Late last year, the Privacy Commissioner, clipped Google for breaching the Privacy Act 1993 (the Act) through its "Street View" filming in New Zealand. Google acknowledged early on that it had made mistakes and has given a number of undertakings to improve its Privacy Act compliance processes.
We might all be pleased with the result, but did the Commissioner apply the law correctly?
'The Street View project involved Google travelling the length of New Zealand with specialised camera-mounted cars to capture real life images for its GoogleMaps application. The privacy issues arose because Google was also using a computer to collect information from WiFi networks within range of the Street View cars. This information included:
- "open" WiFi information (the device's unique identity number, the name the user has given the network, whether the network is secured or unsecured, and the signal strength), and
- payload information from unsecured WiFi networks. (The Privacy Commissioner accepted that Google had collected this information inadvertently and had no plans to use it. Because neither the Commissioner nor Google examined this data in any detail, no-one can be sure of its content. In other countries, however, complete e-mail messages were captured, including real names, addresses and telephone numbers and references to sensitive medical conditions).
The Commissioner's key findings
The Commissioner found Google in breach of Principles 3 and 4 on the "open" WiFi information and in breach of Principles 1, 3 and 4 in relation to the payload information. Principles 1 to 4 are summarised in the box below.
Principle 1: information must be for a lawful purpose connected with the agency and necessary for that purpose.
Principle 2: information must be collected directly from the individual concerned subject to a number of exceptions, the first of which is that the information is already publicly available.
Principle 3: the person must be informed that the information is being collected, the purposes for which it is being collected and the intended recipients. Importantly, it applies only to information which is collected directly from the individual. It does not apply to publicly available information.
Principle 4: the information should not be collected in a manner which is unfair or unreasonably intrusive.
The question is whether Principle 3 should have been in play or whether the information – both "open" and payload – was publicly available and therefore exempt from the Principle 3 requirements.
The Commissioner acknowledged that the open WiFi information was not in any sense 'secret' or 'confidential': it can be accessed by anyone with a smart phone, a wireless-enabled laptop, or other common and basic equipment that can see a display of all wireless networks in the vicinity.
In relation to the payload information (and this was only accessed by Google from unsecured networks), some might say that people who choose not to secure their network are just dumping information into the ether which other people (who write clever computer programmes) can look at.
The Act defines "publicly available information" as information contained in a "publicly available publication", which is in turn defined to mean "a magazine, book, newspaper, or other publication that is or will be generally available to members of the public; and includes a public register". But in 2008, the Human Rights Review Tribunal (considering the same phrase as used in principle 11(b)) decided that1:
And after comparing information gathered from public meetings to a video on the internet or a blog2:
On that kind of analysis, the Commissioner's conclusion that Google was in breach of Principle 3 is open for debate.
The Commissioner's finding that Google was in breach of Principle 4 in relation to the open WiFi information might also surprise some given wide media discussion of the fact that this information is not secure and can be readily "seen" by anyone walking past the house with a clever phone.
Was it reasonable to conclude that Google was "unfair" to gather it – just because of the scale of the project? While the Commissioner's report describes Google's actions as "covert" – some might argue that the initiative was no more covert than if a Google employee had sat at her desk and opened up a phone book. Views will differ.
The Commissioner was, however, on strong ground in relation to the payload information where it seems that Google did "intrude to an unreasonable extent upon the personal affairs of the individual concerned", which is a breach of privacy Principle 4.
However, the Commissioner went a step further; finding that Google's actions were not only unreasonably intrusive but also "unfair". Given that Google was already (clearly) in breach of Principle 4 for the intrusion, in this case nothing really turned on whether the intrusion was "unfair" or not.
But as privacy issues are increasingly pushed to the forefront of the public consciousness, there can be no doubt that the Tribunal will find itself considering similar issues in future when the issue of fairness (or otherwise) may well be the determining feature. "Unfairness" is of course an elastic concept. For some, Google's actions were clearly beyond the pale. Others, though, might ask whether by failing to secure their networks, people had "publicly broadcast" their data and therefore can't complain.
1. Coates v Springlands Health Limited and another  NZHRRT 17, at .
2. Above, at .
The information in this article is for informative purposes only and should not be relied on as legal advice. Please contact Chapman Tripp for advice tailored to your situation.