Privacy Commissioner raises issues as NZ seeks to join Budapest cybercrime convention

The Budapest Convention on Cybercrime is seeking access to information in the cloud

John Edwards (Privacy Commissioner)

New Zealand's Privacy Commissioner, John Edwards, is raising a number of concerns around the government's aim to join the international Budapest Convention on Cybercrime.

The Budapest Convention provides an international framework to address cybercrime and criminal evidence stored electronically.

It works to promote and support effective investigations and interventions through aligning nations’ laws, facilitating information sharing on existing threats and best practice, and fostering cooperation.

However, in doing so it will also rub up against New Zealand's Privacy Act, which governs the collection, use, storage and disclosure of personal information, and potentially move some decision-making power out of the judiciary and into the hands of public servants.

Cabinet made an "in-principle" decision to join the convention in June. Submissions on the proposal ended on 15 September.

"Central to my examination of any proposed international agreement is the principle that personal information should be afforded equivalent privacy protections to those in New Zealand and that any conventions should be consistent with privacy rights unless there is very good reason (and evidence) to override those rights," Edwards wrote in a submission.

If New Zealand were to accede to the convention, legislative amendments would be required.

These would include extending the mutual assistance regime to allow surveillance device warrants to be included in the powers New Zealand can offer as part of any foreign assistance request.

It would also require the ability to make data preservation orders and the ability to issue third party confidentiality orders in regard to a warrant or preservation order.

Data preservation orders would require changes to the Search and Surveillance Act 2012.

Edwards wrote that he understood the Ministry intended to align the conditions for a preservation order with those for a production order. However, that would hand some power from the judiciary to a public servant.

"I do not support the proposal to provide the chief executive of the relevant enforcement agency the ability to make such an order. 

"Delegation of the preservation order power to relevant chief executives is an inappropriate delegation of a power to override New Zealanders’ privacy rights.

"Such an authority more appropriately sits with the judiciary."

Edwards also did not support the proposal to provide for indefinite extensions to preservation orders because the Privacy Act required agencies only hold information for as long as it was required for the purposes for which it may lawfully be used. 

"I recommend a limited number of extensions being provided before an order is discontinued," the Privacy Commissioner wrote.

"Preservation orders should be closely followed by a production order or a notice of discontinuation." 

The ability to preserve data should be limited and timebound, he argued, with agencies not required to hold or preserve data for longer than is strictly necessary.

"I also recommend requiring that the agency subject to the order proactively destroys the preserved information at the expiry of the order or after a notice of discontinuation, if this is information they would not otherwise keep."

Third party confidentiality orders would also need to be added to New Zealand’s law as part of accession and would also have to be included in the Search and Surveillance Act.

These orders would require those receiving a surveillance device warrant or a preservation order to keep that fact confidential. 

The orders are proposed to be in force for the length of any investigation and only if disclosure to the relevant party/individual would jeopardise the investigation.

"In my view confidentiality orders could be adequately managed within the current Privacy Act regime, in a manner similar to how production orders are managed," Edwards wrote. 

"An agency responding to a request for personal information from an individual under the Privacy Act is required to either provide the information requested or apply one of the available withholding grounds. 

"These withholding grounds protect interests other than privacy, such as national security or foreign relations."

Edwards wrote that he understood requests for personal information that cover the fact an agency has received a production order were currently managed within the Privacy Act regime. 

Agencies were asked not to disclose the fact of a production order, but this was not legislated for.

"I also recommend including a responsibility for agencies to notify affected individuals either at the conclusion of the investigation or the expiry of a preservation order," he wrote. 

"This responsibility could be subject to an exception which provided that agencies would not be required to notify the individual if to do so would prejudice the maintenance of the law," he wrote. 

This notification would have the advantage of ensuring that individuals could exercise their rights of redress in regard to any wrongful or erroneous collection of their personal information.

The move to extend surveillance device warrants to foreign mutual assistance partners was a reciprocal obligation on other convention members. 

The proposal does not expand the nature or scope of the current surveillance device power, only the ability for it to be used in mutual assistance matters.

However, Edwards wrote that he was interested in hearing more about the proposal.

"I consider Crown Law’s involvement to be an important safeguard in ensuring that any requests comply with New Zealand law and human rights obligations."

Edwards also recommended requiring all domestic agencies to report in their annual reports and to Parliament the number of preservation orders issued and the types of agencies these were issued to, for example, telecommunications, social media and so on. 

"I also recommend implementing similar transparency measures for search warrants, production orders and other information requests."

It was unclear to the commissioner what Māori organisations and groups had been engaged in consultation regarding the impacts of the proposal. 

"I note that my Office must take account under the Privacy Act 2020 cultural perspectives on privacy," he wrote. "I would encourage the Ministry of Justice to undertake consultation with Māori on this proposal.

"I would appreciate any insights the Ministry gains from consulting with Māori. As the Ministry has noted in its consultation document, Māori are disproportionately represented in the criminal justice system, both as victims and perpetrators. It is therefore critical to understand the impacts acceding to the Convention may have on the Crown’s obligations to Māori as treaty partners."

The consultation paper states negotiations are underway between parties to the convention regarding an additional protocol on evidence in the cloud. 

"I would expect that if New Zealand planned on acceding to this additional protocol that further consultation would be undertaken including with the public, iwi, agencies affected and my Office."
