The Ministry of Justice has announced that the Government is considering amendments to the data subject collection notification requirements under the Privacy Act 2020. As part of this process, the Ministry has requested feedback from stakeholders and the public on the proposed changes.
This review has come off the back of the European Union’s review of New Zealand’s status as an ‘adequate country’ under the EU’s primary data protection regulation, GDPR. The review indicates that the European Commission has raised concerns about New Zealand’s lack of transparency around indirect collection of personal information. The Government is eager to close this gap, as it perceives our adequacy status as providing significant benefits to New Zealand, including lower costs for businesses trading with the EU, a reputation for being a country with a strong commitment to protecting privacy, and allowing New Zealand businesses to streamline data transfers with other non-EU countries through mutual recognition of privacy regimes.
The current notification framework
Currently, Information Privacy Principle (IPP) 3 requires organisations collecting personal information directly from the relevant individual to take reasonable steps to ensure that the individual is notified of certain key details about the collection, including the fact of the collection, the purposes for which the information will be used and the intended recipients. IPP 2 requires organisations to collect personal information directly from the relevant individual, but there are a number of exceptions to this rule, including if the information is publicly available, or when it is not reasonably practicable in the circumstances to collect the personal information directly from the individual. The notice requirements under IPP 3 do not apply where an organisation collects personal information indirectly (ie from a third party rather than the relevant individual), so an organisation that collects personal information indirectly in accordance with one of the exceptions to IPP 2 also does not have to notify the individual of the collection under IPP 3.
The Government wants to implement changes to ensure that individuals are informed about the processing of their personal information, regardless of how the information is collected. With this change, the Government aims to promote transparency around the processing of personal information and allow individuals to make more informed decisions about their privacy.
The MoJ’s Engagement Document sets out three options for introducing these changes:
- amending IPP 3 to introduce a notice requirement for all organisations, regardless of how the information is collected;
- amending one of the other IPPs, for example, amending IPP 2 to narrow the exceptions that allow organisations to collect personal information indirectly, or amending IPP 11 to require an organisation disclosing personal information to a third party, to notify the individual of the disclosure;
- introducing a new IPP dealing with notification of indirect collection.
But what value would this change really add?
Extending IPP 3
While greater transparency and accountability in relation to privacy is a noble goal, it is difficult to imagine how extending IPP 3 would operate in practice and, more importantly, how it would actually result in a meaningful change to an individual’s autonomy over their personal information.
In any event, expanding the notification obligation under IPP 3 would not provide individuals with any meaningful additional control over their personal information. If an individual has no means to object to this collection or use of their information, does this really allow them to make more informed decisions about their privacy?
Without more meaningful changes, the extension of IPP 3 to cover indirect collections is likely to present an administrative burden for New Zealand businesses (and international companies who are caught by the extraterritorial scope of the Privacy Act), with little (if any) benefit to individuals.
Amending another IPP
Unfortunately, the Engagement Document does not give any detail around the proposed narrowing of the exceptions under IPP 2. Narrowing these exceptions could have a more substantial impact on the processing of personal information in New Zealand, but could also introduce significant barriers to routine data processing activities. For example, removing the exception that allows indirect collection where direct collection is not reasonably practicable would, by definition, mean organisations must either find an impracticable workaround or not process the personal information. This could have a significant detrimental impact on individuals, as almost all technology we use every day relies on data exchanges between multiple providers’ platforms to function (eg e-commerce platforms, connected cars and streaming services).
There may be much public debate about whether that would be a positive or negative result but regardless, this type of change would have far reaching effects and would need to be very carefully considered by the Government, with a much more robust consultation process than the one at hand.
An amendment to IPP 11 requiring an agency to give notice to an individual when it discloses their personal information to a third party avoids the ‘impracticality’ issues above, as the onus would be on the organisation that has a direct relationship with the individual to tell that individual about all the other parties that will get access to their personal information. However, this could be an administrative nightmare for organisations (eg needing to update privacy notices every time there is a change in service providers to whom the organisation discloses personal information) and result in privacy notices becoming (even more) unwieldy and difficult to understand for consumers.
A new IPP
It is difficult to conceptualise a new IPP that would achieve the limited goals of these proposed changes without either replicating the first two options proposed by the Ministry of Justice or requiring more substantive changes to the Privacy Act 2020, reaching well beyond the Government's objectives of transparency and accountability.
As we have noted in relation to the first two proposed options, without undertaking a broader review of New Zealand’s privacy laws (something the Government is unlikely to consider given the relatively recent enactment of the Privacy Act 2020 after years of delays), the administrative burden on businesses in New Zealand to implement such a narrow change is likely to outweigh the benefit to individuals.
How can you contribute?
The Ministry of Justice is seeking feedback from agencies, both domestic and foreign, as well as individuals whose information may be collected indirectly. The Engagement Document sets out seven questions that respondents should provide comment on. Responses can be emailed to [email protected] or posted to Electoral and Constitutional, Ministry of Justice, PO Box 180, Wellington 6140, New Zealand. The deadline for submissions is 5 pm, 30 September 2022. If you would like to make a submission, please get in touch with one of our experienced privacy lawyers to assist with drafting a response.