Source: New Zealand Privacy Commissioner – Blog
One of the most persistent problems of privacy and data protection in the digital age is moving the responsibility from consumers needing to read terms and conditions for services they’re using to those services clearly explaining the choices and consequences that consumers have. We all know the problem, and it has been presented in several very striking ways. We’ve seen researchers print out and measure the length of the privacy policies and terms and conditions of popular services.
Dima Yarovinsky’s art project ‘I agree’, for which he printed out the terms of service for seven major tech companies to highlight their length and complexity. Instagram, Snapchat, and Facebook’s terms of service are so long they sprawl off the gallery walls onto the floor.
The reality is most privacy policies are far too long and complex for any regular internet user to read and understand.
Privacy consents a significant issue
Our Chief Justice believes that privacy consents will prove to be a significant issue. In her lecture commemorating the first New Zealand Privacy Commissioner, Sir Bruce Slane, she said:
There is good reason for proceeding with caution when weighing the significance to be given to consent when assessing whether the individual expected privacy or had waived it. These are standard contracts people must agree to if they are to access services, sometimes essential services. Most do not read the full content of any such contract. That is especially so with online service providers. Although the privacy policy must be agreed to before services can be accessed, acceptance is easy — simply click on the accept button.
Often the consequential authorised collection of data will occur in the course of a very low to no value transaction. Few would spend time reading a privacy policy before using a search engine or purchasing food to go. And yet by clicking accept, we are agreeing to all of the terms and conditions, if expressed in suitably plain English, contained in the privacy policy of the service provider. Even if we do read the privacy policy, it is doubtful we will have a full understanding of the implications of what we have agreed to. T
As with many problems that the digital age has created as a by-product of convenience and access to services, the solutions need to be found in a variety of different areas.
Yes, we need to change behaviours (both of consumers, and service providers), to make the former more curious and diligent, and perhaps willing to defer their digital gratification before “clicking to accept”.
But industry needs to be more transparent with consumers about the nature of the transaction that “click” involves, and more innovative in the ways it conveys transparency.
Privacy by design will play a part. Ensuring that the most privacy-protective options are obvious, and are the default setting, should become the industry norm.
And regulation will play a part. Labelling laws are a staple of consumer protection; there is a reason there are easy-to-understand graphics, prominently displayed on hairdryers, warning of the dangers of exposure of the device to water. It’s unlikely our product safety regulator colleagues would allow those warnings to be buried on page 23 of a 26-page “consumer information notice”.
Consent
Unlike other parts of the world, New Zealand’s law does not depend on consent as the primary authority for collecting, using, and disclosing personal information. Consent certainly has a role, but the main driver is the legitimate business purpose of the holder of the information. Here’s what this means in practice for complicated privacy policies, terms and conditions, and ‘click to consent’.
Information privacy principles 10 and 11 say that an agency that collected personal information for one purpose should not use or disclose that personal information for any other purpose unless an exception to that overarching principle applies.
The exceptions require an agency to have a justifiable basis for relying on them. The agency needs to have a belief on reasonable grounds that one of a set of conditions exists. For example, a novel use or disclosure of personal information will not be a breach of the principle where the agency concerned “believes on reasonable grounds that the use/disclosure”:
- Is authorised by the individual concerned
This threshold belief is tested when we investigate complaints, and we examine the grounds on which an agency holds a particular belief. In the case of a “clicked consent” defence, we will enquire as to the basis on which the online agency believes that click conveys an authority to undertake the action complained of. What research have they done to establish the number of people who read the terms they are purportedly consenting to? How many times do their customers click the link to the terms and conditions or privacy policy before clicking the consent box? How long do those who do click spend on the privacy policy page? Long enough to read it?
We’ve already declined to accept an imputed authority for a disclosure, based on the continued use of services based on broad and unexpected terms and conditions.
Purpose
Under New Zealand law, it’s the concept of purpose that plays a central role in authorising the collection, use and disclosure of personal information. The fact that your customer’s “consent” might not pass muster as an authority to use the information you’ve collected doesn’t necessarily mean you’re stuck. You need to look closely at the principles that prohibit novel uses or disclosures:
IPP 10
An agency that holds personal information that was obtained in connection with one purpose shall not use the information for any other purpose …
IPP 11
An agency that holds personal information shall not disclose the information to a person or body or agency unless the agency believes, on reasonable grounds –
that the disclosure of the information is one of the purposes in connection with which the information was obtained or is directly related to the purposes in connection with which the information was obtained.
Consent or no, if you always meant to do what you are proposing to do with the personal information, and you’re clear about that, then that’s your purpose, so you don’t need any individual authorisation.
So, you can do what you want, right? Not quite.
In order for consumers to make informed decisions about who gets to see and use their personal information, agencies must, by information privacy principle 3, take “such steps (if any) as are, in the circumstances, reasonable to ensure that the individual concerned is aware of” a number of matters, including “the purpose for which the information is being collected, and the intended recipients of the information”.
If you are telling customers in the “click to consent” box that their information will be used to “enhance the services we can provide you”, and page 35 of the legalese-dense privacy policy says that all your transaction information will be available to US data brokers, I may well conclude that you have not discharged your obligation under information privacy principle 3 (and potentially IPP 4 for unfairness, in particular for children and other vulnerable consumers), and that you are therefore in breach of the Privacy Act.
So what, you say?
While it is true that neither the current law nor the Privacy Bill allows the Commissioner to issue the massive fines available to my colleagues under the GDPR or at the US Federal Trade Commission, you will be liable for damages for any harm caused by the deception or obfuscation of your purposes.