George Orwell wrote literary criticism and one of his best known books is the dystopian novel '1984'. The novel was written in 1947 and identified such terms as "Big Brother", 'doublethink' and 'newspeak' which have become part of everyday language. Who would have thought 70 years later we would still be grappling with the same fairy-tale relationship between morality and privacy.
A recent scandal has erupted with Facebook and big data company, Cambridge Analytica which was involved in the collecting of personal identifiable information of 87 million Facebook users. The data was apparently used to attempt to influence voter opinion during the last US election.
At the start of this year a Cambridge Analytica employee, turned whistle-blower, provided information to the media which indicated that alleged unauthorised possession of personal private data was being used for political campaigns. These campaigns were based on psychological and personality profiles mined from Facebook. Things like public profile, page likes, birthdays and current addresses were used. The data was detailed enough for Cambridge Analytica to create psychographic profiles of the data subjects.
The internet and digital information has no physical reality. There are no dimensions or boundaries and this gives rise to broad privacy and security issues with all number of organisations and agencies collecting, using and storing information and bespoke profiles of people for all number of purposes – for example, with a tap or click any agency can build a profile and brand presence to target clients or consumers.
In New Zealand 25 years ago the Privacy Act was passed in law. A new Privacy Bill has now been introduced into Parliament and is intended to strengthen privacy protections. The key reforms include:
- Requirements to report data breaches: if agencies have a privacy breach that poses a risk of harm, they must notify the people affected and the Commissioner.
- Compliance notices: the Commissioner will be able to issue compliance notices to require an agency to do something, or stop doing something.
- Decisions on access requests: the Commissioner will make binding decisions on complaints about access to information, rather than the Human Rights Review Tribunal. The Commissioner's decisions can be appealed to the Tribunal.
- Strengthening cross-border protections: New Zealand agencies will have to take reasonable steps to ensure that personal information sent overseas is protected by acceptable privacy standards. The Bill also clarifies that when a New Zealand agency engages an overseas service provider, it will have to comply with New Zealand privacy laws.
- New criminal offences: it will be an offence to mislead an agency in a way that affects someone else's information, and to destroy documents containing personal information if a request has been made for it. The proposed penalty is a fine up to $10,000.
- Strengthening the Privacy Commissioner's information gathering power: the Commissioner will be able to shorten the timeframe in which an agency must comply with investigations, and the penalty for non-compliance will be increased from $2,000 to $10,000.
In Europe recently, General Data Protection Regulations (GDPR) were introduced to meet the increasingly data-driven world. Although the existing key principles of European data privacy laws remain unchanged, the new regulations extend territorial scope to all companies processing personal data, of data subjects residing in the EU, regardless of the company's location. There are increased penalties for the most serious infringements, and conditions for consents will be strengthened. Companies will no longer be able to use long illegible terms and conditions full of legalise, as the consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. There are also increased data subject rights in relation to breach notification (which must be reported within 72 hours of the breach becoming known), right to access personal data (confirmation whether or not personal data is being processed and for what purpose), the right to be forgotten (right to have data erased) and privacy by design (which is a concept involving the inclusion of data protection from the onset of the designing of systems, rather than an addition).
It is fitting to consider the words of George Orwell's 1984 – everywhere a person goes, even to his home, the Party watches him; everywhere he looks he sees the face of the Party's seemingly omniscient leader, a figure known only as Big Brother. In light of the Cambridge Analytica affair there remains a need to closely scrutinize the morality of the ever-watchful Big Brother!Download article in PDF format
Is it OK to collect biometric data from workers?
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.