Privacy Commissioner John Edwards blogs:
The biggest thing in the privacy world just now seems to have exploded into the collective consciousness out of nowhere. For those of you with TLDR (Too Long Didn’t Read) syndrome, here’s the spoiler. The issue is not as clear cut as you might think. I’d like to hear a range of views about how we should approach this in New Zealand.
Since May 13, when the European Court of Justice ruled that Google in Spain should break links to an old newspaper story about the plaintiff, there has been much criticism, astonishment, suspicion, relief and applause, depending on which side of the fence (or the Atlantic) the commentator comes from.
I’m one of those fairly unimpressed with it.
Could someone in New Zealand assert a right to have links removed from a Google search on their name? Our law differs in some key respects from European law. For example, we don’t have the concept of “data controller” or “data processor”, and there are a number of other differences.
The first hurdle would be territoriality. Google could be expected to argue that their search engine and the algorithms that compile and order results are not within New Zealand’s jurisdiction. The ECJ decision might offer some assistance to a litigant on that point, as might this June 13 decision of the Canadian Supreme Court which is a more influential source of jurisprudence to our courts.
Google has a .co.nz domain name registered in New Zealand. If you search for a mechanic or painter in your town, the ads that lead the search results will tell you pretty clearly that Google has a place of business here, and those points might provide the beginnings of an argument that Google should be subject to a range of domestic laws – from the Fair Trading Act, to the Copyright Act, to the upcoming Harmful Digital Communications Act. Should privacy be any different?
Google could of course close down its local office, and run its NZ operations from say Australia.
A number of other arguments would then ensue as to the liability (if any) that Google should have for content hosted on sites to which it is only providing a link to. What is the extent of Google’s obligation under the multi-qualified information privacy principle 8 in our Privacy Act?
An agency that holds personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date, complete, relevant, and not misleading.
What is the onus if a New Zealand person asserts a right of correction (a term which is defined as including deletion) under information privacy principle 7?
My views is that people who want data about them on the Internet corrected, should go to the actual publisher of the data, and not hold the search engine liable for the data published by someone else.
Does the “purpose” element of the non-retention principle (principle 9) absolve search engines of the obligation to proactively purge old content? Should I issue a code of practice which spells out the respective rights of search engines and individuals?
I’m going to leave these questions until I am presented with an actual case to apply them to. There are many other authorities around the world grappling with the same difficulties.
I want my search engines to locate all content that is on the Internet, that the published has been asked to be indexed.
It may be that a case will come before me to determine before the issue comes to the Court or to Parliament. Someone might argue that Google should break a link to personal information that has been published online from a data breach, or that it is in breach of a Court suppression order. If I do have to determine such a case, in addition to weighing the various rights of privacy against the rights in the NZBORA, I will need to take into account the matters specified in s.14 of the Privacy Act. That means that, among other things, I have to have due regard to “the protection of important human rights and social interests that compete with privacy, including the general desirability of a free flow of information and the recognition of the right of government and business to achieve their objectives in an efficient way”.
Where do you think the balance should lie?
This is an issue that won’t go away.Tags: Privacy Commissioner