A new Privacy Bill has been tabled in Parliament. It introduces some small but notable changes to the privacy regulatory framework in New Zealand.
The Bill (once passed) will affect your business. Its passage through the parliamentary process is one you should keep an eye on.
Below is a summary of the main points along with some comments. We'll look to update you as the Bill progresses.
New Commission powers
The Privacy Commission's ability to investigate will be strengthened by granting it the power to shorten time frames for compliance with investigations and by increasing the penalties for non-compliance with them.
Having investigated, the Commissioner would now be able to issue compliance orders and binding decisions which require information holders to grant access, or take prescribed steps to comply with the Act.
All of this can be made public by the Commission, and reputational damage is likely to remain the Commission's main weapon if the new Bill becomes law.
Information breaches would now be automatically notifiable, but only where an individual has been harmed or there is a risk of harm. The retention of the harm requirement may leave some frustrated, with doubt over whether data breaches should be notified to the Commission in the absence of clear actual or potential harm despite the breach being significant and substantial (for example, the recent Uber breach).
New criminal offences
The Bill adds a number of new criminal offences, notably misleading an agency or the Commissioner in a way that gains access to or affects someone else's information, misrepresenting authority under the Act, and knowingly destroying documents containing personal information after they have been requested. The fine is up to $10,000.
Exporting data overseas
Attempts in the Bill to give some additional protection to individuals where agencies export their information overseas appear to ask more questions than they answer.
Agencies will be required to satisfy themselves that the jurisdiction they've sent information to has privacy laws comparable with New Zealand's. But what does 'comparable' mean?
The two major jurisdictions to which Kiwis' data is exported are the EU and the USA. Each has quite different privacy frameworks. So different in fact that there is vigorous discussion underway about how American data holders will comply with the GDPR. Are those privacy frameworks comparable with New Zealand's?
Businesses and Government departments using services like AWS and Microsoft Office 365 would need to give careful consideration to where those services house data containing personal information, especially when those services may interchangeably use servers in more than one jurisdiction.
Commission's goals only partly met
John Edwards, the Privacy Commissioner, has been calling for successive Governments to strengthen his office's powers since he took office.
While publicly the Commission have applauded the introduction of the Bill, and some of its recommendations have been adopted, the Bill does not include any of the more robust reforms that Mr Edwards has called for, such as:
- substantial civil penalty provisions ($100,000 for an individual, $1m for a corporate);
- restrictions on re-identifying individuals in data that has purportedly been anonymised; or
- a consumer right to data portability.
World view and direction of privacy law
At first glance the Bill falls well short of the new European Union General Data Protection Regulation (GDPR) which comes into force in May this year. Note that the scope of EU data protection law has been extended by the GDPR, which will apply to agencies operating anywhere in the world where the agency is collecting, storing or using EU residents' personal information when offering them goods and services or monitoring their behaviour.
Where to from here?
We're expecting some strong debate as the Bill progresses through select committee.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.