This article was first published in Boardroom magazine.
In today’s online and interconnected world, it is essential that people feel safe that their digital identity and data will be protected. Developing and maintaining this confidence will require sustained effort in a climate of increasing, and increasingly sophisticated, risk.
Law changes on the horizon will affect all businesses that deal with personal information, especially those selling into the EU or performing data processing outsourced from the EU.
Public faith in the integrity of New Zealand’s privacy settings is not high. A survey this year by the Insurance Council found only 29 per cent of New Zealanders were confident in the ability of New Zealand businesses and organisations to manage computer hacking and to keep data secure.
This is not surprising given the recent run of high-profile privacy breaches and the rickety nature of the regime created by the New Zealand Privacy Act. This dates back to 1993, which makes it 22 years old in calendar years, 154 in dog years and positively ancient in IT years, pre-dating the emergence of social media and electronic commerce.
The activism and energy of the Privacy Commissioner’s Office have mitigated the Act’s weaknesses to some extent but the reality is that it is not well-designed for the age of bulk data where a single privacy spill can have thousands of victims and where the focus needs to be on early risk identification and management rather than on post-breach remedies – although they will always be important.
These facts are well acknowledged by the Government and a reform bill is being developed but the process has been very slow. The Law Commission report, containing 149 recommendations, was tabled in 2011 and the Cabinet signed off on a package of changes in March 2014 yet here we are, in the second half of 2015 and still waiting.
Justice Minister Amy Adams, in a statement provided for this article, said she has been taking time to consider whether there are any other issues in the privacy area which should be included and that the work is “ongoing”.
Ongoing it most definitely will be because even as the Minister puts the finishing touches to the New Zealand reforms, the European Union is raising the benchmark in a new EU Data Protection Regulation which it expects to be adopted by the end of this year or early next year.
We are currently the only Asia Pacific country to have EU Adequacy (meaning that we meet the EU’s data protection standards and that personal data can flow without impediment from the EU member states to New Zealand for processing). Once the new Regulation is in force, pressure will mount to update our own law to match. At this stage it looks likely that existing Adequacy designations will be preserved, at least for an initial period of five years, but we will now be vulnerable to withdrawal if the European Commission decides we no longer meet the relevant requirements.
So as directors scan the horizon to anticipate how the regulatory framework around privacy will evolve in the short to medium term, it might be useful to think of the Bill as Round One and the EU Regulation as Round Two. We note that both are still works in progress so may be subject to change (the draft Regulation has been described as one of the most lobbied pieces of legislation in EU history).
Reform directions in the New Zealand reform bill
The principal changes which were agreed to last year by the Cabinet are:
- mandatory reporting of privacy breaches – these would have to be notified to the Privacy Commissioner and, where the effects are serious and could cause real harm, loss or humiliation, also to the affected individuals. Failure to notify a breach would be a criminal offence for private sector agencies. Cabinet’s thinking was that “naming and shaming” would be a sufficient deterrent in the public sector
- stronger powers for the Commissioner to initiate investigations and proactively to intervene where concerns have been raised about an entity’s privacy systems and practices, including greater scope to make urgent information requests
- a new power to issue compliance notices which would be enforceable by, and appealable to, the Human Rights Review Tribunal, and
- increased maximum penalties for non-compliance, from $2,000 to $10,000.
The Cabinet Paper acknowledges that the Bill’s penalty provisions are at the low end compared to other jurisdictions, including Australia which provides for fines of up to A$1.7 million for repeat and serious offending. This is much closer to the sanctions anticipated by the EU, which would punish a failure to report a data breach by a fine of up to €1 million or 2 per cent of annual worldwide turnover, whichever is the greater.
Reform directions in the EU Regulation
A key change of particular relevance to New Zealand is that the Regulation will apply to businesses located outside the EU but supplying the EU market. This covers not only businesses that collect and use EU residents’ personal data, but also IT and other service providers who hold or process that data as contractors to those businesses.
The provision which initially excited most media interest is the “right to be forgotten” which will allow data subjects to have data erased if historic or no longer relevant. But this once radical concept has since been “normalised” through a decision by the European Court in Google Spain v Costeja González which allowed a Spanish national to insist that Google remove a link to a criminal record dating back 16 years.
The Regulation is long, immensely detailed and still to go through a tripartite negotiation between the European Commission, the Council of Ministers and the European Parliament so we will await the final outcome before commenting in detail.
At this stage, it is sufficient to note that the proposed new administrative and compliance requirements are significant, such that the Regulation will allow for a two year transition period and that European law firms are advising their clients that they should start putting their houses in order now.