Lawmakers struggling to keep up with changing digital world
This stuff is not just important at an individual liberty level, it’s also commercial.
OPINION: So far 2018 has been an annus horriblis for Facebook. The Cambridge Analytica data breach findings keep on getting bigger and bigger. Now a #deletefacebook movement is gaining force and CEO Mark Zuckerberg has been grilled by the Senate for two days.
While I haven’t listened to all of the Zuckerberg tapes, I have listened to a decent whack. Three things stood out.
First, how little apparently educated Congress-people understand about Facebook’s business model.
Second, how often Zuckerberg deferred to his army of advisers on data plumbing issues.
Third, the extent to which Facebook had provided open slather to application developers within the Facebook walled garden. Thousands of application developers have had access to people’s raw data, with little clarity as to what happens to that data once you leave the garden.
Many of the congressional members referenced the EU’s General Data Protection Regulation (GDPR), which comes into effect in May. GDPR sets a new ‘‘ground zero’’ around privacy regulation for Europeans, and for anyone that does business with Europeans (including New Zealand companies).
It imposes new privacy rules on organisations that offer goods or services to people in the EU, or that collect and analyse data tied to EU residents.
This new European law will take effect at the same time as the new Privacy Bill starts its journey through our Parliament. It’s been a long time coming.
Way back in 2011, I was one of a number of people asked to provide comments on a Law Commission review of the Privacy Act. The review itself had been floating around in various forms for five years prior to that.
At the time, it seemed surprising that the Government would allow such sluggish trajectory on such a vital area. Sluggish slowed to glacial, as it’s taken a further seven years for the Privacy Bill to enter the House.
The bill aims to modernise the 25-year-old Privacy Act and implement many of the Law Commission’s 2011 recommendations.
Which is great, except it might result in a piece of legislation that would have provided a pretty good approach to the privacy environment of 2012.
Back in 2012, Facebook had 550 million users, the majority of New Zealanders still used dial-up and the iPhone4 was brand new. Messenger apps were in their infancy and AI was largely theoretical.
Significantly, the massive data breaches of the past few years – like eBay’s breach of 145 million accounts, Facebook’s breach of 87 million and Yahoo’s massive breach of 3 billion – had yet to occur.
Clearly time has moved on, and so have the challenges around privacy in 2018.
Rather than wait around for officials to further postpone progress on the Privacy Bill, Justice Minister Andrew Little has wisely decided to at least get it into the House and start the process. However, it’s clear the bill will need a few tweaks.
First, it needs to have a proper ‘‘right to be forgotten’’. This right is built into GDPR already and is the gold standard for folks like you and me. It means you can ask to have certain data deleted so that third parties can no longer track you, and gives you the ability to have personal data and images deleted from digital records.
Although some elements of this right exist already for criminal and commercial records, we need to go the whole way.
New Zealanders should also have the option of digitally porting their personal information from one organisation to another via an API (application programming interface).
Lastly, the Office of the Privacy Commissioner need greater firepower than the wet bus ticket they currently have. In Europe the equivalent office can deliver penalties up to 4 per cent of a company’s revenue. In Australia it’s fines of up to $100,000 for individuals and $1 million for organisations.
Here in Aotearoa, Privacy Commissioner John Edwards has no real ability to enforce Privacy Act compliance, other than a frightening frown and a bit of name and shame. This is out of whack with the rest of the world and needs redress.
This stuff is not just important at an individual liberty level, it’s also commercial.
Currently, New Zealand enjoys real competitive advantages when it comes to overnight processing of data, being one of the very few countries that the EU recognises as meeting their standards. If we fail to chin this bar we will lose millions of dollars of revenue.
The real challenge now is drop in the necessary tweaks to the bill to make it fit for 2020 then temper this with a round of consultation; all without losing momentum at a time when privacy has moved from the periphery to the core of public policy.
Otherwise it could go from annus horriblis for Facebook, to a pain in the butt for all of us.
❚ Mike ‘‘MOD’’ O’Donnell is a professional director, consultant and writer. His Twitter handle is @modsta and he’d like to have frightening frown.