Privately speaking - Issue 4, December 2015

Privately speaking is a quarterly publication tracking developments in privacy legislation, regulation and case law.

The risks for organisations from a privacy breach can be very high. This applies both when the organisation is the victim – as in industrial espionage – and when the organisation fails to maintain expected standards of data integrity and confidentiality.

Our team of data protection lawyers can assist you with data security risk management, including reviewing contractual terms, privacy compliance training, responding to privacy requests and investigations,

and litigation to contain data security breaches.

NEW ZEALAND

Privacy Commissioner’s annual report

The Privacy Commissioner received 121 data breach notifications in the 2014-2015 June year which was marginally up on the previous year. But this may reflect increased awareness as reporting is voluntary and there is no way of knowing how many incidents were not flagged.

Of the breaches, 71 were in the public sector and 50 in the private sector. The most common causes were:

• information inadvertently sent to the wrong recipient

• loss or theft of a file, and

• unauthorised “browsing” by employees.

Link: the report

Security risk analysis from the NZ Intelligence Community

The post-election briefing from New Zealand’s intelligence agencies to the Prime Minister and the Minister in charge of the SIS and responsible for the GCSB, Chris Finlayson, has been released under the OIA.

The paper, which is marked “top secret” and has been heavily redacted, identifies risks of relevance to business, including industrial espionage and cyber data and information loss which it says:

“is happening now, with significant compromises of major New Zealand companies and government departments.  The capabilities are getting easier to acquire, and are easy to combine with insider threats. This is potentially a real drag on our economy, our reputation and the integrity of Government”.

Contents

New Zealand                      1

Australia                            3

North America                     3

European Union                   4

United Kingdom                   4

Contacts                             5

1. | December 2015

The briefing also says the internet:

“doesn’t work like a telecommunications system, but more like an ocean of data with almost no respect for international borders…[I]t is already an area of conflict, as well as an ungoverned space in terms of the economic and social behaviour that it allows”.

NZ Business Number Bill reported back

The Bill which will allow eligible entities to obtain a New Zealand Business Number – a unique identifier to be used in all their interactions with the government – has been reported back from select committee.

It will create rules for collecting, accessing and sharing data to be held on the New Zealand Business Number (NZBN) register, including protections for personal and commercially confidential information.

The committee, after consultation by officials with the Privacy Commissioner and the Government Chief Privacy Officer, is “satisfied that the Bill’s privacy safeguards are adequate”.  It notes, however, the efficacy of the Bill will depend on widespread adoption of the NZBN by government agencies and, if this does not eventuate, there is a risk that the Bill may increase business overheads rather than reducing them.

Link: the Bill

TPP agreement on electronic commerce

A summary of the TPP agreement released by the Ministry of

Foreign Affairs and Trade confirms the 12 countries to the negotiations

have agreed:

• to ensure the free flow of global information and data, subject to legitimate public policy objectives such as personal privacy

• to adopt and maintain consumer protection laws against fraud and deceptive conduct on line and to put in place measures to stop unsolicited commercial electronic messages

• that TPP companies should not be required to build data storage centres as a condition for operating in a TPP market and that the source code of software does not have to be transferred or accessed, and

• that there be no customs duties or other discriminatory measures on electronic transmissions.

Link: TPP text

Supreme Court allows limited protection of “digital data”

The Supreme Court has found that digital data is property for the purposes of the Crimes Act. However civil reliance on property rights will not suffice to protect electronic information – at least for now.

Link: Chapman Tripp commentary

Contents

New Zealand                      1

Australia                            3

North America                     3

European Union                   4

United Kingdom                   4

Contacts                             5

1. | December 2015

Australian report gives NZ respectable “cyber maturity” rating

A study by the Australian Strategic Policy Institute on cyber maturity in the Asia-Pacific rates New Zealand sixth, just behind Australia. The ratings are based on performance across five areas – governance, cyber-crime, military, business and social. The US is highest of the  20 countries surveyed with a weighted score of 90.7 and North Korea is lowest on 16.4.  Australia’s score is 79.9 and New Zealand’s 72.8.

Link: report

Search and Surveillance Act to be reviewed

The Law Commission and the Ministry of Justice will conduct a joint review of the Search and Surveillance Act 2012 next year. Among the issues the government wishes to explore are whether any changes are needed to respond to the impact of modern technology on the ability of the Police and other authorities to prevent and investigate crime.

Link: announcement

AUSTRALIA

OAIC Guide: Developing a Data Breach Response Plan

The Office of Australian Information Commissioner has produced a guide to assist organisations in developing a data breach response plan. Recommended features include:

• a strategy for assessing and containing data breaches, including the actions the response team should take in the event of a breach or suspected breach

• a clear explanation of what constitutes a data breach, such that staff will be able to recognise when one has occurred

• the reporting line, including who needs to be informed immediately

• agreement about which external stakeholders should be contacted and by whom (for example, law enforcement agencies, regulators and the media)

• a procedure for recording data breaches, including those that are not referred to the response team, and

• a strategy to identify and address any weaknesses in data handling that contributed to the breach.

Link: Guide to Developing a Data Breach Response Plan

NORTH AMERICA

S&P rates cybersecurity as big risk for global banking

Credit ratings agency Standard and Poor’s puts cybersecurity “at or near the top of the list” of challenges faced by global banking. It says banks’ retail presence, the value of the data they hold and their

function as a currency conduit make them an obvious target. However, it rates the credit risk of a cyberattack as “medium” rather than “high” because of the mitigation strategies the industry has put in place.

Link: S&P release

Contents

New Zealand                      1

Australia                            3

North America                     3

European Union                   4

United Kingdom                   4

Contacts                             5

EUROPEAN UNION

EUCJ finds US/EU safe harbour agreement invalid

The European Court of Justice has overturned the European Commission’s “safe harbour” decision under which personal data on EU citizens’ could be transferred from Europe to the US.  The ruling means that companies transferring such information may need to sign “model contract clauses” to maintain compliance.

Link: EUCJ decision

French regulator rejects Google’s “right to be forgotten” appeal

French privacy regulator CNIL has rejected Google’s informal appeal against its ruling that an individual’s right to have posts removed extends to all of Google’s websites worldwide, including Google.com (and not just Google’s European websites such as Google.de or Google.fr).

CNIL did not accept Google’s argument that this would not amount

to applying French law extraterritorially. Instead it characterised the decision simply as “[requesting] full observance of European legislation by non-European players offering their services in Europe”.

UNITED KINGDOM

No Disclosure of third party submissions on peership bid

Having twice unsuccessfully sought appointment as a non-party- political life peer, Dr. Ranger brought a claim under section 7 of the Data Protection Act (UK) 1998 for disclosure of two letters sent by third parties to the House of Lords Appointment Commission and for material produced by the Commission in considering his application.

The UK High Court dismissed the claim, saying it came within the exemption in s37 of the Act for personal data processed for the purposes of “the conferring by the Crown of any honour or dignity”.

The Court referred to the High Court decision in Durant v Financial Services Authority [2003] EWCA Civ 1746, holding that “mere mention of the data requester in a document held by the data controller does not necessarily amount to [personal data under section 7 of the Act]“.

It also rejected arguments that the exemption in s37 was disproportionate, saying there was a broad public interest in encouraging full and candid submissions to the House of Lords Appointment Commission.

Links: Ranger v House of Lords [2015] 1 WLR 4324, and Durant v

Financial Services Authority [2003] EWCA Civ 1746

Link: CNIL decision

1. | December 2015

Contents

New Zealand                      1

Australia                            3

North America                     3

European Union                   4

United Kingdom                   4

Contacts                             5

New Privacy Brief newsfeed

We have recently launched a new privacy law and data protection newsfeed (www.privacybrief.net), collating links and articles

from around the world.  Visit and subscribe (via Wordpress, email, RSS or Twitter) if you’d like to stay up-to-date in between our quarterly publications.

Our thanks to Steven Li for compiling this publication.

Contacts

PHEROZE JAGOSE – PARTNER

T:    +64 4 498 4954

M:  +64 27 241 2999

E:    pheroze.jagose@chapmantripp.com

JUSTIN GRAHAM – PARTNER

T:    +64 9 357 8997

M:  +64 27 209 0807

E:     justin.graham@chapmantripp.com

KELLY MCFADZIEN – PARTNER

T:    +64 9 357 9278

M: +64 27 473 2230

E:     kelly.mcfadzien@chapmantripp.com

GEOFF CARTER – SPECIAL COUNSEL

T:    +64 3 353 0394

M:  +64 27 290 5057

E:     geoff.carter@chapmantripp.com

If you would prefer to receive this newsletter by email, or if you would like to be removed from the mailing list, please send us an email at subscriptions@chapmantripp.com.

Every effort has been made to ensure accuracy in this newsletter. However, the items are necessarily generalised and readers are urged to seek specific advice on particular matters and not rely solely on this text.

© Chapman Tripp

TIM SHERMAN – SENIOR ASSOCIATE

T:    +64 4 498 2400

M:  +64 27 345 3250

E:     tim.sherman@chapmantripp.com

SARAH QUILLIAM-MAYNE – SENIOR SOLICITOR

T:    +64 4 498 6307

M:   +64 22 136 2601

E:     sarah.quilliam-mayne@chapmantripp.com