Why both businesses and individuals must follow NZ’s looming privacy law changes

The Privacy Bill that’s about to update New Zealand’s data-protection regime has been a long time coming, and it’s about time more people and businesses pay attention to the looming changes, says K3 Legal’s Patrick Shanahan-Pinker.

“The original act came out in 1993, which is fine for some acts. We have some older acts on the books, but for legislation concerning people’s privacy, I think that’s very old considering the change in technology. In legal terms, it’s not that long, but in technology terms, that’s ancient history,” he says. “In 1993 when the Privacy Act came out, there was nothing really like the internet as we know it today. There were no massive data-collection agencies. How privacy data is collected now is completely different to how data used to be collected.”

Overall, [the bill] provides greater clarity and protections for both consumers and the general public. There are several major changes that the bill introduces, Shanahan-Pinker says. The first of these is mandatory reporting of “notifiable privacy breaches” under Part 6 of the bill.

“Simply, businesses or agencies that fall within the legislation have to report privacy breaches to those persons who are affected as soon as possible after the breach occurs. That’s the big change for most businesses. Under the previous regime, companies didn’t need to report, really,” he says. “Now if they don’t report, they can incur a fine up to $10,000.”

The definition of a “notifiable” breach is the contentious issue, he says. “The test under Part 6 of the bill is that a privacy breach is notifiable when there is a breach that causes any type of harm. Many sectors agree that the threshold that qualifies breaches as reportable may be too low.”

Another significant change concerns the country’s privacy commissioner, who will be given the power to issue compliance notices. These notices basically tell an agency or business that they should be or shouldn’t be doing something, in order to comply with the privacy regime, Shanahan-Pinker says.

“It’s really the power for the commissioner to go along and say, ‘We think your actions breach the Privacy Act or privacy principles. You have to take these steps or comply with these conditions we deem appropriate in order to remedy the breach.’ If they don’t comply with that, the matter goes before the Human Rights Tribunal. Companies that fail to comply would face criminal liability and a fine of up to $10,000,” he says.

The Privacy Bill also institutes what are called ‘cross-border data flow protections.’

“When a New Zealand company has data and that data flows overseas, say to a server in America, they have to be sure that the data is protected under our act when it goes over to international jurisdictions. They need to be sure that the data protections or privacy protections in America for example are as strong as those in New Zealand. A good example of this is companies using services like Dropbox to share and store information,” Shanahan-Pinker says.

Consumers are also given the power to lodge an access request. If the bill becomes law, this provision enables consumers to go to companies and ask them to confirm what data these companies keep about them.

“They can make access requests to these companies. If the company doesn’t comply within the strict timeframes, especially if an urgent request is made, individuals can go to the privacy commissioner and the commissioner can then make companies comply with those data requests. If they don’t comply, this can, again, result in criminal liability and a fine,” he says.

In fact, much of the focus of the bill is centred on the individual.

“I think the changes are more consumer-focused than business-focused. It’s all about protecting the individual and their privacy. It’s a big change towards individuals so that they benefit,” he says.

This is why people need to pay attention to the changes, which he says will become apparent if the bill is passed.

“I think people will quickly see the changes. A lot of people have privacy data out there in the hands of companies, so when a business gets hacked or something along those lines, then a lot of people could potentially receive privacy breach notifications. People will actually see the changes themselves,” Shanahan-Pinker says. “I don’t think the average consumer is actually aware of how much privacy data businesses keep on them.”

Shanahan-Pinker says that the heightened protection for individuals is precisely why businesses need to take heed, because compliance will become tougher.

“It’s going to be more onerous for businesses when you include compliance notices and request access notices. It’s all stuff for the company to comply with, so it’s a lot more administration for their side,” he says. “They need to get an understanding of their responsibilities under the new act and know how to have processes in place to deal with these, because if they don’t, there are serious consequences.”

The Privacy Bill is currently before the select committee in Parliament, with its recommendations on the public submissions due back in early 2019. A majority of the public submissions Shanahan-Pinker viewed compared New Zealand’s Privacy Bill with the regimes of Australia and the European Union, both of which have recently enacted new privacy laws of their own.

“In the submissions, there were a number of technology companies advocating to follow the path of Australia. That law has a higher standard for mandatory reporting of privacy breaches, so companies don’t have to report so often,” he says.

Companies like Amazon and Facebook have come out to say that New Zealand’s bill may set too low a bar for mandatory breach notification, which would flood consumers and the privacy commissioner with notices for even the most minor breaches.

It will also be interesting to see whether the New Zealand law will adopt facets of Europe’s new General Data Protection Regulation, Shanahan-Pinker says. If it does, one can expect even more protections for the individual’s privacy, possibly something similar to Europe’s infamous “right to be forgotten.”

“There are interesting different perspectives out there on international law and what this country is doing differently, so I think the Select Committee will have to think about which path to follow. I think we’ll end up following Australian law more closely. Whether we’ll implement exactly the same thing remains to be seen, but there are definitely people saying that we should be following their mandatory reporting law in terms of the test under that, which is a lot higher than we currently have,” he says.

He leaves both individuals and businesses a simple approach to follow as the bill proceeds.

“Individuals will have greater power and better understanding of their rights under the law. They can request information. They will be notified of any breaches. The commissioner will have these greater powers to enforce. For individuals and consumers, there will be a lot more power to them and they should understand exactly what power they have,” he says. “For businesses, the main thing is just understanding what the law is.