Late last year, the Privacy Commissioner (the Commissioner) clipped Google for breaching the Privacy Act 1993 (the Act) through its "Street View" filming in New Zealand. Google acknowledged early on that it had made mistakes and has given a number of undertakings to improve its Privacy Act compliance processes.
We might all be pleased with the result, but did the Commissioner apply the law correctly?
The Street View project involved Google travelling the length of New Zealand with specialised camera-mounted cars to capture real life images for its GoogleMaps application. The privacy issues arose because Google was also using a computer to collect information from WiFi networks within range of the Street View cars. This information included:
- "open" WiFi information (the device's unique identity number, the name the user has given the network, whether the network is secured or unsecured, and the signal strength), and
- payload information from unsecured WiFi networks. (The Commissioner accepted that Google had collected this information inadvertently and had no plans to use it. Because neither the Commissioner nor Google examined this data in any detail, no-one can be sure of its content. In other countries, however, complete e-mail messages were captured, including real names, addresses and telephone numbers and references to sensitive medical conditions).
The Commissioner's key findings
The Commissioner found Google in breach of Principles 3 and 4 on the "open" WiFi information and in breach of Principles 1, 3 and 4 in relation to the payload information. Principles 1 to 4 are summarised in the box below.
Principle 1: information must be collected for
a lawful purpose connected with the agency and necessary for that
Principle 2: information must be collected directly from the individual concerned subject to a number of exceptions, the first of which is that the information is already publicly available.
Principle 3: the person must be informed that the information is being collected, the purposes for which it is being collected and the intended recipients. Importantly, it applies only to information which is collected directly from the individual. It does not apply to publicly available information.
Principle 4: the information should not be collected in a manner which is unfair or unreasonably intrusive.
The question is whether Principle 3 should have been in play or whether the information – both "open" and payload – was publicly available and therefore exempt from the Principle 3 requirements.
The Commissioner acknowledges that the open WiFi information is not in any sense 'secret' or 'confidential': it can be accessed by anyone with a smart phone, a wireless-enabled laptop, or other common and basic equipment that can see a display of all wireless networks in the vicinity.
In relation to the payload information (and this was only accessed by Google from unsecured networks), some might say that people who choose not to secure their network are just dumping information into the ether which other people (who write clever computer programmes) can look at.
The Act defines "publicly available information" as information contained in a "publicly available publication", which is in turn defined to mean "a magazine, book, newspaper, or other publication that is or will be generally available to members of the public; and includes a public register". But in 2008, the Human Rights Review Tribunal (considering the same phrase as used in principle 11(b)) decided that:1
And after comparing information gathered from public meetings to a video on the internet or a blog:2
On that kind of analysis, the Commissioner's conclusion that Google was in breach of Principle 3 is difficult to accept.
The Commissioner's finding that Google was in breach of Principle 4 in relation to the open WiFi information is also a little surprising given that there has been wide media discussion of the fact that this information is not secure and can be readily "seen" by anyone walking past the house with a clever phone.
Is it really reasonable to conclude that Google was "unfair" to gather it – just because of the scale of the project? While the Commissioner's report describes Google's actions as "covert" – the initiative was no more covert than if a Google employee had sat at her desk and opened up a phone book.
The Commissioner was on much stronger ground in relation to the payload information where it seems that Google did "intrude to an unreasonable extent upon the personal affairs of the individual concerned", which is a breach of privacy Principle 4.
However, the Commissioner went a step further; finding that Google's'actions were not only unreasonably intrusive but also "unfair". Given that Google was already (clearly) in breach of Principle 4 for the intrusion, nothing really turned on whether the intrusion was "unfair" or not. But in terms of precedent, was Google's conduct really unfair when all it did was gather data that people – by choosing not to secure their networks – had chosen to publicly broadcast?
For further information, please contact the lawyers featured.
- Coates v Springlands Health Limited and another  NZHRRT 17, at .
- Above, at .
The information in this article is for informative purposes only and should not be relied on as legal advice. Please contact Chapman Tripp for advice tailored to your situation.