Computerworld in New Zealand tries to make sense of the Privacy (Cross-Border Information) Amendment Act and gaps in privacy law as they relate to data and cloud computing issues:
Section 10 of the Privacy Act in its present form covers some of the situations. For example, where a company in New Zealand sends data to an affiliated company overseas, it is still protected by the principles of the Act covering misuse, availability to the subject and opportunity for correction; but where data is sent overseas to an unrelated third party or into the cloud there is no guaranteed protection under the Act, says assistant privacy commissioner Blair Stewart.
Three solutions have been proposed for protecting data that leaves the island:
- Impose Kiwi law on foreign states, like the EU has imposed on NZ
- Pass laws to make Kiwi companies liable for data in their care regardless of where it is processed or transmitted
- Adopt the Indian example of using security standards (ISO) instead of using the law to control privacy
It seems to me that they really should consider a combination of options two and three.
Option one is amusing but would be a wasted political effort. When the countries within the EU can barely work out a breach notification law among themselves, demanding adoption from the outside is a long shot at best. Does NZ have that kind of clout?
Likewise the Amendment’s new “transfer prohibition notice” has a reference to security controls but it leaves the door wide open to interpretation. Adopting a standard would clarify things immensely.
114C Transfer prohibition notice
(1) A prohibition under section 114B(1) is to be effected by the service of a transfer prohibition notice on the agency proposing to transfer the personal information concerned.
(2) A transfer prohibition notice must
(a) state the name of the agency to whom it relates; and
(b) describe the personal information concerned; and
(c) state that the transfer of the personal information concerned from New Zealand to a specified State is prohibited either
(i) absolutely; or
(ii) until the agency has taken the steps stated in the notice to protect the interests of any individual or individuals affected by the transfer; and…
Can you guess what “steps stated in the notice to protect” will mean?
That kind of ambiguity will be very unpopular with data managers and service providers, and for good reason. Each prohibition notice could vary so much that it would create an impossible onus on providers to comply, even if compliance just means writing a formal response to the request. Cloud providers like consistency, as it is the only way to scale. They will want to see a discrete and regular list of controls for which they can prepare answers and solutions. ISO 27002 is a good example of what has worked, even for clouds.