New Zealand won’t compromise on privacy rights for the sake of Facebook, Google's business models, Edwards says

The global momentum around consumer data rights is arriving in New Zealand, the country’s top privacy official has said, with pressure from the financial industry for the country to introduce open banking systems only expected to grow throughout 2020.

In an interview with MLex, Privacy Commissioner John Edwards said that recent progress across the Tasman Sea with Australia’s Consumer Data Right is something New Zealand doesn’t want to fall too far behind on.

But if New Zealand were to revisit Edwards’ 2016 recommendations on data portability, he will have to navigate an issue now troubling Australian officials — the prospect of technology giants such as Facebook and Google gaining access to financial data.

That prospect, which is now being weighed by Australian regulators, may well exacerbate Edwards’ already complicated relationship with the digital platforms.

The head of a regulator many thousands of miles from Silicon Valley, Edwards shows little hesitation in calling out the technology giants — whether it’s over content, privacy, or international policymaking, the commissioner appears ready to stand up for New Zealanders.

Controversially, he labeled the platforms “morally bankrupt” last year, in the wake of the terrorist attack in the city of Christchurch. Edward decried what he saw as a lack of willingness on the part of Facebook to acknowledge any responsibility for how its platform was used by the alleged gunman.

Edwards said Facebook’s failed efforts last month to win the EU over on its suggestion that digital-platform content should face global policies on content, was just one more example of the company’s failure to understand international policymakers.

“Facebook is doing exactly what you would expect an organization like that to do, which is to minimize compliance costs by having one harmonized system. Although their business model works that way, the international legal community does not,” he told MLex.

Edwards admitted that “there are efficiencies and values to having a global approach,” but he added that “if there was a global approach that included New Zealand, New Zealand should be entitled to say, ‘if you’re doing business in this country, here are the rules that you have to comply with’.”

The privacy commissioner slammed what he perceived as a tendency by digital platforms to “fetishize” free speech rights simply because doing so “suits their business model.”

“[It’s] not for a small cabal of Silicon Valley to tell New Zealanders what they have to put up with, what they have to expose their children to, what their rights and obligations are,” Edwards said.

— The Australian precedent —

The privacy commissioner’s dismal view of social media platforms is likely to cast a shadow over any data-portability New Zealand may want to consider.

Australia, New Zealand’s closest economic partner, has been working on data portability rules since 2017, when recommendations from the country’s top economic adviser, the Productivity Commission, urged the government to give consumers greater access to data held on them by private companies.

Those recommendations resulted in Australia’s Consumer Data Right, or CDR — bold data-portability legislation that included a pilot program for the banking industry and a promise that similar rules would be rolled out to the energy telecommunications industries.

But along with the CDR have come concerns that the platforms may use the policy to gain access to users’ personal data. It’s an unlikely prospect — under the Australian rules, users would have to approve any transfer. But, on paper, Facebook and Google could be able to use banking information to link their advertising to purchases made.

Given Edwards’ personal history with the platforms, the prospect of tech giants obtaining accreditation to receive personal data through a data-mobility mechanism may not be one the country’s top privacy official would warm to.

— Data-breach balance —

Another policy area in which New Zealand may have turned to Australia for inspiration is that of managing breaches of personal data — an issue that has been at the forefront of discussions surrounding the revamp of New Zealand’s privacy legislation, which is entering its final stages.

In February 2017, Australia’s parliament adopted the Notifiable Data Breaches legislation, that made the reporting of such breaches obligatory and established protocols to manage that reporting. The data-breach program has been in place now for two years.

The updating of New Zealand’s 1993 Privacy Act has also examined the need for mandatory reporting requirements, with Edwards telling MLex that “there’s always a tension between having very explicit and prescriptive rules and having vague rules which are able to take into account the infinite variety of the breaches we see.”

“To create uncertainty can lead to overreporting,” he said, adding that he wants to build a tool to help agencies and businesses identify how and when they would need to report a data breach.

While the law is still to clear a final hurdle in New Zealand’s parliament, a redrafting of the planned changes gained cross-party support in August when policymakers raised thresholds for data-breach reporting. The bill currently before parliament would make the reporting of data breaches in the country mandatory “where it is reasonable to believe the breach has caused or is likely to cause serious harm.”

— Privacy variety—

Edwards believes New Zealand’s new privacy laws — when adopted — will stand up to international scrutiny.

In a recent explanatory document, Edwards said the country’s proposed changes were part of a decision to follow international trends by providing “more comprehensive statutory controls on cross-border disclosures” and is in line with the EU’s General Data Protection Regulation.

And when it comes to the varying approaches around the world on tackling threats to privacy, Edwards says he accepts the need for jurisdictions to find the tools that suit them best.

Google’s use of location data is a case in point. The company is facing complaints around the world over allegations that devices using Google’s Android software were gathering data even when the user thought the phones’ tracking apps had been switched off.

These allegations are being pursued differently in a range of jurisdictions — with some enforcers, including those in Australia and Brazil, turning to consumer law, while enforcers in the EU, the US and Brazil seeing it as a privacy issue.

“I’m pleased to see this trend of finding the best regulatory fit to respond to a particular challenge,” Edwards said.

“Privacy regulators all around the world have limited funding but this trend of regulators working together to identify the most appropriate regulatory response to a challenge to pursue them is overdue and the industry players have played regulators off against one each other,” he said.

Edwards said he’s looking forward to working closely with the New Zealand Commerce Commission, the country’s competition regulator, and he thinks he will be increasingly having conversations about managing platforms in coming years.

— Avoiding encryption mistakes —

Despite sometimes waiting for Australia’s policy lead, Edwards appears to have also learned from what he perceives as errors in Australian policymaking — namely, the country’s controversial encryption laws.

Edwards told MLex that controversial measures which entered into law in Australia in December 2018 granting law-enforcement agencies the right to demand access to decrypted communications including those of WhatsApp have given “some pause” to commercial entities outside Australia.

The laws are “potentially adversely affecting Australia’s ability to play in [the] commodity cloud service space,” Edwards said, adding that he’s not aware there is any move in New Zealand to increase law enforcement’s access to encrypted data.

Edwards acknowledges that when it comes to tackling privacy there are times to cooperate and even learn from other regulators, and there are other times when he says he has to stand firm, to safeguard the interests of New Zealanders.

At times, his role means he has to clash with the giants of our time: Facebook and Google. And, Edwards says, he’s okay with that.