Late last year, the Privacy Commissioner, clipped Google for breaching the Privacy Act 1993 (the Act) through its “Street View” filming in New Zealand. Google acknowledged early on that it had made mistakes and has given a number of undertakings to improve its Privacy Act compliance processes.
We might all be pleased with the result, but did the Commissioner apply the law correctly?
'The Street View project involved Google travelling the length of New Zealand with specialised camera-mounted cars to capture real life images for its GoogleMaps application. The privacy issues arose because Google was also using a computer to collect information from WiFi networks within range of the Street View cars. This information included:
“open” WiFi information (the device’s unique identity number, the name the user has given the network, whether the network is secured or unsecured, and the signal strength), and
payload information from unsecured WiFi networks. (The Privacy Commissioner accepted that Google had collected this information inadvertently and had no plans to use it. Because neither the Commissioner nor Google examined this data in any detail, no-one can be sure of its content. In other countries, however, complete e-mail messages were captured, including real names, addresses and telephone numbers and references to sensitive medical conditions).
The Commissioner’s key findings
The Commissioner found Google in breach of Principles 3 and 4 on the “open” WiFi information and in breach of Principles 1, 3 and 4 in relation to the payload information. Principles 1 to 4 are summarised in the box below.
Principle 1: information must be for a lawful purpose connected with the agency and necessary for that purpose.
Principle 2: information must be collected directly from the individual concerned subject to a number of exceptions, the first of which is that the information is already publicly available.
Principle 3: the person must be informed that the information is being collected, the purposes for which it is being collected and the intended recipients. Importantly, it applies only to information which is collected directly from the individual. It does not apply to publicly available information.
Principle 4: the information should not be collected in a manner which is unfair or unreasonably intrusive.
The question is whether Principle 3 should have been in play or whether the information – both “open” and payload – was publicly available and therefore exempt from the Principle 3 requirements.
The Commissioner acknowledged that the open WiFi information was not in any sense ‘secret’ or ‘confidential’: it can be accessed by anyone with a smart phone, a wireless-enabled laptop, or other common and basic equipment that can see a display of all wireless networks in the vicinity.
In relation to the payload information (and this was only accessed by Google from unsecured networks), some might say that people who choose not to secure their network are just dumping information into the ether which other people (who write clever computer programmes) can look at.
The Act defines “publicly available information” as information contained in a “publicly available publication”, which is in turn defined to mean “a magazine, book, newspaper, or other publication that is or will be generally available to members of the public; and includes a public register”. But in 2008, the Human Rights Review Tribunal (considering the same phrase as used in principle 11(b)) decided that1:
... the exception in Principle 11(b) should be interpreted as extending to include a situation (as in this case) in which a person makes the personal information about themselves which is at issue public. In this sense we consider that Parliament has used the word ‘publication’ in Principle 11(b) as encompassing the first of the meanings given for the word ‘publication’ by the Oxford English Dictionary, i.e., “The action of making something publicly known; public notification or announcement; an instance of this.”
And after comparing information gathered from public meetings to a video on the internet or a blog2:
We see no reason to read the definition of ‘a publicly available publication’ as excluding that kind of information simply because it is not in magazine, book or other printed form.
On that kind of analysis, the Commissioner’s conclusion that Google was in breach of Principle 3 is open for debate.
The Commissioner’s finding that Google was in breach of Principle 4 in relation to the open WiFi information might also surprise some given wide media discussion of the fact that this information is not secure and can be readily “seen” by anyone walking past the house with a clever phone.
Was it reasonable to conclude that Google was “unfair” to gather it – just because of the scale of the project? While the Commissioner’s report describes Google’s actions as “covert” – some might argue that the initiative was no more covert than if a Google employee had sat at her desk and opened up a phone book. Views will differ.
The Commissioner was, however, on strong ground in relation to the payload information where it seems that Google did “intrude to an unreasonable extent upon the personal affairs of the individual concerned”, which is a breach of privacy Principle 4.
However, the Commissioner went a step further; finding that Google’s actions were not only unreasonably intrusive but also “unfair”. Given that Google was already (clearly) in breach of Principle 4 for the intrusion, in this case nothing really turned on whether the intrusion was “unfair” or not.
But as privacy issues are increasingly pushed to the forefront of the public consciousness, there can be no doubt that the Tribunal will find itself considering similar issues in future when the issue of fairness (or otherwise) may well be the determining feature. "Unfairness” is of course an elastic concept. For some, Google’s actions were clearly beyond the pale. Others, though, might ask whether by failing to secure their networks, people had “publicly broadcast” their data and therefore can’t complain.