Proposed law changes to require companies and government agencies to let you know when they share your personal information with another entity could boost awareness of privacy rights

The Government plans to legislate next year to close a ‘loophole’ in the Privacy Act that allows companies to share your data among one another with few restrictions.

While any entity, including government agencies, that wants to collect information about individuals from them must get permission, there isn’t even a requirement to notify individuals if that entity later shares that information with another.

Andrew Chen, a research fellow with Koi Tū, The Centre for Informed Futures, said there are still some restrictions on information-sharing. However, the lack of a notification requirement is effectively a ‘loophole’, allowing third parties to get your information indirectly rather than coming straight to you.

There are plenty of legitimate reasons for information-sharing, he said. The Ministry for Social Development might want to share information with Inland Revenue to ensure someone is receiving the correct Working for Families tax credit, for example.

But there are also murkier reasons – maybe legal, but maybe not savoury. Facebook, for example, could be sharing information with a data broker who might then sell it on to advertisers.

In either of these circumstances, there should be little harm and potentially a lot of benefit in notifying the affected individuals.

Consultation on the changes closed recently, but a spokesperson for the Ministry of Justice told RNZ Cabinet had made an in-principle decision to close the loophole.

Documents released to Newsroom under the Official Information Act show the changes were prompted by a review of New Zealand’s compliance with European Union privacy laws. Under the world-leading General Data Protection Regulation, New Zealand is currently considered adequate, meaning Kiwi businesses can freely transfer EU data for processing.

The Ministry of Foreign Affairs and Trade told ministers the adequacy status “confers a significant benefit”. Anecdotally, officials reported, New Zealand businesses have a strong competitive advantage over companies in non-adequate countries. Only a handful of other countries are considered adequate and major digital competitors like the United States and Australia aren’t among them.

The focus on overseas benefits is particularly clear in the justice ministry’s consultation on the proposal. That document asks submitters whether the changes should only protect the privacy rights of overseas individuals whose information is handled by New Zealand entities, or whether they should apply domestically as well.

That raises the possibility the Government might legislate to give better privacy protections to people overseas than to those in New Zealand.

“If the rules are good enough for individuals who are overseas, they should be good enough for those in New Zealand too,” Chen said.

He added that the Privacy Act contains a number of exemptions for certain data uses, which would apply to the indirect notification requirement as well. If police sought information about a suspect from a third party, they wouldn’t have to notify that suspect because law enforcement is one of the exemptions, he said.

Chen also didn’t think there was much merit in concerns that the notification requirement would bring on “notification fatigue” for people. If personal information is being so rapidly transferred at such a large scale that a notification of each transfer would overwhelm individuals, that’s even more reason for people to be told about these transfers.

Any companies that might think twice about whether to transfer personal information now that they have to notify the individuals involved probably shouldn’t be doing it in the first place, he said.

While many people might still disregard the notifications, the scheme could raise awareness more broadly about individual privacy rights and the degree to which our data is used.

It is backed by the Privacy Commissioner and the Privacy Foundation.

Enhancing privacy rights in New Zealand also moves us towards being able to have difficult but necessary conversations about who really owns personal information as well, Chen said. If Facebook is selling a person’s name, birthday and interests to a third party, should that information be Facebook’s to sell? Or should it be the individual’s property.

Those questions may be some way down the track, but they’ll get closer if people continue to regain more control over their personal information.

Marc Daalder is a senior political reporter based in Wellington who covers climate change, health, energy and violent extremism. Twitter/Bluesky: @marcdaalder

Leave a comment