The EU General Data Protection Regulation (GDPR) will come into full effect on May 25 2018 and will affect New Zealand businesses that do business with EU residents or entities or have a presence in the European Union.
In addition, the New Zealand privacy commissioner recently released a report(1) recommending that the Privacy Act 1993 be substantially amended (including to comply with the GDPR) and the Ministry of Justice has indicated that privacy reform is a key initiative.(2)
This update examines these changes and what they mean for New Zealand businesses in practice.
The GDPR sets out a data protection framework to be applied across the European Union, which substantially enhances individual data protection and privacy rights. The privacy commissioner has noted that "it is widely perceived as the most stringent and most influential privacy law in the world: the 'gold standard'".(3)
Consistent with New Zealand privacy legislation, the GDPR concerns the storage and use of personal information, which is information about an identifiable natural person.
The GDPR states that compliance with it is mandatory and applies worldwide to all entities (including those based in New Zealand) that hold or use data concerning people within the European Union. Non-compliant organisations risk fines of up to €20 million or 4% of their total worldwide annual turnover.
The key differences between the position under the GDPR and the current position in New Zealand are as follows:
- Consent: the GDPR requires data controllers to obtain the subject's express consent for the use of his or her information and must retain records that this consent has been freely given.(4) In contrast, the Privacy Act requires those who collect information to take reasonable steps to ensure only that the individual concerned is aware that information is being collected and of the purpose for which it is being collected.(5)
- Right to data portability: the GDPR provides individuals with the right to request their personal information in a commonly used format, so that they can transfer that information to another data controller.(6) This right does not exist in New Zealand at present; however, it is likely to be introduced in upcoming reforms (discussed below).
- Right to be forgotten: the GDPR provides individuals with the right to have personal information erased in specified circumstances, including where the personal information is no longer necessary in relation to the purposes for which it was collected or otherwise processed, or the individual withdraws his or her consent on which the processing is based and there is no other legal ground for the processing.(7) The GDPR expressly permits entities to refuse to comply with a request for erasure in other specified circumstances, including where the personal information is processed to exercise the right of freedom of expression and information, or for archiving purposes in the public interest. This right does not exist in New Zealand at present.
- 'Privacy by design' and 'privacy by default': the GDPR requires companies to consider privacy at the initial design stages and throughout the development process of new products, processes or services that involve processing personal data (referred to as 'privacy by design').(8) It also provides that where a system includes choices for the individual about how much personal information is shared with others, the default settings should be the most privacy friendly (referred to as 'privacy by default').(9) These requirements do not exist in New Zealand at present.
Given the GDPR's extraterritorial reach, New Zealand businesses that do business with or have a presence in the European Union will need to review their systems and policies with regard to the processing of personal information to ensure that they comply with the GDPR in advance of the May 25 2018 deadline. The European Commission recently published guidance on the new rules.(10)
At present, New Zealand's privacy law is formally recognised by the European Union as providing an adequate level of data protection to meet the requirements of existing EU law and this recognition provides a legal basis for EU businesses to send data freely to New Zealand for processing. However, this formal recognition will be subject to ongoing review and with the more stringent EU standards set out in the GDPR coming into effect, there is a risk that New Zealand's status will be lost if its law is seen as falling below those standards.
In February 2017 the privacy commissioner published a report to the minister of justice under Section 26 of the Privacy Act, setting out the following recommendations for reform:
- Right to portability: the commissioner recommended that individuals be given the right to request their personal information in a commonly used format, so that they can transfer that information to another data controller, which corresponds broadly to the new GDPR right to portability.
- Controls on re-identification: the commissioner recommended the introduction of penalties to discourage re-identification (ie, the identification of individuals from purportedly anonymised information) and requirements in relation to the anonymisation of information (eg, the need to take reasonable precautions in the circumstances to limit the identifications of individuals included in a dataset).
- Demonstrations of agency compliance: the commissioner recommended that he be given the power to require businesses to demonstrate their compliance with the Privacy Act by establishing and producing a privacy management programme or plan. This aims to enable the commissioner to identify and respond to systemic issues proactively and reflects the importance of business accountability for compliance.
- New civil penalty: the commissioner recommended that a new penalty of up to NZ$100,000 in the case of an individual and up to NZ$1 million in the case of a body corporate be introduced for serious or repeated breaches of the Privacy Act. This is intended to align New Zealand's civil penalties with international standards.
- Adjustments to criminal offences: the commissioner proposed amending the scope of the defences available in respect of criminal offences for obstructing his power under Section 127(a) of the Privacy Act or failing to comply with a lawful requirement under Section 127(b) of the act by making these strict liability offences. This is intended to improve the efficiency and effectiveness of the commissioner's investigations.
- Public register reform: the commissioner proposed:
- carrying out the public register reform recommended by the Law Commission,(11) including repealing the public register privacy principles and the related provisions set out in Part 7 of the Privacy Act due to their lack of utility;
- enhancing the provisions for the suppression of personal information; and
- confirming the commissioner's privacy complaints jurisdiction in relation to breaches of public register access provisions.
The Ministry of Justice is reviewing the Privacy Act at present and intends to present a new privacy bill to Parliament. It is anticipated that any new privacy bill will implement these recommendations and possibly introduce some of the other rights and obligations provided for in the GDPR to ensure that New Zealand's privacy laws meet internationally recognised standards.
Many EU data protection experts are predicting a material rise in privacy litigation following the introduction of the GDPR, as businesses struggle to adapt to new privacy obligations and individuals are afforded new rights of action for privacy breaches.
Article 82 of the GDPR provides individuals with a right to claim compensation for material and non-material damage resulting from privacy breaches. This is consistent with the existing position in New Zealand under Section 88 of the Privacy Act, which enables individuals to bring a claim to the Human Rights Review Tribunal for:
- financial losses;
- the loss of any benefit;
- loss of dignity; or
- injury to the aggrieved individual's feelings.
There is an international trend towards higher compensation awards for privacy breaches, with significant sums being ordered to compensate non-financial harm and provide a clear deterrent in an environment where personal information is increasingly valuable. The most significant award of damages in New Zealand to date was the NZ$168,000 ordered in the 2015 case Hammond v Credit Union Baywide,(12) which was more than three times the next highest award and increased the band guidelines for future cases.
There is also an international trend towards privacy-related class action litigation. On December 1 2017, following class action proceedings brought by 55,187 existing and former staff members, the English High Court found the supermarket chain Morrisons vicariously liable for the leaking of payroll information by one of its employees, despite also concluding that Morrisons had adequate and appropriate data security measures in place at the time.(13) There is nothing in the Privacy Act that would prevent similar claims being brought before the Human Rights Review Tribunal in relation to privacy breaches in New Zealand. Given the recent rise of class action litigation in New Zealand, similar privacy-related class actions are anticipated in the near future.
New Zealand businesses will need to review their data management processes to ensure compliance with changing international standards where applicable. Given the apparent inevitability of reform in New Zealand, there is no reason to wait for a change in law to begin examining such practices.
Businesses should consider:
- identifying whether and to what extent they must comply with privacy law. It is likely that businesses will have privacy obligations if they collect, use, disclose, store or give access to information about identifiable living people. If so, they must ensure that they are familiar with their obligations under the law;
- identifying whether they hold or use the personal data of people within the European Union. If so, they may be required to comply with the GDPR from May 25 2018;
- reviewing the extent to which information management systems enable easy access to personal data and are compatible with other information management systems used in the relevant industry to facilitate the portability of personal data;
- if they use or share aggregated data, whether the means by which they anonymise that data is effective and ensure that reasonable precautions are taken to limit the identification of individuals in the dataset; and
- preparing a privacy management programme setting out their approach to personal data that could, if necessary, be provided to demonstrate compliance with the Privacy Act.
For further information on this topic please contact Felicity Monteiro or Sam Holden at Wilson Harle by telephone (+64 9 915 5700) or email (firstname.lastname@example.org or email@example.com). The Wilson Harle website can be accessed at www.wilsonharle.com.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.