Hon SIMON POWER (Minister of Justice) Link to this
I move, That the Privacy (Cross-border Information) Amendment Bill be now read a first time. At the appropriate time, I intend to move that the bill be referred to the Justice and Electoral Committee for consideration. The Government recognises that in an increasingly difficult economic environment, we need to take positive steps to improve the international competitiveness of New Zealand businesses. The bill contributes to this aim by assuring our international business partners that their customers’ personal information will be protected. To this end, the bill amends the Privacy Act 1993 by introducing new provisions to govern the cross-border transfer of personal data, and to facilitate the cross-border enforcement of privacy laws.
As things stand, there is nothing in the Privacy Act to prevent data received from overseas being transferred outside New Zealand to a jurisdiction without adequate privacy protection. Nor does the Privacy Act allow foreign nationals who are resident overseas to make privacy information requests. In an era of increasing globalisation and e-commerce, our inability to assure our international business partners that their customers’ personal information will be protected is a potential impediment to growth. This is a serious risk for New Zealanders and New Zealand businesses that wish to enter into international arrangements. Currently, the only option is for those companies to enter into special contractual arrangements for privacy protection, resulting in additional transaction costs.
This Government is committed to doing all that it can to enhance New Zealand’s competitive advantage—for example, as a supplier of information, communications, and technology services in the international business arena. This bill will enhance New Zealand’s case for a finding by the European Union that we have adequate data protection and privacy laws. Countries that have an adequate privacy legal framework may be given so-called white list status, meaning that data from Europe may be sent and received freely. EU approval will mean that New Zealand businesses face reduced red tape and costs when doing business with Europe.
Although the changes aim to more closely align New Zealand’s privacy laws with the current EU directive on privacy, the bill is not solely Eurocentric.
I thought you might. It has wide international application. Recognition by the EU will assist New Zealand to gain recognition by other countries and trading blocs that maintain data export controls. Although such countries do not generally have formal approval processes, they are likely to recognise an EU finding, given the stringent standards involved. The changes will also enhance New Zealand’s standing as a privacy-conscious and privacy-protective country with our existing and developing international business partners.
The bill authorises the Privacy Commissioner to issue a data transfer prohibition notice if he or she is satisfied on reasonable grounds that personal information received from overseas is being routed through New Zealand, to circumvent another country’s privacy laws. It will be an offence to fail to comply with a transfer prohibition notice, but existing appeal rights to the Human Rights Review Tribunal will be available to affected parties. An essential part of all privacy regimes is ensuring individuals are able to access and correct the data that agencies hold about them. The bill will enable foreign nationals who are not in New Zealand to access any of their personal information that is held here.
The bill also looks to future international arrangements with overseas privacy enforcement authorities. The amendments dealing with the cross-border enforcement of privacy laws will complement the European Union directive on privacy. The bill is the first step in facilitating the adoption of the OECD’s mutual assistance framework and compliance with the APEC privacy framework, which, when fully implemented, will contribute to APEC’s efforts to increase cross-border trade and grow regional e-commerce.
The bill also authorises the Privacy Commissioner to consult with overseas privacy enforcement authorities like the Privacy Commissioner where there is a potential for overlapping jurisdiction or where it appears that the overseas authority has sole jurisdiction. The Privacy Commissioner will be able to transfer all or part of a complaint to an overseas authority, but only if both the complainant and the overseas authority agree. Likewise, New Zealand’s Privacy Commissioner may receive complaints transferred from an overseas privacy enforcement authority. The cross-border privacy enforcement provisions establish a mutual assistance framework between enforcement authorities that will benefit individuals both here and overseas.
The Privacy Commissioner has stated: “Globally, businesses are becoming extremely aware that information is an asset and are seeking to put measures in place to protect that information against loss or misuse.” I agree, as I am sure the Hon Lianne Dalziel does, with those comments. New Zealand cannot continue to do what it has always done, if we wish to foster greater competitiveness in an increasingly international economy. The changes to the Privacy Act that are proposed by this bill, which are no doubt supported by many parties in this House, will directly benefit New Zealand from both a business and an individual privacy perspective. I commend the bill to the House.
Hon LIANNE DALZIEL (Labour—Christchurch East) Link to this
I do not know why I feel as if I have nothing left to say before I have even begun, but, never mind, let me try my best. I am absolutely delighted to be able to speak in the first reading of the Privacy (Cross-border Information) Amendment Bill. I just said to one of my colleagues that perhaps I could spend a few minutes explaining why the Minister Simon Power says “priv-acy” and why I say “pry-vacy”, but we would just call the whole thing off, I think!
The reality is that this legislation had its genesis way back when I first entered Parliament, actually—in 1993, when the original legislation was passed.
Hon LIANNE DALZIEL Link to this
Well, I was here even before 1993, as the member knows. I sat on the select committee that dealt with the original Privacy Bill. In fact, I think the Hon Peter Dunne, who was my colleague in those days, introduced a member’s bill, but it was superseded by a Government bill, which the select committee considered at the same time.
A lot of people get hung up on the whole issue of privacy. Quite a lot of people use that expression “political correctness” when the Privacy Act is used to protect people’s right to privacy. But, in fact, a lot of the legislation we already have in this country, with its many flow-on effects in terms of our economy, comes from the fact that it is about protecting private information. It is data protection that drives the European Union in terms of its response to other countries and their mechanisms that are in place to protect data that is collected. Given the period of time that I have been in Parliament, the ability to gather information with the surveillance systems we have in place now has increased enormously since the Act was passed. Even when we travel, a large amount of information is held by airline databases and customs organisations in various countries. All of that information is held in huge databases that enable a lot of searching to be undertaken in terms of people’s movements.
So what we do today is monitored in quite a significant way. What we do with information when we gather it is very, very important, and this bill is so important because it is about data protection in terms of how we are seen to be dealing with other nations. The Minister quite rightly said that this bill is not purely Eurocentric, but it does stem from European Union requirements and the fact that if we want to have trade relationships with other countries, then we must have data protection provisions that are up to scratch and are accepted by those countries as providing sufficient protection—or adequacy, to use the correct word.
I will go back to quote a speech that I gave on 28 March 2003—that was not so long ago, was it? Only 6 years ago, almost to the day, I stated: “My appointment as Minister of Commerce has meant that I have taken a particular interest in trade matters. Most recently, my officials have been working on the Privacy Commissioner’s proposals to make changes so that we can advance our request to be granted a ruling that our data protection laws are ‘adequate’ for the purposes of the European Data Protection Directive. The EU Directive is likely to prove highly influential outside the EU because of the data flow controls that it instigates. Our trading partners from Europe will obtain a measure of satisfaction from knowing that our data protection laws meet their standards for data protection. Accordingly, a ruling of ‘adequacy’ will enhance New Zealand’s position in world trade.” Well, we have been a little bit slow in getting that up and running, but finally the day has come when I can stand in Parliament to talk about this bill. Tragically, I do not stand as the Minister introducing the bill; otherwise, I would have had a very, very good speech to deliver. But I thought that the Minister delivered the introduction speech very well instead.
The point is that this legislation has been on the agenda for quite some time. We can be flippant about the fact that it has taken a number of years, but I think it is important to realise that it is hard to get relatively minor amendments to controversial legislation on to the agenda at any time.
I will spend just a minute explaining why I think the Privacy Act comes out of this as controversial legislation when it ought not to be. I have heard members in this House talk about privacy laws as if somehow we are, firstly, protecting the politically correct attitudes that we might have—nanny State—and, secondly, acting so that people cannot pass on information about other people without their consent. But I think people need to realise that important trade implications come from our not allowing overseas nationals to apply for information held by New Zealand databases, and from our not having security around what happens to information that is transferred out of New Zealand and, perhaps, into the hands of those without adequate data protection laws. This legislation is designed to address those two features of our privacy law.
I will use an example I used back in 2003 when I was talking about why it was important to have privacy legislation in place. I talked about how easy it was to make flippant comments about giving up the right to privacy, and to argue that somehow the legislation is something that is imposed on people by Governments. The example that I always used was the sign that appeared on airline counters after the law was originally passed in 1993. I remember seeing this sign on the stand outside the Air New Zealand counter as I went up to buy my airline ticket or to confirm my booking. The sign said that the airline would not give out information about passengers, due to the operation of the Government’s Privacy Act 1993. The airline made it very clear that the reason it would not give out passenger information was the Government’s requirements under the Privacy Act, which had just been passed. My view is that the sign, if it was honest, would have read: “Because we value our passengers’ right to privacy, we do not give out information about our passengers to anyone without their permission.” By saying that, the airline would have said what it had always said before the Privacy Act was passed. Members would have noticed that Air New Zealand never gave out information about its passengers, but, hey, it was really convenient for it to blame nanny State and the Government for imposing this requirement on it, to the inconvenience of all.
I want my privacy protected. I do not want people to be told information about when I am travelling, where I am travelling, or what I am up to. What is on the public record is on the public record, but for private matters I believe that it is important that we maintain privacy. I am prepared to stand up in this House to defend the principles that lie behind the Privacy Act, and to say that I support these amendments to it, because they will advance New Zealand’s interests at the same time. I welcome the opportunity to speak on the first reading of this bill. I hope people realise that it is not worth making flippant asides in respect of privacy, and that privacy is an important human right that Parliament should protect.
In protecting privacy, we are motivated by different reasons. On my own side, I believe that it is a valuable human right. It is my right to privacy, and I am the one who gets to decide what private information about me is put on the public record. If others are collecting private information about me, I have the right to request to see that information, and I have the right to correct that information if it is incorrect. Our law allows that to happen. This bill is an extension of that. It makes it a commercial right as well. If we do not have adequate data protection laws in this country, we will not be able to enter into trade negotiations with countries that require our exporters to have that security. If we leave it up to individual companies to negotiate it, then that will add an unreasonable compliance cost on to their businesses.
I support this bill. I am glad that after 6 years we are finally able to get to it, and I look forward to its progress through the House.
CHESTER BORROWS (National—Whanganui) Link to this
It is great to be in the House on a day when we all seem to be agreeing on so much. As has been articulated by previous speakers, it is interesting to see the Privacy (Cross-border Information) Amendment Bill finally come before the House after such a long preamble. It is good to see it here. It is anticipated that it will facilitate trade and give security to people who travel to New Zealand that their travel arrangements will remain private. That is a good thing. It is something that is expected when we live in such a global community, and when people travel between countries with such frequency. The amendments are intended to assure our international business partners that their customers’ personal information will be protected when they deal with businesses in New Zealand. They are designed to ensure that personal data that originates overseas and is sent to New Zealand is subject to New Zealand’s privacy protection.
It has always amazed me that New Zealanders are so besotted with privacy, and, at the same time, so besotted with obtaining information. It is interesting to think for a moment about the debate we had on the Māori Trustee Amendment Bill, when we heard that over 183,000 people are unidentified, while money sits waiting for them in the account of the Māori Trustee. Funnily enough, information that would identify well over half of those people, if not damn near all of them, actually lies on Government records at the moment. If we had half a dozen police officers checking in their down time, for instance, the National Intelligence Application database that is held within the New Zealand Police, we would find that most of those 183,000 people have a firearms licence, own a motor vehicle or have an interest in one, have been a witness for the police or have had their name recorded, or have been issued with a traffic ticket or a notice for some other infringement within the last 10 years. Their names, addresses, ages, occupations, and dates of birth would all be sitting there on the database. It would be a relatively easy matter for someone to find out just where those 183,000 people are, but we will never know that, because we are not allowed to look. Our privacy laws prevent us from doing that. So it seems to me that on many occasions our privacy laws act against us, but on this particular occasion the privacy legislation will act for us.
I note that the Privacy Commissioner, Marie Shroff, said on 2 July 2008 that she welcomed the introduction of the Privacy (Cross-border Information) Amendment Bill, saying it would have benefits for New Zealand’s trading opportunities and would enhance personal rights. She said: “The bill will have two main impacts: first, it will help ensure New Zealand law meets the expectations of our trading partners and second, it will remove an anomaly so that people living overseas can access their personal information held in New Zealand. New Zealand business is operating in a global data processing economy and our data protection law needs to be recognised as stacking up internationally.” She also said: “It is important that our privacy law keeps pace in order to facilitate international trading opportunities. These changes should help to secure a finding from the European Union that New Zealand law offers an adequate standard of data protection.”
It is important that we, as a smaller country and especially in fairly tight times, are able to punch above our weight, as we continue to do on the international stage. That means that our systems and protections must have the integrity of those overseas and of our larger trading partners. It is important to note that the amendments dealing with cross-border data transfers aim to substantially reduce the likelihood of New Zealand being used as an intermediary for the avoidance of the privacy laws of other countries. I am sure that members can relate to the information that we have had over recent times about the lengths that people will go to in order to infringe the law in other countries by using New Zealand as a safe haven or conduit for either sending goods on to another country, because New Zealand is seen as a fairly benign country—
Sandra GoudieOr as a soft touch, as my friend and colleague Sandra Goudie says. Other countries that see goods coming in from New Zealand, and that see information coming from New Zealand into other countries, do not take quite as much notice as maybe they should.
The amendments also aim to increase the competitive advantage for trade between New Zealand and the European Union and other current developing trade partners. The Law Commission and the Office of the Privacy Commissioner agreed that the bill should go ahead at this time. It is good to be part of a Government that has recognised the need for this bill, and that is kicking on with legislation that is not contentious, at least among the bigger parties in the House. It will be interesting to see, for instance, just where the Green Party will go on this bill, bearing in mind the stance it has sometimes taken in the past in relation to data collection and privacy information. Largely, the bill seeks to enhance New Zealand’s opportunities as a trading nation. It seeks to prevent the malicious acquisition of private information, and the use of that information against those whom it would identify. The Privacy Act also makes it clear that there are important trans-border dimensions to the application of privacy legislation. This bill is a useful addition to the Act. The Law Commission’s view on the bill was sought, and it has indicated that it supports the bill, as well.
It is my pleasure to be able to endorse the process of this legislation, which acts in New Zealand’s best trade interests, and uses all opportunities it can to enhance our position as a global trader.
CLARE CURRAN (Labour—Dunedin South) Link to this
I rise to support the Privacy (Cross-border Information) Amendment Bill, which was introduced by the previous Labour Government on 2 July 2008. Before I address the bill I say that I have taken a bit of a poll of my Labour colleagues, and I think the consensus is that we say “pry-vacy” and members on the opposite side of the House say “pri-vacy”. I think that says something about the differences between us.
Hon Steve ChadwickYes.
This bill is a Labour bill and, therefore, we support it. It is a good bill. It amends the Privacy Act 1993 by introducing new provisions dealing with the cross-border transfer of personal data. To complement these changes the bill includes new provisions that facilitate the cross-border enforcement of privacy laws. The aim of the bill is to reduce the likelihood of New Zealand’s being used as an intermediary for the avoidance of other States’ privacy laws. Currently, the Privacy Act does not allow foreign nationals resident overseas to make information privacy requests, and, further, nothing in the Act prevents data received from overseas from being transferred outside New Zealand to a jurisdiction that does not have adequate privacy protection. That means New Zealand is unable to provide the assurance requested by overseas trade partners that we can fully protect their privacy and their customers’ privacy.
As previous speakers have said, in an era of increasing globalisation and e-commerce our inability to give this assurance is a potential impediment to trade. So getting our privacy laws right is important both for individuals and for businesses. Major advances in technology have changed the way personal data is collected, stored, and used. The challenge for businesses is to ensure that the benefits obtained through using new technology do not compromise individuals’ expectations about the security and use of their personal information. Businesses must be able to assure their customers that their privacy will be respected.
This bill complements a privacy review currently being undertaken by the Law Commission. I will talk a bit about that. The Law Commission is undertaking a review of privacy values, technology change, and international trends and their implications for New Zealand law. The terms of reference for the review were released in October 2006. The project is proceeding in stages, with reports being made at each stage. In stage one of the project the Law Commission is undertaking a high-level policy overview to assess privacy values, changes in technology, and international trends and their implications for New Zealand’s civil, criminal, and statute law. The Law Commission will conduct a survey of these trends in conjunction with the Australian Law Reform Commission, and a report on the overview will be published.
In stage two of the project the Law Commission is considering whether the law relating to public registers requires systematic alteration as a result of privacy considerations and emerging technology. In stage three of the project the commission is considering and reporting on how adequate New Zealand’s civil law remedies are for invasions of privacy, including tortious and equitable remedies, and the adequacy of New Zealand’s criminal law to deal with invasions of privacy. In stage four of the project the commission will review the Privacy Act 1993, with a view to updating it, taking into account any changes in the legislation that have been made by the time this stage of the project has been reached. Stages one and two were completed in early 2008 with the publication of a study paper and a report, and the Law Commission is currently engaged in stages three and four of the project.
In commenting on the review and the introduction of this bill, the Privacy Commissioner, Marie Shroff, last year welcomed the introduction of the Privacy (Cross-border Information) Amendment Bill, saying it would have benefits for New Zealand’s trading opportunities and would enhance personal rights. She said the bill would have two main impacts: “first, it will help ensure New Zealand law meets the expectations of our trading partners and second, it will remove an anomaly so that people who live overseas can access their personal information that is held in New Zealand.” She said: “New Zealand business is operating in a global data processing economy and our data protection law needs to be recognised as stacking up internationally. It is important that our privacy law keeps pace in order to facilitate international trading opportunities. These changes should help to secure a finding from the European Union that New Zealand law offers an adequate standard of data protection. The Bill will also give the Privacy Commissioner the ability to cooperate with overseas privacy authorities when dealing with, or transferring, privacy complaints. This reflects a priority area in the privacy work of both APEC and the OECD.”
Labour supports this bill. In essence, it will remove the current restrictions on who can make an information privacy request, it will enable public sector agencies to charge for making personal information available to overseas foreign nationals, it will provide for the referral of cross-border complaints to the appropriate privacy enforcement authority, and it will establish a mechanism to control the transfer of information outside of New Zealand to circumvent the privacy laws of the country from where the information came.
This bill is a Labour bill. We commend it to the House but we wonder to ourselves where National’s ideas are and how this bill will stimulate the economy, save jobs, and lift us out of a recession. There are important things the Government could be putting before us in the middle of a recession—not that this bill is not important. It is important, but we have to wonder—particularly in light of a global financial crisis of which the likely effects have been described as the greatest financial crisis since the Great Depression and the most severe recession since World War II: job losses; businesses going to the wall in many countries such as the US, the UK, and those in Europe; financial companies falling over; and thousands of small investors losing their savings. To some extent, that is happening in New Zealand. The International Monetary Fund chief economist has advised world Governments to commit whatever it will take to avoid a depression, which means making clear policies and acting decisively—doing too much rather than too little. Gee, where is the Government’s plan and where are the measures that are being put into place immediately to deal with the financial crisis?
This bill is a good bill and we support it. As the Hon Lianne Dalziel talked about, data protection is extremely important and it has important trade implications. They are both extremely important issues that this legislation is designed to address. The bill has been on the agenda for some time and we commend it to the House.
KEITH LOCKE (Green) Link to this
The Green Party is supporting the Privacy (Cross-border Information) Amendment Bill. We are very keen on protecting people’s privacy, and this bill goes some way towards achieving that. It is driven mainly by the requirements of the European Union countries, which are at the forefront of the world in protecting databases and privacy. In order for those countries to exchange data, they make it a condition for the countries they exchange it with to be up to the required standard. We have some country-to-country arrangements with European nations’ Governments, such as the Netherlands.
As the previous speaker, Claire Curran, indicated in her description of what the Law Commission is up to on the privacy issue, and also the Privacy Commissioner herself when one reads her stuff, this bill is touching only the edges of the problem. The issue goes much deeper than what is in this bill. But it is good that we are updating our law to fit in with the European Union requirements and be on, what was called earlier, its “white list”.
One of the problems is that so much information is international these days that it is very hard for any one national jurisdiction to really get a handle on the problem and to protect the privacy of databases. If one listens to people like Marie Shroff, the Privacy Commissioner, one hears them talk now about what I believe is called cloud computing, whereby people are not storing information so much on their own computers and hardware but on the Internet. That does not mean it is in the middle of space; it is on a server somewhere. But sometimes one cannot work out which country the server is in, and in that respect it is very hard to protect the privacy of databases.
We also know, and it is happening in New Zealand, that call centres are going to overseas locations. In New Zealand, call centres are now basing themselves in countries like India or the Philippines in particular. Although the countries might have data protection—they are supposed to have passwords and the like to get into the system as well as firewalls; you name it—if one deals with countries like the Philippines, the governance is not particularly strong, and the workers are not unionised. One cannot necessarily guarantee the privacy of the New Zealand data when there are call centres, or data being processed, in the Philippines, using cheap, non-unionised labour in many cases. There is a big problem there.
Lianne Dalziel talked about the advanced passenger processing system and the protection of data within that system. Airlines have to keep the data secret so that people do not know where travellers are going, except that under some of the laws brought in over the last couple of years, the airlines have to hand out the data. They have to hand it out not only to New Zealand agencies but to overseas agencies with which New Zealand has an advanced passenger processing agreement. Information such as the details of a passenger’s 28 days of travel, or projected travel, on either side of the date of departure goes all around the world.
The European Union, which as I said is at the forefront of a lot of this privacy stuff, had a big fight with the United States over the passenger processing system. One of the problems was that the American law enforcement agencies said they were after terrorists around the world and, therefore, wanted information on passengers coming from Europe to America. The European population got a bit upset. So the European Parliament passed motions about, for example, situations when Europeans—and it would be the same with New Zealanders—paid for an airline ticket with their credit card. The American law enforcement agencies said they wanted, as part of their advanced passenger processing, terrorist-checking system, the credit card numbers on their database for people who paid with their credit card when they booked flights in London or Brussels. The Europeans said that that was all very well except that the Americans did not have any serious data protection systems. They do not—that is one of America’s big weaknesses. New Zealand has an advanced passenger processing exchange with America, but we do not really know where the data we are exchanging ends up.
When we were discussing legislation in Parliament 3 or 4 years ago to guide the advanced passenger processing system, we added a provision to tighten it up. The provision said that if information were given to, say, the US customs or immigration departments, the departments could not pass on that information—there was a whole pile of about 20 bits of data on each individual, including nationality; you name it—to some other agency unless it was for a continuation of the original purpose. In reality, how could that ever be worked out? Since that time, the US has set up the Department of Homeland Security, which incorporates all the different agencies. The last I heard, it had on its database the names of about 70,000 people whom it considered a security risk. So there is a lot of room for error, discrimination, and leakage of data in that whole US system.
There are cases when people think they are transferring personal information just from one country to another, but really it goes around a big circuit of other countries. There was the case about 5 years ago of a man in Auckland called Mohammad Abbas, who had a sick relative in India. He wanted to send the relative some money for help in getting hospital treatment. He went into Western Union—an American company—in Auckland to transfer the money. But it did not get to the other end, which caused big distress to his family in India. Then it was discovered that Western Union had put the information through to an American Government database, and that Mohammad Abbas’ name had come up as having terrorist links, so the money never got through. In fact, it was just a confusion of names. Mohammad is a very common name, and Abbas is a very common name. There will be a whole lot of common names in any database of doubtful people. Abbas had a hell of a problem. There was no guarantee that Mohammad Abbas’ information would not circulate in directions he was unaware of when he first went into Western Union in Auckland.
There is also the problem of financial data relating to individuals and companies. It is very important private data. It is circulated and exchanged through banks around the world through a computer system called SWIFT. Although it is operated out of Brussels, it is American-owned, with a mirror of the data running in America as well so that the American agencies can get hold of the information if they want to use it to track down terrorists. Sure, we want to track down money transfers between terrorists, but in the process currently used to do so, the whole privacy system tends to break down. The Europeans have been a bit upset about the SWIFT system and some of its problems.
There is another problem with the internationalisation of data through law enforcement agencies, and even with what information comes up in newspapers. Poor old Ahmed Zaoui had this problem in a different way when he arrived here several years back. The Refugee Status Board did the first processing of his refugee status application, and it was much criticised by the Refugee Status Appeals Authority afterwards. An officer at the Refugee Status Board did a Google search and came up with a whole lot of newspaper clippings about Ahmed Zaoui in Belgium and France. The officer thought that Ahmed Zaoui must have some links with terrorism and denied his refugee status application on the basis of media information from abroad that was untested.
I have been involved as an advocate in other immigration cases. Police files have emails and stuff from agencies overseas that have come through. Supposedly, the information is about things like people’s job background, but none of it is tested or verified. People have been discriminated against because of that information. There is a free exchange of very personal information between, in particular, Government databases and, going beyond that, private databases, as well. Sometimes people can get a raw deal because of that. It is good that the European Union is trying to set the pace in terms of protecting privacy. The Green Party supports this bill and wishes the Law Commission and the Privacy Commissioner well in trying to deal with these very difficult and complex issues of protecting people’s privacy.
JONATHAN YOUNG (National—New Plymouth) Link to this
There are a lot of bus stops between here and Auckland, and there are a lot of bus stops around the world that our data travels through. Sometimes people at those places open packages in order to find out what they can see. The aim of the Privacy (Cross-border Information) Amendment Bill is to amend the Privacy Act 1993 in order to reduce the likelihood of New Zealand being used as a bus stop for the avoidance of other States’ tougher privacy laws. Where there is a hole in a net, fish will swim there in order to get through to the other side. Right now, New Zealand has a hole in its regulatory regime that is attracting fish that might have slipped through the privacy laws of their own countries.
This bill brings consistency with overseas States’ requirements with regard to the transference of information and data across their borders. With consistency of standards come confidence and trust. It is important for New Zealand to be seen as a trusted trading partner, especially with the European Union—we need its confidence. The changes proposed in this bill address the concern of some of New Zealand’s trading partners—especially European Union members—that overseas businesses have been locating operations and computer servers in New Zealand in order to benefit from our more flexible regulatory environment.
The Privacy Act became law in 1993. Like the privacy laws in many other jurisdictions, it was formulated in the 1990s, and at that time personal information was, largely, stored manually. With the advent of the power and the reach of the Internet, information about all of us is far more easily collected and disseminated throughout the world. An example of that is the spam scams that hit our email in-boxes on occasion. Even last week, I received email correspondence yet again from Nigeria, where people have copious amounts of money that they want to distribute around the world to worthy individuals. They want to bestow the magnificence of their generosity on such people. Well, they found me—although I do not consider myself worthy enough to benefit from their spare millions of dollars. I suggest that members on the other side of the House would be far more worthy than I. So I will not be sending the Nigerians my bank account number. Fortunately, I am not a member of Twitter, so I am no twit.
The Nigerian letter—also called the 419 fraud, Nigerian bank scam, or Nigerian money offer—originated in the early 1980s, as the oil-based Nigerian economy declined. Several unemployed university students first used the scam as a means of manipulating business visitors interested in shady deals in the Nigerian oil sector, before targeting business people in the West and, later, the wider population of the planet. Scammers in the early to mid-1990s targeted companies, sending scam messages via letter, fax, or telex. But then the spread of email and easy access to email harvesting software significantly lowered the cost of sending scam letters by utilising the Internet, and greatly increased the opportunity that spammer-scammers had. Hence the invitation that I received—and I am sure some of the other members of the House received it—last week. Somehow the spammer-scammers have accessed nearly every email address I have had.
In the 2000s, the 419 scam has spurred imitations from other locations in Africa, Asia, and Eastern Europe. More recently, there have been imitations from North America and Western Europe—mainly the UK—and even from our cousins across the Ditch in Australia. The Unsolicited Electronic Messages Act 2007 now deals with that sort of practice, but what it highlights is the open window that the Internet has provided to the world to access our private information. The collection, use, storage, and disclosure of one’s personal information can happen unnoticed, across borders, and at lightening speed.
I was visiting my brother, who is a medical researcher, in San Diego in the early 1990s. We went to a famous American department store called Sears, where there was a computer available to shoppers. One typed in the name of a friend who was getting married, and up came a list of preferred gifts—a Ferrari, a Porsche, and a red Corvette soft-top would be on my list. So I typed in my name. Surprisingly—and I say “Surprisingly” because I did not think that I was a person with a very common name—up came eight Jonathan Youngs who were all getting married in the US. I do not know how they managed to steal my identity. I did not know that I was as prolific as that. I must admit I left the department store dazed and depressed, both at the same time.
That is right—broke, but depressed at the lack of my uniqueness. That, too, demonstrates the power of computerisation and the ability to identify people’s information across the world.
Exactly.
The main purpose of this bill is to assure our international business partners that their customers’ personal information will be protected when dealing with businesses in New Zealand. That is a very important thing—we need to give our international traders confidence that they can trust our systems. The bill is intended to ensure that personal data that originates overseas and is sent to New Zealand is subject to New Zealand’s privacy protection. The amendments dealing with cross-border data transfers aim to substantially reduce the likelihood of New Zealand being used as an intermediary for the avoidance of the privacy laws of other countries. We are stitching up the hole in the net, so to speak. The amendments aim to increase competitive advantage for trade between New Zealand and the European Union, and with our other current and developing trade partners.
The bill has wide support. We note that the Law Commission and the Office of the Privacy Commissioner agree that the bill should go ahead at this time. The Privacy Act makes it clear that there are important trans-border dimensions to the application of privacy legislation. This bill is a useful addition to the Act. The Law Commission’s view was sought on the bill, and it has indicated that it supports it. We want and need to protect our data here in New Zealand, and to protect what comes to New Zealand from around the world. We need to repair the hole in the net, so that international traders feel confident in the protection we offer. Then New Zealand businesses can become, and will continue to be, the trusted traders and partners they seek them to be. I support this bill and I commend it to the House.
RAYMOND HUO (Labour) Link to this
I rise to support the Privacy (Cross-border Information) Amendment Bill, another bill introduced by the Labour Government, and it was introduced in July 2008. Speaking on this bill at its first reading, I want to emphasise two points. The first one is, in an era of increasing globalisation and e-commerce, how can privacy law in New Zealand be better adapted to enhance our trade opportunities and assist our businesses in gaining access to international markets? The second is, how can our privacy law be better drafted to reflect the notions “privacy is your business” and “good privacy is good business”?
The Privacy Act 1993 currently does not allow foreign nationals living overseas to make information privacy requests. What is an information privacy request? It is a request made to obtain confirmation of whether an agency holds personal information, to be given access to personal information, and/or for the correction of personal information. There is also nothing in the Act to prevent data received from overseas being transferred to a jurisdiction without adequate privacy protection outside of New Zealand. That means New Zealand is unable to provide the level of assurance requested by overseas trade partners that it can fully protect their privacy and their customers’ privacy. In today’s world of increasing globalisation and e-commerce, our inability to give that assurance is a potential impediment to trade.
In that regard, this bill is primarily designed to address two main issues: firstly, to ensure that New Zealand’s privacy law meets the expectations of New Zealand’s trading partners by assuring them that their privacy will be protected; and, secondly, to enable people living overseas who are not citizens or permanent residents of New Zealand to access their personal information held in New Zealand. Currently, the Privacy Act provides that an individual must be a citizen or permanent resident of New Zealand, or be in New Zealand, to make such a request.
There are four main provisions in this bill. The first concerns the transfer of personal information outside of New Zealand. One purpose of the bill is to establish a mechanism for controlling the transfer of information outside of New Zealand where the information has been routed through New Zealand to circumvent the privacy laws of the country where the information originated. The bill provides the Privacy Commissioner with a discretion to prohibit, on reasonable grounds, the transfer of personal information from New Zealand to another country. Secondly, the bill removes the residency restriction from persons who may make an information privacy request. Thirdly, the commissioner may authorise a public sector agency to impose a charge. Fourthly, the bill provides for complaints about breaches of the Act to be referred to overseas privacy enforcement authorities.
The changes proposed by this bill reflect the fact that the movement of personal information increasingly transcends national borders. The current Privacy Act 1993, like the privacy laws in many other jurisdictions, was formulated in the 1990s. At that time, most personal information was stored manually and it was not easy to copy or disseminate written information. Things have changed dramatically. Individuals may be perceived in a millisecond as a piece of information in an email or on a website such as YouTube or Facebook. Participants in a transaction may be on the other side of the world from each other. In my own case, for example, my maiden speech was broadcast live via the Internet as far away as Beijing, Hong Kong, and Taipei.
Thank you. My subsequent speeches in this House, as I have learnt, were also watched, reviewed, and reported overseas on Chinese language websites.
With the extensive use of technology, it is much easier to collect, copy, or distribute information than it was in the 1990s. By extending the scope of persons who may request access to personal information in New Zealand, the bill is especially relevant to the growing number of New Zealand businesses that trade offshore.
An aim of this bill is, of course, to reduce the likelihood of New Zealand being used as an intermediary for the avoidance of other States’ privacy laws. The changes in that regard are considered necessary because many States will not allow personal information held within their borders to be transferred to a jurisdiction where the personal information will not receive equivalent protection. One might infer that entities might have been locating operations and computer servers in New Zealand to benefit from a more flexible regulatory regime. Having said that, and with some trepidation, I suddenly had a feeling that we may need to get this bill passed with some sense of urgency.
I tell members to look at other jurisdictions; regulators seem to be seeking enhanced powers. In European Union countries we see signs of more stringent laws sought and enhanced enforcement penalties planned. Across the Ditch, the Australian Law Reform Commission initiated in August 2008 a comprehensive review of its privacy and confidentiality laws. Similar measures have also been implemented in Hong Kong. This bill is therefore necessary, and is expected to provide a timely boost to our businesses trading offshore. The history of New Zealand’s privacy legislation lies in part in the desire to be consistent with the OECD guidelines. I recall that our Privacy Commissioner once said that good privacy is good business. Indeed, businesses can help themselves by developing top-down privacy-conscious cultures.
To conclude, I support this bill because it will help ensure New Zealand law meets the expectations of our trading partners, and it will remove an anomaly, so that people living overseas can access their personal information held in New Zealand. The bill also complements the privacy review currently being undertaken by the Law Commission.
Overall, business is global and politics is local. I am pleased, indeed, to see that this bill, originally introduced by the previous Labour Government, seems to have received bipartisan support. I am sure that it is only the first part of a more extensive modernisation of our privacy laws. Thank you.
LOUISE UPSTON (National—Taupō) Link to this
I rise in support of the Privacy (Cross-border Information) Amendment Bill. It is important in an increasingly global economy that New Zealand is able to compete without burdens or barriers. This bill improves data collection and the security of information.
If we think back to 1993, when the Privacy Act was first passed, and if we compare the technology that was used in 1993 with what we use now, we see that it is vastly different. I want the House to reflect for a moment on the sorts of ways that we used to collect information. It may have been on paper cards or it may have been in notebooks. It definitely was nothing like what we have the capability to do today. So it is really important that we review the legislation and make sure it keeps pace with the speed of technology, and that it is relevant and puts in place the appropriate security nets.
I was going to talk about some points of interest that have been made by Opposition members tonight, but, in reality, of the points I have heard, there is really not too much in dispute. So I will move on instead. I support the comments made by my colleagues Simon Power and Chester Borrows, and made so well by Jonathan Young. The aim of the Privacy (Cross-border Information) Amendment Bill is to amend the Privacy Act 1993 in order to reduce the likelihood of New Zealand’s being used as an intermediary for the avoidance of other countries’ privacy laws.
I will reinforce the points that have been made this evening, so that we are all clear about what this bill would achieve. Firstly, it will remove the current restrictions on who may make an information privacy request. It will enable public sector agencies to charge for making personal information available to overseas foreign nationals. It will provide for the referral of cross-border complaints to the appropriate privacy enforcement authority. It will also establish a mechanism for controlling the transfer of information outside of New Zealand where the information has been routed through New Zealand to circumvent the privacy laws of the country from where the information originated. At present, the Privacy Act does not allow foreign nationals resident overseas to make information privacy requests, and does nothing to control the transfer of information outside of New Zealand in cases where information has been routed through New Zealand to circumvent the privacy laws. This bill addresses both of those deficits in the Privacy Act.
I will give members a couple of examples to make this amendment bill a bit more relevant. I will start with clause 5, which repeals section 34 of the Privacy Act of 1993. I was fortunate in 1994 and 1995 to work with the then Privacy Commissioner, Bruce Slane. The former Privacy Commissioner made the following comment during an address to the 13th annual Industrial Relations Conference meeting: “First, section 34 of the Privacy Act restricts making information privacy requests (requests for access to personal information) to New Zealand citizens and permanent residents wherever they are and to other individuals who are in New Zealand. So, a European who has formerly lived and worked in New Zealand has no right of access to information held about him here unless he is in New Zealand when he makes his request.” Bruce Slane recommended that the standing requirements in section 34 be abolished, and that is what we are doing today. The bill will also enable any individual to make an information privacy request. That means individuals do not have to be New Zealand permanent residents or citizens, or here in New Zealand at the time the request is made.
I will look at another example, which was raised in NZ Marketing Magazine by a business owner, who queried how the privacy laws work. The owner stated that he had a database that included a customer’s personal information, which is what most New Zealand businesses hold. However, the owner had affiliations with offshore companies, and he wanted to know whether he needed to change the way he handled the customer’s personal information. This bill seeks to reduce the likelihood of New Zealand being used as an intermediary for avoiding privacy laws in the United States—an important thing indeed.
Under this bill, the Privacy Commissioner will have authority to prohibit the transfer of personal information from New Zealand to another State, if he or she is satisfied, on reasonable grounds, on three points. First, the information has been, or will be, received in New Zealand from another State and is likely to be transferred to a third party where it will not be subject to a law providing comparable safeguards to the Act. Second, the transfer of the information may circumvent the privacy or data-protection laws of the State from which it has been, or will be, received. Third, the transfer would be likely to lead to a contravention of the basic principles of national application set out in part 2 of the OECD guidelines. Prohibition of the transfer of the information is effected by the commissioner, when he or she uses a transfer prohibition notice to the agency proposing to transfer the personal information. If someone failed to comply with a notice, that person would be liable and could be fined up to $10,000. It is important to note that the bill enables any individual to make an information privacy request. As I stated before, individuals do not have to be New Zealand permanent residents or citizens, or here at the time that the request is made.
The collection, use, storage, and disclosure of personal information can happen unnoticed across borders and at phenomenal speeds. If we think for a moment about the significant advancements of technology, data collection, data sharing, and data transfer, we realise it is vital that the legislation keeps up. With our legislative process, it is doubtful that our legislation will keep up at the same speed as technology advances, as that advance happens on a daily basis. But this amendment bill takes us a good way down the track in terms of protecting that information.
The amendments are intended to assure our international business partners that their customers’ personal information will be protected when dealing with businesses in New Zealand. We need to make sure that New Zealand is seen and recognised as a safe, productive, and competitive place to do business. The amendments are designed to ensure that personal data originating overseas and sent to New Zealand is subject to New Zealand’s privacy protection. The transfer prohibition notice mechanism will ensure that foreign personal data cannot be sent via New Zealand to jurisdictions without adequate privacy protection. The amendments will enable New Zealanders and New Zealand companies to assure their important trade partners that the New Zealand law will ensure their privacy is protected. The amendments dealing with cross-border data transfers aim to substantially reduce the likelihood of New Zealand being used as an intermediary for the avoidance of the privacy laws of other countries.
I am delighted to support the first reading of the Privacy (Cross-border Information) Amendment Bill, which is sponsored by our very capable and hard-working commerce Minister, Simon Power. I commend this bill to the House.
CHRIS HIPKINS (Labour—Rimutaka) Link to this
I would like to take a brief call on the Privacy (Cross-border Information) Amendment Bill. I will begin where Louise Upston left off, by congratulating Simon Power, the hard-working and diligent Minister in charge of the bill. I will take only a brief call because I know that the Minister is eager to get on to the next bill on the Order Paper, which is also in his name, as is the bill after that. Tony Ryall is allowed a brief turn on the Order Paper, then the next three bills are in the Minister’s name. As a matter of fact, if we count all of the bills on the Order Paper, we find that 15 out of the 35 bills are in the name of Simon Power. It could be that the reason we are discussing so many of Simon Power’s bills is that a significant number of the other bills are in Richard Worth’s name and he has been told he is not allowed to participate in the debate at the moment.
I note that this bill, like all of the other bills I can see on the Order Paper, was introduced by the previous Labour Government. Although Simon Power is a conscientious and hard-working Minister in charge of this bill, he does appear to be somewhat advantaged by the fact that a significant number of bills in his portfolios were introduced by the last Labour Government.
That is right.
This debate today is fairly topical because privacy is integral to avoiding issues around identity theft. As we have heard in the House today, identity theft can apply to anybody. Politicians and members of this House are not immune to issues of identity theft. Changes in technology have made identity theft so much more possible, and we saw that just this afternoon, when the Government aided and abetted a right-wing blogger’s attempt to be passed off as a member of this House in order to discredit that member. I am sure that is something we would like to avoid and that we would not encourage in any way.
The issues around privacy have been heated. I, for one, do not profess to be an expert on privacy issues in any way, shape, or form, but I like the idea that any information stored about me is kept securely and will not be passed on to somebody who is not entitled to have it. I understand that private information that comes into New Zealand as a result of our trading relationships with people from overseas should also have that same protection. I like the thought that if the private information stored about me is incorrect, I will have the ability to access that information and to correct it. When international trading partners and their customers are involved, those rights should be extended to them also.
I agree with Louise Upston that the environment we live in now is very, very different from what it was in 1993, when the Privacy Act was passed. We do not have file cards, and things like that, so much any more. The information is all stored electronically, and that introduces a whole range of new challenges.
As this bill progresses through the House, I will be interested in the enforceability of this law and in how it will be enforced. Again, I do not profess to be an expert on privacy issues, but if we look at the provisions in the bill, and the powers given to the Privacy Commissioner, it is difficult for us to see how some of those things will be enforced. For example, if the Privacy Commissioner prohibits the transfer of a certain amount of personal information, the ruling would be difficult to enforce, given how easy it is in the current technological climate for information to be exchanged very quickly.
The aim of the bill is to reduce the likelihood of New Zealand being used as an intermediary for the avoidance of other States’ privacy laws. The bill removes the current restrictions on who may make an information privacy request, by enabling public sector agencies to charge for making personal information available to overseas foreign nationals, by providing for the referral of cross-border complaints to the appropriate privacy enforcement authority, and by establishing a mechanism for controlling the transfer of information outside of New Zealand where the information has been routed through New Zealand to circumvent the privacy laws of the country where the information originated.
Getting our privacy laws right is important for both individuals and for businesses. Major advances in technology have changed the way in which personal data is collected, stored, and used. The challenge for businesses is to ensure that the benefits obtained through the use of new technology do not compromise individuals’ expectations about the security and use of their personal information. Businesses must be able to assure their customers that their privacy will be respected. Currently, the Privacy Act does not allow foreign nationals resident overseas to make information privacy requests.
Further, nothing in the Act prevents data received from overseas from being transferred outside New Zealand to jurisdictions without adequate privacy protection. This means that New Zealand is unable to provide the level of assurance requested by overseas trade partners that we can fully protect their privacy and their customers’ privacy, in an era of increasing globalisation and e-commerce. Our inability to give this assurance is a potential impediment to trade.
This bill complements the privacy law review currently being undertaken by the Law Commission. It is a good bill. It was introduced by the previous Labour Government, and I commend it to the House.
TIM MACINDOE (National—Hamilton West) Link to this
It is good to have an opportunity to speak in a debate that has been conducted in a positive and constructive spirit and that clearly enjoys bipartisan support in our Parliament. As other speakers have noted, the Privacy (Cross-border Information) Amendment Bill aims to protect the rights of New Zealanders and to reduce the possibility of foreign personal data being sent via New Zealand to jurisdictions that do not respect the high standard of “priv-acy” or “pry-vacy” protection that we in this country hold dear.
I use both pronunciations of “privacy” because, although I note that, apparently, members on this side of the House are meant to pronounce the word one way and members opposite another way, my parents were always divided over how to pronounce that word—and I can assure Ms Curran that neither of them ever voted Labour.
Listeners to this debate—including those in the packed public gallery, and television viewers with a shortage of alternative channels—will be relieved to know that this House is, for the umpteenth time since the change of Government, completing the unfinished business of the last Parliament. I have to say that as a new member I am at a loss to understand how the previous Labour Government so comprehensively lost control of its own legislative agenda. But I guess that is history now and the important thing is that we have a Government that is getting things done and mopping up Labour’s mess.
For Ms Curran to ask where National’s ideas are is unbelievable. A responsible Government finishes important business even when it was started by a previous Government, and we are doing just that. A responsible political party campaigns on the issues that matter and offers solutions to problems that concern the electorate at large. That is what we did last year, it is why National was elected to lead the Government in November, and it is what we have been doing, I say to Ms Curran, ever since. So to ask where National’s ideas are, when Ms Curran repeatedly complained about how quickly we got on with the job during our first 100 days of action—and have continued to do so subsequently—will fool no one up in the gallery tonight or in the country at large.
The country knows what National stands for and what our ideas are, and people are delighted to have a Government that knows what it is doing and that has such excellent Ministers as the very energetic member for Rangitīkei, the Hon Simon Power. When we consider all that Mr Power has achieved since the change of Government, and the myriad of marvellous measures he has managed so magnificently in this House since he took up his ministerial warrant, the suggestion that he is somehow lacking in ideas is patently ridiculous.
It is clear that the international business community not only expects legislative protection of this kind but depends upon it. Several previous speakers have rightly explained that point in some detail. I will focus for a few moments on the extra challenges that rapid technological advances have generated. They significantly underline the importance of achieving the enactment of the Privacy (Cross-border Information) Amendment Bill as soon as possible.
My excellent colleague Jonathan Young represents the fine people of New Plymouth not only in this House but also on the world stage. That reminds me that I would like to add my personal congratulations to the Rt Hon Helen Clark on her significant appointment that was confirmed this morning and to note that she, as a prolific texter, will also benefit from the extra security provided by this bill—but I digress, and that is totally out of character. The very fine Mr Young, as I was saying—who apparently managed to find eight brides in the United States last month alone, such an outstanding and popular public figure is he—drew attention to the plague of bogus email and other seemingly unstoppable spam, which drives us all nuts on a daily basis. The sad fact is that many innocent people have been taken in by such nonsense as the endless Nigerian money offers, the apparent Eastern European bequests, and the amazing lottery wins from Uzbekistan that arrive on a daily basis. Although the discovery tonight that I shall have to share my winnings with Dr Blue is a shattering one, I would come to terms with my grief if someone could stop me from receiving any more such glad tidings of dubious joy.
Seriously, this is a vital and widely supported measure. Let us get on and add it to Mr Power’s list of stunning achievements. I commend this bill to the House, and thank the gallery, and my mother—who is glued to her radio at home—for their rapt attention.