14 – Business Law Newsletter – Technology Feature
There have been a number of developments in recent months in the technology space, covering privacy issues, protection of data, open source software and dealing with spam. In many cases, there are some helpful guides and tools that have been released.
| Topic | Summary |
|---|---|
| Advisory opinions | Privacy Commissioner’s new policy on advisory opinions, which may be useful for seeking guidance on new or novel questions of privacy |
| Transparency reporting tool | InternetNZ’s new transparency reporting tool for reporting requests for access to personal information by Government agencies |
| Developing a data breach response plan | The Office of the Australian Information Commissioner’s guide to developing a data breach response plan |
| Tools to help fight payment data theft | The new PCI Data Security Standard, which clarifies requirements around critical data security controls and security monitoring, together with tools for small businesses to help address risks of payment data theft |
| NZGOAL Software Extension | The Department of Internal Affairs’ release of the NZGOAL Software Extension paper, setting out a framework for the public release of software source code on an open source basis |
| Updates on Spam | Recent developments in relation to spam, including a High Court case that demonstrates the wide reach of the legislation |
| Business Law Team | If you have any queries about this newsletter, or any other business law issues, please contact a member of Lane Neave’s Business Law Team. |
Advisory opinions
On 2 May 2016 the Privacy Commissioner released a policy on issuing advisory opinions. Under the policy the Privacy Commissioner will consider issuing an advisory opinion where:
- there are public interest considerations in doing so, eg to help clarify the law, or because the matter is one of public interest;
- there is no complaint to the Privacy Commissioner or before other relevant bodies or courts in relation to the matter for which guidance is being sought;
- legal advice has been obtained and the matter is still unclear after such advice.
This could be a useful tool for agencies that wish to obtain guidance on a particular matter under the Privacy Act 1993 which is unclear despite legal advice (eg an agency proposes to undertake a new activity where new or novel privacy questions arise and the answers are not clear). Agencies also need to bear in mind that they will be named in any such opinion, the opinion will be made publicly available and the opinion is not binding (ie a court could still reach a different view on the matter). These factors may impact on the value of seeking an opinion.
The policy also notes that if any information provided by an agency in requesting an advisory opinion suggests an interference with the privacy of an individual or a breach of the Privacy Act or any other Act the Privacy Commissioner may investigate and/or refer the matter to other authorities.
A copy of the policy can be accessed here.
Transparency reporting tool
In July 2016 InternetNZ completed a project to provide free tools for organisations wishing to undertake transparency reporting. Transparency reporting is reporting on requests from Government agencies to access personal information held by organisations. Using this tool can help organisations consider more specifically how they go about responding to access requests from Government agencies.
If you are interested in using this tool, it can be accessed here.
Developing a data breach response plan
Back in May 2014 the Privacy Commissioner released a Data Safety Toolkit which had a particular focus on data breach. It includes strategies for dealing with data breaches and tips on how to prevent them. The Toolkit can be accessed here.
A few months ago, in April 2016, the Australian Information Commissioner (their equivalent to our Privacy Commissioner) released a useful guide that, in our view, effectively complements the Toolkit. It is a guide on how to develop a data breach response plan. While the guide is written for the Australian legislation, its tips are extremely useful for any organisation wanting to develop a plan on how it will deal with a data breach situation.
The key parts of the guide are the sections setting out what the plan should cover (eg the reporting line if a data breach is suspected) and who should be on the data breach response team and what roles they should have. The guide is only eight pages and includes a checklist of the points to consider. It is well worth a read for organisations that have not yet developed a data breach response plan or for those organisations that want to check their existing plan covers all the necessary elements.
The guide can be accessed here.
Tools to help fight payment data theft
Earlier this year, on 28 April 2016, the Payment Card Industry Security Standards Council (the body set up by the major credit card companies) released a new version 3.2 of the PCI Data Security Standard. It replaces the existing version 3.1 which expires on 31 October 2016.
The changes to the Standard include expanding the requirements for multi-factor authentication from personnel with remote access to cardholder data to all personnel with non-console administrative access to cardholder data, requiring that service providers undertake penetration testing six monthly (rather than annually), and requiring that service providers establish processes to detect and report on failures of critical security control systems.
The Standard provides for the new requirements to take effect on 1 February 2018. The Council also encourages companies that are involved with card payments to adopt the new version as soon as possible. The Standard along with a summary of the changes can be accessed here.
More recently, on 7 July 2016, the Council released a number of payment protection resources for small businesses to help address the risk of payment data theft. This includes a short guide of the key risk areas and some basic security actions that should be taken to help address those risk areas. It is a useful guide which we recommend all small businesses read. The guide and other resources released by the Council can be accessed here.
NZGOAL Software Extension
In July 2016, the Department of Internal Affairs released a “Software Extension” to NZGOAL (the New Zealand Government Open Access and Licensing framework), known as NZGOAL-SE. The focus of the Software Extension is to provide a framework for the public release and open source licensing by Government agencies of software they own or are authorised to release and licence. A copy of the paper can be accessed here.
It sets out 13 policy principles that a Government agency is strongly encouraged to apply in relation to publicly releasing and licensing such software. A key policy principle is that if a Government agency wishes to license its software it should do so on an open source basis. Each of the 13 policy principles is discussed in detail, along with risks that arise in making software source code publicly available. A number of the policy principles discussed recognise the complexity that can arise from software development and the impact that has on releasing the software source code (eg what happens if multiple parties were involved in the development or material bugs are found after the code is released).
The paper also sets out a review and release process to follow before releasing software source code. The review and release process helps the Government agency step through the policy principles relevant to releasing the software source code (ie once the decision to release has been made). As part of this process the paper discusses its two preferred types of open source licence which are to be used to set the terms on which the software source code is licensed, including example wording for doing so.
At the end of the paper are specimen intellectual property clauses for use with service providers where a Government agency proposes to use existing open source software and publicly release adaptations of it or interfaces to it. However, the specimen clauses do not cover the situation where the Government agency is developing new software without building on any existing open source software and wishes to publicly release the software source code of that new software.
As the paper demonstrates, making software publicly available raises a number of complex issues to consider. We recommend any Government agency wishing to do so obtains legal advice before proceeding.
Updates on Spam
On 22 February 2016 the High Court delivered its judgment in Aksentijevic v Department of Internal Affairs (DIA). This was a low-level infringement case under the Unsolicited Electronic Messages Act 2007. It was also the first time some of the key provisions of the Act were considered by the High Court.
The case involved an argument between Mr Aksentijevic and a number of people involved in a forum called NEO-GEO. The Court summarised the argument as concerning whether some software was legitimate or bogus and whether some of the software was better than other software. Mr Aksentijevic was found by the Court to have sent 28 messages to 439 unique email addresses (ie a total of 2,230 emails were sent). They all contained a link to an advertisement on Google Play for a free game called CrazyTilt and some of the messages also contained statements about the benefits of the game. The Court noted that the evidence indicated that it did appear that Mr Aksentijevic was the subject of abusive comment from forum members and that some of his messages included abuse. The Court also found that Mr Aksentijevic was not seeking to make a profit when sending the messages.
Two key points come out of the judgment in the course of considering whether the messages breached the Act. They were that:
- The term “commercial electronic message” is just a label, and the meaning is to be determined from the definition. The definition includes an electronic message that “markets or promotes,” among other things, goods or services. The Court held that there is no requirement that an electronic message which markets or promotes goods or services needs to have any commercial or business objective or an intention to make money. This clarifies that the scope of the Act is wide.
- Consent to send electronic messages might be able to be inferred from joining a forum that permits members to do so, but if a person is banned from the forum any possible consent would be revoked on that occurring. Inferred consent will not apply to abusive electronic messages.
Ultimately the Court found that the messages were sent in breach of the Act and imposed a civil liability penalty. As this was at the low end of the spectrum the penalty was set by the Court at $250.
The case is a reminder that, first, the Act has a very wide reach and, second, that when sending electronic messages that are subject to the Act, the sender (which might be an individual or an organisation) needs to ensure that it does so in compliance with the Act, and in particular that the sender has the consent of the recipient.
While the messages in this case were caught by the Act, the real problem with spam is a far greater one. This is particularly so where the messages sent contain malware or involve phishing or whaling in an attempt to elicit financial gain. The senders of such spam often send messages numbering in the millions. On 15 June 2016 DIA announced that it had strengthened the international fight against spam by signing a Memorandum of Understanding with enforcement agencies in nine countries, including Australia, Canada, the United Kingdom and the United States. This MOU will enable the sharing of intelligence, where permitted by law, to help track down and take action against such spammers.
Articles written by:
Business Law Team
If you have any queries in respect of the above, or any other business law issues, please contact a member of Lane Neave’s Business Law Team:
Disclaimer: The content of these articles is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.