Privately speaking | April 2016

Contents
New Zealand 1
Australia 3
North America 4
European Union 4
United Kingdom 5
Contacts 6

NEW ZEALAND

Security intelligence review

Sir Michael Cullen and Dame Patsy Reddy were tasked by the government with reviewing New Zealand’s intelligence and security agencies, the Government Communications Security Bureau (GCSB) and the New Zealand Security Intelligence Service (NZSIS). They reported on 29 February.

The review’s principal recommendation is to create a single, integrated and comprehensive statute to cover both the NZSIS and the GCSB which would take as its purpose “the protection of New Zealand as a free, open and democratic society”.

Section 14 of the GCSB Act, prohibiting the GCSB from intercepting the private communications of New Zealand citizens and permanent residents, would be removed as the review judged it to be confusing, antithetical in practice to the protection of national security and less protective of individual rights than it might appear. It considers that privacy would be better protected through a strengthened authorisation regime which would require all surveillance activities targeting New Zealanders to be specifically authorised by the Attorney-General and a judicial commissioner. The A-G would take into account national interest considerations with discretion to refuse a warrant even where these criteria are met. The commissioner would consider the legality of the application, including human rights laws.

The review also brought to the media’s attention section 57 of the Privacy Act, which provides public and private sector entities with discretion to disclose individuals’ personal information to the NZSIS or GCSB without being restricted by the Privacy Act.

Link: Intelligence and Security in a Free Society

Privately speaking is a quarterly publication tracking developments in privacy legislation, regulation and case law. The risks for organisations from a privacy breach can be very high.
This applies both when the organisation is the victim – as in industrial espionage – and when the organisation fails to maintain expected standards of security and confidentiality. Our team of data protection lawyers can assist you with privacy and data security risk management, including reviewing contractual terms, privacy compliance training, responding to privacy requests and investigations, and litigation to contain data breaches.

Poor cyber security awareness

The PwC 2016 Global economic crime survey has found poor cyber security awareness among New Zealand companies. Only half of boards ask for information on their organisation’s state of readiness to deal with cyber incidents, despite 42% of New Zealand workplaces reporting being victimised by economic crime in the last two years (up from 33% in 2014). New Zealand was ranked 19th of 115 countries.

Link: PwC Report

Cyber security package

The government launched a refreshed Cyber Security Strategy in December. The package is comprehensive and will be refreshed each year to keep up with any emerging threats. It comprises four work streams:

• cyber resilience - to ensure the ongoing protection of New Zealand’s most important information infrastructures
• cyber capability - to build the skills for people and organisations to protect themselves online (key to this will be the Connect Smart public-private partnership and the “cyber security tick”, a credentials scheme to encourage small businesses to improve their cyber security)
• cyber crime - building police capability, and
• international cooperation - engaging internationally on cyber security issues.

Although New Zealand has yet to have a significant cyber incursion, research has established that 56% of businesses experience a security attack at least once a year and only 65% are confident that their IT security systems are safe.
Links: Ministers’ statements on the overall package and on the credentials scheme

Torchlight on government information requests

As part of a broader campaign to persuade private companies to compile regular “transparency reports” detailing any requests received from government agencies for user data, the Privacy Commissioner surveyed ten firms between August and October last year and has now released the results of the survey. They show that altogether 11,799 requests were received, of which the companies complied with 11,349, declined 449 and partially accepted one. The agencies which made the most requests were: IRD (4,670); Police (3,513); Ministry of Social Development (3,150); Ministry of Business, Innovation and Employment (99) and Customs (73).

The Privacy Commissioner considers that the value of transparency reporting is to be open with consumers about the limits of the confidentiality applying to their information.

Link: Privacy Commissioner’s Blog Post

Can you sell your customer database?

Dick Smith customers were given a week to opt out of the failed company’s database after receivers sold its IP – including trademarks, the online business in Australia and New Zealand, customer and loyalty databases, websites and domain names – to Ruslan Kogan. The opportunity to unsubscribe was necessary to comply with Privacy Act requirements.

Links: Chapman Tripp commentary; Fairfax Media article

Privacy guidance to councils on property data

The Privacy Commissioner has provided guidance to councils on their obligations in relation to online property and building data, and steps they might take to enhance privacy.
The Office has received over a hundred complaints and inquiries from members of the public which have highlighted:

• a lack of public awareness that personal information will be published as a result of processes such as building consents
• the limited ability of individuals to opt out of online publication, and
• the associated safety and security risks in relation to stalking, harassment and domestic violence.

Link: Privacy Commissioner Guidance

Nearly half of consumers suspicious about data privacy

A poll of more than 18,000 consumers across nine countries – including New Zealand – revealed that almost half are suspicious about how companies use their data. Fewer than half trust their bank to keep their data safe.

Link: Businesswire article

Annual privacy forum

Bookings are now open to attend the Privacy Forums in Wellington and Auckland during 9 May to 14 May. Keynote speakers will include UN Special Rapporteur for the Right to Privacy, Professor Joseph Cannataci, and Australian Information Commissioner Timothy Pilgrim.

Link: Privacy Commission media release

AUSTRALIA

Grubb decision overturned in Telstra Corporation Ltd v Privacy Commissioner

The Administrative Appeals Tribunal has set aside the Privacy Commissioner’s finding (reported in our June 2015 edition) that Telstra was in breach of the Privacy Act in refusing to provide some metadata to Ben Grubb, a customer and a Fairfax reporter. Key to the Tribunal’s decision was that the data in question was about the services Telstra provided to Mr Grubb and how they were delivered. It was not about Mr Grubb and could not be used to identify him.

It provided some guidance on the steps organisations should follow when processing customer data requests, saying: “The first step is to ask whether the information or opinion is about an individual. If it is not, that is the end of the matter.
If it is, the second step is in the characterisation process to ask whether the identity of that individual “is apparent or can reasonably be ascertained, from the information or opinion”.

Link: Tribunal decision

NORTH AMERICA

Oracle settles FTC charges

Oracle has agreed to settle Federal Trade Commission charges that it deceived consumers about the security provided by updates to its Java Platform, installed on more than 850 million personal computers. The settlement requires Oracle to give consumers the ability to remove older, insecure versions of Java that might be vulnerable to hacking. The FTC was willing to hold Oracle responsible for alleged data security failures despite the fact that the company collected no personal information itself. There was no evidence that the statements influenced consumers’ purchasing decisions.

Link: FTC press release

New Cybersecurity Information Sharing Act

The United States has published guidance on the use of the Cybersecurity Information Sharing Act 2015, which creates safe harbours from liability for private entities that share cybersecurity information with the Department of Defense (including the National Security Agency).

Links: Department of Homeland Security and Department of Justice guidance

Privacy and cybersecurity reform for US energy sector

The Federal Energy Regulatory Commission has issued a final rule creating information security standards for the US electric grid. The US Congress is also considering legislation to combat perceived cybersecurity and privacy threats related to the grid, including by establishing a regulated security testing regime for products used in the grid.
Link: FERC Rule

EUROPEAN UNION

Final EU General Data Protection Regulation

The legislative package for the new EU General Data Protection Regulation (GDPR) has been agreed with the European Parliament, meaning that it is now on the road to adoption. Features which may influence law reform in other jurisdictions include:

• codifying the ‘right to be forgotten’ (confirmed by the European Court of Justice in the 2014 Costeja decision)
• regulating algorithmic decision-making where it produces legal effects or significantly affects individuals
• a requirement on companies to report privacy breaches to the relevant regulatory authorities within 72 hours, and to customers as soon as possible, and
• new enforcement powers and stronger sanctions, including penalties of up to 4% of global revenues for failure to report a breach.

Link: WSGR via Bloomberg BNA

Companies can monitor employees’ private online chats

The European Court of Human Rights has dismissed a claim that a company violated an employee’s right to confidential correspondence in accessing messages sent on Yahoo messenger. Company policy prohibited the use of the messaging app for personal purposes. The Court said it was “not unreasonable” that an employer would want to verify that employees were engaged with their professional tasks during working hours.

Link: ECHR decision

If you would prefer to receive this newsletter by email, or if you would like to be removed from the mailing list, please send us an email at [email protected]

Every effort has been made to ensure accuracy in this newsletter. However, the items are necessarily generalised and readers are urged to seek specific advice on particular matters and not rely solely on this text.
© Chapman Tripp

German consumer protection association takes on Google

German consumer protection association VZBV has filed a complaint with Google, alleging that two clauses in its privacy policy are illegal – one giving Google automatic access to user content for the purposes of offering personalised advertising, the other providing that explicit consent is required only for the disclosure of ‘sensitive categories’ of personal data. VZBV claims that the distinction between ‘sensitive’ and other personal data is not allowed under German law.

Link: VZBV Press Release; Translated Version (via Google Translate)

UNITED KINGDOM

ICO calls for tougher sentencing powers

The Information Commissioner’s Office has called for stronger sentencing powers for theft of personal data. The call came after a woman convicted of selling 28,000 pieces of sensitive data was fined just GBP1,000. The Commissioner said the fines now available to the court “just don’t do enough” to deter data thieves.

Link: Guardian.com article

Strong criticism of “Snooper’s Charter” from UK legal profession

More than 200 senior members of the legal profession – including QCs, law professors, senior lawyers and former judges – have signed an open letter to the UK Government condemning the Investigatory Powers Bill currently before Parliament. The letter describes the Bill as “unfit for purpose”, citing its failure to reflect international standards for surveillance powers, especially in relation to bulk data collection, targeting, and grounds for the issuing of warrants.
Link: The Guardian; Draft Bill

CONTACTS

JUSTIN GRAHAM – PARTNER
T: +64 9 357 8997
M: +64 27 209 0807
E: [email protected]

KELLY MCFADZIEN – PARTNER
T: +64 9 357 9278
M: +64 27 473 2230
E: [email protected]

GEOFF CARTER – SPECIAL COUNSEL
T: +64 3 353 0394
M: +64 27 290 5057
E: [email protected]

TIM SHERMAN – SENIOR ASSOCIATE
T: +64 4 498 2400
M: +64 27 345 3250
E: [email protected]

SARAH QUILLIAM-MAYNE – SENIOR SOLICITOR
T: +64 4 498 6307
M: +64 22 136 2601
E: [email protected]

Privacy Brief newsfeed

To stay up to date between our quarterly publications, visit our privacy law and data protection newsfeed www.privacybrief.net and subscribe (via Wordpress, email, RSS or Twitter).