The recently-enacted Privacy (Cross-border Information) Amendment Act 2010 improves New Zealand’s privacy framework, but also highlights the challenges to privacy caused by the internet. The new law amends the Privacy Act 1993 in 2 main ways:
- It strengthens cross-border privacy co-operation by providing for the referral (by the Privacy Commissioner) of complaints to overseas authorities; and
- It establishes a “mechanism for controlling the transfer of information outside New Zealand where the information has been routed through New Zealand to circumvent the privacy laws of the country from where the information originated” – so, an anti-circumvention measure.
The cross-border co-operation provision is a small but good step. There are ongoing international privacy initiatives, such as the recent APEC Cross-border Privacy Enforcement Arrangement, and an essential aspect of any international arrangements is the ability for local authorities to interact with their foreign counterparts.
The anti-circumvention measure also assists in this regard, to prevent New Zealand being seen as a “privacy haven” – one that permits “data laundering” if you will . As the Privacy Commissioner Marie Shroff says:
Ensuring that European business and regulators see New Zealand as a safe place for information processing is important for New Zealand’s reputation.
The anti-circumvention measure was added as Part 11A of the Privacy Act 1993. Section 114B(1) states:
The Commissioner may prohibit a transfer of personal information from New Zealand to another State if the Commissioner is satisfied, on reasonable grounds, that:
(a) the information has been, or will be, received in New Zealand from another State and is likely to be transferred to a third State where it will not be subject to a law providing comparable safeguards to this Act; and
(b) the transfer would be likely to lead to a contravention of the basic principles of national application set out in Part Two of the OECD Guidelines and set out in Schedule 5A.
This provision will be useful, for example, to help promote New Zealand data centres hosting data for overseas clients. New Zealand firms who do host or receive data from overseas (it does not apply to New Zealand-sourced data) should have processes in place for ensuring that the “transfer” of data out of New Zealand can be halted if required by the Privacy Commissioner issuing a transfer prohibition notice.
But in the age of cloud computing, are things that clear-cut? Often, the cloud (or the internet in general) makes it hard to know just where data is located. A New Zealand firm may receive data from overseas, and “host” that data in its facilities, but if the New Zealand provider itself uses cloud-based storage, what appears to be data being hosted in New Zealand may in fact be hosted overseas again. A key benefit of cloud computing is that providers can (in theory) transfer data anywhere in the cloud seamlessly. Data can be divided to multiple places at once, and be transferred without notice at about the speed of light. In these situations, who on earth will know what information is where? All of which makes the language of section 114B(1) – “if information has been, or will be, received in New Zealand from another State” – sound rather quaint, as if they are dealing with courier packages.
The challenges of privacy controls in the cloud-era are well known. Just how much regulation is ultimately attempted, necessary or desirable remains to be seen, bearing in mind that most users are willing to trade privacy for functionality.