Until recently, Privacy Commissioners rarely named wayward corporates. Instead they relied on bringing tribunal proceedings, which are steps that are time consuming and expensive, and therefore taken only on limited occasions.
Now, like other regulators such as the Commerce Commission, the Privacy Commissioner will, in appropriate cases, ‘name and shame’.
For many corporates that is a much bigger negative than, say, being ordered to pay a penalty.
With greater regulatory exposure, corporates should up their privacy compliance. Plus, when the Privacy Commissioner starts to investigate they should be proactive and careful in managing the situation.
This article first appeared as the Letter to the Editor in NewLaw, Issue 8, p4, 5 December 2014.
Until recently, Privacy Commissioners tied their hands behind their backs when enforcing the Privacy Act. Litigating to enforce the Act is rare as that involves a two-step, time-consuming, and costly approach with the ultimate decision made by an independent tribunal. And publicly naming defaulting companies was rare too.
Ask any corporate what matters most about action over privacy breaches - or most other regulatory breaches for that matter - and it is not the dollar exposure such as to pecuniary penalties or damages. Those dollars are typically just a rounding error. It is the adverse publicity in the media. Nothing talks in these areas like the prospect of having a corporate criticised in the media.
Absence of such naming and shaming has made the Privacy Commissioner’s job a lot tougher. Producing, for example, anonymous decisions with criticisms only behind the scenes, better enables ongoing breaches, and does less to encourage compliance by companies in the future. A company may be a lot more careful about privacy and security compliance if the risk of public outing was greater.
All this changes from 1 December 2014, with the introduction of ‘naming and shaming’ guidelines by the Privacy Commissioner.1 Well, the Commissioner does not call them that; he calls them the Naming Agencies in Public Reports Policy. But naming and shaming is the predominant intent, especially:
- Pour encourager des autres. That is always a big driver if not the biggest driver for regulators of any type: a deterrent to corporates and others that are, in the words of the Privacy Commissioner, persistently or riskily disregarding their Privacy Act obligations. Especially useful can be to hang out a well-known scalp to help educate and encourage others (regulators will not always so clearly articulate that approach - although some do - but it is what can happen in reality; after all regulators have limited resources and will use their limited time and money to get maximum impact),
- Where breaches are deliberate, repeated, designed to make money, and so on the Commissioner is more likely to go public and issue media releases etc.
This is the sort of approach regulators such as the Commerce Commission have taken for years. Of recent times the Commerce Commission has got this down to a fine art, with admirable lateral solutions that can benefit relevant consumers of affected services. See for example, our article Air New Zealand and IAG provide contrasting case studies on how to handle Fair Trading Act complaints.2
As to be expected, the Privacy Commissioner has said that he will consult the alleged wayward corporate before going public. Like all regulators, he confirms in his policy that he will not ‘negotiate’. While regulators cannot horse trade at a commercial level due to their wider duties, the reality is that the regulator can accomplish its goals while still agreeing an approach with the corporate including even largely agreeing what a press release might look like.
A great example of this is the IAG case study referred to above where both IAG and the Commission came out of this well, as did IAG’s customers.
In another great case study from Privacy Commissioner action earlier this year [outlined at p11 of Issue 7 in NewLaw], the Office of the Privacy Commissioner concluded that “one of New Zealand’s largest credit reporting agencies, Veda Advantage, was flouting the law. It was over-charging customers who were in urgent need of their credit information”.
The Privacy Commissioner says he had the options of: (a) doing nothing but highlight the Office’s conclusions, (b) instigating the litigation process, (c) amending the relevant privacy code, or (d) naming the company. He decided to name the company due to “strong public interest justification”.
And that is likely to be the main thing that a corporate like Veda Advantage would be worried about. And now all that is formalised and to the forefront of the Privacy Commissioner’s enforcement tool box.
The Veda Advantage situation is a great example of the sort of thing that triggers regulatory action. As the Privacy Commissioner said:
“Naming Veda ticked a number of our naming policy criteria. Its conduct was likely to have affected persons other than any one complainant; it had breached the law on numerous occasions, so much so that it had become a lucrative revenue stream; it had demonstrated an unwillingness to comply with the law, and naming it had a potential deterrent effect on other agencies and was a function of our role in carrying out consumer education.”
This is not the only ‘naming and shaming’ privacy law initiative on the horizon. There is talk also of amending the Act to require compulsory disclosure of privacy breaches in certain circumstances, as we reported at: Businesses must fess up to privacy breaches under new law.3