I'd like now to introduce our first keynote speaker, John Edwards, and John was appointed as a Privacy Commissioner of New Zealand in February 2014 after a more than 20-year career practising law. John has degrees in law and also public policy from Victoria University of Wellington and has advised and represented a wide range of clients from the public and private sector. In addition to a practice specialty in the law of information and privacy law, he held warrants as a district inspector for mental health and as a district inspector for intellectual disability services and has provided legal services to the Kingdom of Tonga. In October 2014, John was elected as the chair of the Executive Committee of the International Conference of Data Protection and Privacy Commissioners.

Thanks, Alex. Thanks, Gihan. Kia ora tātou. Ngā mihi ki a koutou i tēnei wā. I want to acknowledge the tangata whenua of this place as I welcome our international guests as well as the many representatives of privacy in civil society, in academia and in business from New Zealand. I'm not actually talking about security and privacy. Well, it will come up, of course, but in this environment I thought, with so many different jurisdictions and cultural and legal traditions represented, it might be useful to question some of the assumptions about the topic of privacy and how it is perceived in different countries. When we come here together representing many different countries, languages, cultural and legal traditions to talk about privacy, how can we be sure that we share a common understanding of the concept? Are we talking about the same thing? Or do we each have a slightly different concept in mind when we use the term? I have to admit that sometimes when I'm in an international forum I wonder if there aren't quite a range of different understandings.
If you look at legal writing, I think we can agree that the most general definition is freedom from interference or intrusion or, as articulated by Warren and Brandeis, the right to be let alone. But privacy means different things to different people, to different cultures, to different communities. At the same time, we live in an increasingly connected global world in which it is often said information or data knows no borders. And information originating from an apparently simple domestic transaction might pass through three or more countries. So there's a tension, and arriving at a common definition or meaning of the concept of privacy is one of the challenges privacy regulators and the international privacy community face. In the recent Hollywood film Arrival, the actor Amy Adams, who I'm reliably informed is no relation to the Minister of Justice of the same name who has more than a passing interest in privacy, plays a linguist who is recruited by the US government to communicate with newly arrived extraterrestrial visitors. The main conflict in the film comes from humans trying to learn the aliens' language. The aliens, for example, talk about a weapon. Debate rages in the film about whether they mean a weapon or a tool. Both terms are quite similar, but the slight differences in meaning bring dramatically different consequences. Tool, as a word, builds trust, and the word weapon instigates fear and mistrust. When we debate the term privacy we are also trying to find common ground between different cultures' definition of ostensibly the same thing. In a world with human languages numbering between six and seven thousand, the word privacy can mean different things. These meanings are often nuanced and shaped by culture, society and history. In our early human history privacy was a lesser priority in conditions of subsistence existence. Living in small rural communities, most humans had little concept of privacy until fairly recently.
Sex, breastfeeding, domestic quarrels, toileting and bathing were usually performed in front of other members of the small communities that were the cradle of mankind. The anthropologist Jared Diamond observed that because hunter gatherer children sleep with their parents, either in the same bed or in the same hut, there is no privacy. Children see their parents having sex. In one tribal society parents took no special precautions to prevent their children from watching them having sex. They just scolded the child and told it to cover its head with a mat. So there's a basic sense of privacy at least. In the 1951 book Patterns of Sexual Behavior, the American researchers Clellan Ford and Frank Beach studied the sexual behaviour of 191 cultures and found that the preference for privacy was instinctive. In nine of 12 societies where homes have separate bedrooms, people preferred to have sex indoors. In those cultures without homes with separate rooms, sex is more often preferred outdoors. Often the desire for privacy was overridden by the need to survive. The anthropologist Jean Briggs found herself being ostracised by her native North American Utku host family after daring to explore the wilderness alone for a day. She made the observation, "How forlorn I would be in the wilderness if they forsook me. Far, far better to suffer loss of privacy." The concept of individual privacy is usually associated with Western culture and, as you can see, it was a concept foreign to some cultures until recent times. There's also the subtle distinction between privacy and secrecy. Ontologically the word privacy has been described as an example of an untranslatable lexeme. With many languages, there is simply no specific word for it. In Russian the word for solitude, secrecy and private life combine to capture the essence of what we in this room might mean by the term privacy. Other languages adopt privacy as a loanword: privasi in Bahasa Indonesia or la privacy in Italian.
In Mandarin Chinese privacy means secrecy, solitude and seclusion, all or each of these things. Meanwhile in Islamic cultures the notion of privacy has no conceptual autonomy in legal literature; rather it has to do with a cluster of attitudes and norms. A famous line in the Quran says do not enter houses other than your own unless you have asked permission and greeted the inhabitants. The Quran also includes a general injunction against prying and spying on people. In New Zealand, Western concepts of privacy, especially legal concepts, are centred on the individual. Western intellectual ideas have for many centuries developed along the lines of the rights of the individual. However, many indigenous peoples, including New Zealand Maori, have a different focus that is more likely to emphasise the good of the collective, the rights of the collective as to analogy to the European aspects of European concepts of privacy with its several overlapping shades of meaning including sacred, prohibited or unclean. New Zealand Maori legal academic Khylee Quince described Tapu as a status that exists when a person, place or thing is placed under restriction or dedicated for a particular purpose. She says in a legal sense this relates to the inviolability of the human person to be free from physical assault and interference. A related concept is that of Mana, which Khylee Quince describes as my reputation and my self-esteem, both how others think of me and how I think of myself. Mana and Tapu combine in many settings to produce ideas and reactions which closely parallel European responses to privacy invasions. In a Law Commission review of this country's Privacy Act the reviewers observed that in the state's drive to collect health information, if Maori are confident that their information will be used in a way that is empowering or mana-enhancing they will be more willing to agree to the collection and use of that information.
But if Maori believe that information will be used in a way that is derogatory to Maori and which diminishes Mana, they will be reluctant to share information. So we have similar concepts which in the west might be assigned to the individual being claimed as a right accorded to a collective, whether that be whanau, hapu or a broader ethnic group. Robert C. Post of the Yale Law School wrote in 2001 that privacy is a value so complex, so entangled in competing and contradictory dimensions, so engorged with various and distinct meanings, that I sometimes despair whether it can be usefully addressed at all. People are different and our ideas of privacy are shaped by culture, religion, language, history and architecture. Through the ages there has been no single unifying concept of privacy, but that is changing. These different perspectives that existed have slowed the establishment of a set of internationally accepted principles on privacy. The constitutions of many countries do not explicitly mention privacy or an individual's right to privacy. In Indonesia, for example, the constitution does not explicitly mention privacy; however, article 28G protects the right to dignity and to feel secure, concepts that are often related to the right to privacy in national constitutions of other countries. In Kenya the constitution specifically protects the right to privacy. It states every person has the right to privacy, which includes the right not to have their person, home or property searched, their possessions seized, information relating to their family or private affairs unnecessarily required or revealed, or the privacy of their communications infringed. But according to Privacy International, civil society groups in Kenya report it is difficult to work on privacy and surveillance in that country as the issue is not widely deemed important by society in general.
This is in part because the increased number of security threats has enabled a strong national security discourse to overshadow concerns about individuals' privacy. Privacy International notes that privacy is often subsumed by other human rights issues. So societal values on privacy change on a temporal basis depending on the domestic circumstances and the needs of the population and individuals. I suggest a universal acceptance of a singular definition of privacy is not going to happen because it would be impossible to get agreement at an instrumental level. How do we get the United States, China, the Republic of Korea and Ghana, for example, to agree upon a universal set of privacy expectations? More importantly, should we even try? Is it important that we all agree? We disagree or have different practices in so many other areas of our cultural or legal practice. Why should we, in privacy, do we need a global standard? Is it possible to abstract what are described as privacy values to a level that receives acceptance across the entire global community? Well, there I think we may have some promise. One of the abstractions is data protection, which I see as a subset of a wider group of privacy values but which is a term often used interchangeably with privacy, which can add to the confusion. For example, we see an increasing diversity of countries in the Asia-Pacific region, in Africa, adopting data protection laws, but the underlying values and cultural traditions on which these laws are based may represent quite divergent approaches to the concept of privacy in those communities from that which informs the similar-looking laws in countries in Western Europe or North America, which themselves begin from quite different points when it comes to recording the respective rights and obligations on data processors or generators and data subjects.
So if we in Asia-Pacific or in Africa think that elsewhere there is an agreed set of privacy values, then we are misinformed, because at every international forum I've attended in the last two years we've seen a raging debate across the Atlantic between the European approach and the American approach to privacy, which begins from different precepts and different values and primacies of different rights, such as freedom of expression being a fundamental human right versus the right to privacy being described in Europe as a fundamental and inalienable human right. There's a view among some technologists as well as some governments that accommodating privacy concerns and safeguards is a curb on technological innovation or on the aspiration of building more efficient cities and safer societies. Reflecting that transatlantic discourse that I mentioned, the sort of the insult that's cast from the United States across to Europe is "Google could never have happened in Germany" and variations on that theme. But if we look away from that relationship, which dominates much of the international discourse on privacy, and perhaps look a bit closer to home, China's government is exploring plans for a social credit system which utilizes big data to hold citizens to account for their financial decisions. To do so the government is enlisting some of the country's best known companies. According to the Wall Street Journal, Alibaba's Alipay payment system is one of eight companies based on the requirements around China's social credit scoring system. Alipay will compile scores based on a user's smartphone brand and what they buy online before offering users perks for high scores. The information helps the government monitor and reward citizens with higher credit scores. The scores will not only be based on a user's lending and spending numbers but also on what the money is spent on.
If friends have a poor lending reputation this reflects badly on the person, just as prolonged playing of video games, one report explained. Buying diapers indicates responsibility and therefore scores well. China's government says it wants to roll out the social credit score programme nationwide by 2020, and if that sounds like science fiction to you I suggest that you subscribe to Netflix and check out Black Mirror and you'll see that fiction has only narrowly preceded this reality. Meanwhile in the United Kingdom the British financial regulator FCA has warned that insurance companies could use available data to identify customers who shop around and those who do not and could differentiate pricing accordingly. The warning comes as the availability of more personal information on social media and devices such as telematics boxes that monitor driving habits mean the insurance industry is moving towards quotes on observed behaviour of individuals rather than grouped assessments of risk factors. One telematics provider, Octo, launched an app this year that shared customers' driving data with insurers so they could bid for custom. It claimed that the safest drivers would get the lowest premiums. Imagine that model rolled out to social insurance or health insurance or accident insurance: if you have the misfortune to be in an industry that has low safety standards you could find yourself perversely being rewarded with the highest possible premiums. Also this year the British insurer Admiral announced that it planned to use Facebook's status updates and likes to help establish which customers were safe drivers and therefore entitled to a discount. Privacy advocates called the proposal intrusive and it was blocked by Facebook hours before it was due to launch, not because of any breach of legal norms but because of the creep factor, the yuck factor, the cultural norms and expectations.
I think that the security debate is in the background of all of this, so I do need to address it, Alex. Due to Edward Snowden, one of the hottest privacy debates of recent times has been about the relationship between security and intelligence agencies and the community, how those agencies derive their legitimacy and how that legitimacy can be harmed or enhanced. So how does society engage in the conversation with government and big business when it lacks the information necessary to make a fully informed choice about the balances and trade-offs? Can accountability mechanisms keep pace with change and not get left behind and rendered obsolete? I want to take a slightly different tack from one you might expect the Privacy Commissioner to take in discussing the Snowden revelations. A lot of people both within and outside the countries directly implicated in the material Snowden leaked simply didn't care, or they expected the governments to be doing exactly what was reported. In some countries there is a very high level of comfort for agents of the state having access to whatever information they need to keep people safe and to stop terrorists. We saw outrage and shock from some NGOs, and we saw righteous indignation from some countries which, within a few months of the NSA-GCHQ interception activities being revealed, were exposed themselves as being involved in exactly the same kind of activity. So we do see, I won't say double, I would say multiplicities of standards in this area. The fact that those revelations from Snowden coincided with an explosion in the data ecosystem has led to a complex and interrelated series of responses that do not necessarily as a whole demonstrate a consistency of values and imperatives. In April 2015 the United Nations Human Rights Council adopted a resolution to appoint a special rapporteur on the right to privacy.
The resolution directed the special rapporteur, amongst other responsibilities, to report on alleged violations of the right to privacy, including in connection with the challenges arising from new technologies. Those developments are reactive responses to perceived abuses. At the same time governments are trying to capture for their populations the benefits of the digital economy. A consensus seems to have developed that increasing participation in the digital economy is a good thing, that there are enormous quantifiable benefits to be had from investing in online infrastructure to deliver a range of social and economic services. A precondition to that engagement, to the realisation of the benefits of technology, is that the users must have trust in the system, and that without that trust that personal information will be kept and transmitted safely and securely those benefits will not be realised. When privacy is a prerequisite for governments and businesses benefiting from technology, the value proposition for agreeing on some common and consistent approaches to privacy or data protection, call it what you will, becomes evident. We saw this at the OECD ministerial in June in Cancun. It was entitled The Digital Economy: Innovation, Growth and Social Prosperity. Paragraph 5 of the ministerial declaration recorded ministers' commitment to promote digital security risk management and the protection of privacy at the highest level of leadership to strengthen trust and develop to this effect collaborative strategies that recognise these issues as critical for economic and social prosperity; support implementation of coherent digital security and privacy risk management practices with particular attention to the freedom of expression and the needs of small and medium enterprises and individuals; foster research and innovation; and promote a general policy of accountability and transparency.
So there's a whole lot packed into that statement about the preconditions for the benefits of digital economies being enjoyed by the broadest possible population. If we abstract privacy to a level of trust in personal information management practices, then it doesn't really matter whether one country regards privacy as a fundamental human right and another finds that concept so vague as to be unmanageable. It avoids a primacy of right, for example setting freedom of expression against individual privacy. If you ask the question what is required to maintain trust in our management of personal information, you can move past prescriptive rules and absolutism and address the underlying question of how competing needs from personal data can be accommodated within a single framework. Returning to the security and intelligence element, for example, few if any people would deny the legitimacy of the state to act to protect its population. Most of us would regard it as a duty, one of the most fundamental duties of the state to its people. We entrust agencies with powers in order to allow them to do so. We expect that trust to be respected. The fact that in certain prescribed circumstances an agency of the state will need to access and use personal information other than for the purpose it was provided should surprise no one. If we can agree on a set of principles governing how that access should be granted and have some transparency to ensure that those principles are respected, we should be able to meet these perhaps on these apparently competing needs. There is as yet no internationally agreed standard for the conduct of intelligence and security activities.
In my view efforts should be made to develop and articulate some. If that sounds like naive folly, then let me remind you that even the conduct of war is subject to legally enforceable agreements, which has always struck me as the biggest absurdity of the rule of law: that you can kill somebody with this weapon but not with that one. The need for this conversation was starkly demonstrated to me when I was at an international, a recent international intelligence oversight forum in Bucharest, the first of its sort. I was struck by the lack of agreement on the meanings of basic terms, which is a prerequisite for having any kind of conversation about acceptable conduct. The same activity, for example a requirement of telecommunications companies to retain content and/or metadata for a certain period, was described by some observers as mass surveillance, a term strenuously rejected by many others. The same observers might regard as mass surveillance a warehousing of communications data accessible by search terms which had to be individually approved by an overseeing judge. The architects and administrators of that scheme argued that it was entirely consistent with international norms requiring lawful and proportionate access to private communications. But until we have an international conversation about the parameters of that legitimate activity, the elements required to maintain trust, such as independent oversight, transparency reporting, a sound basis in the rule of law, we are destined to continue the cycle of criticising the activities of some countries while maintaining a blind spot in respect of our own. Governments have three broad options on how they choose to regulate privacy and data protection, and many shades in between. The first is an environment where governments and organisations can do anything with personal information. There are no safeguards and no rules except for what can be negotiated as a private contract. The individual is basically powerless to influence or even to
know the information which organisations hold about them, and government has few if any privacy statutes that protect personal information. This is the most permissive of models. At the other end of the spectrum is a quite prescriptive model under which clear legal authority is required to make use of personal information beyond that which has been expressly consented by the data subject. So at the poles we have: do whatever you want unless it is expressly restricted; at the other end, only act in accordance with the expressly authorising legal framework. In the middle there is a mixed model of market forces and government intervention. This regulatory approach introduces friction into the process by which organisations collect, store and disclose personal information. Individuals also have access to information about them and have measures of redress if their personal information is being used unlawfully. This regulatory model puts the onus on an affected individual to enforce their rights and creates litigation risk for an agency that decides they can do whatever it wants with personal data. This is the approach we have adopted in New Zealand: a law based on the OECD privacy principles that are flexible enough to foster economic growth and technological innovation while also giving individuals the right to exert some level of control over their personal information. In May this year the World Bank issued a world development report called Digital Dividends that highlighted, among other things, the need for consistent and reliable data protection regulation as a key factor in reducing inefficiencies and promoting consumer confidence in the online world. The World Bank, as you might expect, is no cheerleader for privacy or data protection and didn't express a preference about what the correct model might be. However, it did note that inconsistent approaches add friction and inefficiency into international trade and could be an impediment to realising and releasing what they call the
digital dividend. It would be overly simplistic, and I think plain wrong, to think that the actions of security and intelligence agencies are the drivers of the international conversation on data privacy. We are seeing an international trend in consumer demand for privacy protective products, whether in hardware like the iPhone or in software such as encrypted messaging services like WhatsApp or temporary media like Snapchat. The international technology and market research company Forrester declared that 2015 would be the year privacy and security became competitive differentiators. We saw that happen and saw the trend continue in 2016. We have seen Apple, Facebook and Microsoft in the courts to stand up for their customers' rights to privacy. We have seen Google and Facebook and many others subject to the high profile regulatory attention of European data protection regulators. So rather than framing privacy regulation as a drag, perhaps we can reframe it as a response to consumer demand. It is another trick of language, to return to the theme, to establish false dichotomies. We have all heard the false argument that you can have privacy or security but not both. Similarly, it is in the interests of some to argue that strong privacy regulation is incompatible with innovation. In my view there is no trade off to be made between innovation, enterprise and privacy. And security practices, when designed into new technologies, become a selling point and improve the whole network. Ensure that access to network systems, content, communications and metadata by agents of the state is undertaken only in accordance with lawful authority and only when that access is necessary and proportionate. I do believe that privacy is a fundamental human right, but like many other rights it is not absolute. Just as I cannot exercise my right to freedom of expression in this room to shout fire, nor can I exercise my right to privacy to prevent the detection of a trade in child pornography. Access to
communications by law enforcement, security or intelligence agencies should be according to consistent legal standards regardless of the jurisdiction. Nor does privacy only mean secrecy, notice and consent, or a number of other limited and culturally specific manifestations of individual autonomy. New concepts are emerging within the family of privacy related rights which don't fit with a limited linguistic construction of the term. Think of the concept of data portability: the right to receive your data in a machine readable format so you can take it to another provider of the service that originally collected it from you. That's not about stopping the flow of data; it's about reinforcing and affirming the individuals against the organisation which is profiting from that data. I was quite surprised at a conference last year to meet the general counsel for LinkedIn, so quite a senior executive, who said when she met me, "Oh yes, I saw your tweet." And the tweet she was referring to was one which, I can't remember the details, but after the acquisition of LinkedIn by Microsoft was announced I tweeted: 26 billion, is amount was how much the purchase price was, divided by 335 million active daily users equals your data is worth $633. And of course she said it was wildly inaccurate, but the data is the business model, and increasingly we have to try and correct information and power asymmetry. So back to data portability: just as number portability has proved crucial in promoting competition in the mobile phone sector, so is data portability an important concept in promoting consumers' rights and facilitating the ease of access to and exit from telecommunications, online and other services. Data portability is part of a European General Data Protection Regulation due to come into effect in 2018 and will need to be provided for beyond Europe. It's a concept that we're looking at closely here. I'll draw to a close, but despite the difficulties in reaching a universal understanding about the nature
of privacy, a common understanding of the elements of privacy is emerging. In New Zealand and in many other countries our laws reflect this need to be able to protect and control information about ourselves and our need to withdraw physically or mentally from society, or to exercise some autonomy over our information, or at least be informed about it. Privacy as defined by this common understanding is important to ensure that we feel secure. If we are unable to control who knows information about us we will feel insecure, at least in part because the boundaries of our relationships become uncertain. We started with language. What we need is a deep discussion about what we mean when we talk internationally about concepts like privacy and data protection, about trust. We need to understand not only what we have in common in these understandings but also to make a greater effort to question our assumptions about how other jurisdictions and cultures approach these questions and values, and if we see difference, to make a genuine effort to understand that difference rather than to assert a cultural and legal superiority. This is the ideal forum for that conversation, and it is my great pleasure to welcome you and to open up that discussion.

I get Alex to thank you. We have about five minutes. I don't know if you're prepared to take questions or not. It's not normal after a keynote to have questions, but if you're happy to, people, have a couple of quick questions for John, feel free to. I suspect rigorous cross examination from such an informed and deep thinking audience.

Yes. One of the, I think you're exactly right from the point you made, I completely agree with, and one of the frustrating things that I've been thinking about is the law's sort of tendency to over-alive certain concepts to the exclusion of lots of other ones, and the one that I'm thinking about right now is the notion of control, which you mentioned at the close of your speech. I wonder if you've thought about ways in which we can
improve the notion of control, because it seems like a lot of what we have now with a lot of our data protection regimes is we over-invest it, that we say control is sort of everything, and that's the way that we enable people to sort of set privacy preferences for themselves, but we ask so much of them. I wonder if you've thought about a way to sort of balance that, and I particularly like your notion of trust as also a sort of way to think about making privacy issues.

It's a really good question, because what we've seen is some crypto control or pseudo control. You know, the European concept of notice and consent is folly, and you know, the consent and notice as a prerequisite for entering into a commercial transaction simply means that somebody is forced to click a button saying I consent, I have read this, and we all know it simply doesn't happen. So that is a false sense of control. What I think I need to do as a regulator, and I'm increasingly seeing that I need to engage on a multi-stakeholder level with industry, with NGOs, with academia. I'm just a small office of funded $5 million a year, most of which is taken up in overheads, a little ability to influence the whole of the economy. But you know, if we can together explore the value proposition of privacy by design, for example, as an organisation like Apple has realised, you know, that they are building these things in to ensure that control is real and effective and easily accessible by individuals. Data portability is one small example of that, but having more granular kind of and easily accessible controls in privacy policies, for example, asking people to take the time to, do you realise that this location service is on all the time whether you use the app or not, really make that decision. You know, I see Uber recently changed terms and conditions of its app to make a binary option that the location controls date on all the time. There's not quite a lot of pressure coming on them, and they have responded in the past to pressures
around privacy, to say no, you should make it, give us an option to only have the app on while we are using it. So I do think that consumer demand, some is regulated driven, and despite some of the shortcomings of the US approach, I do think that the fair information practice approach, Alex mentioned Fair Trading Act here, there's scope there for enforcing some of these things, to say: listen, you've got a 60 page terms and conditions which you're saying authorises you to do whatever you want. Now strictly as a matter of law that may comply with the Privacy Act, we haven't looked at it, but is that a fair information practice? Is it a misleading practice? So I think there's lots of scope to lead by good example and to have regulation and to build consumer demand for better levels of control. Very long winded answer, I'm sorry.

What, we have time for one more question.

Comment, comment. I saw last year season 3 episode 1 as well, there's the citation for it, and the thing I thought about when I saw that episode that you mentioned was the question: are people or citizens giving away privacy faster than we can pull it back? And what do you think about New Zealand as a solution for reaching out to your citizens in relation to privacy education?

Are people giving away privacy faster than we can get it back? Well, I think we have to, as much as possible, provide people with a means to pull it back. You know, you offer your consent to a service without necessarily knowing how the environment is going to change in the future. I don't accept the assertion that many in the tech world make that, you know, once it's out there it's out there for good and you can't ever get it back, and we all know what the Streisand effect is and so on. But in fact we've seen assertions to the contrary. We've seen Europe say you can have a right to be forgotten, and we can't erase history but we can break a link, and we provide an instrumental way of exactly doing as you say, of pulling back some of that privacy. I do think people, you
know, we all want to enjoy the benefits of new technology and sometimes we don't think too deeply about the consequences of that, but that doesn't stop us from recognizing that and taking steps to restore that privacy: I entered into this without fully understanding, so I reserve my right to back out. Your question on education is an important one. We do have an obligation to educate people, but I really, I really resile from a tendency to tell people that they shouldn't go on social media or they shouldn't do this. It's not for me to say, increase your social score in the episode that you're talking about, don't do that, it's dangerous. People are going to do it, but we should just make sure that they have good information, and if they've made a mistake that there should be ways of backing out of that, that they should be able to exit that service and delete their account and leave no trace. I think that's really important. Or if they want to take it to a different service, to be able to do that.