will be, received in New Zealand from another State and is likely to be transferred to a third State where it will not be subject to a law providing comparable safeguards to this Act; and

(b) the transfer would be likely to lead to a contravention of the basic principles of national application set out in Part Two of the OECD Guidelines and set out in Schedule 5A.

This provision will be useful, for example, to help promote New Zealand data centres hosting data for overseas clients. New Zealand firms who do host or receive data from overseas (it does not apply to New Zealand-sourced data) should have processes in place for ensuring that the “transfer” of data out of New Zealand can be halted if required by the Privacy Commissioner issuing a transfer prohibition notice.

But in the age of cloud computing, are things that clear-cut? Often, the cloud (or the internet in general) makes it hard to know just where data is located. A New Zealand firm may receive data from overseas, and “host” that data in its facilities, but if the New Zealand provider itself uses cloud-based storage, what appears to be data being hosted in New Zealand may in fact be hosted overseas again. A key benefit of cloud computing is that providers can (in theory) transfer data anywhere in the cloud seamlessly. Data can be split across multiple places at once, and be transferred without notice at about the speed of light. In these situations, who on earth will know what information is where? All of which makes the language of section 114B(1) – “if information has been, or will be, received in New Zealand from another State” – sound rather quaint, as if they are dealing with courier packages.

The challenges of privacy controls in the cloud-era are well known. Just how much regulation is ultimately attempted, necessary or desirable remains to be seen, bearing in mind that most users are willing to trade privacy for functionality.

Cloud computing: what’s in a name?

It is good to see that ICONZ has called out Orcon over its claim to have “just launched NZ’s first locally developed cloud computing infrastructure service” (made during the NZ Cloud Computing Summit no less). On the other hand, good on Orcon for landing a pre-emptive marketing strike and pushing its superior on-demand features.

Cloud computing easily ranks on par with Web 2.0 as a “term that means whatever we want it to mean” (i.e. meaningless). And try explaining the difference between cloud computing, software-as-a-service, network computing and ASP. So it’s arguably both meaningless and redundant.

Clearly, though, it is beloved by marketing departments. Interestingly, the term “cloud computing”, which only started gaining popularity in late 2007, hasn’t reduced “software as a service” in searches while becoming the dominant buzzword, as illustrated here (Google Trends):

[Figure: Google Trends comparison of the search terms “cloud computing” and “software as a service”]

It will be interesting to see how other NZ ISPs and web hosts respond. Anything that promotes competition between, and awareness of, homegrown providers will be a good thing. It is surprising that most of the Kiwi companies I have talked to about cloud computing (well, it is catchy) have only ever mentioned EC2 or Azure, even though their main customer bases are in New Zealand.