Kia ora koutou,
Next week is Cyber Smart Week here in New Zealand. This is very topical. While New Zealand’s cybersecurity agency, CERT NZ, is focusing its messaging on protections against criminal cyberattacks, threats are not limited to criminal actors. The Five Eyes alliance made a call to tech companies this week to enable law enforcement agencies to access encrypted data, including communications and other personal information. Government ministers from New Zealand, the U.K., U.S., Canada and Australia, as well as India and Japan, claim unbreakable encryption technology “creates severe risks to public safety.”
Of course, this is not a new conversation; there have been numerous cases in which tech companies — including Apple, Microsoft and WhatsApp — have publicly and diligently opposed requests from law enforcement agencies for a “backdoor” entry into encrypted data and communications. However, the call has reignited polarizing debates about the appropriate balance between individual privacy and legitimate concerns about public safety and national security. New Zealand’s Office of the Privacy Commissioner made a measured response to the call, noting it was merely a restatement of an already-established position, supported by existing laws (that are replicated in many countries) that permit law enforcement agencies to ask for assistance — under warrant — from communications companies.
This comes as New Zealand’s Ministry of Justice is considering whether New Zealand should accede to the Budapest Convention on Cybercrime, which would provide an international framework to address cybercrime and criminal evidence stored electronically. In an interesting submission to the ministry, the privacy commissioner noted any convention to which New Zealand acceded should be consistent with privacy rights unless there was a very good reason to override them. The commissioner called out a number of extensions that may be made to New Zealand’s search and surveillance laws as a result of accession to the convention that he felt should be considered carefully to ensure they did not erode our privacy regime.
These developments are very pertinent to wider considerations about cross-border data flows, particularly in the context of the recent "Schrems II" decision. Global moves to increase government surveillance powers will have an impact on the ability of agencies to be meaningfully accountable for personal information they share across borders, including for the purposes of data processing or storage services. InfoGovANZ will host an online event on just this topic 22 Oct., with an APAC privacy law update on cross-border data transfers. The panel will include New Zealand Privacy Commissioner John Edwards and Clarisse Girot of the Asian Business Law Institute. It will be an interesting and timely discussion.
It feels appropriate to end with a borrowed mantra from my colleague in Hong Kong, Jason Lau: “Keep safe; keep secure.” Enjoy this week’s digest.
Ngā mihi nui